What is Azure Information Protection?
Azure Information Protection (AIP) allows organizations to classify and protect documents by applying sensitivity labels. Sensitivity labels are metadata properties indicating the type of information a document contains. AIP also allows ‘Encryption’ to be turned on for these labels. When a label with ‘Encryption’ turned on is applied to a document, the document is also protected/encrypted, and only authorized users will be able to access or edit the document. A sample Microsoft Word document with label ‘Confidential \ All Employees’ applied is shown below.
Administrators can define sensitivity labels in the Office 365 Security and Compliance Center and optionally enable ‘Encryption’ for these sensitivity labels. When encryption is turned on for a label, administrators can define granular access policies that determine who can access documents classified with that label and what level of access they have. A huge benefit of using Azure Information Protection is that the documents stay protected irrespective of where they are sent or with whom they are shared. At any point, only authorized users will be able to access the confidential documents classified and protected with Azure Information Protection labels.
What is the need? To classify and protect documents across multiple cloud services
As enterprise users upload and share documents with external users across multiple cloud applications as part of their daily workflow, it is imperative to detect sensitive or confidential documents and classify those documents automatically in real time. While it is helpful in most cases to protect sensitive documents at rest in any cloud application, sometimes it is useful to protect the documents only when they are downloaded to the endpoint, so that there is no impact on user experience when these documents are accessed or searched for natively within the cloud application. Protecting the documents during download becomes even more important when users are accessing these documents from an unmanaged device. Also, it is not only about monitoring the data that is being uploaded, updated, or downloaded in real time but also about scanning historical content stored in these cloud applications to identify sensitive documents that do not have any classification labels associated with them and automatically classify and protect them.
How does MVISION Cloud classify and protect documents with Azure Information Protection?
McAfee MVISION Cloud now supports integration with Azure Information Protection. This allows security admins to take advantage of Azure Information Protection seamlessly across multiple cloud applications while managing policies with a single-pane-of-glass view provided by MVISION Cloud. Key use cases supported by McAfee MVISION Cloud with Azure Information Protection include:
1) Monitor sensitive documents uploaded to cloud applications such as Office 365, G Suite, etc., and automatically classify and protect those documents with Azure Information Protection sensitivity labels.
– Use McAfee MVISION Cloud’s comprehensive DLP engine to identify sensitive content based on keywords, regular expressions, standard data-identifier templates representing PII, PHI, PCI or other types of sensitive information, file metadata, and structured or unstructured data fingerprints.
2) Monitor sensitive documents being downloaded to unmanaged devices and automatically protect the documents with AIP.
3) Define advanced policies to classify and protect documents being uploaded/downloaded in real time based on a rich set of attributes such as user, device type, location, user group, etc.
4) Detect collaboration/sharing activity being performed on documents classified with given AIP sensitivity labels and automatically revoke or modify sharing permissions for external users.
5) Run a scan to look for documents with sensitive data in any cloud application (historical data) and classify the documents with AIP sensitivity labels.
6) Configure McAfee MVISION Cloud to work with multiple instances of Azure Information Protection each pointing to a different Office 365 tenant. This helps organizations having multiple instances of Office 365 for different regions or departments to seamlessly manage separate groups of policies for classifying documents with AIP sensitivity labels from the appropriate Office 365 tenant.
With McAfee MVISION Cloud and Azure Information Protection, users can safely collaborate on sensitive documents with internal users as well as authorized external users or partners without having to worry about compliance or data leakage issues.