Your Guide to Azure Information Protection

Microsoft Azure Information Protection: A Guide for Small Businesses

In today’s technology and productivity focussed world, hybrid, remote and multidevice work is a part of everyday life for almost every organisation. Whilst it brings many benefits, it also poses new challenges for data security.

  • How can you keep your sensitive information safe and compliant no matter where your employees work from?
  • How can you ensure that documents are only accessed by the people that need to see it and not your entire organisation?

We very often see organisations that have highly secure in-office set ups, but as soon as data leaves their network, the security practices are much less stringent. It’s important that we maintain absolute security outside of our offices, and also for our data regardless of where, when and how it’s accessed. This is where Azure Information Protection can help.

In this article, we’ll look at what Azure Information Protection is, we’ll delve into some of its functionality, explore some small business use cases, look at how it works alongside Copilot, and understand how to get it. Let’s dive in…

What is Azure Information Protection?

Azure Information Protection (AIP) is a Cloud service that allows you to protect, set policies for, and audit your sensitive data. Its key focus is protecting data by applying sensitivity labels and encryption.

You can use AIP to:

  • Apply encryption to your data, so that only authorised users can open it.
  • Track and revoke access to your data, even after it has been shared or downloaded.
  • Define who can access your data and what they can do with it (such as view, edit, print or forward).
  • Detect and prevent data leaks, by applying policies and rules to your data based on its classification label.

Prevent Data Exposure with Office Message Encryption

Encryption prevents data exposure by making it unreadable to anybody who has unauthorised access. This is done through Office Message Encryption (OME) which is part of AIP, which allows you to manually encrypt documents and emails. Policies can also be applied by your Administrator which sets encryption when sending or receiving from specific individuals or groups. This provides a much-needed additional layer of security for your emails, helping to keep yours and your customers’ data confidential.

Allowing and Rescinding Access to Documents

AIP also allows you to set limits on recipients’ actions – you can allow or disallow viewing, printing, copying, screen grabbing and forwarding of both emails and documents saved in SharePoint or OneDrive. Users can also rescind access to documents once permission has been granted either manually or automatically by specifying an allocated time when it is available. This feature is especially beneficial when sharing sensitive financial information or sales quotes as, for example, your prices may rise the following year.

Classification and Labelling in AIP

The primary focus and AIP’s main application for the majority of organisations is its classification and labelling functionality. This allows you to choose who can and can’t see certain documents and folders, and assign levels of confidentiality and importance.

When a document is created, classification labels can be applied. This means that the relevant policy dictates where this document can go and what can be done with it. If a labelled document were to be shared with a group or individual it’s not supposed to be, the action wouldn’t work and the administrator would be notified. The administrator notification is important because it ensures transparency and allows the admin to respond appropriately.

For emails, similarly to when a document is created, users will be prompted to apply a label and this will then dictate who can access the email and what can be done with it.

Adding classification labels to your data also allows staff to explicitly see which information is sensitive, so there’s no confusion and less chance of human error. Additionally, this also means that employees are consciously identifying the risks and potential business impact sharing that data might cause.

Classification and Labelling Use Cases

We know that whilst this sounds great in theory, it can be difficult to visualise how it can be used in practice for your organisation. To help, here are some of the uses we see most frequently.

AIP Classification for Internal and External

This is an extremely common use. It keeps internal information internal, so only people in your organisation can access it. If a document had an ‘Internal’ label applied to it and an employee tried to email it to a customer, it simply wouldn’t work. The recipient would not be able to open the email, so the information would not, and could not, be shared.

Do Not Forward Emails

Classification labels can be applied to emails as well as documents. Any emails that are labelled ‘Do Not Forward’, obviously cannot be forwarded on to anyone. As stated above, the action simply wouldn’t work and the administrator would be notified.

Department and Business Impact

Whilst preventing external sharing is important, information needs to be protected internally as well. We wouldn’t, for example, want employees to have open access to each other’s payslips. A common use we see to protect information internally is classification per team, ‘Leadership’, ‘HR’, ‘Finance’ for example, or you might choose to define by impact on the business if it gets into the wrong hands ‘Low Business Impact’, ‘Medium Business Impact’ and ‘High Business Impact’.

The beauty of classification labels in AIP is that they are customisable. Administrators can customise the labels so they can be tailored to suit your organisation’s needs. Virtually any classification system you can think of can be made a reality!

If you need help choosing and implementing the classification labels most suitable for your business, then please get in touch.

Automatic Labelling with AIP Plan 2

There are two business AIP plans to choose from – Plan 1 and Plan 2. The difference between the two is that AIP Plan 2 has Automatic and Recommended Labelling.

Automatic labelling can be done using predefined patterns (if an email contains a credit card number for example), or you can use customised labelling based on your policies. You might choose to have all HR documents automatically labelled as ‘strictly confidential’. If administrators allow it, users can overwrite these labels if they’re not appropriate for the document. All overwrites are audited to provide traceability.

The biggest benefit of automatic labelling is that it isn’t reliant on employees to classify the documents themselves. This prevents users overlooking classification or bypassing it because they’re pressed for time, thereby eliminating the chances of data being shared into the wrong hands.

Seamless and Easy to Use

AIP is easy to manage from the Microsoft 365 compliance centre, where you can also view reports and audit logs of your data activity. All of this makes it seamless and easy to use, and perfect for SMEs. You can customise the areas you want to, view reports and keep track of your security from an intuitive portal without needing in depth technical knowledge.

Secure Productivity with AIP and Copilot for Business

As more and more organisations are getting excited about and exploring Copilot for Business and its capabilities, we thought we’d address how Azure Information Protection works alongside Copilot.

Organisations can rest assured knowing that Copilot for Business always respects the security measures set up in Azure Information Protection. As an example, if a user were to ask Copilot to display some Sales Data in a table, Copilot would operate only within the context of that user’s permissions. It would only be able to display data that the user had access to – it would not, and could not, pull data from documents that the user doesn’t have permission to see.

In addition, Copilot wouldn’t pull data if access had been rescinded, and if printing and downloading is restricted by the AIP classification, Copilot generated content won’t be printable or downloadable either.

In other words, Copilot will always respect the permissions in AIP providing a secure, and context-aware experience for users. This means businesses can use the powerful tools of Copilot for Business with peace of mind that they are maintaining absolute data security.

Sounds great. How do I get it?

If you have Microsoft 365 E3, then you already have AIP Plan 1, and AIP Plan 2 is included in Microsoft 365 E5.

If you don’t have these plans, then AIP is also available as a stand alone product that can be added on to whichever Microsoft 365 plan you currently have.

More Information

For more information and to understand how we can help your organisation, please reach out to us.