Presentation on how to enable and use Azure Active Directory Right Management (AADRM) on Office 365 Presentation held at Microsoft MVP ANZ event on June 2013
Use ADDRM with Office 365
Benoit HAMET, Sydney, June 5th 2013
Microsoft MVP June 2013 Event
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
The information contained in this presentation is proprietary. © 2012 Capgemini. All rights reserved.
Who am I
Benoit HAMET, Manager – Microsoft Technologies Specialist at Capgemini, MVP Office 365
http://blog.hametbenoit.info
http://www.linkedin.com/in/benoithamet
http://twitter.com/benoit_hamet
Copyright © Capgemini 2013. All Rights Reserved
Microsoft MVP Event – Use AADRM with Office 365 | June-13
Agenda
• Terminology and Definition
• Information Protection Requirements & Approach
• What is Rights Management and how does it work?
• RMS in Office 365
• Integration with Exchange, Office and SharePoint
Glossary
• IRM: Information Rights Management
• DRM: Digital Rights Management
• RMS: Rights Management Server
• RMS Online (AADRM): Cloud based Rights Management Service
• Publishing License: the license a document is published with
• Usage License: the license to use the document
• AD: Active Directory
• ADFS: Active Directory Federation Services
Terminology and Definition
• Protection: Encryption + Policy + Policy enforcement
• Encryption: Targets securing data in transit or at rest, but only until consumed
• Policy: Definition of who (identity) can do what (conditions) on a protected item
• Policy Enforcement: Application-specific code to enforce common, standardized behaviors
• Windows Azure AD Rights Management: An offering that is a part of Office 365
• RMS: Rights Management Services
• IRM: Information Rights Management, interchangeable with Rights Management
• ERM/DRM: Enterprise or Digital Rights Management
• Content-Aware Data Leakage Protection (DLP): Relies on ‘agents’ to apply Protection (encryption + policy) to content
[Diagram: Enterprise DRM Services – Content Protection, Policies, Software responsible to protect content – alongside People responsible to protect content]
Information Protection Requirements
• Data is protected at the source: modern apps save directly to ‘foreign storage’, so they must encrypt before data leaves the app
• Data is protected in ‘usable chunks’: use patterns are at the document level, not at the full drive level (e.g. BitLocker). Especially true on constrained-resource mobile devices and on shared cloud-based storage
• Very strong encryption at rest is required; pretty good protection in apps is fine. Assume the data is exposed to adversaries when at rest (pre-authorization). Presume the user is “trustworthy but possibly absent minded” (post-authorization). Flexible model to support offline use or online authorization; the ITPro decides
• Per-app policies and customization(s) to increase usability (reduce friction): per-application optimizations (Outlook vs. Word); app context matters
Information Protection Approach
• Protect files with EFS. Everyday metaphor: a locking bike rack – useful at that particular location but nowhere else. Once a good idea but not very useful in modern times… who has only one device?
• Lock up personal data stores with BitLocker / BitLocker To Go. Everyday metaphor: the lock on the front door of your home. Good, but once open, everyone gets in. A great way to protect against lost laptops and other assets, but not at a granular level
• Rights Management on-premises, in the cloud, across ‘tenants’ and to guests. Everyday metaphor: certified mail that, when closed, requires re-certification before reuse. Protection for data ‘in the wild’ with flexible terms-of-use, and transport agnostic. Generic file protection using ‘Rights Protected Folders’
• SharePoint ‘Secure Libraries’. Everyday metaphor: a well-run public library whose librarian actually asks to see your identity. A great way to host data that can be centralized; data that leaves is protected
• Pro-active protection (aka DLP) via Exchange, FOPE, FCI, ISV offers, etc. Everyday metaphor: a persistent yard caretaker for your ‘digital landscape’. Voluntary application of RM will only get you so far; DLP offered at strategic points does wonders!
Combined, these offers give you protection of lost assets, data in repositories, data in flight (user protected or not), and IT controlled* auditing of data usage.
What is Rights Management?
• Information Protection technology: protection is persisted with the data, so content can travel anywhere (desktops, file shares, USB keys, network and devices)
• Combines encryption, access controls, and policy expression and enforcement: prevents the accidental disclosure of sensitive data by applying usage policies (cannot forward, cannot print, read-only)
• Simple to use: authors just select a policy option, consumers just open documents. Securely share data with individuals within and outside of your organization.
How does RMS work?
[Diagram: RMS flow showing User certificates, a Use License, and a Publishing License + keys around a protected document. Sample protected content: “Galactic Empire Confidential – You cannot copy, print or export this information in unprotected form to droids of any class.”]
AADRM in Office 365
• AADRM: Azure Active Directory Rights Management. AADRM is only available to Office 365 Enterprise plans
• Easy to set up and use: start protecting data within minutes of subscribing to Office 365, no on-premises infrastructure required
• Integrated within Exchange Online, SharePoint Online and Office: users keep using the applications and services they are already familiar with today
• Additional controls available in Exchange Online and SharePoint Online to meet your business requirements
RMS in Office 365
Capabilities
• Simple mechanism to enable Rights Management capabilities across applications and services
• Once Rights Management is enabled, Exchange and Office integration is also enabled, including IRM in Office, OWA and EAS
• Provides default templates to apply common usage rights: simple templates to restrict access to users within a company. Usage policies will be assessed during the preview timeframe to gather feedback and add or tune policies
• “Do Not Forward” and ad-hoc policies are also available
Demo
Enable RMS in Office 365
Office 2010 and 2013 Integration
Information Worker
• Applications are already familiar to users: just learn File, Protect, Restrict Permissions
• Policy templates available to easily apply protection
• Users can create an ad-hoc policy to provide an additional level of control
• Office IRM integration supports Outlook, Word, Excel, PowerPoint and InfoPath
Information Control
• Integrated with Exchange and SharePoint Online (more in a few minutes)
• Word, Excel, PowerPoint integrated with SharePoint Document Libraries
• Outlook works with Exchange IRM integrated features; Outlook 2013 is integrated with DLP and can use IRM to apply protection
• Protection persisted independent of how the data is stored: desktop, USB drive, file share, SkyDrive etc…
Exchange Online Integration
Information Worker
• Outlook Web App – IRM messages can be created and consumed in Outlook Web App
• Exchange ActiveSync – IRM messages can be consumed in EAS-based clients that have enabled Rights Management, including Windows Phone 7.5 and TouchDown for Android
• Supports collaboration across organizations
Information Control
• Journaling – creates an unprotected copy of messages for compliance purposes
• Exchange Transport Rules – enables automatic protection of content by complementing the DLP capabilities in Exchange Online
• Decryption – can decrypt content for malware scanning and the addition of disclaimers to messages
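The “Enable RMS in Office 365” demo and the transport-rule protection described above, as an added example that is not part of the original deck. It uses the Windows Azure AD Rights Management and Exchange Online PowerShell cmdlets of that era; the admin account, the North America key-sharing endpoint, the placeholder sender address and the rule keyword are assumptions.

```powershell
# Added example (not from the deck). Requires the Windows Azure AD Rights
# Management PowerShell module and a remote Exchange Online session.
# Assumptions: a global admin credential is prompted for; the tenant is in the
# North America region (EU/AP tenants use the eu/ap endpoint); the sender address
# and rule keyword are placeholders.

# --- 1. Activate AADRM for the tenant (the "Enable RMS in Office 365" demo) ---
$cred = Get-Credential                      # Office 365 global admin
Connect-AadrmService -Credential $cred
Enable-Aadrm                                # turns on Rights Management for the tenant
Get-Aadrm                                   # should report Enabled

# --- 2. Connect Exchange Online to RMS Online ---
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://ps.outlook.com/powershell/" -Credential $cred `
    -Authentication Basic -AllowRedirection
Import-PSSession $session

# Region-specific key-sharing location (assumption: North America tenant)
Set-IRMConfiguration -RMSOnlineKeySharingLocation `
    "https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc"
Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
Set-IRMConfiguration -InternalLicensingEnabled $true   # IRM in OWA, EAS and transport

# Verify: list the available templates ("Do Not Forward", the default
# company-confidential template) and test IRM for one sender (placeholder address)
Get-RMSTemplate | Format-Table Name, Description
Test-IRMConfiguration -Sender admin@contoso.onmicrosoft.com

# --- 3. Transport rule: automatic protection complementing DLP ---
# Mail leaving the organisation whose subject or body contains the placeholder
# keyword gets the "Do Not Forward" template applied before it leaves Exchange Online.
New-TransportRule -Name "Protect confidential mail leaving the tenant" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "Company Confidential" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Check: confirm the rule is enabled and which template it applies
Get-TransportRule "Protect confidential mail leaving the tenant" |
    Format-List Name, State, SentToScope, ApplyRightsProtectionTemplate
```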
SharePoint Online Integration
Information Worker
• Protection is applied when documents are downloaded from a document library; users will not observe a difference
• Provides view-only capabilities for Web Access Companion Applications
Information Control
• Great for a centralized repository of documents
• When documents are downloaded from SharePoint, protection is applied which resides with the document no matter where it goes
• Supports all IRM functionality for policy definition: can define usage restrictions, policy renewal, and distribution groups on a per-document-library basis
• Supports collaboration scenarios across organizations: can set access policies to enable users from other organizations to access your document library and stay in control of your data
Demo
Integration with Exchange Online and SharePoint Online
Take Away
• Data can flow anywhere, anytime. Access-based control does not protect content once it has been accessed. Rights Management provides encryption that is persisted with the content and enables rich policy to be associated with content to prevent accidental disclosure.
• Rights Management is now integrated within Office 365. It does not require any additional on-premises infrastructure and takes a few minutes to configure. Available as a part of Office 365 Enterprise. Deep integration with Office 2013, SharePoint Online and Exchange Online.