Azure Information Protection
Customized by [email protected]
Enterprise Mobility + Security: identity-driven security

Azure Active Directory Premium: manage identity with hybrid integration to protect application access from identity attacks.
Microsoft Cloud App Security: extend enterprise-grade security to your cloud and SaaS apps.
Microsoft Advanced Threat Analytics: detect threats early with visibility and threat analytics.
Microsoft Intune: protect your users, devices, and apps.
Azure Information Protection: protect your data, everywhere.
Enterprise Mobility & Security capabilities (EMS E3 and EMS E5; E5 includes everything in E3)

Managed mobile productivity
  EMS E3: Microsoft Intune. Mobile device and app management to protect corporate apps and data on any device.

Identity-driven security
  EMS E3: Microsoft Advanced Threat Analytics. Identify suspicious activities and advanced attacks on premises.
  EMS E5: Microsoft Cloud App Security. Bring enterprise-grade visibility, control, and protection to your cloud applications.

Identity and access management
  EMS E3: Azure Active Directory Premium P1. Single sign-on to cloud and on-premises applications. Basic conditional access security.
  EMS E5: Azure Active Directory Premium P2. Advanced risk-based identity protection with alerts, analysis, and remediation.

Information protection
  EMS E3: Azure Information Protection Premium P1. Encryption for all files and storage locations. Cloud-based file tracking (the existing Azure RMS capabilities).
  EMS E5: Azure Information Protection Premium P2. Intelligent classification and encryption for files shared inside and outside your organization (from the Secure Islands acquisition).
Talk from the Technical Summit 2016: https://channel9.msdn.com/events/microsoft-techncial-summit/Technical-Summit-2015-The-Next-Level/Bring-your-own-key-fuer-Azure-RMS-und-Azure-Key-Vault

Recap: Azure RMS and Azure Key Vault

Azure RMS
Protection is bound to the file, not to the storage location or the medium. Access rules are mandatory and persistent. The data is protected at rest, in transit, and in use.
In access management terminology, RMS is a form of non-discretionary access control: the owner of a copy cannot loosen the policy, because the rights are enforced by the RMS service and travel with the document.
Recap: Azure RMS and Azure Key Vault

Azure RMS - BYOK
Bring Your Own Key (BYOK) now uses Azure Key Vault.
• Azure Key Vault is not part of the Azure Information Protection license.
• Azure Key Vault Premium is required for HSM-protected keys (€0.8433 per key per month + €0.0253 per 10,000 operations, list prices at the time of the talk).
Update: Azure RMS and Azure Key Vault

Azure RMS - BYOK
• Segregation of duties with Azure Key Vault: the people who administer the vault resource, the people who import and rotate keys, and the Azure RMS service itself each get a different, minimal set of permissions.
• Integration with Azure RBAC: management-plane rights on the vault are assigned through Azure RBAC, while key operations are granted separately in the vault's access policy.

Azure Key Vault: integration with Azure RBAC (example)

Azure Key Vault: AAD groups for segregation of duties (the roles above are assigned to Azure AD groups rather than to individual accounts)
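The BYOK setup described above, with the duties split across Azure AD groups and Azure RBAC, as an added example that is not part of the original deck. It assumes the 2016-era AzureRM and AADRM PowerShell modules, a .byok file that has already been produced offline with the HSM vendor's BYOK toolset, and placeholder names for the resource group, vault, and Azure AD groups; the Azure Rights Management application ID is the fixed, well-known value.

```powershell
# Added example (not from the deck): Azure RMS BYOK with Azure Key Vault Premium and
# segregation of duties. Assumes AzureRM + AADRM modules (2016 era), an existing
# .byok file from the HSM toolset, and placeholder resource/group names.

$rg      = 'rg-aip-byok'            # placeholder
$vault   = 'kv-aip-byok'            # placeholder, vault names are globally unique
$region  = 'westeurope'
$keyName = 'aip-tenant-key'
$byok    = '.\aip-tenant-key.byok'  # placeholder: produced offline by the BYOK toolset

# Well-known application ID of the Azure Rights Management service principal
$rmsAppId = '00000012-0000-0000-c000-000000000000'

Login-AzureRmAccount | Out-Null

# 1. Premium SKU: required for HSM-protected keys (priced separately from the AIP license)
New-AzureRmKeyVault -VaultName $vault -ResourceGroupName $rg -Location $region -Sku premium | Out-Null
$kv = Get-AzureRmKeyVault -VaultName $vault -ResourceGroupName $rg

# 2. One Azure AD group per duty (placeholder group names)
$vaultOwners   = Get-AzureRmADGroup -SearchString 'SG-KeyVault-Owners'      # manage the vault resource
$keyCustodians = Get-AzureRmADGroup -SearchString 'SG-KeyVault-Custodians'  # import and rotate keys
$auditors      = Get-AzureRmADGroup -SearchString 'SG-KeyVault-Auditors'    # read-only view of the resource

# Management plane (Azure RBAC), scoped to the single vault resource.
# Contributor here can change the vault but grants no key operations at all.
New-AzureRmRoleAssignment -ObjectId $vaultOwners.Id -RoleDefinitionName 'Contributor' -Scope $kv.ResourceId | Out-Null
New-AzureRmRoleAssignment -ObjectId $auditors.Id    -RoleDefinitionName 'Reader'      -Scope $kv.ResourceId | Out-Null

# Data plane (vault access policy): custodians manage keys but get no crypto operations,
# so they cannot use the tenant key to decrypt protected content.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault -ObjectId $keyCustodians.Id `
    -PermissionsToKeys create,import,get,list,update,backup,restore,delete

# Azure RMS gets exactly the operations it needs, and none of the management ones
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault -ServicePrincipalName $rmsAppId `
    -PermissionsToKeys decrypt,encrypt,unwrapkey,wrapkey,verify,sign,get

# The account that created the vault received a full access policy by default; remove it
Remove-AzureRmKeyVaultAccessPolicy -VaultName $vault -UserPrincipalName (Get-AzureRmContext).Account.Id

# Check: every principal and the key permissions it holds
(Get-AzureRmKeyVault -VaultName $vault).AccessPolicies | Format-Table ObjectId, PermissionsToKeys

# 3. A key custodian imports the HSM-protected key; Destination HSM keeps it inside the HSM
$key = Add-AzureKeyVaultKey -VaultName $vault -Name $keyName -KeyFilePath $byok -Destination HSM

# 4. The RMS administrator (a separate duty) points the tenant at the Key Vault key.
#    $key.Id is the versioned key URL, which is what Azure RMS records.
Connect-AadrmService
Use-AadrmKeyVaultKey -KeyVaultKeyUrl $key.Id
Get-AadrmKeys
```

Two points worth checking in practice: the RMS access policy must be in place before Use-AadrmKeyVaultKey, otherwise the service cannot reach the key and protection fails for every user; and because the key can only be deleted by a custodian, not by the RMS service or the vault owners, an accidental deletion of the tenant key is confined to one group, which is the point of the split.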
Standard topology
Protection of data for a hybrid infrastructure; simple integration; Bring Your Own Key option.
Components: AAD Connect, ADFS, RMS connector, BYO key in Azure Key Vault. Authentication and collaboration run through Azure RMS; authorization requests go to a federation service.

Regulated topology
Same building blocks as the standard topology (AAD Connect, ADFS, RMS connector, authorization requests to a federation service, BYO key option), plus Hold Your Own Key (Azure Information Protection P2): the most sensitive content is protected by an on-premises AD RMS cluster whose keys never leave the organization, with no DMZ exposure of that cluster.
A pragmatic mindset for modern IT in the context of mobility and cloud

Risk-based approach
Assume Breach does not mean "Assume Failure"!

Assume Breach
• Prevention: firewalls, network segmentation, IDP, segregation of duties, etc.
• Mitigation / risk reduction: risk management, systems hardening, patch management, system and data classification, encryption, etc.
• Monitoring / detection: event correlation, SIEM, anomaly detection, etc.
• Recovery / remediation: BCP/DRP, contingency planning, backup & restore, etc.
• Continuous improvement

Assume Breach: where the data lives
• On-premises: data inside the perimeter
• Managed mobile systems: managed identities and managed devices
• External collaboration: hybrid data
• Information protection has to cover all three
Problems with protection

Azure Information Protection covers the full data lifecycle:
• Classification & labeling: labeling, classification
• Data protection: encryption, access control, policy enforcement
• Monitoring & response: document tracking, document revocation
[Screenshot: demo document "Contoso, Page 1, CONFIDENTIAL", a due diligence documentation checklist (business plan, corporate structure, financing, shareholders, lenders, regulations, marketing, products, sales, service) with Task, Owner and Status columns]
Policy settings

Label settings

Label settings: protection
• Configured Azure RMS templates
• "Remove Protection"
• The classification is retained even when protection cannot be applied.
• Do Not Forward (email only)
• AD RMS templates (AIP P2, HYOK)
• Azure Information Protection has no connection to AD RMS: a HYOK label only carries the AD RMS template and licensing information, and the Azure service never sees the on-premises keys or content.
Label settings: conditions
• Conditions for automatic rules can be attached to a label
• AIP P2 functionality
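The "configured Azure RMS templates" a label's protection setting refers to are created and published outside the label editor. The following is an added example, not part of the original deck, of defining such a template with the AADRM module; the tenant domain contoso.com, the template names, and the seven-day offline license validity are placeholders. Rights are keyed by Windows locale ID (1033 = en-US, 1031 = de-DE), which is the form Add-AadrmTemplate expects.

```powershell
# Added example (not from the deck): create the Azure RMS template behind a
# "Confidential" label. Assumes the AADRM module and placeholder names.

Connect-AadrmService

# Rights for everyone in the tenant domain (placeholder domain). FORWARD and EXTRACT
# are deliberately omitted: the label protects documents and mail alike, unlike the
# "Do Not Forward" option, which only applies to email.
$internal = New-AadrmRightsDefinition -EmailAddress 'contoso.com' `
    -Rights 'VIEW','VIEWRIGHTSDATA','EDIT','DOCEDIT','PRINT','REPLY','REPLYALL','OBJMODEL'

# Display names and descriptions per locale ID
$names = @{}
$names[1033] = 'Confidential - Contoso internal'
$names[1031] = 'Vertraulich - Contoso intern'

$descriptions = @{}
$descriptions[1033] = 'Internal users can view, edit and print, but not forward or extract.'
$descriptions[1031] = 'Interne Benutzer duerfen anzeigen, bearbeiten und drucken, aber nicht weiterleiten oder extrahieren.'

# LicenseValidityDuration: days a use license stays valid offline before the client
# must contact the service again (this is what makes later revocation take effect).
Add-AadrmTemplate -Names $names -Descriptions $descriptions -RightsDefinitions $internal `
    -LicenseValidityDuration 7 -Status Published

# The TemplateId is what the label's protection setting points at
Get-AadrmTemplate | Format-List TemplateId, Status
```

Keep the validity duration short for confidential templates: revoking a document or archiving a template only bites once the cached use licenses on clients have expired.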
Policy and label settings are synchronized automatically when the client starts.

Policy and label settings can optionally be exported manually, for example for:
• offline clients (air-gapped "red" networks, etc.)
• testing policies before deployment
• archiving policies
• reviewing policies
• ...
More information

Enterprise Mobility: http://www.microsoft.com/de-de/server-cloud/products/enterprise-mobility-suite/default.aspx
Azure RMS: http://aka.ms/rmshome and http://aka.ms/ipdeck
Microsoft Intune: http://www.microsoft.com/de-de/server-cloud/products/windows-intune/default.aspx
Cloud App Security: https://www.microsoft.com/en-us/cloud-platform/cloud-app-security
Advanced Threat Analytics: http://www.microsoft.com/ata
Forefront Identity Manager / Microsoft Identity Manager: http://technet.microsoft.com/en-us/library/jj133852(v=ws.10).aspx
The standard FIM connectors are listed at http://technet.microsoft.com/en-us/library/ff608275%28WS.10%29.aspx