Starting the Azure Information Protection Conversation

Jul 7, 2017 | Security

While Azure Information Protection (AIP) may not be the most commonly deployed solution in the EM+S product suite offered by Microsoft, it is certainly gaining ground. Recently, more customers are being drawn towards AIP for its tracking and control capabilities over the movement of confidential and sensitive information externally and within an organization. Furthermore, many organizations own EMS E3 or E5, which includes AIP, but we still run into customers that have not yet deployed AIP. For organizations that are ready to dip their toe into their AIP investment, here’s what you need to know.

Demonstrations of AIP’s technology are amazing and it’s exciting to see the possibilities of tight control over organizational data. In the haste to turn on the technology, however, many AIP implementations stall, fail, or just don’t get utilized. Why? It’s simple – the business conversations get bypassed.

Introducing the rights management concepts and capabilities that AIP brings to an organization is a challenge because of the prerequisites necessary before getting started with AIP – namely Data Classification and Data Labeling. Since conversations surrounding these two areas are business oriented, communication tends to break down because IT is focused on the technology, and there is nobody to broker the conversation with the business.

Since data classification and data labeling are two keys to understanding how AIP will be architected, let’s take a look at how these conversations set the stage for making an AIP rollout as smooth as possible.

Data Classification and Data Labels

When I think of data classification, I think of one of the federal government’s highest classification schemes – Top Secret. Most people have at least heard this phrase or have seen references to it in the movies. Do you know what Top Secret means? You likely have a really good idea – it’s a very high level of sensitivity of information, only allowed to be viewed by individuals with a “Top Secret” or higher clearance. The “Top Secret” designation is the data label, which is applied to documents, emails, etc., and the classification is the understanding of what information falls into this category. Regulated entities typically have classification schemes already defined. Healthcare has PHI (Protected Health Information) and banks have NPI (Non-Public Information). Each of these labels has regulations and standards defining what falls within the classification and how to handle the data.

Another good example of a classification is “Internal Use Only”. The classification indicates that documents with this label are only to be used internally and viewed by individuals within the organization.

I’ve been involved in many data classification projects with our clients at Peters & Associates. During these initiatives, we help our clients determine the sensitivity of a particular data set and what protections should be placed on it. Most regulated organizations understand what data classification is, but even unregulated companies have an understanding of what data constitutes the “crown jewels”, and they likely know where it resides. This is certainly a prerequisite for an AIP implementation.

In a typical AIP alignment workshop, the workflow looks as follows:

Within this workflow, we start by looking at any existing corporate data classification methodologies currently in place. We can either discover this by doing a data analysis and strategy session with management, or we can begin by exploring the regulatory requirements placed on the organization. As pointed out earlier, most regulated organizations have data classification standards already defined, but, as we will see, some of them may need to be enhanced, and there may be cases for adding additional labels.

The next step is to look at the controls AIP can place on documents, email, SharePoint, and OneDrive repositories. As we explore the AIP control-set, there will inevitably be additional ideas on how information can be protected. Here is a breakout of possible controls within AIP:

A common question we are asked on projects like this is: How do you handle all of the other controls that we have over data? Will they be used as a complementary control-set or as backstop controls?

In most cases, AIP will be introduced as part of a multi-pronged security strategy. Once AIP is implemented with the data labeling and categorization defined, you can determine how you want it to be applied. Without going too deep into licensing, with AIP Plan 2 you can automate the classification and labeling of documents that meet certain criteria. With the Plan 1 license, you will be relying on the user population or other technologies to take the necessary steps to label each of their emails and files accordingly. This supports the need to keep many of the backstop controls listed below in place:

Implementing AIP is not as easy as flipping a switch. A real AIP project will consist of pre-implementation planning and road-mapping. AIP is usually piloted at an organization, and training for the new capabilities is essential for the project to be a success.
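To make the label-versus-classification distinction from the "Data Classification and Data Labels" section concrete, and to show what the Plan 2 style of condition-based automatic labeling amounts to in practice, here is an added example that is not part of the original post and not Microsoft's or Peters & Associates' code. The label names, the ordering of sensitivity, the detection patterns, the sample documents and the "no silent downgrade" rule are all constructed assumptions for illustration; real AIP conditions are configured in the service, and the regexes here are deliberately simplified.

```python
import re
from dataclasses import dataclass

# Constructed classification scheme, ordered from least to most sensitive.
# The position in this list is what makes one label "higher" than another.
SENSITIVITY_ORDER = ["Public", "Internal Use Only", "Confidential", "Highly Confidential"]


@dataclass
class Condition:
    """A content condition: a label is recommended when the pattern
    appears at least min_matches times in the document text."""
    name: str
    pattern: re.Pattern
    min_matches: int = 1


@dataclass
class LabelRule:
    label: str
    conditions: list


# Hypothetical rules. The patterns are simplified stand-ins for the kinds of
# sensitive-information conditions an auto-labeling policy would use.
RULES = [
    LabelRule("Highly Confidential", [
        Condition("US SSN-like number", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ]),
    LabelRule("Confidential", [
        # Require two account numbers so a single stray reference does not
        # escalate an otherwise ordinary document.
        Condition("account number", re.compile(r"\bACCT-\d{8}\b"), min_matches=2),
    ]),
    LabelRule("Internal Use Only", [
        Condition("internal marker", re.compile(r"\bINTERNAL\b", re.IGNORECASE)),
    ]),
]


def matched_rules(text):
    """Return (label, condition name, match count) for every condition that fires."""
    hits = []
    for rule in RULES:
        for cond in rule.conditions:
            count = len(cond.pattern.findall(text))
            if count >= cond.min_matches:
                hits.append((rule.label, cond.name, count))
    return hits


def recommend_label(text, default="Public"):
    """Recommend the most sensitive label among all rules that matched,
    falling back to the default when nothing matched."""
    hits = matched_rules(text)
    if not hits:
        return default, []
    best = max((h[0] for h in hits), key=SENSITIVITY_ORDER.index)
    return best, hits


def apply_label(current_label, recommended, justification=None):
    """Decide the label to apply. Automatic labeling may raise a classification
    freely but never silently lowers one: a downgrade is kept only when a
    justification was supplied (an assumed policy, not an AIP guarantee)."""
    if current_label is None:
        return recommended
    if SENSITIVITY_ORDER.index(recommended) >= SENSITIVITY_ORDER.index(current_label):
        return recommended
    return recommended if justification else current_label


# Constructed sample documents; the contents are invented for this example.
SAMPLE_DOCS = {
    "memo.txt": "INTERNAL: cafeteria hours change next week.",
    "claims.txt": "Patient 123-45-6789 filed claim ACCT-00000001.",
    "newsletter.txt": "Welcome to our public newsletter.",
}


def classify_all(docs=SAMPLE_DOCS):
    """Map each document name to its recommended label."""
    return {name: recommend_label(text)[0] for name, text in docs.items()}


if __name__ == "__main__":
    for name, label in classify_all().items():
        print(f"{name}: {label}")
```

The useful property to notice is that a document matching several conditions gets the highest label among them, and that the account-number rule needs two hits before it fires, which is how a policy avoids over-labeling on incidental mentions. Under Plan 1, the same scheme would be applied by users choosing the label by hand, with backstop controls catching what they miss.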

Do you have more questions on AIP or other components of EM+S? We’re standing by to help. Email us at to get started.