Since we first released Azure Information Protection (AIP) on October 1st, we have been busy helping, visiting, and listening to customers worldwide. Our engineering team has also been working hard on rapidly delivering previously requested updates and several new features. Today we are making available a new preview release! This preview includes a significant number of enhancements very important to your active (or soon-to-be active) information protection deployments. As usual, we invite you to scrutinize the below, kick the tires on the actual software, test new scenarios out and let us help you in protecting your information!
So, what’s now in preview
- Scoped Policies so you can make labels available to users based on group membership
- A new, unified Windows client that combines the RMS Sharing app features into the Azure Information Protection client
- An updated viewer for protected files, including protected PDFs downloaded from Share Point
- Manual (right-click) labeling and protection for non-Office files
- Bulk classification and labeling for data at rest using PowerShell
Here’s what is now released (no longer in preview)
- Event logs for labeling and protection events
- HYOK (Hold Your Own Key) for protecting highly sensitive content from anyone but you
- Cloud App Security (MCAS) integration of labels into their product offering
This blog will explain each of these new offers, as they pertain to a given adoption scenario. All you experienced Information Protection folks out there will quickly connect with these amazing new adds. For those of you newer to the Information Protection space, an upcoming series of blogs are being crafted to help you get AIP deployed in no time! We’ve learnt a lot helping lots of customers and so it is high time we share with you all the best practices we’ve learnt as well as a roadmap of the coming wave of investments.
Let’s dive into what’s new today:
Enabling Azure Information Protection for the distributed, and hybrid organizations:
Scoped Policies allow customers to build sets of labels that are only visible and usable to specific employees and groups of employees such as teams, business units or projects. This is an incredibly powerful capability for those of you with larger scale or diverse needs. If that does not describe your organization, then simply don’t use them. In all instances, a global set of policies is made available to all users. The new scoped policies are layered over this global set; available to those users named in security group membership. It is important to note that scoped policies is an admin concept, users will not be aware as they just see a combined set of labels they are able to see.
Each set of scoped policies allows for customization, including labels, sub-labels, and settings like mandatory labeling, default label, and justifications. The scoping model is consistent with Azure RMS template scoping, in that it is based on Azure Active Directory users and groups.
A few important notes on scoped policies:
- Scopes are optional, you don’t have to define a set or group for a policy. If not set, the policy has global scope for everyone in the tenant.
- Policies are ordered by administrators. This order defines which scopes are considered higher than others. Policies are combined into an effective policy, which is given to the client.
Policies sets can be defined and created in the admin console:
Labels can be ordered which defines how they show up in the client:
Protecting your secret or regulated data even if the data travels / is stored in the cloud
Hold Your Own Key (HYOK) is now Generally Available (GA) which means a fully supported configuration. The configuration remains very simple and as outlined in the HYOK blog.
Expanding labeling and protection to a wider set of application and file types
With the new, unified AIP client, Classification, Labeling and Protection support is now extended beyond ‘just’ Office files. We have brought together the existing AIP client with the RMS Sharing App features to provide a more complete Information Protection experience in AIP. When you install this new client, you can now classify, label and protect your files through Office applications, through the Windows Explorer shell extension and through PowerShell commands.
A user can label and protect any file through the windows shell-explorer, select either one file, multiple files or a folder and apply a label. (Note: some file types do not offer an ability to attach persistent metadata, for these file types you can only label when protecting).
You can also apply custom permissions to files if preferred or required. Of note, our #1 requested client application feature has always been to have an address book picker. You can now see a lovely icon at the far right of the ‘select users’ box.
Users can also right-click on a folder to auto-apply at the folder level to all existing documents (note this is not a persistent folder attribute, this applies to existing files, new files added are not auto-classified).
Being able to view all the popular file types on all platforms:
You can now also view RMS protected files, such as protected PDF files downloaded from Share Point using our new, cleaner Azure Information Protection viewer (We had previously only implemented PPDF but not the PDFv1 created from SharePoint due to the lack of a mobile SDK):
Protecting information flowing to SaaS environments:
Microsoft Cloud Application Security (MCAS) integration now allows policy actions and file investigation based on Azure Information Protection labels. You can read more about this in the Azure Information Protection and Cloud App Security integration blog and Cloud App Security technical docs.
If you’d like to see MCAS also support RMS encryption, please let us know.
Expanding labeling and protection to a wider set of tools and services:
We have extended the RMS PowerShell commands to support Label and Protection actions based on the Azure Information Protection policy. Administrators and data-owners can label and protect files in bulk on File stores, or query for the file’s status. As an example, a data owner can label all files under the “Project Manhattan” share as “Confidential”. A risk manager can query and investigate all “Highly Confidential” files that are located under the “Shared” folder.
Running the command will apply the specified label and any protection set in the policy (Note: We do not currently support applying visual marking).
Visibility to data classification and control:
With local client event logs, all CLP activities on the client are logged into the Windows event log. Administrators can collect these logs into a central SIEM system to analyze CLP usage and track specific activities. You can read more about logs, centralizing them, and some really nice PowerBI integration examples in this great blog.
Get started NOW!
It really is very easy to get started. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!
- Download the new unified client from our Download Center
- Start a trial and kick the tires
- Learn more about Information Protection
- Get deep technical and scenario documentation
- Keep up to date by following our blogs
- Engage with us on Yammer, Twitter or send us an e-mail
- Watch the overview video
- Watch the recordings of our Ignite sessions (BRK2127, BRK2128, and BRK3095)
- Learn more about the Enterprise Mobility + Security offerings