Protecting proprietary information and managing company communications present challenges to modern organisations. Sensitive data shouldn’t be shared outside of departments, and great care must be taken to allow only authorised personnel either to
Azure Information Protection is designed to augment and improve upon current protections for documents and emails within an organisation, both internally and in the cloud. It works directly within Microsoft 365 and related apps to help ensure unauthorised sharing or access is prohibited.
What is Azure Information Protection?
Azure Information Protection (AIP) is a cloud-based solution to add another layer of primarily file-level controls to prevent unauthorised access, sharing, or distribution. It’s designed to work under the Microsoft Purview Information Protection system, which includes AIP and other advanced features for data security protection.
AIP brings new opportunities to create security taxonomies and added controls by tagging files using sensitivity labels. Labels are assigned explicit permissions, depending on what’s required within the department and business.
The Microsoft 365 suite of Office apps and the latest retail version of Microsoft Office include the ability to assign labels to files. Other implementations allow either manual assignment, file repository scanning, or automated label assignment to existing files.
Directory/Folder-Level and User-Level Controls
Previously, companies mainly relied on various implementations of folder-level and user-level access controls for file systems. These had various names, including Windows Rights Management Services, and Active Directory Rights Management Services, amongst others.
Broadly speaking, these ensured that files in certain folders – for instance, relating to a specific department – could only be accessed by that team alone. Also, user-level protocols permitted senior managers to access files for the departments or smaller teams they’re responsible for too.
Potential Limitations of Active Directory and Previous Solutions
While active directory and user-level controls perform well, they have limitations.
For instance, new documents attached to an incoming email, or the introduction of a new cloud storage repository of files for users, create new problems.
What labels and permissions should they have? When thousands of incoming files are received daily, how can they be manually assigned rights and folders?
Azure Information Protection meets this need by adding an extra layer of security. This primarily works inside the Microsoft 365 apps, Microsoft Teams, SharePoint, and Microsoft 365 groups.
Labelling, Customisation, and Confidentiality
A standard collection of default sensitivity labels exists for AIP. However, these can be extensively modified depending on the organisational needs for which Microbyte can access and implement for you.
Standard labels may include:
- Personal
- Private
- Internal
- Confidential
- Highly Confidential
Publishing Sensitive Labels
Once labels are set, classified, and grouped, they can be published internally as an established label policy.
From that point, they’re enforced on all relevant users and user groups.
Confidential Labels
The pre-existing Confidential label has specific restrictions and controls in place.
Files tagged with this label aren’t allowed to be sent outside of the organisation over email or by any other method. Confidential information such as credit card numbers, passwords, or the source code from software under development is restricted too.
Attempts to contravene these limitations, once the labels have been published to all relevant users and groups they pertain to, produce immediate warnings and are actively prevented. Activity logs are also generated for each occurrence.
Highly Confidential Labels
Files tagged using the pre-existing Highly Confidential label have additional elevated limitations.
These almost always include encryption of all files with this label applied, preventing third-party access, and preventing confidential financial data from being exposed. Taking screengrabs of open files is also blocked due to their confidential nature.
Some files may be emailed using a cloud-based email solution, such as Gmail. However, active rights management policies, labelling controls, and file encryption processes ensure that the document or file isn’t accessible to outsiders.
Microsoft 365 Built-in Labelling vs. AIP Add-In
Users of the Microsoft 365 suite now have a Sensitivity option where a currently open file is labelled.
This also applies to the newer standalone versions of Microsoft Office too. Forcing users to label every document they produce is possible to avoid categorisation gaps from occurring.
Built-in Labelling Support – In the future, newer versions of the Office suite of apps will include labelling options by default. These receive the latest features and upgrades.
AIP Add-In – For older Office suite versions, an Add-In file from Microsoft is installable. Add-Ins are sometimes temperamental. Therefore, the preferred tag labelling is performed via the built-in feature.
Automatic Labelling of Files
Automatic labelling of files is supported for Office apps. This is currently available via a Unified Labelling Client.
Auto-labelling is beneficial with files containing sensitive information. Users and users within appropriate groups are prompted to add an appropriate label to their file, or the system does it for them.
Manual Labelling Methods
Azure Information Protection uses its unified labelling client to allow for the labelling, file classification, and permission features.
The AIP Unified Labelling Client adds new features to File Explorer and PowerShell to allow an appropriate user to apply labels to relevant files. This adds a right-click context menu option for Classify and protect for easy access.
The AIP on-premises scanner is another labelling method. Administrators can use it to scan file repositories for unlabelled and unclassified files and to tag files that need a label applied. Additionally, files found to contain sensitive information (credit card numbers, etc.) are highlighted to ensure they have appropriate permissions used there too.
There is also an SDK to allow third-party apps, used internally, to apply relevant labels using established labelling policies before the exportation of the file.
In the future, some of these features will be accessible directly within the Microsoft Purview Information Protection system for centralised control by administrators.
Enhanced Email Security
Email security is paramount today. Many email attachments arrive from third parties that not only must be scanned for potential malware and viruses but also require tagging with the most relevant sensitivity label.
AIP ensures that files reaching email servers, including Outlook users, get labelled once received. This ensures that appropriate file security policies are applied in real-time.
Let Microbyte Improve Your File Security Today
Microbyte is highly experienced in setting up improved file security via the features within Azure Information Protection. Let our team better protect your files, email usage, and confidentiality of propriety information.
Get in touch today.
