The modern, mobile enterprise has brought with it the need to protect our data outside the traditional perimeter. The cloud based Azure Rights Management Service (RMS) made that type of protection a reality for many organizations. But RMS has now been supercharged with new features to become Azure Information Protection. We will give you an introduction to cloud based information protection and take you on a tour of the new features.

2. Did you like Azure RMS?
You will like Azure Information Protection even more!

3. About Your Speaker: Morgan Simonsen
• Cloud Evangelist@Lumagate
• P-TSP@Microsoft
• MCSE, MCSA, MCT
• MVP
• Twitter: @msimonsen
• Email: morgan.simonsen@lumagate.com
• Blog: morgansimonsen.com

4. Agenda
• Threat Landscape 2017
• Azure RMS 101
• Introducing Azure Information Protection
• Data Classification and Labelling
• Tracking and Revocation
• Deployment

5. Threat Landscape 2017

6. Audience Participation
1. How many are using Azure RMS
today?
2. How many are using Azure IP
today?
3. (How many are using AD DS
Rights Management?)

7. Enterprise Mobility+Security
The Microsoft vision
Identity Driven Security
Managed Mobile Productivity
Comprehensive Solution
AppsDevices DataUsers

8. Azure Information
Protection
Protect your data,
everywhere
Microsoft Cloud App Security
Azure Active Directory
Detect threats early
with visibility and
threat analytics
Advanced
Threat Analytics
Extend enterprise-grade
security to your cloud
and SaaS apps
Intune
Protect your users,
devices, and apps
Manage identity with hybrid
integration to protect application
access from identity attacks
Enterprise Mobility+Security
The Microsoft solution
Privileged Identity
Management
Identity
Protection
ENFORCE
MFA
ALLOW
BLOCK
Conditional Access
Windows 10
Azure AD Join,
Health Attestation,
Windows Hello,
BitLocker

9. Challenges with the complex environment
Employees
Business partners
Customers
Apps
Devices
Data
Users
Data leaks
Lost device
Compromised identity
Stolen
credentials
It’s 11PM, do you know where your data
is?

10. The problem is ubiquitous
Intellectual Property theft has
increased
56% rise data theft
Accidental or malicious breaches
due to lack of internal controls
88% of organizations are Losing control
of data
80% of employees admit to
use non-approved SaaS app 91% of breaches could have
been avoided
Organizations no longer confident in
their ability to detect and prevent threats
Saving files to non-approved cloud
storage apps is common

11. CISO’s Information Protection Challenges

12. Unregulated,
unknown
Managed mobile
environment
How much control
do you have?
On-premises
Perimeter
protection
Identity, device
management protection
Hybrid data = new normal
It is harder to protect

13. Azure RMS 101

14. Why Rights Management?
• Protection that travels with the data
• Azure RMS is a complete end to end
information protection solution for documents,
email, and any unstructured data that is
sensitive for your organization
• Highly integrated into Office, O365, Windows
Server, and 3rd party applications for broad
reach and consistent user experience
• Built on modern encryption and authentication
standards (PKI, AES, OAuth, ….)

15. aEZQAR]ibr{qU@M]
BXNoHp9nMDAtnBfr
fC;jx+Tg@XL2,Jzu
()&(*7812(*:
Use rights +
Secret cola formula
Water
Sugar
Brown #16
PROTECT
Usage rights and symmetric
key stored in file as “license”
Each file is protected by
a unique AES symmetric
License protected
by customer-owned
RSA key
Water
Sugar
Brown #16
UNPROTECT

16. Use rights
+
Azure RMS never
sees the file content,
only the license
Apps protected with
RMS enforce rights
SDK
Apps use the SDK to
communicate with the
RMS service/servers
File content is never sent
to the RMS server/service
aEZQAR]ibr{qU@M]B
XNoHp9nMDAtnBfrfC
;jx+Tg@XL2,Jzu
()&(*7812(*:
Use rights
+
LOCAL PROCESSING ON PCs/DEVICES

17. Share internally, with business partners, and customers
Bob
Jane
Internal user
*******
External user
*******
Any device/
any platform
Roadmap
Sue
File share
SharePoint
Email
LoB

18. Azure Active Directory
On-premises organizations
doing full sync
On-premises organizations
doing partial sync
Organizations completely in cloud
…and all of these organizations
can interact with each other.
Organizations created
through ad-hoc signup
ADFS
Using Azure AD for authentication

19. Introducing Azure Information Protection

20. DOCUMENT
TRACKING
DOCUMENT
REVOCATION
Monitor &
respond
LABELINGCLASSIFICATION
Classification
& labeling
ENCRYPTION
Protect
ACCESS
CONTROL
POLICY
ENFORCEMENT

21. Data Lifecycle Classification and Protection
CLASSIFY LABEL PROTECT
At data creation
Manual classification
Automatic
classification
as much as possible
Persistent tag
User awareness
through visual labels
Industry standard,
enables wide
ecosystem
Encryption with Azure
RMS
DLP & Compliance
actions
Audit trails to track
data
ORCHESTRATE

22. SECRET
CONFIDENTIAL
INTERNAL
NOT RESTRICTED
IT admin sets policies,
templates, and rules
PERSONAL
Classify data based on sensitivity
Start with the data that is most
sensitive
IT can set automatic rules; users
can complement it
Associate actions such as visual
markings and protection

23. FINANCE
CONFIDENTIAL
Persistent labels that travel with the document
Labels are metadata written to
documents
Labels are in clear text so that other
systems such as a DLP engine can
read it

24. Reclassification
You can override a
classification and
optionally be required
to provide a justification
Automatic
Policies can be set by IT
Admins for automatically
applying classification and
protection to data
Recommended
Based on the content you’re
working on, you can be
prompted with suggested
classification
User set
Users can choose to apply a
sensitivity label to the email
or file they are working on
with a single click

25. Azure IP Header, Footer, or Watermark
variables
• Example: If you specify the string Document: ${item.name}
Classification: ${item.label} for the Secret label footer, the footer
text applied to a documented named project.docx will be
Document: project.docx Classification: Secret
Variable Description Example
${Item.Label} Selected label Internal
${Item.Name} File name or email subject JulySales.docx
${Item.Location} Path and file name for documents, and the
email subject for emails
Sales2016Q3JulyReport.docx
${User.Name} Owner of the document or email (Windows
SAMAccountName)
rsimone
${User.PrincipalName} Owner of the document or email (Azure
Information Protection client signed in email
address (UPN))
rsimone@vanarsdelltd.com
${Event.DateTime} Date and time when the selected label was
set
8/16/2016 1:30 PM

26. VIEW EDIT COPY PASTE
Email
attachment
FILE
Protect data needing protection by:
Encrypting data
Including authentication requirement and a
definition of use rights (permissions) to the data
Providing protection that is persistent and travels
with the data
Personal apps
Corporate apps

27. Azure RMS Key Management Options

28. Key Management
This is BYOK. Customer
generates key,
exports/imports into
Azure KV HSM
This is HYOK. ADRMS
uses the on-premises
HSM for keys.
Azure RMS AD RMS

29. HYOKBYOK
Label A
Apply Protection: AzRMS
Label B
Apply Protection: ADRMS
Data that can be stored anywhere,
travel, collaborated on and
protected by a cloud service
Toxic data that must reside on-
premises and be protected by
customer held keys

33. Licensing
• Azure Active Directory Premium P2 required
• Enterprise Mobility+Security E5
Plan features
Enterprise
Mobility +
Security E3
Enterprise
Mobility +
Security E5
Information protection
•Azure Information Protection Premium P1
•Encryption for all files and storage locations
•Cloud-based file tracking
•Azure Information Protection Premium P2
•Intelligent classification and encryption for files
shared inside and outside of your organization
•Includes all P1 capabilities

34. Questions?

35. Please evaluate the session on your way
out…
Hated It! Meh…
Best session
ever!