Azure Information Protection (AIP)

Let's start with one of my favorites (so far): Azure Information Protection (or AIP). Just imagine the following example:

You are working on your Word document and you want to send this document to an external person. You e-mail that document as an attachment. The person opens this document, reads it and puts it on a USB stick to take with him. The USB stick gets lost! Now the document may have fallen into the wrong hands! Now what?


OK, this is a bit of a story, but hey, it could happen!



Active Directory Rights Management


First let us go back in time to when AIP didn't exist and there was Active Directory Rights Management Services (AD RMS).
This was a server role that could be installed on Windows Server 2008 R2, and it has existed since Windows Server 2003! Back then it was called RMS. The RMS client is available from Windows 2000 and later. So what does RMS do?
To explain in simple English: information with RMS on it carries certain policies that remain with the item wherever it goes. If the item is opened, it verifies with the AD RMS server to check that the policy matches. AD RMS provided encryption, authentication and certificates. RMS is the DRM of information: if a user couldn't be verified, the document could not be opened.


Azure Rights Management


OK, so fast forward a few years and voila! Microsoft implements RMS in Azure and calls it Azure Rights Management. Nothing new here, it's just in the cloud now!



AD RMS vs AIP

It's true, I can read your mind! I know you're thinking "What is the difference between AIP and RMS?" Don't worry, I'll explain.

RMS is the DRM (Digital Rights Management) of information. You know how DRM prevents you from listening to music that's not on a certain device or in a certain player? Well, it's the same with RMS. RMS prevents users from sharing or printing a document, while AIP only labels the document to notify users that the document is confidential. With AIP the user can still share the document; only when someone opens it will AIP check with RMS to make sure it's allowed to be opened. Yes, that's correct: AIP works with RMS. AIP does the classification, labeling and tracking of information; RMS does the policies.

For more information take a look at this site (Here)


Classification

AIP has some default classifications:
  1. Personal
  2. Public
  3. Internal
  4. Confidential
  5. Secret
You can configure (add/remove) labels as you like in the AIP center. Certain labels have protection via RMS and some don't. For example, Personal and Public are labels that don't have RMS because these are items that you can share with anyone; we don't want everyone who opens the document to be confronted with the AIP client. Internal, Confidential and Secret can be RMS or HYOK (Hold Your Own Key) protected because these documents are classified and are not allowed to be shared publicly with everyone.




HYOK

The more I dive into this tool, the more things I come across. What is HYOK? HYOK, or Hold Your Own Key, means that the organization holds the key: the organization holds the rights policies, and the private key that protects these policies is managed and kept on-premises. For example, this might be required for regulatory and compliance reasons. The AIP policies for labeling and classification remain managed and stored in Azure. HYOK sounds like a good deal, but Microsoft does not recommend it because it has some limitations; only if there is a real need for it should you use it over AD RMS.


AIP Client

You can download the AIP client here. You need it to use documents that have AIP enabled on them, or if you want to set a classification on a document or e-mail. Once you have installed the AIP client you can use it in Office or Outlook, but also for all your pictures or other items that you want to protect. The AIP client is also available as an app on iOS or Android devices.



AIP Conditions

Say you want to make sure users don't skip AIP when creating a document or e-mail, and you know they could be sending information that needs to be protected: you can use conditions. Conditions enable administrators to define when a label is set on a document or item. Say you have strict policies on using credit card numbers or banking information. A condition could be that if an IBAN number or credit card number is found, the label is automatically applied. You can also use custom conditions; maybe you have certain phrases that you know need to be protected (think of merger or acquisition).
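As an added example (not code from this post or from the AIP client), here is a small Python check that mimics the conditions described above: it scans a document's text for credit card numbers (validated with the Luhn checksum so random digit runs don't fire), for IBANs (validated with the ISO mod-97 check) and for the custom phrases, and returns the most sensitive of the post's default labels that should be applied. The regexes, the phrase list and the mapping of conditions to labels are assumptions for the demo.

```python
import re

# Added example, not code from the post or from the AIP client: a local
# check that mimics AIP conditions. Label names are the post's defaults;
# the regexes, phrase list and condition-to-label mapping are assumptions.
LABEL_ORDER = ["Personal", "Public", "Internal", "Confidential", "Secret"]
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")
MA_PHRASES = ("merger", "acquisition")  # assumed custom-condition phrases
CONDITION_LABEL = {"credit card number": "Confidential", "IBAN": "Confidential",
                   "M&A phrase": "Secret"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_valid(candidate: str) -> bool:
    """ISO 13616 mod-97 check on the candidate with spaces removed."""
    s = candidate.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]  # country code and check digits move to the end
    numeric = "".join(str(int(c, 36)) for c in rearranged)  # A=10 ... Z=35
    return int(numeric) % 97 == 1


def matched_conditions(text: str) -> list:
    """Names of the conditions that fire on this text (checksums filter false positives)."""
    hits = []
    if any(luhn_valid(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text)):
        hits.append("credit card number")
    if any(iban_valid(m.group()) for m in IBAN_RE.finditer(text)):
        hits.append("IBAN")
    if any(p in text.lower() for p in MA_PHRASES):
        hits.append("M&A phrase")
    return hits


def recommended_label(text: str):
    """Most sensitive label among the fired conditions, or None when nothing fires."""
    labels = [CONDITION_LABEL[c] for c in matched_conditions(text)]
    return max(labels, key=LABEL_ORDER.index) if labels else None
```

The checksum steps matter: without them a phone number or an order id with 16 digits would be labeled Confidential, which is exactly the kind of noise that makes users distrust automatic labels.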

Conclusion

That a lot is possible with AIP is clear by now. I personally find it a really cool way of having the freedom of the cloud while still having control and security over all the documents/items. It's maybe a little confronting if you have to verify credentials via an app or client to open a document, but it's there for the safety of the company.




