Lisa Figas | Marketing Manager
@meet_lisa
Wednesday, November 10, 2021

Azure Information Protection (AIP) and Boxcryptor – Comparison of Security and Application

Choosing the right encryption software for a company is a decision of enormous significance. We have compiled important details about the file encryption solution AIP compared to Boxcryptor to help you make the right choice.

Table of Contents

What is Azure Information Protection?

Azure Information Protection (AIP) is a Microsoft product. It is cloud-based encryption software that enables companies to recognize, classify and protect documents and emails. These processes are automated in the background. The target group of AIP are mainly companies that are already fully within the "Microsoft universe".

File Formats and Platforms

AIP is optimized for the classification and protection of Microsoft Office files processed on a Windows machine and stored in OneDrive or SharePoint.

For companies that have this exact use case, Azure Information Protection is, therefore, a good solution. If you work on Windows devices in the Windows universe, you can use AIP to protect and process most of your files. However, if you use other file formats or work on other platforms, such as macOS or iOS, you will encounter limitations.

AIP supports the file formats of all Windows programs on Windows. Generic file formats (JPEG, PNG, GIF, PDF, SVG, or MP4), however, can only be displayed in a viewer app and cannot be edited. On macOS, iOS, and Android, any AIP-protected file formats can only be opened with a viewer app but not edited.

All details about the file formats supported by Azure Information Protection can be found directly on Microsoft's website: Admin Guide: File types supported by the Azure Information Protection classic client.

In everyday work, being limited to certain file formats can be an inconvenient restriction. It may encourage unauthorized use of software that has not been approved by the company. Read more about this in our article on Shadow-IT.

Azure Information Protection Viewer App

When choosing encryption software for your business, make sure it supports encryption of all file formats. Boxcryptor encrypts file-independent and cross-platform, which means you don't have to put up with file format limitations.

Classification of Documents

Another service offered by Azure Information Protection is the classification of documents by the AIP Scanner. This is a program that scans all files and emails in an organization for confidential information. For example, all documents that contain an email address can be classified as a file with a personal date. Technical and organizational measures necessary for GDPR compliance are then automatically taken. The labels are:

  • Public
  • General
  • Confidential
  • Strictly Confidential

Users also have the option of selecting the appropriate label for individual files themselves via a drop-down menu. The classification restricts, for example, whether a document can be printed and by whom. The classification also determines whether a file is encrypted or not. This saves valuable computing power.

The AIP scanner can only scan files located in the following datastores:

  1. UNC paths for network sharing that uses SMB or NFS (preview version) protocols.
  2. SharePoint document libraries and folders.

In a company with many employees, you can never be sure that everyone involved in the process understands the privacy policy and can comply with it. That's where a scanner can be useful.

At the same time, however, such a scanner contradicts the principle of never granting external parties (be they people or computer programs) access to one's data. This access is always accompanied by a certain loss of control. And losing control is not recommended in IT security. In addition, we would like to mention at this point that Microsoft is subject to the jurisdiction of the USA: All data to which the company has access must be handed over to US authorities upon request.

Learn more about Azure Information Protection Sensitivity Labels here: Sensitivity Labels.

A feature worth mentioning is the tracking of activities. Thus, one can - with the necessary admin rights - see which users have opened which files and when.

Key Length

In encryption, the key length factor is very crucial. Here, a distinction is made according to the bit length. The higher the number of bits, the more rounds it goes through. With each additional key bit, the complexity increases. This means that the key space becomes larger and an attack that attempts to sift through the various key options takes longer. Azure Information Protection uses the 2048-bit encryption algorithm. Particularly for companies based in Germany, the recommendations of the German Federal Office for Information Security (BSI) are a good guide for making decisions about IT security. It recommends using a key length of 3,000 bits from 2023.

For a period of use beyond 2022, this guideline recommends using a key length of 3000 bits in order to achieve a comparable security level for all asymmetric procedures. Source: BSI TR-02102-1, Page 15

The key length used by AIP will, therefore, no longer meet the BSI's requirements from 2023 at the latest. However, the BSI's requirements are by no means excessive. On the contrary, encryption with a 4096-bit length - which Boxcryptor has been using for over 10 years - is quite common:

Robert Freudenreich, Boxcryptor CTO on key lenth

Cryptographic Key Management in Azure Information Protection

Microsoft offers four options for key management. The default setting in AIP is for Microsoft to provide the keys (Microsoft Managed Keys). Organizations also have the option to bring their key (Bring Your Own Key/BYOK) and hold on to it (Hold Your Key/HYOK). Azure Key Vault can be used for this, and there is support for Hardware Security Modules.

With these variants, Microsoft has access to the keys and can thus theoretically decrypt encrypted data again and hand it over in the event of government requests (CLOUD Act).

Double Key Encryption (DKE)

At the beginning of 2021, Microsoft introduced a fourth variant, Double Key Encryption. Here, enterprise customers have sole control over the encryption keys. Since Microsoft itself can no longer access the keys, the company cannot release any data at government request. Of course, the double key procedure also protects against access by employees of Microsoft itself. Whether with malicious intent or through a mistake, even if files fall into the wrong hands, they are completely unusable. Therefore, there is no danger to data security.

Double Key Encryption is similar in setup to Boxcryptor's Zero-Knowledge encryption, which means that data is just as well protected in terms of key management as it is in Boxcryptor. However, in Boxcryptor all data is protected with this strong encryption by default, while Microsoft recommends this only for very sensitive documents.

Here you can find all information about Key Management in AIP.

Zero-Knowledge Encryption and Labels by combining the solutions.

Did you know that Boxcryptor is compatible with AIP? Thus, it is possible to use Boxcryptor and AIP together: Boxcryptor encrypts all file contents and, if desired, file names; AIP labels your files. Technically, this is possible because the information about the AIP confidentiality classes of a document is stored in the document properties. Boxcryptor uses file-based encryption (unlike container solutions, for example). For this reason, the file properties, such as the AIP labels, are not affected by the encryption. Therefore, documents that have been encrypted with Boxcryptor can also be provided with a confidentiality class.

Flexible Encryption Solution

There might be organizations that have exactly the requirements that Microsoft meets with Azure Information Protection. However, our experience from many conversations with organizations of all sizes is different: Most teams don't work exclusively with Windows devices and programs, and multi-cloud strategies are often in use with many benefits. In sum: Flexibility is required. With AIP, however, such a way of working is not possible, or only with limitations.

The diversity of file formats is also taken into account in Boxcryptor's architecture. As a result, every department can use the same encryption software. Be it the HR department, the colleagues from marketing or the team from the legal department - file content, file format and storage location are nothing that could stop Boxcryptor from protecting a file with end-to-end encryption.

Employees want mobile workplaces, use a variety of devices, and also expect to be able to use their preferred operating system. These modern businesses need data security solutions that are equally flexible and versatile. Boxcryptor meets this need, offering apps for Android and iPhone, runs on Windows and macOS, and can natively encrypt more than 30 cloud storages.

Checklist: Enterprise Encryption Software

Which questions do you need to ask yourself when you search for a suitable encryption solution to protect your sensitive business files.

Use this checklist to become aware of your requirements and to compare different solutions in detail.

By entering my email address I agree that Secomba GmbH sends me information via email. I can revoke this agreement at any time.

Share this post