Protecting documents with Azure Information Protection

Classified

Management with PowerShell

As is so often the case with Microsoft products, AIP only reveals its full capabilities in combination with PowerShell. The AzureInformationProtection PowerShell module is installed on the client together with the AIP client. The following command displays all the cmdlets from the module:

> Get-Command -Module AzureInformationProtection

The list contains useful cmdlets for classifying multiple files or discovering the status of individual files, even without a mouse. However, these are cmdlets for the end user. The administrator will not find anything here for administrative work from the command line; the AADRM PowerShell module [6] is available for this purpose. Before you get started, you need to connect the PowerShell session to AIP using the
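To show what the end-user module is good for from an administrator's chair, here is an added example (not code from the article) that walks a folder and reports which files carry no label and which are labeled but not protected. It assumes the AIP client and its module are installed on the machine and that the share path is a placeholder for one you administer; the Get-AIPFileStatus cmdlet and its IsLabeled, IsRMSProtected and MainLabelName properties are those of the AzureInformationProtection module.

```powershell
# Added example: inventory the classification status of Office files on a share
# with the AzureInformationProtection client module (not from the article).
Import-Module AzureInformationProtection

$share = '\\fileserver\finance'   # placeholder path, replace with your own share

# Get-AIPFileStatus reads label and protection metadata without changing the file.
$status = Get-ChildItem -Path $share -Recurse -File |
    Where-Object { $_.Extension -in '.docx', '.xlsx', '.pptx', '.pdf' } |
    ForEach-Object { Get-AIPFileStatus -Path $_.FullName }

# Files that carry no label at all: candidates for classification
$status | Where-Object { -not $_.IsLabeled } |
    Select-Object FileName | Format-Table -AutoSize

# Files that are labeled but not encrypted: the label is visible, the content is not protected
$status | Where-Object { $_.IsLabeled -and -not $_.IsRMSProtected } |
    Select-Object FileName, MainLabelName, SubLabelName | Format-Table -AutoSize

# Count per main label for a quick overview of how the share is classified
$status | Group-Object MainLabelName | Select-Object Name, Count

# Keep the full result for reporting
$status | Export-Csv -Path "$env:TEMP\aip-status.csv" -NoTypeInformation
```

The script only reads metadata; applying labels to the unlabeled files is a separate, deliberate step, because a wrong label that enforces encryption is harder to undo than a missing one.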

Connect-AadrmService

cmdlet (Figure 2). Without parameters, the browser opens, and you can log on with a Microsoft account. It is also possible to pass in a PSCredential object as a parameter (e.g., so that a script does not have to prompt for a username and password while it runs). To do this, the password is requested once at the beginning, the PSCredential object is built from it, and the object is used later.

Figure 2: The AADRM PowerShell module allows the administrator to work from the command line.

It is highly recommended that you explore the possibilities of the AADRM cmdlets, because essential settings have unfortunately not yet found their way into the GUI portal. For example, you can activate and maintain the superuser list. Members of this list are able to decrypt files that users have encrypted, for example, after an employee has left the company. Files for which an end date has been defined for access can also be opened after that date by administrators included in the superuser list. The

Enable-AadrmSuperUserFeature

cmdlet enables this functionality. To extend the list of superusers, use the command:

> Add-AadrmSuperUser -EmailAddress "christa@kbcorp.de"

It is advisable to practice the working methods and the possibilities of the superuser extensively so that you do not experience any surprises in an emergency and are always in control. Encryption can become a problem, and the loss of sensitive data hurts if it can no longer be decrypted.
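The connection with a PSCredential object and the superuser handling described above, as one added example (not code from the article): it asks for the password once at the start, builds the credential, connects, enables the superuser feature only if it is still off, adds the address from the article, and verifies the list. It assumes the AADRM module is installed, that the account name is a placeholder, and that the Get-AadrmSuperUserFeature, Get-AadrmSuperUser, Remove-AadrmSuperUser and Disconnect-AadrmService cmdlets of that module are available alongside the ones the article names.

```powershell
# Added example: administrative AADRM session with a PSCredential object
# and idempotent maintenance of the superuser list (not from the article).
Import-Module AADRM

# Ask for the password once; it stays a SecureString in memory and is never
# written into the script. For unattended runs, persist it with
# ConvertFrom-SecureString (DPAPI-protected on Windows) and read it back with
# ConvertTo-SecureString instead of prompting.
$user   = 'admin@kbcorp.de'                                  # placeholder account
$secret = Read-Host -Prompt "Password for $user" -AsSecureString
$cred   = New-Object System.Management.Automation.PSCredential ($user, $secret)

Connect-AadrmService -Credential $cred

# Confirm which tenant you are connected to before changing anything
Get-AadrmConfiguration

# The superuser feature is off by default; only enable it if it is not on yet
if ((Get-AadrmSuperUserFeature) -ne 'Enabled') {
    Enable-AadrmSuperUserFeature
}

# Add the recovery account only if it is not already listed, then show the list
$superUser = 'christa@kbcorp.de'
if ((Get-AadrmSuperUser) -notcontains $superUser) {
    Add-AadrmSuperUser -EmailAddress $superUser
}
Get-AadrmSuperUser

# Superusers can open every protected file in the tenant, so keep the list
# short and remove an entry again once the recovery task is finished:
# Remove-AadrmSuperUser -EmailAddress $superUser

Disconnect-AadrmService
```

Running the two checks before Enable-AadrmSuperUserFeature and Add-AadrmSuperUser makes the script safe to rerun, and printing Get-AadrmSuperUser at the end leaves a record of who held recovery rights at that point in time.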

Tracking Access

Microsoft offers a web page to help you track who accessed protected documents and when. End users can reach it at track.azurerms.com or, even more easily, by clicking the Protect | Track and Revoke icon that the AIP client adds to Office applications. Users then have a variety of options for dealing with the documents they protected. It does not matter whether they emailed the documents or whether third parties accessed them from services published on the Internet.

The page shows who has opened files, which access attempts were denied, and at what time files were accessed, provided the access procedure for documents and email was defined in the protection settings of a label. One interesting function here is that email notifications can be used to let the user know of certain events (e.g., when someone tries to open a file without authorization). The ability to export all the file and status information to a CSV file rounds off the functions of the tracking page.

Locksmith Service Included

By default, Microsoft manages the private key used to protect the data. This default configuration is also known as Managed by Microsoft and is sufficient in most cases. Alternatively, the customer can create the key and manage it themselves in a Hardware Security Module (HSM) within Azure Key Vault.

Another option in this context is the HYOK option (hold your own key), wherein the key is isolated from the cloud. The customer also manages the key, but in their own HSM on-premises. This option might be necessary for particularly sensitive information (e.g., because of legal regulations). You should check in advance which variant makes sense or is necessary. Commissioning AIP will be somewhat more complex in this case. Also consider that the costs will be higher if you deviate from the standard configuration.
