I’ve written about Azure Information Protection before. Microsoft has just announced public preview of a great extension of Azure Information Protection (AIP). Now this tool can recognize a larger list of credentials that may be sitting in emails or files. This is a big deal because credential theft is one of the main methods hackers use to breach organizations’ networks.
Communicating Credentials the Safe Way is Great
At CGNET we use an application called Privnote (link) to communicate credentials. Privnote is a use-it-once app that we use to share a username, password, or both. (Privnote destroys the note once it’s been opened.) Think of it like WhatsApp for credential communication. And by the way, the recommended practice is to send the username and password via separate methods, such as email and text message, or email and Privnote.
Automating Credential Checking is Even Better
This practice works great to protect credentials. But its weakness is that it relies on individuals to follow the practice. And we all know that’s not a strong security measure. (link to internal)
This is where Azure Information Protection comes in. Azure Information Protection is used to set up policies that are followed once a particular string is recognized in an email. For instance, if AIP discovers admin@organization.org, it can display a Policy Tip warning the user that they shouldn’t be communicating this credential in an email. Azure Information Protection also has a scanner that looks at file contents to see if certain strings are present. Administrators can then take action to modify or remove those strings. And of course, it comes with a pretty dashboard.
These are the new credentials that AIP can recognize.
- Azure Service Bus Connection String
- Azure IoT Connection String
- Azure Storage Account
- Azure IAAS Database Connection String and Azure SQL Connection String
- Azure Redis Cache Connection String
- Azure SAS
- SQL Server Connection String
- Azure DocumentDB Auth Key
- Azure Publish Setting Password
- Azure Storage Account Key (Generic)
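To show what the recognition-and-Policy-Tip flow described above looks like in code, here is an added Python example. It is not Microsoft's code and it does not use AIP's actual sensitive-information definitions, which this post does not publish; the regular expressions are my own rough approximations of a few of the credential shapes in the list (storage account keys, Service Bus/IoT shared access keys, SAS tokens, SQL Server connection strings), and the email body is constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed, approximate patterns for some of the credential types listed in
# the post. These are NOT AIP's own definitions; real detectors use checksum
# and keyword context to cut false positives. They are enough to show the
# pipeline: recognize a string -> show a Policy Tip -> redact before sending.
PATTERNS = {
    "Azure Storage Account Key": re.compile(
        r"AccountKey=(?P<secret>[A-Za-z0-9+/]{86}==)"),
    "Azure Service Bus / IoT Connection String": re.compile(
        r"SharedAccessKey=(?P<secret>[A-Za-z0-9+/]{40,}={0,2})"),
    "Azure SAS": re.compile(
        r"sv=\d{4}-\d{2}-\d{2}[^\s]*?sig=(?P<secret>[A-Za-z0-9%+/=]+)"),
    "SQL Server Connection String": re.compile(
        r"Server=[^;]+;[^\n]*?Password=(?P<secret>[^;\s]+)", re.IGNORECASE),
}


@dataclass
class Finding:
    kind: str
    start: int   # offset of the secret value inside the text
    end: int
    preview: str  # first/last characters only, safe to log


def scan(text):
    """Return every credential-looking match in `text`, ordered by position."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            secret = m.group("secret")
            preview = secret[:4] + "..." + secret[-2:]
            findings.append(Finding(kind, m.start("secret"), m.end("secret"), preview))
    findings.sort(key=lambda f: f.start)
    return findings


def policy_tip(findings):
    """The warning a client would show the user; None when nothing was found."""
    if not findings:
        return None
    kinds = sorted({f.kind for f in findings})
    return (f"Policy Tip: this message appears to contain {len(findings)} "
            f"credential(s) ({', '.join(kinds)}). Credentials must not be "
            f"sent in email; use the approved one-time channel instead.")


def redact(text, findings):
    """Replace each detected secret with a marker, working from the end so
    earlier offsets stay valid."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[:f.start] + f"[REDACTED {f.kind}]" + out[f.end:]
    return out


# Constructed sample email. The key material is deliberately fake filler.
FAKE_STORAGE_KEY = "A" * 86 + "=="
FAKE_SB_KEY = "B" * 43 + "="
SAMPLE_EMAIL = f"""Hi team, here is everything you need for the migration:

storage: DefaultEndpointsProtocol=https;AccountName=devstore;AccountKey={FAKE_STORAGE_KEY};EndpointSuffix=core.windows.net
bus: Endpoint=sb://demo.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey={FAKE_SB_KEY}
backup url: https://devstore.blob.core.windows.net/backups?sv=2022-11-02&ss=b&srt=sco&sp=rl&se=2030-01-01T00:00:00Z&sig=abc123%2Fdef456%3D
db: Server=tcp:db.example.invalid,1433;Database=app;User ID=appuser;Password=Hunter2!Hunter2;Encrypt=True;
"""

if __name__ == "__main__":
    found = scan(SAMPLE_EMAIL)
    for f in found:
        print(f"{f.kind}: {f.preview}")
    print(policy_tip(found))
    print(redact(SAMPLE_EMAIL, found))
```

The split between `scan`, `policy_tip` and `redact` mirrors the two places the post says AIP acts: the Policy Tip is the client-side warning at compose time, and the redaction is the kind of remediation an administrator would run after the scanner finds the same strings in files at rest.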
These new credentials are primarily Azure-related. If you’re not using Azure now, this announcement won’t be as relevant for you. Regardless, this addition to AIP recognition capability signals Microsoft’s intent to continue extending the capability of AIP, as well as adding this capability to other security tools such as Data Loss Prevention. It’s how Microsoft secures their Azure environment, so you know they have a stake in seeing AIP work.
Stay tuned, there’s more to come!