Security Hole of Azure Information Protection

  • Question

  • Hi,

    I am studying Azure Information Protection via https://docs.microsoft.com/en-us/azure/information-protection/infoprotect-quick-start-tutorial . I find there are some obvious security holes in the protection scheme, as follows:

    In step 5, i.e., https://docs.microsoft.com/en-us/azure/information-protection/infoprotect-tutorial-step5 , the owner of the document uses "Classify and Protect" to protect a document, and uses "Protect with custom permissions" to allow another employee, such as david@mycompany.com, to view the document. Then there will be several security holes:

    1. Assume the company policy does not allow employees to release the document to any computers outside the company. But David can easily send the protected document to his personal email and view it at home.
    2. Assume the company policy does not allow employees to share the documents with others. But David can easily share the document with others by email or USB flash drive. Others can view the document by using David's login details in the RMS system if David discloses this information together with the protected document.

    Thus the whole protection seems useless. The employee can do prohibited things and unauthorized persons can view the protected documents.

    Please advise.

    Sunday, September 2, 2018 3:43 AM

All replies

  • Hi, if someone wants to look at data, it will leak. For example, they can take a photo of the content with a mobile phone (a screenshot will not work). But you can prevent even more with watermarks and so on.

    If someone has David's credentials, it is as if he is David. The system cannot distinguish these. It is as if I have your password: I am you. Basically.

    But you can restrict these scenarios easily. Implement MFA, so there must be an action by David to approve access. Or implement Conditional Access for AIP actions. In that case you can, for example, restrict opening protected files to only domain workstations or stations which are secured from your point of view.

    Sunday, September 2, 2018 4:49 PM
  • Hi, Kazzan,
    Thank you very much. 

    I search online for "conditional access Azure Information Protection" and get the following link:

    https://cloudblogs.microsoft.com/enterprisemobility/2017/10/17/conditional-access-policies-for-azure-information-protection/

    But I still cannot figure out how to set up a conditional access policy. I tried to add a new policy in "Azure Information Protection Policies", but in the interface, I find the options are completely different from those shown in the above document. Why?

    Thank you very much


    • Edited by chcw Monday, September 3, 2018 9:09 AM
    Monday, September 3, 2018 9:08 AM
  • Conditional Access is a function of the Azure AD Premium paid plan; it is not included within AIP.
    Monday, September 3, 2018 9:29 AM
  • Hi,
    Then how can I pay for the plan? I have just subscribed to a free trial of Enterprise Mobility + Security.

    Thank you very much.

    Monday, September 3, 2018 9:53 AM
  • AAD Premium is included in the EMS Trial. Just go to the Azure AD blade in the Azure Portal to configure Conditional Access.
    Monday, September 3, 2018 10:09 AM
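    To make the advice above concrete (MFA plus a device restriction on opening protected content), here is the shape of such a policy as a Microsoft Graph `conditionalAccessPolicy` object, the same thing the Azure AD Conditional Access blade writes for you. This is an added illustration, not configuration from the thread or from Microsoft's documentation; the application id and the excluded group id are placeholders that you must replace with the values from your own tenant, and the policy is created in report-only mode so you can check sign-in logs before enforcing it.

    ```json
    {
      "displayName": "AIP: require MFA and a hybrid-joined device",
      "state": "enabledForReportingButNotEnforced",
      "conditions": {
        "users": {
          "includeUsers": ["All"],
          "excludeGroups": ["<break-glass-admins-group-object-id>"]
        },
        "applications": {
          "includeApplications": ["<azure-information-protection-app-id>"]
        },
        "clientAppTypes": ["all"]
      },
      "grantControls": {
        "operator": "AND",
        "builtInControls": ["mfa", "domainJoinedDevice"]
      }
    }
    ```

    With `operator` set to `AND`, a user such as David must both complete MFA and be on a hybrid Azure AD joined (domain) workstation before the AIP client is issued a token to open protected content, so a forwarded document plus a shared password is no longer enough on a home PC. The excluded break-glass group keeps at least one account from being locked out if MFA or device registration breaks; switch `state` to `enabled` only after the report-only sign-in entries show the expected users passing.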
  • Hi,
    Thank you so much. I found it. It is really difficult to find a function among so many resources.

    Monday, September 3, 2018 12:08 PM
  • By the way, what is the relationship between Azure Active Directory, Azure Information Protection, and Rights Management Service? They are similar, so why would MS create three things and put some in one and others in another? All these make me confused.
    Monday, September 3, 2018 12:28 PM
  • These are kind of different systems and apps:

    Azure AD - Stores identities (and passwords), app access rights and all configuration.

    Rights Management Services - Protects content by restricting access based on identities and the access rights granted to them.

    Azure Information Protection - Uses RMS as the protection technology, but on top of that it supports labeling and classification (you do not need to protect explicitly; you only classify, and the needed protection is applied automatically by Office or Exchange, for example).

    Monday, September 3, 2018 12:39 PM
  • Hi,
    Thank you very much.

    I understand their relationships are:

    Azure AD (lowest level) -> Rights Management Services (middle level) -> Azure Information Protection (highest level / application level).

    Is that correct?

    Tuesday, September 4, 2018 2:30 AM
  • Hi,
    I have a new understanding of that.

    Azure AD controls how the system identifies a specific person.

    Rights Management Services controls what a specific person can do.

    Azure Information Protection uses labeling and classification to protect resources, and so defines what a specific person can do with the resources.

    Correct me if I am wrong.

    Tuesday, September 4, 2018 2:35 AM
  • Hi,
    Sorry, but I have one more question. In Azure AD, I can create the identity for david@mycompany.com . But it seems that when a document is protected by Azure Information Protection and sent to david@mycompany.com, he can create an account with his email address directly via https://aka.ms/rms-signup without Azure AD. Moreover, the created account will not appear in Azure AD, so it is not controlled by Azure AD at all. In such a case, why is Azure AD still called a "centralized identity management service"?

    Tuesday, September 4, 2018 4:02 AM
  • Theoretically yes.

    Azure AD = Verifies that the user account is enabled and that his credentials or MFA are right, and allows access to the service.

    RMS = Verifies whether the user has rights to open the document or e-mail and to perform tasks (print, copy).

    AIP = Based on the classification, it tells RMS what the user can do with the document. For example, "Internal = Open, Copy, Print" or "Secret = Only Open".

    Tuesday, September 4, 2018 6:42 AM
  • Yes!
    Tuesday, September 4, 2018 6:42 AM
  • First, you must have this domain verified in Office 365/Azure AD so no one else can use it for a subscription (the subscription can be free).

    In the default state, every user in the organization can add free services like RMS. You can see, if you do not disable this and someone uses RMS, that the tenant gave you 10000 free licenses of RMS. And they are automatically assigned to users who open protected documents, until you give them a more advanced license like AIP.

    You can send a protected e-mail to everyone. They can create a personal Microsoft Account which can read this on specific domains like outlook.com, but for company e-mails it creates an Azure AD tenant.

    If the domain is verified in the tenant, it provisions the license to the current user if he exists. If not, he cannot sign in to this content.

    Tuesday, September 4, 2018 6:46 AM