First published on CloudBlogs on Oct 04, 2016
On June 22nd, we announced Microsoft Azure Information Protection (AIP), a new service that builds on both Microsoft Azure Rights Management (RMS) and our recent acquisition of Secure Islands. This was quickly followed by the first
on July 12th, delivering a comprehensive classification, labeling and protection solution to the market.
Today we’re excited to announce that Azure Information Protection is now Generally Available (GA).
The Preview program was incredibly successful, with over 500 active tenants testing and giving us great input. We want to say a HUGE THANK YOU to all the customers that participated, providing us with feedback (and yes, the odd bug!) and helping shape the product into what it is today.
To quickly recap, we promised (and delivered!) the following value in AIP:
Classify, label, and protect data at the time of creation or modification.
Use policies to classify and label data in intuitive ways based on the source, context, and content of the data. Classification can be fully automatic, user-driven, or based on a recommendation. Once data is classified and labeled, protection can be applied automatically on that basis.
Persistent protection that travels with your data.
Classification and protection information travels with the data. This ensures that data is protected at all times, regardless of where it is stored, with whom it is shared, or if the device is running iOS, Android, or Windows.
Enable safe sharing with customers and partners.
Share data safely with users within your organization as well as with external customers and partners. Document owners can define who can access data and what they can do with it; for example, recipients can view and edit files, but they cannot print or forward.
Simple, intuitive controls help users make the right decisions and stay productive.
Data classification and protection controls are integrated into Office and common applications. These provide simple one-click options to secure data that users are working on. In-product notifications provide recommendations to help users make the right decisions.
Visibility and control over shared data.
Document owners can track activities on shared data and revoke access when necessary. IT can use logging and reporting to monitor, analyze, and reason over shared data.
Deployment and management flexibility.
Protect data whether it is stored in the cloud or on-premises, and choose how your encryption keys are managed with Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) options.
So, what does this announcement actually mean?
The Azure Information Protection service is GA
The Azure Information Protection client for Office (2010/13/16) on Windows (7/8/10) is GA
The HYOK feature is available in Preview
New mobile apps for iOS and Android replace the existing RMS Sharing Apps
We will be enforcing license requirements and admin rights in the Admin Portal from 10/5
Azure Information Protection service
The configuration of all policies, rules, and labels is completed in the administration portal. You can define the labels that users will see in the client, and what the content detection, protection, and visual marking rules are, as shown in the example below:
Azure Information Protection client
Today we are making available the AIP client for Office (versions 2010/13/16) on Windows (versions 7/8/10). The client is the user experience, simple and intuitive to use. Based on the classification policies, users can have a default set, manually select a label, be prompted based on content, or have a classification automatically applied based on content. Changes to classification levels are captured and users can be requested to justify the change.
We currently provide for the consumption of protected content on all platforms. In the near future we will also provide additional support for classification and labeling across other platforms including Mac, iOS, Android, and Web.
We are releasing new AIP apps for iOS and Android. These apps replace the existing RMS Sharing apps that are in the store. Anyone with the current RMS Sharing app installed will receive an update through the app stores and an in-place update will be completed—you don’t need to take any action.
New in these apps is the ability to open protected emails (for when you are not using Outlook for iOS or Outlook for Android) and protected PDFs in addition to the existing file types (image and ad hoc protection).
Hold Your Own Key (HYOK)
First discussed on August 10, the
enables highly regulated organizations to protect data in a way in which you hold the encryption key. Whereas with BYOK we host your key in Azure Key Vault HSMs, with HYOK the key is held in YOUR HSMs.
As we state in the above linked post, HYOK is not for everyone. The HYOK offer is meant for cases where opaque data is required and it comes with trade-offs. Please read the linked article carefully so you understand and take into account these trade-offs in your decision-making process.
It really is very easy to get started. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!
And of course, we are not done yet! We will be rapidly iterating on the service. Some of the upcoming features and updates include:
Scoped policies – provide each user with their own set of labels and policies based on group membership
Reporting and dashboards
Updates to the AIP Client to fully replace the existing RMS Sharing App (Windows Explorer integration plus ad hoc sharing)
Updates to the SDK/API to include classification and labeling
General availability of the HYOK capability
Dan Plastina on behalf of the Information Protection Team.