Microsoft is set to offer a new cloud-based service that lets businesses classify, label, and protect data at the time of creation or modification. That protection then stays with the data at all times, regardless of where it is stored, with whom it is shared, or whether the device runs iOS, Android, or Windows, according to Microsoft.
The new Microsoft Azure Information Protection builds on and integrates both Microsoft Azure Rights Management (Azure RMS) and data classification and labeling technology from Secure Islands, which Microsoft acquired last December. The new service is a component of Microsoft's Azure cloud computing platform.
The new service aims to better protect information that travels beyond the boundary of the corporate network and across many devices outside of a company's control.
“At its core we are solving a central challenge for businesses and organizations around how they share sensitive information,” says Andrew Conway, senior director of enterprise mobility product marketing with Microsoft. “How do they do that in a way that they can be clear that the data is secure not just within their own organizations,” but also as the data is accessed by employees and business partners remotely.
In the past, organizations typically established point-to-point relationships with a particular partner to securely exchange information, but that was cumbersome to manage. "This is where identity is critically important," Conway says. "Microsoft has made a huge investment in running a cloud directory service, a cloud identity system, at scale in the Azure cloud. That is enabling companies to connect to that cloud and share information securely."
Under-Protecting or Over-Protecting
Organizations often wrestle with how to determine the level of security of specific data. "Organizations struggle with understanding which information is in need of protection (encryption, for instance) versus what is just information that is personal to their employees or regular information for the business that they don't need special controls around," Conway says.
As a result, companies are either under-protecting things or encrypting everything. “So the ability to classify information before you encrypt it is super important,” Conway says.
Azure RMS encrypts data from the moment it is created. As a file or email is created, that data is encrypted and a set of permissions travels with it. The encryption and permissions apply to the data no matter where it goes; if the data is sent to someone outside the organization, or that person opens it with a different application, the permissions still apply.
For example, a manager can have data classified automatically based on what a file contains, such as a credit card number or social security number. Or they can let their employees classify data. The creator of the document can decide whether some data is personal, confidential, or secret. "When that happens, there are a set of activities that happen on the back-end that will then watermark that data or encrypt it using the encryption technologies we have today," Conway says.
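An added illustration of the classify-then-protect rule the two paragraphs above describe (example code written for this page, not Microsoft's or the product's own; the three label names, the simplified SSN and card-number detectors, the Luhn check, and the label-to-action mapping are all assumptions):

```python
import re
from enum import IntEnum

# Constructed three-level scheme mirroring the article (personal < confidential < secret).
class Label(IntEnum):
    PERSONAL = 0
    CONFIDENTIAL = 1
    SECRET = 2

# Assumed policy: back-end action per label (the article mentions watermarking and encryption).
ACTIONS = {
    Label.PERSONAL: [],
    Label.CONFIDENTIAL: ["watermark"],
    Label.SECRET: ["watermark", "encrypt"],
}

# Constructed, simplified stand-ins for content detectors (SSN format rules, 13-16 digit card runs).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order ids or timestamps of the same length are not mislabelled as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_numbers(text: str) -> list[str]:
    """Digit runs of 13-16 that also pass Luhn; spaces and dashes are stripped first."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found

def classify(text: str, author_label: Label = Label.PERSONAL) -> tuple[Label, list[str]]:
    """Content rules set a floor; the creator may raise the label but not lower it (assumed policy).
    Returns the final label and the protection actions the back end would apply."""
    auto = Label.PERSONAL
    if SSN_RE.search(text):
        auto = Label.CONFIDENTIAL
    if card_numbers(text):
        auto = Label.SECRET
    final = max(auto, author_label)
    return final, ACTIONS[final]

if __name__ == "__main__":
    # Constructed sample document text
    doc = "Payroll note: employee SSN 123-45-6789, corporate card 4111 1111 1111 1111 expires 12/27."
    print(classify(doc))  # (<Label.SECRET: 2>, ['watermark', 'encrypt'])
```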
Data Control in the Cloud
“Because this is a cloud service, we have visibility and control over that shared data,” he says.
Document owners can see where their documents go, and they can time-bomb a document if it is particularly sensitive, or remotely revoke access to the document. It also lets you track and log where the document has traveled, who has opened it or tried to, Conway says.
Identity-driven security is important because existing security perimeters are no longer sufficient: today's workforce is more mobile, and so is its data, says Mark Bowker, a senior analyst of mobility with the Enterprise Strategy Group.
“What is significant [about the Microsoft announcement] is users can do their own classification on their files. I think that it is interesting when you get the user doing self-administration of the data and the documents they are working on,” ESG’s Bowker says.
“I like the fact that it is not this classification of ‘alright, we have terabytes of data in the company and now we have to classify it,’” he says. It’s more about recognizing that there are documents used in a business process on a daily basis and some are more important than others.
Other enterprise file-sharing providers are looking to offer similar capabilities. But Microsoft has the advantage of its integration with Microsoft Office, tools users are already accustomed to working in, he notes. "When you can enable the policy at the data level, suddenly that opens up the door where people can use different devices knowing that data is still protected," Conway says.
Microsoft Azure Information Protection will be available for public review in July and generally available by the end of the year.
Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government.