Information, as defined by the Oxford Dictionary, is facts provided or learned about something or someone. These facts can range from the trivial, which nobody cares about, to things that, not to sound utterly naïve, have the power to change the world. But you are not here to talk about the world, are you? Nope; we are here to talk about how you can protect the data that might end your company if it fell into the wrong hands.
Most managers would agree that information is key to an organisation’s success. Since time immemorial, information has helped empires grow in stature and has also brought about the fall of some. So, in today’s day and age, when almost all of our information is stored and accessed online, the protection part takes centre stage. The huge sums of money invested in information protection systems worldwide every year show that companies have started to take information protection seriously.
Data travels everywhere. Customers, employees, partners and vendors collaborate continuously on different devices and applications. But is the data always shared safely? Probably not. You can’t hold data in a corporate database at a single location anymore. Vendors, partners and consultants send millions of documents across corporate boundaries every day.
To fully understand the importance of information security, you need to appreciate both the value of information and the consequences of that information being compromised. The days when thieves would only steal laptops and desktops are long gone. Nowadays they steal the critical data held on hardware, including mobile phones, and the result is cyber-crime; the thieves are now called hackers. It’s not just about malicious data breaches, either. Information leakage, whether deliberate or inadvertent, can also compromise sensitive company data. Security specialists have found it useful to place potential security violations in three categories (the classification below comes from Saltzer and Schroeder’s 1975 paper “The Protection of Information in Computer Systems”):
Unauthorized information release: an unauthorized person is able to read and take advantage of information stored in the computer. This category of concern sometimes extends to “traffic analysis,” in which the intruder observes only the patterns of information use and from those patterns can infer some information content. It also includes unauthorized use of a proprietary program.
Unauthorized information modification: an unauthorized person is able to make changes in stored information–a form of sabotage. Note that this kind of violation does not require that the intruder see the information he has changed.
Unauthorized denial of use: an intruder can prevent an authorized user from referring to or modifying information, even though the intruder may not be able to refer to or modify the information. Causing a system “crash,” disrupting a scheduling algorithm, or firing a bullet into a computer are examples of denial of use. This is another form of sabotage.
The term “unauthorized” in the three categories listed above means that release, modification, or denial of use occurs contrary to the desire of the person who controls the information.
Examples of security techniques sometimes applied to computer systems are the following:
- labelling files with lists of authorized users,
- verifying the identity of a prospective user by demanding a password,
- controlling who is allowed to make changes to the computer system.
Information protection solutions used over the years have focused on control: firewalls and proxies kept sensitive information within corporate boundaries, and device security services protected data on managed devices and apps. But that only works for internal users. With the world becoming more interconnected every day and data being shared with customers, vendors and business partners, this approach no longer works.
Traditional boundaries fall short of today’s security needs. With rapidly shifting collaboration scenarios, security measures need to change from organization centric to a data-centric focus, protecting the data wherever it goes. And this is where “Azure Information Protection” comes in.
Azure Information Protection is a cloud-based service that classifies, labels and protects documents and emails both inside and outside an organization. It’s a universal way to identify data across disparate locations and apply the appropriate security measures. Azure Information Protection’s classification labels use headers, footers and watermarks to mark documents that contain sensitive information. The service also writes the label metadata in clear text into file properties and email headers, so that other data loss prevention services can read the classification and take action if necessary. Although it’s cloud-based, Azure Information Protection supports on-premises and hybrid scenarios. We will be focusing on the cloud-based part only.
Document protection in Azure Information Protection has the following four parts:
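As an added example (not code from the original article or from Microsoft), here is what that clear-text label metadata looks like and how a downstream DLP check could consume it. The label GUID, tenant (site) ID, owner, sample document and sample mail header are all constructed for the example; the property naming follows the MSIP_Label_<guid>_<field> convention that Azure Information Protection writes into Office custom document properties (docProps/custom.xml) and into the msip_labels mail header. The “block external delivery of Highly Confidential content” rule is a hypothetical DLP policy written for this example, not an AIP feature.

```python
# Added example (not from the original article or from Microsoft): reads the
# clear-text label metadata that Azure Information Protection writes into Office
# files (docProps/custom.xml custom properties) and into the `msip_labels` mail
# header, then applies a constructed DLP rule to it.
# Assumptions: the label GUID, site ID, owner, document and header below are
# constructed for the example; a real file carries the tenant's own label GUID.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_CP = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
# AIP property naming: MSIP_Label_<label guid>_<field>
LABEL_RE = re.compile(
    r"^MSIP_Label_([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})_(.+)$"
)

# Constructed sample identifiers (not real tenant or label values).
LABEL_GUID = "1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d"
SITE_ID = "9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a"
HOME_DOMAIN = "contoso.example"

# Constructed msip_labels mail header, as a mail gateway would see it.
SAMPLE_HEADER = (
    f"MSIP_Label_{LABEL_GUID}_Enabled=true; "
    f"MSIP_Label_{LABEL_GUID}_SiteId={SITE_ID}; "
    f"MSIP_Label_{LABEL_GUID}_Name=Confidential; "
    f"MSIP_Label_{LABEL_GUID}_SetDate=2019-03-01T10:00:00Z"
)


def parse_label_properties(pairs):
    """Turn (property name, value) pairs into {label_guid: {field: value}}."""
    labels = {}
    for name, value in pairs:
        m = LABEL_RE.match(name)
        if m:
            labels.setdefault(m.group(1).lower(), {})[m.group(2)] = value
    return labels


def read_docx_labels(docx_bytes):
    """Read AIP label metadata from an Office Open XML file's custom properties."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return {}  # no custom properties at all, so no label
        root = ET.fromstring(z.read("docProps/custom.xml"))
    pairs = []
    for prop in root.findall(f"{{{NS_CP}}}property"):
        value_el = prop.find(f"{{{NS_VT}}}lpwstr")
        pairs.append((prop.get("name", ""), value_el.text if value_el is not None else ""))
    return parse_label_properties(pairs)


def read_mail_header_labels(header_value):
    """Parse an msip_labels header: 'MSIP_Label_<g>_Enabled=true; MSIP_Label_<g>_Name=...'."""
    pairs = []
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.strip().split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return parse_label_properties(pairs)


def dlp_decision(labels, recipient_domain, home_domain=HOME_DOMAIN):
    """Hypothetical DLP rule: block external delivery of 'Highly Confidential'
    content, flag unlabeled content for review, allow everything else."""
    active = [v for v in labels.values() if v.get("Enabled", "").lower() == "true"]
    if not active:
        return "review-unlabeled"
    external = recipient_domain.lower() != home_domain.lower()
    names = {v.get("Name", "").lower() for v in active}
    if external and "highly confidential" in names:
        return "block"
    return "allow"


def build_sample_docx(label_guid, label_name, site_id):
    """Constructed minimal .docx: a zip whose only part is docProps/custom.xml."""
    fields = [("Enabled", "true"), ("SiteId", site_id), ("Owner", "alice@contoso.example"),
              ("SetDate", "2019-03-01T10:00:00Z"), ("Name", label_name),
              ("Application", "Microsoft Azure Information Protection"),
              ("Extended_MSFT_Method", "Manual")]
    props = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i + 2}" '
        f'name="MSIP_Label_{label_guid}_{field}"><vt:lpwstr>{value}</vt:lpwstr></property>'
        for i, (field, value) in enumerate(fields)
    )
    xml = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           f'<Properties xmlns="{NS_CP}" xmlns:vt="{NS_VT}">{props}</Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/custom.xml", xml)
    return buf.getvalue()


def build_unlabeled_docx():
    """Constructed .docx with no custom properties (never labeled)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx(LABEL_GUID, "Highly Confidential", SITE_ID)
    labels = read_docx_labels(doc)
    print("file label:", labels[LABEL_GUID]["Name"], "->", dlp_decision(labels, "gmail.com"))
    hdr = read_mail_header_labels(SAMPLE_HEADER)
    print("mail label:", hdr[LABEL_GUID]["Name"], "->", dlp_decision(hdr, "gmail.com"))
```

Because the metadata is plain text, anything that can open the zip container or read mail headers can act on it; the same property also makes it easy to audit a file share for unlabeled documents before protection is rolled out.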
- Identify Sensitive Data
- Classify the Data
- Protect Data and Control Usage Rights
- Track and Report Document Usage
Data is critical to organizations and to users. One of the first tasks that systems designers must do is identify sensitive data and determine how to protect it appropriately. Many deployed systems over the years have failed to protect data appropriately. This can happen when designers fail to identify data as sensitive, or when designers do not identify all the ways in which data could be manipulated or exposed.
After identifying the type of data that is present, you need to classify it. By default, Azure Information Protection provides the user with 5 labels that help classify documents. Labels define the type of document; think of them as the genre of a movie or song. The default labels are:
- Personal
- Public
- General
- Confidential
- Highly Confidential
Once you categorize data, you also need to protect it. Azure Information Protection uses Azure Rights Management (Azure RMS) to encrypt sensitive data and manage access. Azure RMS integrates with other Microsoft cloud services and third-party applications to safeguard your data on the move.
Apart from the default labels present in AIP, you can also create custom labels and policies to suit your own needs. This is common in large companies, where the default labels aren’t enough to keep things safe.
After implementing controls, you need to monitor the protected data. Azure Information Protection has tracking and reporting capabilities to manage document access, detect and respond to risky behaviour and prevent data misuse. The tool also offers detailed reporting and logs to support compliance and regulatory requirements, and it lets you revoke access to a document as and when it is deemed to be in the wrong hands.
Below, I will walk you through the steps required to enable Azure Information Protection in your tenant, starting with configuring the labels that will be applied to documents.
To access the Azure Information Protection blade for the first time:
- Sign in to the Azure portal.
- On the hub menu, select “Create a resource”, and then, from the search box for the Marketplace, type “Azure Information Protection”.
- From the results list, select “Azure Information Protection”. On the “Azure Information Protection” blade, click “Create”.
- Click “Create” again.
Next time you access the “Azure Information Protection” blade, it automatically selects the “Labels” option so that you can view and configure labels for all users.
As mentioned earlier, by default Microsoft provides five labels, namely:
Personal: Non-business data, for personal use only. No visual marking or protection is applied to documents that have the “Personal” label.
Public: Business data that is specifically prepared and approved for public consumption. Documents labelled “Public” get visual markings but no protection.
General: Business data that is not intended for public consumption. However, it can be shared with external partners as required. Examples include a company’s internal telephone directory, organizational charts, internal standards, and most internal communication. Documents labelled “General” get visual markings but no protection.
Confidential: Sensitive business data that could cause damage to the business if shared with unauthorized people. Examples include contracts, security reports, forecast summaries, and sales account data. Documents labelled “Confidential” get both visual markings and protection.
Highly Confidential: Very sensitive business data that would cause damage to the business if shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports. Documents labelled “Highly Confidential” get both visual markings and protection.
Now, these default labels may not fit your business needs; you may have different security scenarios to cover for document protection. Microsoft gives you the option of creating your own custom policies, which contain your custom labels and can be assigned to users and groups.
Creating Custom Labels
Sign in to Azure Portal.
In the search box, search for “Azure Information Protection” and click the first result in the list. You will be taken to the Azure Information Protection blade.
- To create a new label, click “Add a new label”.
- On the Label blade, select the options that you want for the new label.
You are presented with the following options:
- a. Label display name
- b. Label description
- c. Permissions for documents and emails containing this label
- d. Visual marking (such as a header, footer or watermark)
- e. Conditions for automatically applying this label
Once you select the options that suit your security needs the best, click “Save”.
Once you have created the label, make it available to users by going through the following steps:
- From “Classifications”, go to the “Policies” menu option.
- Select the policy to contain the new label.
- Select “Add or remove labels”.
- Select the label from the “Policy: Add or remove labels” blade.
- Select “OK”.
Azure Information Protection is available as a standalone service and as part of Microsoft’s Enterprise Mobility + Security (EM+S) suite. Still have questions? Send us your queries here, or learn how managed services from Mismo Systems LLP can help secure your data and devices.