Smime vs Azure Information Protection

Question

Smime vs Azure Information Protection

Shaan 41

Hi All,

I've a question related to information protection. If an organization is utilizing Azure Information Protection (AIP) to protect the emails and documents, then they really need to use Smime for email protection? Will there be any requirement of using smime if the organization already deployed AIP? As we have good control over the action that a user can perform on email and document using AIP, can we replace Smime with AIP? Or could you please help me to understand the limitations of AIP over Smime?

Accepted answer

1 additional answer

Your answer

Answer 1

Vadims Podāns 9,186 MVP

S/MIME and Azure AIP aren't really interchangeable and one doesn't replace another. AIP provide persistent data privacy (on a storage), while S/MIME provide data privacy on transport.

The following features provided by S/MIME and not provided by AIP

S/MIME is a public standard (latest RFC revision is RFC 8551). This means that 3rd party interoperable tools can be used to handle S/MIME. AIP is not.
S/MIME operates only on email transport and provide end-to-end content privacy, including email body and attachments. AIP does not.
S/MIME is often integrated in email client and does not require any dependencies on tools or Azure. AIP does require dependencies and infrastructure.

I would say that S/MIME and AIP complement each other, but whether to use both -- depends on your security and threat model.

Enrique Saggese 0 Reputation points Microsoft Employee

2023-12-14T21:40:38.6+00:00
Thanks for the response. There are a few claims in the statements above that I want to correct though:

1.While it is true that s/MIME is a public standard and MIP is not, MIP is actually interoperable with third party tools, we offer a free, no royalty, multi-platform SDK through which third party apps and services can integrate with MIP-encrypted email and many third party apps and services do that.

https://learn.microsoft.com/en-us/information-protection/develop/overview

MIP operates on transport, at-rest and in-use, offering end to end persistent encryption of both emails and attachments. What is different in this regard between s/MIME and MIP, asides from s/MIME not offering at-use rights enforcement, is that s/MIME offers peer to peer encryption where encryption is done using a recipient's key so it cannot be "intercepted" even by authorized entities such as the organization's compliance tools. MIP performs end to end encryption using an organization's encryption keys, which means that the email can be decrypted by the sender's or recipient's organization for the sake of meeting compliance obligations. This is critical since with s/MIME, unless the organization is performing key escrow and integrates key escrow with their compliance services, neither organization is able to perform due-diligence on an encrypted email, including malware scanning, scanning for sensitive content to prevent exfiltration, communication monitoring to meet FINRA obligations, eDiscovery, etc. With s/MIME organizations must accept that anything the user chooses to encrypt is outside of the boundaries of any regulations imposed on the company, which is generally not acceptable for most regulated organizations. And of course, if the org implements key escrow, the "peer to peer" encryption privacy aspect is moot since now the organization can decrypt the email in transit (and still most compliance solutions won't be able to inspect the email or attachments).

MIP is integrated into Outlook across all platforms, including mobile and web, it is also integrated with Titus Mail, Nitrodesk, Samsung mail, 9 folders, Windows mail, Blackberry Work, Citrix WorxMail, VMWare Workplace One Boxer, and other software, without any plug-ins or add-ins being required.

https://learn.microsoft.com/en-us/azure/information-protection/requirements-applications

And while it is true that MIP does have a dependency on some services (for policy definition, authentication, etc.), so does s/MIME since there's a requirement for using a Public Key Infrastructure certification authority. In fact, unlike MIP, s/MIME requires that both organizations implement such infrastructure. With MIP only the sender's organization needs to have MIP services deployed, and the recipients can view the emails in a web viewer and authenticate through multiple different factors, including one-time passwords in case the user doesn't have an identity in any supported identity service.

The only real capability s/MIME has that MIP doesn't have is email signing, since MIP only supports encryption today.

Hope this helps clarify the difference between the two solutions.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Answer 2

Shaan 41

Thanks Crypt32..

Share via

Smime vs Azure Information Protection

1 additional answer

Your answer