In the security world, "locks keep honest people honest" is a hoary old saying. It lingers because it is true. One time-tested way to reduce the risk that someone will accidentally or deliberately leak sensitive information is to lock it up. In this article, I will talk about two “locks” that Microsoft provides to help reduce information leakage: Azure Information Protection (AIP) and Windows Information Protection (WIP). They are related but different, and I will explain when to use each one.
Information leakage is a real and growing problem for organizations of all sizes. A 2017 Ponemon Institute study, funded by IBM, estimates that the average cost of a data breach worldwide is $3.6 million. The breaches we hear about in the news mostly involve two things: intentional attacks that steal financial data, and insiders who leak sensational data about politically sensitive matters. However, many organizations have suffered lower-level breaches when someone forwarded, lost, or leaked a sensitive document or message to someone who was not supposed to have it. Sometimes these breaches are accidental and sometimes they are deliberate. Either way, preventing them requires adding more security controls, but those controls carry baggage: they can make it harder for users to work productively, restrict legitimate sharing, make BYOD more difficult to support, and require extra infrastructure. A useful solution for leakage protection has to:
Of course, besides these problems, we still have the need to protect against other threats such as malware and device theft.
You can break these protection requirements up into four categories, as shown below. AIP and WIP play multiple roles in protecting against these threats.
Microsoft Is Offering Solutions to Four Major Classes of Threats
AIP is a cloud-based set of tools that lets you label, classify, and protect documents and messages. Think of it as a superset of the Rights Management System (RMS) functionality offered both on-premises (Active Directory RMS) and as part of Office 365 (Office 365 RMS). The naming is a little confusing because until recently, AIP was known as Azure RMS. The differences are subtle:
AIP also includes some other features, such as the ability to connect to on-premises Exchange, SharePoint, or AD RMS servers. I will cover these in future articles.
AIP is intended to provide leak protection and sharing protection, but it cannot solve one critical problem: mixed data on user devices. Consider your personal tablet, phone, and laptop. If you are synced to your company-provided email or OneDrive for Business account, then your employer’s possibly sensitive data is mixed in with your personal photos, music, email, and so on. If your device is lost, broken, or stolen, or you leave the company, you and your employer have different interests: they will want to ensure that their data is securely removed, and you will want to ensure that you do not lose your personal data. WIP builds data separation into the operating system: work data is tagged as such and is automatically encrypted with Windows EFS, using a key owned by the organization. The operating system and applications can then treat each object differently according to whether it is enterprise-owned or personally-owned.
To use WIP, you need three things:
One key difference between AIP and WIP is that WIP tags data according to its source. When you deploy WIP, your policy specifies the IP addresses and domain names associated with your intranet, and it also specifies which cloud sources you trust. For example, you can allow OneDrive for Business and Dropbox but block Box and Google Drive. When you download or copy a file, WIP knows whether it came from an intranet site or server or from a trusted cloud source, and if so it tags the file as work data; otherwise the file is marked as personal data.
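To make that source-based tagging concrete, here is a small Python model of the decision, added as an illustration and not Microsoft's code: the policy values (intranet domain, address ranges, trusted cloud services) and the sample URLs are constructed, and real WIP evaluates the boundary inside Windows rather than in a script like this.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy modelled on what a WIP policy specifies: intranet
# domain names and IP ranges, plus cloud services the organization trusts.
# Illustrative model only, not Microsoft's implementation.
POLICY = {
    "intranet_domains": {"corp.example.com"},            # assumed name
    "intranet_ranges": [ipaddress.ip_network("10.0.0.0/8"),
                        ipaddress.ip_network("192.168.0.0/16")],
    "trusted_cloud_domains": {"onedrive.live.com", "dropbox.com"},
}


def _host_in_domains(host, domains):
    # Anchored suffix match: "corp.example.com.evil.test" must not match.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _host_in_ranges(host, ranges):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # host is a name, not an address
        return False
    return any(addr in net for net in ranges)


def classify_source(url, policy=POLICY):
    """Return 'work' when the download source lies inside the enterprise
    boundary (intranet name, intranet address, or trusted cloud service),
    otherwise 'personal'."""
    host = urlsplit(url).hostname or ""
    if _host_in_domains(host, policy["intranet_domains"]):
        return "work"
    if _host_in_ranges(host, policy["intranet_ranges"]):
        return "work"
    if _host_in_domains(host, policy["trusted_cloud_domains"]):
        return "work"
    return "personal"


# Constructed sample download sources.
SAMPLES = [
    "https://intranet.corp.example.com/finance/q3.xlsx",   # intranet name
    "http://10.20.30.40/share/plan.docx",                   # intranet IP
    "https://www.dropbox.com/s/abc/notes.txt",              # trusted cloud
    "https://app.box.com/file/12345",                       # blocked cloud
    "https://drive.google.com/file/d/xyz",                  # blocked cloud
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify_source(url):8s} {url}")
```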
Both WIP and AIP have complete deployment guides available from Microsoft. They are surprisingly easy to deploy for basic use. In the next articles in this series, I will explain how to set up AIP on clients and in the cloud and how to design and deploy WIP policies. Because you can use these two “locks” together or separately, you can pick the best combination to reduce the risk of accidental or purposeful information leakage.
More from Paul Robichaux