什么是 Azure 信息保护?What is Azure Information Protection?

适用范围: Azure 信息保护Applies to: Azure Information Protection

Azure 信息保护(有时也称为 AIP)是基于云的解决方案,有助于组织通过应用标签对其文档和电子邮件进行分类和有选择地保护。Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps an organization to classify and optionally, protect its documents and emails by applying labels. 标签可以由定义规则和条件的管理员自动应用、由用户手动应用或是二者组合应用(在这种情况下会向用户提供建议)。Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations.

下图显示在用户计算机上实际操作中的 Azure 信息保护示例。The following picture shows an example of Azure Information Protection in action on a user's computer. 管理员已配置具有检测敏感数据的规则的标签,在我们的示例中,敏感数据是信用卡信息。The administrator has configured a label with rules that detect sensitive data and in our example, this is credit card information. 当用户保存包含信用卡号的 Word 文档时,她会看到一个自定义工具提示,建议她应用管理员配置的标签。When a user saves a Word document that contains a credit card number, she sees a custom tooltip that recommends the label that the administrator has configured. 此标签将对文档进行分类并保护。This label classifies the document and protects it.

用于 Azure 信息保护的建议分类示例

来自 Azure 信息保护客户端(经典)的屏幕截图Screenshot from the Azure Information Protection client (classic)

内容进行分类(以及保护(可选))之后,随后可以跟踪并控制其使用方式。After your content is classified (and optionally protected), you can then track and control how it is used. 可以分析数据流以深入了解业务、检测危险行为和采取修正措施、跟踪对文档的访问、防止数据泄露或误用,等等。You can analyze data flows to gain insight into your business, detect risky behaviors and take corrective measures, track access to documents, prevent data leakage or misuse, and so on.

标签如何应用分类How labels apply classification

可使用 Azure 信息保护标签对文档和电子邮件应用分类。You use Azure Information Protection labels to apply classification to documents and emails. 执行此操作时,分类是可识别的,无论数据的存储位置在哪里或者与谁共享。When you do this, the classification is identifiable regardless of where the data is stored or with whom it’s shared. 标签可包括视觉标记,如页眉、页脚或水印。The labels can include visual markings such as a header, footer, or watermark. 元数据以明文形式添加到文件和电子邮件标头。Metadata is added to files and email headers in clear text. 明文形式确保其他服务(如数据丢失防护解决方案)可以识别分类并执行相应的操作。The clear text ensures that other services, such as data loss prevention solutions, can identify the classification and take appropriate action.

例如,下面的电子邮件已分类为“常规”。For example, the following email message has been classified as "General". 标签已将“敏感度:常规”页脚添加到电子邮件。The label has added a footer of "Sensitivity: General" to the email message. 此页脚是所有收件人的一个可视指示器,它用于一般业务数据,不应在组织外部发送。This footer is a visual indicator for all recipients that it's intended for general business data that should not be sent outside the organization. 该标签嵌入在电子邮件标头中,以便电子邮件服务可以检查此值,并且可以创建审核项或阻止在组织外部发送它。The label is embedded in the email headers so that email services can inspect this value and could create an audit entry or prevent it from being sent outside the organization.

显示 Azure 信息保护分类的示例电子邮件页脚和标头

来自 Azure 信息保护客户端(经典)的屏幕截图Screenshot from the Azure Information Protection client (classic)

如何保护数据How data is protected

保护技术使用 Azure Rights Management (通常缩写为 Azure RMS)。The protection technology uses Azure Rights Management (often abbreviated to Azure RMS). 此技术已与其他 Microsoft 云服务和应用程序(例如 Office 365 和 Azure Active Directory)集成。This technology is integrated with other Microsoft cloud services and applications, such as Office 365 and Azure Active Directory. 它还可与你自己的业务线应用程序和软件供应商提供的信息保护解决方案搭配使用,无论这些应用程序和解决方案是在本地还是在云中。It can also be used with your own line-of-business applications and information protection solutions from software vendors, whether these applications and solutions are on-premises, or in the cloud.

此保护技术使用加密、标识和授权策略。This protection technology uses encryption, identity, and authorization policies. 与应用的标签类似,使用权限管理能够始终为文档和电子邮件提供保护,而不受其位置的影响 – 不管是在组织、网络、文件服务器和应用程序的内部还是外部。Similarly to the labels that are applied, protection that is applied by using Rights Management stays with the documents and emails, independently of the location—inside or outside your organization, networks, file servers, and applications. 此信息保护解决方案让你可以始终控制你的数据,即使在这些数据与他人共享时也是如此。This information protection solution keeps you in control of your data, even when it is shared with other people.

例如,可以配置报告文档或销售预测电子表格,以便仅允许组织内人员进行访问,并且可以控制是否可以编辑该文档、是否将其限制为只读,以及是否禁止打印它。For example, you can configure a report document or sales forecast spreadsheet so that it can be accessed only by people in your organization, and control whether that document can be edited, or restricted to read-only, or prevent it from being printed. 同样,你也可以配置电子邮件,并禁止转发电子邮件或使用“全部答复”选项。You can configure emails similarly, and also prevent them from being forwarded or prevent the use of the Reply All option.

这些保护设置可以是标签配置的一部分,这样用户就只需应用标签即可分类并保护文档和电子邮件。These protection settings can be part of your label configuration, so that users both classify and protect documents and emails simply by applying a label. 不过,支持保护的应用程序和服务也可以使用相同的保护设置,但不能应用标签。However, the same protection settings can also be used by applications and services that support protection, but not labeling. 对于这些应用程序和服务,保护设置以 Rights Management 模板 形式提供。For these applications and services, the protection settings become available as Rights Management templates.

Rights Management 模板Rights Management templates

在激活 Azure Rights Management 服务之后,便会为你提供两个默认模板,用于将数据访问权限限制为你组织内的用户。As soon as the Azure Rights Management service is activated, two default templates are available for you that restrict data access to users within your organization. 可以使用这些模板立即帮助防止从你的组织泄露数据。You can use these templates to immediately help prevent data leaking from your organization. 你还可以通过配置应用更多限制性控件的自己的保护设置来补充这些默认模板。You can also supplement these default templates by configuring your own protection settings that apply more restrictive controls.

事实上,针对包含保护设置的 Azure 信息保护创建标签时,此操作会创建相应的 Rights Management 模板。When you create a label for Azure Information Protection that includes protection settings, under the covers, this action creates a corresponding Rights Management template. 然后,还可将该模板用于支持 Azure Rights Management 的应用程序和服务。You can then additionally use that template with applications and services that support Azure Rights Management.

例如,可从 Exchange 管理中心配置 Exchange Online 邮件流规则来使用这些模板:For example, from the Exchange admin center, you can configure Exchange Online mail flow rules to use these templates:

为 Exchange Online 选择模板的示例

有关 Azure Rights Management 保护的详细信息,请参阅什么是 Azure Rights Management?For more information about Azure Rights Management protection, see What is Azure Rights Management?

与文档和电子邮件的最终用户工作流集成Integration with end-user workflows for documents and emails

安装 Azure 信息保护客户端时,Azure 信息保护会与最终用户的现有工作流集成。Azure Information Protection integrates with end users' existing workflows when the Azure Information Protection client is installed. 此客户端会将信息保护栏安装到 Office 应用程序(如在 Word 中显示此栏的第一张图片所示)。This client installs the Information Protection bar to Office applications, which we saw in the first picture that showed this bar in Word. 相同的信息保护栏会添加到 Excel、PowerPoint 和 Outlook。The same Information Protection bar is added to Excel, PowerPoint, and Outlook. 例如:For example:

Excel 中的 Azure 信息保护栏的示例

来自 Azure 信息保护统一标记客户端的屏幕截图Screenshot from the Azure Information Protection unified labeling client

此信息保护栏使最终用户能够轻松选择用于正确分类的标签。This Information Protection bar makes it easy for end users to select labels for the correct classification. 如有需要,还可以自动应用标签以避免用户猜测,或者用于遵循组织策略。If required, labels can also be applied automatically to remove the guesswork for users, or to comply with your organization's policies.

若要对其他文件类型进行分类和保护,并想要一次性支持多个文件,用户可在 Windows 文件资源管理器中右键单击文件或文件夹:To classify and protect additional file types, and to support multiple files at once, users can right-click files or a folder from Windows File Explorer:

在文件资源管理器中,右键单击“使用 Azure 信息保护进行分类和保护”

如果用户在文件资源管理器中选择“分类和保护” 菜单选项,那么他们可以选择一个标签,操作方式类似于他们在 Office 桌面应用程序中使用信息保护栏。When users select the Classify and protect menu option from File Explorer, they can then select a label similarly to how they use the Information Protection bar in their Office desktop apps. 如果需要,他们还可以设置自己的自定义权限。They can also set their own custom permissions, if required.

高级用户(和管理员)可能会发现,针对管理和设置多个文件的分类和保护,使用 PowerShell 命令更有效。Power users (and administrators) might find using PowerShell commands more efficient for managing and setting classification and protection for multiple files. 虽然也可以单独安装 PowerShell 模块,但完成这些操作的 PowerShell 命令会自动包含在此客户端中。The PowerShell commands to do these actions are automatically included with the client, although you can also install the PowerShell module separately.

文档受到保护后,用户和管理员可以使用文档跟踪站点监视访问这些文档的人员和时间。After a document has been protected, users and administrators can use a document tracking site to monitor who is accessing these documents and when. 如果他们怀疑存在误用,还可以撤销对这些文档的访问权限:If they suspect misuse, they can also revoke access to these documents:


其他电子邮件集成Additional integration for email

将 Azure 信息保护与 Exchange Online 一起使用时,用户将获得额外的好处:可以将受保护的电子邮件发送给任何用户,并确保他们可以在任意设备上阅读该电子邮件。When you use Azure Information Protection with Exchange Online, you get an additional benefit: The ability to send protected emails to any user, with the assurance that they can read it on any device.

例如,用户需要将敏感信息发送到使用 Gmail、Hotmail 或 Microsoft 帐户的个人电子邮件地址 。For example, users need to send sensitive information to personal email addresses that use a Gmail, Hotmail, or a Microsoft account. 或者,向在 Office 365 或 Azure AD 中没有帐户的用户发送敏感信息。Or, to users who don't have an account in Office 365 or Azure AD. 这些电子邮件应静态加密并在传输中加密,且只有原始收件人才能阅读。These emails should be encrypted at rest and in transit, and be read only by the original recipients.

此方案需要 Office 365 邮件加密中的新功能This scenario requires the new capabilities from Office 365 Message Encryption. 如果收件人在本机电子邮件客户端中无法打开受保护的电子邮件,可以使用一次性密码,通过浏览器阅读敏感信息。If the recipients cannot open the protected email in their native email client, they can use a one-time passcode to read the sensitive information in a browser.

例如,Gmail 用户在电子邮件中看到以下信息:For example, a Gmail user sees the following in an email message:

OME 和 AIP 的 Gmail 收件人体验

对于发送电子邮件的用户,他们的工作流与将受保护电子邮件发送到其组织内的用户相同。For the users sending the email, their workflow is no different from sending a protected email to a user in their own organization. 例如,他们可以选择“不要转发”按钮,Azure 信息保护客户端可以将该按钮添加到 Outlook 功能区 。For example, they can select the Do Not Forward button that the Azure Information Protection client can add to the Outlook ribbon. 或者,此“不要转发”功能可以集成到用户选择的标签,使电子邮件分类并受到保护。Or, this Do Not Forward functionality can be integrated into a label that users select, so that the email is classified as well as protected. 例如:For example:


来自 Azure 信息保护统一标记客户端的屏幕截图Screenshot from the Azure Information Protection unified labeling client

或者,可以通过使用应用权限保护的邮件流规则,为用户自动提供保护。Alternatively, you can automatically provide the protection for users, by using mail flow rules that apply rights protection.

将 Office 文档附加到这些电子邮件时,这些文档也会自动受到保护。When you attach Office documents to these emails, these documents are automatically protected as well.

对现有文档进行分类和保护Classifying and protecting existing documents

理想情况下,在首次创建文档和电子邮件时,就对其进行标记。Ideally, documents and emails are labeled when they are first created. 但是,你可能在数据存储中已经有很多文档,并且希望对这些文档也进行分类和保护。But you likely have many existing documents in data stores and want to classify and protect these documents as well. 这些文档存储可能是在本地,也可能是在云中。These data stores could be on-premises or in the cloud.

对于你的本地数据存储,请使用 Azure 信息保护扫描程序,以发现本地文件夹、网络共享以及 SharePoint Server 站点和库中的文档,并对其进行分类和保护。For your on-premises data stores, use the Azure Information Protection scanner to discover, classify, and protect documents on local folders, network shares, and SharePoint Server sites and libraries. 扫描程序在 SharePoint Server 上将作为服务运行。The scanner runs as a service on Windows Server. 可在策略中使用同一规则,以检测敏感信息,并向文档应用特定标签。You can use the same rules in the policy to detect sensitive information and apply specific labels to documents. 或者,也可以向数据存储库中的所有文档应用默认标签,无需检查文件内容。Or you can apply a default label to all documents in a data repository without inspecting the file contents. 此外,也可以仅在报告模式下使用扫描程序,以帮助你发现可能不知道的敏感信息。You can also use the scanner in reporting mode only, to help you discover sensitive information that you might not know you had.

有关部署和使用扫描程序的详细信息,请参阅部署 Azure 信息保护扫描程序,以自动对文件进行分类和保护For more information about deploying and using the scanner, see Deploying the Azure Information Protection scanner to automatically classify and protect files.

对于你的云数据存储,请使用 Microsoft Cloud App Security,将你的标签应用于 Box、SharePoint Online 和 OneDrive for Business 中的文档。For your cloud data stores, use Microsoft Cloud App Security to apply your labels to documents in Box, SharePoint Online, and OneDrive for Business. 有关详细信息,请参阅自动应用 Azure 信息保护分类标签Azure 信息保护集成For more information, see Automatically apply Azure Information Protection classification labels and Azure Information Protection integration.

Microsoft 365 的最新标签更新Latest labeling updates for Microsoft 365

请参阅有关 Azure 信息保护如何帮助你发现、分类、保护和监视敏感信息的最新信息,无论该敏感信息位于何处:See the latest information about how Azure Information Protection helps you to discover, classify, protect, and monitor your sensitive information, wherever it lives:

Azure 信息保护的资源Resources for Azure Information Protection

其他资源:Azure 信息保护的信息和支持Additional resources: Information and support for Azure Information Protection

Microsoft IgniteMicrosoft Ignite

Microsoft Ignite 2018 大会在美国奥兰多开幕,期间举办了多场以 Azure 信息保护为题的会议。Microsoft Ignite 2018 in Orlando had many sessions that are tagged Azure Information Protection. 所有会议都进行了录制,因此,即便未参加此次大会,还是可以在之后观看这些会议。All sessions were recorded so if you couldn't join us there, you can still watch the sessions afterwards. 我们最推荐观看的五场会议:Our top five sessions that we recommend:

有关此次 Ignite 大会上的公告汇总,请参阅博客文章 Announcing availability of information protection capabilities to help protect your sensitive data(宣布推出信息保护功能来帮助保护你的敏感数据)。For a rollup of announcements that were made at this Ignite, see the blog post Announcing availability of information protection capabilities to help protect your sensitive data.

后续步骤Next steps

可通过观看我们的快速入门教程教程,自行配置和使用 Azure 信息保护。Configure and see Azure Information Protection for yourself, with our quickstarts and tutorials. 或者,如果已准备好部署组织的此项服务,请转到操作方法指南Or, if you're ready to deploy this service for your organization, head over to the how-to guides.