Learn about the challenges and risks of sensitive corporate data leaving the firewall, residing on personal devices, and more.
- [Instructor] As people and data become more mobile, managing both who can access that data and what they can do with it is even more important. As we've talked about before, just depending on a firewall or traditional data loss prevention system to make sure that all of your data doesn't leave the network doesn't work the way it used to. Instead, we need to make sure that that protection follows the data and, in turn, because it follows the data, let people work on it however they want to versus saying that, you know, you can only work with this document on your corporate laptop inside the office.
Azure Information Protection is part of Microsoft's solution to this and lets you do two really key things that we're going to take a look at in more depth. One, it lets you classify data: we can mark it as a confidential document, maybe a document that's suitable for a release to the public, or maybe it contains trade secrets and we need to mark it as such. And then, based on those classifications, we can protect the document or the data and make sure that only the people that we say can take the actions that we allow with that data. And because that protection travels with the document, even if someone puts it on a USB key or they take it off the network, they'll be fine and you won't have to worry, because that document is encrypted and only the people that are listed will actually be able to work with it.
And the other nice thing: for this protected data, Microsoft makes the apps available to consume it on virtually any device. So whether it's a Windows laptop, or a MacBook, or an iPad, or an Android, all those devices can consume protected data.
There are a few different components of Azure Information Protection. The first one is the data classification labeling. This is key. You have to have your end users know how to look at a document and decide what the sensitivity or classification of it is. Based on that labeling, you define what are called protection policies that enable the data to automatically be protected based on the classification.
And inside that protection, it lets you define a couple of things: who has access to the data, maybe it's all your full-time employees or it's full-time employees and contractors, and what they can do with it. Can they open it? Can they edit it? Are they allowed to print, copy, and paste, or take a screenshot? All these types of protections, you get to define, and once that protection's applied, it actually encrypts the file in place with a list of who has access to it and what they can do with it. That means that if I don't have access to that data, but I still come upon a copy of the file, there's nothing I can do with it, because I won't be able to get the keys to decrypt it.
- Authentication options with Azure AD
- Configuring Azure AD Connect for sync and authentication
- Securing remote access with the Azure Application Proxy
- Managing apps and devices with Intune
- Building and deploying a basic Intune policy for iOS or Android
- Protecting data beyond the firewall with Azure Information Protection (AIP)
- Configuring AIP classification labels and protection
- Integrating Exchange and SharePoint with AIP
- Managing risk with Advanced Threat Analytics
- Connecting Office 365 to cloud app security