The modern, mobile enterprise has brought with it the need to protect our data outside the traditional perimeter. The cloud-based Azure Rights Management Service (RMS) made that type of protection a reality for many organizations. RMS has now been extended with new classification and labeling features to become Azure Information Protection. This session gives an introduction to cloud-based information protection and a tour of the new features.
6. Audience participation
1. How many are using Azure RMS today?
2. How many are using Azure IP today?
3. (How many are using AD DS Rights Management?)
8. Enterprise Mobility+Security: the Microsoft solution
• Azure Information Protection: protect your data, everywhere
• Microsoft Cloud App Security: extend enterprise-grade security to your cloud and SaaS apps
• Azure Active Directory: manage identity with hybrid integration to protect application access from identity attacks (Privileged Identity Management, Identity Protection, Conditional Access: enforce MFA, allow, or block)
• Advanced Threat Analytics: detect threats early with visibility and threat analytics
• Intune: protect your users, devices, and apps
• Windows 10: Azure AD Join, Health Attestation, Windows Hello, BitLocker
9. Challenges with the complex environment
Who and what is involved: employees, business partners, customers; apps, devices, data, users.
What goes wrong: data leaks, lost devices, compromised identities, stolen credentials.
It's 11PM, do you know where your data is?
10. The problem is ubiquitous
• Intellectual property theft has increased: 56% rise in data theft
• Accidental or malicious breaches due to lack of internal controls: 88% of organizations are losing control of data
• Saving files to non-approved cloud storage apps is common: 80% of employees admit to using non-approved SaaS apps
• Organizations are no longer confident in their ability to detect and prevent threats: 91% of breaches could have been avoided
14. Why Rights Management?
• Protection that travels with the data
• Azure RMS is a complete end-to-end information protection solution for documents, email, and any unstructured data that is sensitive for your organization
• Highly integrated into Office, Office 365, Windows Server, and third-party applications for broad reach and a consistent user experience
• Built on modern encryption and authentication standards (PKI, AES, OAuth, ...)
16. Use rights
• A protected file is the encrypted content plus a license that carries the use rights. Azure RMS never sees the file content, only the license.
• Apps protected with RMS enforce the rights. Apps use the SDK to communicate with the RMS service/servers.
• File content is never sent to the RMS server/service: encryption and decryption are local processing on PCs and devices.
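The split the slide describes (content encrypted locally, only the license and the user's identity go to the service), as an added example that is not code from the deck or from Microsoft. It is a toy Python model using only the standard library: an HMAC-SHA256 keystream stands in for AES, and the tenant key is symmetric, so publishing is a round trip to the service rather than the offline wrap with the tenant's RSA public key that Azure RMS clients actually do. The user identities, rights policy and sample content are constructed.

```python
import hashlib
import hmac
import json
import os


def _subkeys(key):
    """Separate encryption and MAC keys so the toy cipher has domain separation."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(key, nonce, length):
    """CTR-style keystream from HMAC-SHA256: a stdlib stand-in for AES, not for production."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag before decrypting; raises on any modification."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("protected content tampered")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class RmsService:
    """The cloud side: holds the tenant key, handles licenses and identities, never content.
    Azure RMS holds an RSA tenant key in an HSM; this toy uses a symmetric one (assumption)."""

    def __init__(self):
        self._tenant_key = os.urandom(32)
        self.received = []  # every byte string the service was ever sent, for the check below

    def _sign(self, body):
        return hmac.new(self._tenant_key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

    def issue_publishing_license(self, content_key, policy):
        """Wrap the content key for the tenant and bind it to the rights policy with a signature."""
        self.received.append(content_key + json.dumps(policy).encode())
        body = {"wrapped_key": seal(self._tenant_key, content_key).hex(), "policy": policy}
        return {"body": body, "sig": self._sign(body)}

    def acquire_use_license(self, publishing_license, user, right):
        """Check the license is genuine, evaluate the policy for the (Azure AD authenticated) user,
        and release the content key only if the requested right is granted."""
        self.received.append(json.dumps(publishing_license).encode())
        body = publishing_license["body"]
        if not hmac.compare_digest(publishing_license["sig"], self._sign(body)):
            raise ValueError("publishing license tampered")
        if right not in body["policy"].get(user, []):
            raise PermissionError(f"{user} does not hold the {right} right")
        return unseal(self._tenant_key, bytes.fromhex(body["wrapped_key"]))


def protect(service, plaintext, policy):
    """Publishing client: encrypt locally under a fresh content key, then obtain the license."""
    content_key = os.urandom(32)
    return {"license": service.issue_publishing_license(content_key, policy),
            "body": seal(content_key, plaintext)}


def consume(service, protected, user, right):
    """Consuming client: present license and identity, decrypt locally once the key is released."""
    return unseal(service.acquire_use_license(protected["license"], user, right), protected["body"])


def can_use(service, protected, user, right):
    """True if the service would release the key for this user and right."""
    try:
        consume(service, protected, user, right)
        return True
    except (PermissionError, ValueError):
        return False


def forge_right(protected, user, right):
    """An attacker edits the policy in a copy of the license; without the tenant key the signature breaks."""
    forged = json.loads(json.dumps(protected["license"]))
    forged["body"]["policy"].setdefault(user, []).append(right)
    return {"license": forged, "body": protected["body"]}


def service_saw(service, needle):
    """Did any request the service received contain these bytes?"""
    return any(needle in item for item in service.received)


if __name__ == "__main__":
    svc = RmsService()
    report = b"Q3 forecast: revenue 12.4M, margin 31%"  # constructed sample content
    policy = {"bob@contoso.example": ["VIEW", "EDIT"], "jane@fabrikam.example": ["VIEW"]}
    doc = protect(svc, report, policy)
    print(consume(svc, doc, "jane@fabrikam.example", "VIEW"))
    print(can_use(svc, doc, "jane@fabrikam.example", "EDIT"), service_saw(svc, report))
```

After a run, `svc.received` contains policies, identities and licenses but never the content bytes; a license with a hand-edited policy fails the signature check, and a user without the requested right gets no key. That is the property behind "the service only sees the license": rights are evaluated when a use license is acquired, so a policy change does not require touching the encrypted file.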
17. Share internally, with business partners, and customers
Internal users (Bob, Jane) and external users (Sue) consume protected content from file shares, SharePoint, email, and line-of-business (LoB) apps.
Any device / any platform (roadmap).
18. Azure Active Directory
Using Azure AD for authentication covers:
• on-premises organizations doing full sync
• on-premises organizations doing partial sync
• organizations completely in the cloud
• organizations created through ad-hoc signup
• organizations federated through ADFS
...and all of these organizations can interact with each other.
21. Data lifecycle: classification and protection
CLASSIFY: at data creation; manual classification; automatic classification as much as possible.
LABEL: persistent tag; user awareness through visual labels; industry standard, enables a wide ecosystem.
PROTECT: encryption with Azure RMS; DLP and compliance actions; audit trails to track data.
ORCHESTRATE.
22. Classify data based on sensitivity
Labels: SECRET, CONFIDENTIAL, INTERNAL, NOT RESTRICTED, PERSONAL
• Start with the data that is most sensitive
• IT admin sets policies, templates, and rules; IT can set automatic rules, and users can complement them
• Associate actions such as visual markings and protection
23. Persistent labels that travel with the document (example markings: FINANCE, CONFIDENTIAL)
• Labels are metadata written to documents
• Labels are in clear text so that other systems, such as a DLP engine, can read them
24. Reclassification
• Automatic: policies can be set by IT admins to automatically apply classification and protection to data
• Recommended: based on the content you are working on, you can be prompted with a suggested classification
• User set: users can choose to apply a sensitivity label to the email or file they are working on with a single click
• Override: you can override a classification and optionally be required to provide a justification
25. Azure IP header, footer, or watermark variables
• Example: if you specify the string "Document: ${item.name} Classification: ${item.label}" for the Secret label footer, the footer text applied to a document named project.docx will be "Document: project.docx Classification: Secret".
Variables (variable: description; example):
${Item.Label}: selected label; Internal
${Item.Name}: file name or email subject; JulySales.docx
${Item.Location}: path and file name for documents, and the email subject for emails; Sales2016Q3JulyReport.docx
${User.Name}: owner of the document or email (Windows SAMAccountName); rsimone
${User.PrincipalName}: owner of the document or email (the email address, or UPN, the Azure Information Protection client signed in with); rsimone@vanarsdelltd.com
${Event.DateTime}: date and time when the selected label was set; 8/16/2016 1:30 PM
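The label lifecycle from slides 21 to 25 (classification rules in automatic and recommended modes, reclassification that needs a justification to go down, clear-text label metadata a DLP engine can read, and marking variables), as an added Python example that is not code from the deck or from the Azure Information Protection client. The rules, label order, footer templates, document and user are constructed; variable expansion is case-insensitive because the slide's own example writes ${item.name} while its table lists ${Item.Name}.

```python
import re
from datetime import datetime

# The slide's label set, least to most sensitive; the ordering is this example's assumption.
LABEL_ORDER = ["Personal", "Not Restricted", "Internal", "Confidential", "Secret"]

# Constructed classification rules (label, mode, condition). "automatic" applies the label,
# "recommended" only prompts the user. These are not Microsoft's built-in conditions.
RULES = [
    ("Confidential", "automatic", re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")),      # card-number-like
    ("Secret", "recommended", re.compile(r"\bProject Falcon\b", re.IGNORECASE)),  # project code name
]

# Footer templates per label, using the variables from the slide's table.
FOOTERS = {
    "Secret": "Document: ${item.name} Classification: ${item.label}",
    "Confidential": "${Item.Label} - set by ${User.PrincipalName} on ${Event.DateTime}",
}

_VARIABLE = re.compile(r"\$\{([A-Za-z]+)\.([A-Za-z]+)\}")


def suggest_label(text):
    """Run the rules; return (label, mode) for the most sensitive match, or (None, None)."""
    best = None
    for label, mode, condition in RULES:
        if condition.search(text) and (best is None or LABEL_ORDER.index(label) > LABEL_ORDER.index(best[0])):
            best = (label, mode)
    return best or (None, None)


def can_reclassify(doc, new_label, justification=None):
    """Raising sensitivity is always allowed; lowering it requires a justification (slide 24)."""
    current = doc.get("label")
    if current is None or LABEL_ORDER.index(new_label) >= LABEL_ORDER.index(current):
        return True
    return bool(justification)


def apply_label(doc, new_label, method, when, justification=None):
    """Record the label as clear-text metadata on the document; 'when' is an ISO 8601 string."""
    if new_label not in LABEL_ORDER:
        raise ValueError(f"unknown label {new_label!r}")
    if not can_reclassify(doc, new_label, justification):
        raise PermissionError(f"lowering {doc['label']} to {new_label} needs a justification")
    doc.update(label=new_label, label_method=method, label_set=datetime.fromisoformat(when))
    if justification:
        doc["label_justification"] = justification
    return doc


def classify(doc, when, user_accepts=False):
    """Automatic rules apply silently; recommended rules apply only if the user accepts the prompt.
    Neither mode ever lowers an existing label. Returns the label applied, or None."""
    label, mode = suggest_label(doc["text"])
    if label is None or not can_reclassify(doc, label):
        return None
    if mode == "automatic" or user_accepts:
        apply_label(doc, label, "Automatic" if mode == "automatic" else "Manual", when)
        return label
    return None


def _format_datetime(d):
    """Render as 8/16/2016 1:30 PM, matching the slide's example."""
    hour = d.hour % 12 or 12
    return f"{d.month}/{d.day}/{d.year} {hour}:{d.minute:02d} {'AM' if d.hour < 12 else 'PM'}"


def render_marking(template, doc, user):
    """Expand ${Scope.Name} variables case-insensitively; unknown variables are left as typed."""
    values = {
        ("item", "label"): doc.get("label", ""),
        ("item", "name"): doc["name"],
        ("item", "location"): doc.get("location", doc["name"]),
        ("user", "name"): user["sam_account_name"],
        ("user", "principalname"): user["upn"],
        ("event", "datetime"): _format_datetime(doc["label_set"]) if "label_set" in doc else "",
    }
    return _VARIABLE.sub(lambda m: values.get((m.group(1).lower(), m.group(2).lower()), m.group(0)), template)


def label_metadata(doc):
    """The clear-text record a DLP engine can read without needing any content key."""
    return {"label": doc["label"], "method": doc["label_method"], "set": doc["label_set"].isoformat()}


if __name__ == "__main__":
    user = {"sam_account_name": "rsimone", "upn": "rsimone@vanarsdelltd.com"}  # constructed
    doc = {"name": "project.docx", "text": "Project Falcon status for the board"}   # constructed
    print(classify(doc, "2016-08-16T13:30", user_accepts=True))
    print(render_marking(FOOTERS["Secret"], doc, user), label_metadata(doc))
```

Because the label is written as metadata next to the content, not inside the encrypted payload, `label_metadata` can be evaluated by a DLP or mail-flow rule that holds no RMS key at all; only the content key, not the label, is gated by use rights.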
26. Protect data needing protection by:
• Encrypting the data
• Including an authentication requirement and a definition of use rights (permissions) to the data, such as VIEW, EDIT, COPY, PASTE
• Providing protection that is persistent and travels with the data, whether as a file or an email attachment, in personal apps or corporate apps
28. Key management
• Azure RMS: BYOK (bring your own key). The customer generates the key and exports/imports it into an Azure Key Vault HSM, where Azure RMS uses it.
• AD RMS: HYOK (hold your own key). AD RMS uses the on-premises HSM for keys, which never leave the customer's control.
29. HYOK and BYOK side by side
• Label A, apply protection: Azure RMS. Data that can be stored anywhere, travel, be collaborated on, and be protected by a cloud service.
• Label B, apply protection: AD RMS. Toxic data that must reside on-premises and be protected by customer-held keys.
Note that content protected under the AD RMS (HYOK) label is opaque to Azure RMS and to Office 365 services, so reserve it for data that is never meant to be processed in the cloud.
33. Licensing
• Azure Active Directory Premium P2 required
• Enterprise Mobility+Security E5
Plan features (information protection):
Enterprise Mobility + Security E3: Azure Information Protection Premium P1; encryption for all files and storage locations; cloud-based file tracking
Enterprise Mobility + Security E5: Azure Information Protection Premium P2; intelligent classification and encryption for files shared inside and outside of your organization; includes all P1 capabilities