
Dynamic enforcement of protection controls to different recipients with Azure Information protection

In any data protection service, end-user adoption is imperative for meeting the organization's compliance goals. This makes it essential to have a solution or service that does not disturb the end-user workflow and that gives us a rich set of automated controls enforced by the rights management service.

Automatically enforcing policy controls on sensitive information in documents and emails gives complete control over the data being shared with different recipients, because the controls are applied on the fly without the user's interaction and therefore without interfering with the user's productivity.

That said, a little effort is needed before enabling these policies: gather information on the type of restrictions the organization intends to enforce on other domains and partners.

Business use case: an email and its attachment are sensitive to the organization. They are sent to different recipients (listed below), and we have to mitigate the risk of data leakage.

1. Same department within the organization – HR as an example

2. External domains – Gmail

3. Different department within the organization – Finance as an example

4. Any other domain/user which is not part of the above three – Yahoo as an example

Now, my rights management service should not interfere with the user's workflow, and it should apply protection differently for different recipients. When the document and email are received by a user in the same department, he/she should have full control (read, write, print, reply, forward). When received by a user in a different department of the same organization, he/she should have limited controls (read, print, save). When received by external parties/vendors who use Gmail, he/she should have all controls except print and save. When received by Yahoo users, he/she should not be authorized to open the email/content at all.

All these controls have to be applied on the fly without the sender's interaction, which minimizes the user-adoption challenges of a rights management service. Ideally, the controls should be applied automatically as per the table below.

Now, let's get started by configuring policies in the Azure portal. I am not going into detail on creating labels and enabling them with protection; if you want to know how to reach this step, check my previous blog.

So, basically, I am defining controls and permissions for the different recipients and mapping them to the label "Confidential". I am granting access permissions to the HR group, the Finance group and the Gmail domain. So, if I send an email to any other user in my organization apart from HR and Finance, or to any external domain apart from Gmail, the rights management service will not authorize them.
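The same recipient-to-permission model, expressed as a protection template with the AIPService PowerShell module instead of the portal, as an added example that is not part of the original post. The group addresses and the contoso.com tenant are placeholders; mapping the post's "save" to the EXPORT right and passing a bare domain name to -EmailAddress are my assumptions.

```powershell
# Added example (not from the post): build the four-tier recipient model as an
# AIP protection template. Assumes the AIPService module is installed and the
# account running this is an AIP administrator.
Import-Module AIPService
Connect-AipService

# Usage rights are the RMS right names (VIEW, EDIT, DOCEDIT, PRINT, EXTRACT, EXPORT,
# REPLY, REPLYALL, FORWARD, OWNER). "Save" -> EXPORT is an assumption on my part.

# 1. Same department (HR group, placeholder address): full control
$hr = New-AipServiceRightsDefinition -EmailAddress "hr@contoso.com" -Rights "OWNER"

# 2. Different department (Finance group, placeholder address): read, print, save only
$finance = New-AipServiceRightsDefinition -EmailAddress "finance@contoso.com" `
    -Rights "VIEW", "PRINT", "EXPORT"

# 3. External partner domain (Gmail): everything except print and save.
#    Granting to a whole domain by name is assumed to work the same way it does in the portal.
$gmail = New-AipServiceRightsDefinition -EmailAddress "gmail.com" `
    -Rights "VIEW", "EDIT", "DOCEDIT", "REPLY", "REPLYALL", "FORWARD"

# 4. Everyone else (Yahoo in the post): deliberately no entry. Rights definitions are an
#    allow list, so an unlisted recipient is refused a use licence and cannot open the content.

$names = @{}; $names[1033] = "Confidential - recipient scoped"
$descriptions = @{}; $descriptions[1033] = "HR full control; Finance view/print/save; gmail.com no print/save; others denied"

# Assumed to return the new template object carrying its TemplateId
$template = Add-AipServiceTemplate -Names $names -Descriptions $descriptions `
    -RightsDefinitions $hr, $finance, $gmail -LicenseValidityDuration 7 -Status Published

# Verification: read the rights back and confirm only the intended principals are granted,
# so nothing broader than the three allow-listed recipients slipped into the template.
$granted = (Get-AipServiceTemplateProperty -TemplateId $template.TemplateId -RightsDefinitions).RightsDefinitions
$granted | Format-Table EmailAddress, Rights -AutoSize

$expected = "hr@contoso.com", "finance@contoso.com", "gmail.com"
$unexpected = $granted | Where-Object { $expected -notcontains $_.EmailAddress }
if ($unexpected) {
    Write-Warning "Template grants rights to unintended principals: $($unexpected.EmailAddress -join ', ')"
}
```

The published template can then be selected as the protection setting of the "Confidential" label, giving the same on-the-fly behaviour the portal configuration above produces.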

Now, let me classify a PDF as Confidential. I intentionally took a PDF file instead of an MS Office document because I want to check its native rights management capabilities.

As PDF does not support native labelling in AIP, I selected the file and manually chose Classify and protect.

I selected the label Confidential so that the protection controls are applied to the PDF file.

Now, I am attaching this PDF to an email which is also classified as Confidential (for the email's own protection controls), sending it to the HR and Finance departments within my organization, and to Yahoo and Gmail recipients who are external to my organization.

Now let's check whether the policies are applied automatically on the fly, and differently for the different recipients.

First, let me compare the users within the organization: HR and Finance.

Email restrictions:

Document Restrictions:

I intentionally took a PDF as a reference to show you that it prompts for the AIP viewer to consume the protected file. As expected, it asks us to download the Microsoft Azure Information Protection viewer application. It can be downloaded from the Play Store for Android and the App Store for iOS.

For desktop clients, the AIP agent can be downloaded from here.

After installing the AIP viewer, try opening the PDF with it.

Now, let's compare the email and document permissions for Gmail and Yahoo recipients.