Solving the Challenges of Record Security with Record Center

As we look back at the typical challenges of Records Management, be it the ability to implement a non-invasive content ingress and approval processes, ensuring that the entire record lifecycle is properly managed—inclusive of disposition, or ensuring that users are able to find the content they need to do their jobs in as few clicks as possible, there’s one remaining pain point that has the potential to bring your entire records management strategy to its knees… security. The structure of your records management solution drives security, but security also often drives structure, so what comes first? Thankfully, Record Center solves these problems for you and stores your records in a structure designed to support your specific security needs.

Storage vs. Security Models

When first configuring a new Record Center instance, you’re asked to select both a Storage Model and a Security Model. These two options work in concert with one another to tell Record Center at what granularity you want to secure your records, and to ensure that they are stored using a structure that supports and enables that security methodology. These options are also impacted by other configuration settings of Record Center, such as your approval model—since determining who can approve records and at what point in their record lifecycle also contains an element of record security. Fundamentally, Record Center presents these options all in a way that is more intuitive than having to manually design what an overall repository architecture looks like—one of the challenges that B&R’s Managing Director, Mike Oryszak brushed on as part of his previous Keys to Designing and Managing Large Repositories blog post.

RecordApprovals1.png

Options for Record Security

Record Center offers three separate security models that may be configured to meet your organization’s individual needs. These record security models apply after a record has been loaded into the system and processed through any necessary approvals, so it’s important to note that the selection of a specific security model does not require a user to be a consumer of record content in order to participate in the upload/ingress of content, or to perform one or more of the record’s approval stages

Entity

The entity security model provides the least granularity for record security. This is often a good fit for small teams where the number of users consuming record content is low, the organization’s corporate structure is thin, or security doesn’t need to vary between individual record types. Every record added to Record Center is assigned to a legal entity, such as B&R Business Solutions, LLC. For organizations that only have one legal entity, this field will default to a single value, but from a security perspective this effectively means that all of that entity’s records are available to the same audience, be it every employee or a smaller subset such as a compliance team. This model is also particularly useful if an organization contains many different legal entities. This is often the case in the real estate industry where different properties are often separate legal entities. Using this model, records are easily classified and secured by the entity they belong to, simplifying the ability to grant users or owners of each entity access to only that entity’s records.

The entity security model is a good fit for small teams or where security doesn’t need to vary between individual record types

Series

The series security model ensures that each individual record series created within Record Center can be individually secured. This allows you to provide granular access to specific categories of records, including all of the document types that belong to that specific series. As an example, providing a user access to a “Service Contracts” series, would give them access to all service contracts document types, which might include things like equipment leases, maintenance contracts, master service agreements, etc.

Record Center’s Metadata-based security model allows for a more dynamic implementation of record security.

Metadata

Record Center’s Metadata-based security model allows for a more dynamic implementation of record security. When using this model, an organization defines one or more record metadata field(s) that can be used to determine that record’s security. As an example, if a record type has a “Business Unit” field, and the goal is to secure records based on if they were part of the Manufacturing business unit or Corporate business unit, metadata-based security would allow an organization to define users that will have access to any record where Business Unit is set to Manufacturing. This security is applied regardless of legal entity or record series, meaning that multiple metadata-based security fields may exist on any record type. Ultimately, this allows you to define the previous Business Unit based audiences in addition to say “Office Location”, where one or more users would be granted access to all records based on a specific Office Location value.

Record Center’s Metadata-based security model allows for a more dynamic implementation of record security.

Compliance Access

In addition to the previously mentioned security models, Record Center also facilitates simple access for those users that need access to every record, such as a corporate compliance department. These users may be given access to Record Center’s “Global Record Access” group, which is applied to every record that is loaded into the system.

Conclusion

Our goal with Record Center has always been to try and simplify the otherwise daunting and complex task of designing and implementing a robust Records Management solution, be it the initial installation of a solution, designing the overall implementation, identifying an organization’s various record types, defining individual retention plans for each of those types, and ensuring that the right people can find the content they need when they need it. While Record Center’s ability to manage record security in a way that’s easy to understand is just one component of that strategy, it is vital to reducing accidental exposure, and ensuring that sensitive records are locked down to only those users that have been identified as consumers of that content.

About Record Center

Record Center is your turnkey solution for enterprise-class record management. An extension of Microsoft SharePoint, Record Center arms your users and record managers with a feature-packed, intuitive solution to manage the entire life-cycle of your records. Configure, Approve and Search for records faster and easier than ever with Record Center.

calltoaction-recordcenter.jpg

Interested in learning more about Record Center?

Protecting and Classifying Your Data using Azure Information Protection

The Azure Information Protection (AIP) client is a much-welcomed improvement from the previous Azure RMS Sharing application.  The AIP client can be downloaded for free and its supported-on Windows 7++ and MacOS10.8++.  The AIP app also supports mobile devices running IOS or Android.  The AIP app replaces the RMS sharing app on both platforms. 

The AIP client provides enhanced usability for the everyday user to protect and classify files in a simple and straight forward manner.  The AIP client can protect most file types out of the box.  Users can easily protect other files types such as images, PDFs, music, and videos all through the AIP client.    The user can also use the AIP client to protect sensitive emails.  In this article, I am going to explain how users can protect and classify files by using the AIP client within Microsoft Office Word, Excel and PowerPoint 2016.  We will then touch on the configuring Azure Information Protection labels and policies within the Azure portal.

Azure Information Protection Requirements

Let’s use a real-world business use case as the foundation for this walkthrough.  This will provide a real example that can be replicated throughout your own organization if desired.  Here is a bulleted breakdown of the requirements:

  • All Office files and emails created by the Finance Management group must be automatically classified as confidential
  • The AIP policy should be scoped to the Azure AD group BR Management Team and should not affect all users in the organization
  • When a user that belongs to the BR Management Team group creates a new email the email should be automatically classified as confidential and protected
  • Emails that are classified as confidential cannot be forwarded
  • Users can override the recommended label classification but should be warned when doing so
  • A watermark should be applied to all files and emails classified as confidential in the footer
  • Protected data should be accessible offline

Now that we have gone through the requirements for the use case lets jump into how we can accommodate all of them in our final solution.  It is worth mentioning that there are some prerequisites for using the AIP client that I will not be covering in this article.  Please find that information in the getting started with AIP article found here.

Let’s begin with what the user sees within Office 20016 when AIP has been activated and installed.  As you can see in the screenshot below from Word the AIP client is an add-on to Office 2016.  Once installed you will see the protect button in the ribbon.

aip-1.png

If you click on the show bar option you will notice the sensitivity settings bar as shown below in the screenshot.  The sensitivity labels can be manually set by an end-user.  Labels can also be set automatically based on the file/email content though.  Labels belong to a default AIP global policy which includes all users within your organizations Azure AD.  The different default sensitivity labels are also shown in the screenshot below.  These labels can be customized and new labels can be created through the Azure Information Protection resource in the Azure Portal.

aip-2.png

Additionally, AIP administrators have the ability in the Azure portal to create scoped policies.  These scoped policies can be created for specific groups of users and edge cases where customized labels and protection is required. All users in a specific department such as finance management require a stricter set of standards for labeling and classification because of the sensitivity of the files and emails they deal with daily.

Configuring AIP Policies

Below I have created a new scoped policy called Finance Management Confidential.  I have selected the appropriate management team group.  This is important to note because this is the group of users who will get the Finance Management Confidential AIP policy.  When we customize this policy, we are customizing what the group of users we have selected will see in their sensitivity bars throughout all of the Office 2016.  Additional labels and sub-labels can be created specifically for the selected group of users.

aip-3.png

As you can see in the image above I have created a new sub-label under the Confidential label.  Sub-labels provide a further level of classification that can be scoped to a subset of users within your organization. 

In the sub-label configuration image below, I have configured the footer text to show the text “confidential”.  This is also where you can setup Azure protection for the specific AIP label that you are creating.

aip-4.png

Once you have selected Azure RMS under the protection heading you can then begin to configure the different Azure RMS permissions.  In here we will make sure that data that is classified with this sub-label cannot be printed or forwarded.  Now that we have configured the protection for our sub-label we can now save this sub-label.  This sub-label is officially configured with AIP and all files that are classified with this sub-label will be automatically protected with the permissions that were setup in the previous step.  Once you have saved the sub-label to the policy make sure that you publish your scope policy. 

aip-5.png

Using AIP in Office 2016

Once the policy has been published it will be pushed to the users detailed in the policy.  Users who belong to this policy will see that all files they create or open will have the recommended sub-label that was created in the previous steps.  If the user hovers over the recommended labeling the tool tip description will pop up which provides valuable information to the users when they are deciding the classification of the document.  It’s important to be concise and spend some extra time on the description of your organizational labels.  These will help guide users in making the right decision when classifying new files. 

aip-6.png

Of course, you can always force the classification and labeling of files and emails instead of recommending a label.  This is useful when using conditions with your policy.  You can force the label of a document or email if for example the condition detects that there is sensitive data such as social security numbers or credit card numbers.  Forcing could potentially erroneously label a file causing additional administrative overhead.  In most cases providing a recommendation and specifying in the policy that the user be warned when reclassifying files that have less restrictive protection.  Such as reclassifying a file recommended as confidential to public.  This would require an auditable action that the user in fact acknowledged that they were reclassifying the file.

Once the file is labeled it will inherit all the classification and protection rules that were applied while editing the policy in the Azure portal.  This includes any protection that was setup for the labels by administrators.  The image below shows a Word document that has been classified by the sub-label Finance Management that was created earlier in this article.  Notice the classification in the left-hand corner of the image below and the footer text which was automatically applied after selecting the recommended label.

aip-7.png

Using the AIP client, the user can decide to downgrade a classification if needed.  Users will be prompted with the image below to set a lower classification label.  This will deter users from simply declassifying files that may be sensitive.  The user acknowledgement is an auditable action.

aip-8.png

Users can manually setup custom Azure RMS permissions if needed by selecting the AIP protect button in the ribbon within their favorite Office 2016 application. 

aip-9.png

The one disadvantage with using this method is users will only be able to configure permissions for one level of rights.  To clarify, if you want to provide two groups of users with two different levels of permissions for example, read only and edit, you will need to use the protect document button within Office 2016.  To do this first select File then Info, then select the Protect button as shown in the image below.  You will notice that our custom confidential AIP sub-label that we configured is also showing up in the restricted access context menu. 

aip-10.png

A user could easily select a label if they wanted to from here.  To get around the issue with applying multi-level custom permissions users can select the restricted access menu item.  Using the permissions dialog box that pops up users can now assign multiple levels of permissions to users and groups.

aip-11.png

Now let’s open up Outlook as a user who belongs to the finance management group.  As you can see in the image below the policy is automatically recommended on all new emails.  The behavior for classification in the Outlook 2016 client for email classification is similar to the rest of the AIP supported Office applications (Word/Excel/PowerPoint).  Once the label is selected all policies are applied to that email.

aip-12.png

Conclusion

The Azure Information Protection client provides the easiest way to classify and protect files and emails when creating or editing them from within the Office desktop applications.  The client is just one piece to the entire puzzle that is AIP.  The real key is in the planning and creation of meaningful labels and classification policies for your users.  This helps to drive users to begin using these classification policies with ease.  I must say from past experience the less the users have to think about the better.  If the classification labels are clear and help guide the user than the users are more likely to engage.  Additionally, forcing users to classify files and emails isn’t always the answer except in specific highly sensitive scenarios.  The AIP client is constantly being improved and added to.  In fact, there was a new version with new capabilities pushed out just this week and can be downloaded here.

 
calltoaction-paas.png

B&R can help you leverage Azure Information Protection