At Microsoft Ignite 2017, we announced the public preview of conditional access for AIP-protected files to further enhance security for your sensitive files. With the integration of Azure Information Protection (AIP) and Azure Active Directory (AAD), conditional access can be set up to allow or block access to AIP protected documents or enforce additional security requirements such as Multi-Factor Authentication (MFA) or device enrollment based on the device, location or risk score of users trying to access sensitive documents.
Below is a list of some common scenarios that light up when conditional access policies are enabled for AIP-protected content:
- Require Multi-Factor Authentication: Enforce an MFA challenge to access AIP-protected documents. This can help protect against the risk of stolen and phished credentials.
- Device Compliance/Domain Joined: Allow access only if the user device is domain joined and/or is compliant as per company MDM/MAM policy (device compliance policies are configured in Intune).
- Risky Sign-in: Block access to sensitive content when a user has any of High, Medium or Low likelihood of risky-sign in (i.e., sign-in attempt was not performed by the legitimate owner of a user account).
- Trusted Network: Block access when the user is not at work. In other words, you can require access to sensitive content to be only from a network you trust.
You can see more details on this feature by reading Conditional Access policies for Azure Information Protection.
However, our customers in the regulated industries have asked that we take additional attributes and for other systems beyond the Microsoft ecosystem into account when making the decision of who should be allowed to access the sensitive files. Often, these attributes exist outside of the general Azure Active Directory boundaries, in customer’s own trusted line-of-business apps, ERP solutions and so forth. In addition, some customers have the need for a common, consistent policy management which can span beyond just their Microsoft 365 to their internal application environments. For example:
- A financial advisor is allowed to open a “Highly Confidential” customer data file only if she has completed training. This data is available in a line-of-business ERP application.
- A Swiss bank employee currently in the U.S. cannot open a “Confidential – Swiss data” document based on the travel information available in the customer’s Travel Agency database and their current jurisdiction.
- A customer service representative is allowed to access documents that contain “Confidential – Fabrikam Material” only when the organization’s CSR ticket management system has the representative on an active ticket for Fabrikam.
- An organization wants to utilize existing policies related to access control, maintained in their current environment, to sensitive files in their Microsoft 365 solution as well.
These policy decisions are typically tied to file sensitivity and scope contained within AIP and captured via the AIP Labels. We are excited to announce that using Azure Active Directory conditional access extensibility features, we are building a model where the customer can choose to apply externalized policies per AIP label. Ionic Security’s cross-cloud Data Trust platform is the first such provider of external decision points to our new extensibility service.
Here’s a simple scenario through which you will see this working:
Meet Joe, the Information Security admin at our company Contoso.
- Joe deploys the Ionic Security Data Trust Platform service and configures it with Contoso’s ERP solution to provide a runtime access decision point of Yes/No triggered by the following attributes: User ID and AIP Label ID, both provided by the Azure Information Protection and AAD workflows.
- Joe then sets up Azure Active Directory’s conditional access feature to communicate at run time with Contoso’s Ionic Security instance.
- Finally, Joe creates an AIP Highly Confidential label. Joe configures the label to add a new Conditional Access control which calls into Ionic Security’s policy decision point (PDP).
When Amy, a financial advisor at Contoso, tries to open a Highly Confidential file, AIP will check the claims in her AAD access token to verify if the conditional access policies have been satisfied.
- In this case, they won’t be as the decision is not being deferred to Ionic Security instance. So, AIP will direct Amy’s request to Azure Active Directory conditional access which calls into the Ionic Security instance behind the scene.
- Ionic Security will be asked to evaluate the decision trigged by Amy’s user ID and the label information.
- If Amy has enough training credentials, as determined by the most appropriate system within Contoso, Ionic Security will return a ‘Yes’ and AIP will allow Amy to open the document. If Ionic Security returns a ‘No’, Amy will continue to be denied access.
This new extensibility model will help solve two of the biggest challenges customers face today: usability and policy consistency. You would be able to utilize the simple and native AIP protection end user experience across mobile and desktop environments while ensuring that the access decisions are being made on your behalf by third party services that you trust. In this case, we chose to bring these new features to market with Ionic Security first as their Data Trust Platform allows for a lot of flexibility and consistency in policy management.
A bunch of functionality that will make this end-to-end scenario available are going to be developed over a period of time.
Our customers want these scenarios to work both in Azure powered BYOK and on-premises HYOK. We are pleased to announce that starting today, we are enabling this functionality on our HYOK module in preview mode for select customers. You can learn more about this and sign up for the preview here.