For any team that is tasked with managing the security of an organisation, making sure staff adhere to best practice can often be a challenge. If you’ve moved to the cloud, or in the process of moving to Office 365 there is one key requirement: to make sure your critical data is protected and secure. To do this technology must be in place that is; a) able to secure and encrypt sensitive files, documents and emails that are sent both internally and externally; and b) able to ensure that staff are guided to always protect corporate data and reduce data leak risks with automated tools with suggestions for labelling and securing files.
Currently, Office 365 can deliver multiple encryption options with the ability to meet an organisation’s requirements for email security. In this article we’re going to evaluate Office 365 Message Encryption (OME) and Azure Information Protection (AIP) – both online services that are built on Microsoft Azure Rights Management (Azure RMS).
What is Azure Information Protection (AIP)?
Azure Information Protection (AIP) is a cloud-based Azure service that helps organisations to protect, label and classify documents and emails within on-premises, cloud or hybrid environments. Actions can be undertaken automatically by IT admins, who can set rules for data, or manually by users. AIP also allows for a combination where users can be given recommendations by IT Admins.
Document classification and labelling with AIP
Azure Information Protection has a variety of classification options that range from watermarking right through to automatic classifications of header/footers within documents. Depending on the level of AIP package within Office 365, users can assign a variety of pre-defined or custom classifications within any given document.
Rules can be automatically applied to documents and emails reducing the risk of human error. Rules can be applied by meeting content criteria or simply applying rules to all outgoing email to a specific domain. In addition, AIP allows the classification of documents directly from File Explorer. This is a very useful feature for users and admins who wish to classify large quantities of existing files and/or documents.
Enhanced protection of documents and emails
Within AIP, email protection includes encryption, identity and authorisation policies set by the administrator to meet specific business requirements and compliance. Protection settings will also remain with the document/email whether it’s sent internally/externally. The technology itself adds an extra layer of security, encryption, expiration rules and forward or reply all prevention to ensure your critical data is always protected.
These protection settings can be part of the label configuration so that users both classify and protect documents and emails simply by applying a label. However, the same protection settings can also be used by applications that support protection, but not labelling. For these applications and services, the protection settings become available as Rights Management templates instead.
What is Office 365 Message Encryption (OME)?
Office 365 Message Encryption, or OME, is an online service built on Azure RMS, that makes up part of Azure AIP. This service enables Office 365 administrators to create and define mail flow rules using Azure RMS templates to automatically determine specific conditions for the encryption of mail.
Flexible mail flow rules
The control admins have over mail flow is incredibly flexible. Mail flow rules can be applied in a very granular level, allowing the split of rules between different departments within an organisation. Rules can also be combined to meet specific security requirements within a single mail flow rule. Each of these rules, in turn, determines under what conditions emails should be encrypted at.
External emails are protected to the highest level whilst maintaining a consistent user experience
One of the primary benefits of OME is that protected emails sent to external parties remain secure and CAN be read on any device. Protected or encrypted emails sent to external parties can be opened from any device; improving collaboration with clients, partners and third parties. This means that even if the user cannot view the email within a native email client, or are not running the Office suite, protected emails can still be opened via a web browser or other applications.
Admins can also track the access to files that are sent to external parties. There is also the option to manually revoke access should there be a need to do so.
Ultimately, by formalising classifications through AIP and OME, organisations have greater visibility into the various rules and permissions set up on an Office 365 tenant; improving their ability to respond to compliance audits.
Tips for managing the on-going security of your data and Office 365 environment
Always start by creating a test environment. Make sure that you can demonstrate a set-up and config of AIP/OME within a test environment. By doing so you will be able to visualise how the tech can make an impact on the security of your sensitive data. It will also allow you to bug test and sanity check your configurations, classifications and labelling. (You’d be surprised by the amount of times we see this not done.)
When setting up rules, document them and maintain the integrity of these settings. Make sure you are testing permissions thoroughly with within a test environment or a control group before deploying to full production. When rolling out any new policy or technology, undertake UAT. This technology does need some level of user interaction and the end-user will need an understanding for this to work effectively.
Make sure that you are continually troubleshooting any issues found with labels or classifications. You must ensure that you are taking an agile approach to make adjustments quickly if end-user requirements or policies change. Keep logs. Analyse usage trends for audit purposes or identify if there is a requirement for further training to ensure maximum user adoption.