Data Classification And Protection With Microsoft Information Protection

Transcription

Data Classification and Protection with Microsoft Information Protection (2021 Updates for LAN Administrators)
Information Technology Services Centre, December 2020
Photo by Avel Chuklanov on Unsplash

Agenda: The Need for Document Protection; Microsoft Information Protection; Migration from Classic Client to Unified Client

The Need for Document Protection
Maintaining high levels of document security protects the University from loss of intellectual property, damage to reputation and legal consequences.
Photo by Bill Oxford, Akshay Chauhan, Kelly Sikkema, Markus Winkler and Samuel Ramos on Unsplash.

The Need for Document Protection
The Data Classification and Data Governance Policy, published in Aug 2016, proposes a comprehensive framework for protecting the University’s digital information, particularly digital-based documents.

Microsoft Information Protection

Microsoft Azure Information Protection (AIP)
A data protection solution which helps you to classify, label and protect documents according to the confidentiality level of the information.
Once a document is classified and labelled, the corresponding predefined security policy will be applied immediately to protect the document and limit access by unauthorized persons.

AIP Supported Document Types

| Document Type | Create / Open Protected Document |
|---|---|
| Microsoft Office (.docx / .xlsx / .pptx) | Office 2016: Use AIP client. Office 2019 & Office 365: Use AIP client add-in; Office built-in capability [1,2] |
| PDF | Use AIP client |
| Email | Office 2016: Use AIP client add-in; Use Outlook on the web [2]. Office 2019 & Office 365: Use AIP client add-in; Office built-in capability [1,2]; Use Outlook on the web [2] |

[1] Sign-in to Office app required.
[2] Starting 7 Jan 2021.

Installing AIP Client
Download the installer from ITSC Website: AzInfoProtection UL.exe

Predefined Classification Labels and Visual Markings
Make your documents compliant with the policy in 1 click.
1. Select the classification label
2. Classification Label applied to the document
3. Visual Marking added in document header

Open Protected Documents
Outsiders are unable to open protected documents as they are encrypted.
Screenshots: Open by CUHK staff; Open by outsiders

Predefined Classification Labels and Visual Markings
Corresponds to Data Classification and Data Governance Policy.
Table columns: Classification Label; Permissions to all Staff; Visual Markings in Office Documents* / Emails; Offline Access
Strictly Confidential – All Staff: View; Reply / Reply-all. Other actions listed in this row: Edit; Save / Save-as / Export; Print; Forward; Copy-n-paste / screenshot. Visual markings: Header, and Footer; Watermark (for Office Documents only). Offline access: 1 day.
Confidential – All Staff: View; Edit; Save / Save-as / Export; Reply / Reply-all / Forward. Visual markings: Header and Footer. Offline access: 7 days.
* Microsoft Word (.docx), Excel (.xlsx) and PowerPoint (.pptx)

Open Office Documents from Mobile Device
Use official Microsoft Office apps.
Screenshots: Word in iOS; Word in Android

Open Office Documents in Office 365, OneDrive and SharePoint (web)
Currently not supported. Please open protected files using desktop or mobile device.
Same for OneDrive and SharePoint unless files are opened in desktop app via a network drive.

Open PDF Documents
Use Azure Information Protection Viewer. Standard message will be shown for unsupported PDF viewer.
Screenshots: Azure IP Viewer; Unsupported PDF Viewer

Open PDF Documents using Azure Information Protection Viewer (Windows)
Launch the app from Start Menu, or right-click the PDF file and choose Open with Azure Information Protection Viewer.

Open PDF Documents using Azure Information Protection Viewer (iOS / Android) (Starting 7 Jan 2021)
Install Azure Information Protection Viewer (iOS / Android) prior to opening protected PDF files.
Open protected PDF files in AIP Viewer app. iOS: ‘Share file via ’ and pick AIP Viewer.
Screenshot: Protected file viewed in AIP viewer

Open PDF Documents using Azure Information Protection Viewer (iOS / Android) (Starting 7 Jan 2021)
Install Azure Information Protection Viewer (iOS / Android) prior to opening protected PDF files.
Open protected PDF files in AIP Viewer app. Android: Choose AIP Viewer when prompted.
Screenshot: Protected file viewed in AIP viewer

Create Protected PDF Document using Azure Information Protection App (Windows)
1. Right-click the PDF file and click ‘Classify and protect’ from the context menu.
2. Select preferred protection and click ‘Apply’ from AIP app.

Send Protected Email
Protect your email in the same way as you protect your documents.
1. Select the classification label
2. Classification Label applied to the email

Read Protected Email (by CUHK Staff)
Screenshot callouts: ‘Forward’ button is disabled (for Strictly Confidential); Classification label; Visual marking (for Strictly Confidential)

Send Protected Email (Tips)
Put #confidential and #strictlyconfidential hashtag in your email subject to achieve the same result.
Screenshot callouts: Subject includes appropriate hashtag; Classification label applied
Attachment and content will have corresponding restrictions applied, though visual marking is not available.

Read Protected Email (by Outsider)
If the sender sends the email to a non-CUHK email address, the outsider won’t have access to the protected email.
Screenshot labels: demouser@cuhk.edu.hk; outsider@externalmail.com

Start Protect Your Documents TODAY!

Demo
Create Protected Documents: Word; PDF
View Protected Documents: By CUHK Staff; By Outsiders
Send Protected Email
View Protected Email: By CUHK Staff; By Outsiders

Migrate from Classic Client to Unified Labeling Client

Classic Client (v1)
Based on Azure Information Protection
Word / Excel / PowerPoint Desktop; Outlook Desktop
Word / Excel / PowerPoint Mobile (Requires AIP viewer); Outlook on the web; Acrobat Reader
Diagram labels: Classic Client; Confidential; Strictly Confidential; Azure Information Protection Portal
Source: Announcing timelines for sunsetting label management in the Azure portal and AIP client (classic) - Microsoft Tech Community
Source: Understanding Unified Labeling migration - Microsoft Tech Community

Unified Labeling Client (v2)
Based on Microsoft 365 Security and Compliance Center
Word / Excel / PowerPoint Desktop; Outlook Desktop; Word / Excel / PowerPoint Mobile; Outlook Mobile; Office for the web (coming soon); Outlook for the web; Power BI Data protection; Apps based on Microsoft Information Protection SDK (e.g. Adobe Acrobat)
Diagram labels: Unified Labeling Client; Word / Excel / PowerPoint Desktop; Outlook Desktop; Word / Excel / PowerPoint Mobile (Requires AIP viewer); Confidential; Strictly Confidential; Microsoft 365 Security and Compliance Portal
Source: Announcing timelines for sunsetting label management in the Azure portal and AIP client (classic) - Microsoft Tech Community
Source: Understanding Unified Labeling migration - Microsoft Tech Community

Azure Portal: Label Management in Azure Portal will no longer be available after 31 Mar 2021.
Classic Client: Classic client will no longer work after 31 Mar 2021.
Photo by Sergey Pesterev on Unsplash

Migration Anatomy

Stage 1 (Now – 6 Jan 2021)
Preparation work by ITSC. You: No action needed – apply document protection as usual.
Diagram labels: Classic Client; Unified Labeling Client; Confidential; Strictly Confidential; Azure Information Protection Portal; Microsoft 365 Security and Compliance Portal

Stage 2 (7 Jan – 31 Mar 2021)
Transition period. Users should upgrade to Unified Labeling client. Protected documents created by either client can be opened by the other.
Diagram labels: Classic Client; Unified Labeling Client; Confidential; Strictly Confidential; Microsoft 365 Security and Compliance Portal

Stage 3 (1 Apr 2021 onwards)
Users are expected to read and create protected contents using Unified Labeling (i.e. new) client. Files protected using Classic client can still be opened.
Diagram labels: Unified Labeling Client; Confidential; Strictly Confidential; Microsoft 365 Security and Compliance Portal

Major Changes in Unified Labeling Client

Major Changes in Unified Labeling Client
‘Custom Permissions’ no longer accessible from Office app
‘Track and Revoke’ is no longer supported
Screenshots: Classic Client; Unified Labeling Client

Major Changes in Unified Labeling Client
Screenshots: Classic Client; Unified Labeling Client

Major Changes in Unified Labeling Client

| Feature | Description |
|---|---|
| Creation of protected PDF files using .ppdf extension | PDF files are protected using ISO standard (i.e. using .pdf extension). Still be able to read .ppdf files. |
| Display of the user identity that applied the protection | Not planned in Unified Labeling client |

Screenshots: Classic; Unified
Source: The client for Azure Information Protection - AIP Microsoft Docs

Installing Unified Labeling Client
‘AzInfoProtection UL.exe’ for general users
‘AzInfoProtection UL MSI for central deployment.msi’ for mass deployment
ITSC Website > Services > Information Security > Data Classification and Protection with Azure Information Protection (AIP)

Migration Timeline Recap
7 January – 31 March 2021: Users who need to create / frequently access protected documents should upgrade their IP client starting 7 Jan 2021.
From 1 April 2021: Users must use Unified Labeling (new) client to create and open protected documents. Documents created by Classic Client could still be opened by Unified Labeling client. All AIP (old) clients should be removed.

Questions?

Frequently Asked Questions
1. Can a protected document be created using a Project Account?
AIP service is also enabled for project accounts. When a protected document is sent to a project account (via email), users can open the protected document using his / her user identity.

Frequently Asked Questions
2. My faculty member used to forward all University emails to his/her personal email (e.g., Gmail). Does AIP also work in this scenario?
Protected email does NOT work (requires @cuhk.edu.hk mailbox). A protected attachment included in an unprotected email works. Please be reminded that to view the protected document, users are required to either (1) install latest AIP viewer or, (2) from 7 Jan 2021 onwards, open the protected file using Office 2019/Office 365.

Frequently Asked Questions (Starting 7 Jan 2021)
3. Can I send a message to student / alumni / vendor and not allow them to forward it?
This is an advanced topic, achievable using Outlook on the web only and available on or after 7 Jan 2021.
CAUTION: do not mix up with ‘labels’ which is targeted to CUHK staff.

| Label / Custom Security Level | Target | Read | Copy | Forward | Open by Outsider |
|---|---|---|---|---|---|
| Label: Strictly Confidential – All Staff | CUHK Staff (@cuhk.edu.hk) | Yes | No | No | No |
| Label: Confidential – All Staff | CUHK Staff (@cuhk.edu.hk) | Yes | Yes | Yes | No |
| Encrypt | Specific recipient | Yes | Yes | Yes | Yes (using OTP*) |
| Do Not Forward | Specific recipient | Yes | No | No | Yes (using OTP*) |

* One-time passcode

Frequently Asked Questions (Starting 7 Jan 2021)
3. (Continued) Compose a message in Outlook on the web. Click the ellipsis (...) button, then Encrypt, then Do Not Forward.
DON’T choose ‘Sensitivity’ as it doesn’t apply to outsiders.

Frequently Asked Questions (Starting 7 Jan 2021)
3. (Continued) Recipient will be asked to enter a one-time passcode. The code will be sent to user’s mailbox as soon as the ‘Read the message’ button is clicked.

Frequently Asked Questions (Starting 7 Jan 2021)
3. (Continued) Outsiders will see the message upon successful validation.
Note: Forward and Print buttons are disabled; unable to copy message.

Appendix 1: Possible User Scenario (since 7 January 2021)

| # | Scenario | Changes / Impact |
|---|---|---|
| 1 | Office 2016, AIP classic client NOT installed | No Change |
| 2 | Office 2016, AIP classic client installed | No Change |
| 3 | Office 2019 / Office 365, AIP classic client NOT installed | No Change if user doesn’t sign in to Office. After signing in to Office 365, “Sensitivity” button will be shown. No more “Track and Revoke” function. The function “Custom Permission” will disappear under "Sensitivity" button. |
| 4 | Office 2019 / Office 365, AIP classic client installed | No Change |
| 5 | OWA Email Encryption | The change applies to ALL users, NOT depending on AIP client version. All the 2 labels are available under the "Sensitivity" button. "Encrypt" and "Do Not Forward" are moved under "Encrypt". |

Appendix 2: Summary of Changes in Office Add-in and AIP Bar
(A): Stage 1 / (B): Stage 2
AIP Classic (old) client / MIP Unified Labeling (new) client
Columns: Conditions; “Sensitivity” button (No Track and Revoke function) (Related to Unified Labeling); “Protect” button (Related to AIP client); AIP Bar (Related to AIP classic client or AIP unified client)
1 Office 2016, NO AIP client
2 Office 2016, installed AIP classic client
3 Office 2016, installed MIP unified labeling client
(A)(B)(A)(B)(A)(B) No No Yes Yes (A)(B)(A)(B) No No No No (A)(B)(A)(B)(A) Yes (Sign in O365 but return Error Message: "Something went wrong while downloading your template.") Yes (Sign in O365 during client installation) (A) No (B) No (default) Yes (User need to click "Sensitivity" "Show Bar" to make it visible.) No No (B) No No Yes Yes
4 Office 2019 and Office 365, NO AIP/MIP client
(A)(B) No No (A) No (B) No (default) / Yes (After sign in O365) (A)(B) No No
5 Office 2019 and Office 365, installed AIP classic client
(A)(B) Yes Yes (A) No (B) No (A)(B) Yes Yes (A) (A)(B) No No (default) Yes (User need to click "Sensitivity" "Show Bar" to make it visible.)
6 Office 2019 and Office 365, installed MIP unified labeling client
(A)(B) No No (B)
7 OWA Email Encryption
Yes (Sign in O365 but return Error Message: "Something went wrong while downloading your template.") Yes (Sign in O365 during client installation) (A) “Encrypt” button (B) All the 2 labels are available under the "Sensitivity" button. Also, "Encrypt" and "Do Not Forward" is moved under "Encrypt"
