Presentation is loading. Please wait.

Presentation is loading. Please wait.

Azure Information Protection

Published byGervase Hall Modified over 7 years ago

Similar presentations

Presentation on theme: "Azure Information Protection"— Presentation transcript:

1 Azure Information Protection
Dan Plastina Director Information and Threat Protection @TheRMSguy

2 Challenges with the complex environment
Lost device Users Data leaks Data Business partners Apps Compromised identity Customers You have these entities – users, devices, apps and data Data is being shared with employees, customers and business partners You have to manage the complexity of protecting your users’ identities, and data stored on their devices and apps You need to prepare to mitigate the risks of providing freedom and space to your employees. You need to meet compliance and regulatory standards, maintain company security policies and requirements, and detect threats — all the while giving workers a better and more productive experience The cloud is here to stay The ‘cloud accepting’ population is growing… VERY rapidly Your managers (CxO) are changing their minds… or soon will… or are being replaced Microsoft is meeting organizations ‘in the middle’: abilities like lockbox, ‘going local’, etc. Your competition will use the cloud to their advantage You can’t compete with cloud vendors on substrate services (time, cost, innovation) You can’t lay the substrate and do value-add at the same rate as your cloud peers There will be breaches… both in the cloud and on-premises Cloud vendors, with billions invested and far better ‘signals’, will act/evolve far quicker Devices Employees Stolen credentials

3 The problem is ubiquitous
Intellectual Property theft has increased Organizations no longer confident in their ability to detect and prevent threats 56% rise data theft 88% of organizations are Losing control of data Saving files to non-approved cloud storage apps is common Accidental or malicious breaches due to lack of internal controls We heard from you… and you are not alone 80% of employees admit to use non-approved SaaS app 91% of breaches could have been avoided

4 How much control do you have?
Unregulated, unknown How much control do you have? Hybrid data = new normal It is harder to protect Managed mobile environment Identity, device management protection On-premises You had control over your data when it resided within your boundaries Now that boundary has expanded with managed devices and cloud assets. MDM solutions help but not when data moves outside of your controlled environment Once shared outside your environment, you lose control over your data. Perimeter protection

5 The evolution of Azure RMS
LABELING CLASSIFICATION Classification & labeling ENCRYPTION Protect ACCESS CONTROL POLICY ENFORCEMENT DOCUMENT TRACKING DOCUMENT REVOCATION Monitor & respond 1.For years, RMS helped businesses provide persistent protection over their data through encryption, access control and policy enforcement 2.We added tracking and revocation capabilities for greater control over shared data 3. Now we also have classification and labeling capabilities so that you can identify what data needs protection and protect only the data that needs protection

6 Classification & labeling
Azure Information Protection Full Data Lifecycle CLASSIFICATION LABELING ENCRYPTION ACCESS CONTROL POLICY ENFORCEMENT DOCUMENT TRACKING DOCUMENT REVOCATION 1.For years, RMS helped businesses provide persistent protection over their data through encryption, access control and policy enforcement 2.We added tracking and revocation capabilities for greater control over shared data 3. Now we also have classification and labeling capabilities so that you can identify what data needs protection and protect only the data that needs protection Classification & labeling Protect Monitor & respond

7 Classify Data – Begin the Journey
Classify data based on sensitivity Start with the data that is most sensitive IT can set automatic rules; users can complement it Associate actions such as visual markings and protection IT admin sets policies, templates, and rules Data is born protected, Using companies’ criteria Enforced by IT Enforced on any device <keep personal data.... Personal> SECRET CONFIDENTIAL PERSONAL INTERNAL NOT RESTRICTED

8 Automatic classification - example

9 Recommended classification - example

10 Reclassification and justification - example

11 User-driven classification - example

12 How Classification Works
10/3/2017 How Classification Works Reclassification You can override a classification and optionally be required to provide a justification User set Users can choose to apply a sensitivity label to the or file they are working on with a single click Automatic Policies can be set by IT Admins for automatically applying classification and protection to data Recommended Based on the content you’re working on, you can be prompted with suggested classification Best case – IT sets up policy But IT can’t catch all so... Recommendations is the next best Flexibility for users to reclassify because policies won’t get it right all the time. But everything is logged so IT can audit in case of violation Users also have the option to label if they deem necessary, even when not automatically classified © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

13 Apply labels based on classification
Persistent labels that travel with the document Labels are metadata written to documents Labels are in clear text so that other systems such as a DLP engine can read it and a hash of policies, rules, and user information FINANCE Labels stay with the data to enforce the policies and classification CONFIDENTIAL

14 Protect data against unauthorized use
Corporate apps VIEW EDIT COPY PASTE attachment FILE Personal apps Protect data needing protection by: Encrypting data Including authentication requirement and a definition of use rights (permissions) to the data Providing protection that is persistent and travels with the data Extra protection is available for sensitive data Not just encryption, but rights of who can access it and what they can do with the data

15 10/3/2017 How Protection Works Usage rights and symmetric key stored in file as “license” License protected by customer-owned RSA key Use rights + Water Sugar Brown #16 Water Sugar Brown #16 ()&(*7812(*: PROTECT UNPROTECT Each file is protected by a unique AES symmetric Secret cola formula © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

16 Rights Management Active Directory Key Vault
10/3/2017 How Protection Works LOCAL PROCESSING ON PCS/DEVICES Use rights + Azure RMS never sees the file content, only the license SDK ()&(*7812(*: Use rights + Rights Management Active Directory Key Vault File content is never sent to the RMS server/service Apps protected with RMS enforce rights Apps use the SDK to communicate with the RMS service/servers © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

17 Recommend Topology optional Azure AD Azure Rights Management Azure Key Management Data protection for organizations at different stages of cloud adoption Ensures security because sensitive data is never sent to the RMS server Integration with on-premises assets with minimal effort Authentication & collaboration BYO Key Authorization requests go to a federation service RMS connector AAD Connect ADFS

18 Regulated Topology optional Azure AD Azure Rights Management Azure Key Management Data protection for organizations at different stages of cloud adoption Ensures security because sensitive data is never sent to the RMS server Integration with on-premises assets with minimal effort Hold Your Own Key with on-premises key retention Authentication & collaboration BYO Key Rights Management No DMZ Exposure Key Management Authorization requests go to a federation service RMS connector AAD Connect ADFS

19 Road to sharing data safely with anyone
Share internally, with business partners, and customers Internal user ******* Let Bob view and print Let Jane edit and print Bob Jane Sue File share SharePoint LoB Any device/ any platform - External user ******* Roadmap

20 Azure Active Directory
10/3/2017 9:22 PM How Sharing Works Using Azure AD for authentication On-premises organizations doing full sync Azure Active Directory On-premises organizations doing partial sync Organizations completely in cloud Organizations created through ad-hoc signup ADFS …and all of these organizations can interact with each other. © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

21 Monitor and Respond Monitor use, control and block abuse MAP VIEW
Sue Bob Jane Sue Joe blocked in North America Jane accessed from India Bob accessed from South America MAP VIEW Jane blocked in Africa Jane Competitors Jane access is revoked

22 Industry Validated Approach
10/3/2017 9:22 PM Industry Validated Approach Must Read How to select the right EDRM solution 21 December 2015 G The role of EDRM in data-centric security June 2015 The role of EDRM in data-centric security June 2015 G G © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

23 PRELIMINARY SECTION Roadmap
Secure to Anyone Futures Native Office Client Futures Azure Information Protection Futures

24 Secure Email to Anyone*, on Any* Client
Clients Windows Mac iPhone/iPad Android Win Phone Web Applications Outlook Word Excel PowerPoint PDF (SPO) PPDF (Foxit) Identities Azure AD Federation Social Ids OneTimePW Service Office 365 Exchange Focus was on client and apps… but we fell short on who could consume content

25 Secure Email to Anyone, on Any Client
Identities Azure AD Federation MSA Gmail Facebook OneTimePW Service Office 365 with OMEv2 Outlook.com Exchange Clients Windows Mac iPhone/iPad Android Win Phone Web Applications Outlook Word Excel PowerPoint PPDF (Foxit) PDF (SPO) Learning: Lead with recipients + leverage Office Message Encryption (done right)

26 Secure Email to Anyone, on Any Client
Promises sought by our customers: Outlook is premiere client, always offering a premiere experience Any Client can consume content Office 365 acting as an ‘intelligent router’ to transmogrify formats ‘View online’ = OMEv2 with NN day Office 365 -side caching Any Recipient can consume content (via ‘view online’ experience) Office 365 users can log in with Azure AD or Federation identities Built-in federation with callouts to main providers: Gmail, MSA,… One Time Passwords as ‘catch all’ experience More Social Identity providers will be added

27 Secure Email to Anyone, on Any Client
Only / with Word, Excel, and PowerPoint attachments Preview in Q4CY16; General Availability in early CY17 Initially Anyone is Azure AD, Federated, Microsoft Account, or Gmail Failing to have one of those identities, a One Time Password is used Other providers will be added in time: LinkedIn, Facebook, Yahoo, etc. Office Outlook is our enlightened client of choice Failing to have Outlook, Office 365 ‘view online’ sandboxed experience Prerequisites Office 365 Exchange Services (SKU tiered into Office E3/E5) Office Pro Plus client for publishing (consumption/reply remains free)

28 Sophia receives protected email on her Gmaill account
Google ID Use Case Sophia receives protected on her Gmaill account

29 We recognize Sophia has a Google ID. Ask her to sign in

30 Simple Consent dialog

31 And voila!

32 The same Gmail account on Outlook mobile

33 Opening emails with Microsoft Account just works! (No Consent)
OWA Use Case Opening s with Microsoft Account just works! (No Consent)

34 And then we have One Time passcode!
OTP Use Case And then we have One Time passcode!

35 And then we have One Time passcode!

36 The email opens after putting in One Time Passcode

37 Office Client Futures Protection on All Clients
Consumption on all clients in place now: Windows, Mobile, Mac, and Web. Publishing on Windows, Mac in place; Mobile coming in H1CY17. Dates for Outlook’s move to native RMS SDK remains undisclosed. Office for Windows vNext will have native experiences. Dates undislclosed. Document Tracking, Revocation, and Classification following same pattern as protection Windows first, Mac Next, Mobile as demand is heard. Prerequisites Office Pro Plus using new evergreen ‘Click to Run’ deployment model

38 Azure Info Protection Enhancements
A Continuous post-GA wave of incremental updates… Policy Scopes, CLP for non-office formats, enhanced DLP, Logs/Reporting Deep Dives: Hold Your Own Key (HYOK) Office 365 Exchange with Bring Your Own Key (BYOK) Mobile Client Enhancements (and client unification) Service – both AIP and RMS – enhancements CLP SDK and better-together use cases Extra protection is available for sensitive data Not just encryption, but rights of who can access it and what they can do with the data

39 Hold Your Own Key (HYOK)
In preview now; General Availability in Q4 CY16 Not for everyone; most don’t need this(!). See blog posts. If used, very sparing use is strongly encouraged HYOK servers should not be in your DMZ (defeats the purpose) Limit use to highly managed PCs only; no Mac/Mobile given no DMZ Secret B2B done via guest accounts in an AD domain you control Consider a sovereign partner/hoster if regulated (e.g.: Swisscom) For Germany, Office 365 ‘Black Forest’ will be a viable AIP-based alternative Prerequisites Azure Information Protection P2 or EMS E5

40 Office 365 Exchange with BYOK
Exchange will make use of Azure RMS (vs running a private copy) RMS Service will rely on Azure Key Vault (vs private HSMs) Resultant behaviors: Customer BYOK use case is now enabled Exchange online ignores HYOK content (as requested) RMS consumption logging now in one place, the RMS logs RMS SDK v2 fixes some ‘paper cuts’; permits quick fix of those remaining Prerequisites Azure Key Vault // Already in market Azure Information Protection // Already supported. GA in Sept CY16 Office 365 Exchange E3+ // Internal now; GA in Q4CY16 to Q1CY17

41 Mobile Client Enhancements/Unification
Client de-duplication; The RMS Sharing app replaced by AIP app PP in OCT, GA in Q4 – Simpler user model + model favoring IT-guidance Clients support RPMSG and PDF (PPDF, SharePoint PDF, Redacted) Mobile in OCT, Windows in Q4 – Viewers are free on all platforms Key policy enhancements underway: etc. (TBD) Clients migration: DNS-redirection for existing AD RMS users Enables config outside of GPO. GA in Q4 (Office 2016; no 2013 planned) Clients migration: Licensing-only AD RMS for existing AD RMS users Smooths transition to AIP/Azure RMS. GA in Q4

42 AIP ‘CLP’ SDK and better-together use cases
RMS SDK grows to be AIP SDK for Classification, Labeling, Protection Better-together use cases: Label persistence format being standardized across the industry Office 365 DLP (EXO, SPO, …) and Cloud App Security will honor our labels Office native client and service awareness of labels All leading DLP vendors working with us on RMS, then ask is for labeling Your line of business (LOB) applications can also leverage this SDK ASK: Have your key app vendors contact us for RMS/AIP integration Prerequisites Use current SDK now Pick up Azure Information Protection SDK when ready H1CY17 Extra protection is available for sensitive data Not just encryption, but rights of who can access it and what they can do with the data

43 END OF SECTION Roadmap Secure Email to Anyone Futures
Native Office Client Futures Azure Information Protection Futures

44 WHY AZURE INFORMATION PROTECTION?
Persistent protection Safe sharing Intuitive experience Greater control

45 5 Steps Program 1. Classify 2. Label 3. Protect 4. Monitor 5. Respond
Best Practice - Start small, do it now, and move quickly 1. Classify Take simple steps that generate value, quickly e.g.: ‘Do Not Forward’ for HR and Legal 2. Label Test, phase the roll out, and learn – IT can’t know it all 3. Protect Control sensitive internal flow across all PCs/Devices 4. Monitor ‘Share Protected’ files with business partners (B2B) 5. Respond Teach and enable users to revoke access

46 Enterprise Mobility +Security
A HOLISTIC SOLUTION Enterprise Mobility +Security Extend enterprise-grade security to your cloud and SaaS apps Microsoft Cloud App Security Microsoft Intune Azure Active Directory Premium Manage identity with hybrid integration to protect application access from identity attacks Azure Information Protection Protect your data, everywhere Protect your users, devices, and apps Microsoft’s enterprise & security solutions provide a holistic framework to protect your corporate assets across, on prem, cloud and mobile devices Advanced Threat Analytics helps IT detect threats early and provide forensic investigation to keep cybercriminals out Azure Active Directory Premium security reports help identify risky log ins. That paired with Azure Active Directory Identity Protection gives IT the ability to automatically block access to apps based on real time risk scoring of identities and log ins. Microsoft Cloud App Security provides deep visibility and control of data inside cloud applications Microsoft Intune manages and secures corporate data on mobile devices and collaborated within corporate apps. Azure Information Protection helps keep data secure and encrypted throughout a customers environment and extends security when data is shared outside the organization. Detect threats early with visibility and threat analytics Microsoft Advanced Threat Analytics

47 EMS: Enterprise Mobility and Security
Identity and access management Managed mobile productivity Information protection Identity-driven security Azure Active Directory Premium P2 Identity and access management with advanced protection for users and privileged identities (includes all capabilities in P1) Azure Information Protection Premium P2 Intelligent classification and protection for files and s shared inside and outside your organization (includes all capabilities in P1) Microsoft Cloud App Security Enterprise-grade visibility, control, and protection for your cloud applications EMS E5 Azure Active Directory Premium P1 Secure single sign-on to cloud and on-premises apps MFA, conditional access, and advanced security reporting Microsoft Intune Mobile device and app management to protect corporate apps and data on any device Azure Information Protection Premium P1 Manual classification and protection for files and s shared inside and outside your organization Cloud-based file tracking Microsoft Advanced Threat Analytics Protection from advanced targeted attacks leveraging user and entity behavioral analytics EMS E3

48 Resources Follow @ https://twitter.com/TheRMSGuy
10/3/2017 9:22 PM Resources Technical For questions IT Pro Product © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

49 10/3/2017 9:22 PM © 2016 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Download ppt "Azure Information Protection"

Similar presentations

Key learnings from our customers Data privacy is important and is often mandated Regulatory requirements are on the rise IT must ‘reason over data’

Key learnings from our customers Data privacy is important and is often mandated Regulatory requirements are on the rise IT must ‘reason over data’
Empower Enterprise Mobility Jasbir Gill Azure Mobility.

Empower Enterprise Mobility Jasbir Gill Azure Mobility.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
FND2851. Mobile First | Cloud First Sixty-one percent of workers mix personal and work tasks on their devices* >Seventy-five percent of network intrusions.

FND2851. Mobile First | Cloud First Sixty-one percent of workers mix personal and work tasks on their devices* >Seventy-five percent of network intrusions.
Adam Hall twitter.com/Adman_NZ aka.ms/askipteam. Agenda Your Challenges Observed Industry Trends Our Views and Approach Recommended Next Steps Architecture.

Adam Hall twitter.com/Adman_NZ aka.ms/askipteam. Agenda Your Challenges Observed Industry Trends Our Views and Approach Recommended Next Steps Architecture.
The Secure Productive Enterprise Azure Information Protection Training

The Secure Productive Enterprise Azure Information Protection Training
Microsoft Virtual Academy

Microsoft Virtual Academy
ActiveSync & DLP management in Exchange Online

ActiveSync & DLP management in Exchange Online
Secure your complete data lifecycle using Azure Information Protection

Secure your complete data lifecycle using Azure Information Protection
The time to address enterprise mobility is now

The time to address enterprise mobility is now
Deployment Planning Services

Deployment Planning Services
Azure Information Protection

Azure Information Protection
Azure Information Protection

Azure Information Protection
Microsoft Virtual Academy

Microsoft Virtual Academy
Deployment Planning Services

Deployment Planning Services
Office 365 is cloud-based productivity, hosted by Microsoft.

Office 365 is cloud-based productivity, hosted by Microsoft.
Azure Rights Management

Azure Rights Management
9/12/2018 6:21 PM BRK2203 Protect and control your sensitive emails with new Office 365 Message Encryption capabilities Praveen Vijayaraghavan Principal.

9/12/2018 6:21 PM BRK2203 Protect and control your sensitive s with new Office 365 Message Encryption capabilities Praveen Vijayaraghavan Principal.
Identity & Access Management for a cloud-first, mobile-first world

Identity & Access Management for a cloud-first, mobile-first world
Deployment Planning Services

Deployment Planning Services

Similar presentations

Ads by Google