The Secure Productive Enterprise Azure Information Protection Training

Presentation on theme: "The Secure Productive Enterprise Azure Information Protection Training"— Presentation transcript:

1 The Secure Productive Enterprise Azure Information Protection Training
Level

2 Part I – Overview
- Information Protection Challenges
- AIP for Information Protection
- Identify opportunities and use-cases
- Consumption
- Competition

3 The Snowden Effect “When you’re in positions of privileged access, like a systems administrator, you’re exposed to a lot more information on a broader scale than the average employee.” - Edward Snowden

4 Information Protection Challenge – Identify Sensitive Data
- “We use 900 cloud services. We can’t identify what information is stored on these services and what should be protected.”
- “Our primary challenge with information protection: we don’t know what information we have, where it’s stored and how it’s used.”
- “Our confidential data has customer records and users store it in the cloud. We want to know this data and protect it!”
- “We want to migrate our data to SPO – but don’t know how to first identify our high-value information records, and how to treat it.”
10/3/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

5 Information Protection Challenge
- Intellectual Property theft has increased – 56% rise in data theft
- Organizations are no longer confident in their ability to detect and prevent data theft – 88% of organizations are losing control of data
- Saving files to non-approved cloud storage apps is common – 80% of employees admit to using non-approved SaaS apps
- Accidental or malicious breaches due to lack of internal controls – 91% of breaches could have been avoided
Sources:

6 Information Protection Challenge – Protection Anywhere
- On-premises: perimeter protection
- Managed mobile environment: device management protection
- Unregulated, cloud, partners: the new normal – it is harder to protect

7 AIP: Data-Centric Lifecycle Protection – Policy + Enforcement + Automation
- CLASSIFY: at data creation; manual and automatic, as much as possible
- LABEL: persistent labels; an industry standard that enables a wide ecosystem; user awareness through visual labels
- PROTECT: Data Loss Prevention; encryption with RMS; control over data

8 Protect your data throughout its lifecycle
Stages: Identify, Classify & Tag → Share & Protect → Usage Tracking → Revoke Access
- Encryption / RMS path: Identify, Classify, Tag → Encryption; Access Control (Who / Where / When); Permissions (Granted / Denied) → Global access tracking → Revoke document
- DLP path: Cloud DLP (at rest) → File access tracking → Make private; EXO DLP (in motion) → Who / Where / When → Quarantine; Enhance on-prem DLP
Microsoft tools and framework to protect your data throughout its life-cycle: from the moment of creation, in transit, at rest, in use, on-prem and in the cloud; track usage, and revoke access to documents.

9 The story of a file
- File is created (via multiple sources)
- User opens the file for editing
- User uploads to SPO for internal sharing
- Another user in the group uses the file
- The user uploads the file to an EFSS to share externally
Azure Information Protection client · Office DLP · Microsoft Cloud App Security
Persistent labels are the glue for a unified information protection language.

10 How Classification Works
- Classify data based on sensitivity
- Users manually classify content
- IT can set automatic rules
- Associate actions such as visual markings and protection
Labels: SECRET, CONFIDENTIAL, INTERNAL, NOT RESTRICTED, PERSONAL
- IT admin sets policies, templates, and rules
- Data is born protected, using the company’s criteria
- Enforced by IT, enforced on any device
<keep personal data.... Personal>

11 How Classification Works
- Manual: users can choose to apply a sensitivity label to the email or file they are working on with a single click
- Automatic: policies can be set by IT admins for automatically applying classification and protection to data
- Recommended: based on the content you’re working on, you can be prompted with a suggested classification
- Reclassification: you can override a classification and optionally be required to provide a justification
Best case – IT sets up policy. But IT can’t catch all, so recommendations are the next best. Users have the flexibility to reclassify because policies won’t get it right all the time, but everything is logged so IT can audit in case of violation. Users also have the option to label if they deem it necessary, even when content is not automatically classified.

12 Automatic classification - example

13 Recommended classification - example

14 Reclassification and justification - example

15 Discussion Points / Use-cases / Opportunities
- Is your account in the market for data classification? Companies either “have”, are “actively evaluating”, or “will have” a classification solution.
- Is your account looking for a solution to help identify and control sensitive unstructured data? Discover, classify, protect, and track sensitive files and emails?
- Is there an existing DLP strategy? What DLP tools do they use today? Is persistent classification part of the strategy?
- Does your account consider RMS/encryption for sensitive documents, and for secure B2B collaboration?
- Is security an inhibitor for data migration projects to Office 365?

16 AIP and Consumption
- EMS E3 consumption – AIP P1, a low-hanging fruit. Consider an initial production implementation without RMS: only tagging and watermarking.
- EMS E5 consumption – AIP P2 & CAS: automatic classification and extending “classification-aware” DLP to the cloud.
- Office 365 consumption – when security is an inhibitor, AIP can be used to relieve the concerns around exposing sensitive data.

17 Competition (based on Secure Islands)
Categories: Classification + RMS enablers, DRM, DLP. Vendors: Titus, Vera, Digital Guardian, Boldon James, Ionic (McAfee), Watchful (Symantec), (Websense).
- Classification / RMS enablers: until now a niche market with no market standard. With the acquisition, classification is built into the Microsoft platform; Microsoft is the new market standard for classification and tagging.
- DRM: Gartner – by 2019, 90% of EDRM deployments will incorporate Microsoft RMS components.
- DLP: Microsoft is the new standard for classification.

18 Information Protection Vision
- Policy enforcement, document revocation, document tracking, access control, encryption, classification and labeling
- For LOB apps and files
- Share internally, share externally (B2C), share externally (B2B)
- On any device, in any part of the world: US, EU, China, APAC, Germany

19 Benefits
- Maintain visibility and control
- Protect your data anywhere
- Enable B2B secure collaboration
- Empower users to make the right decisions

20 Part 2 – Product deep dive
- Functionality breakdown
- Demo
- Architecture
- How classification works
- How protection works
- Roadmap
- Implementation best practices
- Cryptographic and protection flow detailed
- Troubleshooting

21 AIP Functionality Breakdown
- Classification and Automation: LABELING, CLASSIFICATION
- ENCRYPTION, IRM, ACCESS CONTROL, POLICY ENFORCEMENT
- Tracking: DOCUMENT TRACKING, DOCUMENT REVOCATION
Document tracking – for compliance, for control, for forensics; when you aggregate it you have great data for risk officers who want to know where the sensitive data is and who uses it. A framework that was missing.

22 Classification & labeling
Azure Information Protection – full data lifecycle: CLASSIFICATION, LABELING, ENCRYPTION, ACCESS CONTROL, POLICY ENFORCEMENT, DOCUMENT TRACKING, DOCUMENT REVOCATION.
For years, Azure RMS has helped organizations provide persistent protection over their data through encryption, authentication and use rights. We also added tracking and revocation capabilities for greater visibility and control over shared data. Now we also have classification and labeling capabilities so that you can identify what data needs protection and protect only the data that needs it. This comprehensive solution that provides security at every stage of the data lifecycle is Azure Information Protection.
Classification & labeling → Protect → Monitor & respond

23 Protect your data throughout its lifecycle
Stages: Identify, Classify & Tag → Share & Protect → Usage Tracking → Revoke Access
- Encryption / RMS path: Identify, Classify, Tag → Encryption; Access Control (Who / Where / When); Permissions (Granted / Denied) → Global access tracking → Revoke document
- DLP path: Cloud DLP (at rest) → File access tracking → Make private; EXO DLP (in motion) → Who / Where / When → Quarantine; Enhance on-prem DLP
Microsoft tools and framework to protect your data throughout its life-cycle: from the moment of creation, in transit, at rest, in use, on-prem and in the cloud; track usage, and revoke access to documents.

24 Demo
- End User Experience
- Admin Console
- Usage Tracking

25 Architecture

26 Architecture Clients – AIP
- Functionality: manual and automatic classification. Tag files, apply content marking, and apply RMS templates. Audit user classification actions.
- Packaging: Office add-on
- Prerequisites: Windows 7 and above
- Roadmap: Mac, mobile, Office Online, 3rd-party LOB applications (e.g. PDF, CAD, etc.)
- Competition: Titus enables classification of files and emails from mobile

27 Architecture Clients – Office
For Windows / Mac Office 2016
- Functionality: apply RMS templates; consume RMS-protected documents; manage RMS-level permissions. For Outlook: create an ad-hoc protection template for the recipients – “Do Not Forward / Secure Send”
- Supported platforms: Outlook, Word, Excel, PowerPoint, Visio, Project
- Prerequisites: RMS client, Azure RMS active in the tenant
- Roadmap: mobile (iOS / Android), O365 online
- Competition: Titus has RMS-enabled email and document mobile apps

28 Architecture Clients – RMS Sharing Application
- For Windows: enhances File Explorer to RMS-protect and share a single file, or bulk-protect multiple files as well as all files within a selected folder. Protects more file types (pfile). A built-in viewer for commonly used text, PDF, and image file types.
- For Mobile / Mac: open RMS-protected PDF files, pictures, text files, and any other file format protected as a .pfile. Protect pictures with an RMS policy before you share them.
RMS Sharing came mainly to enable B2B collaboration from both a sender and a consumption standpoint, but it also added some other capabilities.

29 Architecture Clients – Others
- FCI (File Classification Infrastructure) – scan, classify(*), and protect files on Windows Server file shares
- Exchange on-prem – RMS protection for emails via transport rule
- Exchange Online – RMS protection for emails via transport protection rules
- SharePoint on-prem – RMS-protect files on download
- SharePoint Online – RMS-protect files on download
- RMS SDK – for 3rd parties
- AIP SDK – for 3rd parties (roadmap)

30 Backend Architecture
Components shown: Azure RMS client; AD RMS client (optional); Azure Information Protection (Rights Management, Key Management); Azure AD (authentication & collaboration); Azure Key Management (BYO Key; HYO Key – roadmap); ADFS (authorization requests go to a federation service); AAD Connect; RMS connector.

31 BYOK via HSM
Benefit: you create the key, not Microsoft.
RMS is a cloud tenant service and Microsoft generates a tenant RMS key. Some customers don’t like it. With BYOK they generate the key on-prem and send it with a hardware device called an HSM (hardware security module); Microsoft doesn’t have access to the private keys.

32 HYOK (road-map) – optional
- For highly regulated companies that don’t want to put their key in the Microsoft cloud
- Policy can dictate using an RMS template from a local AD RMS server
- How is it going to work: TBD
Components shown: Azure Information Protection, Azure AD, Azure Key Management, ADFS (authentication & collaboration; authorization requests go to a federation service), Policy, Rights Management, Key Management, HYO Key – roadmap, RMS.

33 RMS Connector
- Relay component between on-prem servers (Exchange, SP, FCI) and Azure RMS
- Installed on-prem on Windows Servers or virtual machines
- Supports hybrid scenarios (on-prem and online mailboxes)

34 How It Works

35 How RMS Protection Works
- Each file is protected by a unique AES symmetric key
- Usage rights and the symmetric key are stored in the file as a “license”
- The license is protected by the customer-owned RSA key
Diagram: the secret cola formula (Water, Sugar, Brown #16) becomes unreadable ciphertext under PROTECT and plaintext again under UNPROTECT; the protected file carries “use rights +” the wrapped key.

36 How RMS Protection Works – Local Processing on PCs/Devices
- Azure RMS never sees the file content, only the license
- File content is never sent to the RMS server/service
- Apps protected with RMS enforce rights
- Apps use the SDK to communicate with the RMS service/servers
Diagram components: the client with “use rights +” the encrypted file, the SDK, Rights Management, Active Directory, Key Vault.
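The protect / consume flow of slides 35 and 36 as an added example; this is not code from the deck or from Microsoft's RMS implementation. It models a per-file AES-256-GCM key, a license carrying the use rights and that key, the license sealed under the tenant's RSA key, and a service that only ever handles the sealed license. The rights names, user addresses and the single-tenant-key model are constructed simplifications: real Azure RMS also binds the issued use license to the requesting user's own key, a step this example omits (the key release is assumed to travel over TLS, as slide 61 says for mobile).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// License is the slide's "use rights + symmetric key" kept inside the file (rights per user are constructed).
type License struct {
	ContentKey []byte            `json:"key"`
	Rights     map[string]string `json:"rights"`
}

// ProtectedFile: AES-GCM ciphertext (nonce prefixed) plus the license sealed under the tenant RSA key.
type ProtectedFile struct{ Ciphertext, SealedLicense []byte }

// NewTenantKey stands in for the customer-owned tenant key (BYOK/HSM on slide 31).
func NewTenantKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Protect (client): fresh AES-256 key per file, content encrypted locally, only the license sealed to the tenant key.
func Protect(content []byte, rights map[string]string, pub *rsa.PublicKey) (*ProtectedFile, error) {
	buf := make([]byte, 32+12) // content key || GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block) // valid AES block: cannot fail
	lic, _ := json.Marshal(License{ContentKey: key, Rights: rights})
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, lic, nil)
	if err != nil {
		return nil, err
	}
	return &ProtectedFile{gcm.Seal(nonce, nonce, content, nil), sealed}, nil
}

// IssueUseLicense (service): gets only the sealed license, never the ciphertext, and releases
// the key solely to a user named in the rights. Declining here is what revocation looks like.
func IssueUseLicense(sealed []byte, user string, priv *rsa.PrivateKey) ([]byte, string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed, nil)
	if err != nil {
		return nil, "", err
	}
	var lic License
	if err := json.Unmarshal(plain, &lic); err != nil {
		return nil, "", err
	}
	right, ok := lic.Rights[user]
	if !ok {
		return nil, "", errors.New("use license denied for " + user)
	}
	return lic.ContentKey, right, nil
}

// Consume (client): decrypt locally with the released key; the RMS-enlightened app enforces the right.
func Consume(pf *ProtectedFile, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if n := gcm.NonceSize(); len(pf.Ciphertext) >= n {
		return gcm.Open(nil, pf.Ciphertext[:n], pf.Ciphertext[n:], nil)
	}
	return nil, errors.New("truncated protected file")
}

func main() { // stand-alone demo: protect the cola formula for bob (constructed sample), consume as bob
	priv, _ := NewTenantKey()
	pf, _ := Protect([]byte("Secret cola formula: Water, Sugar, Brown #16"), map[string]string{"bob@contoso.example": "view"}, &priv.PublicKey)
	key, right, err := IssueUseLicense(pf.SealedLicense, "bob@contoso.example", priv)
	plain, _ := Consume(pf, key)
	fmt.Println(right, err, string(plain))
}
```

Note that `IssueUseLicense` takes only `SealedLicense` as input: the ciphertext never has to leave the device, which is the property slide 36 states.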

37 How B2B Sharing Works – Azure Active Directory
- Using Azure AD for authentication, via email or templates with external users (AD B2B)
- On-premises organizations doing full sync
- On-premises organizations doing partial sync
- Organizations completely in the cloud
- Organizations created through ad-hoc signup
…and all of these organizations can interact with each other. Also shown: ADFS.

38 Roadmap

39 Azure Information Protection
Timeline columns: 2016 Q3, 2016 Q4, 2017 H1; status: PP (private preview), GA; SKU.
Support for all file types and all devices:
- AIP P1 / EMS E3: default, manual, and override classification via the classification bar
- AIP P2 / EMS E5: automatic and recommended classification
- Manual classification for non-Office files
- Enable SDK for developers
- Define policy scope based on groups/identities
Comprehensive information protection and interoperability:
- CAS enabled to see file labels and use them in policies
- O365 DLP enabled to see file labels and use them in policies
- Integration with Windows Information Protection
- Merge RMS Sharing App into AIP (still private preview)
This is a solution that extends across multiple components, with classification as the foundation. Classify on creation so you can apply the relevant security controls later.

40 Azure Information Protection
Timeline columns: 2016 Q3, 2016 Q4, 2017 H1; status: PP, GA; SKU.
Secure Collaboration:
- In Office: manual and automatic classification and protection of sensitive emails/documents via Outlook
- Support for Google IDs to open protected Outlook emails and documents
- Office 2016 adds support for document tracking and revocation
- Office on iOS supports creation of RMS-protected documents
- Azure RMS is enabled by default for all eligible Office 365 tenants
- SharePoint
- Protected and redacted PDFs can be opened in all AIP apps (iOS, Android, Mac)
Better Management and Control (AIP P2 / EMS E5):
- Hold Your Own Key (HYOK) for highly regulated customers
- Reports for data creation and usage
- BYOK supported for EXO
- Better support for migration to Azure RMS
Secure collaboration – a key business requirement.

41 Implementation

42 Implementation
- Map requirements
- Manual classification
- Enable ecosystem
- Automation
- RMS protection
- SIEM + advanced use-cases

43 Prerequisites
- An Office 365 subscription that includes Azure Information Protection (EMS E3 at least)
- A subscription for Azure, so you can access the Azure portal
- A global administrator account to sign in to the Office 365 admin center or the Azure portal
- A computer running Windows (minimum Windows 7 with Service Pack 1) with Office Professional Plus 2016, Office Professional Plus 2013 with Service Pack 1, or Office Professional Plus 2010 installed

44 Implementation Best Practices
Step 1 – Map requirements:
- Figure out the customer’s existing classification methodology and guidelines; most companies already have a data classification policy (see example)
- Map requirements for enforcement points (where and when): data-at-rest, data-in-use, data-in-motion
- Figure out security controls per classification level: visual marking, DLP, and encryption

45 Implementation Best Practices
Step 2 – Implement manual classification: configure labels and visual marking. Don’t include RMS at this point. Let the end-users get used to the new UI/functionality.

46 Implementation Best Practices
Step 3 – Enable the ecosystem:
- DLP: add rules to on-prem DLP and the email gateway; add rules to Office 365 DLP; add rules to MCAS
- ECM: configure SharePoint to show sensitivity tags

47 Implementation Best Practices
Step 4 – Add automation based on content inspection: add content inspection rules to drive recommendations and automation.

48 Implementation Best Practices
Step 5 – Add and enable RMS protection: build the relevant RMS templates and add them to the AIP policy. Recommendation: start with 1-3 templates [Company internal, Company FTE, Executives].

49 Implementation Best Practices
Step 6 – Integrate with SIEM: pull usage data into the SIEM to enable visibility into classified data usage, classification actions, and justifications.

50 Implementation Best Practices
Step 7 – Use the API/SDK to extend auto-classification and protection to other components:
- 3rd-party scanners
- Non-Office home-grown applications
- Unsupported OSes (UNIX, …)
- More …

51 Cryptographic and Detailed Protection Flow

52 Cryptographic controls used by Azure RMS: Algorithms and key lengths

53 Step 1 : Initializing the User Environment

54 Step 2 : Initializing the User Environment

55 Step 1 : Content Protection

56 Step 2 : Content Protection

57 Step 3 : Content Protection

58 Step 1 : Content Consumption

59 Step 2 : Content Consumption

60 Step 3 : Content Consumption

61 Variations
- Mobile devices – no registration process; get the publication license and consumption license over TLS
- RMS Connector – same flow, but the RMS connector acts as a relay between the on-prem services (e.g. Exchange, SharePoint) and Azure RMS
- Generic protection (.pfile) – same flow, but the client creates a policy that grants all rights. On consumption the file is decrypted before it is passed to the native app

62 RMS Analyzer
- Local admin
- MSIPC folder
- Debug View (PGC View)

63 Resources
Follow @ https://twitter.com/TheRMSGuy
Technical · For questions · IT Pro · Product


