Azure Information Protection and Message Encryption

April 19, 2017   //   Cloud, Microsoft, Security

In our last few blog articles, we discussed ways that Azure Information Protection (AIP) allows data to be secured inside and outside the organization (read AIP – Manual and Automatic File Classification and AIP File Tracking and Security for more info). But even sending sensitive information or personal data via standard email protocols can be dangerous: SMTP offers by default only opportunistic TLS between mail servers, and the message then sits in plaintext in every mailbox and on every relay it passes through. Even more importantly, your end users will not always recognize the danger, and with the best of intentions some sensitive information will slip into an email.

There is now an easy solution if you are currently on Office 365 for email or are using Exchange Online Protection (EOP) for spam filtering. As an add-on to these services, Azure Information Protection includes a Message Encryption feature (Office 365 Message Encryption, or OME) that ensures sensitive messages are protected before they leave Microsoft's service. Because it hooks into the mail flow you already route through Microsoft, setup and configuration are straightforward: the only new pieces are the encryption rules themselves.

How does Message Encryption work?

Much like a spam filter, Message Encryption inspects every message leaving your email system and looks for specific keywords or content. Under the hood these are Exchange mail flow rules (transport rules) with an encryption action, so as with AIP the matching criteria are fully customizable: specific words, text patterns and built-in sensitive information types can be matched against the subject, the body and attachments. Social Security numbers, credit card numbers or simply the word “Secure” in the subject line are a few examples of what can be detected and encrypted automatically. Two practical caveats: conditions inside a single rule are combined with AND, so a keyword trigger and a pattern trigger usually belong in separate rules, and a keyword such as “Secure” only helps when users remember to type it, so pattern matching is the safety net for the cases where they do not.
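The rules described above, as an added example that is not part of the original article: two Exchange Online mail flow rules created from PowerShell, one keyed on built-in sensitive information types and one on the “Secure” subject keyword. It assumes you are already connected to Exchange Online PowerShell (for example with Connect-ExchangeOnline from the ExchangeOnlineManagement module) as an account that can manage transport rules; the rule names and comment text are my own.

```powershell
# Added example (not the article's own code): outbound mail flow rules that
# apply Office 365 Message Encryption. Assumes an existing Exchange Online
# PowerShell session with rights to manage transport rules. Rule names are
# arbitrary.

# Rule 1: encrypt when the body or an attachment contains a U.S. SSN or a
# credit card number, but only for recipients outside the organization.
# The Name values are Exchange's built-in sensitive information types.
# -ApplyOME is the legacy OME action this 2017 article refers to; the newer
# OME release uses -ApplyRightsProtectionTemplate "Encrypt" instead.
New-TransportRule -Name "OME - encrypt outbound SSN or card numbers" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";                minCount = "1" }
    ) `
    -ApplyOME $true `
    -Mode Audit `
    -Comments "Start in Audit mode, review matches, then switch to Enforce"

# Rule 2: encrypt when the sender opts in by putting "Secure" in the subject.
# This is a separate rule on purpose: conditions inside one rule are ANDed,
# so two rules are what give the OR behaviour (pattern OR keyword).
New-TransportRule -Name "OME - encrypt on Secure keyword" `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "Secure" `
    -ApplyOME $true `
    -Mode Enforce

# Verify what was created and the order in which rules are evaluated.
Get-TransportRule | Where-Object { $_.Name -like "OME - *" } |
    Select-Object Priority, Name, State, Mode

# Once the audit-mode rule shows the expected matches (and no surprising
# false positives), promote it to Enforce.
Set-TransportRule -Identity "OME - encrypt outbound SSN or card numbers" -Mode Enforce
```

Starting the pattern-based rule in Audit mode matters more than it looks: sensitive information types such as credit card numbers match on format plus checksum, and a false positive that silently encrypts routine mail to a customer is a support call you will hear about. Multiple values within one condition (several data classifications, several subject words) are ORed; it is only conditions of different kinds within the same rule that are ANDed.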

Once a message matches a rule, Office 365 encrypts it and holds the content in the service rather than sending it on in the clear. What travels across the Internet instead is a short notification email asking the recipient to open the message through a secure web portal (with the legacy service, the notification carries an HTML attachment that starts that sign-in). The recipient views and replies to the message inside the portal, which uses the familiar Outlook Web Access interface, and the reply returns through the same encrypted channel. Since all of this runs in Office 365, no additional on-premises hardware or software is needed.

What if the recipient is not an Office 365 or EOP user?

One of the key benefits of Microsoft's encryption service is that it integrates with Microsoft's Live ID system (now called a Microsoft account), so anyone can sign in and read their messages whether or not their organization uses Office 365. If the recipient doesn't have a Live ID or doesn't want to sign in, a one-time passcode can be emailed to them instead. Keep in mind what that protects: the content is encrypted in transit and in Microsoft's storage, but the one-time passcode is delivered to the same mailbox that received the notification, so anyone with access to the recipient's mailbox can still open the message. The service protects the message from the network path and from intermediate relays, not from a compromised recipient mailbox.

We have now finished discussing four of the five products in Enterprise Mobility + Security.  In our final blog, we will be reviewing the last component of EMS – Advanced Threat Analytics (ATA).