In the security world, "locks keep honest people honest" is a hoary old saying. The saying lingers because it is true. One time-tested way to reduce the risk that someone will accidentally or purposefully leak sensitive information is to lock it up. In this article, I will talk about two "locks" that Microsoft provides to help reduce information leakage, Azure Information Protection (AIP) and Windows Information Protection (WIP). They are related but different. I will explain when to use each one.
Information leakage is a real and growing problem for organizations of all sizes. A 2017 Ponemon Institute study funded by IBM estimates the average cost of a data breach worldwide at $3.6 million. The breaches we hear about in the news mostly involve two things: intentional attacks that steal financial data, and insiders who leak sensational data about politically sensitive matters. However, many organizations have suffered lower-level breaches when someone forwarded, lost, or leaked a sensitive document or message to someone who was not supposed to have it. Sometimes these breaches are accidental and sometimes they are on purpose. Either way, preventing them requires adding more security controls, but those controls carry baggage. This baggage can make it harder for users to work and be productive. It can restrict legitimate sharing and make it more difficult to support BYOD. It also requires extra infrastructure. A useful solution for leakage protection has to:
Of course, besides these problems, we still have the need to protect against other threats such as malware and device theft.
You can break these protection requirements up into four categories, as shown below. AIP and WIP play multiple roles in protecting against these threats.
AIP is a cloud-based set of tools that lets you label, classify, and protect documents and messages. Think of it as a superset of the Rights Management System (RMS) functionality offered both on-premises (Active Directory RMS) and as part of Office 365 (Office 365 RMS). The naming is a little confusing because until recently, AIP was known as Azure RMS. The differences are subtle:
AIP also includes some other features, such as the ability to connect to on-premises Exchange, SharePoint, or AD RMS servers. I will cover these in future articles.
AIP is intended to provide leak protection and sharing protection, but it cannot solve one critical problem: mixed data on user devices. Consider your personal tablet, phone, and laptop. If you are synced to your company-provided email or OneDrive for Business account, then your employer's possibly-sensitive data is mixed in with your personal photos, music, email, etc. If your device is lost, broken, or stolen, or you leave the company, you and your employer have different interests. They will want to ensure that their data is securely removed, and you will want to ensure that you do not lose your personal data. WIP builds data separation into the operating system so that work data is tagged as such. Work data is automatically encrypted using Windows EFS with a key owned by the organization. The operating system and applications can then treat each object according to whether it is enterprise-owned or personally-owned.
To use WIP, you need three things:
One key difference between AIP and WIP is that WIP tags data according to its source. When you deploy WIP, your policy also specifies the IP addresses and domain names associated with your intranet, as well as which cloud sources you trust. For example, you can allow OneDrive for Business and Dropbox but block Box and Google Drive. When you download or copy a file, WIP knows whether it came from an intranet site, a server, or a trusted cloud source, and uses that to decide whether the file should be tagged as work data. If it did not come from one of those sources, it is marked as personal data.
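To make the source-based tagging rule concrete, here is an added example (not Microsoft's code and not how WIP is implemented internally) that simulates the decision the paragraph describes: a file's origin is checked against a policy of intranet IP ranges, intranet domain names, and trusted cloud domains, and the file is classified as work data on a match and personal data otherwise. The policy values, the URLs, and the UNC path are all constructed for the example; how WIP actually matches hosts is an assumption here, and the point is the classification logic rather than the exact matching semantics.

```python
"""Simulated WIP-style source classification (constructed example).

A file is 'work' data when it came from a declared intranet address range,
an intranet domain name, or a trusted cloud service; everything else is
'personal'. This mirrors the rule described in the text, not WIP's internals.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed policy with hypothetical values; a real deployment would carry
# the organization's own ranges, domains, and allowed cloud services.
POLICY = {
    "intranet_ranges": ["10.0.0.0/8", "192.168.0.0/16"],
    "intranet_domains": ["corp.example", "intranet.example.com"],
    # Allowed cloud services (the text's example allows OneDrive for Business
    # and Dropbox). Services that are blocked, such as Box and Google Drive in
    # the text's example, are simply absent, so their data stays personal.
    "trusted_cloud_domains": ["sharepoint.com", "dropbox.com"],
}


def origin_host(source):
    """Extract the host from an http(s) URL or a UNC path like \\\\server\\share.

    Returns None when no host can be recovered.
    """
    if source.startswith("\\\\"):
        host = source[2:].split("\\", 1)[0].lower()
        return host or None
    return urlsplit(source).hostname  # already lowercased by urlsplit


def _host_matches(host, domain):
    """True when host equals the domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def classify_source(source, policy=POLICY):
    """Return 'work' or 'personal' for the origin of a downloaded/copied file.

    Assumption made for this example: an origin that cannot be parsed is
    treated as personal, the conservative choice for keeping work data
    separate from data of unknown provenance.
    """
    host = origin_host(source)
    if not host:
        return "personal"

    # 1. Literal IP address: work only if it lies inside a declared intranet range.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        in_range = any(addr in ipaddress.ip_network(r) for r in policy["intranet_ranges"])
        return "work" if in_range else "personal"

    # 2. Hostname under an intranet domain name.
    if any(_host_matches(host, d) for d in policy["intranet_domains"]):
        return "work"

    # 3. Hostname under a trusted (allowed) cloud service.
    if any(_host_matches(host, d) for d in policy["trusted_cloud_domains"]):
        return "work"

    # 4. Anything else, including blocked or unlisted cloud services.
    return "personal"


if __name__ == "__main__":
    # Constructed sample origins.
    for src in [
        "https://intranet.example.com/hr/salaries.xlsx",
        "http://10.20.30.40/share/report.pdf",
        "\\\\fs01.corp.example\\projects\\plan.docx",
        "https://contoso-my.sharepoint.com/personal/user/doc.docx",
        "https://www.dropbox.com/s/abc/photo.jpg",
        "https://drive.google.com/file/d/abc",
        "http://203.0.113.7/misc/file.zip",
    ]:
        print(f"{classify_source(src):8s} {src}")
```

The example deliberately treats an unparseable origin and an IP address outside the declared ranges as personal, since the safe failure mode for data separation is to avoid granting an unknown source the trust that comes with the work tag.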
Both WIP and AIP have complete deployment guides available from Microsoft, and they are surprisingly easy to deploy for basic use. In the next articles in this series, I will explain how to set up AIP on clients and in the cloud and how to design and deploy WIP policies. Because you can use these two "locks" together or separately, you can pick the combination that best reduces the risk of accidental or purposeful information leakage.