Azure Information Protection (AIP) is a product from Microsoft which allows classification (or labelling, if you prefer) of information such as documents or emails. The service has now expanded (in preview at the time of writing) to allow classification of Office 365 Groups, Teams and SharePoint sites, which adds critical functionality to assist with your data protection strategy.
In this blog, part 1 of a 4-part series, we will answer the questions: Why AIP? and How do I deploy AIP in a controlled way?
Important to note: Rolling out AIP can be quite different depending on the license type you have. This blog assumes you have Microsoft 365 E3 at a minimum, which gives you the following:
- Azure AD Premium P1
Upgrading to E5 adds a LOT of functionality, the main ones being Microsoft Cloud App Security (MCAS) and AIP P2 which adds automatic classification. Throughout this blog I will make it clear when referring to E5 features.
This blog identifies, in more detail, the steps you can take to implement AIP in the correct order, ensuring a risk-managed and controlled outcome.
For Microsoft’s guidance on how to deploy AIP please refer to this guide
THE CRAWL, WALK, RUN STRATEGY
From working with several clients on their information and data protection strategies, we have adopted a Crawl, Walk, Run strategy for successful deployment. This is for a few reasons:
- Implementing products or features all at once can be challenging and in some cases impact productivity
- A lot of businesses don’t understand what data they have or access behaviour patterns etc.
- Statistics and data insights are required before you can make impactful decisions
- To be successful, user education and enablement are hugely important, and this takes time
The phases we use are not hard and fast, and tasks within each one can be moved around; however, most of the Crawl tasks must be completed early on in the project.
With the majority of businesses moved to remote working, keeping control or governance of data has become increasingly difficult. AIP is one tool which forms part of a large strategy covering Information Protection as a whole. It’s not like the risk didn’t exist previously, but the global Covid-19 crisis has exacerbated and highlighted the situation.
Here are some of the risks:
- Using work PCs on unverified networks
- Shadow IT, such as a user using Box or Gmail for data when it should be in Office 365
- No visibility into risk
HOW DO I DEPLOY IN A CONTROLLED WAY?
Deploying AIP as part of an overall data protection strategy, alongside things like conditional access (risk-based access control), MCAS, DLP, correct governance and, optionally, Torsion Information Security, can assist with all of the above.
A valuable outcome from deploying AIP is visibility: beginning to understand your environment and how information is created, accessed, and shared. Finally, AIP can be addressed separately from other projects which focus on security and compliance, but we have found it is best addressed with a wider security and compliance strategy in mind.