Using Azure Information Protection to classify and label corporate data
Balancing security in the midst of a digital transformation
As the speed of business increases, employees are more mobile—often bringing their personal devices to work. Corporate network perimeters are dissolving as the modern workplace moves to the cloud. In this evolving environment, protecting corporate and customer data is of the utmost importance to Microsoft. Layers of data security and protection measures, which align to corporate data security and compliance standards, help protect our information.
At Microsoft Core Services Engineering and Operations (CSEO), when we needed to modernize our information protection strategy, we upgraded our data classification framework and deployed Azure Information Protection (AIP), a data classification labeling and protection tool. Classification labels offer persistent protection because they travel with the data, regardless of where it’s stored, sent, or shared.
Information protection at Microsoft is supported by device health, identity management, and data telemetry. Not all data is equal, nor does it require equal levels of protection. To apply the appropriate levels of security control in our environment, we need to identify the data we are protecting, and how much we need to protect it—based on its sensitivity and business value.
Microsoft is a global organization, which makes security compliance more complex. Different regions of the world have different data requirements. Complex data governance, retention, and encryption controls can be very difficult to enforce without tooling and automation. For example, identifying our data and controlling access to it are critical requirements of General Data Protection Regulation (GDPR) compliance.
In the past, we used a data classification framework with four main labels that were based on the possible business impact if information was leaked or mishandled. However, the naming convention was Microsoft-centric and not intuitive. Data was classified by templates that, when used properly, provided visual cues about file classification.
To help people classify data appropriately, we gave them a detailed data classification standard and a point-and-click application with simplified examples of common data elements. However, in many cases—such as Office documents—labeling was often a cosmetic exercise. If people classified a document, the protection did not travel with the file once it left SharePoint or a file share. People were responsible for following data classification standards when they shared files, but some didn’t really think about the classification requirements outside of SharePoint collaborative environments. Ultimately, labeling was inconsistent.
Employees and contingent staff are responsible for recognizing sensitive or confidential information and helping prevent unauthorized access. Their decisions affect our compliance state. Faced with the challenging and expensive task of educating people about data retention, encryption, and classification, we needed to look at more intuitive ways to help people classify data, so we could automatically apply policies and standards.
We also needed more visibility into what is happening with sensitive data, where it is stored, and where it is shared. Before AIP, once a file left the relative safety of a secure SharePoint portal, we had little visibility or control over how it was handled, unless explicit protection policies like encryption or rights management were applied at the file level. We wouldn’t know if sensitive data was copied from a confidential document and pasted into an unclassified, local file—and we couldn’t tell if data was improperly classified. We relied on employee training and education to help ensure that sensitive data was being handled appropriately.
Improving our classification framework
We worked with security and compliance groups across Microsoft to improve our classification framework. The new framework and labels are more intuitive, so our people can make better data-handling decisions. Data protection standards align more clearly and are easier for people to understand and follow. The classification framework we implemented has five labels:
- Non-Business. Non-business data that is created using Microsoft assets, but is not related to Microsoft business or our customers. Data is not encrypted and cannot be tracked or revoked.
- Public. Microsoft business information that is prepared and approved for public consumption. Data is not protected by Azure Rights Management service (RMS), and owners cannot track or revoke content using RMS.
- General. Business information that is not meant for public consumption; however, it can be shared with employees, contingent staff, business guests, and external partners. It is not RMS protected and owners cannot track or revoke content using RMS. If an employee does not select a classification label, AIP defaults to this label, but will provide labeling recommendations based on what’s being entered in the document.
- Confidential. Sensitive, strategic business information that could cause harm if shared inappropriately. It also represents personal information, regardless of identifiability. Data is protected using RMS and owners can track and revoke content. Recipients are trusted and get full delegation rights, including the ability to remove RMS protection.
- Highly Confidential. Very sensitive critical and high-risk data, requiring the strictest protection. This classification includes regulated data and sensitive personally identifiable information. Data is protected using RMS and owners can track and revoke content. Recipients do not get delegation rights or rights to modify or remove RMS protection.
For Confidential and Highly Confidential we also have sub-labels that address the scope of visibility:
- Microsoft Executive and Staff, which is visible only to the Microsoft Senior Leadership.
- Microsoft FTE, which is visible to all full-time employees.
- Microsoft Extended, which is visible to full-time employees and contingent staff.
Azure Information Protection helps protect data throughout the document lifecycle
We worked with security, privacy, and product groups at Microsoft to upgrade and unify our data loss prevention (DLP) program. As part of the unified DLP program, we implemented Azure Information Protection to help us protect documents throughout their lifecycle.
Figure 1. Azure Information Protection as part of data loss prevention lifecycle.
Classification and labeling
We are using Azure Information Protection to classify, label, and protect roughly 15 million documents and emails per month. With Azure Information Protection, employees can classify their own content, or we can automate classification by using the Azure Information Protection Scanner to scan documents for sensitive content, such as credit card and social security numbers.
We believe that the right combination of people, processes, and technology can effectively protect the organization’s data. Microsoft employees play a crucial role in protecting the corporate data that they create, collaborate on, and manage. In the absence of tools and automation, we still want them to think about the right way to classify and handle confidential data. We chose to have our employees classify data, and we scan content to provide classification recommendations.
With data constantly being created, edited, stored, and shared within and outside the company, from both corporate and personal devices, we needed to give people the tools and information to easily and correctly classify and label data.
Tools take the guesswork out of protection policies
The Azure Information Protection Protect button is an add-in for Office 365 productivity applications, including Outlook email, Word, Excel, and PowerPoint. Once installed, the Protect button gives employees classification tips and an automated method to classify files that they open or create in Office 365 productivity apps.
Since we’re asking employees to classify their own files, we use tool tip recommendations, shown below, to help them choose an appropriate classification and encourage their ongoing participation.
Figure 2. Azure Information Protection recommends data classification in Office 365 Word files
By default, unclassified documents open as General, but as content and data are added, Azure Information Protection makes recommendations. Those recommendations can be based on keyword scans and number patterns that indicate financial or personal information.
Figure 3. Azure Information Protection Protect button
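The recommendation behavior described above (keyword scans and number patterns that raise a suggested label from the General default), shown as an added example; it is not Azure Information Protection's detection logic or Microsoft's policy. The label names come from the framework in this article, while the regular expressions, the keyword list, and the label assigned to each finding are assumptions made for illustration.

```python
import re

# Label names are the article's, ordered from least to most sensitive.
RANK = ["Non-Business", "Public", "General", "Confidential", "Highly Confidential"]
DEFAULT_LABEL = "General"  # the article's default for unlabeled documents

# Assumed for this example: the patterns, the keywords and the label each maps to.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
KEYWORDS = {"salary": "Confidential", "passport": "Confidential"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; discards digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def recommend(text: str, current: str = DEFAULT_LABEL):
    """Return (label, reasons). The label is never lower than `current`."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("Highly Confidential", "credit card number"))
    if SSN_RE.search(text):
        hits.append(("Highly Confidential", "social security number"))
    lowered = text.lower()
    for word, label in KEYWORDS.items():
        if re.search(rf"\b{re.escape(word)}\b", lowered):
            hits.append((label, f"keyword '{word}'"))
    best = current
    for label, _ in hits:
        if RANK.index(label) > RANK.index(best):
            best = label
    return best, sorted({reason for _, reason in hits})
```

The Luhn check is what keeps order references and other long digit runs from triggering a card-number recommendation, which matters when a recommendation is shown to the person typing.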
Labels and classification inform automated protections that are applied using encryption, identity, and authorization policies. Azure RMS integrates with cloud services and applications such as Office 365, Azure Active Directory (Azure AD), and Windows Information Protection. The protection travels with documents and email whether they are inside or outside of the company network, file servers, and applications.
Azure RMS Data Encryption in Azure Storage helps secure data at rest and in transit. Azure Disk Encryption can be used to encrypt operating systems and data disks used by virtual machines. Data is protected in transit between an application and Azure, so it remains secure at all times.
Azure Key Vault helps safeguard cryptographic keys, certificates, and passwords that protect our data. Key Vault uses hardware security modules, and is designed so that we can control our keys and, therefore, our data. We can monitor and audit stored key use with Azure logging, and we can import logs into Azure HDInsight or our security information and event management system for more analysis and threat detection.
Azure helps us manage user identities and credentials to control access to data in several ways.
Azure AD helps ensure that only authorized users access our computing environments, data, and applications. We use multi-factor authentication for secure sign-in, and Azure role-based access control helps manage access to Azure services that contain personal data. And Azure AD Privileged Identity Management helps us reduce risks associated with administrative privileges through access control, management, and reporting.
Classification and labeling also inform enforcement of policies that restrict access to some document functions for higher classification levels. Once an employee applies a classification label and scope, our policy specifies which recipients and recipient actions are allowed. For example:
- By applying the Non-Business label, recipients can view, forward, print, and save the content. Content is not RMS protected.
- By applying the Confidential \ Recipients Only label, recipients can view, reply, print, and save the content. However, they can’t forward the content or remove RMS protection.
- By applying the Confidential \ Microsoft Executive and Staff label, only members of the executive and executive staff user groups can view, forward, reply, print, and save the content. Document owners can view tracking and logging of their confidential documents using the Azure Information Protection app or console.
Monitor and respond
When Azure Information Protection has been applied, employees can securely collaborate with people inside or outside the company, track use, and even revoke access remotely. With the Azure Information Protection app, they can see who has access to their content and where it’s located, even when it leaves the organization’s traditional boundaries.
We implemented a company-wide awareness campaign, which included digital displays in company offices, targeted communication, presentations at company events, and new-hire orientation. We included data protection information in mandatory employee and vendor training to raise awareness without additional training.
Our adoption program involved representatives from each business organization that helped shape the program. They helped develop a company-wide standard and provided feedback. We established company and organizational baselines, methods to measure classification label adoption, and key indicators that help us target more training and drive improvements in awareness and adoption.
Reporting and metrics
Measuring the amount of classified and protected data in our systems is a key requirement for reporting our GDPR compliance. Azure Information Protection audits and logs compliance data that we can analyze for business insights or monitor for abuse through a consolidated information protection console. We have delegated super users that can set policies and recover protected documents—for example, from an employee who has left the company.
We have recently deployed a new Azure service in Operations Management Suite that uses the same policies as our Azure Information Protection data at-rest scans.
The information protection journey
Azure Information Protection has been broadly deployed at Microsoft, and we have been working to educate users and promote adoption. A key benefit in deploying the Azure Information Protection button on the Office ribbon is that we can focus on teaching people how to use the toolbar, rather than the complexities of information protection. We don’t need them to remember which levels of sensitivity require encryption or how long the retention policy is for Highly Confidential information—we simply need to teach them how to use the tool.
We are working toward a unified data protection program that features native integration with Office 365 and seamless interoperability across all Microsoft cloud platforms. We are coordinating with teams from other areas of Microsoft including Azure Information Protection, Office Information Protection, and Windows Information Protection. We are working with Microsoft security and compliance teams on a unified console, where all data and documents are labeled and protected during their entire lifecycle, across all important endpoints, applications, and services.
© 2018 Microsoft Corporation. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.