Top 10 Myths: Microsoft Azure Information Protection
As the UK’s leading project delivery experts in data classification, we hold many discussions with customers around the importance of classifying data for security and compliance purposes. One of the common questions of late is: how good is Microsoft’s Azure Information Protection (AIP) solution?
There have been many rumours and much speculation circulating in the industry about what might or might not be supported, but no real substantial evidence to support or refute some of the claims. So naturally, HANDD being the experts, I thought I would take a closer look and address some of the stories I have been hearing.
Myth Number 1:
AIP only works in the cloud application of O365 and not on the end user’s desktop client
Well here I am using the Office 365 (2016) Outlook desktop client and as you can see AIP fully integrates into the ribbon allowing me to classify all of my emails.
Myth Number 2:
AIP will only allow organisations to use the pre-canned Microsoft classification labels
Simply not true. You can see from the image above how simple it is to configure a classification label and customise it to include whatever label title and description you like. You can even create multiple policies within a single configuration and assign them to different business units or groups.
Myth Number 3:
There is no AIP integration with the desktop, meaning you will not be able to “right-click and classify”
In the image above you can clearly see that I am able to right click on a file on my desktop and select “Classify and Protect”. A pop up box then allows me to select any of my configured classification labels. The look and feel is seamless throughout the classification client suite.
Myth Number 4:
AIP does not support multiple levels of classification
In the AIP admin console you do have the option to configure a second level of classification labels. I know the competition supports 3 or more sub levels but I rarely experience a customer who requires more than 2. In any case I am sure Microsoft have the skills and resources to address this very quickly if there is enough demand.
Verdict: BUSTED (if you accept “multiple” as more than 1)
Myth Number 5:
Microsoft will take ownership of your keys and store them in the cloud
This is understandably a very sensitive subject for many of our clients, who are concerned about handing over their keys to Microsoft. Certainly many clients cannot do this from a compliance point of view, and also because they are wary of handing over control of their keys to a third party.
Fortunately for those who prefer all things Microsoft, AIP also supports integration with on-premises Active Directory Rights Management Services (AD RMS). This means you can create a “Hold Your Own Key” (HYOK) classification infrastructure. The downside, however, is that you lose the encryption capabilities for external content and the ability to track and revoke access to protected information. I can’t see encryption being a major concern, considering most organisations rely on third-party software to provide their encryption anyway, and such software can in any case act on the classification metadata injected into documents and emails. Of more concern would be losing the ability to track and revoke access to data, but this is a feature above and beyond the capabilities of other solutions anyway.
Verdict: BUSTED (with the loss of minimal functionality)
Myth Number 6:
AIP does not allow you to collect any tangible management information
Like any other data classification solution, Microsoft AIP outputs all of its events to the local Windows event log. Event logs can be collected or forwarded to any third-party SIEM solution or reporting tool for more advanced reporting.
Additionally, the logs integrate with the Microsoft Operations Management Suite (OMS) to create customised reports detailing all kinds of user classification activity in fancy pie charts and graphs.
This is particularly useful for tracking and monitoring the whereabouts of sensitive content. Should you need to revoke access to the files, you can do that too.
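To show what “more advanced reporting” over forwarded event logs looks like in practice, here is an added example (not part of the original post, and not Microsoft’s or HANDD’s code). The record format, the field names and the label hierarchy are all assumptions constructed for illustration; real AIP events have their own schema, so map the fields accordingly. The logic is what a SIEM or reporting tool would apply once the Windows event log has been forwarded to it: activity counts per user and per label, plus a list of label downgrades (including label removal) as the events most worth a reviewer’s attention.

```python
"""Summarise classification activity from forwarded event-log records.

Added example: the record format below is constructed for illustration and
is NOT the real AIP event schema. It demonstrates the reporting logic a SIEM
or reporting tool applies to forwarded classification events.
"""
import json
from collections import Counter

# Label hierarchy, least sensitive first. Assumed for the example; in practice
# it mirrors the labels configured in the AIP policy.
LABEL_ORDER = ["Public", "Internal", "Confidential", "Highly Confidential"]

# Constructed sample of forwarded events, one JSON object per line.
# null for a label means the file was unlabelled before/after the event.
SAMPLE_EVENTS = """\
{"time": "2017-05-02T09:01:12Z", "user": "alice", "file": "finance/q1.xlsx", "old_label": null, "new_label": "Confidential"}
{"time": "2017-05-02T09:04:40Z", "user": "bob", "file": "hr/memo.docx", "old_label": null, "new_label": "Internal"}
{"time": "2017-05-02T10:15:03Z", "user": "carol", "file": "exec/board.pptx", "old_label": "Confidential", "new_label": "Public"}
{"time": "2017-05-02T11:30:27Z", "user": "alice", "file": "finance/q1.xlsx", "old_label": "Confidential", "new_label": "Highly Confidential"}
{"time": "2017-05-02T13:02:55Z", "user": "dave", "file": "hr/memo.docx", "old_label": "Internal", "new_label": null}
"""


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def label_rank(label):
    """Position of a label in the hierarchy; unlabelled content ranks below Public.

    A label that is not in the configured policy is a configuration mismatch
    between the log source and the report, so it is reported rather than
    silently ranked.
    """
    if label is None:
        return -1
    if label not in LABEL_ORDER:
        raise ValueError(f"label not in configured policy: {label!r}")
    return LABEL_ORDER.index(label)


def is_downgrade(event):
    """True when the new label is less sensitive than the old one (removal included)."""
    return label_rank(event["new_label"]) < label_rank(event["old_label"])


def build_report(events):
    """Aggregate events into per-user and per-label counts plus a downgrade list."""
    by_user = Counter(e["user"] for e in events)
    by_label = Counter(e["new_label"] or "Unlabelled" for e in events)
    downgrades = [e for e in events if is_downgrade(e)]
    return {"by_user": by_user, "by_label": by_label, "downgrades": downgrades}


if __name__ == "__main__":
    report = build_report(parse_events(SAMPLE_EVENTS))
    print("Events per user:", dict(report["by_user"]))
    print("Files per resulting label:", dict(report["by_label"]))
    print("Downgrades to review:")
    for e in report["downgrades"]:
        print(f"  {e['time']} {e['user']} {e['file']}: {e['old_label']} -> {e['new_label']}")
```

The downgrade list is the useful output: a user moving a file from Confidential to Public, or removing a label altogether, is the classification event most likely to need follow-up, and it is cheap to surface once the events are in a tool that can run this kind of aggregation.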
Myth Number 7:
AIP doesn’t support classification of any files other than MS Office documents
Wrong again, I am afraid. Here we can see an example of at least one non-Microsoft Office file type being classified. The official answer from Microsoft was that they support “most file types”; currently .PDF is not one of them. They are, however, adamant that this feature will be available later this year. Given what they have already delivered since their original announcements last year, I doubt this will take them very long at all.
Myth Number 8:
AIP does not provide a “bulk classification” feature
Classification solutions are great for classifying all new information created from the moment they are deployed, but as everyone knows most large organisations can hold petabytes of legacy data. How do you classify that?
Functionality is limited, but Azure Information Protection does support right-clicking multiple files and folders to apply classification in bulk. This is not strictly bulk classification of file servers, and it is limited in terms of its ability to be scripted (such as with PowerShell) and automated, but it’s a good start. We have no metrics as yet, but I have no doubt functionality will improve over time.
Verdict: BUSTED (with limitations)
Myth Number 9:
If you lose connection to Azure you lose your ability to access your encrypted data
Oh ye of little faith. Not only do I have faith in Microsoft’s ability to provide business continuity in the event of a disaster, I also believe I already dispelled this myth earlier in this piece when discussing support for on-premises AD RMS. But in case it isn’t already clear: in the event that your ISP does have a major outage, you are safe in the knowledge that with on-prem AD RMS you will not lose any access to your data internally.
Myth Number 10:
AIP is difficult to configure and deploy
Of all the classification solutions I have worked with, Microsoft’s Azure Information Protection solution is probably the most advanced in terms of configuration and deployment simplicity. Yes, there is a reliance on customers using RMS (in fact it simply will not work without some flavour of RMS), but the fact remains that it is simple to configure and deploy.
Configuring your rules is as simple as clicking on a policy, selecting the label and turning on the rules you wish to apply to that label. You can easily create a rule to search for content and enforce or “recommend” classification. You can also assign an RMS template for encryption or to prevent actions such as forward, copy and paste. Once you are satisfied with your wording, colours and rules, you simply click “Publish” to send the policy out to all the users you have assigned to that policy.
At my first attempt it took me about 5 minutes to deploy the default policy with one customised rule and an RMS template. Yes there is a small installation file that needs installing at the client end but the policy creation couldn’t have been easier.
Microsoft Azure Information Protection does require you to stand up an instance of Azure RMS or AD RMS in order for it to work, but for me it was a fantastic experience from configuration through to deployment once the RMS templates were configured. There is the issue of loss of functionality if you are not prepared to opt for Azure RMS, and question marks still hang over the tool’s ability to truly support bulk classification and older versions of Office.
Microsoft have made a great first effort that will satisfy most of your classification requirements and although they are gambling on organisations adopting Azure RMS to make this a success I do believe they are heading in the right direction.