4 Questions You’ve Always Wanted to Ask About Azure Information Protection (AIP)

Posted on 12 October 2018

Protecting sensitive information has become a pressing issue for businesses, especially in light of GDPR and developing cybersecurity threats. Understanding how Azure Information Protection (AIP) can help is a great step forward – and it all starts with asking the right questions.

In 2018, Bupa was unveiled as one of the first major organisations to be penalised for failing to protect user data under GDPR. The breach – which came about when a disgruntled employee emailed 547,000 records to himself – cost the healthcare giant £175,000, and worst of all, it was completely preventable.

Each day, more than an estimated 300 billion emails are sent and received globally, many of which contain sensitive information. Meanwhile, employees are transferring sensitive documents to their personal devices, and others are penning classified files on unsecured networks.

With employees putting data at risk – either by accident, poor choice or necessity – it’s no wonder that business owners are frantically searching for ways to protect information. That’s where Azure Information Protection (AIP) comes in, controlling such behaviour and creating rules to protect your documents. Sounds great, doesn’t it?

Asking the Right Questions 

As the risks to sensitive information have evolved, so too have the solutions on offer. AIP is one such solution – one which we’ve frequently encountered during our work as Microsoft Gold Partners.

With the ability to remove business owners’ pain points and protect data from being seen by the wrong eyes, AIP is undoubtedly a forerunner in this arena. Unfortunately, many users are unaware that it’s already included in their subscriptions; it’s a powerful tool just waiting to be used.

But before you take the first step towards making AIP work for you, you’ll likely have many more questions to ask. That’s OK, because one of our consultants – Alan Armstrong – is pleased to give you the scope of AIP.

What is Azure Information Protection?

Azure Information Protection (AIP) is a subscription-based service from Microsoft. It forms part of the Enterprise Mobility + Security (EM+S) stack, which consists of other products you may be familiar with, such as Intune, Cloud App Security, Azure AD Premium, Advanced Threat Analytics and Azure Advanced Threat Detection.

At its core, AIP allows you to classify and protect documents. What’s more, once the protection is applied, it follows the document – regardless of where it’s stored.

How Does Azure Information Protection Work?

AIP safeguards sensitive information in two ways:

  • Classifying documents 

While using the AIP client with Microsoft Office, users can select a label which will apply metadata to the document, displaying the classification used. If configured, it’s possible to add visual markings too, such as footers and watermarks. These visual markings change when the label changes, and the label applies protection on top of both the metadata and the visuals.

In this area, AIP employs some other interesting features. For example, when the document is de-classified, a user can be given the option to provide justification. You can also set a default label for documents and emails, ensuring that all documents get a classification – it’s then down to the user to change the classification.

If you make use of the AIP P2 licence, you can also automatically classify documents based on their content. This can be done using Microsoft templates for different types of data (Finance, PII etc), and you can also create custom expressions for AIP to detect and then classify appropriately.

  • Protecting documents 

Meanwhile, AIP protects documents by applying Azure Rights Management (Azure RMS) templates to them. This encrypts the documents for safekeeping.

Encryption keys are stored within the Azure RMS service, and access to protected documents is based on the Azure RMS template. You can decide which users have co-author access – allowing them to edit, save and print – and which users have view-only access. In the latter instance, the document can be locked down, preventing any copying or screenshots being taken. It’s understandably a powerful tool to have at your disposal.

Furthermore, when a document is protected, the document creator can track where it has been opened and whether someone who isn’t allowed to access the document has attempted to. Access to the document can then be revoked remotely if needed.

As the document is protected, it’s possible to store files anywhere (Dropbox, OneDrive Personal, USB stick etc); even though the location might not be secure, the document is. After all, regardless of where the document sits, you can only access it by authenticating.

How can AIP integrate with other Office 365 services?

As AIP adds metadata to documents, you can use Office 365 DLP and Exchange Transport rules to detect what classification a document/email has. This means you can block these documents from being shared out or sent in an email.
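To show what such a rule matches on, here is an added Python example (not from the original post or from Microsoft) that reads the label metadata from a message and returns a block/allow verdict for external recipients. It assumes the AIP client writes an `msip_labels` header made of `MSIP_Label_<GUID>_<field>=<value>` pairs; the GUID, domains, label names and the sample message are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption (not from the article): labelled mail carries an "msip_labels"
# header built from "MSIP_Label_<label GUID>_<field>=<value>;" pairs.
PAIR = re.compile(r"MSIP_Label_([0-9a-fA-F-]{36})_(\w+)=([^;]*)")

# Constructed sample data: placeholder GUID, domains and label name.
GUID = "11111111-2222-3333-4444-555555555555"
SAMPLE = (
    "From: alice@contoso.example\n"
    "To: bob@partner.example\n"
    "Subject: Q3 figures\n"
    f"msip_labels: MSIP_Label_{GUID}_Enabled=True; "
    f"MSIP_Label_{GUID}_Name=Confidential\n"
    "\n"
    "See attached.\n"
)

def parse_labels(header_value):
    """Return {label_guid: {field: value}} from an msip_labels header value."""
    labels = {}
    for guid, field, value in PAIR.findall(header_value or ""):
        labels.setdefault(guid.lower(), {})[field] = value.strip()
    return labels

def verdict(raw_message, internal_domain, blocked_names):
    """Mimic a mail flow rule: stop restricted labels leaving the organisation."""
    msg = message_from_string(raw_message)
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = [addr for _, addr in recipients
                if not addr.lower().endswith("@" + internal_domain)]
    labels = parse_labels(msg.get("msip_labels"))
    # Only labels flagged Enabled=True count as the message's classification.
    active = {f.get("Name") for f in labels.values() if f.get("Enabled") == "True"}
    if not active:
        return "unlabelled"   # candidate for a default label or a DLP content scan
    if external and active & blocked_names:
        return "block"
    return "allow"

if __name__ == "__main__":
    print(verdict(SAMPLE, "contoso.example", {"Confidential"}))
```

The "unlabelled" result matters as much as "block": mail with no label metadata passes a label-based rule untouched, which is why the default-label setting described earlier is worth enabling.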

With Microsoft Cloud App Security (MCAS) you can search for documents with the classifications and receive alerts when someone tries to share them with an external user.

MCAS can also check documents in SharePoint and OneDrive that don’t have a classification and, by inspecting the content of the document, see if they need one applied. MCAS can then apply the label and classification to that document.

How do I get Azure Information Protection? 

Another great question. AIP is a per-user subscription. It can be bought on its own as Azure Information Protection P1/P2, as part of the Enterprise Mobility + Security subscriptions (E3/E5) or the M365 (E3/E5) subscription.

Any user with a Microsoft Account (Work, School or Personal) or Google account can consume AIP protected documents. You can see the differences between subscriptions for yourself here.

Hopefully, you’ll now have a more in-depth insight into AIP and how it can support your organisation’s security strategy. Just think: next time you attach sensitive information to an email, you could be doing so with little anxiety, knowing that only the right person will be able to access it – a weight off anybody’s shoulders.

Are you seeking to secure your organisation’s sensitive information? Identity Experts are the first place to go for identity and access management – drop us a line to speak to a member of our team, or explore our past work.
