Azure Information Protection – File Tracking and Security

April 17, 2017   //   Cloud Microsoft Security

In our last EMS blog post, we discussed how to protect data with Azure Information Protection (AIP). But once data is protected, how do you ensure that only the right people are accessing it?  What if you want to share the document with only a select group of vendors or customers?  One of the added features of AIP is the ability to share your documents, track their usage, and revoke access when appropriate.

Sharing data and Tracking usage with Azure Information Protection

Just as with classification, sharing and tracking usage is part of the Azure Information Protection plugin in your Microsoft Office products.  To share a file, simply click on the Share Protected link and share out the document in a secure manner to vendors or customers.

Even if the recipient is not in your organization, once they receive the document they can use the standard applications (Word, Excel, Acrobat, etc.) to open it. When they open the document, they will be prompted for the AIP account information associated with their email address, and only the users the document was shared with will be able to open the file. If the recipient does not already have Azure Information Protection or Office 365, it is not a problem. They can create a free account that will allow them to access the data.

Once a document has been shared, the Track Usage option in the same drop-down menu lets you see who has viewed the document, as well as any failed access attempts. This lets you confirm that only authorized people are viewing the document. It also shows whether anyone else is trying to open it, whether that is someone you forgot to share it with or someone trying to break into the document.

What if I see suspicious activity in my document tracking, or I don’t want my document shared out anymore? What can I do to remove access?

If you want to block access to a shared document, you can do so by revoking access. Even though the document has been sent by others and copies are now available outside the organization, revoking access means that no one will be able to use that document, and it will remain locked for anyone who tries to access it. This is possible because the document is designed to check in with AIP every time someone tries to access it, and once access is revoked AIP will deny the request. Revoking access does not delete the file. You will still have the original copy, so you can modify the original and then redistribute it if necessary.

I’m an administrator. Can I see what documents have been shared and revoke them if they don’t meet our company policies?

Yes!  The Admin section of AIP allows administrators to track and revoke documents for others in the organization.

So far, we have discussed how to protect data, but what about encrypting the contents of an email?  In our next blog we will be discussing Message Encryption for securing your sensitive emails.