Microsoft Information Protection – keep your data protected

By Neil Hobson on

Information can be created and potentially accessed from different physical locations via different apps running on different devices. Protecting sensitive information while maintaining collaboration capabilities becomes a key consideration. Microsoft Information Protection is a framework of products, services and features for protecting information across its lifecycle. It includes products, services and features such as:

  • Azure Information Protection (AIP) 
  • Office 365 Message Encryption (OME)
  • Conditional Access 
  • Office 365 Data Loss Prevention (DLP) 
  • Office 365 Advanced Data Governance 
  • The Office apps such as Word, Excel, PowerPoint, Outlook, etc 
  • Microsoft Cloud App Security 
  • Windows Information Protection 

These products, services and features offer solutions for detecting, classifying, protecting, blocking, tracking and monitoring content. 

One of the cornerstones of protecting information is the ability to classify files and emails with a sensitivity label so that the sensitivity of that item can be indicated. Policies to protect sensitive information can be applied and enforced based on these sensitivity labels.

What are sensitivity labels and how do they apply protection? 

Sensitivity labels can be applied to information that an organisation creates, such as files and emails, to indicate the sensitivity of that information. Sensitivity labels are part of Microsoft’s Azure Information Protection cloud-based service and are defined by an organisation based on its requirements. 

These sensitivity labels can apply classifications only, or classification and protection. For example, the Non-Business, Public and General sensitivity labels shown below in Microsoft Word have been configured to apply a classification but do not apply any protection. However, the Confidential / All Employees sensitivity label has been configured to apply protection to this Microsoft Word document.

Image: Microsoft Information Protection in a word document

Protection includes encryption, identity and authorisation policies. In the example above, the Confidential / All Employees sensitivity label is used to restrict access to the document to employees of the organisation. Classifications and protection are persistent and remain with the item no matter where it is stored. 

Sensitivity labels can also be configured to include visual markings if required. These visual markings come in the form of headers, footers and watermarks that permit customising the text, font sizes, font colours and alignment. 

Image: Microsoft Information Protection sensitivity labels

Office 365 services such as Exchange Online and other Office apps such as Outlook also integrate with the protection technologies. For example, Office 365 Message Encryption (OME) can be used to encrypt messages as well as prevent messages from being forwarded. 

Image: Information protection in Exchange online

Can protection be applied automatically? 

In the examples shown above, the user must classify the document manually by selecting the relevant sensitivity label from those presented. Automatic or ‘recommended’ classifications are possible. The features available in each plan are detailed in Microsoft’s Azure Information Protection pricing information.

Sensitivity labels can be configured to detect the Office 365 pre-defined sensitive information types, such as credit cards, as well as any custom phrases or expressions. In the example below, a recommendation is made to the user to classify the document using the Highly Confidential \ ProjectY sensitivity label due to the detection of the custom phrase ‘ProjectY’. 

Image: Automatic information protection

How do other services in the framework fit in?

Microsoft Information Protection is a framework that includes other services such as Conditional Access and Microsoft Cloud App Security which help protect and govern sensitive information throughout its lifecycle. Example scenarios that show the integration between AIP, Conditional Access and Microsoft Cloud App Security include: 

  • Conditional Access is configured to require a device to be compliant if it is being used to access protected content 
  • Microsoft Cloud App Security is configured to alert if a user stores a confidential document in a third-party cloud storage service 

It is important to consider the other products, services and features of the Microsoft Information Protection framework when planning an information protection architecture. 

It all sounds great! How do I get started? 

Deploying Azure Information Protection to provide classifications and optional protection requires careful planning. Areas that need to be considered and defined include: 

  • Understanding the data that exists within an organisation 
  • Determining the required sensitivity labels 
  • Determining any required protection configuration of the sensitivity labels
  • Considering any automatic labelling scenarios 
  • Azure Information Protection integration with other products, services and features from the Microsoft Information Protection framework 
  • Deployment planning, such as the prerequisite configuration tasks for enabling Azure Information Protection 
  • Adoption planning, such as user communications, support, driving ongoing usage, etc 

Microsoft suggests following the Microsoft Information Protection Lifecycle phases to deploy this technology, starting with the ‘discover’ phase:  

Image: Microsoft information protection cycle

Discovering sensitive information 

Data can be located on-premises, in the cloud, or in a mixture of both locations in hybrid environments. Microsoft offers solutions such as the AIP Scanner for discovering sensitive information in on-premises locations. For discovering sensitive information in cloud locations, Microsoft provides Office 365 Data Loss Prevention (DLP) and Cloud App Security solutions. A mixture of these technologies can be used for data in hybrid environments.

In the example below, the AIP Scanner has detected a spreadsheet that contains credit card numbers. The different sensitive information types uncovered during the discovery phases can be aligned with the corresponding sensitivity label that has been defined by the organisation. 

Image: Information protection AIP scanner
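The step from a detected sensitive information type to a recommended label, described in the automatic labelling and AIP Scanner sections above, is sketched below in Python as an added example; it is not Microsoft's or Silversands' code and does not reproduce how AIP itself detects content. The label names are taken from this page, while the label ordering, the rule that maps a credit card hit to Confidential / All Employees, and all function names are assumptions made for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Label names come from the page; ordering and rule mapping are assumptions.
LABEL_ORDER = ["General", "Confidential / All Employees",
               "Highly Confidential \\ ProjectY"]

def luhn_ok(digits):
    """Luhn checksum: filters out random digit runs that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text):
    """Return digit strings that match the pattern AND pass the checksum."""
    candidates = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    return [c for c in candidates if luhn_ok(c)]

def recommend_label(text, current="General"):
    """Return (recommended_label_or_None, reasons). Never recommends a downgrade."""
    findings = []
    if find_cards(text):
        findings.append(("credit card number", "Confidential / All Employees"))
    if re.search(r"\bProjectY\b", text, re.IGNORECASE):
        findings.append(("custom phrase 'ProjectY'", "Highly Confidential \\ ProjectY"))
    best = current
    for _, label in findings:
        if LABEL_ORDER.index(label) > LABEL_ORDER.index(best):
            best = label
    return (best if best != current else None), [reason for reason, _ in findings]

# Constructed sample documents (4111 1111 1111 1111 is a well-known test number).
SAMPLES = {
    "invoice.txt": "Paid with card 4111 1111 1111 1111, thank you.",
    "tracking.txt": "Parcel reference 4111 1111 1111 1112.",   # fails Luhn
    "plan.txt": "ProjectY budget; deposit on 4111-1111-1111-1111.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, recommend_label(body))
```

The `tracking.txt` sample shows why a pattern match alone is a poor trigger: the digit run looks like a card number but fails the checksum, so no label is recommended.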

How can Silversands help with Microsoft Information Protection? 

Understanding the Microsoft Information Protection products, services and features together with their benefits, applicability and requirements can be a daunting experience.  We have extensive experience with Microsoft cloud services and can assist you in making sense of the options available to you.  Use the attached form and someone will be in contact with you very soon. 

Join one of our regular workshops and webinars providing the latest updates and expert advice about Microsoft 365, Cloud and Hybrid IT, security, Power Platform, compliance and partner tools. We also post regular blogs so please do follow us.
