Azure Information Protection
Dan Plastina, Director, Information and Threat Protection (@TheRMSguy)
Challenges with the complex environment
[Diagram: users, devices, apps and data; data flows to employees, customers and business partners; risks shown: lost device, data leaks, compromised identity, stolen credentials]
- You have these entities: users, devices, apps and data.
- Data is being shared with employees, customers and business partners.
- You have to manage the complexity of protecting your users' identities, and the data stored on their devices and in their apps.
- You need to prepare to mitigate the risks that come with giving your employees freedom and space.
- You need to meet compliance and regulatory standards, maintain company security policies and requirements, and detect threats, all while giving workers a better and more productive experience.
The cloud is here to stay
- The 'cloud accepting' population is growing, very rapidly.
- Your managers (CxO) are changing their minds, or soon will, or are being replaced.
- Microsoft is meeting organizations 'in the middle' with capabilities such as Lockbox and 'going local'.
- Your competition will use the cloud to their advantage.
- You can't compete with cloud vendors on substrate services (time, cost, innovation), and you can't lay the substrate and do value-add at the same rate as your cloud peers.
- There will be breaches, both in the cloud and on-premises. Cloud vendors, with billions invested and far better 'signals', will act and evolve far quicker.
The problem is ubiquitous
- Intellectual property theft has increased.
- Organizations are no longer confident in their ability to detect and prevent threats.
- Saving files to non-approved cloud storage apps is common.
- Accidental or malicious breaches occur due to a lack of internal controls.
Figures shown on the slide: 56% rise in data theft; 88% of organizations are losing control of data; 80% of employees admit to using non-approved SaaS apps; 91% of breaches could have been avoided.
We heard from you... and you are not alone.
How much control do you have?
- On-premises, perimeter protection: you had control over your data when it resided within your boundaries.
- Managed mobile environment (identity and device management protection): that boundary has now expanded with managed devices and cloud assets. MDM solutions help, but not once data moves outside your controlled environment.
- Unregulated, unknown: once shared outside your environment, you lose control over your data.
- Hybrid data is the new normal, and it is harder to protect.
The evolution of Azure RMS
[Diagram, three stages: Protect (encryption, access control, policy enforcement); Monitor & respond (document tracking, document revocation); Classification & labeling (classification, labeling)]
1. For years, RMS helped businesses provide persistent protection over their data through encryption, access control and policy enforcement.
2. We added tracking and revocation capabilities for greater control over shared data.
3. Now we also have classification and labeling capabilities, so that you can identify what data needs protection and protect only that data.
Azure Information Protection: full data lifecycle
[Diagram: classification, labeling, encryption, access control, policy enforcement, document tracking, document revocation, grouped as Classification & labeling, Protect, and Monitor & respond]
Classify data: begin the journey
- Classify data based on sensitivity; start with the data that is most sensitive.
- IT can set automatic rules; users can complement them.
- Associate actions with each label, such as visual markings and protection.
- The IT admin sets policies, templates and rules, so data is born protected, using the company's criteria, enforced by IT and enforced on any device.
Example label set: SECRET, CONFIDENTIAL, PERSONAL, INTERNAL, NOT RESTRICTED
Automatic classification - example
Recommended classification - example
Reclassification and justification - example
User-driven classification - example
How Classification Works (10/3/2017)
- Automatic: policies can be set by IT admins to automatically apply classification and protection to data.
- Recommended: based on the content you're working on, you can be prompted with a suggested classification.
- User set: users can apply a sensitivity label to the email or file they are working on with a single click.
- Reclassification: you can override a classification and, optionally, be required to provide a justification.
Speaker notes: Best case, IT sets up policy. But IT can't catch everything, so recommendations are the next best thing. Users have the flexibility to reclassify because policies won't get it right every time, but everything is logged so IT can audit in case of a violation. Users can also label if they deem it necessary, even when the item was not automatically classified.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
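The four modes above map onto a small rule engine. The following is an added example, not Azure Information Protection client code: the rules (a Luhn-checked 16-digit number forcing Confidential, a project codename recommending Internal), the label order and the "a downgrade needs a justification" policy are assumptions chosen for the illustration, and the AUDIT list stands in for the logging the slide refers to.

```python
"""Toy model of the AIP label modes: automatic, recommended, user-set,
and reclassification with justification and audit.

Added illustration, not Azure Information Protection client code. The rules,
label names and justification policy are assumptions for the example.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Ascending sensitivity, following the label set shown on the slides.
LABEL_ORDER = ["Not Restricted", "Internal", "Personal", "Confidential", "Secret"]


def rank(label: str) -> int:
    return LABEL_ORDER.index(label)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most 16-digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Rule:
    name: str
    label: str
    mode: str                                   # "automatic" or "recommended"
    pattern: re.Pattern
    validator: Optional[Callable[[str], bool]] = None

    def matches(self, text: str) -> bool:
        return any(self.validator is None or self.validator(m.group(0))
                   for m in self.pattern.finditer(text))


# Assumed IT policy: a Luhn-valid 16-digit number forces Confidential
# (automatic); a project codename only suggests Internal (recommended).
RULES = [
    Rule("credit card number", "Confidential", "automatic", re.compile(r"\b\d{16}\b"), luhn_ok),
    Rule("project codename", "Internal", "recommended", re.compile(r"\bProject Tango\b")),
]


@dataclass
class Decision:
    label: str
    mode: str        # automatic | recommended | none
    reason: str


def classify(text: str) -> Decision:
    """Automatic rules win over recommendations; within a mode the most sensitive label wins."""
    for mode in ("automatic", "recommended"):
        hits = [r for r in RULES if r.mode == mode and r.matches(text)]
        if hits:
            best = max(hits, key=lambda r: rank(r.label))
            return Decision(best.label, mode, best.name)
    return Decision("Not Restricted", "none", "no rule matched; assumed default label")


AUDIT: List[dict] = []   # stands in for the audit log the slide mentions


def relabel(doc_id: str, user: str, current: str, new: str,
            justification: Optional[str] = None) -> str:
    """User-set label or reclassification. Lowering sensitivity needs a justification;
    every change, up or down, is recorded so IT can review overrides after the fact."""
    if rank(new) < rank(current) and not justification:
        raise PermissionError(f"downgrade {current} -> {new} requires a justification")
    AUDIT.append({"doc": doc_id, "user": user, "from": current, "to": new,
                  "justification": justification})
    return new


if __name__ == "__main__":
    for sample in ("Card 4111111111111111 on file", "Project Tango kickoff notes", "Lunch menu"):
        print(sample, "->", classify(sample))
    relabel("doc-1", "alice@contoso.com", "Confidential", "Internal", "redacted before sharing")
    print(AUDIT)
```

The Luhn validator is what keeps an automatic rule from firing on invoice or order numbers; a recommended rule deliberately has no validator because a false positive there costs only a dismissed prompt.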
Apply labels based on classification
- Persistent labels travel with the document.
- Labels are metadata written to documents.
- Labels are written in clear text so that other systems, such as a DLP engine, can read them; alongside the label, the metadata carries a hash of the policies, rules and user information.
- Labels stay with the data to enforce the policies and classification.
[Diagram: protected files shown as ciphertext, each carrying a clear-text label, FINANCE and CONFIDENTIAL]
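Because the label is clear-text metadata, a DLP engine or any other system can read it without needing the RMS key. The following is an added example, not code from Microsoft or the AIP client: it pulls the MSIP_Label_<GUID>_* custom document properties out of docProps/custom.xml in a .docx, ignores a label whose Enabled flag is not true, and shows a block/allow decision on the label name. The sample documents are constructed in memory with only the parts the parser needs; the GUID and values are made up.

```python
"""Read the clear-text AIP label from an Office Open XML (.docx) file.

Added example, not Azure Information Protection code. The AIP client records
the label as custom document properties in docProps/custom.xml, named
MSIP_Label_<label GUID>_<field> (fields such as Enabled, Name, SetDate).
Sample files are built in memory; GUID and values are made up.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
    "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes",
}
FMTID = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"   # fixed fmtid for user-defined properties


def read_custom_properties(docx_bytes: bytes) -> dict:
    """Return {name: value} from docProps/custom.xml, or {} when the part is absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/custom.xml"))
    props = {}
    for prop in root.findall("cp:property", NS):
        value = next(iter(prop), None)             # the single vt:* child holds the value
        props[prop.get("name")] = value.text if value is not None else None
    return props


def aip_labels(docx_bytes: bytes) -> dict:
    """Group MSIP_Label_<guid>_<field> properties by GUID, keeping only enabled labels.
    A label whose Enabled flag is not 'true' is a stale remnant and must not drive policy."""
    labels = {}
    for name, value in read_custom_properties(docx_bytes).items():
        if not name.startswith("MSIP_Label_"):
            continue
        guid, _, field = name[len("MSIP_Label_"):].partition("_")
        labels.setdefault(guid, {})[field] = value
    return {g: f for g, f in labels.items() if (f.get("Enabled") or "").lower() == "true"}


def dlp_decision(docx_bytes: bytes, blocked=("Confidential", "Secret")) -> str:
    """What a DLP engine can do with the clear-text label: block egress of blocked labels."""
    names = {f.get("Name") for f in aip_labels(docx_bytes).values()}
    return "block" if names & set(blocked) else "allow"


def build_docx(parts: dict) -> bytes:
    """Construct a zip with the given {path: content} parts (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, content in parts.items():
            z.writestr(path, content)
    return buf.getvalue()


def custom_xml(props: dict) -> str:
    """Render a docProps/custom.xml part with one lpwstr property per entry."""
    body = "".join(
        f'<property fmtid="{FMTID}" pid="{pid}" name="{name}"><vt:lpwstr>{val}</vt:lpwstr></property>'
        for pid, (name, val) in enumerate(props.items(), start=2))
    return (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Properties xmlns="{NS["cp"]}" xmlns:vt="{NS["vt"]}">{body}</Properties>')


GUID = "2f1a8b5e-1111-4c1d-9d1b-000000000001"       # made-up label id
LABELLED = build_docx({"docProps/custom.xml": custom_xml({
    f"MSIP_Label_{GUID}_Enabled": "true",
    f"MSIP_Label_{GUID}_Name": "Confidential",
    f"MSIP_Label_{GUID}_SetDate": "2017-10-03T09:22:00Z",
})})
STALE = build_docx({"docProps/custom.xml": custom_xml({
    f"MSIP_Label_{GUID}_Enabled": "false",
    f"MSIP_Label_{GUID}_Name": "Confidential",
})})
UNLABELLED = build_docx({"word/document.xml": "<w:document/>"})

if __name__ == "__main__":
    for name, doc in (("labelled", LABELLED), ("stale", STALE), ("unlabelled", UNLABELLED)):
        print(name, aip_labels(doc), dlp_decision(doc))
```

Note what this check cannot do: the label is readable, but so is it writable by anyone with the file, so a DLP decision based on the label name alone trusts the last writer. That is why the slide pairs the clear-text label with a hash and, for the sensitive tiers, with RMS protection.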
Protect data against unauthorized use
[Diagram: a file and an email attachment; corporate apps can VIEW and EDIT, while COPY and PASTE into personal apps are blocked]
Protect data that needs protection by:
- Encrypting the data.
- Including an authentication requirement and a definition of use rights (permissions) to the data.
- Providing protection that is persistent and travels with the data.
Extra protection is available for sensitive data: not just encryption, but rights over who can access it and what they can do with it.
How Protection Works
[Diagram: a 'secret cola formula' document (Water, Sugar, Brown #16) is PROTECTed into ciphertext and UNPROTECTed back to plaintext; the file carries 'use rights + key']
- Each file is protected by a unique AES symmetric key.
- The usage rights and the symmetric key are stored in the file as a 'license'.
- The license is protected by the customer-owned RSA key.
How Protection Works: local processing on PCs/devices
[Diagram: Rights Management, Active Directory and Key Vault on the service side; on the device, the app uses the SDK and exchanges only 'use rights + key' licenses with the service, while the encrypted file stays local]
- Azure RMS never sees the file content, only the license.
- File content is never sent to the RMS server/service.
- Apps protected with RMS enforce the rights.
- Apps use the SDK to communicate with the RMS service/servers.
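The two slides above describe a key hierarchy: a per-file AES key, a license carrying that key plus the usage rights, and a customer-owned RSA key that protects the license, with the service ever handling only licenses. The block below is an added model of that exchange, not the RMS SDK or service code. So that it runs on a bare Python install it substitutes textbook RSA on a roughly 150-bit modulus (no padding) for the tenant key and a SHA-256 counter-mode keystream for AES; both are unsafe stand-ins, and the point is what each side holds and sees. User names and rights are made up.

```python
"""Model of the Azure RMS publish/consume exchange: who holds which key and
what the service actually sees.

Added illustration, not the RMS SDK or service code. Toy primitives stand in
for the real ones (textbook RSA on a ~150-bit modulus for the tenant key,
SHA-256 counter mode for AES); neither is safe for real data.
"""
import hashlib
import json
import secrets

# Tenant key pair. The public half (N, E) is all a publishing client needs;
# the private exponent D lives only in the service (or the customer's HSM with BYOK/HYOK).
P, Q = (1 << 61) - 1, (1 << 89) - 1          # Mersenne primes, chosen so N > 2**128
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def tenant_wrap(key: bytes) -> int:
    """Anyone holding the tenant public key can wrap a content key into a license."""
    return pow(int.from_bytes(key, "big"), E, N)


def tenant_unwrap(wrapped: int) -> bytes:
    """Only the tenant private key holder can recover the content key."""
    return pow(wrapped, D, N).to_bytes(16, "big")


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter mode, standing in for AES; one call both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def protect(plaintext: bytes, rights: dict) -> dict:
    """Client-side publish: a fresh per-file content key; key + usage rights form the
    publishing license, wrapped to the tenant key. Plaintext and key never leave the device."""
    content_key = secrets.token_bytes(16)
    publishing_license = {"rights": rights, "wrapped_key": tenant_wrap(content_key)}
    return {"license": publishing_license, "body": keystream_xor(content_key, plaintext)}


class RmsService:
    """The service side: it receives licenses, never file bodies."""

    def __init__(self):
        self.log = []

    def acquire_use_license(self, user: str, publishing_license: dict):
        """Authenticate the user against the rights in the license; release the content
        key only together with that user's rights, and log the decision either way."""
        user_rights = publishing_license["rights"].get(user)
        self.log.append({"user": user, "result": "granted" if user_rights else "denied"})
        if not user_rights:
            return None
        return {"user": user, "rights": user_rights,
                "key": tenant_unwrap(publishing_license["wrapped_key"])}


def consume(service: RmsService, user: str, protected: dict):
    """Client-side open: send only the license, get back a use license, decrypt locally.
    The app is then responsible for enforcing the returned rights (e.g. no print)."""
    use_license = service.acquire_use_license(user, protected["license"])
    if use_license is None:
        raise PermissionError(f"{user} has no rights to this content")
    return keystream_xor(use_license["key"], protected["body"]), use_license["rights"]


def service_saw_plaintext(service: RmsService, plaintext: bytes) -> bool:
    """Check on the claim 'Azure RMS never sees the file content' against the service log."""
    return plaintext.decode() in json.dumps(service.log)


if __name__ == "__main__":
    svc = RmsService()
    formula = b"Water, Sugar, Brown #16"
    doc = protect(formula, {"bob@contoso.com": ["view", "print"],
                            "jane@contoso.com": ["view", "edit", "print"]})
    print(consume(svc, "bob@contoso.com", doc))
    try:
        consume(svc, "mallory@example.com", doc)
    except PermissionError as exc:
        print(exc)
    print(svc.log, service_saw_plaintext(svc, formula))
```

The asymmetry is the part worth noticing: the publishing client holds only (N, E), so it can create licenses for new files but cannot unwrap anyone else's, and the service unwraps the key only after checking the identity against the rights, which is what makes revocation (stop issuing use licenses) work without touching the file.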
Recommended topology
[Diagram: Azure AD, Azure Rights Management and Azure Key Management in the cloud; on-premises ADFS and AAD Connect for authentication and collaboration; optional RMS connector; optional BYO Key in Azure Key Management]
- Data protection for organizations at different stages of cloud adoption.
- Ensures security because sensitive data is never sent to the RMS server.
- Integration with on-premises assets with minimal effort.
- Authorization requests go to a federation service.
Regulated topology
[Diagram: as in the recommended topology, plus on-premises Rights Management and Key Management for Hold Your Own Key with on-premises key retention and no DMZ exposure; optional RMS connector, BYO Key, AAD Connect and ADFS]
- Data protection for organizations at different stages of cloud adoption.
- Ensures security because sensitive data is never sent to the RMS server.
- Integration with on-premises assets with minimal effort.
- Hold Your Own Key with on-premises key retention.
- Authorization requests go to a federation service.
Road to sharing data safely with anyone
Share internally, with business partners, and with customers.
[Diagram: an internal user sets permissions ('Let Bob view and print', 'Let Jane edit and print') and shares through a file share, SharePoint, email or a LoB app; Bob, Jane and Sue, including external users, open the content on any device and any platform. Marked Roadmap.]
How Sharing Works: using Azure AD for authentication
[Diagram: Azure Active Directory at the center, connected to on-premises organizations doing full sync, on-premises organizations doing partial sync, organizations completely in the cloud, organizations created through ad-hoc signup, and ADFS]
...and all of these organizations can interact with each other.
Monitor and Respond: monitor use, control and block abuse
[Map view 1: users Sue, Bob and Jane plotted by location; Joe blocked in North America; Jane accessed from India; Bob accessed from South America]
[Map view 2: Jane blocked in Africa; Jane (Competitors): Jane's access is revoked]
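A map view like the one above is driven by the RMS usage logs, which record each license request with the requesting user and client IP. The following is an added example and not Microsoft code: it parses a constructed log in a simplified version of the usage-log layout (the real log has more columns, and IP-to-country mapping normally comes from a GeoIP service, stubbed here with a lookup table), flags a user who acquired licenses from two countries within a short window, counts repeated denials, and lists which content a user opened so that it can be revoked. All users, IPs and content IDs are made up.

```python
"""Detection over Azure RMS usage logs: impossible travel, repeated denials,
and a revocation plan.

Added example, not Microsoft code. SAMPLE_LOG uses a simplified layout
modelled on the usage-log CSV (the real log has more columns); users, IPs,
content IDs and the GeoIP table are constructed for the illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """date,time,request-type,user-id,result,content-id,c-ip
2017-10-02,08:01:10,AcquireLicense,bob@contoso.com,Success,doc-17,203.0.113.5
2017-10-02,08:20:41,AcquireLicense,jane@contoso.com,Success,doc-17,198.51.100.7
2017-10-02,09:02:09,AcquireLicense,jane@contoso.com,Success,doc-42,198.51.100.9
2017-10-02,10:15:00,AcquireLicense,jane@contoso.com,Success,doc-42,192.0.2.44
2017-10-02,11:40:30,AcquireLicense,joe@contoso.com,Failure,doc-17,203.0.113.77
2017-10-02,11:41:02,AcquireLicense,joe@contoso.com,Failure,doc-17,203.0.113.77
2017-10-02,11:41:50,AcquireLicense,joe@contoso.com,Failure,doc-42,203.0.113.77
"""

# Stand-in for a GeoIP lookup (documentation-range prefixes; the mapping is made up).
GEO = {"203.0.113.": "US", "198.51.100.": "IN", "192.0.2.": "ZA"}


def country_of(ip: str) -> str:
    return next((c for prefix, c in GEO.items() if ip.startswith(prefix)), "??")


def parse_log(text: str) -> list:
    """Parse the CSV and enrich each row with a timestamp and a country."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        r["country"] = country_of(r["c-ip"])
        rows.append(r)
    return rows


def impossible_travel(rows: list, window_hours: int = 4) -> list:
    """Consecutive successful license requests by one user from different countries
    closer together than window_hours."""
    by_user = defaultdict(list)
    for r in rows:
        if r["request-type"] == "AcquireLicense" and r["result"] == "Success":
            by_user[r["user-id"]].append(r)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        for a, b in zip(events, events[1:]):
            gap = b["ts"] - a["ts"]
            if a["country"] != b["country"] and gap <= timedelta(hours=window_hours):
                alerts.append({"user": user, "from": a["country"], "to": b["country"],
                               "minutes": int(gap.total_seconds() // 60)})
    return alerts


def repeated_denials(rows: list, threshold: int = 3) -> dict:
    """Users whose license requests were refused at least `threshold` times."""
    counts = defaultdict(int)
    for r in rows:
        if r["result"] == "Failure":
            counts[r["user-id"]] += 1
    return {u: n for u, n in counts.items() if n >= threshold}


def revocation_plan(rows: list, user: str) -> list:
    """Respond: every content ID the user successfully opened, i.e. what to revoke."""
    return sorted({r["content-id"] for r in rows
                   if r["user-id"] == user and r["result"] == "Success"})


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(impossible_travel(rows))
    print(repeated_denials(rows))
    for alert in impossible_travel(rows):
        print(alert["user"], "->", revocation_plan(rows, alert["user"]))
```

Revocation here is a list of content IDs, not files: RMS revocation works by refusing new use licenses for that content, so the response step needs the content IDs from the log rather than the documents themselves.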
Industry validated approach
Must read:
- How to select the right EDRM solution, 21 December 2015, G00292633
- The role of EDRM in data-centric security, June 2015, G00275948
PRELIMINARY SECTION: Roadmap
- Secure Email to Anyone futures
- Native Office client futures
- Azure Information Protection futures
Secure Email to Anyone*, on Any* Client
- Clients: Windows, Mac, iPhone/iPad, Android, Windows Phone, Web
- Applications: Outlook, Word, Excel, PowerPoint, PDF (SPO), PPDF (Foxit)
- Identities: Azure AD, Federation, Social IDs, One-Time Password
- Service: Office 365 Exchange
Focus was on clients and apps... but we fell short on who could consume content.
Secure Email to Anyone, on Any Client
- Identities: Azure AD, Federation, MSA, Gmail, Facebook, One-Time Password
- Service: Office 365 with OMEv2, Outlook.com, Exchange
- Clients: Windows, Mac, iPhone/iPad, Android, Windows Phone, Web
- Applications: Outlook, Word, Excel, PowerPoint, PPDF (Foxit), PDF (SPO)
Learning: lead with recipients, and leverage Office Message Encryption (done right).
Secure Email to Anyone, on Any Client
Promises sought by our customers:
- Outlook is the premier client, always offering a premier experience.
- Any client can consume content: Office 365 acts as an 'intelligent router' to transmogrify formats; 'View online' = OMEv2 with NN-day Office 365-side caching.
- Any recipient can consume content (via the 'view online' experience): Office 365 users can log in with Azure AD or federated identities; built-in federation with callouts to the main providers (Gmail, MSA, ...); One-Time Passwords as the 'catch all' experience; more social identity providers will be added.
Secure Email to Anyone, on Any Client
- Email only, or email with Word, Excel and PowerPoint attachments.
- Preview in Q4 CY16; General Availability in early CY17.
- Initially, 'Anyone' means Azure AD, Federated, Microsoft Account or Gmail identities; failing one of those, a One-Time Password is used. Other providers will be added in time: LinkedIn, Facebook, Yahoo, etc.
- Office Outlook is our enlightened client of choice; failing Outlook, the Office 365 'view online' sandboxed experience.
Prerequisites:
- Office 365 Exchange services (SKU tiered into Office E3/E5)
- Office Pro Plus client for publishing (consumption and reply remain free)
Google ID use case: Sophia receives protected email on her Gmail account (steps ❶ and ❷)
We recognize Sophia has a Google ID. Ask her to sign in ❷
Simple Consent dialog ❸
And voila! ❺
The same Gmail account on Outlook mobile
OWA use case: opening emails with a Microsoft Account just works (no consent)
OTP use case: and then we have the One-Time Passcode!
The email opens after entering the One-Time Passcode
Office client futures: protection on all clients
- Consumption on all clients is in place now: Windows, mobile, Mac and web.
- Publishing on Windows and Mac is in place; mobile is coming in H1 CY17.
- Dates for Outlook's move to the native RMS SDK remain undisclosed.
- Office for Windows vNext will have native experiences; dates undisclosed.
- Document tracking, revocation and classification follow the same pattern as protection: Windows first, Mac next, mobile as demand is heard.
Prerequisites: Office Pro Plus using the new evergreen 'Click-to-Run' deployment model.
Azure Information Protection enhancements
A continuous post-GA wave of incremental updates: policy scopes, CLP (classification, labeling, protection) for non-Office formats, enhanced DLP, logs/reporting.
Deep dives:
- Hold Your Own Key (HYOK)
- Office 365 Exchange with Bring Your Own Key (BYOK)
- Mobile client enhancements (and client unification)
- Service enhancements, for both AIP and RMS
- CLP SDK and better-together use cases
Hold Your Own Key (HYOK)
- In preview now; General Availability in Q4 CY16.
- Not for everyone; most don't need this. See the blog posts. If used, very sparing use is strongly encouraged.
- HYOK servers should not be in your DMZ (that defeats the purpose).
- Limit use to highly managed PCs only; no Mac or mobile, given there is no DMZ exposure.
- Secret B2B is done via guest accounts in an AD domain you control.
- Consider a sovereign partner/hoster if regulated (e.g. Swisscom). For Germany, Office 365 'Black Forest' will be a viable AIP-based alternative.
Prerequisites: Azure Information Protection P2 or EMS E5.
Office 365 Exchange with BYOK
- Exchange will make use of Azure RMS (instead of running a private copy).
- The RMS service will rely on Azure Key Vault (instead of private HSMs).
Resulting behaviors:
- The customer BYOK use case is now enabled.
- Exchange Online ignores HYOK content (as requested).
- RMS consumption logging is now in one place, the RMS logs.
- RMS SDK v2 fixes some 'paper cuts' and permits quick fixes of those remaining.
Prerequisites:
- Azure Key Vault: already in market.
- Azure Information Protection: already supported; GA in Sept CY16.
- Office 365 Exchange E3+: internal now; GA in Q4 CY16 to Q1 CY17.
Mobile client enhancements/unification
- Client de-duplication: the RMS Sharing app is replaced by the AIP app. PP in Oct, GA in Q4. Simpler user model, plus a model favoring IT guidance.
- Clients support RPMSG and PDF (PPDF, SharePoint PDF, redacted). Mobile in Oct, Windows in Q4. Viewers are free on all platforms.
- Key policy enhancements underway: *@*, *@company, etc. (TBD).
- Client migration: DNS redirection for existing AD RMS users. Enables configuration outside of GPO. GA in Q4 (Office 2016; no 2013 planned).
- Client migration: licensing-only AD RMS for existing AD RMS users. Smooths the transition to AIP/Azure RMS. GA in Q4.
AIP 'CLP' SDK and better-together use cases
- The RMS SDK grows into the AIP SDK for classification, labeling and protection.
- Better-together use cases: the label persistence format is being standardized across the industry; Office 365 DLP (EXO, SPO, ...) and Cloud App Security will honor our labels; Office native client and service awareness of labels; all leading DLP vendors are working with us on RMS, and the next ask is labeling.
- Your line-of-business (LOB) applications can also leverage this SDK. ASK: have your key app vendors contact us for RMS/AIP integration.
Prerequisites: use the current SDK now; pick up the Azure Information Protection SDK when ready, H1 CY17.
END OF SECTION: Roadmap
- Secure Email to Anyone futures
- Native Office client futures
- Azure Information Protection futures
WHY AZURE INFORMATION PROTECTION?
- Persistent protection
- Safe sharing
- Intuitive experience
- Greater control
5 Steps Program: 1. Classify, 2. Label, 3. Protect, 4. Monitor, 5. Respond
Best practice: start small, do it now, and move quickly
- Take simple steps that generate value quickly, e.g. 'Do Not Forward' for HR and Legal.
- Test, phase the rollout, and learn; IT can't know it all.
- Control sensitive internal email flow across all PCs and devices.
- 'Share Protected' files with business partners (B2B).
- Teach and enable users to revoke access.
Enterprise Mobility + Security: a holistic solution
- Azure Active Directory Premium: manage identity with hybrid integration to protect application access from identity attacks. Its security reports help identify risky log-ins; paired with Azure Active Directory Identity Protection, IT can automatically block access to apps based on real-time risk scoring of identities and log-ins.
- Microsoft Intune: protect your users, devices and apps; manages and secures corporate data on mobile devices and within corporate apps.
- Microsoft Cloud App Security: extend enterprise-grade security to your cloud and SaaS apps, with deep visibility and control of data inside cloud applications.
- Azure Information Protection: protect your data everywhere; keeps data secure and encrypted throughout a customer's environment and extends protection when data is shared outside the organization.
- Microsoft Advanced Threat Analytics: detect threats early with visibility and threat analytics; helps IT detect threats early and provides forensic investigation to keep cybercriminals out.
Microsoft's enterprise and security solutions provide a holistic framework to protect your corporate assets across on-premises, cloud and mobile devices.
EMS: Enterprise Mobility and Security
Pillars: identity and access management; managed mobile productivity; information protection; identity-driven security.
EMS E3:
- Azure Active Directory Premium P1: secure single sign-on to cloud and on-premises apps; MFA, conditional access, and advanced security reporting.
- Microsoft Intune: mobile device and app management to protect corporate apps and data on any device.
- Azure Information Protection Premium P1: manual classification and protection for files and emails shared inside and outside your organization; cloud-based file tracking.
- Microsoft Advanced Threat Analytics: protection from advanced targeted attacks leveraging user and entity behavioral analytics.
EMS E5 adds:
- Azure Active Directory Premium P2: identity and access management with advanced protection for users and privileged identities (includes all capabilities in P1).
- Azure Information Protection Premium P2: intelligent classification and protection for files and emails shared inside and outside your organization (includes all capabilities in P1).
- Microsoft Cloud App Security: enterprise-grade visibility, control, and protection for your cloud applications.
Resources
- Follow @ https://twitter.com/TheRMSGuy
- Technical documentation @ https://docs.microsoft.com
- For questions, email AskIPteam@Microsoft.com
- IT Pro blog @ https://blogs.technet.microsoft.com/enterprisemobility/
- Download @ https://www.microsoft.com/en-us/download/details.aspx?id=53018
- Product page @ https://www.microsoft.com/en-us/cloud-platform/azure-information-protection