Risc IT Blog
A word to the wise
Classification and Labelling in AIP
Azure Information Protection (AIP) from Microsoft is designed to protect sensitive information in emails and documents, whether it is shared inside or outside your organisation, ensuring it can only be seen by the intended recipient.
An important feature of AIP is the ability to classify and label documents. This allows you to choose who can and can’t see certain documents and folders, and assign levels of confidentiality and importance.
Classification and Labelling
As an example, if a folder had a ‘Finance only’ label applied to it and an employee tried to email it to a customer, AIP would stop the attempt from working. The recipient would not be able to open the email, so the information would not, and could not, be shared.
AIP also prevents the information from being copied, sent, or screen grabbed. If a user marks an email as ‘do not forward’, the recipient will be able to view the email and that is all; they cannot capture it using the snipping tool or screen capturing software, for example.
Whilst preventing external sharing is important, information needs to be protected internally as well. We wouldn’t, for example, want employees to have open access to each other’s payslips. The labels that are used are customisable, so administrators can tailor them to your organisation’s needs. You might need ‘Internal’, ‘HR’ and ‘Finance’, for example, or you might choose to define labels by impact: ‘Low Business Impact’, ‘Medium Business Impact’ and ‘High Business Impact’. This customisation means that your business has complete control over where information can go.
Classifying your data also allows staff to explicitly see which information is sensitive, so there’s no confusion and less chance of human error. It also means that employees are consciously identifying the risks and potential business impact that sharing that data might cause.
How does it work?
When a document is created, labels can be applied. The relevant policy then dictates where this document can go. If an internal document were to be shared outside the organisation, the action wouldn’t work and the administrator would be notified. The administrator notification is important because it ensures transparency and allows the admin to respond appropriately.
For emails, similarly to when a document is created, users will be prompted to apply a label.
Is there automatic classification?
Automatic classification and labelling is available in the AIP P2 plan. This allows you to apply a policy so that documents and emails are automatically labelled. The automatic labelling can be done using predefined patterns (if an email contains a credit card number, for example), or you can use customised labelling based on your policies. For example, all HR documents might be automatically labelled as strictly confidential. If administrators allow it, users can overwrite these labels if they’re not appropriate for the document. All overwrites are audited to provide traceability.
The biggest benefit of automatic labelling is that it isn’t reliant on employees to classify the documents themselves. This prevents users from overlooking classification, thereby eliminating the chances of data falling into the wrong hands.
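The pattern-based labelling described above can be pictured with the following sketch. It is an added example, not AIP's own code or policy format: the function names, the ‘Confidential’ label and the ‘Internal’ default are assumptions, and the sample inputs are constructed.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits):
    """Luhn checksum: filters out order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return digit strings that look like card numbers and pass Luhn."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def auto_label(text, department=None):
    """Policy sketch: department rule first, then content pattern, then default."""
    if department == "HR":
        return "Strictly Confidential"
    if find_card_numbers(text):
        return "Confidential"   # assumed label name
    return "Internal"           # assumed default label


def label_document(text, department=None, user_choice=None,
                   allow_override=True, audit=None):
    """Apply the automatic label; record any permitted user override."""
    suggested = auto_label(text, department)
    if user_choice and user_choice != suggested and allow_override:
        if audit is not None:
            audit.append({"automatic": suggested, "chosen": user_choice})
        return user_choice
    return suggested
```

The checksum step is what keeps a 16-digit order reference from being labelled as card data, and the audit list is the record an administrator would review when users change an automatic label.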
How do I get it?
AIP is available as a standalone add-on to your Microsoft 365, or can be purchased as part of the EM+S (Enterprise Mobility and Security) suite.