As we discussed in the prior entries of this series, Microsoft has recently enhanced the EMS offering by adding more services to the bundle and introducing an additional tier. This post will focus on the Azure Information Protection P2 (AIP P2) portion of the suite.
Let’s start with the Microsoft explanation of what’s in the offering:
| Feature | AIP P1 | AIP P2 |
|---|---|---|
| Manual document classification and consumption of classified documents | X | X |
| Automated data classification and administrative support for automated rule sets | | X |
| Hold Your Own Key (HYOK) for highly regulated scenarios | | X |
| Protection for Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft OneDrive for Business content | X | X |
| Bring Your Own Key (BYOK) for customer-managed key provisioning life cycle | X | X |
| Protection for on-premises Exchange and SharePoint content via Rights Management Services (RMS) connector | X | X |
| RMS software developer kit for all platforms: Windows, Windows Mobile, iOS, Mac OSX, and Android | X | X |
| RMS connector with on-premises Windows Server file shares by using the File Classification Infrastructure (FCI) connector | X | X |
| Document tracking and revocation | X | X |
| Protection for non-Microsoft Office file formats, including PTXT, PJPG, and PFILE (generic protection) | X | X |
| RMS content consumption by using work or school accounts from RMS policy-aware apps and services | X | X |
| RMS content creation by using work or school accounts | X | X |
Why would you use it?
With the transition of businesses to cloud- and mobile-based applications, data doesn’t live just within the confines of your corporate network. As stated in the prior entry, today’s user works in an environment that allows her:
- To access data on any device and from any network
- To decide how to share data and with whom to share it
- To create data without thought to how the data should have been classified, labeled, or protected
The user often isn’t acting with malicious intent; she is simply trying to do her job in the most efficient way possible. All is not lost: AIP will help protect your organization by:
- Classifying and labeling data based on source, context or content
  - The label persists with the document and can be applied either manually or automatically
- Providing protection and control of use rights
  - Encrypts the document and only allows authorized users to access it – even external users
  - Encryption persists with the document in flight and at rest – no matter where it is stored
- Tracking and reporting of user activities
  - Your users can track who has accessed a document and can revoke access from unauthorized users if they made a mistake (or if the situation changes)
  - AIP provides rich logs and reporting that can be used by your compliance department
These classifications always stay with the document; no matter who comes into possession of the documents, they will always retain their protections.
How can you use these services to help protect your organization?
Let’s use an example of the fictional Contoso company to show how AIP works to protect key company assets.
Contoso’s management defines 3 data classifications and the rules that should apply to that classification:
- Low Business Impact (LBI) – the information is either public or would not cause issues if made public so the data is stored in clear text without any sharing restrictions
- Medium Business Impact (MBI) – information shared with partner companies or presented at public conferences – the expectation is that it will be shared externally, so the data is stored in clear text, but is only shared with authorized users and/or partner organizations
- High Business Impact (HBI) – highly secret and confidential company data (e.g. HR, financial, future product specifications) – if the data leaked, there could be legal or financial impacts to the company, so the data has encryption applied, is made read-only to most users, and can only be viewed by authenticated users
Contoso’s management applies these policies to its various SharePoint site collections and document templates, and distributes the rules to its Microsoft Office installations.
- The Marketing department has a SharePoint site collection where they store all press releases. By virtue of the document name (“Press Release”), it is implied that the data is public; this data is classified LBI.
- The Sales department has a SharePoint site collection where they store all customer presentations. These presentations are for customer consumption, but should only be presented by Contoso salespeople or by authorized Contoso partners; this data is classified MBI.
- The HR department has a SharePoint site collection where they store all employee records. If this information were to leak, great financial harm might impact the company; this data is classified HBI.
Sarah, a marketing coordinator, needs to be able to easily create press releases and share them with her external contacts. She can share a press release with her external contacts without issue. However, recently, Sarah has been tasked with developing a campaign for an upcoming (but highly confidential) new product. She begins crafting her documents to get ready for the future product announcement. Without thinking, she creates her documents in the Marketing site collection, where they have the LBI classification applied to them. However, Contoso management has also created rules that define classification overrides if certain keywords or topics are in a document; consequently, this document automatically has the HBI classification applied, preventing any possible data leak.
Mike, an HR analyst, maintains confidential employee data, containing HBI information such as Social Security numbers, salaries, and employee IDs. Mike is required to share some of this data with authorized and authenticated users at Contoso’s payroll provider. Mike is unable to email the information to anyone else, as Contoso’s Exchange system respects the HBI classification and prevents Mike from hitting “Send”. Mike has recently hired a financial planner to help him with his private finances; he creates a Microsoft Excel spreadsheet containing his personal information. Mike attempts to email this spreadsheet to his financial planner and is blocked since it contains HBI data; however, Mike is able to click on an “Override” button where he can provide justification to his manager on why this is OK. Michele, Mike’s manager, receives a notification and is able to approve the message (of course, she admonishes Mike about using company resources for his private life!).
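To make the Contoso rules concrete, here is an added, simplified model of the two decisions the scenarios above describe: a document takes its location’s default label, content rules can only raise that label (never lower it), and a send attempt is gated on the resulting label, with an override routed for manager approval instead of being silently allowed. This is illustrative example code written for this post, not Azure Information Protection’s own classification or mail-flow engine; the site names, the “Project Falcon” codename, the keyword rules and the partner domains are constructed assumptions.

```python
"""Simplified model of label assignment and send gating for the Contoso
scenarios. Illustrative only; not the real AIP/Exchange implementation."""
from dataclasses import dataclass
from typing import Optional

# Classification levels, least to most sensitive. A higher index always wins.
LEVELS = ["LBI", "MBI", "HBI"]

# Hypothetical default label per SharePoint site collection (constructed).
SITE_DEFAULTS = {
    "Marketing": "LBI",
    "Sales": "MBI",
    "HR": "HBI",
}

# Hypothetical content rules: if the keyword appears, the document is raised
# to at least this label (constructed; "Project Falcon" stands in for the
# confidential product in Sarah's story).
CONTENT_RULES = [
    ("project falcon", "HBI"),
    ("social security", "HBI"),
    ("salary", "HBI"),
]

# Hypothetical external domains authorized per label; None means anyone.
EXTERNAL_ALLOWED = {
    "LBI": None,
    "MBI": {"partner.example"},
    "HBI": {"payroll.example"},
}

INTERNAL_DOMAIN = "contoso.com"


def rank(label: str) -> int:
    return LEVELS.index(label)


def classify(site: str, text: str) -> str:
    """Start from the site default, then let content rules escalate only."""
    label = SITE_DEFAULTS[site]
    lowered = text.lower()
    for keyword, minimum in CONTENT_RULES:
        if keyword in lowered and rank(minimum) > rank(label):
            label = minimum
    return label


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False  # True when an override was requested


def check_send(label: str, recipient: str,
               justification: Optional[str] = None) -> Decision:
    """Gate an outbound message on the attachment's label.

    Internal recipients always pass; external ones must be on the allow-list
    for the label. A justification does not allow the send; it only routes the
    message to the manager for approval (Mike's "Override" button).
    """
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain == INTERNAL_DOMAIN:
        return Decision(True, "internal recipient")
    allowed = EXTERNAL_ALLOWED[label]
    if allowed is None or domain in allowed:
        return Decision(True, f"{domain} is authorized for {label} content")
    if justification:
        return Decision(False, "override requested; held for manager approval",
                        needs_approval=True)
    return Decision(False, f"{label} content may not be sent to {domain}")


if __name__ == "__main__":
    # Sarah: a campaign draft in the LBI Marketing site is escalated to HBI.
    print(classify("Marketing", "Press release: Contoso opens a new office"))
    print(classify("Marketing", "Campaign plan for the Project Falcon launch"))
    # Mike: payroll provider is allowed, a private advisor is blocked.
    print(check_send("HBI", "ops@payroll.example"))
    print(check_send("HBI", "planner@advisor.example"))
    print(check_send("HBI", "planner@advisor.example", "personal file"))
```

The key design point is that `classify` is monotonic: a content match can raise a label but never lower one, so a confidential draft saved in a public location is caught while an HR file never becomes less protected because of where it is stored. In the real product the label and protection travel inside the file and the send decision is enforced by the mail system; this model only shows the decision logic.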
I hope this post has got you interested in this portion of the EMS E5 suite. Future posts will cover Cloud App Security and then will wrap up with how all of these services work together to protect your business!