Friday, August 4, 2017

Starting the Azure Information Protection Conversation

While Azure Information Protection (AIP) may not be the most popular product in the EM+S product suite offered by Microsoft, it is certainly gaining ground because of its tracking and control capabilities over the movement of confidential and sensitive information externally and within an organization. Many organizations own EMS E3 or E5, which come with AIP, thus giving them the ability to manage the rights of documents and email, but the majority of them aren’t using this technology.

Demonstrations of AIP’s technology are amazing, and it’s exciting to see the possibilities with tight control over organizational data. In the haste to turn on the technology however, many AIP implementations stall, fail or just don’t get utilized. Why? It’s simple – the business conversations get bypassed.

Introducing rights management concepts and capabilities that AIP brings to an organization is a challenge because of the prerequisites necessary before getting started with AIP – namely Data Classification and Data Labeling. Since conversations surrounding these two areas are business oriented, communication tends to break down because IT is focused on the technology, and there is nobody to broker the conversation with the business.

Since data classification and data labeling are two keys to understanding how AIP will be architected let’s take a look into how these conversations will set the stage for making an AIP roll out as smooth as possible.

Data Classification and Data Labels 

When I think of data classification, I think of one of the federal government’s highest classification schemes – Top Secret. Most people have at least heard this phrase or have seen references to this in the movies. Do you know what Top Secret means? You likely have a really good idea – it’s a very high level of sensitivity of information, only allowed to be viewed by individuals with a “Top Secret” clearance, or higher clearance. The “Top Secret” designation is the data label, which is applied to documents, emails, etc. and the classification is the understanding of what information falls into this category. Regulated entities typically have classification schemes already defined. Healthcare has PHI (Protected Health Information) and banks have NPI (Non-Public Information). Each of these labels have regulations and standards defining what falls within those classifications and how to handle the data.

 Another good example of classification is “Internal Use Only”. The classification indicates that documents with this label are to only be used internally and viewed by individuals within the organization.

I’ve been involved in many data classification projects with my clients, where we help them determine sensitivity of a particular data set and what protections should be placed on them. Most regulated organizations understand what data classification is, but even unregulated companies have an understanding of what data constitutes the “crown jewels” and we likely know where it resides. This is certainly a prerequisite for an AIP implementation.  

In a typical AIP alignment workshop, the workflow looks as follows:

Within this workflow, we start by looking at any existing corporate data classification methodologies currently in place. We can either discover this by doing a data analysis and strategy session with management, or it can start by exploring the regulatory requirements placed on the organization. As pointed out earlier, most regulated organizations have data classification standards already defined, but, as we will see, some of them may need to be enhanced and there may be cases for adding additional labels.

The next step is to look at the controls AIP can place on documents, email, SharePoint and OneDrive repositories. As we explore the AIP control-set, there will inevitably be additional ideas on how information can be protected. Here is a breakout of possible controls within AIP:

A common question we are asked with projects like this is: What we do with all of the other controls we have over data and how they will be used as a complimentary control-set, or as back-stop controls. Once AIP is implemented with the data labeling and categorization defined, there will never be 100% adoption unless you are on the P2 licensing where you can automate the classification and labeling of documents meeting certain criteria. With the P1 license, you will be relying on the user population to take the necessary steps to label each of their emails and files accordingly. This supports the need to keep many of the backstop controls listed below, in place:

Implementing AIP is not as easy as flipping the switch. A real AIP project will consist of pre-implementation planning and road-mapping. AIP is usually piloted at an organization, and training for the new capabilities is essential for the project to be a success. If you are thinking about AIP, or other components of the EM+S product suite, let me know how I can help!

No comments: