It has historically been difficult to enable users to easily and seamlessly restrict a document or set of documents within the document itself. Well, all of that is changing. A recent release (as of this writing) allows Mac OS X machines to lock down a document or restrict access with three clicks. Below is an example of this in action using the Microsoft Word client.
Users can easily apply Azure Information Protection (AIP) labels within the Review tab - the same location for common tools like Tracked Changes and Commenting. Here you can select the Protect dropdown and then the Restrict Permission dropdown.
Many may be wondering (depending upon when you are reading this) why this is not available for Windows machines *yet*. Currently there is an AIP standalone client that allows users to restrict documents, but not natively within each Office application. OS X, on the other hand, does not have an AIP client, and is the first to receive this update as a result. Eventually all clients across all operating systems will have native AIP-based restriction capabilities.
What in the World is Azure Information Protection? or AIP?
Azure Information Protection (AIP) adds additional security to documents in addition to the container they are already secured within. AIP allows us to classify documents - such as General, Company Proprietary, Vendor Related, and Confidential - for the purpose of both adding technical security controls as well as modifying documents to ensure the visibility of the secure nature of the file.
For example, a Confidential file could have controlled access and also contain a watermark, automatically, noting it’s file type. This helps to adhere to compliance regulations and keep the content within the need to know circle it was intended for. This file could also have a footer or header, in addition to or in place of the watermark.
AIP provides an additional layer of document protection beyond the standard platform security. One of the key features of AIP is it protects a document as it moves around the enterprise – regardless of location. It gives a document a “have security, will travel” capability without compromising security. To learn about the other layers of the Microsoft Security Onion, you should check out this quick video series.
One last note - if you are a federal contractor and, therefore, need to manage CUI/CDI data, you will need to read this resource! It'll help you better take what's discussed here and apply to your organization.