Azure Information Protection Versus Windows Information Protection Overview -- Part 1

In the security world, "locks keep honest people honest" is a hoary old saying. It lingers because it is true. One time-tested way to reduce the risk that someone will accidentally or purposefully leak sensitive information is to lock it up. In this article, I will talk about two "locks" that Microsoft provides to help reduce information leakage: Azure Information Protection (AIP) and Windows Information Protection (WIP). They are related but different, and I will explain when to use each one.


The Disclosure Problem

Information leakage is a real and growing problem for organizations of all sizes. A 2017 Ponemon Institute study funded by IBM estimates the average cost of a data breach worldwide at $3.6 million. The breaches we hear about in the news mostly involve two things: intentional attacks that steal financial data, and insiders who leak sensational data about politically sensitive matters. However, many organizations have suffered lower-level breaches when someone forwarded, lost, or leaked a sensitive document or message to someone who was not supposed to have it. Sometimes these breaches are accidental and sometimes they are on purpose. Either way, preventing them requires adding more security controls, and those controls carry baggage. The baggage can make it harder for users to work and be productive, it can restrict legitimate sharing and make BYOD more difficult to support, and it requires extra infrastructure. A useful solution for leakage protection has to:

  • Allow users and organizations to keep work and personal data on the same devices without mixing them
  • Keep unauthorized people from seeing or modifying data
  • Protect data when it is stored, in transit, or shared
  • Not get in the way when users are trying to work

Of course, besides these problems, we still have the need to protect against other threats such as malware and device theft.

You can break these protection requirements up into four categories, as shown in the figure below. AIP and WIP play multiple roles in protecting against these threats.

Figure: Microsoft Is Offering Solutions to Four Major Classes of Threats

Azure Information Protection

AIP is a cloud-based set of tools that lets you label, classify, and protect documents and messages. Think of it as a superset of the Rights Management System (RMS) functionality offered both on-premises (Active Directory RMS) and as part of Office 365 (Office 365 RMS). The naming is a little confusing because until recently, AIP was known as Azure RMS. The differences are subtle:

  • With Office 365 RMS you can protect documents and messages using the Office web and desktop applications. It is included with most enterprise Office 365 SKUs and requires very little setup. You protect items by specifying a template, such as company confidential or do not forward. This controls what the client app will allow a user to do. Let’s refer to this feature level as protection.
  • With AD RMS, you can protect documents and messages using on-premises hardware. You do not need any subscriptions or extra licenses. AD RMS uses templates too and it can be connected to Office 365 RMS for hybrid use.
  • With AIP, you need EMS or Secure Productive Enterprise SKUs. AIP offers the same template-based protection features as Office 365 RMS. It also adds tools for specifying a classification such as confidential, sensitive, secret, etc. The P1 SKU of AIP allows your users to manually classify and visually label files with classification information. The P2 SKU adds the ability to create rules that automatically classify and label objects based on their content.

AIP also includes some other features, such as the ability to connect to on-premises Exchange, SharePoint, or AD RMS servers. I will cover these in future articles.

Windows Information Protection

AIP is intended to provide leak protection and sharing protection, but it cannot solve one critical problem: mixed data on user devices. Consider your personal tablet, phone, and laptop. If you are synced to your company-provided email or OneDrive for Business account, then your employer's possibly sensitive data is mixed in with your personal photos, music, email, etc. If your device is lost, broken, or stolen, or you leave the company, you and your employer have different interests. They will want to ensure that their data is securely removed, and you will want to ensure that you do not lose your personal data. WIP builds data separation into the operating system so that work data is tagged as such. Work data is automatically encrypted using Windows EFS with a key owned by the organization. The operating system and applications can then treat objects differently according to whether each one is enterprise-owned or personal.

To use WIP, you need three things:

  • Windows 10 Anniversary Edition or later.
  • A mobile device management system. Currently, Microsoft supports both SCCM and Intune. Third parties will be supporting WIP policy deployment in the future.
  • A WIP policy that specifies which applications are allowed to work with which types of data. For example, you might allow both enterprise and personal data to be edited in Word but only allow AutoCAD to work with enterprise data.

One key difference between AIP and WIP is that WIP tags data according to its source. When you deploy WIP, your policy also specifies the IP addresses and domain names associated with your intranet, and which cloud sources you trust. For example, you can allow OneDrive for Business and Dropbox but block Box and Google Drive. When you download or copy a file, WIP knows whether it came from an intranet site, server, or trusted cloud source and, if so, tags it as work data. Anything from any other source is marked as personal data.
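To make the source-tagging rule concrete, here is an added example (my own illustration, not Microsoft's code or anything from the article) that parses the three boundary lists a WIP policy carries and decides whether a download's origin is work or personal. The list format is assumed to mirror the comma- and pipe-separated form the Windows network-isolation settings use; the host names and IP ranges are constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample values for the three boundary lists in a WIP policy.
# Assumption: separators mirror the Windows NetworkIsolation settings
# (IP ranges and domains comma-separated, cloud resources pipe-separated
# with an optional ",proxy" suffix per entry); check current Microsoft docs.
ENTERPRISE_IP_RANGES = "10.0.0.1-10.255.255.254,192.168.10.1-192.168.10.254"
ENTERPRISE_NETWORK_DOMAINS = "corp.contoso.example,intranet.contoso.example"
ENTERPRISE_CLOUD_RESOURCES = "contoso-my.sharepoint.com|www.dropbox.com,proxy.contoso.example"


def parse_ip_ranges(value):
    """'a-b,c-d' -> list of (start, end) address pairs."""
    ranges = []
    for item in value.split(","):
        if item.strip():
            start, end = (p.strip() for p in item.split("-", 1))
            ranges.append((ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return ranges


def parse_hosts(value, sep):
    """Split a host list, dropping blanks and any per-entry ',proxy' suffix."""
    return {h.split(",")[0].strip().lower() for h in value.split(sep) if h.strip()}


def in_domain(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


POLICY = {
    "ip_ranges": parse_ip_ranges(ENTERPRISE_IP_RANGES),
    "domains": parse_hosts(ENTERPRISE_NETWORK_DOMAINS, ","),
    "cloud": parse_hosts(ENTERPRISE_CLOUD_RESOURCES, "|"),
}


def classify_source(url, policy=POLICY):
    """Tag a download 'work' if its origin lies inside the enterprise boundary, else 'personal'."""
    host = urlsplit(url).hostname  # lower-cased; IPv6 brackets already stripped
    if not host:
        return "personal"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # Compare only addresses of the same IP version; mixing versions raises TypeError.
        return "work" if any(lo.version == addr.version and lo <= addr <= hi
                             for lo, hi in policy["ip_ranges"]) else "personal"
    if in_domain(host, policy["domains"]) or in_domain(host, policy["cloud"]):
        return "work"
    return "personal"
```

Box and Google Drive are not listed, so files from them fall through to "personal", which is the "block" behaviour the paragraph describes.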

Getting Started with Information Protection

Both WIP and AIP have complete deployment guides available from Microsoft. They are surprisingly easy to deploy for basic use. In the next articles in this series, I will explain how to set up AIP on clients and in the cloud and how to design and deploy WIP policies. Because you can use these two “locks” together or separately, you can pick the best combination to reduce the risk of accidental or purposeful information leakage.


Comments (1)

One response to “Azure Information Protection Versus Windows Information Protection Overview — Part 1”

  1. Good afternoon,

     First, thanks for this helpful post.

     You say "For example, you can allow OneDrive for Business and Dropbox but block Box and Google Drive".

     That's exactly what I want to do, but it doesn't work.

     I have a WIP policy, and I added my Box URL to "Cloud Resources", but it doesn't appear as protected.

     I use Edge, which correctly protects Office Online apps (briefcase icon next to the URL) when adding their URL in "Cloud Resources".

     Do you know the syntax to add a custom website like Box?

     Thanks in advance,

     Best regards,
