What is MIP? (Microsoft Information Protection)

-

I think most of us who have been working with Microsoft cloud (Azure) have heard about MIP, but not everyone knows what it is, because this question comes up more often than one should think, based on how much information has been released about it since last Ignite. Some have asked me if MIP is just AIP (Azure Information Protection) renamed, but this is not the case. 



I heard the MIP abbreviation for the first time in last years Ignite. A lot of great presentations about information security/protection news and changes were presented, and the term MIP was used in many of them. I also saw the illustration below for the first time then, and I think it is pretty cool. it presents all the different features/possibilities that belongs under the "MIP umbrella". 



In many ways it describes what MIP is much better than what I am able to do, but as you all can see, AIP is in there, so are many other well-known features, like Office 365 Message Encryption (OME), Office 365 Data Loss Prevention and Windows Information Protection (WIP). So let’s look through them all, and see if we can’t explain a little bit closer what they all are.

Azure Information Protection
For those of you who are reading my blog you probably know very well what AIP is, but to sum it up it is a way to gain control of your information no matter where it is or who has access to it. Depending on how you have configured it you can choose to classify your information, and at the same time (if you want) you can encrypt the information and thereby control sharing of it, and even revoke access to the information you have protected and then shared.  

Microsoft Cloud App Security
Another well known security feature that Microsoft have given us lately. More and more people are “implementing” it every day, and if you have the license for it, you should. MCAS is more than one thing. It gives us an overview of what is going on in our cloud organization, enabling us to take action (automatically or manually) when something threatening is happening. This can for instance be when someone in our organization are sharing sensitive information with people on the outside of our organization.  

Office 365 Data Loss Prevention
Stolen from my own blog post (Setup office 365 DLP rules for Exchange) DLP, or Data Loss Prevention is a term for software created to prevent, detect and react to data breaches. If you think that sounds kind of non-specific and that it doesn’t really explain anything, you are right. A lot of different software types detect and react to data breaches. Or try to prevent it. Antivirus and anti-malware can do some of it. A firewall as well. But DLP is not designed to prevent people from gaining access to our network, or spreading malware in our systems, it is designed to identify and protect our sensitive information across many locations and stop it from leaving our organization.

Office 365 Message Encryption
OME allows us to send encrypted mail and it works with Outlook.com, Yahoo!, Gmail, and other email services. Email message encryption helps ensure that only intended recipients can view message content.

Windows Information Protection
In my experience WIP is less used then it should be. It makes it possible to separate your work data from personal data on one PC. You can also make it work with AIP labels or Office 365 Sensitivity labels, and for instance prohibit the user from taking a work document and putting it in a non-work system. (for instance, Gmail, twitter etc.) You will need a management solution for WIP to work, like Intune or SCCM.

Office 365 Advanced Data Governance
One of the less known features in my experience. Office 365 Advanced Data Governance also can use labels, and, in a way, it can be seen as quite close to AIP/Sensitivity labels, where we also can manage data based on content. With Advanced Data Governance however, we do not work with sensitivity or encryption, but governance, for instance how long we want to retain data or when I want to delete them etc.

Conditional Access
Conditional Access allows us to give (or deny) access based on certain conditions. Those conditions can be sign-in risk, network location (is the user in one of our networks or outside?), is he/she using a device that we manage or a BYOD etc. that the user needs to use Multi-Factor Authentication (MFA) if he/she is outside of the office, but it can also be used with AIP (Azure Information Protection) to allow or block access to AIP protected documents or enforce additional security requirements such as Multi-Factor Authentication (MFA) or device enrollment based on the device, location or risk score of users trying to access sensitive documents.

Office Apps
This one is a bit weird. Office Apps is not a part of MIP the way I see it, but the use of labels and protection (Azure Information Protection (AIP) or Sensitivity labels in Office 365) is. So Office Apps have MIP integrations either through the AIP client (AIP client or AIP unified labeling client) or Office 365 Message Encryption etc.

SharePoint and Groups
Well, SharePoint and Groups is not part of MIP, but MIP functionality is being implemented. Protecting SharePoint Online is not new. We have been able to use Information Rights Management (IRM) in SharePoint Online for a long time and protect (Encrypt) files in libraries and lists. This is also (as AIP/Sensitivity labels and Office 365 Message Encryption) using the encryption options in Azure RMS, but this is evolving and will be better now. This is one of the functionalities that are being worked on these days. So far, I have not been able to use sensitivity labels on libraries and lists, but I know it is coming.

Azure Security Center Information Protection
I've not seen or worked with this at all, but as Microsoft says, we can classify & label sensitive structured data in Azure SQL, SQL Server and other Azure repositories. It makes it possible to automatically discover sensitive data and label them, and in that way protecting and preventing access to highly sensitive data in SQL.

SDK for partner Ecosystem & ISVs
First of all, for those of you that do not know the term ISV, that means: independent software vendor (ISV). By this we mean a company not affiliated with Microsoft that builds solutions/develops software. The Software Development Kit (SDK) for Azure Information Protection makes it possible to use the possibilities in AIP and create our own solutions for it.
Interestingly enough Microsoft seems to have changed the name from Azure Information Protection SDK to Microsoft Information Protection SDK. (Setup and configure MIP SDK)

Comments

Post a Comment

Popular posts from this blog

Do not Forward and the protection of attachments

-
Image
Maybe I am the only one who has misunderstood this, but if not, this may be useful for you. I've been wrong about this for a while, and since it is not a feature we have used, I didn't really look into it until today. I always thought that using Do not Forward in a label would make sure attachments where given the same DNF rights.  Unfortunately I was shown the error of my ways by one of my customers today, when I answered (with some confidence) that, yes: Attachments get the same protection. He then replied that he was able to do all kinds of things with the attachment, and I started to look into it more closely. Microsoft has many great articles about protecting information, and this article is no exception. I guess you just have to read it carefully. They say:  “When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be authenticated. Then, the recipients cannot forward it, print it, or copy from it . For example, in the Outlook cli
Read more

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label

-
Image
Do not Forward and Encrypt Only can be found in Outlook by default for all who uses Office 365 E3 or equivalent/higher. And as many know, they can also be used in a Sensitivity label. But what are the consequenses of using these, instead of creating our own encryption settings within the label? This is what we will be looking at today.  As many know, we can use these two in Outlook, as long as we have the proper license. They are well hidden away under Options, and can look a little like this:    EO and DNF in Outlook.  I've covered these in earlier blogposts , but lets just quickly go through them again here: " Encrypt/Encrypt-Only " option makes sure the email is encrypted and recipients must be authenticated, but then they have all usage rights except Save As, Export and Full Control (Basically means no restriction except that they cannot remove the protection). When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be au
Read more