Secure data using classification, labeling and protection

Nowadays information sharing is taking place from multiple devices and across organizational boundaries. It becomes imperative to ensure that critical corporate data is not compromised in this process while enabling users to securely share what’s important for them to perform their jobs. With trends such as outsourcing, you may need to share company confidential data with contractors and vendors. Because not all content needs the same protection, companies are challenged to identify which data needs protection and which data does not.

Continue reading to learn more about how Enterprise Mobility + Security helps address this scenario.

How can Enterprise Mobility + Security help you?

Enterprise Mobility + Security (EMS) is the only comprehensive cloud solution that protects corporate data on the device itself and beyond with four layers of protection across identities, devices, apps, and data. EMS helps you solve one of the key challenges in the mobile-first, cloud-first world: how to deliver secure data to employees on the go. With EMS, you will enable your employees to collaborate securely within and outside of your organization. EMS allows IT administrators to leverage Azure Information Protection to help secure corporate data at the file level. By using this capability, they can rest assured the data is always protected, regardless of where it’s stored, with whom it’s shared, and whether it’s at rest or in transit.

Azure Information Protection lets organizations classify, label, and protect data at the time of creation or modification. With Azure Information Protection, users can:

  • Classify data based on sensitivity, and add labels, manually or automatically
  • Protect data using encryption, authentication and use rights
  • Enable intuitive, non-intrusive experience for end users

The organization also has access to detailed tracking and reporting so they can see what’s happening with the shared data to manage it better. The following diagram summarizes the information protection lifecycle:


Watch this short video for a quick introduction on how Azure Information Protection makes it simpler to classify, label and protect information, even as it travels outside of your organization.

How to implement this solution

Follow these steps to implement data classification, labeling and protection using Azure Information Protection:

  • Step 1: Preparing for data classification and protection
  • Step 2: Configure information protection policies and labels
  • Step 3: Implement content based automatic classification
  • Step 4: Configure conditions for automatic and recommended classification

How to secure data using classification, labeling and protection with Azure Information Protection

Companies need to identify which data needs protection and which data does not need the same level of protection. The steps that follow will guide you through core tasks that must be done to enable IT to implement Azure Information Protection.

Step 1: Preparing for document protection and content classification

Before implementing this solution, review the requirements for Azure Information Protection and ensure that Azure Rights Management is activated. If it is activated, you should see the following screen in Azure Portal:

Azure portal

When you activate Azure Rights Management, you can protect important data by using applications and services supported by this information protection solution. You can also manage and monitor protected files and emails that your organization owns. You must activate Azure Rights Management before you can use the Rights Management features within Office, SharePoint, and Exchange to protect sensitive or confidential files.

Step 2: Configure information protection policies and labels

When planning to implement information protection policies and labels, use the following guidelines:

  • Classify data based on sensitivity
  • Start with the data that is most sensitive
  • IT can set automatic rules; users can complement it
  • Associate actions such as visual markings and protection

The following diagram has an example of how this could be implemented:


Azure Information Protection comes with default labels; however, you can customize and create your own labels or sub-labels that users see on the Information Protection bar.


Labels are metadata written to documents. Labels are in clear text so that other systems such as a DLP engine can read them.

In the following example, you can see custom sub-labels that were created under the Secret label:


Once you define how you will be using your labels (default or custom ones), configure a label to apply Rights Management protection.

Step 3: Implement content based automatic classification

With Azure Information Protection, data classification and protection controls are integrated into Office and other common applications. This integration provides simple one-click options to secure data that users are working on. In the Azure portal, you can apply predefined patterns, such as “Credit card numbers” or “USA Social Security Numbers”, as a condition for automatic classification. Alternately, you can use text patterns and regular expressions to define a custom string or pattern.

When you configure conditions for a label, you can automatically assign a label to a document/email, or you can prompt users to select the label that you recommend. Read How to configure conditions for automatic and recommended classification for Azure Information Protection for more information on how to perform this configuration.

Policies can be set by IT admins for automatically applying classification and protection to data. Policies can also be based on the content you’re working on and can be configured to prompt users for suggested classification. The built-in conditions are:

  • SWIFT Code
  • Credit Card Number
  • ABA Routing Number
  • USA Social Security Number (SSN)
  • International Banking Account Number (IBAN)

Read Information about the built-in conditions for more details about this type of implementation.
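The following Python example is added here to illustrate how content-based conditions of the kind described in Step 3 can pair a text pattern with a checksum validation, and how an automatic condition can take precedence over a recommended one. It is not part of the original page and is not Azure Information Protection's own detection logic; the regular expressions, the "Confidential" label name, the automatic/recommended assignments and the precedence rule are all assumptions.

```python
import re

def luhn_ok(s):
    """Luhn checksum used by payment card numbers."""
    digits = [int(c) for c in re.sub(r"\D", "", s)][::-1]
    return sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
               for i, d in enumerate(digits)) % 10 == 0

def aba_ok(s):
    """ABA routing checksum: weights 3,7,1 repeated, sum divisible by 10."""
    return sum(int(c) * w for c, w in zip(s, (3, 7, 1) * 3)) % 10 == 0

def iban_ok(s):
    """ISO 13616 mod-97: move first 4 chars to the end, letters become 10..35."""
    s = s.replace(" ", "")
    return int("".join(str(int(c, 36)) for c in s[4:] + s[:4])) % 97 == 1

def ssn_ok(s):
    """Reject area/group/serial values that are never issued."""
    area, group, serial = s.split("-")
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

# (condition name from the page, assumed pattern, validator, assumed label, assumed mode)
CONDITIONS = [
    ("Credit Card Number", r"\b\d(?:[ -]?\d){12,18}\b",
     luhn_ok, "Confidential", "automatic"),
    ("USA Social Security Number (SSN)", r"\b\d{3}-\d{2}-\d{4}\b",
     ssn_ok, "Confidential", "automatic"),
    ("ABA Routing Number", r"\b\d{9}\b",
     aba_ok, "Confidential", "recommended"),
    ("International Banking Account Number (IBAN)",
     r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b",
     iban_ok, "Confidential", "recommended"),
]

def classify(text):
    """Return (label, mode, matched condition names); automatic beats recommended."""
    hits = [(name, label, mode) for name, pat, ok, label, mode in CONDITIONS
            if any(ok(m.group()) for m in re.finditer(pat, text))]
    if not hits:
        return (None, None, [])
    auto = [h for h in hits if h[2] == "automatic"]
    chosen = (auto or hits)[0]
    return (chosen[1], chosen[2], [h[0] for h in hits])
```

The checksum step is what keeps a pattern-only rule from labeling every 9-digit or 16-digit number in a document; a string that matches the pattern but fails validation produces no label.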