Azure Information Protection- part 1: Document+email protection overview

In one of my earlier post, I wrote about VDI and if the concept is dead. One of my points was that VDI was/is used for content security reasons. Place all your desktops virtually in a central data center, and automatically, the assumption is that content will be protected as well. I have heard this use case many times but I believe there is a better approach to deal with content protection: truly protect your content; your documents and emails. Besides true protection, make your users aware what kind of content they are dealing with. Make them think twice before they send content to others, for example.

Azure Information Protection is a cloud-based solution that helps you to classify, label
and protect documents and emails. This can be done automatically (rules set by administrators), manually (by users) or both- where users are given recommendations. Optionally you can monitor and respond which means you can track & trace content and revoke access.

By using labels you add classifications to files and emails. This is done by adding metadata in clear text to files and email headers.

So, there are 3 components to Azure Information Protection:

  1. Classification/labeling: as an organisation you must think about your content- documents/emails first. There needs to be a organisation wide policy on how to classify/label content. Call it sensitivity levels, like: Personal, General, Confidential etc. You need to describe which content will get what classification/label. This policy will be implemented in Azure Information Protection. I sometimes call this the awareness phase: as an organisation, you need to think documents/emails, get aware of the sensitivity and translate that to labels. As a user, because of the policy, you will become aware of the guidelines set by the organisation how to handle specific content, and become more aware of its sensitivity. Besides coming up with classifications/labels, as an organisation you also need to think about the results/consequences within a classification/label. Is there a result within a label? Does a label require protection? That’s component 2,
  2. Protection: if you decide/agree as an organisation that a specific classification/label needs protection, you will need to define what kind of protection; encryption, access control, expiration data etc. That’s a second policy you need to think about. Do realize that not all classifications/labels will get protection in most cases, as far as I see it. So, as an example: documents with a label “General” aren’t protected and can be send to everyone, opened by everyone. etc. Documents labeled as “Confidential” might have a protection policy- only shared internally, only viewed and not edited, etc. When there is a protection policy in place, attached to a classification/label, users can track&trace the document and optionally revoke access to it. Component 3,
  3. Monitor and Respond: when a document is classified/labeled and protected, a user can monitor the usage of that document when he/she shares it. Via the Azure Information Protection client, a user can monitor who has opened the document and from where. That user also can revoke access to that document.

The beauty of Azure Information Protection is that it can classify/label and protect data no matter where the documents are; file shares, OneDrive, Sharepoint etc. It is very intuitive and easy to use for users through buttons. I will cover what Azure Information Protection looks like from an admin perspective, from a user perspective and use cases in different, coming posts. Stay tuned. If you want to know more/read more, click here.

Leave a Reply

Your email address will not be published. Required fields are marked *