Data Classification and Protection with Azure Information Protection (AIP)

To support the Data Classification and Data Governance Policy for protecting the University’s digital information, an information protection system based on Azure Information Protection (AIP, formerly Rights Management Service, RMS) has been implemented to protect digital information according to its defined data class.

Available to

Departments

Service Charge and Application

Free; no application required

Service Availability

Office hours

Support

Please submit to ITSC Service Desk, Information Security > General Enquiry or Azure Information Protection (AIP)

 

1. Policy Background

The University endorsed the Data Classification and Data Governance Policy in Aug 2016, which aims to protect the University’s digital information from access by unauthorized persons. The policy paper proposes a comprehensive framework with 3 components:

  1. Data Classification Standard – defines the confidentiality level of data
  2. Data Governance Policy – defines the accountabilities and decision rights of people
  3. Enforcement of data protection with Azure AIP – enforces the data security policies that protect each data class

 

2. Azure Information Protection (AIP) Implementation

Introduction

Azure Information Protection (AIP, formerly Rights Management Service, RMS) is a data protection solution that helps you classify, label and protect documents according to the confidentiality level of the information.  Once a document is classified and labelled, the corresponding predefined security policy is applied immediately to protect the document and restrict access by unauthorized persons.  The document owner can also monitor access to the document and revoke access at any time if misuse is found.

Implementation Scope

Includes:

  • Microsoft Office (and AIP Client)
  • Exchange Online (including OWA for Exchange Online)

Supported Platforms

  • Windows 7, 8, 10
  • Mac OS
  • iOS
  • Android

 

3. User Manuals and Briefing Sessions
4. Installation Files

Download the installation file “AZInfoProtection.exe” (Windows only) from the Microsoft website at https://www.microsoft.com/en-us/download/details.aspx?id=53018.

Remarks: For central deployment, you may download the MSI file “AZInfoProtection_MSI_for_central_deployment.msi” instead.

 

5. FAQ

General

Q1: Can AIP-encrypted MS documents be opened and edited in O365 on the web or on mobile (Office 365 mobile apps for Android, Office 365 mobile apps for iOS)?

A1: On the web, AIP-encrypted MS documents cannot be opened or edited in the Office 365 web apps. Instead, you will be prompted to open the document locally (i.e. with the local MS Office applications). After you edit and save, the document is automatically synced back to online storage such as OneDrive for Business or SharePoint Online.

On mobile, AIP-encrypted MS documents can be opened and edited with the Android and iOS Office apps (Word, Excel, PowerPoint) developed by Microsoft.

 

Q2: For emails encrypted with AIP (via Outlook), can recipients open and read them on Android and iPhone using the built-in mobile mail app rather than the MS Outlook app?

A2: Protected emails appear as an attachment with the extension .rpmsg. You can open the message with the AIP Viewer app. When you reply to such an email, (1) the conversation history is not included in the reply message, and (2) the reply message is no longer encrypted or protected by AIP.

 

Q3: Can AIP be applied to a standalone forest (department AD) for the Data Governance Policy? We have our own Windows AD; is it necessary to join the University AD?

A3: Currently, the University does not have any policy that mandatorily requires a department AD to be joined to the University’s AD. However, when sourcing solutions to support departments in implementing IT policies, department-managed IT resources may not be fully covered or supported, owing to various factors.

To support the Data Classification and Data Governance Policy, the implementation of AIP can help protect digital information according to its defined data class. Departments with their AD joined to the University’s AD enjoy benefits such as:

  • A single account and credential to sign in to Office 365 and access AIP-protected documents. The user experience is simpler, users do not need to remember multiple accounts when accessing department and University resources, and desktop support by the LAN admin is easier as well.
  • AIP configurations managed and updated by ITSC. ITSC tracks changes in the Data Classification and Data Governance Policy and manages the corresponding changes in the AIP configuration, so that AIP changes are tested and deployed to keep AIP compliant with the policy.

 

Q4: The table below is extracted from the AIP User Guide. Does ‘Offline Access’ mean that users can access a confidential file without a password on their mobile device for, say, 7 days?

Classification Label: Confidential – All Staff
  Permission Granted: Editable by All CUHK Staff. Permission includes: View, Edit, Save, Save as, Export, Copy, Print, Reply, Reply all, Forward
  Encryption: Yes
  Visual Markings: Header & Footer in both MS Office files and emails
  Offline Access & Expiry Date: Allow 7 days offline access; No expiry date

Classification Label: Strictly Confidential – All Staff
  Permission Granted: Viewable by All CUHK Staff. Permission includes: View, Reply, Reply all
  Encryption: Yes
  Visual Markings: Header & Footer in both MS Office files and emails; Watermark in MS Office files
  Offline Access & Expiry Date: Allow 1 day offline access; No expiry date

A4: Offline access is an AIP feature that balances security and convenience. Simply put, after each authorization against the AIP cloud service, users can access the protected document on that particular device for, say, 7 days without re-authorization. Within those 7 days the device can be offline, with no internet connection or O365 login, and still open the document. The detailed workflow is as follows:

  1. On first use of the AIP client, or on first access to an AIP-protected document, users are prompted to enter their username and password for authentication.
  2. The authentication credential is cached for a period of time in the AIP client or Microsoft Office, so users only need to enter the password once until the cache expires or the password is changed.
  3. Authorization is performed against the AIP cloud service whenever the user does not hold a valid token for a document.
  4. The authorization token for that document is cached on the user’s device for a number of days (the offline access setting).
  5. If offline access is not set, authorization is required EVERY time the user opens the document. This requires an internet connection to the AIP cloud service.
  6. If offline access is set to a very large value, a permission revocation cannot take effect promptly: the device keeps opening the document until the cached authorization token expires.
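The following is an added, constructed model of the token-cache behaviour described in steps 3 to 6 (it is not AIP’s own code; document ids, timestamps and outcome strings are assumptions). It shows why a revocation made on day 2 is only honoured by an offline device on day 7 for the Confidential label, but on day 1 for Strictly Confidential.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Offline-access windows of the two default labels in the table above.
OFFLINE_DAYS = {"Confidential": 7, "Strictly Confidential": 1}


@dataclass
class DocumentState:
    """Service-side view of one protected document (the AIP cloud service)."""
    label: str
    revoked: bool = False


@dataclass
class DeviceCache:
    """Per-device cache of authorization tokens: document id -> token expiry."""
    tokens: dict = field(default_factory=dict)


def open_document(doc_id: str, doc: DocumentState, cache: DeviceCache,
                  now: datetime, online: bool) -> str:
    """Outcome of one attempt to open the document on this device."""
    expiry = cache.tokens.get(doc_id)
    if expiry is not None and now < expiry:
        # Step 4: a cached, unexpired token is honoured without contacting the
        # service, so a revocation made meanwhile is not yet seen (step 6).
        return "opened-from-cache"
    if not online:
        # Step 5: with no valid token, authorization needs the cloud service.
        return "denied: no valid token and device is offline"
    if doc.revoked:
        return "denied: access revoked"
    # Step 3: authorize online and cache a token for the label's offline window.
    cache.tokens[doc_id] = now + timedelta(days=OFFLINE_DAYS[doc.label])
    return "opened-after-authorization"


def scenario(label: str, revoke_after_days: int, checks: list) -> list:
    """Constructed walk-through: authorize on day 0, the owner revokes access on
    day `revoke_after_days`, then opens are attempted at (day, online) points."""
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    doc, cache = DocumentState(label), DeviceCache()
    outcomes = [open_document("doc-1", doc, cache, t0, online=True)]
    for day, online in checks:
        if day >= revoke_after_days:
            doc.revoked = True
        outcomes.append(open_document("doc-1", doc, cache, t0 + timedelta(days=day), online))
    return outcomes


def revocation_lag_days(label: str, revoke_after_days: int) -> int:
    """Worst-case days after revocation during which an offline device that
    authorized on day 0 can still open the document."""
    return max(OFFLINE_DAYS[label] - revoke_after_days, 0)
```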

 

Q5: If the original owner of an AIP-protected file has left the University, can we still access the file or update the file owner?

A5: Even if the original owner has left the University, the file remains accessible to authorized users. If the file owner needs to be updated, the department should submit a request to ITSC Service Desk, Information Security > General Enquiry / Azure Information Protection (AIP), or contact infosec@cuhk.edu.hk to arrange the update.

Installation

Q1: My computer is AD-joined and AIP is installed by software assignment through AD Group Policy. After the software assignment and a reboot of my computer, I cannot find the AIP client.

A1: The installation of AIP starts after your computer is rebooted, and the process is so transparent that you may not notice anything happening. The installation takes a few minutes to finish. Once it is successfully installed, ‘Azure Information Protection Viewer’ appears on the Windows START menu.

Usage

Q1: My colleague sent me an AIP-protected email and I can’t open it in Outlook; it prompted:

 

I clicked Yes, and it showed me that I was already signed in:

I clicked on the current account and this pop-up window closed, but I still failed to open the email. However, when I used web OWA, I could open the email. I don’t know whether I have something misconfigured.

A1: We have seen the same symptom before on AD-joined computers, where Office signed in automatically with the on-premises AD account rather than the O365 account through ADFS. Please sign out of your MS Office application (in the menu, File > Account > Sign out), and then sign in again.

 

Q2: My colleague sent me an AIP-protected email and I can’t open it in my Outlook; it prompted:

A2: Please check whether the email can be read using OWA (direct link: https://outlook.office.com/owa/). If it is readable in OWA, the permissions are correct. Please sign out of MS Outlook, and then sign in again.

 

Q3: We were told that protected emails sent to @cuhk.edu.hk have no expiry, meaning they are always readable, whereas protected emails sent to other domains (such as a departmental email address or an external email address) are only readable for 60 days by default, and this default setting cannot be amended. How should we interpret this?

A3: Please interpret it as follows:

  • The default labels (Confidential / Strictly Confidential) protect emails and allow access by accounts in the @cuhk.edu.hk domain only.
  • If a protected email is sent to @cuhk.edu.hk directly, there is no expiry date and it is always readable.
  • If a protected email is sent to @cuhk.edu.hk and then forwarded to @dept.cuhk.edu.hk, the user needs to access it through the link to the web portal and log in with the @cuhk.edu.hk account, with a 60-day expiry.
  • If a protected email is sent to @dept.cuhk.edu.hk directly, there is no way to read it.

 

Q4: Can I send protected emails or share protected documents with students?

A4: AIP is for CUHK staff (using their personal @cuhk.edu.hk account) to apply protection to their emails or documents. You can use “custom permissions” to share protected documents with other users (such as students) by specifying the students’ email addresses in the designated dialogue box.