Azure Information Protection: Unified labeling, on-prem scanning and protection across platforms

– Coming up: We take a look at updates for information protection solutions for Microsoft 365. For pervasive protection of your data at rest, in use, and in motion wherever it may reside. Whether that’s in Microsoft’s Cloud, SaaS apps, in non-Microsoft Clouds, and even in your own data center in on-premises file servers. We’ll also show you how the new unified classification supports an even broader set of file types, including formats such as Adobe PDF.

(tech music)

– So, I’m joined today by Gagan from the Azure Information Protection Team, welcome to the show.

– Thanks, Simon, great to be here!

– So, since the last time we looked at Azure Information Protection on the show there’s been a lot of chatter in the public about the topic. And we’ve seen lots more data breaches hitting the news than ever before. Also, there’s a whole lot of regulatory pressure from GDPR. It’s literally a different world now.

– And, you know, it’s almost inevitable that now, more than ever, we need to address the topic of information protection. With the cloud, social, and just the dynamic nature in which we work and communicate today, sharing information is almost second nature to us. It’s a new wave of productivity, I mean it’s easier than ever before to access your data wherever you are on any device of your choice. And this also brings a heightened sense of responsibility about data security.

– So, what’s the approach that we’re taking to information protection and how are we actually evolving that?

– So the first thing I want to point out is that given the exponential amount of data generated in
our environments today, not all of the data needs protection. So, how do you know what data to protect and what not to protect? The author of the document is the best judge of what data is sensitive and what’s not. So, in this case, I’m going to pick up a document. It’s marked as internal, but I can always go to confidential, credit card data, and I can then go and very easily make this document confidential. As you can see here, the header, the watermark, and even the footer are set up correctly and this document is now protected as well to my organization. And all of it was possible because my IT admin was able to set up this label, called Confidential Credit Card Data. And, not only that, he was able to add encryption policies to this document right here.

– So, in the past those kinds of policies have actually applied to data inside of Microsoft services such as Office 365.

– Yes, and it’s always been our vision to protect all your data, whether it’s at rest, in use, or in motion. What I’ll show you today is the next chapter of that vision where we’re extending these capabilities to help you to discover, classify, label and protect your data even when it sits outside of the Microsoft Cloud. Such as on premises, on file servers, in other Cloud depositories or SaaS apps, or even on other platforms such as Apple/Mac. And, this also applies to non-Microsoft file types including, by popular demand, PDFs in Adobe Reader. Also, to add to this, we are making these capabilities available with an SDK. And, finally, many of us are in the email boat, and with our capabilities in Office 365 message encryption, we protect your sensitive information in emails that you send to both internal and external users.

– Okay, that sounds great. I know you’ve got a lot to show us, so can we see some of this in action?

– Yes, so let’s start out with a preview of our consistent labeling experience in the Security and Compliance Center. So, where would I define the labels, Azure or Office 365? They are consistently applied across all of your workloads. So, as you can see, we
already have created a few labels in the Security and Compliance Center. I’m going to create a new label. So, I click on “Create a Label.” I am going to give it a name, “Confidential Credit Card Data,” I will provide a similar tool tip, and click “Next.” So, what you’ll see now is that I can apply two types of policies for protection and for retention. For protection, I will choose the advanced protection, and then encryption. But first, let’s go and take a look at what options are available to me. So, I will click “On,” and you’ll see that I have options ranging from block users from sending email messages outside the organization, to sending incident reports in emails. But in this case, as we said, we are going to click on “Advanced Protection,” customize the settings, and add a few users from my organization. So, what I’m going to do is I’m literally going to choose all the users that exist in my organization, and click “Add,” and save this policy. So, now the protection action, I’ve already applied it. The next thing for me, is to go and choose the retention policies that I want to apply for my organization. So, I will turn on the retention policies. And in this case, the default is “Retain the content for seven years.” What it really means is that if you have a document that has this label, then for the next seven years, the document is going to get retained. That’s a great default. I’m just going to choose that now, and click “Next.” We also have some advanced options available for you that allow you to add watermark, headers and footers. So, in this case, I’m going to add a watermark. And now I have the choice to add whatever text I want for the watermark. In this case, I will choose the same text as I had added to the title of the label. I will click “Save,” and then click “Next.”

– [Simon] Okay.

– [Gagan] Now we’re going to add conditions to automatically apply these labels to these documents.

– And that’s really important because lots of users actually don’t always label their documents.

– That’s correct. And that’s one of the feedbacks that we hear from you, that you would want to make sure that the automatic labelling happens more and more. So, now I’m going to automatically apply conditions to this label. I’m going
to click on “Next,” and I’m going to add conditions. I will choose “Sensitive Info Types.” What you will realize here is that Microsoft offers more than 80 information types already available for you. So we’re going to click on “Add,” and you can see these information types showing up on the screen. In this case we want, because this is a credit card specific label, I’m going to choose the word “Credit Card,” choose my sensitive type, and save. Now I can review all my settings and then I will just click on “Create,” and this will basically create a new label for me that I can start publishing for my organization by clicking on the “Publish Label” button that you see here.

– And now, that label is going to apply across data in all of your workloads wherever they are. And I know a lot of people that are watching are going to be really pleased to see that we have that kind of consistent labeling. How does what we’ve actually set up here translate to services outside of Microsoft?

– So the idea here is that you create your classification and labeling policies once, and they apply everywhere. For the data inside of your organization, on file servers, or SharePoint on-prem, we’re introducing the new capability called the AIP Scanner. So, as you can see on my screen, I have a document which contains a credit card number, which means it should be marked as
sensitive data. So, let me show you how the AIP Scanner will help you scan and protect this data. So, first I’m going to close this document. You can see behind the scenes I have a folder which contains a bunch of files, from Microsoft Word files and PDFs, and we are now going to start running the scanner. So, a simple PowerShell command, called Start Service IP Scanner will run this scanner. And what will happen behind the scenes, is that you will see that the icons changed. So, these files are now getting protected with the lock sign. What you’ll also see is it’s just not about Microsoft file formats, but in this case PDFs, and other file types are equally supported as well. Basically, behind the scenes, the scanner is discovering all of these files, and it is now classifying, labeling, and protecting these files as well. I am now going to open a file and show you that the file actually got classified and protected as well just as I was able to do it manually. So, you can see it’s the same file, but now it contains a sensitivity of confidential. You can see that it has applied the permissions, which means in my organization anybody can now open this file, but nobody outside my organization. So, Simon, if you now go to SharePoint, what do you see?

– [Simon] Okay, so I’m seeing the file is there, the Order Receipt file, if I go and click on the three dots, and then go select “Details,” then it’s going to try and preview that file. But, okay, it’s going to fail because of the, that’s what we expect because of the protection. Then if I look in the properties, I can see the labels. Very good.

– Absolutely. And that’s because now Office 365 also recognizes this common classification and label scheme.

– Okay, so that’s pretty slick, and presumably I can set up AIP Scanner as a batch process to discover and protect my data on a regular schedule.

– Yes, that’s right. You can now configure the scanner so it runs periodically on your file servers so you can discover and protect data as it
comes to the file scanner. Now, one more thing. You can see that I am on a MacBook, I am going to download the file that we have just uploaded. And now, I’m going to try to open this file. When I double-click on this file, you will see that it is now trying to authenticate me but it’s actually sending a text to my phone. It’s actually forcing me to do an MFA, or a Multi-Factor Authentication. That’s conditional access working in the background for you. And it is set to require Multi-Factor Authentication, so as that when I open a confidential document on a non-domain joined device, which is this document, Simon, I would be asked to verify my identity. So, in this case, I’m going to go to my phone, and I see that I have received a code for MFA. I’m going to put in this code, and click “Verify.” So, once I do that, I have finished my authentication, and now the Microsoft Word is trying to go into open the document. And that’s what happens here. So, as you can see here, as I mentioned before as well, Office on Mac now has the same familiar look as Office on Windows for the policies of labeling and protection. In this case, the policy is “Confidential Credit Card Data.” I can click on “View Permissions,” and it will give me the same experience as I would have with Windows where it shows me that it’s me and my organization that have ability to open this document, but nobody else.

– Okay, so we’ve seen the unified of classification labels on premises, across Microsoft services, and even in non-Microsoft platforms like this Mac. What we haven’t seen yet is this working with other SaaS applications in non-Microsoft clouds.

– Okay, so we’ll take this other document called “Confidential
Architecture” for which I actually don’t know the sensitivity of the document yet. And I’m going to upload it to Box. And now, as you can see, in near-instant mode, the file has now moved to version V2. Behind the scenes, Microsoft Cloud App Security has detected the file, and has classified and protected it. Simon, why don’t you now try to download the file?

– Okay. Let me go ahead and do that. So, I’ll go back here and I’m inside of Box, and it’s the “Confidential Architecture” document. So, let’s go ahead and open that. It’s not giving me a preview. If I download, it’s going to download it. I’ll select to open it in Word. And Word’s asking me to sign in with my credentials.

– Yes, remember, when we created the confidential label earlier, we specified that the access is only available for my company’s employees only. So, your access will be blocked until you provide identity to my own organization.

– Of course, many people work in vendors outside of their organizations, who might be using a number of different email services. And, obviously, we want to be able to protect that information, but we don’t want to get in the way of that kind of productivity. What kind of things have you got there?

– So, we recently announced
a new functionality or a new version of Office 365 message encryption, which is built on top of Azure Information Protection. This allows you to send secure emails from Office 365, or even if you have a hybrid exchange infrastructure to anyone, inside or outside your organization. You can send protected emails to any email address, including Office 365, Microsoft accounts, such as Hotmail or, and Google ID to just name a few. And you, as a recipient, can open these emails from any app on any device. So, now I’m going to show you a demo of it. So, I’m here in Outlook, and I’m going to share a confidential piece of information with you, Simon, on your Gmail account. So, I’m going to now send this email and hopefully it reaches you.

– [Simon] Okay, so I’ve signed in to Gmail on my machine here, and yep, I’ve got that email from you and I’m going to go ahead and open that up. And I can see that I’ve got some branding here that tells me that it’s from your company, it’s got your name there, I’ve got this big “Read the Message” button in the middle of the screen. I’m gonna go ahead and click that. And it’s asking me to sign in with my Google account, presumably that’s the same one that I’ve signed into my Gmail with. So, we’ll hit the sign in button there.

– [Gagan] So, in this case, we are federated with Google, which means as soon as you give your consent, we know that we have proven your identity. And we will give you access to the email that I just sent you.

– That’s pretty awesome! I’m here, in the document, I can read all of the contents of the email directly inside of the browser. That’s pretty cool.

– [Gagan] Yes, and so try forwarding it and see what happens.

– [Simon] So I’ve got my Forward button up here, except it’s been grayed out.

– [Gagan] Right, it’s grayed out because I sent the email to you with a “Do Not Forward” fashion, which means we don’t allow you as a recipient to be able to forward this email to others.

– This is pretty cool. It means that my email is protected no matter which service it actually ends up in and those protections are always going to be respected. What is it that you guys are coming up with next?

– So we want to continue to expand these capabilities beyond Microsoft services and also apps. The last thing I’m going to show you here is the work we have done with Adobe to further
extend our classification and protection capabilities within the Adobe Reader. So, why don’t we just go ahead and open up a protected PDF from your desktop, Simon.

– Okay, so, I’ve already opened up the Adobe Reader application and I’ve got the confidential document we want to look at loaded in the middle there. Just go ahead and just double click on that. And, it’s opened the document up, I can read the text in there. The left hand side of it here I’ve got this padlock icon. I’ll go there and have a look at Permission details. It’s actually telling me exactly what the document restrictions are and I can see that it is also being protected by that security method there that says Microsoft Azure Information Protection.

– Right, so we’re working with Adobe, as I said, to open these protected PDFs in Adobe Reader. And at some point, in the future, we would make this available in Preview form as well.

– Really good to hear about all of the updates to Azure Information Protection in Microsoft 365, whereabouts can people go to learn more?

– So, you can keep up with the latest information protection capabilities on our blog for Microsoft 365 and also check out the following link to see more on Azure Information Protection in Microsoft 365.

– And, of course, to see all of the latest in the tech action, subscribe to our Microsoft Mechanics channel to see the latest shows. Thank you for watching.

8 Replies to “Azure Information Protection: Unified labeling, on-prem scanning and protection across platforms”

  1. When you went through the wizard in the Office portal under Security & Compliance and clicked Classifications, it seems that you have more options in that wizard than I do. Any reason for that? What am I missing?

  2. This is great! I'm testing some of this but with labels set up in Azure Information Protection (Azure portal). I assume the idea is that will now be presented through the S&C labels in the Office 365 portal?

    I'm testing this with an Office 365 Business Premium subscription and an Azure Information Protection P1 add-on. I've installed the AZInfoProtection.exe on my Win10 Pro laptop with Office 2016 Business Premium. It seems to work this way. There was 1 point it was complaining about not having Office Pro but that seems to have disappeared. Are there certain requirements that we should be aware of for full functionality? Am I missing anything with a Business Premium + AIP P1 subscription?

  3. @Gagan Gulati Your overview of AIP on Microsoft Mechanics 02/22/2018 is the best Microsoft service explainer video I have ever viewed, and I've viewed a lot of them. The reason it's the best is the logical pedagogical sequence of the information presented, the clarity of your language, and your respect that your audience includes "non-technical technicians" and "non-expert admins" who need to understand the service to do their overall job, which includes running a small business as well as looking after their small business IT hands on. Thank you. I want more explainers structured like yours – please share my feedback with the folks who can foster that across the services.
