Blog Post

Security, Compliance, and Identity Blog
7 MIN READ

Azure Information Protection: Ready, set, protect!

Azure Information Protection Team's avatar
Sep 08, 2018
First published on CloudBlogs on Feb 21, 2017

Part 1 – Getting up and running is easier than you think

This post is the first in a 4-part series focusing on how to implement information protection in your organization. With the adoption of mobility and cloud services, data is traveling to more locations than ever before. While it has helped users become more productive and collaborative, securing and monitoring the data has become harder. Our goal with this blog series is to help you address some of these information protection challenges regardless of where you are in that journey. Today, we’ll share some tips for those who already own our information protection solution but are not taking advantage of it. We’re also pleased to share this video that talks about some of these tips in detail. [embed]https://youtu.be/GWcnZFMPcnE[/embed] Based on learnings from our customers, we offer you tips below to start protecting your information quickly.

Tip#1: Pick standardized and approachable labels

The first tip, Pick standardized and approachable labels , a very critical step. We assert quite strongly that you must use global labels. These are the labels that everyone sees in the ‘bar’. Simply stated, train people once and don’t expect them to understand overly geeky terms like C2 or HBI. Terms like Highly Confidential are plain and obvious. You can certainly do otherwise but, it’s the road far less travelled. Here’s what we advocate you do:

Figure 1: Our default labels we recommend you use

Tip#2: Create sub-labels for your key departments

The second tip, Create sub-labels for your key departments , is also quite important. It’s the ‘pressure release valve’ for all those folks who gave you a hard time with your inflexible stance on Tip #1! Here, you create sub-labels for those departments that are special. For example, HR, Legal, and Finance are all quite special in that they handle very sensitive materials. Give them a sub-label. This makes it trivial for someone to classify data as Finance \ Highly Confidential.

Figure 2: Use sub-labels for key departments

Tip#3: Use scoped policies for the needs of specialized teams

If you’re a large company, you may find yourself with a lot of special people; it generally comes with the territory. That’s perfectly fine. For those teams who are less mainstream than the above trio of HR/Legal/Finance, you can support them with the capabilities we call out in our third tip, Use scoped policies for the needs of specialized teams . Scope policies enable you to control who can see what sub-labels (recall that we’re asking you to maintain a consistent set of labels!) and they also let you offer specialty behaviors. For example, using scoped labels for HR lets you set their default to be Confidential whereas you can maintain General as the default classification for the more normal people in your organization. Here’s an example of my view given I was part of a special secret team called ‘Project Samos’.

Figure 3: Use scoped policies for specialized teams

As shown in the video, no one but those who are part of the Project Samos user group would see this template. Here’s the administrative user interface where you specify the group membership filter:

Figure 4: The admin view of scoped policies

Tip#4: Encourage the right behavior

Tip four is a simple one: Encourage the right behavior . This tip is really about enabling you to take risk with very low cost if you make mistakes. Let’s explain what that means. Automatic classification is always wonderful but in complex systems rarely does automatic work the way you’d expect. Over use of automatic classification can frustrate your users. Instead, rely on recommendations so that you can make mistakes.

Figure 5: Encourage the right behaviors with recommendations

Learn the system, review the Azure Information Protection (AIP) application logs and when you get a really high percentage of accuracy, then – and only then – should you consider using automatic. We’d also suggest that a ‘really high percentage’ is better than 98 of 100 accurate classification. Recommendations are your friend! When ready, simply change the setting at the bottom of figure 6.

Figure 6: Conditions are content detection rules and can be either recommended or automatic

Tip#5: Safeguard Email Communications

The fifth tip is to Safeguard Email Communications . We’re going to save that for another post. Turns out that those of you stuck on S/MIME will have a much harder time migrating and we’ll have a lot to write about that.

With the above said, let’s cover those second order considerations:

Consideration #1 – How can I perform a scoped deployment of the above?

This one is easy. Simply do the following:

  1. Go to your Azure Subscription. Find the Azure Information Protection service.
    • Review the current settings.
    • Resist the urge to change the Global labels but you can enable/disable some of them (e.g.: Not everyone wants the Personal label).
    • Do NOT turn on RMS templates for your first attempt -- stick with classification alone.
    • Consider requiring justifications.
    • Invoke Publish when asked (you need to do this after any change)
  2. Deploy the AIP client to yourself and 1-3 people. Should just work.
Consideration #2 – How do I deploy to the next 100-1000 folks? Before moving from a pilot-phase to a production-phase, it’s important to settle on a set of standards and broadly communicate the impact.
  1. Create & Publish a standard: Establish a working group which is tasked with creating a data classification standard for the organization. Ensure that folks across the organizations risk management board, security & standards council weigh and sign-off on the classification standard before publishing it. If you are replacing any existing classification taxonomy, build a plan to retire the existing standard.
  2. Support: Ensure that your organization’s helpdesk is aware of the deployment & classification standard.
  3. Communication plan: Create a communication plan to inform the leaders & employees of the rollout and its impact. Build a plan to influence high impact/mandatory trainings (such as new employee orientation or business conduct trainings). Build channels to actively seek feedback and make configuration improvements based on the feedback.
Consideration #3 – I’m an over-achiever, what more ‘can’ I do?
  1. Custom Help/IP page: Create your custom webpage which summarizes your organization’s classification taxonomy. You can specify the URL of this page in the AIP portal under Global settings.
  2. DLP policies: AIP updates the message headers as part of classifying & protecting content. Create mail flow rules/policies which take an appropriate action based on message headers. For example, if the mail is classified as ‘Highly Confidential’ (as reflected in the message header) and if the recipient is outside the organization – block the mail.
  3. SharePoint Online (SPO) custom properties – From the O365 Security and Compliance center, create a rule for SPO which inspects the managed properties in a document to take an appropriate action (for e.g. notify the library owner or the last person who modified the content)
Consideration #4 – I’m an over-achiever. What should I NOT do? We’re happy you asked! It’s simple: Don’t go crazy with your new found super powers! By way of a story…a long time ago I invented Windows Group Policy with a few colleagues. We were so proud. We told everyone to turn every knob, dial, and switch they could. You know what, they did. The end users were SO upset by the ‘heavy hand of IT’ that they rebelled. Not a pretty sight! It certainly was not the right balance of control vs usability. Having learned a few things, I’d now encourage you to show restraint with a few aspects of Azure Information Protection
  • Don’t overdo sub-labels. Many user cognition studies show that users can retain about five different things. Don’t give them fifteen. Show restraint.
  • Don’t overdo scoped policies. People talk. People change jobs. If you make ‘everyone’ in your organization special, you are asking for more pain. Show restraint.
  • Don’t wait. You’re leaking data. You’re focused on protecting way, way too much data today. By classifying your data as we advocate above, you can focus on the Confidential / Highly Confidential stuff and only that stuff. You’ll reduce your workload by quite a bit.
Consideration #5 – I own EMS E3. Should I wait for the next budget cycle to get EMS E5. No. Practically everything we’ve covered is part of E3 except for recommendation/automatic classification (and HYOK, the next consideration). You can enjoy a wonderful uptick in information protection with the E3 offer. In fact, show your leadership that you have maximized the value of your EMS E3 purchase and then consider AIP P2 or EMS E5. That said, we’re working hard at adding value at all tiers so I’d encourage you to look at the very nice work we’ve done with Cloud App Security (MCAS) with regards to classification. Hopefully you’ve gotten a taste of what you can do today with ease. This stuff is not hard for you given we’ve spent many, many hours talking to customers and understanding their pain points. Give it a try and share your feedback with us at AskIPTeam@microsoft.com . Thank you, Dan Plastina on behalf of our enthusiastic Azure IP team.

Twitter: @DanPlastina Useful links: a ka.ms/DanPlastina

It really is very easy to get started. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!
Published Sep 08, 2018
Version 1.0
No CommentsBe the first to comment