Author Archives: kartikkopalle

Dynamic enforcement of protection controls to different recipients with Azure Information protection

In any data protection service, end-user adoption is imperative for meeting the compliance goals of the organization. Having said this, it is essential to be equipped with a solution or service that does not disturb the end-user workflow and gives us a rich set of automated controls enforced by the rights management service.

Automatically enforcing policy controls on sensitive information in documents and emails gives complete control over the data being shared with different recipients, because the controls are applied on the fly without the user's interaction and therefore without interfering with the user's productivity.

But, yes, a little effort has to be invested before enabling these policies: gather information on the type of restrictions the organization intends to enforce on other domains and partners.

Business use case: An email and an attachment are sensitive to the organization. They are being sent to different recipients (shown below) and we have to mitigate the risk of data leakage.

1. Same department within the organization – HR as an example

2. External domains – Gmail

3. Different department within the organization – Finance as an example

4. Any other domain/user which is not part of the above 3 – Yahoo as an example

Now, my rights management service should not interfere with the user's workflow and should apply protection differently to different recipients. When the document and email are received by a user in the same department, he/she should have full control (Read, Write, Print, Reply, Forward). When received by a user in a different department of the same organization, he/she should have limited controls (Read, Print, Save). When received by external parties/vendors who are using Gmail, he/she should have all controls except Print and Save. When received by Yahoo users, he/she should not be authorized to open the email/content.

All these controls have to be applied on the fly without the sender's interaction, which gives the flexibility to minimize the user-adoption challenges of a rights management service. Ideally, the controls should be applied automatically as per the table below.

Now, let's get started by configuring policies in the Azure portal. I am not going into creating labels and enabling them with protection; if you want to know how to reach this step, check my previous blog.

So, basically, I am defining controls and permissions for different recipients and mapping them to the label "Confidential". I am giving access permissions to the HR group, the Finance group and the Gmail domain. So, if I send an email to any other user apart from HR and Finance in my organization, or to any external domain apart from Gmail, the rights management service will not authorize them.
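The same recipient-specific rights can be defined from PowerShell instead of the portal. The block below is an added example, not code from the original post: it builds one AIP protection template with the AIPService module so that HR gets full control, Finance gets read/print/save, the Gmail domain gets everything except print and save, and anyone else (other internal users, yahoo.com, ...) has no rights definition and is therefore not authorized. The tenant domain, the group addresses and the mapping of the portal's "Save" permission to the EDIT usage right (as I read the AIP usage-rights table) are assumptions.

```powershell
# Added example (not from the original post): express the per-recipient rights that
# the post maps to the "Confidential" label as an AIP protection template.
# Assumptions: tenant contoso.com, groups hr@contoso.com and finance@contoso.com,
# and the usage-right names (VIEW, PRINT, EDIT, DOCEDIT, EXTRACT, REPLY, ...) from
# the AIPService documentation. "Save" is mapped to EDIT, "Save As" would be EXPORT.
Import-Module AIPService
Connect-AipService   # opens the organization sign-in page

# HR: full control (read, write, print, reply, forward) -> OWNER includes every right
$hr = New-AipServiceRightsDefinition -EmailAddress "hr@contoso.com" -Rights "OWNER"

# Finance: limited to read, print and save
$finance = New-AipServiceRightsDefinition -EmailAddress "finance@contoso.com" `
    -Rights "VIEW", "PRINT", "EDIT"

# Gmail domain: all controls except print and save (no PRINT, no EDIT/EXPORT)
$gmail = New-AipServiceRightsDefinition -EmailAddress "gmail.com" `
    -Rights "VIEW", "DOCEDIT", "EXTRACT", "REPLY", "REPLYALL", "FORWARD"

# Recipients without a rights definition (other internal users, yahoo.com, ...)
# receive no use license, which is the "not authorized" outcome described above.
Add-AipServiceTemplate `
    -Names @{ 1033 = "Confidential - recipient specific" } `
    -Descriptions @{ 1033 = "HR: full control. Finance: read/print/save. Gmail: no print/save. Others: denied." } `
    -LicenseAcquisitionRightsDefinitions $hr, $finance, $gmail `
    -Status Published

# Review what is now published in the tenant before mapping it to a label
Get-AipServiceTemplate | Format-List
```

Once the template is published it can be selected as the protection setting of the "Confidential" label in the portal; the effective rights per recipient are what the rights definitions above encode, so any later change to them is a change to what every already-protected file allows.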

Now, let me classify a PDF as Confidential. I intentionally took a PDF file instead of an MS Office document because I want to check its native rights management capabilities.

As PDF does not support native labelling in AIP, I selected the file and manually chose "Classify and protect".

I selected the label Confidential so that the protection controls are applied to the PDF file.

Now, I am attaching this PDF to an email which is also classified as Confidential (for the email's own protection controls) and sending it to the HR and Finance departments within my organization, and to Yahoo and Gmail recipients external to my organization.

Now let's check whether the policies are applied automatically on the fly and differently to the different recipients.

First, let me compare the users within the organization – HR and Finance.

Email restrictions:

Document Restrictions:

I intentionally took a PDF as the reference to show you that it prompts for the AIP viewer to consume the protected file. As expected, it asks us to download the Microsoft Azure Information Protection viewer application. It can be downloaded from the Play Store for Android and the App Store for iOS.

For desktop clients, the AIP agent can be downloaded from here.

After installing the AIP viewer, try opening the PDF with it.

Now, let's compare the email and document permissions for the Gmail and Yahoo recipients.

Consuming AIP (Azure Information Protection) protected documents by different recipients

Document protection is an important aspect of data protection and security; it empowers users to control sensitive content that is shared across enterprises.

With the new enforcement of the General Data Protection Regulation (GDPR) and other regulations in different regions, it is mandatory to have control and visibility of sensitive information across boundaries and to be data compliant. An Information Rights Management service gives enterprises a rich set of tools and functionality to comply with the different data protection regulations and laws. Azure Information Protection, a SaaS offering from Microsoft, provides rich functionality and tooling to achieve the goals of data protection.

With Azure Information Protection, we can enable email and document protection with customized controls that restrict the functionality and capabilities of the recipient. For details on consumption of AIP-protected email by different recipients, please refer to my previous blog.

With any rights management service, the protection travels with the file, so it is essential to educate the different recipients and create an adoption plan for them. This will help them consume the protected documents seamlessly across different platforms.

Given below is a list of some scenarios considered for consuming a rights-management-protected document with AIP.

Scenario-1: Office 365 to O365

In this scenario, both the sender and the recipient are hosted in Office 365. Let us see the consumption workflow.

Outlook: Seamless with MS Office documents. For other formats like PDF, which are not natively supported, the Azure Information Protection client has to be installed.

The AIP client can be installed from here.

Outlook Web Access: As encrypted documents cannot be consumed with browser-based apps, it will prompt to download the document.

Mobile: Seamless with MS Office documents. For other formats, the AIP mobile client has to be installed. It can be installed from the Android Play Store or the Apple App Store.

Scenario-2: External Domains: Yahoo/Gmail

When Gmail or Yahoo Mail is accessed using a browser, it will prompt to download the encrypted document to the local machine. This protected document can be consumed once the AIP agent is installed.

When Yahoo/Gmail is configured on a mobile device, the protected documents can be consumed seamlessly with the MS Office apps. For other formats, the AIP mobile client has to be installed, which can be downloaded from the Play Store (Android) or the App Store (iOS).

Scenario-3: On-premises Exchange: Seamless when the AIP client is installed

When the recipient is an on-premises Exchange user, he/she has to install the AIP client to consume the encrypted document.

The AIP client can be downloaded from here.

Outlook Web Access: As encrypted documents cannot be consumed with browser-based apps, it will prompt to download the document.

Scenario-4: SharePoint Online – Seamless for MS Office files

When the protected document is uploaded to SharePoint, authorized recipients can access the MS Office documents seamlessly through the SharePoint Online portal, as it is integrated with the AIP service.

For other formats like PDF, the recipients have to download the file to the local machine and consume it with the AIP client.

Scenario-5: OneDrive for Business – Seamless with MS Office files

When the protected document is uploaded to OneDrive for Business, authorized recipients can access the MS Office files seamlessly, as OneDrive for Business is integrated with the AIP service.

For other file formats like PDF, the recipient has to download the document to the local machine and consume it with the AIP client.

Consuming AIP (Azure Information Protection) protected emails by different recipients

Azure Information Protection is a rights management service offered by Microsoft which helps an organization classify and optionally protect its documents and emails. Having this service in an enterprise gives visibility into the sensitive information being exchanged.

Enabling this service in an enterprise bridges security gaps and concerns to an extent, but it definitely disturbs the recipients' workflow. All users have to be well educated on how to use and consume this service. To an extent, we can educate the internal users, but it is quite challenging to educate and train recipients who have not adopted the cloud, who are using external email services like Yahoo/Gmail, or who are using on-premises Exchange to host their mailboxes.

As the recipient experience is seamless only with O365 services, other recipients have to follow certain procedures/guidelines to consume AIP-protected content. These procedures differ from recipient to recipient, and this blog will help you understand them.

When protection is enforced with Azure Information Protection for an email, it enables the DNF (Do Not Forward) functionality, which restricts the recipient from forwarding, editing, printing and even taking a screenshot of the protected email.

Let us consider different scenarios where a protected email is sent to different recipients and understand the recipient workflow.

Scenario-1: Sending a protected email from an O365 sender to an O365 recipient (Business to Business)

Outlook: Seamless

Outlook Web Access: Seamless

Mobile: Seamless with MS Office application

Scenario-2: O365 sender sending to a Gmail/Yahoo recipient

As Gmail and Yahoo are federated with Azure Active Directory, the recipients can either authenticate with their Yahoo/Gmail accounts or use a one-time passcode (OTP) to consume the protected email.

Scenario-3: O365 sender sending email to an on-premises Exchange recipient

Outlook, no AIP agent: OTP

Outlook, AIP agent installed at the endpoint: Seamless consumption

Outlook Web Access: OTP

Mobile: Seamless

kartikkopalle

February 3, 2020

Rights management solutions revolve around protection, i.e. encrypting and decrypting the content. Each document being protected is issued a unique content key (private key), each organization is issued a tenant key (public key), and authorization of the appropriate recipients happens with these keys. There are certain scenarios where authorized account(s) have to be given the privilege to decrypt any content, for the reasons below:

  1. The owner of the protected content leaves the organization
  2. Integration with other data protection technologies like DLP (content analysis) and Exchange (email searches) that need to decrypt protected content
  3. Bulk decryption for legal and compliance reasons
  4. Decrypting the content as part of an exit plan

Considering these scenarios, Azure Information Protection (AIP) gives an option to configure an account, the super user, which has complete access to any protected content.

Steps to configure the super user role in AIP:

Create a user account and add it to the Global admin group.


Create a sample spreadsheet and restrict access to the owner only.

Spreadsheet protected rights

Send the spreadsheet to the super user.

Sending email to superuser

As the super user role is not yet configured in AIP, the spreadsheet cannot be opened or viewed.

Not able to open the file attachment

Configure the super user role

The AIP PowerShell module can be installed and imported with the first two commands below. Then connect to the AIP service with the third cmdlet; this takes you to the organization sign-in page for authentication.

Install-Module AIPService

Import-Module AIPService

Connect-AipService


Configure the super user role

Add-AipServiceSuperUser -EmailAddress "<email address of the super user account>"

PowerShell to configure the super user role in AIP

Enable the super user feature by executing Enable-AipServiceSuperUserFeature

Check whether the super user feature is enabled:

Get-AipServiceSuperUserFeature


Now, check access to the restricted spreadsheet that was shared earlier. As we can see, the super user account is now able to open the spreadsheet that was restricted to the owner only.
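Put together, the steps above become the script below. It is an added example, not code from the original post: it enables the super user feature only if it is not already on, assigns the role idempotently, shows the group-based alternative, prints the resulting state, and leaves the disable call in place for when the bulk-decryption task is finished. The account and group addresses are placeholders, and the comparison of Get-AipServiceSuperUserFeature against the string "Enabled" assumes that is the cmdlet's output.

```powershell
# Added example (not from the original post): configure and verify the AIP super
# user role with the AIPService module. Addresses are placeholders.
Import-Module AIPService
Connect-AipService   # opens the organization sign-in page

$superUser      = "aipsuperuser@contoso.com"     # placeholder account
$superUserGroup = "aip-superusers@contoso.com"   # placeholder group

# 1. The feature is off by default; enable it only if it is not already enabled
#    (assumes Get-AipServiceSuperUserFeature returns "Enabled" / "Disabled")
if ((Get-AipServiceSuperUserFeature) -ne "Enabled") {
    Enable-AipServiceSuperUserFeature
}

# 2. Assign the role to the individual account, skipping if already present
if ((Get-AipServiceSuperUser) -notcontains $superUser) {
    Add-AipServiceSuperUser -EmailAddress $superUser
}

# 3. Alternative: assign the role through a group so that membership is
#    reviewed and managed in Azure AD rather than in AIP itself
Set-AipServiceSuperUserGroup -GroupEmailAddress $superUserGroup

# 4. Verify the final state before anyone relies on it
"Super user feature : $(Get-AipServiceSuperUserFeature)"
"Super users        : $((Get-AipServiceSuperUser) -join ', ')"
"Super user group   : $(Get-AipServiceSuperUserGroup)"

# 5. Once the bulk decryption / eDiscovery work is complete, switch the feature
#    off again; the role assignments stay but no longer grant access
# Disable-AipServiceSuperUserFeature
```

Keeping the feature disabled except during a specific task, and assigning the role through a group, are the two controls that limit how long and to whom "access to any protected content" is actually granted.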

Super user able to open the restricted spreadsheet
Super user opening the spreadsheet

Additional permissions mapped to the super user:

These additional permissions give the option to remove or change the permissions on restricted documents, thus unlocking them for further use and sharing.

Additional permissions of the super user

Auditing super user activity
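Because the super user can decrypt anything in the tenant, every change to the role and every use of it should be reviewable. The block below is an added example, not code from the original post: it exports the AIP admin log and filters it for super user cmdlets, then downloads the usage logs and extracts the rows for the super user account. The output folder and account address are placeholders; the usage-log column name user-id and the W3C "#Fields:" header line are assumptions about the log format.

```powershell
# Added example (not from the original post): review super user configuration
# changes and super user content access from the AIP service logs.
Import-Module AIPService
Connect-AipService

$outDir    = "C:\Temp\AipLogs"               # placeholder output folder
$superUser = "aipsuperuser@contoso.com"      # placeholder account
$since     = (Get-Date).AddDays(-30)
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Admin log: records the administrative cmdlets run against the tenant, so any
#    Add-/Remove-AipServiceSuperUser or Enable-/Disable-AipServiceSuperUserFeature
#    call shows up here together with who ran it
$adminLog = Join-Path $outDir "AdminLog.txt"
Get-AipServiceAdminLog -Path $adminLog -FromTime $since
"--- super user related admin actions (last 30 days) ---"
Select-String -Path $adminLog -Pattern "SuperUser" | Select-Object -ExpandProperty Line

# 2. Usage logs: one W3C-format file per period is downloaded into the folder
Get-AipServiceUserLog -Path $outDir -FromDate $since -ToDate (Get-Date)

# 3. Parse each usage log (header lines start with '#', the "#Fields:" line names
#    the tab-separated columns; 'user-id' is the assumed column for the requester)
"--- content requests made by $superUser ---"
Get-ChildItem -Path $outDir -File |
    Where-Object { $_.Name -ne "AdminLog.txt" } |
    ForEach-Object {
        $lines  = Get-Content -Path $_.FullName
        $header = $lines | Where-Object { $_ -like "#Fields:*" } | Select-Object -First 1
        if (-not $header) { return }
        $fields = ($header -replace "^#Fields:\s*", "") -split "\s+"
        $lines |
            Where-Object { $_ -and $_ -notlike "#*" } |
            ConvertFrom-Csv -Delimiter "`t" -Header $fields |
            Where-Object { $_.'user-id' -eq $superUser }
    } | Format-Table -AutoSize
```

The admin log answers "who turned the feature on and who was added", and the usage log answers "what did that account actually open"; reviewing both after each bulk-decryption task is what makes the role auditable rather than just powerful.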

Analytics in Azure Information Protection

When we manage cloud-based solutions, it is important to have visibility into anything that can impact availability, performance and compliance. Analytics in Azure Information Protection (AIP) gives deeper insights through usage reports, activity logs, data discovery and recommendations.

This analytics service in AIP gives the organization complete visibility and control over user and device activity with respect to the documents/emails being classified and protected.

A few examples of the metrics collected for AIP:

Usage report:

  • Labels being applied to a document/email
  • Number of documents/emails classified/protected
  • Count of users and devices labeling the documents/emails

Activity report:

  • Labeling actions performed by a user/device
  • Which users have accessed a specific document
  • Which labeling actions were performed by a specific application

These reports use the Azure Monitor service to store the data in a Log Analytics workspace owned by the organization, which provides a single source for monitoring Azure resources.

Prerequisites:

  • An Azure subscription that includes Log Analytics with Azure Monitor. For pricing, refer here.
  • A Windows 10 client machine with the AIP agent installed.

Steps to enable Analytics in AIP:

Log in to the Azure portal: https://portal.azure.com


Navigate to the Azure Information Protection pane


Enable Analytics for the Azure tenant


Create a new Log Analytics workspace


Create sample AIP Labels 


Log in to a client machine that has the AIP client installed

The AIP client can be downloaded from here

Classify a few sample documents and emails

Navigate to the Analytics section and validate the user activity with respect to labeling
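The portal reports are built on the same workspace data, which can also be queried directly. The block below is an added example, not code from the original post: it runs two KQL queries against the Log Analytics workspace through the Az.OperationalInsights module, one for the activity report (labeling actions per user and label) and one that isolates label downgrades, the action a reviewer most wants to see. The workspace id is a placeholder, and the table name InformationProtectionLogs_CL and its column names are assumptions based on the AIP analytics schema.

```powershell
# Added example (not from the original post): query AIP analytics data in the
# Log Analytics workspace with KQL. Assumptions: table InformationProtectionLogs_CL
# with columns Activity_s, LabelName_s, UserId_s, ObjectId_s, ApplicationName_s,
# MachineName_s; the workspace id is a placeholder.
Import-Module Az.Accounts, Az.OperationalInsights
Connect-AzAccount | Out-Null
$workspaceId = "00000000-0000-0000-0000-000000000000"   # placeholder workspace (customer) id

# Activity report: labeling actions per user, label and action in the last 7 days
$kqlActivity = @"
InformationProtectionLogs_CL
| where TimeGenerated > ago(7d)
| where Activity_s in ("NewLabel", "Upgrade", "Downgrade", "Remove")
| summarize Actions = count() by UserId_s, LabelName_s, Activity_s
| order by Actions desc
"@
$activity = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kqlActivity
"--- labeling actions, last 7 days ---"
$activity.Results | Format-Table UserId_s, LabelName_s, Activity_s, Actions -AutoSize

# Downgrades: who lowered a label, on which file, from which application and device.
# A downgrade removes or weakens protection, so it is the action worth reviewing.
$kqlDowngrade = @"
InformationProtectionLogs_CL
| where TimeGenerated > ago(30d) and Activity_s == "Downgrade"
| project TimeGenerated, UserId_s, ObjectId_s, LabelName_s, ApplicationName_s, MachineName_s
| order by TimeGenerated desc
"@
$downgrades = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kqlDowngrade
"--- label downgrades, last 30 days ---"
$downgrades.Results | Format-Table -AutoSize
```

Running the queries from a script rather than the portal makes it straightforward to schedule them and to turn the downgrade query into an alert rule in Azure Monitor, which is how the "visibility" the post describes becomes an actual detection.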


Hence, these analytics help us get granular details of user and device activity for classification and protection.