Azure Information Protection – Part 1 – classifying and labelling data

Posted on 18 May 2017

In the first of two blog posts we look in a little more depth at the important topic of information protection, and in particular at how Azure Information Protection (AIP) can help you achieve it.

AIP enables you to better protect your sensitive information anytime and anywhere, no matter where it is stored or who it is shared with. It helps you control and secure email, documents and sensitive data that you share outside your company.

AIP offers information protection across the entire data lifecycle:

  • Classify – based on business rules
  • Label – based on sensitivity
  • Protect – using various methods
  • Monitor – use of data
  • Respond – to misuse

Azure Information Protection – classification

The first stage is classification, so it makes sense to start with your most sensitive data. AIP enables you, as IT administrators, to set automatic rules and to allow users to complement them. This is done by associating actions such as visual markings and protection with data.

Not all data needs the same level of protection, so you need to classify data according to its level of sensitivity. There are 4 different ways you can apply classifications to your data:

  • Automatic – this is where the IT department will set policies that automatically apply classification (and subsequent protection) to your data based on rules.
  • Recommended – this is where, depending on the content a user is working on, they will be prompted with a suggested classification (not automatically applied), e.g. if a spreadsheet is detected as containing credit card numbers it could be recommended that it be made confidential.
  • Reclassification – this enables a user to override (usually downgrade) an existing classification and optionally be required to provide a new classification and justification.
  • User set – this is where users can apply (with a single click via an AIP plug-in) a sensitivity label to the data they are working on.

Once you have classified your data, it can then be labelled.

AIP – labelling

AIP has a number of default labels that can be used, such as secret, confidential and internal. It also allows you to create your own custom ones based on your own business rules. These labels, once set, are persistent and move with the data.

The label is, in fact, metadata that is written to the document. This metadata is in clear text so that it can be read by other systems, such as DLP. Actions like visual marking and encryption can then be taken based on the classification and label.

If you would like to find out more about how AIP can help your organisation protect its data both internally and externally, please contact us.

Read the second article here.
