Microsoft Ignite NZ October 2016 SKYCITY, Auckland

Presentation transcript:

Microsoft Ignite NZ 25-28 October 2016 SKYCITY, Auckland
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Prevent unwanted and embarrassing leakage with Azure Information Protection
M318
Andrew McMurray, Principal Program Manager, Microsoft Corporation
Follow: @TheRMSGuy
Mail: AskIPTeam@Microsoft.com
Twitter: @MaccaOz
WOW: Automatisier – Level 108 Pandaren Hunter – Khaz’Goroth Horde

Enterprise Mobility + Security: The Microsoft vision
Identity Driven Security
Users, Devices, Apps, Data
Managed Mobile Productivity
Comprehensive Solution

Enterprise Mobility + Security: The Microsoft solution
Azure Active Directory: Manage identity with hybrid integration to protect application access from identity attacks
Microsoft Cloud App Security: Extend enterprise-grade security to your cloud and SaaS apps
Intune: Protect your users, devices, and apps
Advanced Threat Analytics: Detect threats early with visibility and threat analytics
Azure Information Protection: Protect your data, everywhere

Azure Information Protection

How much control do YOU have?
Hybrid data = new normal. It is harder to protect.
Unregulated, unknown
Managed mobile environment: Identity, device management protection
On-premises: Perimeter protection

The evolution of Information Protection
Classify & Label: CLASSIFICATION, LABELING
Protect: ENCRYPTION, ACCESS CONTROL, POLICY ENFORCEMENT
Monitor & Respond: DOCUMENT TRACKING, DOCUMENT REVOCATION

Azure Information Protection: Full Data Lifecycle
Classify & Label: CLASSIFICATION, LABELING
Protect: ENCRYPTION, ACCESS CONTROL, POLICY ENFORCEMENT
Monitor & Respond: DOCUMENT TRACKING, DOCUMENT REVOCATION

Classification + Automation + Protection + Reporting + Collaboration

Classification

Classify Data – Begin the Journey
Classify data based on sensitivity
Start with the data that is most sensitive
IT can set automatic rules; users can complement it
Associate actions such as visual markings and protection
IT admin sets policies, templates, and rules
Labels: Confidential, Restricted, Personal, Internal, Public

Classification user experiences
Reclassification
Manual
Automatic
Recommended

Apply Labels based on classification
Persistent labels that travel with the document
Labels are metadata written to documents
Labels are in clear text so that other systems such as a DLP engine can read them
Labels travel with the document, regardless of location
Example label: FINANCE CONFIDENTIAL

Protection

Protect data against unauthorized use
Corporate apps, Email attachment, Personal apps
FILE: VIEW, EDIT, COPY, PASTE
Protect data needing protection by:
Encrypting data
Including authentication requirement and a definition of use rights (permissions) to the data
Providing protection that is persistent and travels with the data

How Protection Works
Secret cola formula: Water Sugar Brown #16
PROTECT: Water Sugar Brown #16 becomes aEZQAR]ibr{qU@M]BXNoHp9nMDAtnBfrfC;jx+Tg@XL2,Jzu ()&(*7812(*:
UNPROTECT: use rights + Water Sugar Brown #16
Each file is protected by a unique AES symmetric
Usage rights and symmetric key stored in file as “license”
License protected by customer-owned RSA key

How Protection Works
LOCAL PROCESSING ON PCS/DEVICES
Components: Rights Management, Active Directory, Key Vault, SDK
Azure RMS never sees the file content, only the license
File content is never sent to the RMS server/service
Apps protected with RMS enforce rights
Apps use the SDK to communicate with the RMS service/servers
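The two "How Protection Works" slides above, as an added Go example (not code from the presentation or from Microsoft): content is encrypted locally under a per-file AES key, and the usage rights plus that key form a license wrapped under an RSA key, so the key holder handles only the license. The License layout, the function names, the package-level tenant key and the choice of AES-GCM and RSA-OAEP are assumptions made for the illustration; the slides do not specify them.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type License struct { // simplified, assumed layout: usage rights plus the per-file AES key
	Rights map[string]map[string]bool // user -> action -> allowed
	Key    []byte
}

// Protect runs on the client: content is encrypted locally, the license is RSA-wrapped.
func Protect(pub *rsa.PublicKey, content []byte, rights map[string]map[string]bool) (ct, lic []byte, err error) {
	buf := make([]byte, 32+12) // fresh AES-256 key and GCM nonce for this file only
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(buf[:32]) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	ct = aead.Seal(buf[32:], buf[32:], content, nil) // nonce || ciphertext || tag
	raw, _ := json.Marshal(License{rights, buf[:32]})
	lic, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, raw, nil)
	return ct, lic, err
}

// ReleaseKey runs at the rights service, which sees only the license, never the content.
func ReleaseKey(priv *rsa.PrivateKey, lic []byte, user, action string) ([]byte, error) {
	var l License
	raw, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lic, nil)
	if err != nil || json.Unmarshal(raw, &l) != nil || !l.Rights[user][action] {
		return nil, fmt.Errorf("license invalid or %s may not %s", user, action)
	}
	return l.Key, nil
}

// Unprotect runs on the client after the service has released the key.
func Unprotect(ct, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) < 12 {
		return nil, fmt.Errorf("bad key or ciphertext")
	}
	aead, _ := cipher.NewGCM(block)
	return aead.Open(nil, ct[:12], ct[12:], nil)
}

var tenant, _ = rsa.GenerateKey(rand.Reader, 2048) // stands in for the tenant's RSA key
func main() {
	_, lic, _ := Protect(&tenant.PublicKey, []byte("constructed sample"), nil)
	fmt.Println(ReleaseKey(tenant, lic, "jane", "VIEW")) // no rights granted: key withheld
}
```

The license here must fit in one RSA-OAEP block, so it only suits a short rights list; ReleaseKey checks rights before returning the key, while honouring the granted action afterwards is left to the consuming app, as the slide says.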

Demo: Azure Information Protection

Reporting

Monitor and Respond
Monitor use, control and block abuse
MAP VIEW
Sue, Bob, Jane
Sue
Joe blocked in Ukraine
Jane accessed from France
Bob accessed from North America
MAP VIEW
Jane, Competitors
Jane access is revoked

Reporting
Coming (very) Soon

Collaboration

Road to sharing data safely with anyone
Share internally, with business partners, and customers
Bob, Jane
Internal user
*******
External user
Any device/any platform
Let Bob view and print
Let Jane edit and print
Sue
File share, SharePoint, Email, LoB

How Sharing Works
Using Azure AD for authentication
Azure Active Directory, ADFS
On-premises organizations doing full sync
On-premises organizations doing partial sync
Organizations completely in cloud
Organizations created through ad-hoc signup
…and all of these organizations can interact with each other.

Architectures

Key Management Model
Columns: Who generates the key? / Where is the key stored? / Notes
Azure RMS: Microsoft / Azure RMS Service
Azure Key Vault software: Azure KV Service
Azure Key Vault hardware: Azure KV HSM
BYOK: Customer / Azure KV HSM / Customer generates key, exports/imports into Azure KV HSM
HYOK*: Customer HSM / This is a ‘split-brain’ mode using both Azure RMS and ADRMS. Azure RMS uses one of the above models. ADRMS uses the on-premises HSM for keys.
*AIP P2 or EMS E5

Topology
Data protection for organizations at different stages of cloud adoption
Ensures security because sensitive data is never sent to the RMS server
Integration with on-premises assets with minimal effort
Azure AD: Authentication & collaboration
Azure Rights Management
Azure Key Management: Service supplied Key, BYO Key
Authorization requests via federation (optional)
RMS connector (optional)
AAD Connect
ADFS

Topology for Regulated Environments
Data protection for organizations at different stages of cloud adoption
Ensures security because sensitive data is never sent to the RMS server
Integration with on-premises assets with minimal effort
Hold your key on premises
Azure AD: Authentication & collaboration
Azure Rights Management
Azure Key Management: Service supplied Key, BYO Key
Authorization requests via federation (optional)
RMS connector (optional)
AAD Connect
ADFS
Rights Management
Key Management: Hold-your-own Key

HYOK: Overview
Azure Information Protection
Label A: Apply Protection: AzRMS
Label B: Apply Protection: ADRMS
Azure Rights Management, Azure Key Management, BYOK: Data that can be stored anywhere, travel, collaborated on and protected by a cloud service
AD Rights Management, Customer Key Management, HYOK: Toxic data that must reside on-premises and be protected by customer held keys

Getting started with key scenarios
Classification only: Understand your data classification needs, enable the service and define a default policy so all documents are labelled.
+ Automation: Define content based actions to automatically classify and label documents or make recommendations to users to confirm.
+ Protection: For sensitive information, define protection policies that require authentication and enforce use rights.
+ Reporting: Gain insights into the types of information you have, users that work with different sensitivity levels and trends in data creation.
+ Collaboration: Securely share documents and email with internal and external recipients.

Resources
Follow @ https://twitter.com/TheRMSGuy
Technical Documentation @ https://docs.microsoft.com
For questions email AskIPteam@Microsoft.com
IT Pro Blog @ https://blogs.technet.microsoft.com/enterprisemobility/
Download @ https://www.microsoft.com/en-us/download/details.aspx?id=53018
Product page @ https://www.microsoft.com/en-us/cloud-platform/azure-information-protection
