Use AADRM (Right Management Services) with Office 365
Benoit HAMET, Sydney, June 5th 2013, Microsoft MVP June 2013 Event
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.


Description: Presentation on how to enable and use Azure Active Directory Rights Management (AADRM) with Office 365, held at the Microsoft MVP ANZ event in June 2013.


Page 2: Use AADRM (Right Management Services) with Office 365

The information contained in this presentation is proprietary. © 2012 Capgemini. All rights reserved.

Who am I

Benoit HAMET
Manager – Microsoft Technologies Specialist at Capgemini
MVP Office 365

http://blog.hametbenoit.info

http://www.linkedin.com/in/benoithamet

http://twitter.com/benoit_hamet


Copyright © Capgemini 2013. All Rights Reserved

Microsoft MVP Event | Use AADRM with Office 365 | June-13

Agenda

• Terminology and Definition
• Information Protection Requirements & Approach
• What is Rights Management and how does it work?
• RMS in Office 365
• Integration with Exchange, Office and SharePoint


Glossary

• IRM: Information Rights Management
• DRM: Digital Rights Management
• RMS: Rights Management Server
• RMS Online (AADRM): cloud-based Rights Management Service
• Publishing License: the license a document is published with
• Usage License: the license to use the document
• AD: Active Directory
• ADFS: Active Directory Federation Services


Terminology and Definition

• Protection: Encryption + Policy + Policy enforcement
  • Encryption: targets securing data in transit or at rest, but only until it is consumed
  • Policy: definition of who (identity) can do what (conditions) on a protected item
  • Policy Enforcement: application-specific code that enforces common, standardized behaviors
• Windows Azure AD Rights Management: an offering that is part of Office 365
• RMS: Rights Management Services
• IRM: Information Rights Management, interchangeable with Rights Management
• ERM/DRM: Enterprise or Digital Rights Management
• Content-Aware Data Leakage Protection (DLP): relies on ‘agents’ to apply Protection (encryption + policy) to content

[Diagram: Enterprise DRM Services; Content Protection Policies; software responsible to protect content; people responsible to protect content]


Information Protection Requirements

• Data is protected at the source: modern apps save directly to ‘foreign storage’, so they must encrypt before data leaves the app
• Data is protected in ‘usable chunks’: use patterns are at the document level, not at the full-drive level (e.g. BitLocker); especially true on constrained-resource mobile devices and on shared cloud-based storage
• Very strong encryption at rest is required; pretty good protection in apps is fine: assume the data is exposed to adversaries when at rest (pre-authorization); presume the user is “trustworthy but possibly absent minded” (post-authorization); flexible model to support offline use or online authorization, the ITPro decides
• Per-app policies and customization(s) to increase usability (reduce friction): per-application optimizations (Outlook vs. Word); app context matters


Information Protection Approach

• Protect files with EFS. Everyday metaphor: a locking bike rack, useful at that particular location but nowhere else. Once a good idea, but not very useful in modern times: who has only one device?
• Lock up personal data stores with BitLocker / BitLocker To Go. Everyday metaphor: the lock on the front door of your home. Good, but once open, everyone gets in. A great way to protect against lost laptops and other assets, but not at a granular level.
• Rights Management on-premises, in the cloud, across ‘tenants’ and to guests. Everyday metaphor: certified mail that, when closed, requires re-certification before reuse. Protection for data ‘in the wild’ with flexible terms of use, and transport agnostic. Generic file protection using ‘Rights Protected Folders’.
• SharePoint ‘Secure Libraries’. Everyday metaphor: a well-run public library whose librarian actually asks to see your identity. A great way to host data that can be centralized; data that leaves is protected.
• Pro-active protection (aka DLP) via Exchange, FOPE, FCI, ISV offers, etc. Everyday metaphor: a persistent yard caretaker for your ‘digital landscape’. Voluntary application of RM will only get you so far; DLP offers at strategic points do wonders!

Combined, these offers give you protection of lost assets, data in repositories, data in flight (user protected or not), and IT-controlled auditing of data usage.


What is Rights Management?

• Information Protection technology: protection is persisted with the data, so content can travel anywhere (desktops, file shares, USB keys, network and devices)
• Combines encryption, access controls, and policy expression and enforcement: prevents the accidental disclosure of sensitive data by applying usage policies (cannot forward, cannot print, read-only)
• Simple to use: authors just select a policy option, consumers just open documents. Securely share data with individuals within and outside of your organization.


How does RMS work?

[Diagram: a document protected as “Galactic Empire Confidential – You cannot copy, print or export this information in unprotected form to droids of any class.” The author side publishes it with a Publishing License + keys; the consumer side presents User certificates and receives a Use License.]


AADRM in Office 365

AADRM: Azure Active Directory Rights Management. AADRM is only available to Office 365 Enterprise plans.

• Easy to set up and use: start protecting data within minutes of subscribing to Office 365, no on-premises infrastructure required.
• Integrated within Exchange Online, SharePoint Online and Office: users keep using the applications and services they are already familiar with today.
• Additional controls are available in Exchange Online and SharePoint Online to meet your business requirements.


RMS in Office 365

Capabilities

• Simple mechanism to enable Rights Management capabilities across applications and services.
• Once Rights Management is enabled, Exchange and Office integration is also enabled, including IRM in Office, OWA and EAS.
• Provides default templates to apply common usage rights: simple templates that restrict access to users within a company. Usage policies will be assessed during the preview timeframe to gather feedback and add or tune policies.
• “Do Not Forward” and ad-hoc policies are also available.


Demo

Enable RMS in Office 365


Office 2010 and 2013 Integration

Information Worker
• Applications are already familiar to users; they just learn File, Protect, Restrict Permissions
• Policy templates are available to easily apply protection
• Users can create ad-hoc policies to provide an additional level of control
• Office IRM integration supports Outlook, Word, Excel, PowerPoint and InfoPath

Information Control
• Integrated with Exchange and SharePoint Online (more in a few minutes)
• Word, Excel and PowerPoint are integrated with SharePoint document libraries
• Outlook works with the Exchange IRM integrated features
• Outlook 2013 is integrated with DLP and can use IRM to apply protection
• Protection is persisted independent of how the data is stored: desktop, USB drive, file share, SkyDrive etc.


Exchange Online Integration

Information Worker
• Outlook Web App: IRM messages can be created and consumed in Outlook Web App
• Exchange ActiveSync: IRM messages can be consumed in EAS-based clients that have enabled Rights Management, including Windows Phone 7.5 and TouchDown for Android
• Supports collaboration across organizations

Information Control
• Journaling: creates an unprotected copy of messages for compliance purposes
• Exchange Transport Rules: enable automatic protection of content, complementing the DLP capabilities in Exchange Online
• Decryption: content can be decrypted for malware scanning and for the addition of disclaimers to messages


SharePoint Online Integration

Information Worker
• Protection is applied when documents are downloaded from a document library; users will not observe a difference
• Provides view-only capabilities for Web Access Companion Applications

Information Control
• Great for a centralized repository of documents
  • When documents are downloaded from SharePoint, protection is applied and resides with the document no matter where it goes
• Supports all IRM functionality for policy definition
  • Can define usage restrictions, policy renewal, and distribution groups on a per-document-library basis
• Supports collaboration scenarios across organizations
  • Can set access policies to enable users from other organizations to access your document library while you stay in control of your data


Demo

Integration with Exchange Online and SharePoint Online
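The “Enable RMS in Office 365” demo and the Exchange Online integration slide above, written out as the command sequence an administrator would type at the time; this is an added example, not the deck's or Microsoft's own script. It assumes the 2013-era AADRM PowerShell module and Exchange Online remote PowerShell, a global admin account, `admin@contoso.example` as a placeholder sender, and `<region>` as a placeholder for the tenant's AADRM region; SharePoint Online IRM is not covered.

```powershell
# Added example: enable AADRM for the tenant and connect Exchange Online to it, using the
# 2013-era AADRM and Exchange Online cmdlets. Not the deck's or Microsoft's own script.
# Assumptions: AADRM module installed, Office 365 global admin credentials, <region> is a
# placeholder for the tenant's AADRM region, admin@contoso.example is a placeholder sender.

# --- 1. Activate Rights Management for the tenant ---
Import-Module AADRM
Connect-AadrmService -Verbose        # prompts for Office 365 admin credentials
Enable-Aadrm                         # switches the tenant's RMS Online service on
Get-AadrmConfiguration               # shows the tenant's licensing/certification URLs
Disconnect-AadrmService

# --- 2. Connect to Exchange Online (remote PowerShell session of the period) ---
$cred = Get-Credential
$exo = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $exo

# --- 3. Point Exchange Online at RMS Online and import the trusted publishing domain ---
Set-IRMConfiguration -RMSOnlineKeySharingLocation `
    'https://sp-rms.<region>.aadrm.com/TenantManagement/ServicePartner.svc'
Import-RMSTrustedPublishingDomain -RMSOnline -Name 'RMS Online'

# --- 4. Verify before exposing IRM to users (expect OVERALL RESULT: PASS) ---
Test-IRMConfiguration -Sender 'admin@contoso.example'

# --- 5. Turn on IRM for Outlook, OWA and EAS clients ---
Set-IRMConfiguration -InternalLicensingEnabled $true

# --- 6. Information-control settings from the Exchange Online integration slide ---
# Journal reports include an unprotected copy of IRM-protected messages for compliance.
Set-IRMConfiguration -JournalReportDecryptionEnabled $true
# Transport decryption lets malware scanning and disclaimer rules see the content.
Set-IRMConfiguration -TransportDecryptionSetting Mandatory
# Transport rule: apply "Do Not Forward" automatically to confidential mail leaving the org.
New-TransportRule -Name 'Protect confidential external mail' `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords 'Confidential' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# Review the resulting configuration
Get-IRMConfiguration | Format-List InternalLicensingEnabled, ExternalLicensingEnabled, `
    JournalReportDecryptionEnabled, TransportDecryptionSetting
Remove-PSSession $exo
```

Run step 4 again after any later change to the IRM configuration: a failing Test-IRMConfiguration means users will see IRM errors in Outlook and OWA even though the tenant-level activation succeeded.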


Take Away

• Data can flow anywhere, anytime. Access-based control does not protect content once it has been accessed. Rights Management provides encryption that is persisted with the content and enables rich policy to be associated with content to prevent accidental disclosure.
• Rights Management is now integrated within Office 365. It does not require any additional on-premises infrastructure and takes a few minutes to configure. Available as part of Office 365 Enterprise. Deep integration with Office 2013, SharePoint Online and Exchange Online.