
1 Adam Hall twitter.com/Adman_NZ aka.ms/askipteam

2 Agenda Your Challenges Observed Industry Trends Our Views and Approach Recommended Next Steps Architecture

3 Hard Challenges You have a perimeter You have managed devices within a broader perimeter Your business requires you to store and/or share sensitive data outside of your on-premises boundary

4 How To Solve? Keep all data on premises?!? Managing all identities in your own directory?!? Lock down devices, PCs, and users to restrictive policy?!? Accept that data will leak?!?

5 Identity-Bound Protection External sharing of data requires identity-bound data protection. Disparate storage requires the data itself to be protected. (Slide diagram: managed devices and company-internal data inside your perimeter; secured data shared company-external.)

6 Observations from visits with 500+ Organizations The cloud is here to stay. The ‘cloud accepting’ population is growing… VERY rapidly. CxO’s are changing their minds… or soon will… or are being replaced. Microsoft is meeting organizations ‘in the middle’. Your competition will use the cloud to their advantage. You can’t compete with cloud vendors on substrate services (time, cost, innovation). You can’t lay the substrate and do value-add at the same rate as your cloud peers. There will be breaches… both in the cloud and on-premises. Cloud vendors, with billions invested and far better ‘signals’, will act/evolve far quicker.

7 Your Common Limiters That Slow Progress Few IT leaders know what is sensitive and what is not. Everyone wants to focus on the data that is most sensitive; the data that causes problems. Hybrid is the new normal… data protection got a lot harder. For some, even if Office 365 is the destination, the journey is long. The cloud is a bit scary… but oh so compelling. The small fraction of ‘Secret’ data is unfairly clouding (pun intended) your decisions. Complexity is overwhelming when working on ‘grand plans’. Many factors dictate simpler projects. Small, bite-sized approaches are needed.

8 Agenda Your Challenges Observed Industry Trends Our Views and Approach Recommended Next Steps Architecture

9 Azure Key Vault

10 Information Protection Vision On any device: Email, LOB apps, Files. Share internally, share externally (B2C), share externally (B2B). Policy enforcement, document revocation, document tracking, access control, encryption, classification and labeling. In any part of the world: US, EU, APAC, China, Germany.

11 Typical Hybrid Topology Authentication & collaboration; BYO Key; RMS connector. Authorization requests go to a federation service (ADFS, AAD Connect). Data protection for organizations at different stages of cloud adoption. Ensures security because sensitive data is never sent to the RMS server. Integration with on-premises assets with minimal effort.

13 #1: Classify your data Not all data is sensitive Do you know where yours is? Classification enables focus Make your job 5-10x easier! Classify however you need to Manual, Auto, or Recommended Classification on use

14 #2: Leverage Labels Classification persists ‘labels’ Watermarking too Partners honoring these labels are more valuable 1+1+1 = 10 Start the innovation cycle now! Ask Partners for support Leverage Labels Everywhere DLP, eDiscovery, Compliance Top DLP Vendors

15 #3: Protect Data Protected at birth, at rest, in transit, and even after use. You don’t have to care where the data goes! Very strong security until user authenticates. ‘Guard rails’ after that Enforces policy on use Apply data-bound protection Cloud Drive

16 #4: Monitor Use/Abuse IT gets raw logs (now free, on by default). Use SIEM, PowerBI, Splunk, etc. IT can leverage in-box and vendor dashboards for monitoring. In-box is ‘just ok’ now; more to come, plus partner offers. ‘Act-As User’ forensics behavior coming soon. Use User/ITPro logs/portals.

17 #5: Respond Watch for ‘blinking lights’. Watch, assess, respond. Remind users to care for their data. Doc tracking & revocation. Invest in cloud-powered machine learning; sorry, but alone you can’t keep up. Act on Use/Abuse/Overuse.

18 DEMOS Classify, Label, and Protect

19 Automatic classification

22 Manual classification

30 Classification Recommendations

37 Reclassification Justification

39 Agenda Your Challenges Observed Industry Trends Our Views and Approach Recommended Next Steps Architecture

40 Waiting is not one of the 5 steps! Aiming for 10 = looking for a unicorn. On a 0 to 10 scale, where are you? Initial steps generate much larger value: ‘Do Not Forward’ for HR and Legal, ‘Company Internal’ for SAP reports. Learning is fastest when on the job; you don’t know what you don’t know. Start small, now, and move quickly.

41 Your first steps Control sensitive internal email flow across all PCs/devices. ‘Share Protected’ files with business partners (B2B). Secure sensitive SAP-generated reports ‘at birth’ (requires a for-fee partner product by www.Secude.com). Prepare a classification taxonomy / evaluate Secure Islands. Ask us at AskIPTeam@Microsoft.com

42 Next steps Follow @ https://twitter.com/TheRMSGuy Learn more @ http://aka.ms/rmshome Discover @ http://aka.ms/rmsgetstarted For questions email AskIPteam@Microsoft.com IT Pro blog @ http://aka.ms/rmsblog Get involved @ https://www.yammer.com/AskIPteam Sign up @ http://portal.aadrm.com Download @ http://portal.aadrm.com/home/download Video of this talk at http://aka.ms/rmsvideo

43 © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

44 Agenda Your Challenges Observed Industry Trends Our Views and Approach Recommended Next Steps Architecture

45 Rights management 101 (Slide illustration: the ‘Secret cola formula’ document, Water / Sugar / Brown #16, shown in clear, then as a ciphertext blob carrying its Use Rights license after Protect, and in clear again after Unprotect.) Usage rights and the symmetric key are stored in the file as a ‘license’. Each file is protected by a unique AES symmetric key. The license is protected by a customer-owned RSA key.

46 Local processing on PCs/devices Apps protected with RMS enforce rights. Apps use the SDK to communicate with the RMS service/servers. File content is never sent to the RMS server/service. (Slide illustration: the ciphertext blob plus its Use Rights license.) Azure RMS never sees the file content, only the license.
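Slides 45 and 46 describe the protection model: a fresh AES key per file, the usage rights plus that key stored with the file as a license wrapped under the customer-owned RSA key, and a service that only ever handles the license. The Go program below is an added illustration of that model written for this page; it is not Microsoft's RMS code or file format, and the concrete choices (AES-256-GCM for the content, RSA-OAEP for wrapping, a comma-joined rights list) are assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"strings"
)

// ProtectedFile is what leaves the device (constructed illustration, not the real RMS format).
type ProtectedFile struct {
	Ciphertext []byte // AES-256-GCM, 12-byte nonce prepended; never sent to the service
	License    []byte // RSA-OAEP(key || rights); the only part the service ever opens
}

// Protect runs on the client: fresh per-file AES key, encrypt locally, then wrap
// the key together with the usage rights under the customer-owned RSA public key.
func Protect(content []byte, rights []string, pub *rsa.PublicKey) (*ProtectedFile, error) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	lic := append(append([]byte{}, key...), strings.Join(rights, ",")...)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, lic, nil)
	if err != nil {
		return nil, err
	}
	return &ProtectedFile{Ciphertext: gcm.Seal(nonce, nonce, content, nil), License: wrapped}, nil
}

// UnwrapLicense is the service side: it holds the RSA private key and sees only
// the key and the rights, never the ciphertext or the plaintext.
func UnwrapLicense(wrapped []byte, priv *rsa.PrivateKey) ([]byte, []string, error) {
	lic, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil || len(lic) < 32 {
		return nil, nil, errors.New("license unwrap failed")
	}
	return lic[:32], strings.Split(string(lic[32:]), ","), nil
}

// OpenLocally is the client again: decrypt with the unwrapped key only if the wanted
// right was granted (the 'guard rails' of slide 15); GCM rejects a tampered file.
func OpenLocally(pf *ProtectedFile, key []byte, rights []string, want string) ([]byte, error) {
	granted := false
	for _, r := range rights { granted = granted || r == want }
	if !granted || len(key) != 32 || len(pf.Ciphertext) < 12 { return nil, errors.New("open refused for right " + want) }
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, pf.Ciphertext[:12], pf.Ciphertext[12:], nil)
}
```

UnwrapLicense never takes pf.Ciphertext as an argument, which is the point of slide 46: the key holder authorizes access without ever receiving the content.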

47 Topology Authentication & collaboration; BYO Key; RMS connector. Authorization requests go to a federation service (AAD Connect, ADFS). Data protection for organizations at different stages of cloud adoption. Ensures security because sensitive data is never sent to the RMS server. Integration with on-premises assets with minimal effort.

48 Use Azure AD as the trusted fabric Azure Active Directory and ADFS. On-premises organizations doing full sync; on-premises organizations doing partial sync; organizations completely in cloud; organizations created through ad hoc sign-up… and all of these organizations can interact with each other.

49 Minimum sync profile for Azure RMS
cn (common name): jdoe
displayName: John Doe
mail: john.doe@contoso.com
proxyAddresses: SMTP:john.doe@contoso.com
userPrincipalName: john.doe@contoso.com
accountEnabled: True
objectSID (sync ID): 01 05 00 05 15 00 00 E2 DB … CF A1 29 71 04 00 00
pwdLastSet: 20141013171110.0Z
sourceAnchor (for Licensing): NyWoidInKk2S4xtxK+GsbQ==
usageLocation (for Licensing): DE
The only PII data is first name, last name, and email address.
