Mittwoch, 7. August 2019

Updates & News around Microsoft Information Protection

In the last couple of weeks Microsoft release a bunch of new features / versions for Information Protection and Unified Labeling:
  • New features & functions with Microsoft Cloud App Security and Azure Information Protection
  • Azure Information Protection unified labeling client
  • Update to Unified labeling

Cloud App Security and Azure Information Protection

Cloud App Security and the integration with Azure Information Protection is not new. If you are already migrated to Office 365 unified sensitivity labels and if you did not migrate your existing classification labels you need to know:  Creating new labels in the Office 365 Security and Compliance Center, Cloud App Security will only use the preexisting labels configured in the Azure Information Protection portal.

Integrating Azure Information Protection into Cloud App Security you get the ability to:
  • apply classification labels as a governance action to files that match specific policies
  • view all classified files in a central location
  • investigate according to classification level, and quantify exposure of sensitive data over your cloud applications
  • create policies to make sure classified files are being handled properly
This integration is focusing to scenarios like:
  • Visibility on sensitive data in managed cloud apps
  • Compliance / Risk Enforcement
    • Apply label to documents in cloud apps repositories
    • Prevent storage of highly sensitive documents in the cloud
  • Sensitive data reporting in AIP analytics space
  • Detect anomalous access
  • Block download of sensitive document from specific locations or non-compliant device
  • Block upload of sensitive documents

You need both a Cloud App Security license and a license for Azure Information Protection. Then Cloud App Security syncs the labels from Azure Information Protection. This action is performed every hour.
Scanning the files:
  • Automatic scan: all new or modified files are added to the scan queue and will be scanned, classified and protected
  • File policy to search for classification labels: these files are added to the scan queue for classification labels

After you enable Azure Information Protection on Cloud App Security, all new files that are added to Office 365 will be scanned and you can create new policies within Cloud App Security that apply classification labels automatically.
More Details: How to integrate Azure Information Protection with Cloud App Security

Azure Information Protection unified labeling client

Highlights of version
  • Support for labels that are configured for user-defined permissions for Word, Excel, PowerPoint, and File Explorer
  • Support for advanced settings with PowerShell for the Security & Compliance Center
  • New cmdlet New-AIPCustomPermissions to create an ad-hoc policy for custom permissions
  • New parameters added to Set-AIPFileClassification:-WhatIf and -DiscoveryInfoTypes so that this cmdlet can run in discovery mode without applying labels

Download and further information: Version

Actually, we have two management portals which are supported by different clients:
  1. Azure Information Protection:
    • Azure Information Protection client (classic)
    • Azure Information Protection scanner
    • Microsoft Cloud App Security

  1. Unified labeling in Office 365 Security & Compliance Center:
    • Azure Information Protection unified labeling client
    • Microsoft Cloud App Security
    • Office apps for MacOS, Android and iOS
    • Information Protection SDK and applications based on it like Adobe Acrobat
    • Coming Soon:
      • SharePoint Online
      • Office Online, Outlook Mobile for iOS and Android
      • Built-in labeling in Office for Windows
      • Azure Information Protection scanner

Update to Unified labeling

Unified labeling is not activated per default and Azure Information Protection labels can be used only by the Azure Information Protection client. To make labels available in the Office 365 Security & Compliance Center and to use the unified labeling client you need to Activate that integration:

Before you activate unified labeling, check in Office 365 that you don't have labels that have the same name or display name as your labels in Azure Information Protection. Note that Azure Information Protection labels will be automatically renamed so that migration can succeed. Once activated you cannot deactivate unified labeling for your tenant. Learn more about the migration process.

Unified labeling: Activated

Depending on how many labels do you have the updated takes some time. After it is done you can manage your labels from either the Azure portal or the Office 365 Security & Compliance Center. The labels can be used by the Azure Information Protection client and by unified labeling clients.

Note: you must use the Publish option after the migration to make the labels available in the unified labeling clients. Otherwise the client is showing an error like this:

1 Kommentar: