Dark Reading is part of the Informa Tech Division of Informa PLC


Microsoft Rolls Out New Data Classification And Security Service

Azure Information Protection is the first fruit of Microsoft's acquisition of Secure Islands.

Microsoft is set to offer a new cloud-based service that lets businesses classify, label, and protect data at the time of creation or modification. That protection then stays with the data at all times, regardless of where it is stored, with whom it is shared, or if the device is running iOS, Android, or Windows, according to Microsoft.

The new Microsoft Azure Information Protection builds on and integrates both Microsoft Azure Rights Management (Azure RMS) and data classification and labeling technology from Secure Islands, which Microsoft acquired last December. The new service is a component of Microsoft's Azure cloud computing platform.

The new service aims to address concerns over better protection of information that travels beyond the boundary of the corporate network and across many devices outside of a company’s control.

“At its core we are solving a central challenge for businesses and organizations around how they share sensitive information,” says Andrew Conway, senior director of enterprise mobility product marketing with Microsoft. “How do they do that in a way that they can be clear that the data is secure not just within their own organizations,” but also as the data is accessed by employees and business partners remotely.

Typically, in the past, organizations would establish point-to-point relationships with a particular partner to securely exchange information, but that was cumbersome to manage. “This is where identity is critically important,” Conway says. “Microsoft has made a huge investment in running a cloud directory service, a cloud identity system, at scale in the Azure cloud. That is enabling companies to connect to that cloud and share information securely.”

Under-Protecting or Over-Protecting

Organizations often wrestle with how to determine the level of security of specific data. “Organizations struggle with understanding which information is in need of protection -- encryption, for instance -- versus what is just information that is personal to their employees or regular information for the business that they don’t need special controls around,” Conway says.

As a result, companies are either under-protecting things or encrypting everything. “So the ability to classify information before you encrypt it is super important,” Conway says.

Azure RMS basically encrypts data from the get-go. As a file or email is created, that data is encrypted and a set of permissions travel with that data. The encryption and permissions apply to the data no matter where it goes; if the data is sent to someone outside the organization or that person operates on it with a different application, the permissions still apply.

For example, a manager can classify data automatically based on what is included in a file, such as a credit card number or social security number. Or they can let their employees classify data. The creator of the document can decide whether some data is personal, confidential or secret. “When that happens, there are a set of activities that happen on the back-end that will then watermark that data or encrypt it using the encryption technologies we have today,” Conway says.



Data Control in the Cloud

“Because this is a cloud service, we have visibility and control over that shared data,” he says.

Document owners can see where their documents go, and they can time-bomb a document if it is particularly sensitive, or remotely revoke access to the document. It also lets you track and log where the document has traveled, who has opened it or tried to, Conway says.

Identity-driven security is important because existing security perimeters are no longer sufficient now that today’s workforce is more mobile, as is data, says Mark Bowker, a senior analyst of mobility with the Enterprise Strategy Group.

“What is significant [about the Microsoft announcement] is users can do their own classification on their files. I think that it is interesting when you get the user doing self-administration of the data and the documents they are working on,” ESG’s Bowker says.

“I like the fact that it is not this classification of ‘alright, we have terabytes of data in the company and now we have to classify it,’” he says. It’s more about recognizing that there are documents used in a business process on a daily basis and some are more important than others.

Other enterprise file-sharing providers are looking to offer similar capabilities. But Microsoft has the advantage of its integration with Microsoft Office, tools that users are used to operating in, he notes. “When you can enable the policy at the data level, suddenly that opens up the door where people can use different devices knowing that data is still protected,” Conway says.

Microsoft Azure Information Protection will be available for public review in July and generally available by the end of the year.

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government.
