Protecting documents and emails with Digital Rights Management (DRM) in Office 365

by Becky Driscoll

Tags: SharePoint, Microsoft Office, Office 365, Legislation

2018 is the year of the data-conscious consumer. Customers are becoming increasingly wary of their data trail and of how businesses are stepping up to the mark to protect their personally identifiable information (PII). Many businesses are using Office 365 to capture and manage documentation and email trails, but it is the Digital Rights Management (DRM) technologies within Office 365 that are getting everybody talking. These technologies are integral to classifying, labelling and protecting sensitive information.

The General Data Protection Regulation (GDPR) specifies the need for Digital Rights Management technologies to prevent sensitive information from being shared, printed, forwarded or copied to unauthorised recipients. PCI-DSS 3.0 compliance further requires that cardholder information is protected.

With this in mind, Office 365 provides the solution. The software includes several cloud-based DRM technologies such as:

  1. Azure Rights Management Service (Azure RMS) – included with Office 365 Enterprise E3/E4/E5 licences.

  2. Azure Information Protection (AIP) Premium P1 licence – an extension of Azure RMS.

  3. Azure Information Protection (AIP) Premium P2 licence – an extension of AIP P1.

1. Azure Rights Management Service (Azure RMS):

Azure RMS is a cloud-based service that can be applied to Office applications (Word, Excel, PowerPoint and Outlook) and Office services (Microsoft Exchange Online, Microsoft SharePoint Online and OneDrive for Business). Azure RMS uses encryption, identity, and authorisation policies to help secure documents and emails across multiple devices: phones, tablets and PCs.

The technology includes a SharePoint Information Rights Management (IRM) feature that can be applied to SharePoint Online document libraries with check out enabled (including Office 365 Groups, Microsoft Teams, and OneDrive for Business). This feature controls how downloaded documents are used by authorised users, based on specified information protection policies. For example, this may include: the enforcement of read-only state; the disabling of copying text; the prevention of saving a local copy; and the prevention of printing.

2. Azure Information Protection (AIP) Premium P1 licence:

The Azure Information Protection (AIP) Premium P1 licence is part of the Microsoft Enterprise Mobility + Security E3 licence and Microsoft Secure Productive Enterprise E3 licence and can also be subscribed to separately. The cloud-based service extends the capabilities of Azure RMS to include manual document classification and the consumption of classified documents. Features include:

  • Manual document classification and consumption of classified documents.
  • Departmental template support to define which templates are visible to different client applications.
  • RMS connector with on-premises Windows Server file shares by using the File Classification Infrastructure (FCI) connector.
  • Document tracking and revocation.

3. Azure Information Protection (AIP) Premium P2 licence:

The Azure Information Protection (AIP) Premium P2 licence is part of the Microsoft Enterprise Mobility + Security E5 licence and Secure Productive Enterprise E5 licence and can also be subscribed to separately. The cloud-based service extends the capabilities of AIP P1 to include:

  • Automated data classification and administrative support for automated rule sets.
  • Hold Your Own Key (HYOK) that spans Azure RMS and Active Directory RMS for highly regulated scenarios.

What are the benefits?

The Security & Compliance Center (included with Office 365) provides a Classification Label capability that is designed for the auditing and retention of documents stored on Office 365. AIP extends this labelling capability to include the persistent classification and protection of documents, independent of where the document is stored.

  • Users can create and consume protected content whether viewed using Office Online or downloaded to a local machine.
  • Enhance the security of your SharePoint document libraries by using Information Rights Management (IRM) to set up appropriate permissions.
  • Apply Rights Management Services custom templates.

How can I access these DRM technologies?

The AIP client for Windows, iOS and Android is a free downloadable client for organisations that use AIP to classify and protect documents and emails or use the Azure RMS to protect data. The client includes a viewer that can be used by external clients that do not have AIP and Azure RMS but wish to consume content that has been protected.

In the real world, organisations may choose to apply default RMS policies to content stored in document libraries, or individually apply labels to protect specific documents or emails. For example, a “Finance Restricted” label could be manually applied to financial documents, which marks the content as sensitive and prevents the information from being shared externally, or downloaded, saved as, or printed.

Office 365 offers the option of automatically labelling content based on pre-defined rules to avoid mistakes, whilst saving time. For example, an “HR Restricted” label could be recommended or automatically applied when a user types HR-related data or stores a document in various Office 365 locations.

Find out more about how Office 365 and Digital Rights Management (DRM) can help your organisation. Contact Deltascheme today.