Azure Information Protection: Ready, Set, Protect! – Part 3

First published on CloudBlogs on Mar 23, 2017
This post is the third in a 4-part series focusing on how to implement information protection in your organization. In Part 1 of the series we showed you how to get going with classification and labeling , and FAST. In Part 2 we focused in on how you can take the learnings and benefits of classification and labeling and protect your information. Today's blog post is for those of you who are either Information Protection skeptics or have yet to kick off a proper evaluation of the technology in this space.  We want to help you hone in on what's really important in an enterprise solution for Classifying, Labeling and Protecting (CLP) your information. I'll be the first to admit that I write this from a position of bias, but I promise to be as candid as one can be having walked many miles in these particular shoes. As you scope your project and desired outcomes, we suggest that the critical criteria for a CLP solution as being:

1. Anchored in the new world information models while interoperating with the older world models
2. Deeply integrated into the applications that matter
3. Deeply integrated into the services that matter
4. Provided by a worthy enterprise partner
5. Promises a spectrum of assurances that span your requirements
6. Hosted in a manner that is consistent with your compliance boundaries

Let's explore these one by one:

Anchored in the new world information models

Generally speaking, the “old world” model is one where, like a butterfly, data is set free and you ask your IT leadership to 'catch it' before it leaks (DLP). While there are certainly use cases for reactive classification and protection of data, everyone would prefer that data be born properly classified, labeled and protected. We call this model CLP, Classification and Labeling should trigger DLP or other types of protection, like encryption. When considering information protection offerings, you want to ensure that your chosen vendor can perform this CLP activity early enough to be effective and secure. This is easier asked than done!

Deeply integrated into the applications that matter

Building on the above, CLP should be built into all your important applications. This is a tall order! Let's break it down.

• Most organizations use Office (Word, Excel, PowerPoint) and Outlook. They do so on PCs, Macs, Mobile Devices and even in web browsers via Outlook Web Access (OWA) and Office Web App companions (WAC). You'll want a partner that can integrate CLP into these products.
• Many other files types are important. Those can be enabled for protection via Windows Explorer extensions or more invasive bolt-on 'filter driver' abstractions or via format owner influence (i.e. application integrations). The Window Explorer extension category is achievable by any vendor so the important criteria here is how forward looking the offer is. Specifically, in which format is the file labeled and protected? This is critical as one could strongly assert that future versions of Windows (at the least) will become aware of data-bound encrypted files. When this happens, say in a future version of Windows 10, you'll want ALL your encrypted assets to 'just work'. Incompatible protection formats will, well, continue to be incompatible.
• As we progress from add-on protection tools towards native integrations, the next most popular file type is PDF. There are many PDF readers but the undisputed king-of-PDF is Adobe with Foxit being the next most recognized offering. You'll want a partner that stands a chance to partner with Adobe and that works with others to enable a popular and standardized CLP in their offerings.
• Some of you may want to leverage native email clients. Here, just as with PDF, you'll want to evaluate your partner's ability to influence the leading mail clients (iOS mail, Android mail, Windows mail) to integrate support for CLP.

Deeply integrated into the services that matter

Beyond desktop and device applications, you will want to see integrations both across the services you use in your environments and to collaborate with your broader ecosystem. As you move to the cloud, you are adopting Exchange Online, SharePoint Online, OneDrive for Business as well as other offerings such as SAP, Box, Dropbox, SFDC and so on.

• As information flows, you will want to gain visibility into how and where this happens, AND be able to take actions.
• These actions may be in-line (such as active blocking) but also remedial in nature (being able to apply protection to a document that lands on a cloud storage platform for example).

As with applications, you want to choose a vendor that can achieve these for both Microsoft cloud as well as be sufficiently influential to be in a position to work with the other significant cloud vendors in your environment.

Provided by a worthy enterprise partner

Security is a serious business. You want to be working with technology partners who are advocating strong leadership in the space, and who are in it for the duration. The last thing you want is to adopt products that either end up being terminated, or acquired by larger companies that are not directionally aligned. The floor is littered with solutions that have been subsumed in both these scenarios (Liquid Machines, Sealed Media, and several more).

Promises a spectrum of assurances that span your requirements

Our experiences show us that while there are broad commonalities in our customer base, there are also a long list of specific requirements that apply to smaller groups of customers. From geopolitical and country-specific laws, to regulatory compliance, to internal business information policies, your business is, well your business. And you need a partner that offers you the ability to adopt technology the way that you need to. There may be guiding rails, but the range of choice must be available.

• What are the requirements you have for encryption keys?
• Where can logs be stored?
• Can you use public clouds or is there a need for segmented platforms?
• Do you have highly toxic data that must reside on physical platforms you control?

Regardless of what the permutations are that you need, your partner must be able to work with you to help you adopt in the right ways. Being ‘just on premises’ or ‘just cloud based’ is insufficient.

Hosted in a manner that is consistent with your compliance boundaries

And lastly, but certainly by no means least, you must have confidence in your security partner to operate the applications, services and platforms you use to the standards you require. Cloud vendors must adhere to all compliance and security needs, from writing code through to operational processes, you should look into how this is done, and what will happen in the event of an incident.

In closing…

Hopefully you found this to be a useful checklist. With the above offered as neutrally as one in my position can do, I’d like to now say that, for each of the above, our Azure Information Protection offering scores quite well. In total, we feel even stronger that no other vendor can get anywhere near as close to meeting these needs requirements as can Microsoft. Sure, we have a few edges that need a bit more work but we’d be doing that alongside you, and at a rapid rate of innovation. We know this is a lot to absorb, and we are here to help. Engage with us on Yammer , Twitter or send us an e-mail to askipteam@microsoft.com . Thank you, Dan Plastina on behalf of our enthusiastic Azure IP team. Twitter: @DanPlastina Useful links: aka.ms/DanPlastina (PDF) It really is very easy to get started. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!

• Download the new unified client from our Download Center
• Start a trial and kick the tires
• Learn more about Information Protection
• Get deep technical and scenario documentation