Streamlined document classification and label management – here’s how AIP is evolving to better control and protect your files.
Azure Information Protection is changing.
When AIP was first released in June 2016, it was based on the technology acquired when the purchase of Secure Islands took place in 2015. This was then integrated with Azure and RMS and deployed as part of the EMS suite.
Since then, there have been many changes within AIP, with a bigger change on the way when the classic AIP client and portal will be deactivated in March 2021.
This change is due to the introduction of new unified labeling (UL) capabilities.
This blog will cover these changes and look to the future of AIP with unified labeling and what needs to happen for a smooth migration from the older version to the unified future.
As a reminder, Azure Information Protection allows for the classification and labeling of unstructured documents.
Think of it as the digital equivalent of applying a stamp to a physical file to inform the user of the sensitivity of the contents.
In Word, for example, the AIP toolbar appears at the top of the document:
Once a classification and sensitivity label has been assigned it will appear in the ‘Properties’ section of the file:
Because the sensitivity is held as part of the document (whether that’s Word, PowerPoint, Excel or email message), it can be used as part of a set of security controls.
So, if a user tries to send a sensitive email outside of the organisation, it can be blocked – or an advisory message can be sent to the user or admin.
When a classified document is saved to a SharePoint location, the system can tell if it has been misfiled and report appropriately.
By adding the correct label, we can gain more control over what happens to it. If we add encryption to protect the file, then we are sealing it against inadvertent opening.
If we think about what we want to control based on what classification the file has, things become easier.
Using AIP to label the file allows the other Microsoft tools to work together to help with data protection compliance – whether that be GDPR or some other regulation.
Tools like Data Loss Prevention (DLP) or Cloud Application Security operating in conjunction with the Security and Compliance tools, go a long way to ensuring that sensitive data is kept as secure as possible.
In the past four years, many elements of AIP have changed.
Once upon a time, AIP could only be applied through apps running on Windows. Now, sensitivity labels can now be applied to documents using Office on Windows, Mac, Android, iOS and iPadOS.
AIP functionality is also now available within the browser-based versions too.
When the AIP client was first introduced, a new icon was added to the Office ribbon. This was identified as “Protect” and showed a blue padlock.
The labeling functionality is now built into the Office applications as standard and does not require any additional software to be installed.
The new icon is a stamp and is identified as “Sensitivity”. This better reflects the function as not all documents that are labelled require protection.
The latest versions of Office for Windows include this sensitivity functionality and will appear as soon as any labels have been defined. Though this does require the user to have the Click-To-Run installation dated 1909 or later.
The labeling bar that appears above the document is still there and allows a user to choose the relevant sensitivity of a document.
Labels can be assigned automatically to a document based on specific content being found.
A recommended label can even be suggested to the user, again based on the content of the document.
Discover the power to secure documents and data regardless of who it’s shared with or where it’s stored. We'll show you:
So far so good, the functionality seems to match up well, in fact, it is now easier to get the users to start to label documents as there is no requirement to install any additional software.
The main change lies with how the labels themselves are managed. With the older AIP, administration was handled by the AIP blade within the Azure portal.
This had separate blades for labels and for the policies that published the labels to specific sets of users.
These functions have now been moved to the Security and Compliance portal.
Under the ‘Classification’ heading there is a section for ‘Sensitivity labels’ and this is used to configure the label and the publication policy.
The labels are very similar and are configured individually. Sub-labels are created by clicking on the ellipsis to the right of the top-level label.
Once the labels have been configured, they must be published to the relevant users. This is done using the ‘Label policies’ tab on the same page. This is where the first big difference comes in.
50% of technology projects fail to meet their goals or complete within time and budget. Discover why planning for the people element of change is crucial to ensure successful adoption and ROI.Find out more
With the older AIP publication, a label could only be associated with one policy.
This meant that the publication of multiple labels to multiple sets of users could become complicated.
With unified labeling (UL) a single label can be associated with multiple policies.
This means that publication policies for each user set includes all of the relevant labels required rather than having to be constructed by adding labels to global and scoped policies.
The migration from AIP to UL is handled in the Azure portal from within the AIP blade.
In the screenshot above, the labels have already been copied to UL by clicking on the ‘Activate’ option. This is why it is shown as greyed out.
The option to copy the current publication policies has now been added as a preview function.
But if you have a complex label structure within your previous AIP configuration, it may be simpler to re-create the required policies within the new label policies.
The new unified labels work well and many of the old AIP functions are fully supported by the new system.
There is some functionality not currently supported in UL. If these are particularly important to an organisation, then the move to UL may have to be postponed.
The functions that are missing are:
Hold Your Own Key
Hold Your Own Key (HYOK) is a feature that enables an organisation to protect data in a way where they hold the encryption key.
HYOK has the organisation operating its own AD, its own RMS server, and its own HSMs for key retention. With this in place, the only keys that can be used to decrypt each document are owned and managed by the organisation.
This functionality is not widely used so should not cause too much concern with the migration.
Track and Revoke
Track and Revoke is a function that uses the document protection functions to allow a user to track who has accessed a protected file. If necessary, a user can also revoke access to these documents if people should no longer be able to read them.
This is all accomplished from the document tracking site which can be accessed from Windows computers, Mac computers, and even from tablets and phones. Before it can be tracked and access revoked the functionality must be enabled within the document.
The Track and Revoke functionality is not currently available within the UL implementation but is expected to be released shortly.
Windows event log support
The classic AIP client logs user activity to the local Windows event log.
Specifically, in the Applications and Services Logs > Azure Information Protection. This functionality is moved with the newer UL client.
The AIP classic client and portal will be being turned off at the end of March 2021.
Before then the newer unified labeling should have been configured, tested and be ready to roll out to the user population.
If you are not going to be ready to do this, then contact Microsoft and register for extended support so that you can continue to operate correctly.
Keep your finger on the pulse of security and Microsoft technology. Submit your business email to get the latest content and event invites straight to your inbox.
As ThirdSpace’s Solution Architect and Technology Evangelist (yes, he knows it’s a long title), Dave has a background in IT that goes back to installing a piece of kit called a Microsoft Softcard in...
READ AUTHOR'S FULL BIO
Discover the power to secure your data – no matter who shares it and wherever it’s stored.Watch now
Send us your questions or feedback.
Friendly folks are standing by!
Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, and Security and Compliance.
You are seeing this because you are using a browser that is not supported. The ThirdSpace website is built using modern technology and standards. We recommend upgrading your browser with one of the following to properly view our website:Windows
Please note that this is not an exhaustive list of browsers. We also do not intend to recommend a particular manufacturer's browser over another's; only to suggest upgrading to a browser version that is compliant with current standards to give you the best and most secure browsing experience.