What is Azure Information Protection?

Applies to: Azure Information Protection

Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps an organization to classify and, optionally, protect its documents and emails by applying labels. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given recommendations.

The following picture shows an example of Azure Information Protection in action on a user's computer. The administrator has configured a label with rules that detect sensitive data; in our example, this is credit card information. When a user saves a Word document that contains a credit card number, she sees a custom tooltip that recommends the label that the administrator has configured. This label classifies the document and protects it.

Example of recommended classification in Azure Information Protection

Screenshot from the Azure Information Protection client (classic)

After your content is classified (and optionally protected), you can then track and control how it is used. You can analyze data flows to gain insight into your business, detect risky behaviors and take corrective measures, track access to documents, prevent data leakage or misuse, and so on.

How labels apply classification

You use Azure Information Protection labels to apply classification to documents and emails. When you do this, the classification is identifiable regardless of where the data is stored or with whom it's shared. The labels can include visual markings such as a header, footer, or watermark. Metadata is added to files and email headers in clear text. The clear text ensures that other services, such as data loss prevention solutions, can identify the classification and take appropriate action.

For example, the following email message has been classified as "General". The label has added a footer of "Sensitivity: General" to the email message. This footer is a visual indicator for all recipients that it's intended for general business data that should not be sent outside the organization. The label is embedded in the email headers so that email services can inspect this value and could create an audit entry or prevent it from being sent outside the organization.

Example email footer and headers showing Azure Information Protection classification

Screenshot from the Azure Information Protection client (classic)

How data is protected

The protection technology uses Azure Rights Management (often abbreviated to Azure RMS). This technology is integrated with other Microsoft cloud services and applications, such as Office 365 and Azure Active Directory. It can also be used with your own line-of-business applications and information protection solutions from software vendors, whether these applications and solutions are on-premises or in the cloud.

This protection technology uses encryption, identity, and authorization policies. Similarly to the labels that are applied, protection that is applied by using Rights Management stays with the documents and emails, independently of the location, inside or outside your organization, networks, file servers, and applications. This information protection solution keeps you in control of your data, even when it is shared with other people.

For example, you can configure a report document or sales forecast spreadsheet so that it can be accessed only by people in your organization, and control whether that document can be edited, or restricted to read-only, or prevent it from being printed. You can configure emails similarly, and also prevent them from being forwarded or prevent the use of the Reply All option.

These protection settings can be part of your label configuration, so that users both classify and protect documents and emails simply by applying a label. However, the same protection settings can also be used by applications and services that support protection, but not labeling. For these applications and services, the protection settings become available as Rights Management templates.

Rights Management templates

As soon as the Azure Rights Management service is activated, two default templates are available for you that restrict data access to users within your organization. You can use these templates to immediately help prevent data leaking from your organization. You can also supplement these default templates by configuring your own protection settings that apply more restrictive controls.

When you create a label for Azure Information Protection that includes protection settings, under the covers, this action creates a corresponding Rights Management template. You can then additionally use that template with applications and services that support Azure Rights Management.

For example, from the Exchange admin center, you can configure Exchange Online mail flow rules to use these templates:

Example of selecting templates for Exchange Online

For more information about Azure Rights Management protection, see What is Azure Rights Management?

Integration with end-user workflows for documents and emails

Azure Information Protection integrates with end users' existing workflows when the Azure Information Protection client is installed. This client installs the Information Protection bar in Office applications, which we saw in the first picture that showed this bar in Word. The same Information Protection bar is added to Excel, PowerPoint, and Outlook. For example:

Example of the Azure Information Protection bar in Excel

Screenshot from the Azure Information Protection unified labeling client

This Information Protection bar makes it easy for end users to select labels for the correct classification. If required, labels can also be applied automatically to remove the guesswork for users, or to comply with your organization's policies.

To classify and protect additional file types, and to support multiple files at once, users can right-click files or a folder from Windows File Explorer:

Right-click Classify and protect from File Explorer to protect files with Azure Information Protection

When users select the Classify and protect menu option from File Explorer, they can then select a label similarly to how they use the Information Protection bar in their Office desktop apps. They can also set their own custom permissions, if required.

Power users (and administrators) might find using PowerShell commands more efficient for managing and setting classification and protection for multiple files. The PowerShell commands to do these actions are automatically included with the client, although you can also install the PowerShell module separately.
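The bulk workflow just described, as an added example that is not part of the original page or Microsoft's own documentation: it uses the Get-AIPFileStatus and Set-AIPFileLabel cmdlets from the AzureInformationProtection module that ships with the client to first report which files on a share carry no label (the "reporting before enforcing" step a defender wants), then apply one label to those files and verify the resulting protection. The share path and the label GUID are placeholders; the output property names (IsLabeled, MainLabelName, IsRMSProtected, RMSTemplateName) are assumed to match the module's documented output.

```powershell
# Added example, not Microsoft's own script. Requires the Azure Information
# Protection client (which installs the AzureInformationProtection module)
# and an account already authenticated to the tenant.

$Share   = '\\fileserver\finance\reports'              # placeholder path
$LabelId = '00000000-0000-0000-0000-000000000000'      # placeholder: label ID from the Azure portal

# 1. Inventory: collect label status for Office and PDF files under the share.
$status = Get-ChildItem -Path $Share -Recurse -File -Include *.docx, *.xlsx, *.pptx, *.pdf |
    ForEach-Object { Get-AIPFileStatus -Path $_.FullName }

# Keep a report of the current state before changing anything (reporting-only pass).
$status |
    Select-Object FileName, IsLabeled, MainLabelName, IsRMSProtected |
    Export-Csv -Path (Join-Path $env:TEMP 'aip-label-report.csv') -NoTypeInformation

# 2. Enforce: label only the files that have no label yet, so existing
#    (possibly more restrictive) labels chosen by users are not overwritten.
$unlabeled = $status | Where-Object { -not $_.IsLabeled }
foreach ($file in $unlabeled) {
    Set-AIPFileLabel -Path $file.FileName -LabelId $LabelId
}

# 3. Verify: files whose label carries protection settings should now show
#    the Rights Management template that the label created under the covers.
$unlabeled |
    ForEach-Object { Get-AIPFileStatus -Path $_.FileName } |
    Where-Object { $_.IsRMSProtected } |
    Select-Object FileName, MainLabelName, RMSTemplateName
```

Run step 1 on its own first and review the CSV; a label that includes protection settings encrypts the file, so applying it to the wrong files locks them for every application that does not support Azure RMS.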

After a document has been protected, users and administrators can use a document tracking site to monitor who is accessing these documents and when. If they suspect misuse, they can also revoke access to these documents:

Revoke access icon in the document tracking site

Additional integration for email

When you use Azure Information Protection with Exchange Online, you get an additional benefit: the ability to send protected emails to any user, with the assurance that they can read it on any device.

For example, users need to send sensitive information to personal email addresses that use a Gmail, Hotmail, or Microsoft account. Or, to users who don't have an account in Office 365 or Azure AD. These emails should be encrypted at rest and in transit, and be read only by the original recipients.

This scenario requires the new capabilities from Office 365 Message Encryption. If the recipients cannot open the protected email in their native email client, they can use a one-time passcode to read the sensitive information in a browser.

For example, a Gmail user sees the following in an email message:

Gmail recipient experience for OME and AIP

For the users sending the email, their workflow is no different from sending a protected email to a user in their own organization. For example, they can select the Do Not Forward button that the Azure Information Protection client can add to the Outlook ribbon. Or, this Do Not Forward functionality can be integrated into a label that users select, so that the email is classified as well as protected. For example:

Selecting a label configured for Do Not Forward

Screenshot from the Azure Information Protection unified labeling client

Alternatively, you can automatically provide the protection for users, by using mail flow rules that apply rights protection.

When you attach Office documents to these emails, these documents are automatically protected as well.
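The mail flow rule mentioned above (and in the Rights Management templates section, which shows the same step in the Exchange admin center), as an added example that is not from the original page: it lists the Rights Management templates visible to Exchange Online with Get-RMSTemplate and then creates a transport rule with New-TransportRule that applies the built-in Do Not Forward template to mail leaving the organization when Exchange's credit card number data classification fires, mirroring the page's credit card scenario. The rule name and the choice of condition are assumptions for illustration; the cmdlets and parameters are those of Exchange Online PowerShell, and the session is assumed to be already connected.

```powershell
# Added example, not Microsoft's own script. Assumes an Exchange Online
# PowerShell session is already connected with an account that can manage
# transport rules.

# Show the templates Exchange Online can apply: the two defaults that exist once
# Azure RMS is activated, plus any template created by a label with protection settings.
Get-RMSTemplate | Select-Object Name, Description

# Rule: when a message bound for recipients outside the organization contains
# what Exchange classifies as a credit card number, apply Do Not Forward so the
# content is encrypted and the recipient cannot forward, copy, or print it.
New-TransportRule -Name 'Protect external mail containing credit card numbers' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = 'Credit Card Number' } `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -Comments 'Added example rule: rights-protect outbound mail with card data'

# Confirm the rule exists and see which template it applies.
Get-TransportRule -Identity 'Protect external mail containing credit card numbers' |
    Select-Object Name, State, ApplyRightsProtectionTemplate
```

Because the rule, not the sender, applies the protection, users keep their normal workflow as the page describes; recipients who cannot open protected mail natively fall back to the Office 365 Message Encryption portal with a one-time passcode.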

Classifying and protecting existing documents

Ideally, documents and emails are labeled when they are first created. But you likely have many existing documents in data stores and want to classify and protect these documents as well. These data stores could be on-premises or in the cloud.

For your on-premises data stores, use the Azure Information Protection scanner to discover, classify, and protect documents on local folders, network shares, and SharePoint Server sites and libraries. The scanner runs as a service on Windows Server. You can use the same rules in the policy to detect sensitive information and apply specific labels to documents. Or you can apply a default label to all documents in a data repository without inspecting the file contents. You can also use the scanner in reporting mode only, to help you discover sensitive information that you might not know you had.

For more information about deploying and using the scanner, see Deploying the Azure Information Protection scanner to automatically classify and protect files.

For your cloud data stores, use Microsoft Cloud App Security to apply your labels to documents in Box, SharePoint Online, and OneDrive for Business. For more information, see Automatically apply Azure Information Protection classification labels and Azure Information Protection integration.

Latest labeling updates for Microsoft 365

See the latest information about how Azure Information Protection helps you to discover, classify, protect, and monitor your sensitive information, wherever it lives:

Resources for Azure Information Protection

Additional resources: Information and support for Azure Information Protection

Microsoft Ignite

Microsoft Ignite 2018 in Orlando had many sessions that are tagged Azure Information Protection. All sessions were recorded, so if you couldn't join us there, you can still watch the sessions afterwards. Our top five sessions that we recommend:

For a rollup of announcements that were made at this Ignite, see the blog post Announcing availability of information protection capabilities to help protect your sensitive data.

Next steps

Configure and see Azure Information Protection for yourself, with our quickstarts and tutorials. Or, if you're ready to deploy this service for your organization, head over to the how-to guides.