Posted by Andrew Ballantyne on 27th January 2021

An Introduction to Azure Information Protection

Let me delve straight in by answering two key questions:

  1. What is Azure Information Protection?
  2. What does it have to do with the security of remote working?

In Microsoft’s own words, Azure Information Protection (AIP) is a cloud-based solution that enables organizations to discover, classify, and protect documents and emails by applying labels to content (1). It is part of the Microsoft Information Protection Solution and is dedicated to solving the problem of how to label your organisation’s information appropriately to avoid it falling into the wrong hands. 

The answer to question 2 gives me the opportunity to start expanding on this by building in a bit of context. All organisations have business-critical and sensitive information. It is likely that you have those key client lists or that document that you simply cannot afford to lose. In such cases, something as simple as a careless email forward to the wrong person can prove costly.  Having an information classification policy is obviously a great place to start, but with the amount of information being produced and circulated in this era of digital communication, we must ask ourselves the question:

Is relying on employees to reference a policy to classify company information and treat it appropriately sufficient in protecting key business information?

If we are being honest with ourselves, the answer to this question should always be no. I am not suggesting this is because employees are hellbent on destruction and malintent, but simply because we make mistakes. It’s only a matter of time before one of those everyday mistakes becomes costly, and the risk factor increases with so many people working from home.

What’s important to understand is that in AIP you can:

  • Create the labels yourself: you can call them whatever you want. You can even align them with the labels in your company’s information classification policy (that’s what we’ve done);
  • Apply permissions to those labels to unify the level of protection across the entire company;
  • Enforce all documents and emails to require a label, meaning nothing gets missed!

Rather than go any further, I thought it would be best to show you, so I have put together a 5 minute video that gives you an insight into the basic (but all-important) functionality of the product:


What Labels can I set up and What can they do?

With AIP, you can really lock down your content. To give a good example, if you choose to restrict ‘copy (EXTRACT)’ from the list provided below, this will prevent screen shotting and will also blank the screen if attempting to share content over Microsoft Teams (or other remote communication software).

Below is a list of the permissions that can be applied to your labels:

  • View, Open, Read (VIEW)
  • View Rights (VIEWRIGHTSDATA)
  • Edit Content, Edit (DOCEDIT)
  • Save (EDIT)
  • Print (PRINT)
  • Copy (EXTRACT)
  • Reply (REPLY) **
  • Reply All (REPLY ALL) **
  • Forward (FORWARD) **
  • Change Rights (EDITRIGHTSDATA)
  • Save As, Export (EXPORT)
  • Allow Macros (OBJMODEL) *
  • Full Control (OWNER)

The details for each of the above and what they mean in real-time can be found in the links at the bottom of this article under ‘Label Permissions’. As you will see, the rules will cover pretty much all scenarios. The question is, what labels do you want, and what permissions do you want to apply to each label.


Some other Frequently asked Questions

Q: Does AIP cover other non-Microsoft documents (pdfs and dwg format (CAD drawings), for example)?

A: Pdf is covered under AIP. For dwg files, there is a really intelligent plug-in called Seal Path which is recommended by Microsoft.

Q: Can access be restricted to individuals, not just domains?

A: Yes, we do that ourselves for HR. We have set it up so that only specific Circle Cloud individuals can access documents with the HR label.

Q: Can you set role-based document access?

A: Yes, Labels can be applied to role-based access groups rather than individual users or domains.


The Summary

As a business owner or senior IT professional, wondering whether document classification policies (and policies generally) are being adhered to when working remotely can be a worry, especially when a demand for speed has potentially bypassed our daily focus on information security. There hasn’t been a better time to implement these cloud-based security products, and moreover, they are not just a quick fix. They can form part of your longer term IT strategy when (probably more like ‘if’) we return to our offices.

To find out more about how AIP and what it can do for your organisation, please get in touch. We can also arrange technical demonstrations to build on the more high-level functionality presented in this blog.

To find out more about implementing Azure Information Protection into your organisation, get in touch.

Thanks for reading!


Sources and Links

Source (1)

Label Permissions

Recent Posts

Some of our happy clients...

Drop us a message...