Security is one of the top priorities for every company, and secure external collaboration is a big part of it. How can we, as a company, work together with customers, partners, and vendors without the risk of exposing confidential documents? How can we share sensitive information through email within the organization?
In order to implement an information protection solution, you first need to understand what kind of information you need to protect; identifying your most critical assets is the first step in the data protection journey. Learn how you can leverage Azure Information Protection to enable secure sharing of information with employees, customers and partners in an easy and frictionless way.
3. Challenges with the complex environment
Employees
Business partners
Customers
Apps
Devices
Data
Users
Data leaks
Lost device
Compromised identity
Stolen credentials
4. The problem is ubiquitous
Intellectual Property theft has increased
56% rise in data theft
Accidental or malicious breaches due to lack of internal controls
88% of organizations are losing control of data
80% of employees admit to using non-approved SaaS apps
91% of breaches could have been avoided
Organizations no longer confident in their ability to detect and prevent threats
Saving files to non-approved cloud storage apps is common
8. Classify Data – Begin the Journey
Example labels: SECRET, CONFIDENTIAL, INTERNAL, PUBLIC, PERSONAL
IT admin sets policies, templates, and rules
Classify data based on sensitivity
Start with the data that is most sensitive
IT can set automatic rules; users can complement them
Associate actions such as visual markings and protection
9. How Classification Works
Reclassification: you can override a classification and optionally be required to provide a justification
Automatic: policies can be set by IT admins for automatically applying classification and protection to data
Recommended: based on the content you’re working on, you can be prompted with a suggested classification
User set: users can choose to apply a sensitivity label to the email or file they are working on with a single click
10. Apply labels based on classification
[Graphic: an encrypted document carrying the labels FINANCE and CONFIDENTIAL]
Persistent labels that travel with the document
Labels are metadata written to documents
Labels are in clear text so that other systems such as a DLP engine can read them, along with a hash of policies, rules, and user information
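Because the label is clear-text metadata, any DLP component can read it without the RMS key. As an added example (not from the slides or from Microsoft), the function below pulls the label out of a .docx package and applies a simple outbound-sharing rule; it assumes the MSIP_Label_<guid>_<field> custom-property naming that the AIP client writes to docProps/custom.xml, and the sample package is constructed inline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/custom.xml in Office Open XML packages.
NS_CP = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"

# AIP stores its label as clear-text custom properties named
# MSIP_Label_<label-guid>_<field> (assumed naming convention for this example).
LABEL_RE = re.compile(r"^MSIP_Label_(?P<guid>[0-9a-fA-F-]{36})_(?P<field>\w+)$")

def read_aip_labels(docx_bytes):
    """Return {guid: {field: value}} for every MSIP label property in the package."""
    labels = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return labels  # unlabeled document: no custom properties part
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.findall(f"{{{NS_CP}}}property"):
        m = LABEL_RE.match(prop.get("name", ""))
        if not m:
            continue
        value = prop.find(f"{{{NS_VT}}}lpwstr")
        labels.setdefault(m["guid"], {})[m["field"]] = value.text if value is not None else ""
    return labels

def dlp_decision(labels, blocked=("Confidential", "Secret")):
    """DLP-style rule: block outbound sharing when an enabled label is in the blocked set."""
    for fields in labels.values():
        if fields.get("Enabled", "").lower() == "true" and fields.get("Name") in blocked:
            return "block", fields["Name"]
    return "allow", None

def make_sample_docx(label_name, enabled=True, guid="00000000-1111-2222-3333-444444444444"):
    """Constructed minimal package containing only the custom-properties part."""
    fields = [("Enabled", "true" if enabled else "false"), ("Name", label_name)]
    props = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{pid}" '
        f'name="MSIP_Label_{guid}_{field}"><vt:lpwstr>{val}</vt:lpwstr></property>'
        for pid, (field, val) in enumerate(fields, start=2)
    )
    xml = f'<?xml version="1.0" encoding="UTF-8"?><Properties xmlns="{NS_CP}" xmlns:vt="{NS_VT}">{props}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/custom.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    for name in ("Confidential", "Public"):
        print(name, dlp_decision(read_aip_labels(make_sample_docx(name))))
```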
11. Protect data against unauthorized use
Usage rights such as VIEW, EDIT, COPY and PASTE are granted or denied on files and email attachments, in personal apps as well as corporate apps
Protect data needing protection by:
Encrypting the data
Including an authentication requirement and a definition of use rights (permissions) to the data
Providing protection that is persistent and travels with the data
13. Using variables in visual markings
• ${Item.Label} for the selected label. For example: Internal
• ${Item.Name} for the file name or email subject. For example: JulySales.docx
• ${Item.Location} for the path and file name for documents, and the email subject for emails. For example: Sales2016Q3JulyReport.docx
• ${User.Name} for the owner of the document or email, by the Windows signed-in user name. For example: rsimone
• ${User.PrincipalName} for the owner of the document or email, by the Azure Information Protection client signed-in email address (UPN). For example: rsimone@vanarsdelltd.com
• ${Event.DateTime} for the date and time when the selected label was set. For example: 8/16/2016 1:30 PM
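To make the substitution rules concrete, here is an added example (not from the slides or from the AIP client) that renders a header or footer template from these six variables; the Item dataclass, the helper names and the sample values are constructed for the illustration, and the ${Item.Location} branch follows the document-versus-email rule stated above.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Matches the ${Scope.Field} tokens listed on the slide.
VAR_RE = re.compile(r"\$\{(Item|User|Event)\.(\w+)\}")

@dataclass
class Item:
    label: str            # selected sensitivity label
    name: str             # file name for documents, subject for emails
    path: str = ""        # folder path for documents; unused for emails
    is_email: bool = False

def marking_variables(item, user_name, upn, when):
    """Substitution table for the six variables (constructed values, not AIP's own)."""
    # The slide shows the date as M/D/YYYY h:mm AM/PM; build it portably (no %-m).
    clock = when.strftime("%I:%M %p").lstrip("0")
    return {
        ("Item", "Label"): item.label,
        ("Item", "Name"): item.name,
        # ${Item.Location} is path + file name for documents but only the subject for emails.
        ("Item", "Location"): item.name if item.is_email else item.path + item.name,
        ("User", "Name"): user_name,
        ("User", "PrincipalName"): upn,
        ("Event", "DateTime"): f"{when.month}/{when.day}/{when.year} {clock}",
    }

def render_marking(template, variables):
    """Expand known variables; unknown tokens stay verbatim so a typo is visible in the marking."""
    return VAR_RE.sub(lambda m: variables.get((m.group(1), m.group(2)), m.group(0)), template)

def demo():
    """Header text built from the slide's sample values."""
    item = Item(label="Internal", name="JulySales.docx", path="C:\\Sales\\2016\\Q3\\")
    variables = marking_variables(item, "rsimone", "rsimone@vanarsdelltd.com",
                                  datetime(2016, 8, 16, 13, 30))
    return render_marking(
        "Classification: ${Item.Label} - ${Item.Location} labeled by "
        "${User.PrincipalName} on ${Event.DateTime}", variables)

if __name__ == "__main__":
    print(demo())
```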
14. Azure Information Protection and SharePoint
SharePoint supports Information Rights Management, based on Azure RMS
Not “integrated” with Azure Information Protection (yet?)
Automation based on the AIP SDK would be an option to auto-apply labels based on context
Align Data Loss Prevention (DLP) with Azure Information Protection
16. Azure Information Protection Premium P1/P2
Feature                                               P1 (EMS E3)   P2 (EMS E5)
Manual labeling (user driven)                         Yes           Yes
View labels and watermarks in Office                  Yes           Yes
Apply content marking and RMS protection in Office    Yes           Yes
Automatic and recommended labeling (conditions)       -             Yes
Classification, labeling and protection with MCAS     -             Yes
HYOK (Hold your own key – multi RMS server support)   -             Yes
17. Key takeaways
Azure Information Protection is about Classify, Label, Protect, and Monitor & Respond
Helps your organization understand and really use business information protection based on data classification
Think about compliance with the General Data Protection Regulation (GDPR), which is in force as of May 25th 2018
You have these entities – users, devices, apps and data
Data is being shared with employees, customers and business partners
You have to manage the complexity of protecting your users’ identities, and data stored on their devices and apps
You need to prepare to mitigate the risks of providing freedom and space to your employees.
You need to meet compliance and regulatory standards, maintain company security policies and requirements, and detect threats — all the while giving workers a better and more productive experience
The cloud is here to stay
The ‘cloud accepting’ population is growing… VERY rapidly
Your managers (CxO) are changing their minds… or soon will… or are being replaced
Microsoft is meeting organizations ‘in the middle’: abilities like lockbox, ‘going local’, etc.
Your competition will use the cloud to their advantage
You can’t compete with cloud vendors on substrate services (time, cost, innovation)
You can’t lay the substrate and do value-add at the same rate as your cloud peers
There will be breaches… both in the cloud and on-premises
Cloud vendors, with billions invested and far better ‘signals’, will act/evolve far quicker
We heard from you… and you are not alone
You had control over your data when it resided within your boundaries
Now that boundary has expanded with managed devices and cloud assets. MDM solutions help but not when data moves outside of your controlled environment
Once shared outside your environment, you lose control over your data.
1. For years, RMS helped businesses provide persistent protection over their data through encryption, access control and policy enforcement
2. We added tracking and revocation capabilities for greater control over shared data
3. Now we also have classification and labeling capabilities so that you can identify what data needs protection and protect only the data that needs protection
Timelines
Active Directory RMS - 2003
Azure RMS – 2013/2014
Announcement: Microsoft acquisition of Secure Islands – June 2016
Azure Information Protection (AIP) preview – July 2016
Azure Information Protection (AIP) generally available – October 2016
At data creation
Using known data classification, well known company terminology
Start small, learn based on experience
Question: who works at a business that has an information protection vocabulary, like private, restricted, …? Now lower your hand if your business is not using it very well.
Best case – IT sets up the policy
But IT can’t catch everything, so recommendations are the next best thing
Flexibility for users to reclassify, because policies won’t get it right all the time. But everything is logged, so IT can audit in case of a violation
Users also have the option to label if they deem necessary, even when not automatically classified
Labels stay with the data to enforce the policies and classification
Persistent tag
User awareness through visual labels
Leverage AIP through SDK, third party integration or automation
Extra protection is available for sensitive data
Not just encryption, but rights of who can access it and what they can do with the data
Audit trails to track data (via portal)
https://www.microsoft.com/en-us/cloud-platform/azure-information-protection-features
HYOK vs BYOK: HYOK on-premises for very highly confidential cases, everything else online with BYOK
BYOK (Bring Your Own Key) is supported by Azure