About Your Speaker: Morgan Simonsen
• Cloud Evangelist @ Lumagate
• P-TSP @ Microsoft
• MCSE, MCSA, MCT
• MVP
• Twitter: @msimonsen
• Email: [email protected]
• Blog: morgansimonsen.com
Agenda
• Threat Landscape 2017
• Azure RMS 101
• Introducing Azure Information Protection
• Data Classification and Labelling
• Tracking and Revocation
• Deployment
Audience Participation
1. How many are using Azure RMS today?
2. How many are using Azure IP today?
3. (How many are using AD DS Rights Management?)
Enterprise Mobility + Security: The Microsoft vision
Identity Driven Security, Managed Mobile Productivity, Comprehensive Solution
Users, Devices, Apps, Data
• Azure Information Protection: protect your data, everywhere
• Microsoft Cloud App Security: extend enterprise-grade security to your cloud and SaaS apps
• Azure Active Directory: manage identity with hybrid integration to protect application access from identity attacks
• Advanced Threat Analytics: detect threats early with visibility and threat analytics
• Intune: protect your users, devices, and apps
Enterprise Mobility + Security: The Microsoft solution
• Privileged Identity Management
• Identity Protection
• Conditional Access: enforce MFA, allow, or block
• Windows 10: Azure AD Join, Health Attestation, Windows Hello, BitLocker
Challenges with the complex environment
• Users: employees, business partners, customers
• Apps, devices, data
• Data leaks, lost device, compromised identity, stolen credentials
It’s 11PM, do you know where your data is?
The problem is ubiquitous
• Intellectual property theft has increased
• 56% rise in data theft
• Accidental or malicious breaches due to lack of internal controls
• 88% of organizations are losing control of data
• 80% of employees admit to using non-approved SaaS apps
• 91% of breaches could have been avoided
• Organizations are no longer confident in their ability to detect and prevent threats
• Saving files to non-approved cloud storage apps is common
CISO’s Information Protection Challenges
“Our primary challenge with information protection: we don’t know what information we have, where it’s stored and how it’s used”
“We want to migrate our data to SPO – but don’t know how to identify first our high-value-information-records, and how to treat it”
“We use 900 cloud services. We can’t identify what information is stored on these services and what should be protected”
“Our confidential data has customer records and users store it in the cloud. We want to know this data and protect it!”
How much control do you have?
• On-premises: perimeter protection
• Managed mobile environment: identity and device management protection
• Unregulated, unknown
Hybrid data = new normal. It is harder to protect.
Why Rights Management?
• Protection that travels with the data
• Azure RMS is a complete end-to-end information protection solution for documents, email, and any unstructured data that is sensitive for your organization
• Highly integrated into Office, O365, Windows Server, and 3rd-party applications for broad reach and a consistent user experience
• Built on modern encryption and authentication standards (PKI, AES, OAuth, …)
How Protection Works
• Each file is protected by a unique AES symmetric key
• Usage rights and the symmetric key are stored in the file as a “license”
• The license is protected by a customer-owned RSA key
• Azure RMS never sees the file content, only the license
• Example: the secret cola formula (Water, Sugar, Brown #16) is PROTECTED together with its use rights, and an authorized user later UNPROTECTS it
• Apps protected with RMS enforce the rights
• Apps use the SDK to communicate with the RMS service/servers
• File content is never sent to the RMS server/service
• Local processing on PCs/devices
Road to sharing data safely with anyone
• Share internally, with business partners, and customers
• Let Bob view and print; let Jane edit and print
• Bob: internal user; Jane: external user; Sue: roadmap
• File share, SharePoint, email, LoB
• Any device / any platform
How Sharing Works
• Azure Active Directory is used for authentication
• On-premises organizations doing full sync
• On-premises organizations doing partial sync
• Organizations completely in the cloud
• Organizations created through ad-hoc signup
• ADFS
…and all of these organizations can interact with each other.
The evolution of Azure RMS
• Protect: encryption, access control, policy enforcement
• Classification & labeling: classification, labeling
• Monitor & respond: document tracking, document revocation
Data Lifecycle Classification and Protection: Classify, Label, Protect, Orchestrate
• Classify: at data creation; manual classification; automatic classification as much as possible
• Label: persistent tag; user awareness through visual labels; industry standard, enables wide ecosystem
• Protect: encryption with Azure RMS; DLP & compliance actions; audit trails to track data
Classify Data – Begin the Journey
• Classification levels: Secret, Confidential, Internal, Not Restricted, Personal
• IT admin sets policies, templates, and rules
• Classify data based on sensitivity: start with the data that is most sensitive; IT can set automatic rules, and users can complement them; associate actions such as visual markings and protection
• Apply labels based on classification (for example FINANCE, CONFIDENTIAL)
• Persistent labels that travel with the document
• Labels are metadata written to documents
• Labels are in clear text so that other systems, such as a DLP engine, can read them
How Classification Works
• Automatic: policies can be set by IT admins for automatically applying classification and protection to data
• Recommended: based on the content you’re working on, you can be prompted with a suggested classification
• User set: users can choose to apply a sensitivity label to the email or file they are working on with a single click
• Reclassification: you can override a classification and optionally be required to provide a justification
Azure IP Header, Footer, or Watermark variables
• Example: If you specify the string Document: ${item.name} Classification: ${item.label} for the Secret label footer, the footer text applied to a document named project.docx will be Document: project.docx Classification: Secret
• ${Item.Label}: selected label. Example: Internal
• ${Item.Name}: file name or email subject. Example: JulySales.docx
• ${Item.Location}: path and file name for documents, and the email subject for emails. Example: \\Sales\2016\Q3\JulyReport.docx
• ${User.Name}: owner of the document or email (Windows SAMAccountName). Example: rsimone
• ${User.PrincipalName}: owner of the document or email (Azure Information Protection client signed-in email address (UPN))
• ${Event.DateTime}: date and time when the selected label was set. Example: 8/16/2016 1:30 PM
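Expanding the marking variables above, as an added example that is not part of the presentation: names are matched case-insensitively, since the slide's own example writes ${item.name} while the table lists ${Item.Name}, and an unrecognised variable is left in place so a misspelt template is visible in the rendered marking. The applyMarking function and the sample values are constructed for this illustration; the UPN value is a placeholder because the slide gives none.

```javascript
// Expand ${Variable} markers in a header/footer/watermark string.
// Names are matched case-insensitively; a marker with no known value is
// left untouched so a misspelt variable shows up in the rendered marking.
function applyMarking(template, values) {
  const lookup = new Map(Object.entries(values).map(([name, value]) => [name.toLowerCase(), value]));
  return template.replace(/\$\{([A-Za-z.]+)\}/g, (marker, name) => {
    const key = name.toLowerCase();
    return lookup.has(key) ? lookup.get(key) : marker;
  });
}

// Constructed values for the slide's project.docx example (the UPN is a placeholder).
const markingValues = {
  "Item.Label": "Secret",
  "Item.Name": "project.docx",
  "Item.Location": "\\\\Sales\\2016\\Q3\\project.docx",
  "User.Name": "rsimone",
  "User.PrincipalName": "upn.placeholder@example.invalid",
  "Event.DateTime": "8/16/2016 1:30 PM",
};

// Footer text for the Secret label, using the template from the slide.
function secretFooter() {
  return applyMarking("Document: ${item.name} Classification: ${item.label}", markingValues);
}

console.log(secretFooter());
```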
Protect data against unauthorized use
• Use rights (view, edit, copy, paste) apply to the file and to email attachments
• Protect data needing protection by: encrypting data; including an authentication requirement and a definition of use rights (permissions) to the data; providing protection that is persistent and travels with the data
• Personal apps vs. corporate apps
Key Management
• Who generates the key? Microsoft or the customer
• Where is the key stored? Azure RMS, Azure Key Vault (software), Azure Key Vault (HSM), or a customer HSM
• BYOK (Azure RMS): the customer generates the key and exports/imports it into an Azure Key Vault HSM
• HYOK (AD RMS): AD RMS uses the on-premises HSM for keys
HYOK: Overview
• Azure Information Protection labels can apply protection with Azure Rights Management (Azure key management, BYOK) or with HYOK (customer key management)
• Label A, Apply Protection: AzRMS: data that can be stored anywhere, travel, be collaborated on, and be protected by a cloud service
• Label B, Apply Protection: ADRMS: toxic data that must reside on-premises and be protected by customer-held keys
Licensing
• Azure Active Directory Premium P2 required
• Enterprise Mobility + Security E5
Plan features
• Enterprise Mobility + Security E3: Azure Information Protection Premium P1; encryption for all files and storage locations; cloud-based file tracking
• Enterprise Mobility + Security E5: Azure Information Protection Premium P2; intelligent classification and encryption for files shared inside and outside of your organization; includes all P1 capabilities