Administrators need increased security because sensitive information is stored in locations that are beyond the reach of traditional security tools. Microsoft Azure Information Protection aims to add this extra layer of security around data stored in email, the cloud and on-premises file servers.
Enterprises -- particularly, those with stringent regulatory standards -- implement many layers of security and protection to stop certain data from falling into the wrong hands. IT monitors and secures the firewall, identity management, access controls and network access to avoid a breach. But what about protecting sensitive content such as confidential HR documents, contracts and health records once they leave the environment? Traditional security tools cannot control and protect these files if they go into an email, a flash drive or an Office 365 service such as OneDrive for Business. Azure Information Protection detects the sensitivity level of content and applies custom protections, regardless of the location. Microsoft offers two subscription licenses with different levels of protection.
What is Azure Information Protection?
Azure Information Protection (AIP), previously known as Rights Management Services, is a cloud-based service used to encrypt data and restrict some functions via a content labeling system. These labels prevent unauthorized actions such as printing, viewing, copying and downloading content, based on the organization's policy.
AIP fills a gap for companies that must restrict access and functionality to sensitive digital assets. Organizations in certain industries, such as healthcare, legal, manufacturing or financial services, must comply with regulations that require sensitive data to have tighter restrictions.
AIP supports many content types, including email, text, image, Microsoft Office files and PDFs. AIP protects files stored in on-premises file servers and in cloud platforms, such as SharePoint Online and OneDrive for Business.
What are the types of Azure Information Protection plans?
Microsoft sells AIP plans as direct add-ons to existing Office 365 subscriptions and as part of the Microsoft 365 Enterprise bundle that includes Office 365, Windows 10 and Enterprise Mobility + Security.
There are three subscription plans of AIP available from Microsoft: Azure Information Protection for Office 365, Azure Information Protection Premium P1 and Azure Information Protection Premium P2. The chart below summarizes the technical features available in each plan.
Microsoft also offers a free account for individuals who need to access AIP-protected content; they sign up by entering their work email address. Once validated, the user can install Microsoft's AIP app to view the protected content on a mobile device or on a Windows or Mac computer.
Microsoft incorporates the Azure Information Protection for Office 365 plan for free for enterprises that subscribe to the Office 365 Enterprise E3 and E5 plans. With these subscriptions, AIP features include encryption protection for email and documents both in Office 365 and in on-premises Exchange and SharePoint; integrated security with Office apps; and access to administrator AIP controls, such as usage logging and bulk add/removal of file protection.
Compare the Azure Information Protection P1 vs. P2 plans
Microsoft sells two premium versions of Azure Information Protection: Premium P1 and Premium P2. Microsoft offers the two plans with an add-on license for $2 per user, per month for the AIP Premium Plan 1 and $5 per user, per month for the AIP Premium Plan 2.
These premium levels include all the features in the Azure Information Protection for Office 365 plan and access to additional features, such as the AIP scanner to find sensitive data in on-premises platforms; controls to track and revoke access to documents; and protection of documents beyond the Microsoft Office file formats.
The AIP Premium Plan P2 includes all the features in the Azure Information Protection for Office 365 and AIP Premium Plan P1 subscriptions and more protection features, such as:
- Automatic and recommended classification for certain types of data that meet certain conditions to apply protections rather than relying solely on manual labeling.
- Automatic use of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol to sign and encrypt messages in Outlook. S/MIME combines several cryptographic services (digital signatures for sender authenticity and integrity, encryption for confidentiality) to counter spoofing and assure the recipient that a message is legitimate.
- Added information protection in Outlook that detects the potential sharing of sensitive information. The organization can customize the response by using a popup message that cautions the user to review the email, requests an explanation for sending the email or blocks the message from leaving the organization.
- Hold Your Own Key (HYOK) functionality for users in regulated environments for confidential data that cannot leave the internal network. Users can label sensitive information with a Protect label. Administrators can configure a policy so only users who need to apply HYOK labels have access to it.
- Automatic protection, classification and labeling for on-premises files. After the administrator sets the AIP scanner to use automatic mode rather than discovery mode, the AIP scanner will automatically label content that matches a sensitive information type. This feature works on network file shares and SharePoint servers.
Organizations that subscribe to Microsoft's Enterprise Mobility + Security E3 plan at a cost of $8.80 per user, per month also have rights to the AIP Premium P1 plan, which includes tracking and revoking shared documents, protection of file formats outside of Microsoft Office, and on-premises discovery of sensitive data.
Organizations that license Microsoft's Enterprise Mobility + Security E5 plan at a cost of $14.80 per user, per month get access to the AIP Premium P2 plan.
What is the Azure Information Protection deployment process?
Microsoft designed the AIP platform to use three distinct stages to help organizations protect and secure their sensitive data: discovery and labeling, protecting, and monitoring.
Phase one: classification and labeling. In this initial phase, AIP scans content that's either in the Office 365 tenant or on servers and local machines. This step allows AIP to detect and label the type of content based on user-defined rules or industry-specific data profiles, such as protected health information or financial data.
Phase two: protecting the content. After it classifies the data, AIP applies the restrictions and protections defined for that label in the AIP policy the administrator has produced. These limitations include encryption of the files to prevent opening or viewing without the appropriate permissions. AIP provides other restrictions, such as blocking the download, printing, copying or screenshotting of protected files.
Phase three: monitoring and revoking access. After AIP designates a document's protection and management status, users who share the protected content can monitor all the interactions with the file. For example, an HR manager can send out a protected document to a set of employees and use an audit log that shows who interacted with the file and when. The HR manager can revoke access to that shared file permanently and make it inaccessible, even if the data is in the recipient's computer.
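To make the three phases and the scanner's discovery-versus-automatic distinction concrete, here is an added model of that pipeline in Python. It is an illustration written for this article, not AIP's code or API: the sensitive information types, label names, usage rights and the `Doc`, `scan`, `access` and `revoke` names are all assumptions, and the sample documents are constructed.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sensitive information types. The article names PHI and financial
# data; these regexes are illustrative stand-ins, not AIP's own definitions.
SENSITIVE_TYPES = {
    "US SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Credit card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}
# Hypothetical label policy: which label each type triggers, and the usage rights
# each label leaves enabled (RIGHTS_FOR_LABEL is listed in ascending sensitivity;
# anything not listed, such as print, copy, download or screenshot, is blocked).
LABEL_FOR_TYPE = {"Credit card": "Confidential", "US SSN": "Highly Confidential"}
RIGHTS_FOR_LABEL = {"Confidential": {"view", "edit"}, "Highly Confidential": {"view"}}

@dataclass
class Doc:
    name: str
    text: str
    label: str = ""                            # "" means unlabeled
    recipients: set = field(default_factory=set)
    revoked: bool = False
    audit: list = field(default_factory=list)  # (when, who, action, allowed)

def classify(doc: Doc) -> list:
    """Phase one: list the sensitive information types found in the text."""
    return [name for name, rx in SENSITIVE_TYPES.items() if rx.search(doc.text)]

def scan(docs: list, mode: str) -> dict:
    """Scanner run: 'discovery' only reports, 'automatic' also applies labels."""
    report = {}
    for doc in docs:
        report[doc.name] = classify(doc)
        if mode == "automatic" and report[doc.name] and not doc.label:
            # When several types match, the most sensitive label wins.
            doc.label = max((LABEL_FOR_TYPE[h] for h in report[doc.name]),
                            key=list(RIGHTS_FOR_LABEL).index)
    return report

def access(doc: Doc, user: str, action: str) -> bool:
    """Phases two and three: enforce label rights and revocation, audit every attempt."""
    ok = not doc.label or (not doc.revoked and user in doc.recipients
                           and action in RIGHTS_FOR_LABEL[doc.label])
    doc.audit.append((datetime.now(timezone.utc).isoformat(), user, action, ok))
    return ok

def revoke(doc: Doc) -> None:
    """Owner revokes the shared file; later access attempts fail and are logged."""
    doc.revoked = True
```

Running `scan` twice on the same documents, first in discovery mode and then in automatic mode, shows the difference the article describes: the first call only reports matches, the second applies labels that `access` then enforces.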
What are the Azure Information Protection requirements?
IT administrators must prepare four key areas to get their organization ready to use Azure Information Protection.
1. Defining compliance requirements
In the beginning stages, administrators document the compliance requirements that drive the organization to implement content protections. Some questions that need answers include:
- What are the compliance requirements for the organization's data?
- Which departments require content protection?
- What specific sets of files and digital content need restrictions?
- Which users or groups need more controlled content access?
- What content access needs close monitoring?
2. Licensing requirements and pricing
Microsoft sells two Azure Information Protection subscription plans -- AIP Premium P1 and AIP Premium P2 -- through two licensing models.
- Add-on license. AIP Premium Plan 1 costs $2 per user, per month while AIP Premium Plan 2 costs $5 per user, per month.
- Bundled license. The Microsoft 365 E3 package includes the AIP Premium Plan 1 for $32 per user, per month. The Microsoft 365 E5 package includes AIP Premium Plan 2 for $57 per user, per month.
3. Azure Active Directory setup
After acquiring the licenses, administrators set up and configure Azure Active Directory synchronization. If the organization does not have an Office 365 subscription, then it must set up the Azure tenant account before it can proceed to the AIP setup and configuration outlined by Microsoft documentation.
4. Client requirements
Microsoft recommends administrators deploy the latest version of the Azure Information Protection unified labeling client for end users to discover and protect local documents based on corporate policies. If the organization does not require this type of protection, then administrators will only need to deploy the Rights Management client included in Microsoft Office applications to open protected files.
Why enterprises should consider Azure Information Protection
Many companies maintain confidential data in online services such as Office 365 and in on-premises infrastructure such as file servers, and protections on this information must stay intact. Sharing confidential and sensitive data is necessary in collaborative environments, but AIP restricts unauthorized parties from accessing sensitive email and documents to help maintain a high level of security, even when the data leaves the organization's network.