Microsoft AIP Doesn’t Measure Up

Data security is a measure twice, cut once type of activity. Mistakes in data security are expensive. IBM's recent Cost of a Data Breach report states that the US's average data breach costs companies $3.84 million. Many data security solutions have a fatal flaw that creates a risk for data loss. (see Move Beyond DLP's Failures). What are Microsoft's Azure Information Protection (AIP) failures? AIP fails in three ways:

· Security is only transparent for Microsoft Office applications.

· Data classification relies on users.

· After identification or classification, AIP doesn't protect data immediately.

Security is only transparent to Microsoft Office or RMS-enlightened applications.

Securing data in the Microsoft walled garden works. The real world, however, is made up of applications beyond Microsoft. Like DLP, AIP only supports native Microsoft applications or applications that have the Microsoft RMS SDK integrated. Once you introduce external applications and file types, security looks more like file encryption. File encryption can keep data safe in transit or at rest. The flaw with file encryption is that users must decrypt the file for use. And once the user decrypts the file, security relies on the user re-applying encryption after using it.

Data classification relies on users.

Similar to DLP, AIP requires users to become part of the security process. People are fundamentally prone to make mistakes. Even the most diligent employees will still classify based on their best interpretation of the data. As discussed previously on “Data Loss Prevention’s Classification To Security Gap”, data is in constant motion. The only way to correctly classify information is to monitor the data and automatically label and secure it based on content.

Security not applied during classification

Microsoft's AIP documentation recommends that confidential and highly confidential data tags are secured immediately while internal and public tags are not. By not securing data during classification, data labeled Internal or Public today could evolve to confidential information while the label remains Internal. Eventually, users can accidentally or maliciously send files outside the company. Why not secure all data by default?

Companies should not worry about measure twice and cut once. By removing employees from the security process, securing all data immediately on the endpoint regardless of classification tag, and ensuring security can protect all types of data from any application, companies can finally reduce their data loss risk.

SecureCircle is compatible with all file types and applications without any modifications to workflows or applications. Custom enterprise applications with unique file types are secured in the same way as a Docx Microsoft Word file.

Unlike AIP or other DLP tools, SecureCircle does not require any security decisions from the user. Data is automatically secured using content and contextual information. Securing data by content includes protecting data similar to previously protected data or securing a specific class of data such as PII, PCI, or PHI. Examples of contextual security:

· Securing data downloaded from

· Applying security to locations such as the Finance folder on a central file server

· Automatically securing all output from Excel orVisual Studio

Because SecureCircle is transparent to users and workflows, SecureCircle secures data immediately upon detection. Unlike legacy solutions, which only apply security when users try to transfer data from the endpoint, SecureCircle's persistent data security works at rest, in transit, and in use.

SecureCircle - no measuring required - transparent continuous automated data security.

Microsoft AIP Doesn’t Measure Up