Secure Collaboration: Start classifying, labeling, and protecting your (most valuable) data
Bram de Jager
Lead Architect - delaware
Challenges with the complex environment
Employees
Business partners
Customers
Apps
Devices
Data
Users
Data leaks
Lost device
Compromised identity
Stolen credentials
The problem is ubiquitous
Intellectual Property theft has increased
56% rise in data theft
Accidental or malicious breaches due to lack of internal controls
88% of organizations are losing control of data
80% of employees admit to using non-approved SaaS apps
91% of breaches could have been avoided
Organizations are no longer confident in their ability to detect and prevent threats
Saving files to non-approved cloud storage apps is common
Unregulated, unknown
Managed mobile environment
How much control do you have?
On-premises
Perimeter protection
Identity, device management protection
Hybrid data = new normal
It is harder to protect
The evolution of Azure RMS
Classification & labeling: CLASSIFICATION, LABELING
Protect: ENCRYPTION, ACCESS CONTROL, POLICY ENFORCEMENT
Monitor & respond: DOCUMENT TRACKING, DOCUMENT REVOCATION
Azure Information Protection
Classification & labeling: CLASSIFICATION, LABELING
Protect: ENCRYPTION, ACCESS CONTROL, POLICY ENFORCEMENT
Monitor & respond: DOCUMENT TRACKING, DOCUMENT REVOCATION
Full Data Lifecycle
Classify Data – Begin the Journey
SECRET
CONFIDENTIAL
INTERNAL
PUBLIC
PERSONAL
IT admin sets policies, templates, and rules
Classify data based on sensitivity
Start with the data that is most sensitive
IT can set automatic rules; users can complement it
Associate actions such as visual markings and protection
How Classification Works
Reclassification
You can override a classification and optionally be required to provide a justification
Automatic
Policies can be set by IT Admins for automatically applying classification and protection to data
Recommended
Based on the content you’re working on, you can be prompted with suggested classification
User set
Users can choose to apply a sensitivity label to the email or file they are working on with a single click
Apply labels based on classification
FINANCE
CONFIDENTIAL
Persistent labels that travel with the document
Labels are metadata written to documents
Labels are in clear text so that other systems such as a DLP engine can read them
and a hash of policies, rules, and user information
Protect data against unauthorized use
VIEW EDIT COPY PASTE
Email attachment
FILE
Protect data needing protection by:
Encrypting data
Including authentication requirement and a definition of use rights (permissions) to the data
Providing protection that is persistent and travels with the data
Personal apps
Corporate apps
Demo
Set an information protection platform for your business - in minutes
Demo – scenarios
Manual and default labels
Label action: content marking & RMS protection
Conditions: Automatic & recommended
Setting your information protection policy in minutes (administration experience)
Using variables in visual markings
• ${Item.Label} for the selected label. For example: Internal
• ${Item.Name} for the file name or email subject. For example: JulySales.docx
• ${Item.Location} for the path and file name for documents, and the email subject for emails. For example: Sales2016Q3JulyReport.docx
• ${User.Name} for the owner of the document or email, by the Windows signed in user name. For example: rsimone
• ${User.PrincipalName} for the owner of the document or email, by the Azure Information Protection client signed in email address (UPN). For example: rsimone@vanarsdelltd.com
• ${Event.DateTime} for the date and time when the selected label was set. For example: 8/16/2016 1:30 PM
Azure Information Protection and SharePoint
SharePoint supports Information Rights Management, based on Azure RMS
Not “integrated” with Azure Information Protection (yet?)
Automation based on the AIP SDK would be an option to auto-apply labels based on context
Align Data Loss Prevention with Azure Information Protection
Wrap-up
Azure Information Protection Premium P1/P2
Feature                                               Premium P1 (EMS E3)   Premium P2 (EMS E5)
Manual labeling (user driven)                         Yes                   Yes
View labels and watermarks in Office                  Yes                   Yes
Apply content marking and RMS protection in Office    Yes                   Yes
Automatic and recommended labeling (conditions)       -                     Yes
Classification, labeling and protection with MCAS     -                     Yes
HYOK (Hold your own key – multi RMS server support)   -                     Yes
Key takeaways
Azure Information Protection is about securing your data
Helps your organization to understand and really use business information protection based on data classification
Think about compliance with the General Data Protection Regulation (GDPR), which is in effect as of May 25th 2018
Thank you!
@bramdejager
bram.dejager@delaware.pro
bramdejager.wordpress.com
Thanks for attending
SPSNL17 - Secure Collaboration: Start classifying, labeling, and protecting your (most valuable) data - Bram de Jager
