Microsoft AIP Validates the Data-Centric Security Approach


2019 – The Shift to Data-Centric Security

Earlier this year Microsoft made an announcement that marked a significant shift in its approach to protecting sensitive data with Azure Information Protection (AIP). The announcement validates that now is the time for enterprises to embrace data-centric security solutions in the fight to protect data from the external attackers and insider threats that continue to plague enterprises worldwide.

So, why was their announcement significant?

On the surface, the announcement itself wasn’t anything ground-breaking: new subscription packages for products that were previously only available in the highest-priced M365 or O365 subscriptions. One of the packages included Azure Information Protection (AIP), which is Microsoft’s base entry into the data-centric security world. However, AIP itself isn’t the driver for the shift. It wasn’t the first solution of this type to market, and although Microsoft continues to work on it, AIP isn’t currently the most feature-rich or flexible solution available. The announcement marked a shift because it signals that Microsoft is throwing its hat into the data-centric security ring. For vendors like Nucleus Cyber this provides a level of validation that it is time to consider adding a data-centric solution to your cybersecurity arsenal.

If you don’t think of Microsoft as a security leader, think again. In 2002 Microsoft launched its Trustworthy Computing initiative, and it has since evolved into the broad range of cybersecurity products and services available today. Microsoft invests over $1B annually in security, protection and risk management which, if nothing else, funds its very cool, movie-set-like Cyber Defense Operations Center. Some insiders have joked that Microsoft is the biggest cybersecurity company that nobody has heard of. Its foray into data-centric security signals a market shift in how best to protect sensitive information in an age of digital collaboration.

Why Data-Centric Security?

I’ve previously talked about data-centric security, but it’s worth a brief recap. The traditional approach, both in our personal lives and within IT, was to select or create a special location in which to store things of value. The next step in securing those valuables is usually to put a lock on that location and give only certain people a copy of the key. If location-based security were an effective strategy, we’d see huge reductions in, for example, the number of vehicles and other items stolen from garages. The same is true for IT: believing that we protect our data by creating secure information silos is a strategy destined to fail, because the data does not stay in the silo once people start to collaborate on it.

A recent survey of collaboration tool users highlights the risks of a traditional location-based data security strategy:

  • 24% of respondents were aware of their organization’s IT security guidelines but don’t follow them
  • 27% knowingly connect to an unsecured network
  • 25% share confidential information through collaboration tools including Skype, Slack, and Microsoft Teams

Data-centric security is built with collaboration in mind. The security, protection and control focus on the data itself rather than the location in which it currently resides. And note that I said security, protection and control: solutions of this type provide much more than just preventing the wrong person from gaining access to data; they also govern what an authorized person can do with it.

In a collaboration scenario this means that with a data-centric approach we can technically enforce information governance policies that previously relied solely on users knowing and following them. Where we previously added “Confidential – Do Not Share” to the footer of a document, we can now implement solutions that actually prevent a user from sharing it. The user is still able to access the file themselves and therefore continue to get their job done.

The Flexibility of Data-centric Security

A data-centric approach respects the boundaries and capabilities of the data repository. But it also recognizes that protection must be applied while a file is in transit during the collaboration and sharing process, because that is where the data leak risk profile changes. The key to the approach is recognizing that both the content within the file and the context of the user accessing the file must be used to determine the type of access and protection that is needed.

When the sensitivity of the content changes over time, the protection must identify when this occurs and dynamically adapt the access or usage rights accordingly. The same is true for users. The policies and systems must recognize that users need access across a variety of devices and locations, and the protection mechanisms must be dynamic enough to recognize the user’s current context and make the appropriate adjustments on the fly.

Different users will be allowed different usage rights: some will have full control to edit the file and share it as they see fit, while others may only be allowed to view it. The same file accessed by the same user can also receive different protection based on device or location. In the office, allow the file to be fully opened on the local machine in Word, etc.; from a coffee shop or a mobile device, only allow the file to be viewed within a secure browser.

AIP is a start but…

While AIP is undoubtedly a good first step, there are drawbacks to the “out of the box” implementation that may make it fall short for customers who need a full data-centric solution. Microsoft’s own guidance states that, because of how AIP applies protection to files, it is not recommended for all customers. Several key O365 functions – namely Search, eDiscovery, Delve and other collaborative features – no longer work on AIP-protected content, because the services behind them cannot read the encrypted files. With AIP on its own you are often forced to choose between the level of security and the amount of collaboration that is allowed.

Luckily, as I mentioned earlier, data-centric security solutions do not start and stop with AIP. Our NC Protect solution can use certain elements of AIP, such as its classification labels, to determine what protection should be applied. We then apply the protection “in transit”, in other words at the time of access. AIP and similar solutions apply the protection “at rest”, locking the file to only the users allowed by the policy, which will not include the various services powering many O365 features, hence the loss of Search, eDiscovery, etc. for those files. With NC Protect these limitations are removed.

This is just one example of NC Protect augmenting AIP base features and working together to give customers the best of both worlds – all the collaboration features but with the security, classification and protection that their business policies demand.
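To make the label-plus-context decision described above concrete, here is an added example in Python. It is not code from AIP, NC Protect or Nucleus Cyber. It reads the sensitivity label name that AIP writes into an Office file’s docProps/custom.xml as custom properties named MSIP_Label_<guid>_Name and MSIP_Label_<guid>_Enabled (the GUID and the XML snippet below are constructed), then applies a hypothetical context-aware policy of the kind the “Flexibility” section calls for: the same file for the same user yields full control on a managed device on the corporate network but view-only in a secure browser from a public network. The group names, the label ranking and the rules themselves are assumptions for illustration, not anyone’s product policy. Note the at-rest caveat from the previous section: if the label also applied encryption, the ZIP container holding custom.xml is itself wrapped in an encrypted stream, so this parsing step only works on labelled-but-unencrypted files or after the file has been decrypted by an authorized service.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple

# Constructed sample of docProps/custom.xml as written into an AIP-labelled
# Office file. The label GUID is made up; real files carry the label's own ID.
SAMPLE_CUSTOM_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
            xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
  <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2"
            name="MSIP_Label_11111111-2222-3333-4444-555555555555_Enabled">
    <vt:lpwstr>true</vt:lpwstr>
  </property>
  <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="3"
            name="MSIP_Label_11111111-2222-3333-4444-555555555555_Name">
    <vt:lpwstr>Confidential</vt:lpwstr>
  </property>
</Properties>
"""

NS = {
    "cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
    "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes",
}
LABEL_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")


def read_aip_label(custom_xml: str) -> Optional[str]:
    """Return the name of the enabled AIP label, or None if the file is unlabelled."""
    root = ET.fromstring(custom_xml)
    labels: Dict[str, Dict[str, str]] = {}
    for prop in root.findall("cp:property", NS):
        match = LABEL_RE.match(prop.get("name", ""))
        if not match:
            continue
        value = prop.find("vt:lpwstr", NS)
        labels.setdefault(match.group(1), {})[match.group(2)] = (value.text or "") if value is not None else ""
    for fields in labels.values():
        if fields.get("Enabled", "").lower() == "true":
            return fields.get("Name")
    return None


class Right(Enum):
    NONE = 0             # access denied
    VIEW_IN_BROWSER = 1  # read-only in a secure browser, no download
    VIEW = 2             # read-only in the native application
    EDIT = 3
    FULL_CONTROL = 4     # edit and re-share


@dataclass(frozen=True)
class AccessContext:
    user: str
    groups: frozenset          # hypothetical directory groups the user belongs to
    device_managed: bool       # device is enrolled and compliant
    network: str               # "corp", "home" or "public"


# Hypothetical sensitivity ranking and label "owner" groups (assumptions, not AIP's).
RANK = {"Public": 0, "Internal": 1, "Confidential": 2, "Highly Confidential": 3}
LABEL_OWNERS = {"Confidential": "finance", "Highly Confidential": "executives"}


def decide(label: Optional[str], ctx: AccessContext) -> Right:
    """Map (content sensitivity, access context) to a usage right, failing closed."""
    level = RANK.get(label or "Internal")      # unlabelled content is treated as Internal
    if level is None:
        return Right.NONE                      # unknown label name: deny rather than guess
    trusted = ctx.device_managed and ctx.network == "corp"
    if level == 0:
        return Right.FULL_CONTROL
    if "employees" not in ctx.groups:
        return Right.NONE
    if level == 1:
        return Right.EDIT if ctx.device_managed else Right.VIEW_IN_BROWSER
    owner = LABEL_OWNERS[label]
    if level == 2:
        if owner in ctx.groups:                # owning team: full control only from a trusted context
            return Right.FULL_CONTROL if trusted else Right.VIEW_IN_BROWSER
        return Right.VIEW if trusted else Right.NONE
    return Right.FULL_CONTROL if (owner in ctx.groups and trusted) else Right.NONE


def evaluate_document(custom_xml: str, ctx: AccessContext) -> Tuple[Optional[str], Right]:
    """Read the label from the file metadata and evaluate the policy at access time."""
    label = read_aip_label(custom_xml)
    return label, decide(label, ctx)


if __name__ == "__main__":
    alice = frozenset({"employees", "finance"})
    office = AccessContext("alice", alice, device_managed=True, network="corp")
    cafe = AccessContext("alice", alice, device_managed=True, network="public")
    print(evaluate_document(SAMPLE_CUSTOM_XML, office))   # ('Confidential', Right.FULL_CONTROL)
    print(evaluate_document(SAMPLE_CUSTOM_XML, cafe))     # ('Confidential', Right.VIEW_IN_BROWSER)
```

Because the decision is made when the file is opened rather than baked into the file, the same document can be indexed by a service account that is granted VIEW on a trusted path while a human on an unmanaged device is limited to the secure browser; that separation is the point of evaluating rights at access time instead of encrypting to a fixed user list.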