Azure Information Protection

Presentation transcript:

Azure Information Protection (title slide: Speaker Name, Title)

Challenges with the complex environment

Diagram: users, devices, apps and data at the centre; employees, customers and business partners around them; the risks shown are a lost device, data leaks, a compromised identity and stolen credentials.

Speaker notes:
- You have these entities: users, devices, apps and data.
- Data is being shared with employees, customers and business partners.
- You have to manage the complexity of protecting your users' identities, and the data stored on their devices and in their apps.
- You need to prepare to mitigate the risks of providing freedom and space to your employees.
- You need to meet compliance and regulatory standards, maintain company security policies and requirements, and detect threats, all the while giving workers a better and more productive experience.
- The cloud is here to stay. The 'cloud accepting' population is growing very rapidly.
- Your managers (CxO) are changing their minds, or soon will, or are being replaced.
- Microsoft is meeting organizations 'in the middle' with abilities like lockbox, 'going local', etc.
- Your competition will use the cloud to their advantage.
- You can't compete with cloud vendors on substrate services (time, cost, innovation), and you can't lay the substrate and do value-add at the same rate as your cloud peers.
- There will be breaches, both in the cloud and on-premises. Cloud vendors, with billions invested and far better 'signals', will act and evolve far quicker.

The problem is ubiquitous

- Intellectual property theft has increased.
- Organizations are no longer confident in their ability to detect and prevent threats.
- Organizations are losing control of data.
- Saving files to non-approved cloud storage apps is common.
- Accidental or malicious breaches occur due to a lack of internal controls.

Statistics shown on the slide: a 56% rise in data theft; 88% of organizations are losing control of data; 80% of employees admit to using non-approved SaaS apps; 91% of breaches could have been avoided.

Speaker notes: We heard from you, and you are not alone.

Sources:

How much control do you have?

- On-premises (perimeter protection): you had control over your data when it resided within your boundaries.
- Managed mobile environment (identity and device management protection): that boundary has now expanded with managed devices and cloud assets. MDM solutions help, but not when data moves outside of your controlled environment.
- Unregulated, unknown: once shared outside your environment, you lose control over your data.
- Hybrid data is the new normal, and it is harder to protect.

The evolution of Information Protection

Slide phases: Classification & labeling (classification, labeling); Protect (encryption, access control, policy enforcement); Monitor & respond (document tracking, document revocation).

Speaker notes:
1. For years, RMS helped businesses provide persistent protection over their data through encryption, access control and policy enforcement.
2. We added tracking and revocation capabilities for greater control over shared data.
3. Now we also have classification and labeling capabilities, so that you can identify what data needs protection and protect only the data that needs protection.

The evolution of Information Protection (build slide)

Azure Information Protection covers the full data lifecycle: classification, labeling, encryption, access control, policy enforcement, document tracking and document revocation, grouped into the same three phases of Classification & labeling, Protect, and Monitor & respond.

Classify Data – Begin the Journey

- Classify data based on sensitivity; start with the data that is most sensitive.
- IT can set automatic rules; users can complement them.
- Associate actions such as visual markings and protection.
- Example label set: SECRET, CONFIDENTIAL, INTERNAL, NOT RESTRICTED, PERSONAL.
- IT admin sets policies, templates, and rules.

Speaker notes: Data is born protected, using the company's criteria; enforced by IT; enforced on any device. <keep personal data.... Personal>

Scoped Policies

- Policies for specific groups/departments.
- Can be viewed and applied only by the members of that group.
- Customization options for labels, sub-labels, and settings like mandatory labeling, default label, and justifications.

Speaker notes: Scoped policies allow you to build sets of labels that are only visible and usable to specific employees and groups of employees, such as teams, business units or projects. In all instances, a global set of policies is made available to all users. The new scoped policies are layered over this global set and are available only to users in the specified security group membership. It is important to note that scoped policies are an admin concept: users are not aware of them, as they just see the combined set of labels they are assigned. Each set of scoped policies allows for customization, including labels, sub-labels, and settings like mandatory labeling, default label, and justifications. The scoping model is consistent with Azure RMS template scoping, in that it is based on Azure Active Directory users and groups.

A few important notes on scoped policies:
- Scopes are optional; you don't have to define a set or group for a policy. If not set, the policy has global scope for everyone in the tenant.
- Policies are ordered by administrators. This order defines which scopes are considered higher than others.
- Policies are combined into an effective policy, which is given to the client.
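How a client's effective policy can be computed from the global policy plus the scoped policies the user is in scope for, as an added Go example that is not the AIP client's own code. The Policy and Effective types, the group and label names, and the rule that the highest-ordered applicable scoped policy supplies the settings are assumptions made here; the slide only says that the administrator's order ranks the scopes.

```go
package main

import "sort"

// Policy is the global policy (no Scope) or a scoped policy that applies only
// to members of the listed security groups. Order is the position assigned by
// the administrator; a lower number means higher precedence. Names are constructed.
type Policy struct {
	Name      string
	Scope     []string // Azure AD group names; empty means global scope
	Order     int
	Labels    []string // "Confidential/Finance" denotes a sub-label
	Mandatory bool     // mandatory labeling setting
	Default   string   // default label; "" means none
}

// Effective is the combined policy handed to the client: one label list, the
// settings that won, and which policies contributed (useful for auditing).
type Effective struct {
	Labels        []string
	Mandatory     bool
	Default       string
	ContributedBy []string
}

func inScope(groups []string, p Policy) bool {
	if len(p.Scope) == 0 {
		return true // global scope: everyone in the tenant
	}
	for _, g := range groups {
		for _, s := range p.Scope {
			if g == s {
				return true
			}
		}
	}
	return false
}

// EffectivePolicy layers the scoped policies the user is in scope for over the
// global policy. Labels are the union, highest precedence first and the global
// labels last; settings come from the highest-precedence scoped policy and fall
// back to the global policy (this override rule is the example's assumption).
func EffectivePolicy(groups []string, policies []Policy) Effective {
	var applicable []Policy
	var global *Policy
	for i := range policies {
		p := policies[i]
		switch {
		case len(p.Scope) == 0:
			global = &p
		case inScope(groups, p):
			applicable = append(applicable, p)
		}
	}
	sort.SliceStable(applicable, func(i, j int) bool { return applicable[i].Order < applicable[j].Order })
	if global != nil {
		applicable = append(applicable, *global) // always applies, lowest precedence
	}
	eff := Effective{}
	seen := map[string]bool{}
	for i, p := range applicable {
		if i == 0 { // highest-precedence policy wins the settings
			eff.Mandatory, eff.Default = p.Mandatory, p.Default
		}
		eff.ContributedBy = append(eff.ContributedBy, p.Name)
		for _, l := range p.Labels {
			if !seen[l] { // a label defined in two policies is listed once
				seen[l] = true
				eff.Labels = append(eff.Labels, l)
			}
		}
	}
	return eff
}
```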

Automatic classification - example

Recommended classification - example

Reclassification and justification - example

User-driven classification - example

How Classification Works (4/20/2018)

- Automatic: policies can be set by IT admins for automatically applying classification and protection to data.
- Recommended: based on the content you're working on, you can be prompted with a suggested classification.
- User set: users can choose to apply a sensitivity label to the email or file they are working on with a single click.
- Reclassification: you can override a classification and optionally be required to provide a justification.

Speaker notes: The best case is that IT sets up the policy. But IT can't catch everything, so recommendations are the next best thing. Users have the flexibility to reclassify because policies won't get it right all the time, but everything is logged so IT can audit in case of a violation. Users also have the option to label if they deem it necessary, even when data is not automatically classified.

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Manual (right-click) labeling and protection for non-Office files

- Label and protect any file through the Windows Explorer shell extension.
- Select either one file, multiple files or a folder and apply a label.

Speaker notes: With the new, unified AIP client, classification, labeling and protection support is now extended beyond 'just' Office files. We have brought together the existing AIP client with the RMS Sharing App features to provide a more complete information protection experience in AIP. When you install this new client, you can classify, label and protect your files through Office applications, through the Windows Explorer shell extension and through PowerShell commands. A user can label and protect any file through the Windows Explorer shell extension, selecting either one file, multiple files or a folder and applying a label. (Note: some file types do not offer the ability to attach persistent metadata; for these file types you can only label when protecting.)

Bulk classification for data at rest using PowerShell

- Query for file labels and protection attributes.
- Set a label and/or protection for documents stored locally or on file shares.

Speaker notes: RMS PowerShell commands have been updated to support label and protection actions based on Azure Information Protection policies. Administrators and data owners can label and protect files in bulk on file stores, or query for a file's status. The PowerShell cmdlets, which are installed as part of the new unified client, are now GA and enable customers to:
- Query for a file's label and protection attributes.
- Set a label and/or protection for documents stored locally or on file servers and network shares that are accessible through SMB/CIFS (e.g. \\server\finance\).

Apply labels based on classification

- Persistent labels travel with the document.
- Labels are metadata written to documents.
- Labels are in clear text so that other systems, such as a DLP engine, can read them.
- Labels stay with the data to enforce the policies and classification.

Diagram: a document carrying the labels CONFIDENTIAL and FINANCE.

Protect data against unauthorized use

Diagram: a file moving between corporate apps, personal apps and an email attachment, with the operations VIEW, EDIT, COPY and PASTE governed by the rights granted on it.

Protect data needing protection by:
- Encrypting the data.
- Including an authentication requirement and a definition of use rights (permissions) to the data.
- Providing protection that is persistent and travels with the data.

Speaker notes: Extra protection is available for sensitive data: not just encryption, but rights defining who can access it and what they can do with the data.

How Protection Works

Diagram: the secret cola formula ("Water Sugar Brown #16") is protected into ciphertext ("aEZQAR]ibr{qU@M]BXNoHp9nMDAtnBfrfC;jx+Tg@XL2,Jzu ()&(*7812(*:") and can be unprotected back to the formula, with the use rights attached to the file in both directions.

- Each file is protected by a unique AES symmetric key.
- The usage rights and the symmetric key are stored in the file as a "license".
- The license is protected by a customer-owned RSA key.

How Protection Works: local processing on PCs/devices

Diagram: the application on the PC or device, the Rights Management service, Active Directory and Key Vault. The app sends only the license (use rights + key) to Azure RMS through the SDK; the file content stays local.

- Azure RMS never sees the file content, only the license.
- File content is never sent to the RMS server/service.
- Apps protected with RMS enforce the rights.
- Apps use the SDK to communicate with the RMS service/servers.
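The model described on the two "How Protection Works" slides (a unique AES key per file, the key and use rights stored in a license sealed to the customer-owned RSA key, the service seeing only the license and never the content), worked through as an added Go example. This is not Microsoft's code and not the Azure RMS file or license format: the License JSON layout, the Protect/Authorize/Open split, the right names and the user names are this example's own constructions, and the RSA-OAEP seal assumes a license small enough to fit in one RSA block.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// License is the slide's "license": the per-file key plus the use rights per
// user (the JSON layout is this example's own, not the RMS wire format).
type License struct {
	ContentKey []byte              `json:"content_key"`
	Rights     map[string][]string `json:"rights"` // user -> allowed rights
}

// ProtectedFile: AES-GCM ciphertext, its nonce, and the license sealed to the
// customer-owned tenant RSA public key.
type ProtectedFile struct{ Nonce, Ciphertext, SealedLicense []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect runs on the client: a fresh AES-256 key per file encrypts the
// content; the license (key + rights) is sealed with the tenant key.
// The plaintext never leaves this function.
func Protect(content []byte, rights map[string][]string, pub *rsa.PublicKey) (*ProtectedFile, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 12-byte GCM nonce
	rand.Read(buf)             // crypto/rand.Read always fills the buffer
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	lic, _ := json.Marshal(License{ContentKey: key, Rights: rights})
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, lic, nil)
	if err != nil {
		return nil, err
	}
	return &ProtectedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, content, nil), SealedLicense: sealed}, nil
}

// Authorize models the RMS service: it sees only the sealed license, never the
// ciphertext, and releases the content key only if the user holds the right.
func Authorize(sealed []byte, priv *rsa.PrivateKey, user, right string) ([]byte, error) {
	raw, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed, nil)
	if err != nil {
		return nil, err
	}
	var lic License
	if err := json.Unmarshal(raw, &lic); err != nil {
		return nil, err
	}
	for _, r := range lic.Rights[user] {
		if r == right {
			return lic.ContentKey, nil
		}
	}
	return nil, errors.New("denied: " + user + " lacks " + right)
}

// Open runs back on the client once Authorize has released the key; the
// RMS-enlightened app is what then enforces the granted rights.
func Open(pf *ProtectedFile, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, pf.Nonce, pf.Ciphertext, nil)
}
```

Because the ciphertext is authenticated, any modification of the protected content is detected at Open time, and because the service only ever handles the sealed license, a compromise of the service's logs exposes rights decisions but not document content.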

Topology (optional components)

- Data protection for organizations at different stages of cloud adoption.
- Ensures security because sensitive data is never sent to the RMS server.
- Integration with on-premises assets with minimal effort.

Diagram: Azure AD, Azure Rights Management and Azure Key Management in the cloud; on premises, AAD Connect and ADFS (authentication & collaboration), the RMS connector, and an optional BYO key. Authorization requests go to a federation service.

Regulated Environments (optional topology)

- Data protection for organizations at different stages of cloud adoption.
- Ensures security because sensitive data is never sent to the RMS server.
- Integration with on-premises assets with minimal effort.
- Hold your key on premises (roadmap).

Diagram: the same components as the previous topology slide (Azure AD, Azure Rights Management, Azure Key Management; AAD Connect and ADFS for authentication & collaboration, with authorization requests going to a federation service; the RMS connector; BYO key), plus an on-premises Rights Management and Key Management deployment holding your own key (HYO key).

Road to sharing data safely with anyone

- Share internally, with business partners, and with customers.
- Any device, any platform.

Diagram: Sue shares a file from a file share, SharePoint, email or an LoB application. "Let Bob view and print" (Bob, internal user); "Let Jane edit and print" (Jane, external user, signing in with a password). Marked as roadmap.

How Sharing Works

Using Azure AD for authentication:
- On-premises organizations doing full sync (through ADFS).
- On-premises organizations doing partial sync.
- Organizations completely in the cloud.
- Organizations created through ad-hoc signup.
...and all of these organizations can interact with each other.

Monitor and Respond

Monitor use, control and block abuse.

Map view example: Joe blocked in North America; Jane accessed from India; Bob accessed from South America; Jane blocked in Africa; Jane (now with a competitor): Jane's access is revoked.

Visibility and control in cloud environments with CAS integration

- Cloud App Security can read labels set by AIP, giving admins visibility into the sharing of sensitive files.
- Cloud App Security admins can set policies for controlling the sharing of sensitive files and also get alerted if the policies are violated.

Industry Validated Approach

Analyst research cited on the slide:
- "How to select the right EDRM solution", 21 December 2015, G00292633
- "The role of EDRM in data-centric security", June 2015, G00275948

Why Azure Information Protection? Summary of the key benefits

- Persistent protection: protect all data with the right level.
- Safe sharing: help share.
- Intuitive experience: easy to use.
- Greater control: great IT control.

Enterprise Mobility + Security: a holistic solution

- Azure Active Directory Premium: manage identity with hybrid integration to protect application access from identity attacks.
- Microsoft Intune: protect your users, devices, and apps.
- Azure Information Protection: protect your data, everywhere.
- Microsoft Cloud App Security: extend enterprise-grade security to your cloud and SaaS apps.
- Microsoft Advanced Threat Analytics: detect threats early with visibility and threat analytics.

Speaker notes: Microsoft's enterprise & security solutions provide a holistic framework to protect your corporate assets across on-premises, cloud and mobile devices. Advanced Threat Analytics helps IT detect threats early and provides forensic investigation to keep cybercriminals out. Azure Active Directory Premium security reports help identify risky logins; paired with Azure Active Directory Identity Protection, this gives IT the ability to automatically block access to apps based on real-time risk scoring of identities and logins. Microsoft Cloud App Security provides deep visibility and control of data inside cloud applications. Microsoft Intune manages and secures corporate data on mobile devices and within corporate apps. Azure Information Protection helps keep data secure and encrypted throughout a customer's environment and extends security when data is shared outside the organization.

5 Steps Program

1. Classify
2. Label
3. Protect
4. Monitor
5. Respond

Best practice: start small, do it now, and move quickly.
1. Classify: take simple steps; they generate high impact quickly (e.g. 'Do Not Forward' for HR and Legal).
2. Label: test, phase the roll-out, and learn; IT can't know it all.
3. Protect: control sensitive internal email flow across all PCs/devices.
4. Monitor: 'Share Protected' files with business partners (B2B).
5. Respond: teach and enable users to revoke access.

Speaker notes: Data is born protected, using the company's criteria; enforced by IT; enforced on any device. <keep personal data.... Personal>

Resources

- Follow @ https://twitter.com/TheRMSGuy
- Technical documentation @ https://docs.microsoft.com
- For questions, email AskIPteam@Microsoft.com
- IT Pro blog @ https://blogs.technet.microsoft.com/enterprisemobility/
- Download @ https://www.microsoft.com/en-us/download/details.aspx?id=53018
- Product page @ https://www.microsoft.com/en-us/cloud-platform/azure-information-protection
