1. The Secure Productive Enterprise Azure Information Protection Training
Level

2. Part I –Overview
Information Protection Challenges
AIP for Information Protection
Identify opportunities and use-cases
Consumption
Competition

3. The Snowden Effect
“When you’re in positions of privileged access, like a systems administrator you’re exposed to a lot more information on a broader scale than the average employee.”
- Edward Snowden

4. Information Protection Challenge – Identify Sensitive Data
10/3/2017
Information Protection Challenge – Identify Sensitive Data
“We use 900 cloud services. We can’t identify what information is stored on these services and what should be protected”
“Our primary challenge with information protection: we don’t know what information we have, where it’s stored and how it’s used”
“Our confidential data has customer records and users store it in the cloud We want to know this data and protect it!”
“We want to migrate our data to SPO – but don’t know how to identify first our high- value-information-records, and how to treat it”
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

5. Information Protection Challenge
Intellectual Property theft has increased
Organizations no longer confident in their ability to detect and prevent data theft
56% rise data theft
88% of organizations are Losing control of data
Saving files to non-approved cloud storage apps is common
Accidental or malicious breaches due to lack of internal controls
80% of employees admit to use non-approved SaaS app
91% of breaches could have been avoided
Sources:

6. Information Protection Challenge – Protection Anywhere
Unregulated,
Cloud,
Partners
Information Protection Challenge – Protection Anywhere
new normal
It is harder to protect
Managed mobile environment
device management protection
On-premises
Perimeter protection

7. Policy + Enforcement + Automation
10/3/2017
AIP : Data Centric Lifecycle Protection
CLASSIFY
LABEL
PROTECT
At data creation Manual and automatic - as much as possible
Persistent labels
Industry standard that enables a wide ecosystem
User awareness through visual labels
Data Loss Prevention
Encryption with RMS
Control over data
Policy + Enforcement + Automation
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

8. Protect your data throughout its lifecycle
10/3/2017 9:44 AM
Protect your data
Protect your data throughout its lifecycle
Identify, Classify & Tag
Share &Protect
Usage Tracking
Revoke Access
Encryption / RMS Path
Identify
Encryption
Global access tracking
Revoke Document
Classify
Access Control
Who / Where / When
Tag
Permissions
Grant / Denied
DLP Path
Microsoft tools and framework to protect your data throughout its life-cycle
- Sine the moment on creation, on transit, at rest, in-use, on-prem, on-cloud, track-usage, and how to revoke access to documents
Cloud DLP (at rest)
File access tracking
Make private
EXO DLP (in motion)
Who / Where / When
Quarantine
Enhance on-prem DLP
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9. 10/3/2017 9:44 AM
The story of a file
File is created (via multiple sources)
User opens the file for editing
User uploads to SPO
for internal sharing
Another user in the group uses the file
The user uploads the file to an EFSS to share externally
Azure Information Protection client
Office DLP
Microsoft Cloud App Security
Persistent labels are the glue for a unified information protection language
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

10. How Classification Works
Classify data based on sensitivity
User manually classify content
IT can set automatic rules
Associate actions such as visual markings and protection
SECRET
CONFIDENTIAL
INTERNAL
NOT RESTRICTED
IT admin sets policies,
templates, and rules
Data is born protected,
Using companies’ criteria
Enforced by IT
Enforced on any device
<keep personal data.... Personal>
PERSONAL

11. How Classification Works
10/3/2017
How Classification Works
Reclassification
You can override a classification and optionally be required to provide a justification
Manual
Users can choose to apply a sensitivity label to the or file they are working on with a single click
Automatic
Policies can be set by IT Admins for automatically applying classification and protection to data
Recommended
Based on the content you’re working on, you can be prompted with suggested classification
Best case – IT sets up policy
But IT can’t catch all so... Recommendations is the next best
Flexibility for users to reclassify because policies won’t get it right all the time. But everything is logged so IT can audit in case of violation
Users also have the option to label if they deem necessary, even when not automatically classified
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

12. Automatic classification - example

13. Recommended classification - example

14. Reclassification and justification - example

15. Discussion Points / Use-cases / Opportunities
Is your account in the market for data classification?
Companies either “have”/“ actively evaluating”/or “will have” a classification solution.
Is your account looking for a solution to help identify and control sensitive unstructured-data?
Discover, classify, protect, and track sensitive files and s?
Is there an existing DLP strategy? What DLP tools they use today? Is persistent classification part of the strategy?
Does your account consider RMS/encryption for sensitive documents, and for secure B2B collaboration?
Is security an inhibitor for a data migration projects to Office 365?

16. AIP and Consumption EMS E3 Consumption AIP P1 – a low hanging fruit
Consider – Initial production implementation without RMS – only tagging and water-marking
EMS E5 Consumption
AIP P2 & CAS – Automatic classification and extending “classification aware” DLP to the cloud
Office365 Consumption
When security is an inhibitor, AIP could be used to relief the concerns around exposing sensitive data

17. Competition (based on Secure Islands)
Classification + RMS enablers
DRM
DLP
Titus
Vera
Digital Guardian
Bolden James
Ionic
(McAfee)
Watchful
(Symantec)
(Websense)
Classification / RMS Enablers 
Until now niche market / no-market standard
With the acquisition – Classification is built into the MS platform.
Microsoft is the new market standard for classification and tagging
DRM 
Garner - By 2019, 90% of EDRM deployments will incorporate Microsoft RMS components
DLP 
Microsoft is the new standard for classification

18. Information Protection Vision
Build 2012
10/3/2017
Information Protection Vision
Policy enforcement
Document revocation
Document tracking
Access control
Encryption
Classification and labeling
LOB apps
Files
Share internally
Share externally (B2C)
Share externally (B2B)
On any device
In any part of the world US EU
China
APAC
Germany

19. Benefits Maintain visibility and control Protect your data anywhere
Enable B2B secure collaboration
Empower users to make right decisions

20. Part 2 – Product deepdive
Functionality breakdown
Demo
Architecture
How classification works
How protection works
Roadmap
Implementation best practices
Cryptographic and protection flow detailed
Troubleshooting

21. AIP Functionality Breakdown
LABELING
CLASSIFICATION
Classification and
Automation
ENCRYPTION
IRM
ACCESS CONTROL
POLICY ENFORCEMENT
DOCUMENT TRACKING
DOCUMENT REVOCATION
Tracking
Document tracking – for compliance, for control, for forncesis, when you aggregate it you have great data for risk officers that want to know where is the sensitive data and how uses it.
Framework that was missing

22. Classification & labeling
Azure Information Protection
Full Data Lifecycle
CLASSIFICATION
LABELING
ENCRYPTION
ACCESS CONTROL
POLICY ENFORCEMENT
DOCUMENT TRACKING
DOCUMENT REVOCATION
For years, Azure RMS has helped organizations provide persistent protection over their data through encryption, authentication and use rights
We also added tracking and revocation capabilities for greater visibility and control over shared data
Now we also have classification and labeling capabilities so that you can identify what data needs protection and protect only the data that needs protection
This comprehensive solution that provides security at every stage of data lifecycle is Azure Information Protection.
Classification & labeling
Protect
Monitor & respond

23. Protect your data throughout its lifecycle
10/3/2017 9:44 AM
Protect your data
Protect your data throughout its lifecycle
Identify, Classify & Tag
Share &Protect
Usage Tracking
Revoke Access
Encryption / RMS Path
Identify
Encryption
Global access tracking
Revoke Document
Classify
Access Control
Who / Where / When
Tag
Permissions
Grant / Denied
DLP Path
Microsoft tools and framework to protect your data throughout its life-cycle
- Sine the moment on creation, on transit, at rest, in-use, on-prem, on-cloud, track-usage, and how to revoke access to documents
Cloud DLP (at rest)
File access tracking
Make private
EXO DLP (in motion)
Who / Where / When
Quarantine
Enhance on-prem DLP
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

24. Demo
End User Experience
Admin Console
Usage Tracking

25. Architecture

26. Architecture Clients – AIP
Functionality :
Manual and automatic classification.
Tag files, apply content marketing, and apply RMS template
Audit user classification actions
Packaging : Office add-on
Prerequisites : For Windows 7 and above
Roadmap : MAC, Mobile, Office Online, 3rd party LOB applications (e.g. PDF, CAD, etc)
Competition : Titus enables classification of files and from mobile

27. Architecture Clients – Office
For Windows / Mac Office 2016
Functionality :
Apply RMS template
Consume RMS protected documents
Manage RMS level permissions
For Outlook - Create ad-hoc protection template for the recipients – “Do Not Forward/Secure-SEnd”
Supported platforms : Outlook, Word, Excel, PowerPoint, Visio, Project)
Prerequisites : RMS client, Azure RMS active in tenant
Roadmap :
Mobile (iOS / Android)
O365 online
Competition : Titus has RMS enabled and document mobile apps

28. Architecture Clients – RMS Sharing Application
For Windows :
Enhances File Explorer to allow RMS-protect and share a single file, or bulk protect multiple files as well as all files within a selected folder.
Protect more file types (pfile)
A built-in viewer for commonly used text, pdf, and image file types.
For Mobile / Mac :
Open RMS-protected PDF files, pictures, text files, and any other file format protected as a .pfile.
Protect pictures with an RMS policy before you share them.
RMS Sharing came mainly to enable B2B collaboration from both a sender and consumption standpoint, but it all added some other capabilities

29. Architecture Clients – Others
FCI (File Classification Infrastructure) – scan, classify(*) , and protect files on Windows Servers File Shares
Exchange on-prem RMS protection for s- via Transport Rule
Exchange online RMS protection for s – via transport protection rules
SharePoint on-prem – RMS protect files on download
SharePoint online – RMS protect files on download
RMS SDK – For 3rd parties
AIP SDK – For 3rd parties (roadmap)

30. Backend Architecture Azure RMS Client AD RMS Client
optional
Azure RMS Client
Azure Information Protection
Azure AD
Azure Key Management
Authentication & collaboration
BYO Key
Authorization requests go to a federation service
RMS connector
AAD Connect
ADFS
Rights Management
HYO Key – roadmap
Key Management
AD RMS Client

31. BYOK via HSM Benefit you create the key and not Microsoft
hardware security module
RMS is a cloud tanent and Microsfot generates a teanent RMS key. Some customers don’t like it.
BYOK – they generate the KEY on prem. Send it with a hardware device called HSM (Microsfot doesn’t have access to the private keys)

32. HYOK (road-map) -
optional
Azure Information Protection
Azure AD
Azure Key Management
For highly regulated companies that don’t what to put their key on Microsoft cloud
Policy can dictate using an RMS template from a local AD RMS server
How is it going to work : TBD
Authentication & collaboration
Authorization requests go to a federation service
Policy
ADFS
Rights Management
HYO Key – roadmap
Key Management
RMS

33. RMS Connector
Relay component between on-prem servers (Exchange, SP, FCI)
Installed on prem on Windows Servers or Virtual Machines
Support Hybrid scenarios (on-prem and on-line mailboxes)

34. How It Works

35. How RMS Protection Works
10/3/2017
How RMS Protection Works
Usage rights and symmetric key stored in file as “license”
License protected by customer-owned RSA key
Use rights +
Water
Sugar
Brown #16
Water
Sugar
Brown #16
()&(*7812(*:
PROTECT
UNPROTECT
Each file is protected by a unique AES symmetric
Secret cola formula
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

36. How RMS Protection Works
10/3/2017
How RMS Protection Works
LOCAL PROCESSING ON PCS/DEVICES
Use rights +
Azure RMS never sees the file content, only the license
SDK
()&(*7812(*:
Use rights +
Rights Management Active Directory Key Vault
File content is never sent to the RMS server/service
Apps protected with RMS enforce rights
Apps use the SDK to communicate with the RMS service/servers
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

37. Azure Active Directory
10/3/2017 9:44 AM
How B2B Sharing Works
Using Azure AD for authentication Via or Templates with external users (AD B2B)
On-premises organizations doing full sync
Azure Active Directory
On-premises organizations doing partial sync
Organizations completely in cloud
Organizations created through ad-hoc signup
…and all of these organizations can interact with each other.
ADFS
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

38. Roadmap

39. Azure Information Protection
Scope
2016 Q3
2016 Q4
2017 H1
SKU
Item
Support for all file types and all devices PP GA
AIP P1/EMS E3
Default, manual, and override classification via classification bar
AIP P2/EMS E5
Automatic and Recommended classification
Manual classification for non office files
Enable SDK for developers
Define policy scope based on groups/identities
Comprehensive Information Protection and inter-operability
CAS enabled to see file labels and use in policies
O365 DLP enabled to see file labels and us in policies
Integration with Windows Information Protection
Merge RMS Sharing App into AIP
Still private preview
This is a solution that extends across multiple components – classification as the foundation. Classify on creation and so you can apply the relevant security controls later

40. Azure Information Protection
Scope
2016 Q3
2016 Q4
2017 H1
SKU
Item
Secure Collaboration PP GA
In Office
Manual and Automatic classification and protection of sensitive s/documents via Outlook
Support for Google Ids to open protected Outlook s and documents
Office 2016 adds support for document tracking and revocation
Office on iOS supports creation of RMS protected documents
Azure RMS is enabled by default for all eligible Office 365 tenants
SharePoint Protected and Redacted PDFs can be opened in all AIP apps (iOS, Android, Mac)
Better Management and Control
AIP P2/EMS E5
Hold Your Own Key (HYOK) for highly regulated customers
Reports for data creation and usage
BYOK supported for EXO
Better support for migration to Azure RMS
Secure Collaboration – a key business req

41. Implementation

42. Implementation Map Requirements Manual Classification
Enable Echo-System
Automation
RMS Protection
SIEM + Advanced Use-Cases

43. Prerequisites
An Office 365 subscription that includes Azure AIP (EMS E3 at least)
A subscription for Azure, so you can access the Azure portal
Global administrator account to sign in to the Office 365 admin center or the Azure
A computer running Windows (minimum of Windows 7 with Service Pack 1),
and which has installed either Office Professional Plus 2016, Office Professional
Plus 2013 with Service Pack 1, or Office Professional Plus 2010.

44. Implementation Best Practices
Step 1 – Map requirements:
Figure out customer’s existing classification methodology and guidelines
Most companies already have a data classification policy (see example)
Map requirements for enforcement points (where and when)
For data-at-rest, data-in-use, data-in-motion
Figure out security controls per classification level
Visual marking, DLP, and Encryption

45. Implementation Best Practices
Step 2 – Implement manual classification
Configure labels and visual marking. Don’t include RMS at this point. Let the end-users get used to the new UI/functionality.

46. Implementation Best Practices
Step 3 – Enable echo-system
DLP
Add rules to on-prem DLP and s GW
Add rules to Office365 DLP
Add rules to MCAS
ECM
Configure SharePoint to show sensitivity tags

47. Implementation Best Practices
Step 4 – Add automation based on content inspection
Add content inspection rules to drive recommendations and automation

48. Implementation Best Practices
Step 5 – Add and enable RMS Protection
Build relevant RMS templates and add to AIP policy
Recommendation : Start with 1-3 templates [Company internal, Company FTE, Executives].

49. Implementation Best Practices
Step 6 – Integrate with SIEM
Pull usage data to SIEM to enable visibility to classified data usage, classification actions, and justifications.

50. Implementation Best Practices
Step 7 – Use API/SDK to extend auto-classificaion and protection to other components
3rd party scanners
Non office home grown applications
Unsupported O/S (UNIX, …)
More …

51. Cryptographic and Detailed Protection Flow

52. Cryptographic controls used by Azure RMS: Algorithms and key lengths

53. Step 1 : Initialing the User Environment

54. Step 2 : Initialing the User Environment

55. Step 1 : Content Protection

56. Step 2 : Content Protection

57. Step 3 : Content Protection

58. Step 1 : Content Consumption

59. Step 2 : Content Consumption

60. Step 3 : Content Consumption

61. Variations :
Mobile devices – No registration process – get publication license and consumption license over TLS
RMS Connector – Same flow but RMS connector acts as a relay between the on-prem services (e.g. Exchange, SharePoint) and Azure RMS.
Generic protection (.pfile) – Same flow but client creates a policy that grants all rights. On consumption file is decrypted before it is passed to the native app.

62. RMS Analyzer
Local admin
MSIPC folder
Debug View (PGC View)

63. Resources Follow @ https://twitter.com/TheRMSGuy
10/3/2017 9:44 AM
Resources
Technical
For questions
IT Pro
Product
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

64. 10/3/2017 9:44 AM
© 2016 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.