Azure Information Protection (AIP) labeling, classification, and protection

*Applies to: Azure Information Protection*

*Relevant for: Azure Information Protection unified labeling client and classic client for Windows*

Note

To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure portal are being deprecated as of March 31, 2021. This time frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

Azure Information Protection (AIP) is a cloud-based solution that enables organizations to classify and protect documents and emails by applying labels.

For example, your administrator might configure a label with rules that detect sensitive data, such as credit card information. In this case, any user who saves credit card information in a Word file might see a tooltip at the top of the document with a recommendation to apply the relevant label for this scenario.

Labels can both classify, and optionally protect, your documents, enabling you to:

  • Track and control how your content is used
  • Analyze data flows to gain insight into your business, detect risky behaviors, and take corrective measures
  • Track document access and prevent data leakage or misuse
  • And more ...

How labels apply classification with AIP

Labeling your content with AIP includes:

  • Classification that can be detected regardless of where the data is stored or with whom it's shared.
  • Visual markings, such as headers, footers, or watermarks.
  • Metadata, added to files and email headers in clear text. The clear text metadata ensures that other services can identify the classification and take appropriate action.

For example, in the image below, labeling has classified an email message as General:

Example email footer and header showing Azure Information Protection classification

In this example, the label also:

  • Added a footer of **Sensitivity: General** to the email message. This footer is a visual indicator for all recipients that it's intended for general business data that should not be sent outside of the organization.
  • Embedded metadata in the email headers. Header data enables email services to inspect the label and, for example, create an audit entry or prevent the message from being sent outside of the organization.
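The clear-text header metadata is what a mail service or a mail-flow inspection script keys on. The following PowerShell is an added example (not code from the Azure Information Protection documentation or the AIP client): it parses a constructed `msip_labels` header value into per-label properties and returns an audit-or-block decision for an outbound message. The `MSIP_Label_<labelGuid>_<Property>=<value>; ...` key layout follows the client's convention; the label GUID, tenant ID, domain, and recipient addresses are constructed sample data, and the "internal-only labels" policy is an assumption for illustration.

```powershell
# Added example, not part of the AIP docs: inspect the clear-text label metadata that the
# AIP client writes into the 'msip_labels' mail header and decide on audit vs. block.
# All GUIDs, addresses and the internal-only policy below are constructed / assumed.

function ConvertFrom-MsipLabelsHeader {
    param([Parameter(Mandatory)][string]$HeaderValue)
    $labels = @{}
    foreach ($pair in ($HeaderValue -split ';')) {
        $pair = $pair.Trim()
        if (-not $pair) { continue }
        # Key looks like MSIP_Label_<guid>_Name; everything after the first '=' is the value.
        $key, $value = $pair -split '=', 2
        if ($key -match '^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$') {
            $guid = $Matches[1]; $prop = $Matches[2]
            if (-not $labels.ContainsKey($guid)) { $labels[$guid] = @{} }
            $labels[$guid][$prop] = $value
        }
    }
    return $labels
}

function Get-OutboundLabelDecision {
    param(
        [Parameter(Mandatory)][string]$HeaderValue,
        [Parameter(Mandatory)][string[]]$Recipients,
        [Parameter(Mandatory)][string]$InternalDomain,
        # Assumed policy: content carrying these labels must not leave the organization.
        [string[]]$InternalOnlyLabels = @('General', 'Confidential')
    )
    $external = @($Recipients | Where-Object { $_ -notlike "*@$InternalDomain" })
    $labels   = ConvertFrom-MsipLabelsHeader -HeaderValue $HeaderValue

    foreach ($entry in $labels.GetEnumerator()) {
        $props = $entry.Value
        if ($props['Enabled'] -ne 'true') { continue }   # ignore disabled/removed labels
        if ($external.Count -gt 0 -and $InternalOnlyLabels -contains $props['Name']) {
            return [pscustomobject]@{
                Action = 'Block'
                Label  = $props['Name']
                Reason = "Label '$($props['Name'])' is internal-only; external recipients: $($external -join ', ')"
            }
        }
        return [pscustomobject]@{ Action = 'Audit'; Label = $props['Name']; Reason = 'Labeled message, no policy conflict' }
    }
    return [pscustomobject]@{ Action = 'Audit'; Label = $null; Reason = 'No enabled label in header' }
}

# Constructed sample header in the shape the client writes (values are not real).
$sampleHeader = 'MSIP_Label_00000000-1111-2222-3333-444444444444_Enabled=true; ' +
                'MSIP_Label_00000000-1111-2222-3333-444444444444_SiteId=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee; ' +
                'MSIP_Label_00000000-1111-2222-3333-444444444444_Name=General; ' +
                'MSIP_Label_00000000-1111-2222-3333-444444444444_SetDate=2021-01-15T10:00:00Z; ' +
                'MSIP_Label_00000000-1111-2222-3333-444444444444_Method=Standard'

Get-OutboundLabelDecision -HeaderValue $sampleHeader `
    -Recipients 'alice@contoso.example', 'bob@gmail.example' `
    -InternalDomain 'contoso.example'
```

With the sample header, the General label is enabled and one recipient is outside the internal domain, so the function returns a Block decision; with only internal recipients it returns Audit. In practice this logic belongs in the mail service (an Exchange Online mail flow rule matching on the header) rather than in a script, but the parser makes explicit what such a rule is matching on.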

Labels can be applied automatically by administrators using rules and conditions, manually by users, or using a combination where administrators define the recommendations shown to users.

How AIP protects your data

Azure Information Protection uses the Azure Rights Management service (Azure RMS) to protect your data.

Azure RMS is integrated with other Microsoft cloud services and applications, such as Office 365 and Azure Active Directory, and can also be used with your own or third-party applications and information protection solutions. Azure RMS works with both on-premises and cloud solutions.

Azure RMS uses encryption, identity, and authorization policies. Similar to AIP labels, protection applied using Azure RMS stays with the documents and emails, regardless of the document or email's location, ensuring that you stay in control of your content even when it's shared with other people.

Protection settings can be:

  • Part of your label configuration, so that users both classify and protect documents and emails simply by applying a label.

  • Used on their own, by applications and services that support protection but not labeling.

    For applications and services that support protection only, protection settings are used as Rights Management templates.

For example, you may want to configure a report or sales forecast spreadsheet so that it can be accessed only by people in your organization. In this case, you'd apply protection settings to control whether that document can be edited, restrict it to read-only, or prevent it from being printed.

Emails can have similar protection settings to prevent them from being forwarded or from using the Reply All option.

Rights Management templates

As soon as the Azure Rights Management service is activated, two default Rights Management templates are available for you to restrict data access to users within your organization. Use these templates immediately, or configure your own protection settings to apply more restrictive controls in new templates.

Rights Management templates can be used with any applications or services that support Azure Rights Management.
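The "protection only" path, where a template is applied directly rather than through a label, can be exercised from PowerShell. The following is an added example and not code from the Azure Information Protection documentation; it assumes the `AzureInformationProtection` module that ships with the AIP client is installed and the session is signed in, and it selects the template by name at run time, so no real template ID is assumed. The folder path and template name are placeholders.

```powershell
# Added example, not from the AIP docs: apply a Rights Management template to a folder of
# files without using a label, with the Protect-RMSFile cmdlets of the AzureInformationProtection
# module. Folder path and template name below are placeholders.

Import-Module AzureInformationProtection

$Folder       = 'C:\Reports\Q1'                        # placeholder
$TemplateName = 'Contoso - Confidential View Only'     # placeholder: use a name listed by Get-RMSTemplate

# Templates available to the signed-in user: the two defaults created when the service is
# activated, plus custom templates (including those created from AIP labels with protection).
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $TemplateName }
if (-not $template) {
    throw "Template '$TemplateName' not found; run Get-RMSTemplate to list the available names."
}

# Protect in place so files keep their name and location. The usage rights (view, edit,
# print, forward ...) come from the template, so tightening rights later means changing
# the template, not re-protecting every file.
Protect-RMSFile -Folder $Folder -InPlace -TemplateId $template.TemplateId

# Verify: every file in the folder should now report Status = Protected.
Get-RMSFileStatus -Folder $Folder | Format-Table FileName, Status -AutoSize
```

Because the template is resolved by name and the script stops if it is not found, a typo in the name cannot silently leave the folder unprotected; the final status listing is the check to keep in any batch job of this kind.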

The following image shows an example from the Exchange admin center, where you can configure Exchange Online mail flow rules to use RMS templates:

Example of selecting a template for Exchange Online

Note

Creating an AIP label that includes protection settings also creates a corresponding Rights Management template that can be used separately from the label.

For more information, see What is Azure Rights Management?

AIP and end-user integration for documents and emails

The AIP client installs the Information Protection bar in Office applications and enables end users to integrate AIP with their documents and emails.

For example, in Excel:

Example of the Azure Information Protection bar in Excel

While labels can be applied automatically to documents and emails, removing guesswork for users or to comply with an organization's policies, the Information Protection bar enables end users to select labels and apply classification on their own.

Additionally, the AIP client enables users to classify and protect additional file types, or multiple files at once, using the right-click menu in Windows File Explorer. For example:

Right-click Classify and protect in File Explorer to protect a file using Azure Information Protection

The Classify and protect menu option works similarly to the Information Protection bar in Office applications, enabling users to select a label or set custom permissions.

Tip

Power users or administrators might find that PowerShell commands are more efficient for managing and setting classification and protection for multiple files. The relevant PowerShell commands are included with the client, and can also be installed separately.
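As an added example of the PowerShell route the tip refers to (this is not code from the Azure Information Protection documentation): the script below inventories the label and protection state of Office files under a share, reports what is unlabeled or unprotected, applies one label only to files that have no label yet, and dry-runs automatic classification. It assumes the `AzureInformationProtection` module installed with the AIP client, a signed-in session, the property names returned by `Get-AIPFileStatus`, and the `-WhatIf` switch on `Set-AIPFileClassification`; the exact cmdlet set depends on the client version. The share path and label GUID are placeholders.

```powershell
# Added example, not from the AIP docs: bulk inventory and labeling with the cmdlets that
# ship in the AzureInformationProtection module. Share path and label GUID are placeholders.

Import-Module AzureInformationProtection

$Repository = '\\fileserver\finance'                     # placeholder UNC path
$LabelId    = '00000000-1111-2222-3333-444444444444'     # placeholder: real label IDs come from the admin portal

# 1. Inventory: current label and protection state of every Office file in the share.
$status = Get-ChildItem -Path $Repository -Recurse -File -Include *.docx, *.xlsx, *.pptx |
          Get-AIPFileStatus

# 2. Report files that are unlabeled, or labeled but not protected, before changing anything.
$status | Where-Object { -not $_.IsLabeled -or -not $_.IsRMSProtected } |
          Select-Object FileName, IsLabeled, MainLabelName, IsRMSProtected |
          Format-Table -AutoSize

# 3. Apply the default label only to files with no label yet, so classifications already
#    chosen by users are not overwritten. -PreserveFileDetails keeps the modified timestamp.
$status | Where-Object { -not $_.IsLabeled } |
          ForEach-Object { Set-AIPFileLabel -Path $_.FileName -LabelId $LabelId -PreserveFileDetails }

# 4. Dry run of automatic classification (the same condition rules the scanner uses):
#    -WhatIf reports which files would receive which label without modifying them.
Set-AIPFileClassification -Path $Repository -WhatIf
```

Step 3 is deliberately restricted to unlabeled files: a blanket `Set-AIPFileLabel` over the whole share would downgrade documents that users had already classified more strictly. Run step 4 first on a new repository to see what automatic classification would do before committing to it.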

Users and administrators can use the document tracking site to monitor protected documents, and to see who accesses them and when. If they suspect misuse, they can also revoke access to these documents. For example:

Revoke access icon in the document tracking site

Additional integration for email

Using AIP with Exchange Online provides the additional benefit of sending protected emails to any user, with the assurance that they can read them on any device.

For example, you may need to send sensitive information to personal email addresses that use a Gmail, Hotmail, or Microsoft account, or to users who don't have an account in Office 365 or Azure AD. These emails should be encrypted at rest and in transit, and be readable only by the original recipients.

This scenario requires Office 365 Message Encryption capabilities. If the recipients cannot open the protected email in their built-in email client, they can use a one-time passcode to read the sensitive information in a browser.

For example, a Gmail user might see the following prompt in an email message they receive:

Gmail recipient experience for OME with AIP

For the user sending the email, the actions required are the same as for sending a protected email to a user in their own organization. For example, select the Do Not Forward button that the AIP client can add to the Outlook ribbon.

Alternately, Do Not Forward functionality can be integrated into a label that users can select to apply both classification and protection to that email. For example:

Selecting a label configured for Do Not Forward

Administrators can also automatically provide protection for users by configuring mail flow rules that apply rights protection.
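The same mail flow rule that the Exchange admin center screenshot earlier on this page shows can be created from Exchange Online PowerShell. The following is an added example, not code from the Azure Information Protection documentation: it lists the templates Exchange Online can apply and creates a rule that applies Do Not Forward to mail from a group when it is sent outside the organization and matches a subject or body keyword. It assumes the `ExchangeOnlineManagement` module and an administrator sign-in; the group address, keywords, and rule name are placeholders.

```powershell
# Added example, not from the AIP docs: create an Exchange Online mail flow rule that applies
# rights protection automatically. Group address, keywords and names are placeholders.

Connect-ExchangeOnline   # ExchangeOnlineManagement module, interactive administrator sign-in

# Templates Exchange Online can apply: the built-in 'Do Not Forward' and 'Encrypt' templates,
# plus templates created from AIP labels that include protection settings.
Get-RMSTemplate | Select-Object Name, Type

# Splatting keeps each condition and action readable and lets us annotate them.
$rule = @{
    Name                          = 'Protect finance mail to external recipients'   # placeholder
    FromMemberOf                  = 'finance-team@contoso.example'                  # placeholder group
    SentToScope                   = 'NotInOrganization'           # only mail leaving the tenant
    SubjectOrBodyContainsWords    = @('Forecast', 'Quarterly results')             # placeholder keywords
    ApplyRightsProtectionTemplate = 'Do Not Forward'              # recipients read via OME; attachments are protected too
    Mode                          = 'Audit'                       # start in Audit to see what the condition matches
    Comments                      = 'Added example rule; switch to Enforce after reviewing audit matches'
}
New-TransportRule @rule

# After reviewing the matched messages, enforce the rule.
Set-TransportRule -Identity $rule.Name -Mode Enforce
```

Creating the rule in Audit mode first and reviewing the matches is the safeguard against a keyword condition that is too broad; switching to Enforce is then a one-line change.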

Any Office documents attached to these emails are automatically protected as well.

Scanning for existing content to classify and protect

Ideally, you'll be labeling documents and emails as they're created. However, you likely have many existing documents, stored either on-premises or in the cloud, and want to classify and protect these documents as well.

Use one of the following methods to classify and protect existing content:

  • On-premises storage: Use the Azure Information Protection scanner to discover, classify, and protect documents on network shares and Microsoft SharePoint Server sites and libraries.

    The scanner runs as a service on Windows Server, and uses the same policy rules to detect sensitive information and apply specific labels to documents.

    Alternately, use the scanner to apply a default label to all documents in a data repository without inspecting the file contents. Or use the scanner in reporting mode only, to discover sensitive information that you might not know you had.

  • Cloud data storage: Use Microsoft Cloud App Security to apply your labels to documents in Box, SharePoint, and OneDrive. For a tutorial, see Automatically apply Azure Information Protection classification labels.

Next steps

Configure and see Azure Information Protection for yourself with our quickstart and tutorials:

If you're ready to deploy this service for your organization, head over to the how-to guides.