Upload
valerie-norman
View
234
Download
0
Tags:
Embed Size (px)
Citation preview
Azure RightsManagement
Dan Plastinahttps://twitter.com/TheRMSGuy https://linkedin.com/in/danpl
What’s driving change?
IT
Employees CustomersBusiness partners
Devices AppsUsers Data
Why do you seek to protect information?
Survey conducted with: 313 organizations 17,000,000 users 54,000 users on average
Reduce leakage of data shared with others (B2B collaboration)Partitioning of sensitive data from unauthorized usersPrevent malicious employees from leaking of secretsMeet compliance requirements
96%
94%89
%87%
Other concerns…
Data privacy is mandated!
My existing DLP protection is too reactive. Can data be ‘born encrypted’?
How do I prepare for a fading perimeter?
Peer-to-peer federation is not practical or scalable. How do we establish ‘trust’?
IT must ‘reason over data’ to stay compliant, yet we need our sensitive data to be encrypted.
We want small steps to protect data now! We’re don’t want to slowly implement the ‘perfect grand solution’.
Secured dataCompany external
Managed devicesCompany internal
Another New Challenge
You have a perimeter
Your perimeterCompany internal
You have managed devices within a broader perimeterYour business requiresyou to share sensitivedata outside of your control for B2B/B2C
Persistent protection Storage independent solution
Permit all companies to authenticate
Authorization policies are enforced
Our promise<you> need to share <file types> between yourself and partners, suppliers, dealers, representatives, etc.
Powerful logging for reporting
End user use/abuse tracking
Ability to remote kill documents
Enable IT to reason over data
Tracking and Compliance
Works across all platforms
Free content consumption
Consistent user experience
Integrated into common apps/services
Ease of Use
Demos
Vision: Azure Rights Management
On any device
Email LOB appsFiles
Share internally Share externally (B2C)Share externally (B2B)
Policy enforcement
Document revocation
Document tracking
Access controlEncryption
Classification and labeling
In any part of the world
• US• EU• APAC
• China
• Germany
Gartner StudyThe Role of EDRM in Data-Centric Security Gartner #G00275948
In this June 2015 report Mario Boer says: • "EDRM is a mature technology for enterprise wide persistent protection of data".
• Enterprise digital rights management has long been in Gartner's famed 'Trough of Disillusionment'.
• He offered other points in the 'Key Finding' section that made us smile. Be sure to look them up!
• "A broader data-centric security strategy requires a combination of EDRM with other technologies such as classification, DLP and data- centric audit and protection.“• He’s right… and Microsoft is active on all of these.
• "Many vendors offer a cloud solution to replace on -premises servers. This means cloud and the DMZ are not that different for EDRM offers. Moreover, the server does not see the body of the document, which makes cloud EDRM deployments interesting for even cloud-reluctant organizations."• We strongly support the view that a cloud EDRM offer makes this much better, even if
in the cloud.
Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose."
Frost and Sullivan study
KuppingerCole study
Architecture
aEZQAR]ibr{qU@M]BXNoHp9nMDAtnBfrfC;jx+Tg@XL2,Jzu()&(*7812(*:
Use Rights +
Rights management 101
Secret cola formula
WaterSugarBrown
#16Protect Unprotect
Usage rights and symmetric key stored in file as ‘license’
Each file is protected by a unique AES symmetric
License protected by customer-owned RSA key
WaterSugarBrown
#16
Local processing on PCs/devices
Rights management 101
Apps protected with RMS enforce rights
SDK
Apps use the SDK to communicate with the RMS service/servers
File content is never sent to the RMS server/service.
aEZQAR]ibr{qU@M]BXNoHp9nMDAtnBfrfC;jx+Tg@XL2,Jzu()&(*7812(*:
Use Rights+
Use Rights+
Azure RMS never sees the file content, only the license.
Authentication & collaboration BYO Key
RMS connector
Authorization requests go to
a federation service
Topology
• Data protection for organizations at different stages of cloud adoption
• Ensures security because sensitive data is never sent to the RMS server
• Integration with on-premises assets with minimal effort
AAD Connect
ADFS
Use Azure AD as the trusted fabricAzure Active Directory
ADFS
On-premises organizations doing full sync
On-premises organizations doing partial sync
Organizations completely in cloud
…and all of these organizations can interact with each other.
Organizations created through adhoc sign up
Minimum sync profile for Azure RMS
Cn (common name) jdoe
displayName John Doe
Mail [email protected]
proxyAddresses SMTP:[email protected]
userPrincipalName [email protected]
accountEnabled True
objectSID (sync ID)01 05 00 05 15 00 00 E2 DB … CF A1 29 71 04 00 00
pwdLastSet 20141013171110.0ZsourceAnchor (for Licensing) NyWoidInKk2S4xtxK+GsbQ==
usageLocation (for Licensing) DE
Only PII data is first name, last name, and email address
Take action now
Every day you share sensitive items with no form of protection.
Act now to protect your information — even if only with small steps.
Defend your information against internal leakages and outside cyber-attacks.
Protect information with identity-based viewing privileges.
• Start with IT-controlled, DLP-performed protection• Users experience RMS protected data but don’t have to initiate the
protection• e.g.: DLP in Exchange Online, in Office apps*, and SharePoint online**• e.g.: FCI protection of data on a file share, MyDocs folder, or Work
Folder.
• Teach the critical few user initiating B2B to ‘share protected’• A small percentage of users do most of the sensitive B2B sharing• e.g: Automotive dealership price lists / sales incentives• e.g: Vendor bid manager• e.g: SAP reporting
• Enable broader RMS where users initiate themselves• Let users opt-in initially. Tracking, remote kill, Do-not-forward are strong
benefits
Examples of step-wise approaches
• Control sensitive email flow, internally, across all devices
• Share an Office file with external users• Board of Directors email communications• Document use tracking, abuse detection, and
revocation• Business-to-Customer secure email (and replies)• Control the download of files stored in
SharePoint• Securing reports generated from SAP• Protecting files on a user’s ‘Documents’ folder,
file share• Share CAD drawings, Redacted PDFs, and
analyst reports.
Top RMS Use Cases
Vision: Azure Rights Management
On any device
Email LOB appsFiles
Share internally Share externally (B2C)Share externally (B2B)
Policy enforcement
Document revocation
Document tracking
Access controlEncryption
Classification and labeling
In any part of the world
• US• EU• APAC
• China
• Germany
Follow @ https://twitter.com/TheRMSGuy
Learn more @ http://www.Microsoft.com/rms
Discover @ http://curah.microsoft.com/56313
For questions email [email protected]
IT Pro blog @ http://blogs.technet.com/b/rms
Get involved @ https://www.yammer.com/AskIPteam
Sign up @ http://portal.aadrm.com
Download @ http://portal.aadrm.com/home/download
Next steps
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
• Azure RMS Quick activation, B2B trust –enabled• RMS App RMS task assistant and viewer on all
platforms• RMS App (Mobile) RMS task assistant and viewer
on all platforms• Doc Tracking Permits viewing file usage /
remote revocation• Templates Global and departmental policies• Onboarding Easier pilots, partial deployments• Migration Toolkit AD RMS to Azure RMS phased
migration• BYOK Bring your own HSM-backed key to
the cloud• Cmdlets Power Shell commands for task
automation• RMS SDK Enable your own applications (LOB)
Resources – RMS
• Apps (Word, etc) Word, Excel, PowerPoint on all platforms.
• Outlook / OWA Outlook on all platforms; Web email• Exchange Mail service with an RMS-aware
pipeline• SharePoint Doc Library• Office DLP Office 365 Data Loss Prevention• OME Office Message Encryption enables
B2C• EDP Windows10 Enterprise Data
Protection w/RMS• File Classification DLP over file servers, My Docs,
& Work Folder• OneDrive Protection of data on OneDrive
Resources – Office and Windows
Resources – Partner ISVs
• Secude Protection of reports leaving SAP
• Secure Island Classification and RMS ‘enhancer’
• Titus Classification and RMS ‘enhancer’ • Watchful Software Classification and RMS
‘enhancer’
• Foxit PDF Reader with built-in RMS• Foxit Redaction Redacted PDF with ‘view all content ’
mode• Gigatrust Adobe Reader PDF extension for RMS