How to Keep Your Data Safe With Azure Information Protection


Data travels everywhere. Customers, employees, partners and vendors collaborate continuously on different devices and applications. But is the data always shared safely? Probably not.

Here’s why you need to protect your data and how Azure Information Protection can help. Plus, we’ll share resources, how-to tips and a guide to help you get started.


Why You Need to Protect Your Data

You can’t hold data in a corporate database at a single location anymore. Vendors, partners and consultants send millions of documents across corporate boundaries every day.

A Ponemon Institute study funded by IBM estimates the average cost of a data breach at $3.6 million. Another study by the Identity Theft Resource Center found that over 1,000 agencies and companies experienced data breaches in 2016, a record 40 percent increase from the year before. And the numbers are growing.

It’s not just about malicious data breaches, either. Information leakage, whether deliberate or inadvertent, can also compromise sensitive company data.

Why Legacy Security Won’t Work

Legacy security measures don’t protect sensitive data.

Information protection solutions used to focus on control. Firewalls and proxies kept sensitive information within corporate boundaries, and device security services protected data contained on managed devices and apps. But that only works for internal users. It doesn’t account for consultants, remote employees or third-party partners.

Traditional boundaries fall short of today’s security needs. With rapidly shifting collaboration scenarios, security measures need to change from an organization-centric focus to a data-centric one, protecting the data wherever it goes.

What Is Azure Information Protection?

Azure Information Protection is a cloud-based application that classifies, labels and protects documents and emails within an organization. It’s a universal way to identify data across disparate locations and apply the appropriate security measures.

Use the service to protect against sharing and data leakage and keep unauthorized users from accessing shared data.

Azure Information Protection’s classification labels use headers, footers and watermarks to identify documents with sensitive information. The service adds metadata in clear text to files and email headers so other data loss prevention services can take action if necessary.
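How a downstream mail gateway could act on that clear-text metadata, as an added example (not Microsoft's or Agile IT's code). It assumes the label travels in an `msip_labels` email header made of `MSIP_Label_<GUID>_<Attribute>=<value>` pairs; the sample message, GUIDs, domains and the `dlp_action` policy are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed header layout: msip_labels: MSIP_Label_<GUID>_<Attribute>=<value>; ...
PAIR = re.compile(r"MSIP_Label_([0-9a-fA-F-]{36})_(\w+)=([^;]*)")

def parse_msip_labels(header_value):
    """Return {label_guid: {attribute: value}} for every label in the header."""
    labels = {}
    for guid, attr, value in PAIR.findall(header_value or ""):
        labels.setdefault(guid.lower(), {})[attr] = value.strip()
    return labels

def active_label_names(raw_message):
    """Names of labels marked Enabled=True; an unlabeled message yields []."""
    msg = message_from_string(raw_message)
    # Long headers are folded across lines; collapse whitespace to unfold them.
    header = " ".join((msg.get("msip_labels") or "").split())
    return sorted(attrs.get("Name", "")
                  for attrs in parse_msip_labels(header).values()
                  if attrs.get("Enabled", "").lower() == "true")

def dlp_action(raw_message, internal_domain,
               restricted=("Confidential", "Highly Confidential")):
    """Hypothetical gateway policy: allow, block or review an outbound message."""
    msg = message_from_string(raw_message)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = any(not addr.lower().endswith("@" + internal_domain)
                   for _, addr in rcpts)
    if not external:
        return "allow"
    names = active_label_names(raw_message)
    if any(name in restricted for name in names):
        return "block"
    # External mail with no active label has never been classified.
    return "allow" if names else "review"

# Constructed sample: one active label, one disabled label, external recipient.
SAMPLE = (
    "From: alice@contoso.example\n"
    "To: bob@partner.example\n"
    "Subject: Q3 forecast\n"
    "msip_labels: MSIP_Label_11111111-2222-3333-4444-555555555555_Enabled=True;\n"
    " MSIP_Label_11111111-2222-3333-4444-555555555555_Name=Highly Confidential;\n"
    " MSIP_Label_aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee_Enabled=False;\n"
    " MSIP_Label_aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee_Name=Public\n"
    "\nbody\n"
)
```

Because the label is readable without decrypting the message body, the gateway needs no Azure RMS keys to make this decision.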

Although it’s cloud-based, Azure Information Protection supports on-premises and hybrid scenarios.

Get Started With Azure Information Protection

It’s overwhelming to identify every piece of data you need to protect. Azure Information Protection is designed to address that. Here’s how it works:

Identify Sensitive Data

First, identify critical company data, including personal customer data, financial or health information and sensitive company memos.

Classify the Data

Next, you’ll need to label all sensitive data. Azure Information Protection comes with several standard labels: Personal, Public, General, Confidential and Highly Confidential (you can also create your own).

When you’re choosing classifications, keep it simple with standardized labels. Don’t invent complicated or technical acronyms. Every employee should understand the terms. Critical departments with highly sensitive info (human resources, legal or finance departments) can use sub-labels, but these should be consistent and easy to understand.

You can classify the data a few ways:

  • IT administrators: Define the conditions and rules to classify data automatically.
  • Users: Manually label data.
  • A hybrid approach: Administrators and users can both classify the data depending on the rules created.

Protect Data and Control Usage Rights

Once you categorize data, you also need to protect it. Azure Information Protection uses Azure Rights Management (Azure RMS) to encrypt sensitive data and manage access. Azure RMS integrates with other Microsoft cloud services and third-party applications.

With Azure RMS, the protection stays with the data regardless of its location. You control the shared data.

When implementing protections, it might be your first instinct to put restrictions on everything. But that could frustrate users and hinder productivity.

Don’t overuse automatic classifications. It sounds good in theory but rarely works, especially in large organizations. There are too many exceptions and complications. Try implementing recommendations instead (see below). This approach gently guides users and encourages the right behavior, which will be more effective in the long run.

Track and Report Document Usage

After implementing controls, you need to monitor the protected data. Azure Information Protection has tracking and reporting capabilities to manage document access, detect and respond to risky behavior and prevent data misuse. The tool also offers detailed reporting and logs to support compliance and regulatory requirements.

Get Complete Data Protection and Control With EM+S

Many sensitive documents not only need to be classified, but also protected across multiple devices. Microsoft’s Enterprise Mobility + Security suite (EM+S) is a comprehensive mobile device management tool for identity rights, mobile applications and document and data security.

Azure Information Protection Resources

Azure Information Protection is available as a single service and through Microsoft’s EM+S. You can also get it through enterprise volume licensing.
