CIO

New Microsoft service puts a leash on documents on the web

Microsoft has launched a new security service that adapts data leakage prevention to the cloud.

Azure Information Protection is, in Microsoft’s view, data loss prevention (DLP) on steroids, and one that the Redmond company claims is better built for the organisation with porous borders. In other words, any organisation that uses the cloud.

The service combines Microsoft’s Azure Rights Management (ARM) with data protection technology it gained through its acquisition of Israel-based Secure Islands late last year, which it said would bolster the DLP-related data classification capabilities already built into Windows and Office 365.

Microsoft announced on Wednesday that it will roll out a public preview of Azure Information Protection by July, showcasing its integration of Secure Islands’ technology and Microsoft’s ARM.

“This new approach delivers data protection, as well as innovative and intelligent new detection capabilities for security teams, while retaining great productivity experiences for people at work,” Microsoft said in a blog post.

Microsoft wants to make employee identity the root of protecting information assets, whether they’re in the cloud, on mobile devices, or in apps.

While Office 365 already assesses what corporate data to protect, the new service will help organisations protect the document itself, even after the document has moved beyond the corporate firewall.

As with DLP, organisations will still need to define what is sensitive and what is not, but Microsoft is going to help label the content, with a focus on the most sensitive documents. It aims to strike a balance between end-user convenience and burdens on admins as users navigate anti-leak protections.

It will also automate processes to protect documents whether they’re inside or outside the organisation. Once restrictions on a document are narrowed down, admins will have tools to monitor for use or abuse.

Additionally, users will have the option to select whether a document is “confidential” or “secret” and restricted to the finance department. If the document has been marked as the latter, the rules for it will stay with the document beyond the firewall.

Key capabilities that Microsoft says the service will deliver include:

  • Classify, label and protect data at the time of creation or modification. Use policies to classify and label data in intuitive ways based on the source, context and content of the data. Classification can be fully automatic, user-driven or based on a recommendation. Once data is classified and labeled, protection can be applied automatically on that basis.
  • Persistent protection that travels with your data. Classification and protection information travels with the data. This ensures that data is protected at all times, regardless of where it is stored, with whom it is shared, or if the device is running iOS, Android or Windows.
  • Enable safe sharing with customers and partners. Share data safely with users within your organization as well as with external customers and partners. Document owners can define who can access data and what they can do with it; for example, recipients can view and edit files, but they cannot print or forward.
  • Simple, intuitive controls help users make the right decisions and stay productive. Data classification and protection controls are integrated into Office and common applications. These provide simple one-click options to secure data that users are working on. In-product notifications provide recommendations to help users make the right decisions.
  • Visibility and control over shared data. Document owners can track activities on shared data and revoke access when necessary. IT can use logging and reporting to monitor, analyze and reason over shared data.
  • Deployment and management flexibility. Protect data whether it is stored in the cloud or on-premises, and choose how your encryption keys are managed with Bring Your Own Key options.