Adam Hall twitter.com/Adman_NZ aka.ms/askipteam
Agenda: Your Challenges, Observed Industry Trends, Our Views and Approach, Recommended Next Steps, Architecture
Hard Challenges
- You have a perimeter.
- You have managed devices within a broader perimeter.
- Your business requires you to store and/or share sensitive data outside of your on-premises boundary.
How To Solve?
- Keep all data on premises?!?
- Manage all identities in your own directory?!?
- Lock down devices, PCs, and users to a restrictive policy?!?
- Accept that data will leak?!?
Identity-Bound Protection
- External sharing of data requires identity-bound data protection.
- Disparate storage requires the data itself to be protected.
(Diagram: managed devices and company-internal data inside your perimeter; secured data shared company-external.)
Observations from visits with 500+ Organizations
- The cloud is here to stay.
- The ‘cloud accepting’ population is growing… VERY rapidly.
- CxOs are changing their minds… or soon will… or are being replaced.
- Microsoft is meeting organizations ‘in the middle’.
- Your competition will use the cloud to their advantage.
- You can’t compete with cloud vendors on substrate services (time, cost, innovation).
- You can’t lay the substrate and do value-add at the same rate as your cloud peers.
- There will be breaches… both in the cloud and on-premises.
- Cloud vendors, with billions invested and far better ‘signals’, will act and evolve far quicker.
Your Common Limiters That Slow Progress
- Few IT leaders know what is sensitive and what is not. Everyone wants to focus on the most sensitive data, the data that causes problems.
- Hybrid is the new normal… and data protection got a lot harder. For some, even if Office 365 is the destination, the journey is long.
- The cloud is a bit scary… but oh so compelling. The small fraction of ‘Secret’ data is unfairly clouding (pun intended) your decisions.
- Complexity is overwhelming when working on ‘grand plans’. Many factors dictate simpler projects; small, bite-sized approaches are needed.
Azure Key Vault
Information Protection Vision
- On any device: LOB apps, files.
- Share internally; share externally (B2C); share externally (B2B).
- Capabilities: policy enforcement, document revocation, document tracking, access control, encryption, classification and labeling.
- In any part of the world: US, EU, APAC, China, Germany.
Typical Hybrid Topology
- Data protection for organizations at different stages of cloud adoption.
- Ensures security because sensitive data is never sent to the RMS server.
- Integration with on-premises assets with minimal effort.
(Diagram components: authentication & collaboration, BYO Key, RMS connector, ADFS, AAD Connect; authorization requests go to a federation service.)
#1: Classify your data
- Not all data is sensitive. Do you know where yours is?
- Classification enables focus. Make your job 5-10x easier!
- Classify however you need to: manual, automatic, or recommended; classification on use.
#2: Leverage Labels
- Classification persists as ‘labels’; watermarking too.
- Partners honoring these labels are more valuable. Start the innovation cycle now! Ask partners for support.
- Leverage labels everywhere: DLP, eDiscovery, compliance. (Top DLP vendors shown.)
#3: Protect Data
- Protected at birth, at rest, in transit, and even after use. You don’t have to care where the data goes!
- Very strong security until the user authenticates; ‘guard rails’ after that.
- Enforces policy on use.
- Apply data-bound protection. (Diagram: protected file in a cloud drive.)
#4: Monitor Use/Abuse
- IT gets raw logs (now free, on by default). Use SIEM, Power BI, Splunk, etc.
- IT can leverage in-box and vendor dashboards for monitoring. In-box is ‘just ok’ now; more to come, plus partner offers.
- ‘Act-As User’ forensics behavior coming soon.
- Use user/IT Pro logs and portals.
#5: Respond
- Watch for ‘blinking lights’: watch, assess, respond.
- Remind users to care for their data; document tracking and revocation.
- Invest in cloud-powered machine learning. Sorry, but alone you can’t keep up.
- Act on use/abuse/overuse.
DEMOS: Classify, Label, and Protect
- Automatic classification
- Manual classification
- Classification recommendations
- Reclassification justification
Waiting is not one of the 5 steps!
- Aiming for 10 = looking for a unicorn. On a 0 to 10 scale, where are you?
- Initial steps generate much larger value: ‘Do Not Forward’ for HR and Legal; ‘Company Internal’ for SAP reports.
- Learning is fastest when on the job. You don’t know what you don’t know.
- Start small, now, and move quickly.
Your first steps
- Control sensitive internal flow across all PCs/devices.
- ‘Share Protected’ files with business partners (B2B).
- Secure sensitive SAP-generated reports ‘at birth’. Requires a for-fee partner product by
- Prepare a classification taxonomy / evaluate Secure Islands.
- Ask us at
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Rights management 101
- Example: the secret cola formula (Water, Sugar, Brown #16).
- Protect: usage rights and the symmetric key are stored in the file as a ‘license’.
- Each file is protected by a unique AES symmetric key.
- The license is protected by the customer-owned RSA key.
- Unprotect: the authorized user recovers the content (Water, Sugar, Brown #16).
(Diagram: the protected file shown as ciphertext with a ‘use rights’ license attached.)
Local processing on PCs/devices
- Apps protected with RMS enforce rights.
- Apps use the SDK to communicate with the RMS service/servers.
- File content is never sent to the RMS server/service.
- Azure RMS never sees the file content, only the license.
(Diagram: ciphertext with a ‘use rights’ license attached.)
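A worked model of the ‘Rights management 101’ flow, added here as an example (not code from the deck and not the Azure RMS SDK or service): each file gets its own AES-256-GCM key, the usage rights plus that key form the license, the license is wrapped with the customer-owned RSA key, and the service sees only the license and releases the key only to a user named in the rights. The JSON license layout, the TenantKey variable and the user names are assumptions for the demo.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// License travels with the file: usage rights plus this file's own AES key,
// wrapped as a whole under the customer-owned RSA key (layout assumed here).
type License struct{ Rights map[string][]string; Key []byte } // user -> rights

// TenantKey stands in for the customer-owned RSA key that wraps every license.
var TenantKey, _ = rsa.GenerateKey(rand.Reader, 2048)
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// Protect: fresh AES-256-GCM key per file (nonce prepended to ct), license RSA-OAEP-wrapped.
func Protect(pub *rsa.PublicKey, content []byte, rights map[string][]string) (ct, wrapped []byte, err error) {
	kn := make([]byte, 44) // 32-byte key + 12-byte nonce, generated per file
	if _, err = rand.Read(kn); err != nil { return nil, nil, err }
	gcm, err := newGCM(kn[:32])
	if err != nil { return nil, nil, err }
	lic, _ := json.Marshal(License{Rights: rights, Key: kn[:32]})
	if wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, lic, nil); err != nil { return nil, nil, err }
	return gcm.Seal(kn[32:], kn[32:], content, nil), wrapped, nil
}

// IssueKey models the RMS service: it receives only the license, never the
// ciphertext, and releases the key only to a user named in the rights.
func IssueKey(priv *rsa.PrivateKey, wrapped []byte, user string) ([]byte, []string, error) {
	raw, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil { return nil, nil, err }
	var lic License
	if err := json.Unmarshal(raw, &lic); err != nil { return nil, nil, err }
	if rights, ok := lic.Rights[user]; ok { return lic.Key, rights, nil }
	return nil, nil, fmt.Errorf("no rights granted to %q", user)
}

// Unprotect runs locally on the client with the key the service returned.
func Unprotect(key, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}
```

Protect runs on the client and sends only `wrapped` to IssueKey; the ciphertext never leaves the device, and a tampered ciphertext fails GCM authentication in Unprotect.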
Use Azure AD as the trusted fabric (Azure Active Directory, ADFS)
- On-premises organizations doing full sync
- On-premises organizations doing partial sync
- Organizations completely in cloud
- Organizations created through ad hoc sign-up
- …and all of these organizations can interact with each other.
Minimum sync profile for Azure RMS
Attribute                       Example value
cn (common name)                jdoe
displayName                     John Doe
accountEnabled                  True
objectSID (sync ID)             E2 DB … CF A
pwdLastSet                      Z
sourceAnchor (for licensing)    NyWoidInKk2S4xtxK+GsbQ==
usageLocation (for licensing)   DE
The only PII data is first name, last name, and address.