How well does Azure Information Protection (AIP) protect your data?
Choosing the right encryption software for your company is a decision of enormous significance. We have compiled important details about the file encryption solution, Azure Information Protection, to help you make the right decision.
Table of Contents
- What is Azure Information Protection?
- File Formats and Platforms supported by Azure Information Protection
- Classification of Documents
- Check on Azure Information Protection’s Data Security and Encryption
- An Alternative and Flexible Encryption Solution
What is Azure Information Protection?
Azure Information Protection (AIP) is a Microsoft product. It’s a cloud-based encryption software that enables companies to recognize, classify and protect documents and emails. These processes are automated in the background. The target group of AIP are mainly companies that are already fully integrated within the "Microsoft universe".
File Formats and Platforms supported by Azure Information Protection
AIP is optimized to classify and protect Microsoft Office files processed on a Windows machine and stored in OneDrive or SharePoint.
This means that for companies that have this exact use case, Azure Information Protection is a good encryption solution. If you work on Windows devices within the Windows universe exclusively, you can use AIP to protect and process most of your files. However, you will encounter limitations if you use other file formats or work on other platforms, such as macOS or iOS.
AIP supports the file formats of all Windows programs on Windows. Generic file formats (JPEG, PNG, GIF, PDF, SVG, or MP4), however, can only be displayed in a viewer app and cannot be edited. On macOS, iOS, and Android, any AIP-protected file formats can only be opened with a viewer app but not edited.
All details about the file formats supported by Azure Information Protection can be found directly on Microsoft's website: Admin Guide: File types supported by the Azure Information Protection classic client.
In everyday work, being limited to certain file formats can be an inconvenient restriction. It may encourage unauthorized use of software that has not been approved by the company. Read more about this in our article on Shadow-IT.
When choosing encryption software for your business, make sure it supports encryption of all file formats.
Classification of Documents
Another service offered by Azure Information Protection is the classification of documents by the AIP Scanner. This is a program that scans all files and emails in an organization for confidential information. For example, all documents that contain an email address can be classified as a file with a personal date. This feature automatically ensures technical and organizational compliance with the GDPR.
The labels are:
- Strictly Confidential
Users also have the option to select the appropriate label for individual files themselves via a drop-down menu.
The AIP unified labeling client entered maintenance mode in January 2022. Thus, no more features will be added to the AIP unified labeling client. Here you can find more information on Microsoft's decision.
The classification restricts, for example, whether a document can be printed and by whom. The classification also determines whether a file is encrypted or not. This saves valuable computing power.
The AIP scanner can only scan files located in the following datastores:
- UNC paths for network sharing that uses SMB or NFS (preview version) protocols.
- SharePoint document libraries and folders.
Learn more about the sensitivity labels of Azure Information Protection here: Information about Sensitivity Labels.
External Classification and Security – a Contradiction
Nonetheless, such a scanner contradicts the principle of never granting external parties (be they people or computer programs) access to one's data. Such access is always tied to a certain loss of control. And losing control is not recommended in IT security. We would also like to mention at this point that Microsoft is subject to the jurisdiction of the USA: All data to which the company has access must be handed over to the US authorities upon request.
If you would like to use and secure the classification feature of Azure Information Protection, we recommend using AIP in combination with Boxcryptor. More information on Boxcryptor and AIP can be found here
A feature worth mentioning is the tracking of activities which allows admins to see which users have opened which files and when.
Check on Azure Information Protection’s Data Security and Encryption
Besides helpful functions, other key criteria when choosing the right security solution are the quality standard of data protection and the type of encryption. In the following, we explain the most important information about the key length and its secure management.
Key length is a crucial factor for encryption. What matters here is the bit length; the higher the number of bits, the more rounds of encryption are added. With each additional key bit, the encryption complexity increases. This means that the key space becomes larger and thus slows down attack attempts, since sifting through the various key options takes longer. Azure Information Protection uses the 2048-bit encryption algorithm.
Particularly for companies based in Germany, the recommendations of the German Federal Office for Information Security (BSI) offer a good guide for making decisions about IT security. The office recommends using a key length of 3,000 bits, starting from 2023.
For a period of use beyond 2022, this guideline recommends using a key length of
3000 bits in order to achieve a comparable security level for all asymmetric procedures.
Source: BSI TR-02102-1, Page 15
This means that the key length currently used by AIP will no longer meet the BSI's requirements as of 2023 (at the latest). It’s important to note that the BSI's requirements are by no means excessive. On the contrary, encryption with a 4096-bit length – which Boxcryptor has been using for over 10 years – is quite common:
Cryptographic Key Management in Azure Information Protection
Microsoft offers four options for key management:
- Microsoft Managed Keys: The default setting in Azure Information Protection is for Microsoft to provide the keys.
- __Bring Your Own Key/BYOK __: Organizations also have the option to bring their key.
- Hold Your Own Key/HYOK: Additionally, organizations can hold on to their own keys. Azure Key Vault can be used for this, and there is support for Hardware Security Modules.
- Double Key Encryption
With these options, Microsoft has access to the keys and can thus theoretically decrypt encrypted data again and hand it over in the event of government requests (CLOUD Act).
Double Key Encryption (DKE): Full control on individual Documents
At the beginning of 2021, Microsoft introduced a fourth variant, Double Key Encryption. Here, enterprise customers have sole control over the encryption keys. Since Microsoft itself can no longer access the keys, the company cannot release any data at government request. Of course, the double key procedure also protects against access by employees of Microsoft itself. Whether with malicious intent or due to a honest mistake, even if files fall into the wrong hands, they are completely unusable. Therefore, there is no danger to data security.
An Alternative and Flexible Encryption Solution
Organizations that primarily use Microsoft products and whose requirements are well met by Azure Information Protection will be satisfied with this solution. However, after having many conversations with organizations of all sizes, we have made a different experience: Most teams don't work exclusively with Windows devices and programs, and often use multi-cloud strategies to utilize their benefits to the maximum.
In sum: Azure Information Protection does not provide enough flexibility that is required by most businesses nowadays. While being a solid service, it comes with limitations.
Employees want mobile workplaces, use a variety of devices, and expect to be able to use their preferred operating system. These modern businesses need data security solutions that are equally flexible and versatile. Organizations have the responsibility to find a suitable encryption solution that meets these requirements. With AIP you achieve a good level of protection for your data. If you need more flexibility, it's worth it to take a look at Boxcryptor.