Get a grip on documents with Azure Information Protection

Protecting content in documents and files remains a major concern for organizations. Still (too) many files are sent as attachments with an e-mail or shared via cloud storage. The challenge is that far from everyone is aware of the security risks. Sending a document means that access to the document can no longer be controlled either. Smart software can ensure that security policies travel with the document and are automatically applied whenever possible.

In this blog, we look at how Microsoft’s Azure Information Protection software can be used for this purpose and I give you practical tips for implementing it.

The Capabilities of Azure Information Protection

Azure Information Protection (AIP) offers various options for securing files, covering all Microsoft Office documents and PDFs. It also allows for the encryption of emails and attachments, ensuring that only people with the correct identity (e.g., internal employees) can open them. But AIP goes even further: you can specify that a document may be opened but cannot be forwarded, printed, or even copied and pasted.

Labels Determine Security Classification

AIP works by classifying documents with “labels” that can be applied to documents and/or emails. In a simple scenario, for instance, you might have labels like “Internal” and “Public,” with the default label being “Internal.” This setup ensures that a user must take deliberate action to make a document readable externally.

For all documents and emails, the available labels are displayed just below the menu bar. Classifying a document is as easy as clicking on the appropriate label (as shown below).

Defining Security Policies in Templates

For each label, a template is defined. First, the template specifies who has access to the document. For example, it could be the internal organization, a specific department, or particular email addresses of external collaboration partners. Then, it sets what type of access is allowed—whether the document can be read only, or also edited, printed, forwarded by email, or if text can be copied and pasted.

Creating these labels and templates is the administrator’s job. The end user doesn’t need to understand or set these parameters—they simply click on the relevant label to apply it.

Security Travels with the Document

One of the key principles of Azure Information Protection is that security is embedded within the document itself. This means that if a document is copied outside the organization’s infrastructure, the security settings still apply. For example, if an employee has documents stored on a home PC and then leaves the company, any document labeled as “Internal” will no longer be accessible. It’s also possible to track documents and even revoke permissions remotely.

Tips for a Successful Implementation of Azure Information Protection

With AIP, it’s now possible to implement robust document security without imposing too many additional steps on end users. Here are some practical tips for the implementation process:

  • Start with a limited number of labels. It can be as simple as labeling everything as “Internal” with an option to switch to “External.”
  • Choose label names carefully. Ensure they are not technical terms.
  • Educate users about the purpose of the labels. User adoption is a critical aspect of information security.
  • Automatically label all existing documents with the default label.
  • Monitor usage. Track which labels are used most and by whom.
  • Begin by labeling documents without applying security right away. This gives users time to get used to labeling. If this goes well, add security features gradually. Also, keep an eye on developments with AIP, as the product is frequently updated with new features.

Watch our webinar, “Securing Documents in Office 365,” for live demonstrations and more detailed explanations about Azure Information Protection.