June2019 Meetup: Using Secure Document Encryption (AIP, Azure Information Protection), without getting Lost in the Cloud by Oliver Dörr

Have you ever wondered how you could benefit from secure document encryption in Azure? This session gives an overview of what is possible right now with the different label types (AIP labels, O365 labels, Unified labels) and what you will have to pay for it. In addition it highlights the actual limits and issues of a real-world implementation (e.g. limits when collaborating with other companies).

Speaker: Oliver Dörr
Oliver Dörr has been working in the IT industry for over 15 years. He has a lot of experience in enabling different kinds of customers to leverage collaboration solutions on-premises and, of course, in the cloud. He is thrilled by the opportunities offered by cloud solutions, even if they change on a very quick schedule.

You can find him at:
https://www.linkedin.com/in/oliver-doerr/


Azure Zurich User Group

June 11, 2019

Transcript

  2. What to expect
     • Introduction
     • Information Protection – How it is intended
     • Information Protection – Limits and boundaries
     • Demo
     • Conclusion
     • Q&A
  4. Information Protection - How it is intended

  5. IN THE PAST, THE FIREWALL WAS THE SECURITY PERIMETER (devices, data, users and apps all inside the on-premises / private cloud boundary)
  6. NOW THERE ARE FEWER BOUNDARIES, MORE DATA, MORE COMPLEXITY (diagram: on-premises is only one of the locations)

  8. Challenges with the complex environment
     Actors: employees, business partners, customers
     Surface: apps, devices, data, users
     Risks: data leaks, lost device, compromised identity, stolen credentials
  9. Some numbers
     • 88% of organizations no longer have confidence to detect and prevent loss of sensitive data
     • 80% of employees use non-approved SaaS apps at work
     • 85% of enterprise organizations keep sensitive information in the cloud
     • 58% have accidentally sent sensitive information to the wrong person
  10. What customers say
     • “I can’t apply unified policies across various data sources or to a specific repository”
     • “My data is scattered across sources and the data continues to grow”
     • “When enforcing compliance our business users’ productivity is disrupted”
     • “I need complete coverage of all my devices and applications”
     • “How do I protect sensitive information such as sensitive PII data across my enterprise?”
     • “I want data governance to be automatic – not something I have to think about”
     • “How do I find only relevant data when I need it?”
  11. Signature != Encryption
                      Signature    Encryption
     Read             Everyone     Only granted accounts
     Doc.-Integrity   Yes          No
  13. Classify data – begin the journey
     Example label set: SECRET, CONFIDENTIAL, INTERNAL, NOT RESTRICTED, PERSONAL
     • IT admin sets policies, templates, and rules
     • Classify data based on sensitivity; start with the data that is most sensitive
     • IT can set automatic rules; users can complement them
     • Associate actions such as visual markings and protection
  14. What is a sensitivity label? (example: CONFIDENTIAL)
     A tag that is customizable, in cleartext, and persistent. It becomes the basis for applying and enforcing data protection policies.
     • In files and emails, the label is persisted as document metadata
     • In SharePoint Online, the label is persisted as container metadata
  16. Data protection & data governance go hand-in-hand
     Label: Discover, Classify
     Sensitivity: • Encryption • Restrict Access • Watermark • Header/Footer
     Retention: • Retention • Deletion • Records Management • Archiving
     Monitor: • Sensitive data discovery • Data at risk • Policy violations • Policy recommendations • Proactive alerts
     Comprehensive policies to protect and govern your most important data – throughout its lifecycle:
     • Unified approach to discover, classify & label
     • Automatically apply policy-based actions
     • Proactive monitoring to identify risks
     • Broad coverage across locations
  17. What / Where / How: Office 365 Information Protection, Windows Information Protection, Azure Information Protection
  18. What / Where / How (build of the previous slide): Office 365 Information Protection, Windows Information Protection, Azure Information Protection
  19. DISCOVER AND CLASSIFY SENSITIVE INFORMATION: CLOUD & SaaS APPS

  20. On-premises discovery and labeling
     • Helps you manage sensitive data prior to migrating to Office 365 or other cloud services
     • Use discover mode to identify and report on files containing sensitive data
     • Use enforce mode to automatically classify, label and protect files with sensitive data
     • Can be configured to scan: CIFS file shares, SharePoint Server 2016, SharePoint Server 2013, SharePoint Server 2010
  21. Centralized management: configure and manage labels across apps and services in Office, Azure and Windows – all from the Security & Compliance Center
     Unified classification: uniform content classification to protect and preserve data across Office, Azure, Windows
     Consistent across M365 & extensible to 3rd party: consistent integration and experience across M365 apps & services; extensible to 3rd party apps & solutions
  22. New Microsoft 365 Specialized Workspaces security.microsoft.com compliance.microsoft.com

  23. Discover the data & sensitivity

  24. Detect content in cloud storage services
     • Inspect files for sensitive information – based on policy
     • Discover sensitive data across 3rd party clouds like Salesforce, Box, Dropbox and others
     • Apply classification labels & protection: automatically apply labels defined in Microsoft Information Protection to sensitive files discovered in cloud apps
  25. NATIVE SUPPORT FOR PDF FILES IN ADOBE ACROBAT
     • Adobe Acrobat can understand and honor labels and protection
     • View protected files natively in Adobe Acrobat on Windows
     • Labeling experience is built natively into Acrobat
     • Integration enabled by the Microsoft Information Protection SDK
     • GA: January 2019
  26. Flexible encryption options
     • Protect: mitigates the risk of unintended disclosure through encryption and rights protection
     • Control: leverage automatic policies or ad hoc end-user controls, for emails shared inside or outside the organization
     • Compliance: meet compliance obligations that require encrypting data or encryption key control
     • Recipients can read protected messages using consumer identities; protected emails can be read easily on any device; apply sensitivity labels
  28. Information Protection in Microsoft 365 – capabilities by plan (• = included; plan columns: O365 E3, O365 E5, EMS E3, EMS E5)
     Classification & labeling of sensitive data
     • Create and manage sensitivity labels in Security & Compliance Center unified labeling experience: • • • •
     • Manual labeling of files in Office 365 services (Exchange Online, SharePoint Online, OneDrive for Business): • •
     • Manual labeling in Office apps (Word, PowerPoint, Excel, Outlook) using native labeling: • • • •
     • Manual labeling in Office apps on Windows using AIP client: •
     • Automated classification and labeling of files in Office 365 services (Exchange Online, SharePoint Online, OneDrive for Business): • •
     • Discover sensitive data in on-premises file servers, apply label to entire repository or folder (1): • •
     • Automated classification and labeling of files in on-premises file servers (AIP scanner): •
     • Automated classification and labeling in Office apps (Word, PowerPoint, Excel, Outlook) using native labeling: • •
     • Automated classification and labeling in Office apps on Windows using AIP client: •
     • Information Protection SDK to apply labels to files: • •
     Encryption & rights-based restrictions
     • Add ad-hoc protection to Office documents: • •
     • Encrypt emails to internal or external recipients: • •
     Data Loss Prevention (DLP)
     • Block sharing of sensitive files in Office 365 services (Exchange Online, SharePoint Online, OneDrive for Business): • •
     Cloud App Security
     • Classify and label data in 3rd-party SaaS apps and cloud services: •
     Windows Information Protection
     • Prevent copying and sharing of data from a business location to a non-business location on Windows 10 devices: • •
     • Apply Windows Information Protection policy based on sensitivity label in document: •
     (1) Running AIP scanner in “Discover all” mode
  29. Discover compliance-related sensitive data across locations, including on-premises
     • GDPR-specific sensitive information types help protect personal data in EU countries
     • Assess whether or not your cloud apps are GDPR compliant
     • Gain visibility into classification, labeling and protection of personal data (including endpoints, locations, users)
     • Guide end-users when working with personal data – with policy tips and recommendations
  30. (screenshot: USER POLICIES dashboard with Summary / List / Timeline / Map / Settings views and the labels Personal, Public, Internal, Confidential, Highly Confidential)
     • Monitor, analyze and assess compliance through rich logs and reporting
     • Admins create policies for data classification, labeling, and protection
     • Based on the sensitivity of data, labels are applied by users or automatically
     • Control sharing outside your organization
     • Gain visibility and control over sensitive data even as it moves to the cloud
     • Protect sensitive data with encryption or visual markings
  31. Roadmap
     On the horizon
     • Security & Compliance Center enhancements
     • Native labeling experience in Outlook mobile (iOS and Android) and web apps
     • Automatically classify, label and protect in Office apps
     • Additional automatic DLP integrations with labels
     • Information Protection analytics (GA)
     • Advanced detection and classification methods (OCR, exact data match, ML)
     • Ability to reason over (view, search, index) labeled & protected Office documents in SharePoint Online and OneDrive for Business
     Recent
     • Unified label management in Security & Compliance Center
     • Native labeling in Office apps on Mac, iOS, Android
     • Information Protection SDK
     • View protected PDFs in Adobe Acrobat Reader
     • Apply Windows Information Protection based on sensitivity labels
     • GDPR sensitive information types (Office 365 & Azure Information Protection)
     • Create custom sensitive information types
     • Message encryption enhancements
     • Information protection analytics (preview)
     • S/MIME as outcome of labels
     Roadmap, known issues, documentation: https://aka.ms/officemipdocs
  32. Future – Conditional Access, fine-grained
     Scenario: on a per-site basis, use all access conditions, including device compliance, location, MFA, user risk and device risk.
     Conditions: compliant device, domain join, user role / group, user risk signals, terms of use, location, strong auth, device platform, device risk
     Per-site policy controls: limit download AND / OR block
  33. Training! Training! Training!

  34. Getting started

  35. Information Protection - Limits and boundaries

  36. Label types that converge into Unified labels: Azure Sensitivity, Azure Retention, O365 Sensitivity, O365 Retention, SharePoint IRM
  37. Switching to Unified Labels
     • The switch should be done by a GLOBAL Administrator
     • The tenant will be migrated to use Unified Labels
     • The AIP Unified Labels client is needed! The classic AIP client still connects to the OLD policies
     Migration limits
     • Policies incl. access: NOT migrated
     • Admin Centers: NOT all settings supported
     • Only labels with cloud-based keys are migrated, but no user-defined permissions for Word, Excel, PowerPoint
     • Migrated labels need to be published individually
     • Variables in visual markings are not supported
     • Changes in the AIP portal → Admin Centers; changes in the Admin Centers → MANUAL publish in the AIP portal
  39. Further considerations
     • No SSL interception
     • Licensing
     • Login property: UPN / e-mail – identical? What is set up in AADC (Azure AD Connect)?
  40. Protected PDF readers by OS
     Windows 7 – Windows 10
       .pdf (new): Acrobat Reader, AIP Viewer (with / without UL), Foxit Reader
       .pdf (old) / .ppdf: Azure Information Protection viewer, Gaaiho Doc, GigaTrust Desktop PDF Client for Adobe, Foxit Reader, Nitro PDF Reader, Nuance Power PDF, RMS sharing app
     macOS 10.12 – 10.14
       .pdf (new): Acrobat Reader
       .pdf (old) / .ppdf: (none listed on the slide)
     Android
       .pdf (new): AIP App
       .pdf (old) / .ppdf: Azure Information Protection app, Foxit MobilePDF with RMS, GigaTrust App for Android
     iOS
       .pdf (new): AIP App
       .pdf (old) / .ppdf: Azure Information Protection app, Foxit MobilePDF with RMS, TITUS Docs
  41. What else?
     • B2B integration works / B2C does not
     • Search limits: E-Discovery / Delph etc. → ONLY with Unified Labels
     • AIP SuperUser can be applied anytime and gets access immediately
     • Digitally signed documents
     • Password-protected files (e.g. PDF / XLS)
  42. DEMO

  44. Conclusion


  46. IN REAL LIFE IT IS NOT AS EASY AS ON THE MARKETING PAPERS (devices, process, users, apps)
  49. WHY AZURE INFORMATION PROTECTION? Persistent protection, safe sharing, intuitive experience, greater control
  50. “BUSINESSES AND USERS ARE GOING TO EMBRACE TECHNOLOGY ONLY IF THEY CAN TRUST IT.” – Satya Nadella
  51. Thank you
     Oliver Dörr, Cloud Solution Architect
     E-Mail: oliver.doerr@microsoft.com
     Phone: +41 (0)43 456 69 18
     © Copyright Microsoft Corporation. All rights reserved.
  52. Sources
     • https://portal.azure.com
     • Cloud and Identity Access Management Infographic
     • https://docs.microsoft.com/en-us/azure/information-protection/faqs#whats-the-difference-between-labels-in-azure-information-protection-and-labels-in-office-365
     • https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide
     • https://docs.microsoft.com/en-us/azure/information-protection/rms-client/protected-pdf-readers
     • https://www.heise.de/ct/artikel/Trojaner-Befall-Emotet-bei-Heise-4437807.html
     • https://docs.microsoft.com/en-us/azure/information-protection/prepare
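Slides 11, 14 and 41 make a point that the marketing slides tend to blur: a sensitivity label is cleartext metadata persisted in the file, and a label is not the same thing as encryption; only RMS protection actually restricts who can read the content. The script below is an added example, not part of this deck and not Microsoft's tooling. It reads the MSIP_Label_<guid>_* custom properties that Office stores in docProps/custom.xml of an unprotected .docx/.xlsx/.pptx (a plain zip), reports which label is still enabled (removing a label leaves Enabled=false behind), and recognises the compound-file (OLE) container that an RMS-protected Office file uses, where the payload is encrypted and no cleartext read is possible. The sample files, label GUID, tenant id and property values are constructed for the demo; the property names follow the MSIP_Label_<guid>_<attribute> convention, and the exact attribute set a given client writes may differ.

```python
"""Inspect MSIP/AIP sensitivity-label metadata on an Office Open XML file
and tell 'labeled' apart from 'protected' (label != encryption)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Header of an OLE compound file: RMS-protected Office files use this container
# (the Office payload inside is encrypted), plain .docx/.xlsx/.pptx are zips.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
CUSTOM_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/custom-properties}"
LABEL_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(.+)$")


def inspect_file(data: bytes) -> dict:
    """Return {'container': 'ole'|'zip'|'unknown', 'readable': bool, 'labels': {guid: {attr: value}}}."""
    if data.startswith(OLE_MAGIC):
        # Protected: the label (if any) is inside the encrypted payload, not readable here.
        return {"container": "ole", "readable": False, "labels": {}}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"container": "unknown", "readable": False, "labels": {}}
    with zf:
        if "docProps/custom.xml" not in zf.namelist():
            return {"container": "zip", "readable": True, "labels": {}}
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    labels: dict = {}
    for prop in root.iter(f"{CUSTOM_NS}property"):
        m = LABEL_RE.match(prop.get("name", ""))
        if not m:
            continue
        guid, attr = m.group(1).lower(), m.group(2)
        value = "".join(prop.itertext()).strip()  # text of the <vt:lpwstr> child
        labels.setdefault(guid, {})[attr] = value
    return {"container": "zip", "readable": True, "labels": labels}


def active_labels(report: dict) -> list:
    """GUIDs whose MSIP_Label_<guid>_Enabled is 'true'; a removed label leaves Enabled=false."""
    return [g for g, a in report["labels"].items() if a.get("Enabled", "").lower() == "true"]


def build_sample_docx(label_guid: str, enabled: bool) -> bytes:
    """Constructed minimal .docx carrying one MSIP label (not a real AIP-produced file)."""
    props = {
        "Enabled": "true" if enabled else "false",
        "SiteId": "11111111-2222-3333-4444-555555555555",  # assumed tenant id
        "Name": "Confidential",
        "SetDate": "2019-06-11T10:00:00Z",
        "Method": "Standard",  # assumed value; Office uses Standard / Privileged
        "ActionId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    }
    items = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i}" '
        f'name="MSIP_Label_{label_guid}_{k}"><vt:lpwstr>{v}</vt:lpwstr></property>'
        for i, (k, v) in enumerate(props.items(), start=2)
    )
    custom_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties" '
        'xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">'
        f"{items}</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()


if __name__ == "__main__":
    guid = "5f2b3c1a-1234-4bcd-9e8f-0123456789ab"  # hypothetical label GUID
    samples = [
        ("labeled, unprotected", build_sample_docx(guid, True)),
        ("label removed", build_sample_docx(guid, False)),
        ("RMS-protected (OLE header only)", OLE_MAGIC + b"\0" * 504),
    ]
    for desc, blob in samples:
        r = inspect_file(blob)
        print(f"{desc}: container={r['container']} readable={r['readable']} active={active_labels(r)}")
```

Run it against real files from a share or mailbox export and the output tells you two things at once: which classification the file carries (useful for DLP tuning and forensic triage, since the label survives copying and renaming) and whether anyone holding the file can read it, which is the case for every zip container regardless of how "Confidential" its label says it is.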