This document discusses information rights management and protecting data in the cloud. It introduces Microsoft's Enterprise Mobility + Security solution, which provides identity-driven security, comprehensive security solutions, and managed mobile productivity. Key capabilities include Azure Active Directory for identity management, Azure Information Protection for data protection across apps and devices, and Microsoft Cloud App Security. The document also discusses challenges of protecting data and identities in complex environments and how these solutions can help.
1. Information Rights Management
ANK Business Services GmbH
Michael Kirst-Neshva
Microsoft MVP Office 365
GWAVACon EMEA 2016
Protecting data in / with the cloud
2. 2016
Michael Kirst-Neshva
ANK Business Services GmbH
Senior IT-Infrastructure Architect
Microsoft MVP Office 365
Communities:
Office365 Community Deutschland (Lead)
UserGroup Office365 Deutschland (Lead)
Azure Community Deutschland (Member)
Association „Voice of Information“ (Member)
http://www.voi.de
Competence Center „SharePoint Major League“
http://www.mlsharepoint.de
http://www.ankbs.de
E-Mail: mkn@ankbs.de
E-Mail: b-mikirs@microsoft.com
Twitter: @ankbs
Blog | http://blog.ugoffice365.ms
3. Is it possible to keep up?
Employees
Business partners
Customers
Is it possible to stay secure?
Apps
Devices
Data
Users
Data leaks
Lost device
Compromised identity
Stolen
credentials
4. Is it possible to keep up?
Employees Business partners Customers
The Microsoft vision
Secure and protect against new threats
Maximum productivity experience
Integrate with what you have
Apps
Devices
Data
Users
5. User freedom
Secure against new threats
Do more with less
Customers need
Identity-driven security
Productivity without compromise
Comprehensive solutions
Microsoft solution
ENTERPRISE MOBILITY + SECURITY
Identity-driven
security
Comprehensive
solution
Managed mobile
productivity
7. Identity as the core of enterprise mobility
Single sign-on
Self-service
Simple connection
On-premises
Other
directories
Windows Server
Active Directory
SaaS
Azure
Public cloud
Cloud
Microsoft Azure Active Directory
8. 1000s of apps, 1 identity
Provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps
Manage access at scale
Manage identities and access at scale in the cloud and on-premises
Cloud-powered protection
Ensure user and admin accountability with better security and governance
Enable business without borders
Stay productive with universal access to every app and collaboration capability
Azure Active Directory. Identity at the core of your business
9. Secure remote access to on-premises apps
Single sign-on to mobile apps
Support for lift-and-shift of traditional apps to the cloud
Provide one persona to the modern workforce for SSO to 1000s of cloud and on-premises applications
Single sign-on to SaaS apps
1000s of apps, 1 identity
"Azure AD Premium makes life simpler for the business and for employees. It gives them access to enterprise applications from any device with a single sign-on that is secure and reliable. That is fundamental in increasing the adoption of cloud technology. Bristow is also using Application Proxy, and Azure AD Connect."
- Kapil Mehta, Productivity & Directory Services Manager, Bristow Group Inc.
11. CLOUD-POWERED PROTECTION
Identity Protection at its best
Risk severity calculation
Remediation recommendations
Risk-based conditional access automatically protects against suspicious logins and compromised credentials
Gain insights from a consolidated view of machine learning based threat detection
Leaked credentials
Infected devices
Configuration vulnerabilities
Risk-based policies
MFA Challenge
Risky Logins
Block attacks
Change bad credentials
Machine-Learning Engine
Brute force attacks
Suspicious sign-in activities
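The risk-based conditional access flow sketched on this slide, as an added example (Python; not code from the deck or from Azure AD Identity Protection): constructed sign-in events are scored against the signal types the slide lists, leaked credentials, infected devices, brute-force attempts and one "suspicious sign-in" signal (an anonymizing IP), and the resulting severity is mapped to the slide's actions, MFA challenge, block, change bad credentials. The signal weights, thresholds, leaked-credential list, domains and log lines are all assumptions made for the example.

```python
"""Risk-based sign-in evaluation over a constructed sign-in log.

Added example for this deck; not code from the slides or from Azure AD
Identity Protection. Signal weights, thresholds, the leaked-credential
feed and the sample events are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    success: bool
    device_health: str = "healthy"  # "healthy" | "infected" | "unknown" (constructed values)
    anonymous_ip: bool = False      # one "suspicious sign-in" signal: anonymizing proxy


# Constructed stand-in for a leaked-credential feed.
LEAKED_CREDENTIALS = {"bob@contoso.example"}

# Brute-force rule: this many failures from one IP against one account inside the window.
BRUTE_FORCE_ATTEMPTS = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=10)

# Severity -> action, following the remediation options the slide names.
ACTIONS = {
    "low": "allow",
    "medium": "mfa_challenge",
    "high": "block_and_require_credential_change",
}


def brute_forced_accounts(events):
    """Users hit by a burst of failures: >= BRUTE_FORCE_ATTEMPTS from one IP within the window."""
    failures = defaultdict(list)
    for e in events:
        if not e.success:
            failures[(e.user, e.ip)].append(e.ts)
    hit = set()
    for (user, _ip), stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - BRUTE_FORCE_ATTEMPTS + 1):
            if stamps[i + BRUTE_FORCE_ATTEMPTS - 1] - stamps[i] <= BRUTE_FORCE_WINDOW:
                hit.add(user)
                break
    return hit


def score_sign_in(event, brute_forced):
    """Additive risk score; the weights are constructed, not Microsoft's."""
    score, reasons = 0, []
    if event.user in LEAKED_CREDENTIALS:
        score += 3
        reasons.append("leaked credentials")
    if event.device_health == "infected":
        score += 2
        reasons.append("infected device")
    if event.user in brute_forced:
        score += 2
        reasons.append("brute force against account")
    if event.anonymous_ip:
        score += 1
        reasons.append("anonymous IP")
    return score, reasons


def severity(score):
    if score >= 3:
        return "high"
    if score >= 1:
        return "medium"
    return "low"


def evaluate(events):
    """Decide per successful sign-in; failed attempts were already refused and need no decision."""
    brute_forced = brute_forced_accounts(events)
    decisions = {}
    for e in events:
        if not e.success:
            continue
        score, reasons = score_sign_in(e, brute_forced)
        level = severity(score)
        decisions[e.user] = {"severity": level, "action": ACTIONS[level], "reasons": reasons}
    return decisions


def sample_events():
    """Constructed log: a clean user, a leaked credential, a brute-forced account, an infected device."""
    t0 = datetime(2016, 11, 1, 8, 0, 0)
    events = [
        SignIn(t0, "alice@contoso.example", "203.0.113.10", True),
        SignIn(t0 + timedelta(minutes=1), "bob@contoso.example", "203.0.113.11", True),
    ]
    # six failures within three minutes, then a success from the same IP
    for k in range(6):
        events.append(SignIn(t0 + timedelta(minutes=2, seconds=30 * k),
                             "carol@contoso.example", "198.51.100.7", False))
    events.append(SignIn(t0 + timedelta(minutes=6), "carol@contoso.example", "198.51.100.7", True))
    events.append(SignIn(t0 + timedelta(minutes=7), "dave@contoso.example", "203.0.113.12", True,
                         device_health="infected"))
    return events


if __name__ == "__main__":
    for user, d in evaluate(sample_events()).items():
        print(f"{user:28} {d['severity']:6} {d['action']:36} {', '.join(d['reasons'])}")
```

The brute-force detector looks at the whole window of failures before deciding on the later successful sign-in, which is why the scoring runs over the complete log rather than one event at a time; a real engine would keep that state per account.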
12. Collaboration in a borderless world
Users want collaboration and productivity, you want protection and control
Data
Apps
Devices
Users
Access everything from everywhere
Share and store data across boundaries
Protect sensitive data
Employees Business partners Customers
13. Intune
Azure Information Protection
Protect your users, devices, and apps
Detect problems early with visibility and threat analytics
Protect your data, everywhere
Extend enterprise-grade security to your cloud and SaaS apps
Manage identity with hybrid integration to protect application access from identity attacks
Advanced Threat Analytics
Cloud App Security
Azure Active Directory Identity Protection
15. Challenges with the complex environment
Employees
Business partners
Customers
Apps
Devices
Data
Users
Data leaks
Lost device
Compromised identity
Stolen
credentials
16. The problem is ubiquitous
Intellectual Property theft has increased
56% rise in data theft
Accidental or malicious breaches due to lack of internal controls
88% of organizations are losing control of data
80% of employees admit to using non-approved SaaS apps
91% of breaches could have been avoided
Organizations no longer confident in their ability to detect and prevent threats
Saving files to non-approved cloud storage apps is common
Sources:
19. Azure Information Protection
The evolution of Azure RMS
DOCUMENT TRACKING
DOCUMENT REVOCATION
Monitor & respond
LABELING
CLASSIFICATION
Classification & labeling
ENCRYPTION
Protect
ACCESS CONTROL
POLICY ENFORCEMENT
Full Data Lifecycle
20. Our solution: Data Lifecycle Classification and Protection
At data creation
Manual and automatic - as much as possible
Persistent labels
Industry standard that enables a wide ecosystem
User awareness through visual labels
Encryption with RMS
DLP & compliance actions
Audit trails to track data
Orchestrate
21. SECRET
CONFIDENTIAL
INTERNAL
NOT RESTRICTED
IT admin sets policies, templates, and rules
PERSONAL
Classify data based on sensitivity
Start with the data that is most sensitive
IT can set automatic rules; users can complement it
Associate actions such as visual markings and protection
22. Due Diligence Documentation
Due Diligence
Category                 Documentation                               Task   Owner   Status
Business Plan, Corporate Structure, Financing
Business plan            Current five-year business plan
                         Prior business plan
Corporate organization   Articles of incorporation
                         Bylaws
                         Recent changes in corporate structure
                         Parent, subsidiaries, and affiliates
                         Shareholders’ agreements
                         Minutes from board meetings
26. Reclassification
You can override a classification and optionally be required to provide a justification
Automatic
Policies can be set by IT Admins for automatically applying classification and protection to data
Recommended
Based on the content you’re working on, you can be prompted with suggested classification
User set
Users can choose to apply a sensitivity label to the email or file they are working on with a single click
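The labeling model of slides 21 and 26, as an added example (Python; not code from the deck or from Azure Information Protection): IT-configured rules apply a label automatically or recommend one, users may set or raise a label themselves, and downgrading an automatically applied label is a reclassification that requires a justification and is written to an audit trail. Each label also carries the marking and protection actions slide 21 associates with it. The label order is the deck's; the detection rules, the action mapping and the sample texts are constructed for the example.

```python
"""Toy sensitivity-labeling policy engine.

Added example for this deck; not code from the slides or from Azure
Information Protection. Detection rules, label actions and sample
texts are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Label taxonomy from the deck, lowest sensitivity first.
LABELS = ["PERSONAL", "NOT RESTRICTED", "INTERNAL", "CONFIDENTIAL", "SECRET"]

# Constructed rules an IT admin might configure: (pattern, label, mode).
RULES = [
    (re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"), "CONFIDENTIAL", "automatic"),  # card-like numbers
    (re.compile(r"(?i)\bproject\s+falcon\b"), "SECRET", "automatic"),                       # constructed code name
    (re.compile(r"(?i)\b(salary|payroll)\b"), "INTERNAL", "recommended"),
]

# Constructed actions per label (slide 21: visual markings and protection).
ACTIONS = {
    "SECRET": {"marking": "SECRET - do not forward", "protect": True},
    "CONFIDENTIAL": {"marking": "CONFIDENTIAL", "protect": True},
    "INTERNAL": {"marking": "INTERNAL", "protect": False},
    "NOT RESTRICTED": {"marking": None, "protect": False},
    "PERSONAL": {"marking": None, "protect": False},
}


@dataclass
class Decision:
    label: Optional[str]
    method: str                       # unlabeled | automatic | recommended | user | reclassified
    justification: Optional[str] = None
    audit: list = field(default_factory=list)

    @property
    def actions(self):
        return ACTIONS[self.label] if self.label else {"marking": None, "protect": False}


def rank(label):
    return LABELS.index(label)


def highest(a, b):
    """More sensitive of two labels; None counts as 'no label'."""
    if a is None:
        return b
    if b is None:
        return a
    return a if rank(a) >= rank(b) else b


def evaluate_rules(text):
    """Run the IT rules; return (automatic_label, recommended_label), each the most sensitive match."""
    auto = rec = None
    for pattern, label, mode in RULES:
        if pattern.search(text):
            if mode == "automatic":
                auto = highest(auto, label)
            else:
                rec = highest(rec, label)
    return auto, rec


def classify(text, user_choice=None, justification=None):
    """Apply automatic/recommended rules, then the user's choice, enforcing the downgrade rule."""
    auto, rec = evaluate_rules(text)
    d = Decision(label=None, method="unlabeled")
    if auto:
        d.label, d.method = auto, "automatic"
        d.audit.append(f"automatic rule applied {auto}")
    elif rec:
        d.label, d.method = rec, "recommended"
        d.audit.append(f"recommended {rec}")
    if user_choice is None or (d.label and rank(user_choice) == rank(d.label)):
        return d
    if d.label is None or rank(user_choice) > rank(d.label) or d.method == "recommended":
        # Users may set a label, raise one, or decline a recommendation without justification.
        d.label, d.method = user_choice, "user"
        d.audit.append(f"user set {user_choice}")
        return d
    # Downgrading an automatically applied label is a reclassification and needs a justification.
    if not justification:
        raise PermissionError(f"downgrading {d.label} to {user_choice} requires a justification")
    d.audit.append(f"reclassified {d.label} -> {user_choice}: {justification}")
    d.label, d.method, d.justification = user_choice, "reclassified", justification
    return d


if __name__ == "__main__":
    for text in ["Payroll numbers for Q4 attached", "Card 4111 1111 1111 1111 on file", "Lunch menu"]:
        d = classify(text)
        print(f"{text!r:40} -> {d.label} ({d.method}), protect={d.actions['protect']}")
```

Whether a downgrade needs a justification is a policy knob in the product ("optionally be required"); here it is fixed on for automatic labels and off for recommendations, so the audit trail records both the rule that fired and who overrode it.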
27. FINANCE
CONFIDENTIAL
Persistent labels that travel with the document
Labels are metadata written to documents
Labels are in clear text so that other systems such as a DLP engine can read them
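What "clear-text metadata another system can read" looks like in practice, as an added example (Python; not code from the deck or from Azure Information Protection): an Office .docx is a ZIP archive whose docProps/custom.xml part holds custom document properties, and the Azure Information Protection client records its label there as properties named MSIP_Label_<label GUID>_<attribute>. The reader below needs no Office library; it collects those properties and lets a constructed mail-flow DLP check decide on an attachment. The label GUID, label names, the DLP policy, the domains and the minimal in-memory document are all constructed for the example; a real .docx carries many more parts than the one written here.

```python
"""Reading a clear-text sensitivity label out of an Office document.

Added example for this deck; not code from the slides or from Azure
Information Protection. The label GUID, label names, DLP policy and the
minimal in-memory .docx are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_CUSTOM = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
FMTID_USER = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"  # OOXML user-defined property set
LABEL_PROP = re.compile(r"^MSIP_Label_(?P<guid>[0-9a-fA-F-]{36})_(?P<attr>\w+)$")

SAMPLE_GUID = "11111111-2222-3333-4444-555555555555"  # constructed label id


def build_sample_docx(label_name=None, enabled=True):
    """Constructed stand-in for a labeled .docx: only the custom-properties part matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body, not a valid Word part
        if label_name is not None:
            root = ET.Element(f"{{{NS_CUSTOM}}}Properties")
            attrs = {"Enabled": str(enabled).lower(), "Name": label_name,
                     "Method": "Standard", "SetDate": "2016-11-01T09:00:00Z"}
            for pid, (attr, value) in enumerate(attrs.items(), start=2):
                prop = ET.SubElement(root, f"{{{NS_CUSTOM}}}property", fmtid=FMTID_USER,
                                     pid=str(pid), name=f"MSIP_Label_{SAMPLE_GUID}_{attr}")
                ET.SubElement(prop, f"{{{NS_VT}}}lpwstr").text = value
            zf.writestr("docProps/custom.xml",
                        ET.tostring(root, encoding="UTF-8", xml_declaration=True))
    return buf.getvalue()


def read_labels(docx_bytes):
    """Return {label_guid: {attribute: value}} for every MSIP_Label_* custom property."""
    labels = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return labels
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.iter(f"{{{NS_CUSTOM}}}property"):
        m = LABEL_PROP.match(prop.get("name", ""))
        if not m:
            continue
        value = prop.find(f"{{{NS_VT}}}lpwstr")
        labels.setdefault(m["guid"].lower(), {})[m["attr"]] = value.text if value is not None else ""
    return labels


def active_label_name(docx_bytes):
    """Name of the enabled label, or None when the document carries no active label."""
    for attrs in read_labels(docx_bytes).values():
        if attrs.get("Enabled", "").lower() == "true" and attrs.get("Name"):
            return attrs["Name"]
    return None


# Constructed DLP policy: labels that must not leave the organization over this channel.
BLOCK_EXTERNAL = {"Confidential", "Secret"}


def dlp_decision(docx_bytes, recipient_domain, org_domain="contoso.example"):
    """What a mail-flow DLP check would do with this attachment for this recipient."""
    label = active_label_name(docx_bytes)
    external = recipient_domain.lower() != org_domain
    if external and label in BLOCK_EXTERNAL:
        return "block"
    if external and label is None:
        return "warn"  # unlabeled content leaving the organization: prompt the sender
    return "allow"


if __name__ == "__main__":
    doc = build_sample_docx("Confidential")
    print(read_labels(doc))
    print(dlp_decision(doc, "partner.example"))
```

Because the label is plain XML rather than part of the encrypted payload, a gateway can evaluate it before any RMS key is involved; the same property is also what a user-set label from slide 26 leaves behind, so a DLP rule on the label name catches both automatically and manually classified files.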
28. VIEW EDIT COPY PASTE
Email attachment
FILE
Protect data needing protection by:
Encrypting data
Including authentication requirement and a definition of use rights (permissions) to the data
Providing protection that is persistent and travels with the data
Personal apps
Corporate apps
29. Share internally, with business partners, and customers
Bob
Jane
Internal user
*******
External user
*******
Any device/
any platform
Roadmap
Sue
File share
SharePoint
Email
LoB
30. Information
protection
Identity-driven
security
Managed mobile
productivity
Identity and access
management
Azure Information
Protection
Premium P2
(includes P1 features)
Azure Information
Protection
Premium P1
Microsoft Cloud
App Security
Microsoft Advanced
Threat Analytics
Microsoft Intune
Azure Active Directory
Premium P2
(includes P1 features)
Azure Active
Directory
Premium P1
E3
E5
31. Azure Information Protection Premium P1/P2
Feature                                                Premium P1 (EMS E3)   Premium P2 (EMS E5)
View labels and watermarks in Office                   Yes                   Yes
Manual labeling (user driven)                          Yes                   Yes
Apply content marking and RMS protection in Office     Yes                   Yes
Automatic and recommended labeling                     -                     Yes
Classification, labeling and protection with MCAS      -                     Yes
HYOK (Hold your own key - multi RMS server support)    -                     Yes
32. Apps and Data
SaaS
Microsoft protecting you
Malware Protection Center
Cyber Hunting Teams
Security Response Center
Device
Infrastructure
CERTs
PaaS IaaS
Identity
INTELLIGENT SECURITY GRAPH
Cyber Defense Operations Center
Digital Crimes Unit
Antivirus Network
Industry Partners
33. SECURE MODERN ENTERPRISE
Identity
Apps and Data
Infrastructure
Devices
Identity
Embraces identity as primary security perimeter and protects identity systems, admins, and credentials as top priorities
Apps and Data
Aligns security investments with business priorities including identifying and securing communications, data, and applications
Infrastructure
Operates on modern platform and uses cloud intelligence to detect and remediate both vulnerabilities and attacks
Devices
Accesses assets from trusted devices with hardware security assurances, great user experience, and advanced threat detection
Secure Platform (secure by design)
34. Identity Pillar
Phase 2: Identity
Embraces identity as primary security perimeter and protects identity systems,
admins, and credentials as top priorities
35. Identity Pillar
Phase 2: Identity
Embraces identity as primary security perimeter and protects identity systems,
admins, and credentials as top priorities
Azure Active Directory (AAD)
Cloud App Security (CAS)
Windows 10
Windows Hello
Cybersecurity Architect
Windows 10
Credential Guard
Microsoft Passport
Managed ATA
Windows Server 2016
Shielded VMs
Code Integrity
Advanced Threat Analytics
(ATA)
• Enhanced Security
Administrative
Environment (ESAE)
• Active Directory Service
Hardening (ADSH)
• Windows Server 2016
Deployment
Windows 10 Deployment
Managed ATA
36. Apps and Data Pillar
Phase 2: Apps and Data
Aligns security investments to business priorities and applies both security
fundamentals and modern protections
37. Apps and Data Capability Mapping
Phase 2: Apps and Data
Aligns security investments to business priorities and applies both security
fundamentals and modern protections
Cloud App Security (CAS)
Cybersecurity Architect
• Windows 10 Deployment
Cybersecurity Architect
• Rights Management Services
• Azure RMS
• Office 365 Integration
• Office 365
• Data Leakage Protection
(DLP)
• Exchange Online Advanced
Threat Protection
• Conditional Access
• Intune
• Azure Active Directory
• Windows 10
• Enterprise Data Protection
• Cloud App Security (CAS)
• Conditional Access