Good practice in using Azure Information Protection to protect your data

At the end of 2016, Microsoft officially released the Azure Information Protection solution. This cloud-driven solution is an evolution of the RMS (Rights Management System) suite. It allows you to create a document classification policy and then apply protection profiles to encrypt sensitive documents.

At Kyos, we started evaluating the tool in July 2017. We quickly realized that this solution would provide even better protection for all types of documents, whether they are stored on our file server, in our emails or on a cloud solution.

This article aims to explain the basic features of the solution.

The first step is to define a classification of your documents. We decided to keep it simple: Public, Private, Confidential.

Under Confidential, we created restrictions per group.

A banner then appears in the Office suite and in the Windows file explorer.

You can then create classification rules. For example, if a document contains a keyword such as “confidential”, Word can reclassify the document for you or suggest that you change the classification.

By default, protection relies on a master key stored in an HSM in a Microsoft datacenter. The solution also allows you to “Bring Your Own Key” by transferring a key from your HSM to Microsoft’s.

Once a document is classified or protected, you have the ability to track who opened the document and from where.

For example, here we can see a document being opened from Switzerland.

Since its initial release, many new features have been added, such as sharing protected documents with guest accounts. It is also possible to retroactively classify your documents on your file servers to protect them or name them. This classification can even be done continuously.

For example, the administrator can decide that if a document contains a credit card number it will automatically be protected.
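The two rule types described above (a keyword that leads to a suggested reclassification, and a credit card number that triggers automatic protection) can be modelled as follows. This is an added illustration, not AIP's own implementation or configuration: the function names, the Luhn checksum filter and the "never lower an existing label" behaviour are assumptions of this example, and the sample strings in the tests are constructed.

```python
import re

# Label order from the article's scheme, least to most sensitive.
LABELS = ["Public", "Private", "Confidential"]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
KEYWORD_RE = re.compile(r"\bconfidential\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Payment card checksum; rejects most arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def has_card_number(text: str) -> bool:
    """True if any digit run in the text passes the Luhn check."""
    return any(
        luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)
    )


def evaluate(text: str, current: str = "Public") -> dict:
    """Decide the label for one document's extracted text.

    action is "apply" (automatic), "recommend" (user is prompted) or "none".
    """
    if has_card_number(text):
        target, action = "Confidential", "apply"
    elif KEYWORD_RE.search(text):
        target, action = "Confidential", "recommend"
    else:
        return {"label": current, "action": "none"}
    # Assumption: a rule never downgrades or re-applies an existing label.
    if LABELS.index(current) >= LABELS.index(target):
        return {"label": current, "action": "none"}
    return {"label": target, "action": action}


if __name__ == "__main__":
    # Constructed samples: a well-known test card number and a plain memo.
    print(evaluate("Card on file: 4111 1111 1111 1111"))
    print(evaluate("This memo is confidential.", current="Private"))
```

The checksum step matters in practice: a 16-digit order reference matches the pattern but fails the Luhn check, so it is not automatically protected.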

To finish this quick overview of AIP, it is important to know that this product is included in the Microsoft EMS Suite (Enterprise Mobility and Security) and also in the Microsoft 365 Suite.

Soon the AIP labels should become the standard and replace the old labels currently present in the Office 365 suite.

Author: Thomas Eklund