Author: Enterprise Mobility Team
Setting up the environment
Last week, we looked at desktop virtualization. Now, let’s turn our attention to Access and Information Protection.
In many ways, Access and Information Protection (AIP) are two sides of the same coin. When you think of the term access, you may first think of access controls—that is, permissions and other constraints—but that’s not how users think of access. They simply think of wanting to access “their” data and the applications that they need to work with, no matter where, no matter when, no matter what device they happen to be using.
In many parts of the world, users have ample access to affordable and fast cellular and Wi‑Fi networks. These users are increasingly mobile and want to blend access to personal and corporate data on their devices (whether owned by the company or the individual).
At the same time, your organization views that same data as a corporate asset, one that needs to be protected. As an IT pro, you must manage security, identity, and access control. You likely face increasingly stringent regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the Sarbanes-Oxley Act of 2002 if you’re in the United States (or do business there), and similar legislation in many other countries. Even if you don’t have a legislative or regulatory duty, you probably have standards imposed by industry associations, by the payment card industry (through the Payment Card Industry Data Security Standard, PCI DSS), by auditors, or by senior management.
You need to retain control and stay compliant while you deploy and configure the capabilities that provide access and enable both productivity and information protection. This is the realm of AIP.
To learn how our Access and Information Protection solutions can help secure your organization’s information, see the Access & Information Protection: Master of Mobility video.
That video illustrates what Microsoft Access and Information Protection solutions offer. Over the next few days, I’ll explore the technology more deeply through a five-part blog series.
Microsoft’s products are designed to enable access and provide information protection. Microsoft approaches AIP from a people-centric IT point of view, built on three pillars:
- Enable users to be productive
- Protect your corporate data
- Unify your environment
In this week’s series of posts, we won’t be discussing how to unify your environment: You’ve already seen elements of that, particularly in the discussions about Hybrid Identity. Instead, we will focus on enabling users while protecting your data.
Here are some examples:
- Use Workplace Join (the Device Registration Service in Active Directory Federation Services), Web Application Proxy, and Active Directory Domain Services (AD DS) to let users register their devices and gain access to corporate resources.
- Use Work Folders so that users can synchronize their work files across all of their devices.
- Use Web Application Proxy so that the IT department can publish corporate resources to users working outside the LAN on various devices.
- Use Microsoft Azure Multi-Factor Authentication (MFA) along with these other features to enforce additional user identity verification on access.
- Use Dynamic Access Control and File Classification to ensure that compliance requirements are met.
- Use Microsoft Rights Management services to protect corporate information at rest and in transit, and to require authentication whenever a protected file is opened.
Sounds exciting, doesn’t it? Are you ready to enter this new world, where access and information protection are ubiquitous?
Setting up your environment
Like most things in computer technology, some steps have to happen first. Each version of the operating system introduces new features, but another key part of Microsoft’s strategy is building on the investments you have already made.
The most important starting point is a consistent view of identity—of who your users are and what you know about them. We discussed this in some detail a couple of weeks ago, so if you didn’t read that at the time, you might want to review those posts.
The good news is that most of you are well on your way, because you’re probably already using Active Directory and Microsoft Azure Active Directory. About 93 percent of Fortune 500 organizations use Active Directory, and Azure Active Directory is currently completing over 2 billion authentications per day.
Your environment can be completely on-premises (AD DS) or completely cloud based (Azure Active Directory), but for most of us, there will be a combination of the two. Review the Hybrid Identity posts to learn about how to federate or synchronize between the two.
To use some of the new features, certain elements must be in place. Refer to the following table to see which features are available to you now and where you might want to upgrade. Server-side prerequisites are listed first; where the original table listed supported clients, the heading “Any of the following:” is preserved.
| Feature | Prerequisites |
| --- | --- |
| Workplace Join | Windows Server 2012 R2 Active Directory Federation Services. Any of the following: |
| Work Folders | Windows Server 2012 R2 File Services. Any of the following: |
| Web Application Proxy | Windows Server 2012 R2 Remote Access; Windows Server 2012 R2 Active Directory Federation Services |
| Azure MFA | Other than an Azure subscription, prerequisites vary between cloud-based and on-premises scenarios. Check the download center page for more information. |
| Dynamic Access Control | Windows Server 2012 or later |
| Automatic File Classification | Windows Server 2012 or later |
| Rights Management services | Available either on-premises or cloud based: Windows Server 2012 R2 Active Directory Rights Management Services, or Azure Rights Management Services |
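Before you upgrade anything, it helps to know which of the prerequisites above a given server already meets. The script below is an added example, not code from the original post or from Microsoft; it inventories the local server’s OS version and installed roles and maps them to the on-premises capabilities in the table. The mapping of capabilities to Windows feature names (`ADFS-Federation`, `Web-Application-Proxy`, `FS-SyncShareService`, `FS-Resource-Manager`, `ADRMS`) and the minimum OS versions are our assumptions based on the table; the cloud services (Azure MFA, Azure RMS) have no local footprint and are not checked. Run it in an elevated PowerShell session on Windows Server 2012 or later.

```powershell
# Added example (not from the original post): report which AIP prerequisites
# from the table above are already present on this server.
# Assumes: elevated session, Windows Server 2012+ with the ServerManager module.
# The capability-to-feature mapping and MinVersion values are our assumptions.

Import-Module ServerManager

# Windows Server 2012 reports 6.2, Windows Server 2012 R2 reports 6.3.
$os        = Get-CimInstance -ClassName Win32_OperatingSystem
$osVersion = [Version]$os.Version

# One entry per on-premises capability in the table. Azure MFA and Azure RMS
# are cloud services and are deliberately omitted.
$requirements = @(
    @{ Capability = 'Workplace Join (AD FS Device Registration)'; Features = @('ADFS-Federation');       MinVersion = '6.3' }
    @{ Capability = 'Work Folders';                               Features = @('FS-SyncShareService');   MinVersion = '6.3' }
    @{ Capability = 'Web Application Proxy';                      Features = @('Web-Application-Proxy'); MinVersion = '6.3' }
    @{ Capability = 'Automatic File Classification (FSRM)';       Features = @('FS-Resource-Manager');   MinVersion = '6.2' }
    @{ Capability = 'AD RMS (on-premises)';                       Features = @('ADRMS');                 MinVersion = '6.3' }
)

# Names of every role/feature currently installed on this server.
$installed = Get-WindowsFeature |
    Where-Object { $_.Installed } |
    Select-Object -ExpandProperty Name

$report = foreach ($req in $requirements) {
    $missing = @($req.Features | Where-Object { $installed -notcontains $_ })
    [PSCustomObject]@{
        Capability = $req.Capability
        OsOk       = ($osVersion -ge [Version]$req.MinVersion)
        FeaturesOk = ($missing.Count -eq 0)
        Missing    = ($missing -join ', ')
        Install    = if ($missing.Count -gt 0) { "Install-WindowsFeature $($missing -join ',')" } else { '' }
    }
}

"Server: $($os.Caption) (version $osVersion)"
$report | Format-Table -AutoSize

# Dynamic Access Control is not a local role: it needs Windows Server 2012 or
# later domain controllers and the "KDC support for claims" Group Policy.
# Check the domain side too if the ActiveDirectory module is available.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $dcs = Get-ADDomainController -Filter * |
        Select-Object HostName, OperatingSystem
    "Domain controllers (DAC needs Windows Server 2012 or later on each):"
    $dcs | Format-Table -AutoSize
}
```

The `Install` column gives the `Install-WindowsFeature` command that would close the gap on this server, but it only tells you what the local box is missing. Workplace Join and Web Application Proxy also depend on an AD FS farm and certificates, and Dynamic Access Control depends on your domain controllers rather than on the file server, which is why the script lists the DCs separately rather than reporting DAC as installed or not.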
Now that you have an idea of what you need, tune in tomorrow to start making resources available to users.
Learn more about Access and Information Protection here.