IT Connect
Information technology tools and resources at the UW

Azure Information Protection

Azure Information Protection (AIP) provides data encryption and protection capabilities leveraging cloud-issued, short-lived access keys with support across a broad set of client platforms. It may require additional purchase.

Background

AIP was previously called Azure Rights Management Services (RMS), and some of the capabilities are still called RMS.

AIP is a foundational technology that enables a variety of other Microsoft features like Office 365 Message Encryption (OME), Office 365 Data Loss Protection (DLP), and others.

Use

With AIP, a customer can protect files or other resources by encrypting each object individually. The file can be stored anywhere, but the ability to open it is controlled by AIP and the access controls specified for it. This means that system administrators of the file storage (or even people with physical access to it) cannot read the file. This technology provides protection against most breach scenarios and is excellent for confidential data. Because opening a file requires an access token issued by Azure AD, you must have internet connectivity to access an AIP-protected file. Because all access is brokered through a centrally issued token, there is definitive auditing and tracking of AIP-protected files, and you can easily revoke access to a given file regardless of where it is stored.

The technology provides enterprise data recovery options so when access to a given file is lost, highly trusted individuals can recover the file. To exercise recovery of an AIP protected file, UW-IT uses an approval process that has been established by the Washington state Attorney General’s Office.

Because Azure Information Protection is embedded in other product features, there are several general scenarios where it might be in use:

  • Use directly via the Azure Information Protection client. Users apply labels to files, which trigger application of policies that protect the file.
  • Use indirectly via Office 365 features like OME or DLP. Users apply policies which Office 365 administrators have determined are commonly needed.
  • Use indirectly via bulk classification/labeling engines. System administrators for a file server might apply rules which result in protection of files.

Because access to AIP-protected files or resources requires internet access, choose which files to protect with some thought and care; anyone who might need to open an AIP-protected file should be prepared for that requirement.
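A practical first step before deciding which files to protect is to inventory what is already labeled or RMS-protected on a share. The following is an added example written for this page, not a script from IT Connect or Microsoft. It assumes the Microsoft AIP client is installed (which provides the AzureInformationProtection PowerShell module and its Get-AIPFileStatus and Set-AIPFileLabel cmdlets), that you have already signed in so the module can obtain an Azure AD token, that the folder path is a constructed sample, and that the label GUID is a placeholder to be replaced with one published to your tenant.

```powershell
# Added example (not from the IT Connect page or the AIP client documentation).
# Requires the AzureInformationProtection module installed by the Microsoft AIP client.
Import-Module AzureInformationProtection

function Get-AipProtectionReport {
    param(
        [Parameter(Mandatory)] [string] $FolderPath
    )
    # Get-AIPFileStatus reads each supported file's label and RMS protection state
    # without modifying the files. Property names are those the cmdlet returns.
    Get-AIPFileStatus -Path $FolderPath |
        Select-Object FileName, IsLabeled, MainLabelName, IsRMSProtected,
                      RMSTemplateName, RMSOwner, RMSIssuedTime
}

function Get-UnprotectedFiles {
    param(
        [Parameter(Mandatory)] [string] $FolderPath
    )
    # Files that are not RMS-protected are readable by anyone with storage access,
    # so these are the candidates to review against your data classification.
    Get-AIPFileStatus -Path $FolderPath | Where-Object { -not $_.IsRMSProtected }
}

# Constructed sample path; replace with the share you are reviewing.
$share = 'C:\Share\Confidential'

$report = Get-AipProtectionReport -FolderPath $share
$report | Format-Table -AutoSize

'Files without RMS protection:'
Get-UnprotectedFiles -FolderPath $share | Select-Object -ExpandProperty FileName

# To apply a published label whose policy protects the file, use the label's GUID
# from your tenant (the value below is a placeholder, not a real label id):
# Set-AIPFileLabel -Path "$share\budget.xlsx" -LabelId '00000000-0000-0000-0000-000000000000'
```

Run the report first and review the unprotected list before labeling anything: once a file is protected, every reader needs internet connectivity and an Azure AD token to open it, so confirm the intended audience can meet that requirement.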

More Info

If you are interested in this technology, please send an email to help@uw.edu.

Additional planned topics for future documentation include:

  • Existing AIP policies and what controls they apply (short version: default policies at this time)
  • Platforms AIP supports (short version: MS documents this and the support is very broad)
  • How to get the direct AIP option