Azure Information Protection is a cloud-based solution that can be used to classify, label and protect data and e-mails. The nice thing about it is that, depending on the implementation, this works without the user's intervention: rules are applied automatically based on metadata, storage location, the template on which a document was created, or the content of the document.

Of course, users can also assign a classification manually. A combination of both, in which proposals are displayed to the user based on administrative specifications, can also be implemented.

AIP integrates into the Office client applications Word, Excel and PowerPoint from version 2010 in the Enterprise or Office ProPlus edition. With this integration, files can be classified and protected directly from the Office applications. Word, Excel and PowerPoint also display the classification of a file directly:
Overview of the features of AIP
The AIP feature essentially works with two objects:

Labels:
- A label is used for classification, e.g. CONFIDENTIAL
- A label can contain encryption, but can also be used for classification purposes only
- The following rights can be assigned during encryption: View, Open, Read (VIEW) | View Rights (VIEWRIGHTSDATA) | Edit Content, Edit (DOCEDIT) | Save (EDIT) | Print (PRINT) | Copy (EXTRACT) | Reply (REPLY) | Reply All (REPLYALL) | Forward (FORWARD) | Change Rights (EDITRIGHTSDATA) | Save As, Export (EXPORT) | Allow Macros (OBJMODEL) | Full Control (OWNER)
Policies:
- Policies determine which users/groups have which labels available
- Policies also regulate administrative options, such as whether a default label is assigned

Due to the integration into the Outlook client, labels can also be assigned directly when writing an e-mail. The classification then applies to the documents sent as attachments to the mail as well as to the e-mail itself.
In addition to labels and policies there is another useful function. The "Protect with user-defined permissions" function is used to encrypt files individually and make them available with explicit rights for certain users (including external users). This feature can be used both in the AIP client and in the Office integration. The following options can be configured per file:
- Viewer: view only
- Reviewer: view, edit
- Co-author: view, edit, copy, print
- Co-owner: all rights
- Only for me
- User / Group: users or groups, by e-mail address, who should have access with the selected right
- Expiration of the access: the date until which the selected users / groups keep the configured right
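The same user-defined permissions can be applied from PowerShell, which is useful when a file has to be shared with an external party and the protection must be verified rather than assumed. This is an added example, not code from the original article; it uses the AzureInformationProtection module that ships with the AIP client, and the file path, recipient address and validity period are placeholder assumptions.

```powershell
# Added example (not from the original article). Assumes the AIP client and
# its AzureInformationProtection PowerShell module are installed and the
# current user is signed in to the tenant.
Import-Module AzureInformationProtection

$File    = 'C:\Contracts\draft-nda.docx'   # placeholder path
$Partner = 'partner@example.com'           # placeholder external recipient

# Reviewer = view and edit only (no copy, print, export or forward).
# The access expires after 30 days, so a share that nobody revokes does
# not stay open indefinitely.
$Perm = New-AIPCustomPermissions `
    -Users $Partner `
    -Permissions Reviewer `
    -ExpirationDate (Get-Date).AddDays(30)

# Encrypt the file with exactly these permissions (no label required).
Set-AIPFileLabel -Path $File -CustomPermissions $Perm

# Verify instead of trusting the call: the file must now be RMS-protected,
# and the owner should be the account that applied the protection.
$Status = Get-AIPFileStatus -Path $File
if (-not $Status.IsRMSProtected) {
    throw "Protection was not applied to $File"
}
'{0}: protected, owner={1}' -f $Status.FileName, $Status.RMSOwner
```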
Typical scenarios

Scenario 1: A user creates a document. The user knows which category the document must be assigned to and is responsible for assigning the corresponding label.

Scenario 3: Classification based on location. The AIP scanner, which is part of the AIP client, is used to do this. The scanner can encrypt NTFS shares and SharePoint libraries. Example: all files stored in a specific folder or in a specific SharePoint library always get the label "Confidential - Contract". The AIP scanner runs as a service on a Windows server. Using PowerShell and a parameterized call, the scanner then checks and encrypts contents in the defined storage locations with the specified label.
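Before letting the scanner enforce a label on a whole share, it helps to audit what is already there: which files carry no label, and which are labeled but not actually encrypted. The following added example (not the article's code and not the scanner service itself) does that audit with the AIP client cmdlets and applies the label only when an enforce flag is set, mirroring the scanner's discovery-versus-enforce modes; the share path and label GUID are placeholders.

```powershell
# Added example (not from the original article). Uses the AIP client
# cmdlets from the AzureInformationProtection module, not the scanner.
Import-Module AzureInformationProtection

$Share   = '\\fileserver\contracts'                 # placeholder share
$LabelId = '00000000-0000-0000-0000-000000000000'    # placeholder GUID of "Confidential - Contract"
$Enforce = $false                                    # $false = report only

$Files = Get-ChildItem -Path $Share -Recurse -File -Include *.docx,*.xlsx,*.pptx,*.pdf

# Collect label and protection state per file.
$Report = foreach ($F in $Files) {
    $S = Get-AIPFileStatus -Path $F.FullName
    [pscustomobject]@{
        File      = $F.FullName
        Labeled   = $S.IsLabeled
        Label     = $S.MainLabelName
        Protected = $S.IsRMSProtected
        Owner     = $S.RMSOwner
    }
}

# Findings a defender cares about: no label at all, and a label without
# encryption (classified but readable by anyone with share access).
$Unlabeled   = $Report | Where-Object { -not $_.Labeled }
$Unprotected = $Report | Where-Object { $_.Labeled -and -not $_.Protected }

$Report | Format-Table -AutoSize
'{0} unlabeled, {1} labeled but unprotected' -f $Unlabeled.Count, $Unprotected.Count

if ($Enforce -and $Unlabeled) {
    # Applying the label also encrypts the file if the label carries
    # protection in the policy; the result lists a status per file.
    Set-AIPFileLabel -Path $Unlabeled.File -LabelId $LabelId |
        Select-Object FileName, Status, Comment
}
```

Run it once with `$Enforce = $false` and review the table; only after the findings look right switch to enforce, because labeling is recorded as the labeling user and a wrong label is harder to clean up than a missing one.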
Licensing

Microsoft Azure Information Protection is available as a standalone solution or as part of the Enterprise Mobility + Security Suite, Microsoft 365 Enterprise and Office 365 E5.

Only the user who protects content needs a license. External users or users who only consume protected content do not need to be licensed.
AIP, RMS and IRM

Definition and dependencies:
- RMS: The Azure Rights Management Service is the basic instance for encryption and rules. Word, Excel, PowerPoint, Outlook and the Office servers SharePoint and Exchange provide native support for Azure Rights Management and thereby document and e-mail protection.
- AIP: Azure Information Protection is based on RMS and requires the RMS service in the background. With AIP, files can be individually encrypted and classified. File tracking and detailed reporting show who opened an AIP-protected file, when and from where.
- IRM: Information Rights Management is required to connect RMS to Exchange or SharePoint. If the on-premises versions of Exchange or SharePoint or an NTFS file server need to be connected, an RMS connector is required. IRM integrates seamlessly into Exchange and SharePoint.
IRM with Exchange and SharePoint:
- To protect an e-mail with the "Do not forward" restriction, the Information Rights Management options for Exchange are required. With IRM in Exchange, features like DLP can also be used.
- IRM integration can be used to encrypt files stored in SharePoint. This integration does not offer the flexibility and functionality of AIP. Documents in SharePoint are not encrypted until they are downloaded, for example. IRM does not provide an option to classify files, and permissions must be assigned by an administrator at the site or library level.

Depending on the detailed scenario, either AIP or IRM can be used. Both functions require the RMS service in the background.

Details about RMS, IRM and the limitations with SharePoint are described in this article: https://docs.microsoft.com/en-us/azure/information-protection/understand-explore/office-apps-services-support