How to Protect Office 365 by Classifying Your Data with Microsoft’s AIP Labels

Azure Information Protection labels, or AIP labels, can be created and applied to documents and emails. These labels classify content based on what the data is and how sensitive it is. The approach is extremely powerful when properly implemented, because the protection travels with the data even after it leaves your environment (if the label allows it to leave at all). In this post, I’ll walk through setting up Azure Information Protection to use labels to classify and protect your content.

Supported File Types

Below is a list of file types supported by AIP:

  • Adobe Portable Document Format: .pdf
  • Microsoft Visio: .vsdx, .vsdm, .vssx, .vssm, .vsd, .vdw, .vst
  • Microsoft Project: .mpp, .mpt
  • Microsoft Publisher: .pub
  • Microsoft Office 97, Office 2010, Office 2003: .xls, .xlt, .doc, .dot, .ppt, .pps, .pot
  • Microsoft XPS: .xps .oxps
  • Images: .jpg, .jpe, .jpeg, .jif, .jfif, .jfi, .png, .tif, .tiff
  • Autodesk Design Review 2013: .dwfx
  • Adobe Photoshop: .psd
  • Digital Negative: .dng

Prerequisites

1. You must have an Azure Information Protection license in order to use the service. Different AIP licenses give you access to different features underneath the AIP umbrella. AIP can be purchased either standalone or through one of several O365 license suites/programs.

A brief overview of the plans:

Free Azure Information Protection:

  • Self-service subscription for users in an organization who have been sent sensitive files protected by Azure Information Protection, but who can’t be authenticated because their IT department does not manage an account for them in Azure (for example, the IT department doesn’t have Office 365 or use Azure services). Price: Free

Azure Information Protection for O365:

  • Microsoft Azure Information Protection is included in the Office 365 Enterprise E3 and above plans.

Azure Information Protection Premium Plan 1:

  • Provides additional rights to use the on-premises connectors, track and revoke shared documents, and enable users to manually classify and label documents. Price: $2

Azure Information Protection Premium Plan 2:

  • Builds on Azure Information Protection Premium P1 with automated and recommended classification, labeling, and protection, with policy-based rules and Hold Your Own Key (HYOK) configurations that span Azure Rights Management and Active Directory Rights Management. Price: $5
    • Note: Also part of Enterprise Mobility + Security E5 and Microsoft 365 E5

2. You must install the Azure Information Protection client on your desktop as well as any endpoints you wish to protect. Link to downloads: Link

Labels

With AIP, a classification label is used to identify and protect the sensitive content that matters to your business. Admins and users may use out-of-the-box or customized labels and apply them to a document either manually or automatically (automated labeling requires AIP Plan 2). For this example, I will walk through the process of setting up AIP to label documents containing credit card information.

Creating a Label

1. Navigate to the Azure Information Protection pane from within the Azure Portal.

2. Underneath ‘Classifications’ select Label -> Add a new label.

3. Name your label and give it an appropriate description.

4. Protection: Configure access and protection options for the label.

  • Choose what users can access content with this label (and what level of access they have)
  • Set an expiration date
  • Configure offline access

5. Set visual marking (optional)

  • When enabled, this option applies a header, footer and/or watermark to labeled documents.

6. Configure conditions for automatically applying this label (requires AIP Plan 2 or greater).

  • Choose one of the default Information Types that matches what you are looking for; for this example I chose Credit Card Numbers.
  • If none of the default Information Types suit your requirements, create a custom Information Type by clicking on ‘Custom’. Here you have options to add a phrase, keyword or regular expression that reflects the type of information you want to classify.

Applying a Label

Here I’ve got a Word document which contains some fake credit card numbers; notice that there is a recommendation that we label the document as ‘Credit Cards’.

AIP is flexible in that you can choose to have these labels applied automatically or only recommended automatically. Without automation, users must manually choose the label that applies to the content of the document. Although this leaves room for human error, it may be preferred in order to avoid false positives.

If you have labels that are responsible for classifying highly sensitive information, you may want those labels to apply automatically, but be wary: labels prone to false positives will cause frustration for end users.
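As an added example (it is not code from this post and not Microsoft’s detection engine), the Python below shows the kind of logic a custom Information Type approximates, and why the auto-apply versus recommend choice above matters. A regular expression finds 16-digit candidates, a Luhn checksum and a supporting-keyword proximity check grade each hit, and the label decision is ‘apply’ only when a candidate reaches the configured confidence, ‘recommend’ for a checksum-valid hit without context, and nothing for regex-only hits. The keyword list, the 40-character window and the confidence tiers are assumptions that go beyond what the portal exposes; the sample text and card numbers are constructed test values.

```python
"""Added example: grade credit-card-number candidates the way a custom
Information Type plus a confidence/proximity rule would, then decide between
automatically applying a label and only recommending it. Not Microsoft code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Simplified stand-in for the regular expression typed into a custom
# Information Type: 16 digits with optional single space/dash separators.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")

# Assumed supporting keywords and proximity window; the portal offers no
# proximity or confidence settings, so this is added logic, not AIP's.
KEYWORD_RE = re.compile(r"\b(?:card|credit|visa|mastercard|amex|cvv)\b")
PROXIMITY_CHARS = 40

CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed sample standing in for the Word document in the post. The
# numbers are well-known test values, not real accounts.
SAMPLE_TEXT = """Invoice 2026-0031 (constructed sample)
Billing card: 4111 1111 1111 1111, exp 12/26
Order ref: 1234-5678-9012-3456
Warehouse slot 5500000000000004 assigned to building B
Support line 8005551234567890
"""


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, fold > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Candidate:
    digits: str
    luhn_ok: bool
    keyword_nearby: bool

    @property
    def confidence(self) -> str:
        # Regex hit alone is "low"; checksum adds "medium"; context adds "high".
        if self.luhn_ok and self.keyword_nearby:
            return "high"
        if self.luhn_ok:
            return "medium"
        return "low"


def find_card_candidates(text: str) -> list[Candidate]:
    """Regex hits graded by checksum and by a supporting keyword nearby."""
    lowered = text.lower()
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        window = lowered[max(0, m.start() - PROXIMITY_CHARS): m.end() + PROXIMITY_CHARS]
        found.append(Candidate(digits, luhn_valid(digits), bool(KEYWORD_RE.search(window))))
    return found


def label_decision(text: str, auto_apply_at: str = "high") -> tuple[str, list[Candidate]]:
    """'apply' once any candidate reaches auto_apply_at, 'recommend' when a
    checksum-valid candidate exists, else 'none' (regex-only hits that fail
    Luhn are exactly the false positives that frustrate end users)."""
    found = find_card_candidates(text)
    best = max((CONFIDENCE_RANK[c.confidence] for c in found), default=-1)
    if best >= CONFIDENCE_RANK[auto_apply_at]:
        return "apply", found
    if best >= CONFIDENCE_RANK["medium"]:
        return "recommend", found
    return "none", found


if __name__ == "__main__":
    decision, found = label_decision(SAMPLE_TEXT)
    for c in found:
        print(f"{c.digits}: luhn={c.luhn_ok} keyword={c.keyword_nearby} -> {c.confidence}")
    print("Credit Cards label:", decision)
```

On the constructed sample, the regex alone reports four hits; the checksum rejects two of them, and only the number sitting next to “card” is graded high enough to auto-apply. Lowering `auto_apply_at` to "medium" would auto-label on the context-free hit as well, which is the trade-off between coverage and false positives that the choice of mode in the portal makes.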

Conclusions

While there are some gaps that cannot be ignored, Azure Information Protection is a powerful tool that can genuinely help you protect your data.

Pros:

  • Protection travels with the document, giving you control over who can access it no matter where it goes.
  • Easy to set up
  • Automated capabilities help to label files in bulk

Cons:

  • Limited capabilities for automated discovery of files. It seems label policies only get applied when a file is interacted with, leaving data at rest vulnerable.
  • No options for configuring character proximity or confidence level when creating Information Type criteria.

Learn more about how STEALTHbits can help with the discovery and classification of your data, including the collection and reporting of AIP labels here.