The user-friendly Information Protection blog post.

The other day I had a thought: How about a blog post about Information Protection for people who are completely new to it? I sometimes hear that one of the things people like about blogs is that they take complicated information and makes it easier to understand and that has always been my ambition with this blog. I’m not claiming to have done that, but points for trying right? 

So, in this post we will take a look at Information Protection today, but also the changes we have seen in the last few years.

But I had plans tomorrow! (Photo: Pixabay)

I think most of you will agree with me on this: Sharing information has become considerably easier over the years, but at the same time, methods to secure the sharing of this information has become more important. When we no longer store our data on hard drives in separate data centers, but on Drobox, OneDrive, etc., the old security solutions will no longer work. We can lock the server room and servers as much as possible, but it does not help when the data is located everywhere else. We need solutions that safeguard the data wherever they are now that the cloud has given us all these storage locations and sharing methods. In this post I will use the Rights Management Service (RMS) and Azure Information Protection (AIP) in a way that might seem confusing to some, but just remember that Rights Management is the protection part of AIP. 

For information about what you may need to get started with AIP, you can read this post: 

How to protect data that is stored in many different places?

So, which possibilities do we have for securing information when it resides outside our own data center and our own solutions? Well, there are many. Microsoft (which is what we concentrate on here) has Rights Management (it exists as a part of the Azure Information Protection package now). It (AD RMS as it was called at the time) came as part of Windows Server 2003, and provided the ability to add a powerful encryption to the data, thus preventing anyone but the users in their own Active Directory, (or any other Active Directory with whom they had full trust), to read information. Helpful, but even more useful when Microsoft decided to “move” the service to Azure with the benefits it entailed. (e.g., the ability to exchange secure data with others who had an account in Azure AD, and not just organizations you had an explicit trust with).
Rights management moved to the cloud (Photo:

When this happened, Rights Management Service (RMS) started getting more traction and this happened pretty much at the same time as people started to get used to a new information world, where the data flowed freer and was available from many more platforms.


Bring your own Device was being  more and more utilized by organizations (sometimes by choice, sometimes by chance) which had positive results, but it also had serious consequences. Services like Intune and Airwatch helped companies getting back control, but more of the devices and services in their organization and less with the information itself. One example of the challenges that came with this newfound freedom had to do with that. The storing and sharing information. 

With the new BYOD workplace, a complete loss of control came to those who opened up, but retained old administration solutions. But they where not alone. Even companies that hadn’t officially done anything towards migrating to the cloud saw that their information ended up in users personal OneDrives, on USB drives, on Dropbox and many other places.

Chaos (Photo: Pixabay)

This is where rights management really shines. The way Azure RMS not only had the ability to protect our content, but also follow the secure data from then on, no matter where it went or who got access to it. With this control RMS could not only follow the information through it’s entire life cycle, but it could remove access to any user who got his/her hands on the information from that point. 

Let’s get technical (just a little).

I see everything (Photo: Pixabay)

So how does RMS/AIP do this you ask? To simplify it: Rights Management applies heavy encryption to the data, and the access rights are handled by Azure AD. This means that when information is protected with RMS (and later Azure Information Protection), people who wanted to read the information had to verify their identity with Azure AD. That means that we, when we protect data, can specify with what frequency users should verify their identity from every time they open a document, to occasionally. See how that can be very useful? If we protect data saying that users will have to verify their identity every time they open content, we also gain the possibility to instantly revoke access. 

Our new hero in a BYOD world: Azure Information Protection (AIP)

The name Azure Information Protection came in 2016, when Microsoft acquired an Israeli company called Secure Islands. They integrated Secure Islands' solutions together with their RMS solution and thus expanded the functionality to apply more than encryption. Now it was possible to classify and label the information, with or without protection. Why is this important? Well, knowing what data you have is important. Especially with regulations like GDPR and more that demands we have control of user data. When we know what data we have, we classify it (this is sensitive, this is not) and then label the information accordingly (this information is sensitive, and we therefore give it a label called sensitive for instance) we gain a completely new control. It also means that when our data is labeled, and the label has protection (RMS) we can track it, and if needed we can remove access to the content when we see that it is in places it shouldn’t be, or accessed by people who shouldn’t have access. (Know that the track and revoke feature is currently (as of 09.19) not available on the AIPv2 client/Unified labeling client).

GDPR (Photo: Pixabay)
2016 is also (for those who are interested in such things) shortly before stressed business owners and information workers began mumbling things like GDRP in the hallways. EU had begun to warn us that in 2018, this regulation would take effect. This was good news for AIP, since it had more functionality than the features we discussed earlier in the article. AIP also had a scan engine that could be connected to our local systems (like file servers and SharePoint installations) and search for sensitive information. In the GDPR context, this could mean that one could search through our storage looking for files that could be affected by the regulations. Practical, right?

AIP is not for all kinds of storage (Photo: Pixabay)

Microsoft has worked hard on their information protection, and over time, AIP has been integrated with other Microsoft cloud solutions such as Office 365 Data Loss Prevention and Cloud App security so that information stored in different cloud storage solutions, (SharePoint Online, Exchange Online and others) can be secured with the same security policies as in AIP. 

I know this sounds great, but there is something I have to mention. The elephant in the room if you will. Allthough much of this great functionality is included in AIP P1 license (or Enterprise Mobility + Security E3), some of the really great stuff, like the automatic behavior in e-mail/documents and with the AIP scanner, CloudApp security and more are AIP P2 features (Or EM+S E5 if you will). That means that to get all of this you will need to invest in the more expensive license. But the good news is that you do not need P2/E5 for  all your users. You have the ability to mix and match. Often you will have a subset of users that require more security than the rest. It can be your HR department, or legal, or any group of users working with extra sensitive information. You then have the opportunity to give those the E5/P2 license, while the rest uses E3/P1.

With E5 you can get automatic protection / suggestion of security based on content. (Photo:

So, what we have here is a solution that can:

1. Secure our information, wherever it is located and who has access to it.
2. Give us a better overview of the sensitive data we have, both on-premises and in the cloud.
3. Let users manually, or automatically apply, information security so that it can only be read by those who should be allowed to read it.

To find out more about AIP and other information security from Microsoft, you can read more here:   


Post a Comment

Popular posts from this blog

Do not Forward and the protection of attachments

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label