Chapter 12

Demystifying Information Protection

IN THIS CHAPTER

  • Diving deep into the world of information protection
  • Setting the user environment for Azure Information Protection
  • Recovering from a data leak by revoking access to a document

People can say anything they want about robots taking over IT jobs, but as far as I’m concerned, the job of an IT admin is still relevant and much needed today and in the future. If you think about how social media has encouraged people to loosen up about sharing personal information — what they had for lunch, the car they just bought, or their upcoming trip to Cabo while their home will be unattended — it’s not hard to imagine that the same loose attitude could spill over into the workplace.

Consider the hapless lawyer who responded to a colleague with details about their pending case only to realize that by clicking the Reply to All button, he had shared that information with the opposing counsel. Or the police officer in the UK who sent a spreadsheet of criminal record checks to a newspaper instead of to an internal recipient because of Outlook’s auto-complete feature.

These scenarios are just two of many illustrating why IT admins should feel secure about their jobs. Without proper data and information protection in place, businesses can be put in an embarrassing situation or face litigation or, worse, lose their competitive advantage. With the right toolset and access to the latest industry best practices, IT admins can protect their organization from data leakage and prevent data loss.

Microsoft 365 Business includes a robust set of functionalities for protecting company data through the recent addition of the Azure Information Protection Premium P1 license. This is great news for SMBs because these features have traditionally required purchasing more expensive enterprise licenses.

In this chapter, I break down the concept behind Azure Information Protection (AIP), describe data classification and labeling, explain how documents can be protected, and show you the AIP experience from the end user’s perspective. The information presented in this chapter is designed to solidify the important role an IT admin plays in securing company data. If you’re an IT admin, this chapter is a validation of your relevance and value.

Configuring AIP

The term information protection, or IP, is generally used to encompass industry standards and best practices for protecting information from unauthorized access. In the Microsoft ecosystem, Azure Information Protection, or AIP, is a cloud service that allows organizations to classify data with labels to control access. AIP can be purchased as a stand-alone license or bundled into a solution such as Microsoft 365 Business.

A breakdown of the features included in each of the four versions of AIP is available at this link: https://azure.microsoft.com/en-us/pricing/details/information-protection/. The AIP Premium P1 license is included in Microsoft 365 Business.

The evolution of AIP

AIP has gone through an evolution in the last few years, and you may have encountered this technology under a different name. Some of the technology’s old names are Azure Rights Management Service (Azure RMS), Azure Active Directory Rights Management (AADRM), Windows Azure Active Directory Rights Management, Information Rights Management (IRM), or to some, simply “The New Microsoft RMS.” You’ll do yourself and Microsoft a great favor by forgetting all those old names and just sticking with AIP.

The latest iteration of this cloud technology now offers classification and labeling capabilities that can, in turn, apply rights management to protect files. At a high level, AIP protects your data in three key steps:

  1. First, data is classified and labeled. For example, if a document is classified as confidential and should be available only to the recipients of the email, the label might be Confidential — Recipients Only.
  2. Next, data is protected through encryption, access control, and policies based on the label. Continuing with the preceding example, a document marked with the Confidential — Recipients Only label will be encrypted so that only the recipients can read it.
  3. Finally, documents can be tracked, and access can be revoked if necessary. From the preceding example, the sender of the email may decide that one of the recipients should no longer have access to the document. In that case, the sender can revoke access for a specific user.

Office 365 Message Encryption, or OME, is one of the features in AIP. In Chapter 6, I cover the details of OME and provide step-by-step instructions for sending encrypted email by using Outlook. In this chapter, I focus on AIP features you can use in Office applications such as Word and Excel.

If you have the AIP Premium P2 license, you can avail yourself of additional functionalities, such as automatic classification for cloud and on-premises data. In this chapter, however, I cover the features available in the AIP Premium P1 license.

Activating AIP

To start using AIP, the first thing you need to do as an IT admin is to activate the service in your Microsoft 365 Business tenant. Even if you think the service is already enabled, it doesn’t hurt to verify. Here’s how:

  1. Log in to https://admin.microsoft.com with your global admin credentials.
  2. In the left navigation, under the Settings group, click Services & Add-ins.

    The Services & Add-ins page is displayed, as shown in Figure 12-1.

  3. Select Microsoft Azure Information Protection.

    The Microsoft Azure Information Protection window is displayed on the right.

  4. In the Microsoft Azure Information Protection window, click Manage Microsoft Azure Information protection settings.

    The Rights Management page is displayed, as shown in Figure 12-2.

  5. Confirm that Rights Management is activated. If it isn’t, click the Activate button.

    In this example, the tenant is already activated for AIP.
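The same check the preceding steps perform in the admin center can be scripted. This is an added example, not code from the book; it assumes the AIPService PowerShell module is installed (Install-Module -Name AIPService) and that you sign in with a global admin account.

```powershell
# Added example (not from the book): verify that Rights Management is activated
# for the tenant and activate it if it is not. Assumes the AIPService module is
# installed and the signed-in account is a global admin.
Connect-AipService   # prompts for your global admin credentials

$status = Get-AipService   # returns 'Enabled' or 'Disabled'
Write-Host "Rights Management status: $status"

if ($status -ne 'Enabled') {
    # Equivalent to clicking the Activate button on the Rights Management page
    Enable-AipService
    Write-Host "Rights Management status after activation: $(Get-AipService)"
}

# List the Rights Management templates the tenant exposes, so you can confirm
# the defaults are in place before users start applying protected labels
Get-AipServiceTemplate | Select-Object TemplateId, Names, Status

Disconnect-AipService
```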

FIGURE 12-1: Navigating to the Microsoft Azure Information Protection settings.

FIGURE 12-2: A tenant with Rights Management activated.

After you’ve confirmed the status of your AIP settings, you can safely close the browser window or navigate back to Microsoft 365 Admin Center from the app launcher.

Getting familiar with labels

Tip: AIP comes preconfigured with default policies and labels that are applicable for most organizations, including small businesses. Before you start thinking about configuring custom labels and policies for your organization, take the time to become familiar with the default settings. You might save yourself a lot of work creating and testing custom policies.

If your tenant was provisioned after February 2018, the following labels and corresponding descriptions are already available:

  • Personal: Non-business data, for personal use only.
  • Public: Business data that is specifically prepared and approved for public consumption.
  • General: Business data that is not intended for public consumption but can be shared with external partners as required. Examples include a company internal telephone directory, organizational charts, internal standards, and most internal communication.
  • Confidential: Sensitive business data that could cause damage to the business if shared with unauthorized people. Examples include contracts, security reports, forecast summaries, and sales account data. The Confidential label is further broken down into the following sub-labels:
    • Recipients Only: Confidential data that requires protection and that can be viewed only by the recipients. This label will only appear in Outlook and will apply the Do Not Forward policy.
    • All Employees: Confidential data that requires protection that allows all employees full permissions. Data owners can track and revoke content.
    • Anyone (not protected): Data that does not require protection. Use this option with care and with appropriate business justification.
  • Highly Confidential: Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports. The Highly Confidential label is further broken down into three sub-labels:
    • Recipients Only: Highly confidential data that requires protection and that can be viewed only by the recipients. This label will only appear in Outlook and will apply the Do Not Forward policy.
    • All Employees: Highly confidential data that gives all employees view, edit, and reply permissions on this content. Data owners can track and revoke content.
    • Anyone (not protected): Data that does not require protection. Use this option with care and with appropriate business justification.

If your Office 365 tenant was provisioned before March 21, 2017, you’ll find that the General and Highly Confidential labels are missing. Their equivalents in older tenants are Internal and Secret, respectively.

To further explore these labels and corresponding policies, you need to navigate to the Azure portal and access the Azure Information Protection service settings. Here’s how:

  1. Follow Steps 1-4 in the preceding section (“Activating AIP”).
  2. On the Rights Management page, click the Advanced Features button.

    A new browser window launches and the Azure Information Protection — Labels page is displayed, as shown in Figure 12-3.

FIGURE 12-3: Azure Information Protection — Labels page in Azure.

The Confidential and Highly Confidential labels are collapsed by default. To view their sublabels, click the arrow to the left of the label to expand the selection.

A few words about policies

On the Azure Information Protection — Labels page, referenced in the preceding section, note that the labels all have Global under the Policy column. By default, AIP comes with a Global policy that is applied to all users in the tenant. You can edit this policy, but you can’t delete it. You can also create new policies and configure them to your heart’s content, but the Global policy will always be there.

To view the details of the Global policy, follow these steps:

  1. Follow Steps 1-4 in the previous section (“Activating AIP”).
  2. On the Rights Management page, click the Advanced Features button.

    A new browser window launches and the Azure Information Protection — Labels page is displayed (refer to Figure 12-3).

  3. In the left menu, under the Classifications group, click Policies.

    On the right, the Configure Administrative Name and Description for Each Policy blade is displayed.

  4. In the Policy column, click Global.

    The Policy: Global blade is displayed, as shown in Figure 12-4.

FIGURE 12-4: The Policy: Global blade in Azure Information Protection.

Warning: Be careful about changing the default settings in the Global policy because it is applicable to everyone in your organization. You might want to create another policy first and test it out. If you decide to change the Global policy, make sure to save your changes. (If you forget and simply close the blade, the system will prompt you to save your changes.)

Putting AIP Into Action

Implementing Azure Information Protection is not something you would do without thoughtful planning and the involvement of key stakeholders in your organization. You need to make sure that the rollout is communicated to end users, training is delivered, and support is planned.

As an IT admin, you should perform some testing and become familiar with the process before you implement AIP for the entire organization. After you’ve explored the Azure Information Protection service in Microsoft Azure, the next step is to put what you know into action. In this phase, you need your end users to participate.

Installing the AIP client

You can have the greatest policies and labels for AIP in Azure, but they’ll be no good if your end users can’t see and apply them. The AIP client, a program that is run on the end users’ devices, solves this problem.

Before you install the AIP client, make sure Office ProPlus is already installed but not running on the device. When you’re ready to install the AIP client, do the following:

  1. Navigate to the AIP client download page at https://www.microsoft.com/en-us/download/details.aspx?id=53018.

    The Microsoft Download Center appears.

  2. Click the Download button.

    The Choose the Download You Want window is displayed.

  3. Select AzInfoProtection.exe by checking its box, as shown in Figure 12-5, and then click Next.
  4. From the notification that pops up at the bottom of your screen, click (or double-click) Run.

    The system performs a security check on the download. When the check is complete, the Microsoft Azure Information Protection window pops up, as shown in Figure 12-6.

  5. Click the I Agree button.

    You can opt to install a demo policy (not recommended because it will clutter your user interface) or send usage statistics to Microsoft or both.

  6. In the User Account Control window that displays, click Yes to start the installation.

    You see the progress of the installation.

  7. When the Microsoft Azure Information Protection window displays Completed Successfully, click the Close button.

    The installation window disappears, and you’re now ready to check that the AIP client was successfully installed.

FIGURE 12-5: Downloading the AIP client.

FIGURE 12-6: Installation window for AIP.

To verify the installation, open a blank document in Word. You see the labels below the ribbon, as shown in Figure 12-7.

FIGURE 12-7: AIP labels displayed in Word.

Applying a label to a document

Now that the AIP client is installed and the labels are displayed in the Office applications, it’s time to put them to the test.

  1. Create a Word document and pretend that it’s highly confidential.
  2. On the Sensitivity bar, click Highly Confidential and select All Employees, as shown in Figure 12-8.

    The label is applied, and the other labels will disappear.

  3. Run Outlook, start a new email, and attach the Word document.

    Note that Outlook displays the Sensitivity bar with the same labels you saw in Word.

  4. Enter the email address of a user in your organization.
  5. Enter an email address outside your organization, and then click Send.

    Outlook sends the email to the recipients with the Highly Confidential/All Employees label.
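Before a labeled document goes out by email, you can confirm from PowerShell that the label actually applied RMS protection. This is an added example, not code from the book; it assumes the AzureInformationProtection module that ships with the AIP client, a test document path I made up, and a placeholder label ID that you replace with the real ID of the Highly Confidential / All Employees sublabel from the Azure Information Protection — Labels page.

```powershell
# Added example (not from the book): label a file with the AIP client's
# AzureInformationProtection PowerShell module and verify the result.
$labelId = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER: real sublabel ID from the Azure portal
$docPath = 'C:\Test\TopSecretProject.docx'          # constructed test document

# Apply the label. A sublabel configured to protect content also applies
# RMS protection, the same as clicking it on the Sensitivity bar in Word.
Set-AIPFileLabel -Path $docPath -LabelId $labelId

# Read back the label and protection state of the file
$status = Get-AIPFileStatus -Path $docPath
$status | Select-Object FileName, IsLabeled, MainLabelName, SubLabelName, IsRMSProtected

# A labeled but unprotected file would still open for the external recipient,
# so treat that combination as a failed check rather than sending the email
if (-not $status.IsLabeled) {
    throw "$docPath is not labeled; check that the label ID is correct"
}
if (-not $status.IsRMSProtected) {
    throw "$docPath is labeled but not RMS protected; check the label's protection settings"
}
```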

FIGURE 12-8: Applying the Highly Confidential/All Employees label.

In this exercise, the email will still go out to both the internal and the external user. The internal user will be able to open and read the document from the sharing invitation. The external user, however, will be blocked from opening the document and will be presented with the message shown in Figure 12-9.

FIGURE 12-9: An external user blocked from a sensitive document.

Revoking access to information

As illustrated in the preceding section, AIP protects your company information from falling into the wrong hands — even after it has fallen into the wrong hands.

For example, suppose you realize that you accidentally sent a document to the wrong people and want to remedy the situation by revoking all access to the document. Here’s what you can do, continuing from the example in the preceding section:

  1. Open the protected Word document from the preceding exercise.

    A yellow bar appears, indicating the sensitivity of the document and containing a button to view the permissions for the document.

  2. On the Ribbon, click Home, and then click the Protect button.

    A submenu appears below the Protect button, as shown in Figure 12-10.

  3. On the submenu, click Track and Revoke to launch the document-tracking site.

    Your browser launches to take you to the document-tracking site.

  4. If this is the first time you’ve visited the site, log in with your Microsoft 365 Business credentials.

    After a successful login, the document-tracking site displays a summary of views of your document, as shown in Figure 12-11. Explore the tabs to see the robust features in AIP.

  5. At the bottom of the document-tracking site, click the Revoke access button.

    The Revoke access page is displayed.

  6. Click the Confirm button at the bottom of the page.

    The Revoke Complete window is displayed.

  7. Click Continue to go back to the document-tracking page.

    In the Summary view, the document displays the Revoked stamp.

FIGURE 12-10: Accessing the document-tracking site.

FIGURE 12-11: The document-tracking site.

One of the features I find amazing in this solution is that in the Map tab, you can see where around the world users tried to access your document! So, if you ever find that someone from, say, Russia or Timbuktu tried to open your document even though all your users are in the United States, you’ll know that access to the document should be revoked.
