Microsoft to Solve Document Cloud Compliance and Visibility Issues With Azure Information Protection
Microsoft is planning to preview a new addition to its Azure security portfolio in July. Named Microsoft Azure Information Protection it combines the Azure Rights Management System (RMS) with the data classification and labeling technology acquired with the purchase of Secure Islands in November 2015. The purpose is to provide greater clarity and control over the movement of documents in and through the cloud in the face of increasing geographically based privacy and data protection laws.
An increasingly mobile and global economy with different compliance requirements in different jurisdictions requires both greater control and increased user flexibility over that control. Microsoft is supplying this by integrating rights management (for control) with easier document labeling (Secure Islands).
This will start at document creation. Policies can be established to help generate automatic suggestions to the author, or the author can set the level purely manually. Once the document has been labeled, that label and associated protection stays and travels with the document, whether it is internally or with and between external partners.
The level of protection can be set by the author/owner of the document. “Document owners can define who can access data and what they can do with it; for example, recipients can view and edit files, but they cannot print or forward,” states an associated blog post. It goes on to explain that “Data classification and protection controls are integrated into Office and common applications. These provide simple one-click options to secure data that users are working on.”
Through Information Protection, Microsoft will solve three major cloud problems in one go. Firstly it will go a long way to solving compliance issues. Secondly it will provide the missing visibility into the cloud that security teams need but often do not get. And thirdly it will protect against unseen and unknown data leakage of intellectual property. “Document owners can track activities on shared data and revoke access when necessary. IT can use logging and reporting to monitor, analyze and reason over shared data,” says the announcement.
How effective this will be remains to be seen. Data labeling is traditionally a huge problem for security teams. Left to their own devices, users often over-compensate and classify everything as ‘top secret’. Automatic suggestions from the system based on rules developed by IT and security could solve this — or they could add an additional level of complexity if the rules keep getting things wrong.
What isn’t yet clear is whether the arrival of Information Protection will replace the existing Azure RMS. Microsoft merely says that RMS will continue ‘as is’ until the general availability of Information Protection, “when they will begin to receive expanded capabilities.” It doesn’t say whether those expanded capabilities (presumably the automated document labeling features directly in Word) will come with additional cost.