ADMIN
Tools Azure Information Protection Lead image: Lead Image © Aleksey Mnogosmyslov, 123RF.com
Lead Image © Aleksey Mnogosmyslov, 123RF.com
 

Protecting documents with Azure Information Protection

Classified

Azure Information Protection helps businesses control how information in communications between employees is handled. By Klaus Bierschenk

Employees communicate with different people on many levels, ranging from the boss, through the intern, to external service providers. Ideally, not every email or document should be accessible to everyone. Azure Information Protection (AIP) is a cloud-based solution for classifying, identifying, and protecting documents and email. The administrator determines whether this is done manually by the user, automatically, or with a combination of both methods.

Microsoft uses Rights Management Services (RMS) technology to protect documents, which has been around a few years under the Active Directory (AD) RMS short form. Compared with this on-premises version, the advantage of AIP is that no complex server infrastructure is required; instead, Microsoft takes care of the public key infrastructure (PKI) certificates and the servers.

With AIP, you can be up and running as quickly as with AD RMS, including support for mobile devices. In some areas, the feature set goes even further: Templates for departments, for example, help limit the group of users, as does the option of tracking documents and locking them if necessary.

Meshing with Azure AD

To try AIP, you need an Office 365 subscription that includes AIP. If you already have a subscription, see the Azure documentation when you compare the different options [1] to find out which subscription or plan is available and what you need to do. From here, you can purchase a trial subscription directly or extend your existing subscription if you are already a customer of Microsoft's cloud. In both cases, you can test AIP for 90 days.

Each user must be assigned a license from the selected subscription in Office 365. How these users in the cloud access Azure AD – the location for Office 365 user and group identities – does not matter. The most direct way is to use Azure AD Connect to synchronize your on-premises AD with the AD in the cloud, especially if you are using "scoped policies," which can be activated using group memberships; thus, a central AD that sends all changes into the cloud makes sense so that users can be managed centrally in the local AD. Otherwise, it would be necessary to maintain users and groups in parallel in Azure AD, which would result in increased overhead.

The use of information protection is rounded off by integration into end users' workflows. For this purpose, Microsoft provides an AIP client that integrates seamlessly into the Microsoft Office suite and slots into the Office products' menus. Additionally, the client extends the context menu in File Explorer to protect or classify individual files (Figure 1). AIP supports the current Windows and Office versions. If you need special information (e.g., which ports need to be open on the firewall), you can find this information on TechNet [2]. Users outside the company network who do not have a Microsoft account need to register their email addresses with RMS for Individuals, a free self-service subscription for the authentication of user accounts that are not located in Microsoft's cloud cosmos that allows access to files that have been protected by AIP.

With AIP, documents can be protected directly with an Office add-on.
Figure 1: With AIP, documents can be protected directly with an Office add-on.

Quick Start

AIP can be deployed in several ways: through the classic Azure portal, with PowerShell, or from the Office 365 admin center. Unfortunately, the classic Azure portal exists in parallel to the new Azure portal, and the setting options overlap here and there. This problem is confusing and not transparent to newcomers. Therefore, it is best to avoid using the old portal, which should not be a big problem with AIP, because templates can be managed, for example, with PowerShell. Microsoft itself recommends using the new portal at portal.azure.com. As an admin you are then always certain to find the newest functions.

If you decide to activate AIP in the Office 365 admin center, you will find it in the Services & add-ins settings. Before using AIP in the new Azure portal, you also need to activate it there. You will find AIP under New | Security + Identity. From there you are taken directly to the AIP central admin page. When you get there, you can edit the policies and define what happens when dealing with email and documents on mobile devices.

Finally, you need the previously mentioned AIP client. The setup after downloading [3] is largely unspectacular. Besides the setup executable, an MSI package, which is suitable for software distribution, also is included in the download. Run the AIP client setup, ignoring the ability to create a local policy, which would be overwritten by centrally defined policies from the Azure portal. The portal contains two standard templates and some descriptions that can be used for illustration purposes and adapted if necessary. However, before you change things here, the strategy should be clear in advance as to which levels of protection or classification make sense for your own IT landscape.

Classification Strategy

With AIP, nothing is set in stone, and subsequent adjustments are possible at any time. Nevertheless, it makes sense to prepare a roadmap for the implementation in advance that takes into account the business processes or departmental structures. Document protection at the departmental level makes sense in many cases, so it is best to familiarize yourself with the default policy, which provides illustrative material for your own ideas and can be adapted to your needs.

For a description of the initial settings, see the Microsoft documentation [4] and roadmap [5] for AIP, which provide information that can be helpful when choosing a strategy. In general, AIP is based on terms that contain certain rules. You can see them on the Azure portal on the AIP homepage.

High Degree of Automation

AIP is very practical thanks to two elements that offer a great variety for daily use. On the one hand, scoped policies are only applied to the client if either the user is entered directly in the policy or is a member of an AD group contained there. Other users will not even see the policy's name. The only condition is that the group or user account has an email address in its properties.

The second guarantee of high practicality is the ability to classify documents automatically on the basis of document content, in addition to the manual procedure. The result could be a simple label (e.g., a watermark in a Word document or a header or footer) and can be done automatically if certain character strings appear in the document. If desired, documents can also be encrypted in this context.

In a practical example, it works as follows: Assume you are an administrator and are writing instructions for server installations, in which you might need to document passwords. In this case, the document should have a header that indicates the confidential content, and access to the document should be protected. Because this is a special policy, another requirement is that only administrators should see it.

Creating User Policies

To create user policies, first open the AIP administration page in the Azure portal and create a scoped policy by assigning it a name and selecting Add a new policy. The difference from a default policy is that you can specify a group or user object for which this policy and the terms it contains apply – a kind of filter. For example, you could use an AD group named ROL-Cust-ITAdmins, which is maintained in the local AD and synchronized with Office 365 using AD Connect.

It would be a bit more complicated to manage users and groups directly in Azure AD. In this case, and for the policy, it does not matter where the group comes from; it is only important that an email address is entered in the properties. The scoped policy allows users to see all the terms from this policy on their end devices. What is still missing is a designation within the directive that defines in detail what is to be done. To stick to the example, specify that the document should have a header and activate protection; then, enter two conditions that search for the strings "password" or "confidential" in the text. If these are found when processing documents later, the security settings are applied.

Now you just have to publish the directive. The new terms are displayed at the next update interval on the mobile device or when an Office application starts. The first time a user saves a document that fulfils these conditions, a note indicating the actions taken is displayed. Depending on how the designation is configured, the user has the choice to apply the policy, or it is automatically enabled without the user's intervention. This is a simple example of how AIP works.

One great feature of such policies is that no matter in which Office product the user typed the password string, it is always recognized, and the actions defined in the policy are applied. The client does not distinguish between a PowerPoint presentation or Excel spreadsheet. If you have created confidential files with an application for which there is no AIP client, you can select the file with a right-click in File Explorer and assign a designation from the context menu using the Classify and protect command. If you do this for a folder, all files in it are given the new designation. If the folder already contains classified files, a stricter setting will apply to all files without feedback.

If the protection is weakened, the AIP client alerts you and lets you skip individual files. If you copy files into the folder later on, these files remain unchanged and are not classified automatically. This is different from the familiar process of inheriting rights in the filesystem. It should also be noted that only one designation is used for email and documents. The exception would be if a subordinate designation exists, which you should indicate by using characteristics such as the header; otherwise, it quickly becomes unclear.

Logging On to the AIP Client

The AIP client complements the Office applications with a snap-in. At first launch, the snap-in is initialized and the user needs to enter their login information just once. AIP remembers the login details and acts in this context from that point on, and the policies and designations that are relevant for the user are displayed in the toolbar. Unfortunately, it is not possible to log off and back on to the Microsoft cloud from an Office application. Also, the AIP client does not contain any software that can be called to change the user context.

For example, if the administrator has to work with other user information for test purposes, the TokenCache value under HKEY_CURRENT_USER\Software\Microsoft\MSIP first needs to be removed from the registry. This does not mean the content of the character string; instead, the entire word can be deleted. When the snap-in is initialized at the next launch, the client prompts for login information again and creates TokenCache once again.

Management with PowerShell

As is so often the case with Microsoft products, AIP can only offer its latest possibilities in combination with PowerShell. The AzureInformationProtection PowerShell module needs to be installed on the client with the AIP client. The following command displays all the cmdlets from the module:

> Get-Command -Module AzureInformationProtection

The list contains useful cmdlets for classifying multiple files or discovering the status of individual files, even without a mouse. However, these are more like cmdlets for the end user. The administrator will not find anything here for administrative work from the command line. The AADRM PowerShell module [6] is available for this purpose. Before you get started, you need to connect the PowerShell session to AIP using the

Connect-AadrmService

cmdlet (Figure 2). Without parameters, the browser opens, and you can log on with a Microsoft account. It is possible to pass in a PSCredential object as a parameter (e.g., to avoid entering a username and password as a result of script processing). To do this, the password is entered at the beginning, and the PSCredential object is generated and used later.

The AADRM PowerShell module allows the administrator to work from the command line.
Figure 2: The AADRM PowerShell module allows the administrator to work from the command line.

It is highly recommended that you explore the possibilities of the AADRM cmdlets, because essential settings have unfortunately not yet found their way into the GUI portal. For example, you can activate and maintain the superuser list. Members of this list are able to decrypt files encrypted by users if an employee has left the company, for example. Files for which an end date has been defined for access can also be opened after the end date by administrators included in the superuser list. The

Enable-AadrmSuperUserFeature

cmdlet enables this functionality. To extend the list of superusers, use the command:

> Add-AadrmSuperUser -EmailAddress "christa@kbcorp.de"

It is advisable to practice the working methods and the possibilities of the superuser extensively so that you do not experience any surprises in an emergency and are always in control. Encryption can become a problem, and the loss of sensitive data hurts if it can no longer be decrypted.

Tracking Access

Microsoft offers a web page to help you track who accessed protected documents and when. The end user can access this from track.azurerms.com or even more easily by opening the Protect | Track and Revoke icon in this menu from an Office application via the AIP client. Users now have a variety of options for dealing with the documents they protected. It is irrelevant whether they emailed the documents or whether third-party access has taken place from services released on the Internet.

The page is used to check who has opened files, what access was denied, and at what time access to files occurred if the procedure for access to documents and email was defined in the protection settings of a designation. One interesting function here is that email notifications can be used to let the user know of certain events (e.g., when someone tries to open a file without authorization). The ability to export all the file and status information to a CSV file rounds off the functions of the tracking page.

Locksmith Service Included

By default, Microsoft manages the private key used to protect the data. This default configuration is also known as Managed by Microsoft and is sufficient in most cases. Additionally, the user can create the key and manage it themselves in a Hardware Security Module (HSM) within Azure Key Vault.

Another option in this context is the HYOK option (hold your own key), wherein the key is isolated from the cloud. The customer also manages the key, but in their own HSM on-premises. This option might be necessary for particularly sensitive information (e.g., because of legal regulations). You should check in advance which variant makes sense or is necessary. Commissioning AIP will be somewhat more complex in this case. Also consider that the costs will be higher if you deviate from the standard configuration.

Conclusions

Azure Information Protection's snap-in integrates seamlessly with Office products and is robust even when faced with frequent policy changes. The administrator and corporate security have to consider which document protection workflows ultimately make sense. The modular structure of AIP meets many requirements. If you are already using AD RMS, Microsoft offers a fast migration path to AIP [7].