Azure Information Protection
With the adoption of mobility and cloud services, data is traveling to more locations than ever before. While it has helped users become more productive and collaborative, securing and monitoring the data has become harder.
Our goal with this blog is to help you address some of these information protection challenges regardless of where you are in that journey. Now we will share some tips for those who already own our information protection solution but are not taking advantage of it. We’re also pleased to share this video that talks about some of these tips in detail.
Tip#1: Pick standardized and approachable labels
The first tip, Pick standardized and approachable labels, is a very critical step. We assert quite strongly that you must use global labels. These are the labels that everyone sees in the ‘bar’. Simply stated, train people once and don’t expect them to understand overly geeky terms like C2 or HBI. Terms like Highly Confidential are plain and obvious. You can certainly do otherwise, but it’s the road far less travelled. Here’s what we advocate you do:
Tip#2: Create sub-labels for your key departments
The second tip, Create sub-labels for your key departments, is also quite important. It’s the ‘pressure release valve’ for all those folks who gave you a hard time with your inflexible stance on Tip #1! Here, you create sub-labels for those departments that are special. For example, HR, Legal, and Finance are all quite special in that they handle very sensitive materials. Give them a sub-label. This makes it trivial for someone to classify data as Finance \ Highly Confidential.
Tip#3: Use scoped policies for the needs of specialized teams
If you’re a large company, you may find yourself with a lot of special people; it generally comes with the territory. That’s perfectly fine. For those teams who are less mainstream than the above trio of HR/Legal/Finance, you can support them with the capabilities we call out in our third tip, Use scoped policies for the needs of specialized teams. Scoped policies enable you to control who can see which sub-labels (recall that we’re asking you to maintain a consistent set of labels!) and they also let you offer specialty behaviors. For example, using scoped labels for HR lets you set their default to be Confidential, whereas you can maintain General as the default classification for the more normal people in your organization. Here’s an example of my view, given I was part of a special secret team called ‘Project Samo’.
Tip#4: Encourage the right behavior
Tip four is a simple one: Encourage the right behavior. This tip is really about enabling you to take risk at very low cost if you make mistakes. Let’s explain what that means. Automatic classification is always wonderful, but in complex systems automatic rarely works the way you’d expect. Overuse of automatic classification can frustrate your users. Instead, rely on recommendations so that you can afford to make mistakes.
Learn the system, review the Azure Information Protection (AIP) application logs, and when you get a really high percentage of accuracy, then – and only then – should you consider using automatic. We’d also suggest that a ‘really high percentage’ is better than 98 out of 100 correct classifications. Recommendations are your friend!
Tip#5: Safeguard Email Communications
The fifth tip is to Safeguard Email Communications. We’re going to save that for another post. Turns out that those of you stuck on S/MIME will have a much harder time migrating and we’ll have a lot to write about that.
With the above said, let’s cover those second order considerations:
Consideration #1 – How can I perform a scoped deployment of the above? This one is easy. Simply do the following:
- Go to your Azure Subscription. Find the Azure Information Protection service.
- Review the current settings.
- Resist the urge to change the Global labels but you can enable/disable some of them (e.g.: Not everyone wants the Personal label).
- Do NOT turn on RMS templates for your first attempt — stick with classification alone.
- Consider requiring justifications.
- Invoke Publish when asked (you need to do this after any change).
- Deploy the AIP client to yourself and 1-3 people. Should just work.
Consideration #2 – How do I deploy to the next 100-1000 folks? Before moving from a pilot-phase to a production-phase, it’s important to settle on a set of standards and broadly communicate the impact.
- Create & Publish a standard: Establish a working group which is tasked with creating a data classification standard for the organization. Ensure that folks across the organization’s risk management board and security & standards council weigh in and sign off on the classification standard before publishing it. If you are replacing any existing classification taxonomy, build a plan to retire the existing standard.
- Support: Ensure that your organization’s helpdesk is aware of the deployment & classification standard.
- Communication plan: Create a communication plan to inform the leaders & employees of the rollout and its impact. Build a plan to influence high impact/mandatory trainings (such as new employee orientation or business conduct trainings). Build channels to actively seek feedback and make configuration improvements based on the feedback.
Consideration #3 – I’m an over-achiever, what more ‘can’ I do?
- Custom Help/IP page: Create your custom webpage which summarizes your organization’s classification taxonomy. You can specify the URL of this page in the AIP portal under Global settings.
- DLP policies: Azure Information Protection updates the message headers as part of classifying & protecting content. Create mail flow rules/policies which take an appropriate action based on message headers. For example, if the mail is classified as ‘Highly Confidential’ (as reflected in the message header) and if the recipient is outside the organization – block the mail.
- SharePoint Online (SPO) custom properties – From the O365 Security and Compliance center, create a rule for SPO which inspects the managed properties in a document to take an appropriate action (e.g. notify the library owner or the last person who modified the content).
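As an added illustration (not code from this post or from Microsoft), here is a small Python evaluator that applies the DLP rule described above to constructed messages: it reads the classification from the message header and blocks when a Highly Confidential label is present and any recipient is outside the organization. The msip_labels header name and its key=value layout, the contoso.com domain and the label GUID are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumptions (not stated on the page): the AIP client stamps an "msip_labels"
# header holding ';'-separated MSIP_Label_<guid>_<Property>=<value> pairs, and
# contoso.com is the organization's own domain. Sample messages are constructed.
LABEL_RE = re.compile(r"MSIP_Label_(?P<guid>[0-9a-fA-F-]+)_(?P<prop>\w+)=(?P<val>[^;]*)")
INTERNAL_DOMAINS = {"contoso.com"}
BLOCKED_LABELS = {"Highly Confidential"}

def parse_msip_labels(header_value):
    """Group the header's key/value pairs by label GUID: {guid: {prop: value}}."""
    labels = {}
    for m in LABEL_RE.finditer(header_value or ""):
        labels.setdefault(m["guid"].lower(), {})[m["prop"]] = m["val"].strip()
    return labels

def applied_label_names(msg):
    """Names of the labels the header marks as Enabled=true."""
    return {p["Name"] for p in parse_msip_labels(msg.get("msip_labels")).values()
            if p.get("Enabled", "").lower() == "true" and "Name" in p}

def external_recipients(msg):
    """Recipient addresses whose domain is not one of ours (To, Cc and Bcc)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))
    return sorted(a for _, a in pairs if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS)

def evaluate(raw_message):
    """Mirror the mail flow rule: ('block', why) if a blocked label goes external, else ('allow', why)."""
    msg = message_from_string(raw_message)
    hits = applied_label_names(msg) & BLOCKED_LABELS
    ext = external_recipients(msg)
    if hits and ext:
        return "block", f"{sorted(hits)} addressed to external recipients {ext}"
    return "allow", "no blocked label on a message with external recipients"

GUID = "11111111-2222-3333-4444-555555555555"  # constructed label id, not a real one
SAMPLE_EXTERNAL = (
    "From: alice@contoso.com\nTo: bob@contoso.com, Carol <carol@fabrikam.com>\n"
    f"msip_labels: MSIP_Label_{GUID}_Enabled=true; MSIP_Label_{GUID}_Name=Highly Confidential\n"
    "Subject: Q3 numbers\n\nbody\n")
SAMPLE_INTERNAL = SAMPLE_EXTERNAL.replace("Carol <carol@fabrikam.com>", "dave@contoso.com")

if __name__ == "__main__":
    for name, raw in (("external", SAMPLE_EXTERNAL), ("internal", SAMPLE_INTERNAL)):
        print(name, *evaluate(raw))
```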
Consideration #4 – I’m an over-achiever. What should I NOT do? We’re happy you asked! It’s simple: Don’t go crazy with your newfound super powers! By way of a story…a long time ago I invented Windows Group Policy with a few colleagues. We were so proud. We told everyone to turn every knob, dial, and switch they could. You know what, they did. The end users were SO upset by the ‘heavy hand of IT’ that they rebelled. Not a pretty sight! It certainly was not the right balance of control vs usability. Having learned a few things, I’d now encourage you to show restraint with a few aspects of Azure Information Protection:
- Don’t overdo sub-labels. Many user cognition studies show that users can retain about five different things. Don’t give them fifteen. Show restraint.
- Don’t overdo scoped policies. People talk. People change jobs. If you make ‘everyone’ in your organization special, you are asking for more pain. Show restraint.
- Don’t wait. You’re leaking data. You’re focused on protecting way, way too much data today. By classifying your data as we advocate above, you can focus on the Confidential / Highly Confidential stuff and only that stuff. You’ll reduce your workload by quite a bit.
Consideration #5 – I own EMS E3. Should I wait for the next budget cycle to get EMS E5? No. Practically everything we’ve covered is part of E3 except for recommendation/automatic classification (and HYOK, the next consideration). You can enjoy a wonderful uptick in information protection with the E3 offer. In fact, show your leadership that you have maximized the value of your EMS E3 purchase and then consider Azure Information Protection P2 or EMS E5. That said, we’re working hard at adding value at all tiers, so I’d encourage you to look at the very nice work we’ve done with Cloud App Security (MCAS) with regards to classification.