Azure
Information Protection is a cloud-based solution that can be used to classify,
label and protect data and e-mails. The nice thing about it is that depending
on the implementation, this works without the user's intervention. Rules are
automatically applied based on metadata, storage location, template on which a
document was created or on the content of the document.
Of course,
users can also assign classification manually. A combination of both, whereby
proposals are displayed to the user based on administrative specifications, can
also be implemented.
AIP integrates into the Office Client
applications Word, Excel and PowerPoint from version 2010 in the Enterprise or
Office ProPlus version. With this integration, files can be classified and
protected directly from Office applications. Word, Excel and PowerPoint also
display the classification of a file directly:
The AIP
Client is used to protect and classify non-Office files. This free software is
used to classify and protect e.g. PDF documents and other files. The AIP Viewer
is also used to open protected non-Office files. This tool is available free of
charge for the iOS, Android, macOS and Windows platforms. Details on supported
platforms and Office versions can be found here: https://docs.microsoft.com/en-us/azure/information-protection/get-started/requirements-applications
Overview of the features of AIP
The AIP
feature essentially works with 2 objects:
Labels:
- A label is used for classification; e.g. CONFIDENTIAL
- A label can contain encryption, but can also be used for classification purposes only
- The following rights can be assigned during encryption: View, Open, Read (VIEW) | View Rights (VIEWRIGHTSDATA) | Edit Content, Edit (DOCEDIT) | Save (EDIT) | Print (PRINT) | Copy (EXTRACT) | Reply (REPLY) | Reply All (REPLY ALL) | Forward (FORWARD) | Change Rights (EDITRIGHTSDATA) | Save As, Export (EXPORT) | Allow Macros (OBJMODEL) | Full Control (OWNER)
Policies:
- Policies determine which users/groups have which labels available
- Policies also regulate administrative options such as whether a standard label is assigned
Due to the
integration into the Outlook client, labels can also be assigned directly when
writing an email. The classification then affects documents that are sent as
attachments to the mail and the e-mail itself.
In addition
to labels and policies there is another useful function. The "Protect with
user-defined permissions" function is used to encrypt files individually
and make them available with explicit rights for certain users (including
external users). This feature can be used in both the AIP Client and Office integration.
The following individual options can be configured per file:
- Displaying user: Display only
- Check: Display, Edit
- Co-author: view, edit, copy, print
- Co-owner: All rights
- Only for me
- User / Group: Users or groups by e-mail address, who should have access with the selected right
- Expiration of the access: Date how long the access for the selected users / groups with the configured right should exist
Details on
the individual functions of AIP can be found here: https://azure.microsoft.com/en-us/services/information-protection/
Typical scenarios
Scenario 1: A user creates a document. The user knows
which category the document must be assigned to and is responsible for
assigning the corresponding label.
Scenario 2: In addition to scenario 1, automatic
classification can be used. To do this, we need to define or create own information
types. Microsoft provides standard information types such as credit card
number, driver's license number, etc. A complete list of standard information
types can be found here: https://support.office.com/en-us/article/what-the-sensitive-information-types-look-for-fd505979-76be-4d9f-b459-abef3fc9e86b?ui=en-US&rs=en-US&ad=US
Scenario 3: Classification Based on location. The AIP
scanner, which is part of the AIP client, is used to do this. The scanner can
encrypt NTFS shares and SharePoint libraries. Example: all files that are
stored in a specific folder or in a specific SharePoint library always get the
label "Confidential - Contract". The AIP
scanner runs as a service on a Windows server. Using PowerShell and a
parameterized call, the scanner then checks and encrypts contents in the
defined storage locations with the specified label.
Licensing
Microsoft
Azure Information Protection is available as a standalone solution or as part
of the Enterprise Mobility + Security Suite, Microsoft 365 Enterprise and
Office 365 E5.
AIP is
available in three different versions: AIP for Office 365, AIP P1 and AIP P2
Details on the different versions can be found here: https://azure.microsoft.com/en-us/pricing/details/information-protection/
Only the user
who protects content needs a license. External users or users who only consume
do not need to be licensed.
AIP, RMS and IRM
Definition and dependencies:
- RMS: The Azure Right Management Service is the basic instance for encryption and rules. Word, Excel, PowerPoint, Outlook and the Office Server SharePoint and Exchange provide native support for Azure Rights Management and provides document and email protection.
- AIP: Azure Information Protection is based on RMS and requires the RMS service in the background. With AIP, files can be individually encrypted and classified. File tracking and detailed reporting show who opened an AIP-protected file, when and from where.
- IRM: Information Rights Management is required to connect RMS to Exchange or SharePoint. If we need to connect the on-prem versions of Exchange or SharePoint or an NTFS file server, an RMS Connector is required. IRM integrates seamlessly into Exchange and SharePoint.
IRM with Exchange and SharePoint:
- To protect an e-mail with the "Do not forward" restriction, the Information Rights Management options for Exchange is required. With IRM in Exchange features like DLP can also be used.
- IRM integration can be used to encrypt files stored in SharePoint. This integration does not offer the flexibility and functionality of AIP. Documents in SharePoint are not encrypted until they are downloaded for example. IRM does not provide an option to classify files and permissions must be assigned by an administrator at the site or library level.
Depending
on the detailed scenario, either AIP or IRM can be used. Both functions require
the RMS service in the background.
Details about RMS, IRM and the limitations with
SharePoint are described in this article: https://docs.microsoft.com/en-us/azure/information-protection/understand-explore/office-apps-services-support
Related
posts:
- AzureInformation Protection Part I – Overview
- Azure InformationProtection Part II – PowerShell
- AzureInformation Protection Part III – AIP Scanner
- AzureInformation Protection Part V – Advanced features
Keine Kommentare:
Kommentar veröffentlichen