Azure Information Protection


Presentation on theme: "Azure Information Protection"— Presentation transcript:

1 Azure Information Protection
Speaker Name Title

2 Challenges with the complex environment
Users, Devices, Apps, Data
Employees, Customers, Business partners
Lost device, Data leaks, Compromised identity, Stolen credentials

Speaker notes:
You have these entities: users, devices, apps and data. Data is being shared with employees, customers and business partners. You have to manage the complexity of protecting your users' identities, and data stored on their devices and apps.
You need to prepare to mitigate the risks of providing freedom and space to your employees. You need to meet compliance and regulatory standards, maintain company security policies and requirements, and detect threats, all the while giving workers a better and more productive experience.
The cloud is here to stay. The 'cloud accepting' population is growing VERY rapidly. Your managers (CxO) are changing their minds, or soon will, or are being replaced.
Microsoft is meeting organizations 'in the middle': abilities like lockbox, 'going local', etc.
Your competition will use the cloud to their advantage. You can't compete with cloud vendors on substrate services (time, cost, innovation). You can't lay the substrate and do value-add at the same rate as your cloud peers.
There will be breaches, both in the cloud and on-premises. Cloud vendors, with billions invested and far better 'signals', will act and evolve far quicker.

3 The problem is ubiquitous
Intellectual Property theft has increased: 56% rise in data theft
Organizations no longer confident in their ability to detect and prevent threats: 88% of organizations are losing control of data
Saving files to non-approved cloud storage apps is common: 80% of employees admit to using non-approved SaaS apps
Accidental or malicious breaches due to lack of internal controls: 91% of breaches could have been avoided
We heard from you, and you are not alone.
Sources:

4 How much control do you have?
On-premises: Perimeter protection
Managed mobile environment: Identity, device management protection
Unregulated, unknown
Hybrid data = new normal; it is harder to protect

Speaker notes:
You had control over your data when it resided within your boundaries. Now that boundary has expanded with managed devices and cloud assets. MDM solutions help, but not when data moves outside of your controlled environment. Once shared outside your environment, you lose control over your data.

5 The evolution of Information Protection
Classification & labeling: CLASSIFICATION, LABELING
Protect: ENCRYPTION, ACCESS CONTROL, POLICY ENFORCEMENT
Monitor & respond: DOCUMENT TRACKING, DOCUMENT REVOCATION

Speaker notes:
1. For years, RMS helped businesses provide persistent protection over their data through encryption, access control and policy enforcement.
2. We added tracking and revocation capabilities for greater control over shared data.
3. Now we also have classification and labeling capabilities so that you can identify what data needs protection and protect only the data that needs protection.

6 The evolution of Information Protection
Azure Information Protection: Full Data Lifecycle
Classification & labeling: CLASSIFICATION, LABELING
Protect: ENCRYPTION, ACCESS CONTROL, POLICY ENFORCEMENT
Monitor & respond: DOCUMENT TRACKING, DOCUMENT REVOCATION

7 Classify Data – Begin the Journey
Classify data based on sensitivity
Start with the data that is most sensitive
IT can set automatic rules; users can complement them
Associate actions such as visual markings and protection
Labels: SECRET, CONFIDENTIAL, INTERNAL, NOT RESTRICTED, PERSONAL
IT admin sets policies, templates, and rules

Speaker notes:
Data is born protected, using the company's criteria. Enforced by IT. Enforced on any device. <keep personal data.... Personal>

8 Scoped Policies Policies for specific groups/departments
Can be viewed and applied only by the members of that group
Customization options for labels, sub-labels, and settings like mandatory labeling, default label, and justifications

Speaker notes:
Scoped Policies allow you to build sets of labels that are only visible and usable to specific employees and groups of employees such as teams, business units or projects. In all instances, a global set of policies is made available to all users. The new scoped policies are layered over this global set, available to just users in the specified security group membership. It is important to note that scoped policies are an admin concept; users will not be aware, as they just see a combined set of labels they are assigned. Each set of scoped policies allows for customization, including labels, sub-labels, and settings like mandatory labeling, default label, and justifications. The scoping model is consistent with Azure RMS template scoping, in that it is based on Azure Active Directory users and groups.
A few important notes on scoped policies:
Scopes are optional; you don't have to define a set or group for a policy. If not set, the policy has global scope for everyone in the tenant.
Policies are ordered by administrators. This order defines which scopes are considered higher than others.
Policies are combined into an effective policy, which is given to the client.

9 Automatic classification - example

10 Recommended classification - example

11 Reclassification and justification - example

12 User-driven classification - example

13 How Classification Works
Automatic: Policies can be set by IT admins for automatically applying classification and protection to data
Recommended: Based on the content you're working on, you can be prompted with suggested classification
User set: Users can choose to apply a sensitivity label to the email or file they are working on with a single click
Reclassification: You can override a classification and optionally be required to provide a justification

Speaker notes:
Best case: IT sets up policy. But IT can't catch all, so recommendations are the next best. Users have the flexibility to reclassify because policies won't get it right all the time, but everything is logged so IT can audit in case of violation. Users also have the option to label if they deem necessary, even when not automatically classified.

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

14 Manual (right-click) labeling and protection for non-Office files
Label and protect any file through the Windows Explorer shell extension
Select either one file, multiple files or a folder and apply a label

Speaker notes:
With the new, unified AIP client, classification, labeling and protection support is now extended beyond 'just' Office files. We have brought together the existing AIP client with the RMS Sharing App features to provide a more complete Information Protection experience in AIP. When you install this new client, you can classify, label and protect your files through Office applications, through the Windows Explorer shell extension and through PowerShell commands. A user can label and protect any file through the Windows Explorer shell extension: select either one file, multiple files or a folder and apply a label. (Note: some file types do not offer an ability to attach persistent metadata; for these file types you can only label when protecting.)

15 Bulk classification for data at rest using PowerShell
Query for file labels and protection attributes
Set a label and/or protection for documents stored locally or on file shares

Speaker notes:
RMS PowerShell commands have been updated to support label and protection actions based on Azure Information Protection policies. Administrators and data owners can label and protect files in bulk on file stores, or query for a file's status. The PowerShell cmdlets, which are installed as part of the new unified client, are now GA and enable our customers to:
Query for a file's label and protection attributes
Set a label and/or protection for documents stored locally or on file servers and network shares that are accessible through SMB/CIFS (e.g. \\server\finance\)

16 Apply labels based on classification
Persistent labels that travel with the document
Labels are metadata written to documents
Labels are in clear text so that other systems such as a DLP engine can read them
Labels stay with the data to enforce the policies and classification
(Example labels shown on the slide: FINANCE, CONFIDENTIAL)

17 Protect data against unauthorized use
Corporate apps vs. personal apps: FILE, VIEW, EDIT, COPY, PASTE, attachment
Protect data needing protection by:
Encrypting data
Including an authentication requirement and a definition of use rights (permissions) to the data
Providing protection that is persistent and travels with the data

Speaker notes:
Extra protection is available for sensitive data: not just encryption, but rights of who can access it and what they can do with the data.

18 How Protection Works
Each file is protected by a unique AES symmetric key
Usage rights and symmetric key stored in file as "license"
License protected by customer-owned RSA key
(Illustration on the slide: "Secret cola formula: Water, Sugar, Brown #16" is PROTECTed into the ciphertext "()&(*7812(*:" plus "Use rights", and UNPROTECTed back to "Water, Sugar, Brown #16")

19 How Protection Works (continued)
LOCAL PROCESSING ON PCS/DEVICES
Azure RMS never sees the file content, only the license
File content is never sent to the RMS server/service
Apps protected with RMS enforce rights
Apps use the SDK to communicate with the RMS service/servers
(Diagram components: SDK, "Use rights + ()&(*7812(*:", Rights Management, Active Directory, Key Vault)
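The two "How Protection Works" slides above describe a split that is easy to state and worth seeing run: each file is sealed under its own symmetric key, the use rights plus that key travel in a license wrapped under a customer-owned RSA key, and the service side only ever handles the license. The following is an added illustration of that model, not Microsoft's code and not the real RMS license format; the names `License`, `Protect`, `IssueUseLicense` and `Unprotect` and the JSON license layout are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
)

// License is a constructed stand-in for the "use rights + symmetric key"
// envelope on slide 18; it is not the real RMS publishing-license format.
type License struct{ Rights []string; Key []byte }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect runs on the client: fresh AES-256 key per file, content sealed
// locally (nonce prepended), key+rights wrapped under the customer RSA key.
func Protect(pub *rsa.PublicKey, content []byte, rights []string) ([]byte, []byte, error) {
	buf := make([]byte, 32+12) // 32-byte AES key, then a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	lic, _ := json.Marshal(License{Rights: rights, Key: key})
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, lic, nil)
	if err != nil {
		return nil, nil, err
	}
	return gcm.Seal(nonce, nonce, content, nil), wrapped, nil
}

// IssueUseLicense is the RMS-service step: it sees only the wrapped license, never the ciphertext.
func IssueUseLicense(priv *rsa.PrivateKey, wrapped []byte) (*License, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	lic := &License{}
	return lic, json.Unmarshal(plain, lic)
}

// Unprotect runs on the client again with the key handed back in the use license.
func Unprotect(sealed []byte, lic *License) ([]byte, error) {
	gcm, err := gcmFor(lic.Key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, sealed[:12], sealed[12:], nil) // 12-byte nonce was prepended by Protect
}
```

The ciphertext never needs to reach the key holder, which is the property the slides state as "Azure RMS never sees the file content, only the license".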

20 Topology
Data protection for organizations at different stages of cloud adoption
Ensures security because sensitive data is never sent to the RMS server
Integration with on-premises assets with minimal effort
Authentication & collaboration; authorization requests go to a federation service
(Diagram components: Azure AD, Azure Rights Management, Azure Key Management with BYO Key (optional); on-premises RMS connector, AAD Connect, ADFS)

21 Regulated Environments Topology
Data protection for organizations at different stages of cloud adoption
Ensures security because sensitive data is never sent to the RMS server
Integration with on-premises assets with minimal effort
Hold your key on premises (roadmap)
Authentication & collaboration; authorization requests go to a federation service
(Diagram components: Azure AD, Azure Rights Management, Azure Key Management with BYO Key (optional); on-premises Rights Management and Key Management with HYO Key, RMS connector, AAD Connect, ADFS)

22 Road to sharing data safely with anyone
Share internally, with business partners, and customers
Any device/any platform
Let Bob view and print; let Jane edit and print
(Diagram labels: Sue, Bob (internal user), Jane (external user), File share, SharePoint, LoB, Roadmap)

23 How Sharing Works
Using Azure AD for authentication
On-premises organizations doing full sync
On-premises organizations doing partial sync
Organizations completely in cloud
Organizations created through ad-hoc signup
...and all of these organizations can interact with each other.
(Diagram components: Azure Active Directory, ADFS)

24 Monitor and Respond
Monitor use, control and block abuse (MAP VIEW)
Jane accessed from India
Bob accessed from South America
Joe blocked in North America
Jane blocked in Africa
Jane (competitors): Jane's access is revoked

25 Visibility and control in cloud environments with CAS integration
Cloud App Security can read labels set by AIP, giving admins visibility into sharing of sensitive files
Cloud App Security admins can set policies for controlling sharing of sensitive files and also get alerted if the policies are violated

26 Industry Validated Approach
"How to select the right EDRM solution", 21 December 2015
"The role of EDRM in data-centric security", June 2015

27 WHY AZURE INFORMATION PROTECTION?
Summary of the key benefits
Protect all data with the right level
Help share
Easy to use with great IT control
Persistent protection
Safe sharing
Intuitive experience
Greater control

28 Enterprise Mobility +Security
A HOLISTIC SOLUTION
Azure Active Directory Premium: Manage identity with hybrid integration to protect application access from identity attacks
Microsoft Intune: Protect your users, devices, and apps
Azure Information Protection: Protect your data, everywhere
Microsoft Cloud App Security: Extend enterprise-grade security to your cloud and SaaS apps
Microsoft Advanced Threat Analytics: Detect threats early with visibility and threat analytics

Speaker notes:
Microsoft's enterprise & security solutions provide a holistic framework to protect your corporate assets across on-prem, cloud and mobile devices. Advanced Threat Analytics helps IT detect threats early and provides forensic investigation to keep cybercriminals out. Azure Active Directory Premium security reports help identify risky log-ins; paired with Azure Active Directory Identity Protection, this gives IT the ability to automatically block access to apps based on real-time risk scoring of identities and log-ins. Microsoft Cloud App Security provides deep visibility and control of data inside cloud applications. Microsoft Intune manages and secures corporate data on mobile devices and collaborated within corporate apps. Azure Information Protection helps keep data secure and encrypted throughout a customer's environment and extends security when data is shared outside the organization.

29 5 Steps Program 1. Classify 2. Label 3. Protect 4. Monitor 5. Respond
Best Practice: start small, do it now, and move quickly
1. Classify: Take simple steps; it generates high impact quickly (e.g. 'Do Not Forward' for HR and Legal)
2. Label: Test, phase the roll-out, and learn; IT can't know it all
3. Protect: Control sensitive internal flow across all PCs/devices
4. Monitor: 'Share Protected' files with business partners (B2B)
5. Respond: Teach and enable users to revoke access


