Today, Microsoft announced Azure Information Protection (AIP), a new system to help protect sensitive data even as it moves between applications and organizations. AIP builds on the existing Azure Rights Management (RMS) system to add data labelling and classification to ensure that the right protection policies are applied to sensitive data at the time it is created to help restrict data leaks.

Azure RMS provides a cloud-based system for performing rights management of sensitive information. With RMS, documents are encrypted and restricted in various ways; opening them requires authentication against Azure Active Directory (AD), allowing the usage of the documents to be tracked and recorded. Once opened, the documents can have their usage restricted to prevent, for example, printing or editing.

Unlike a traditional password-protected document, where knowing the password is sufficient to give permanent access to the file, the online authentication used by RMS means that access can be controlled on a more continuous basis. Accounts showing suspicious behavior such as impossible travel (where logins are made from different places around the world faster than one could travel between those places) can be locked out, blocking access to protected data.

Applications such as Exchange and SharePoint already have support for rights management policies, with Exchange being able to block the forwarding of sensitive e-mails to external addresses, for example.

AIP adds easy-to-use classification and labeling of data so that the right policies can be applied. RMS provides the core file encryption and authentication features; AIP provides an easy interface within Microsoft Office for picking a policy, along with automatic rules-based classification so that policies can either be suggested or applied automatically, based on document features. For example, a Word document containing a credit card number might suggest a policy that restricts access to the finance department. Users can be given the ability to override these suggestions (optionally requiring them to describe their reason for doing so), giving IT departments oversight of the system.

AIP has native support for Office documents, along with PDFs, AutoCAD files, and reports generated by SAP. This native support enables things like watermarks to be automatically added to protected Word documents to indicate their protection. Other data can also be protected by putting it inside an encrypted wrapper. The combination of encrypted data and cloud authentication means that the protection is applied wherever a file is accessed from, whether at the office or on a mobile device, and it works the same way whether the data is stored locally or in the cloud.

This labeling and classification capability is a result of Microsoft's late-2015 purchase of Israeli firm Secure Islands. The feature will go into preview in July, with the company planning general availability by the end of the year.

Microsoft's investment in this area signals a broader shift in the approach to data management. The widespread use of mobile devices and cloud services means that for many organizations, the network perimeter no longer represents the border beyond which sensitive data must not flow. Collaboration with external companies makes this problem harder still. RMS and AIP instead use what the company calls an "identity-driven" approach to securing data: users must authenticate with Azure AD, proving their identity, regardless of where they're using protected data.

While Microsoft is not alone in offering cloud-based rights management (we wrote about Egnyte, a cloud company offering some similar capabilities, earlier this month), Redmond argues that it's particularly well-positioned in this area. Companies using Office 365 already have Azure AD identities, so a large part of the setup that might otherwise be required is taken care of.