Azure Information Protection makes warding off data leaks easier
Peter Bright
Today, Microsoft announced Azure Information Protection (AIP),
a new system to help protect sensitive data even as it moves between
applications and organizations. AIP builds on the existing Azure Rights
Management (RMS) system by adding data labeling and classification, so
that the right protection policies are applied to sensitive data at the
moment it is created, helping to prevent data leaks.
Azure RMS provides a cloud-based system for performing
rights management of sensitive information. With RMS, documents are
encrypted and restricted in various ways; opening them requires
authentication against Azure Active Directory (AD), allowing the usage
of the documents to be tracked and recorded. Once opened, the documents
can have their usage restricted to prevent, for example, printing or
editing.
Unlike a traditional password-protected document, where
knowing the password is sufficient to give permanent access to the file,
the online authentication used by RMS means that access can be
controlled on a more continuous basis. Accounts showing suspicious
behavior such as impossible travel (where logins are made from different
places around the world faster than one could travel between those
places) can be locked out, blocking access to protected data.
Applications such as Exchange and SharePoint already have
support for rights management policies, with Exchange being able to
block the forwarding of sensitive e-mails to external addresses, for
example.
AIP adds easy-to-use classification and labeling of data so
that the right policies can be applied. RMS provides the core file
encryption and authentication features; AIP provides an easy interface
within Microsoft Office for picking a policy, along with automatic
rules-based classification so that policies can either be suggested or
applied automatically, based on document features. For example, a Word
document containing a credit card number might suggest a policy that
restricts access to the finance department. Users can be given the
ability to override these suggestions (optionally requiring them to
describe their reason for doing so), giving IT departments oversight of
the system.
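To make the rules-based classification concrete, here is an added illustration (not Microsoft's code, and not how AIP is implemented) of the kind of rule the article describes: a document containing a credit-card number gets a finance-restricted label suggested, and a user may override that suggestion only by recording a reason. The label names, the Luhn check used to cut false positives, and the sample text are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed rule: 13-19 digits, optionally separated by spaces or dashes.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects most ordinary digit runs (order numbers etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return candidate numbers that pass the Luhn check, separators removed."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Classification:
    label: str                      # assumed label names, not AIP's
    reason: str                     # why the rule fired (for IT oversight)
    override_justification: Optional[str] = None


def suggest_label(text: str) -> Classification:
    """Suggest (not force) a label based on document features."""
    cards = find_card_numbers(text)
    if cards:
        return Classification("Finance - Confidential",
                              f"{len(cards)} Luhn-valid card number(s) found")
    return Classification("General", "no sensitive patterns matched")


def apply_override(suggested: Classification, chosen: str,
                   justification: str) -> Classification:
    """Changing the suggested label requires a recorded justification."""
    if chosen != suggested.label and not justification.strip():
        raise ValueError("override requires a justification")
    return Classification(chosen, suggested.reason, justification or None)
```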
AIP has native support for Office documents, along with
PDFs, AutoCAD files, and reports generated by SAP. This native support
enables things like watermarks to be automatically added to protected
Word documents to indicate their protection. Other data can also be
protected by putting it inside an encrypted wrapper. The combination of
encrypted data and cloud authentication means that the protection is
applied wherever a file is accessed from, whether at the office or on a
mobile device, and it works the same way whether the data is stored
locally or in the cloud.
This labeling and classification capability is a result of
Microsoft's late-2015 purchase of Israeli firm Secure Islands. The
feature will go into preview in July, with the company planning general
availability by the end of the year.
Microsoft's investment in this area signals a broader shift
in the approach to data management. The widespread use of mobile devices
and cloud services means that for many organizations, the network
perimeter no longer represents the border beyond which sensitive data
must not flow. Collaboration with external companies makes this problem
harder still. RMS and AIP instead use what the company calls an
"identity-driven" approach to securing data: users must authenticate
with Azure AD, proving their identity, regardless of where they're using
protected data.
While Microsoft is not alone in offering cloud-based rights management (we wrote about Egnyte, a cloud company offering some similar capabilities,
earlier this month), Redmond argues that it's particularly
well-positioned in this area. Companies using Office 365 already have
Azure AD identities, so a large part of the setup that might otherwise
be required is taken care of.