June2019 Meetup: Using Secure Document Encryption (AIP, Azure Information Protection), without getting Lost in the Cloud by Oliver Dörr

Transcript

1. None

2. What to expect • Introduction • Information Protection – How

   it is intended • Information Protection – Limits and boundaries • Demo • Conclusion • Q&A
3. None

4. Information Protection - How it is intended

5. IN THE PAST, THE FIREWALL WAS THE SECURITY PERIMETER devices

   data users apps On-premises / Private cloud

6. On-premises NOW THERE’S FEWER BOUNDARIES, MORE DATA, MORE COMPLEXITY

7. None

8. Challenges with the complex environment Employees Business partners Customers Apps

   Devices Data Users Data leaks Lost device Compromised identity Stolen credentials

9. 88 % of organizations no longer have confidence to detect

   and prevent loss of sensitive data of employees use non-approved SaaS apps at work 80% 85 % of enterprise organizations keep sensitive information in the cloud 58 % Have accidentally sent sensitive information to the wrong person

10. “I can’t apply unified policies across various data sources or

    to a specific repository” “My data is scattered across sources and the data continues to grow” “When enforcing compliance our business users’ productivity is disrupted” “I need complete coverage of all my devices and applications” “How do I protect sensitive information such as sensitive PII data across my enterprise?” “I want data governance to be automatic - not something I have to think about” “How do I find only relevant data when I need it?”

11. Signature != Encryption • Signature • Encryption Read Everyone Doc.-Integrity

    Yes Read Only granted accounts Doc.-Integrity No
12. None

13. Classify Data – Begin the Journey SECRET CONFIDENTIAL INTERNAL NOT

    RESTRICTED IT admin sets policies, templates, and rules PERSONAL Classify data based on sensitivity Start with the data that is most sensitive IT can set automatic rules; users can complement it Associate actions such as visual markings and protection

14. CONFIDENTIAL What is a sensitivity label? Tag that is customizable,

    in cleartext, and persistent. It becomes the basis for applying and enforcing data protection policies. In files and emails, the label is persisted as document metadata In SharePoint Online, the label is persisted as container metadata
15. None

16. Label Discover Classify Sensitivity Retention  Encryption  Restrict Access

     Watermark  Header/Footer  Retention  Deletion  Records Management  Archiving  Sensitive data discovery  Data at risk  Policy violations  Policy recommendations  Proactive alerts Data protection & data governance go hand-in-hand Comprehensive policies to protect and govern your most important data – throughout its lifecycle Unified approach to discover, classify & label Automatically apply policy-based actions Proactive monitoring to identify risks Broad coverage across locations Apply label Unified approach Monitor

17. Office 365 Information Protection Windows Information Protection Azure Information Protection

    What Where How

18. What Where How Office 365 Information Protection Windows Information Protection

    Azure Information Protection

19. a DISCOVER AND CLASSIFY SENSITIVE INFORMATION CLOUD & SaaS APPS

20. Helps you manage sensitive data prior to migrating to Office

    365 or other cloud services Use discover mode to identify and report on files containing sensitive data Use enforce mode to automatically classify, label and protect files with sensitive data Can be configured to scan: • CIFS file shares • SharePoint Server 2016 • SharePoint Server 2013 • SharePoint Server 2010

21. Centralized management Configure and manage labels across apps and services

    in Office, Azure and Windows – all from the Security & Compliance Center Unified classification Uniform content classification to protect and preserve data across Office, Azure, Windows Consistent across M365 & extensible to 3rd party Consistent integration and experience across M365 apps & services. Extensible to 3rd party apps & solutions

22. New Microsoft 365 Specialized Workspaces security.microsoft.com compliance.microsoft.com

23. Discover the data & sensitivity

24. Detect content in cloud storage services Inspect files for sensitive

    information – based on policy Discover sensitive data across 3rd party clouds like SalesForce, Box, Dropbox and others. Apply classification labels & protection Automatically apply labels defined in Microsoft Information Protection to sensitive files discovered in cloud apps

25. NATIVE SUPPORT FOR PDF FILES ON ADOBE ACROBAT Adobe Acrobat

    can understand and honor labels and protection View protected files natively on Adobe Acrobat on Windows Labeling experience is built natively into Acrobat Integration enabled by the Microsoft Information Protection SDK GA: January, 2019

26. Flexible encryption options Protect Mitigates risk of unintended disclosure through

    encryption and rights protection Control Leverage automatic policies or ad hoc end-user controls, for emails shared inside or outside the organization Compliance Meet compliance obligations that require encrypting data or encryption key control Recipients can read protected messages using consumer identities Easily read protected emails on any device Apply sensitivity labels
27. None

28. Information Protection in Microsoft 365 Capabilities O365 E3 O365 E5

    EMS E3 EMS E5 Classification & labeling of sensitive data Create and manage sensitivity labels in Security & Compliance Center unified labeling experience • • • • Manual labeling of files in Office 365 services (Exchange Online, SharePoint Online, OneDrive for Business) • • Manual labeling in Office apps (Word, PowerPoint, Excel, Outlook) using native labeling • • • • Manual labeling in Office apps on Windows using AIP client • Automatedclassification and labeling of files in Office 365 services (Exchange Online, SharePoint Online, OneDrive for Business) • • Discover sensitive data in on-premises file servers, apply label to entire repository or folder 1 • • Automatedclassification and labeling of files in on-premises file servers (AIP scanner) • Automatedclassification and labeling in Office apps (Word, PowerPoint, Excel, Outlook) using native labeling • • Automatedclassification and labeling inf Office apps on Windows using AIP client • Information Protection SDK to apply labels to files • • Encryption & rights-based restrictions Add ad-hoc protection to Office documents • • Encrypt emails to internal or external recipients • • Data Loss Prevention (DLP) Block sharing of sensitive files in Office 365 services (Exchange Online, SharePoint Online, OneDrive for Business) • • Cloud App Security Classify and label data in 3rd-party SaaS apps and cloud services • Windows Information Protection Prevent copying and sharing of data from a business location to a non-business location on Windows 10 devices • • Apply Windows Information Protection policy based on sensitivity label in document • 1 Running AIP scanner in “Discover all” mode

29. Discover compliance-related sensitive data across locations, including on-premises GDPR-specific sensitive

    information types helps protect personal data in EU countries Assess whether or not your cloud apps are GDPR compliant Gain visibility into classification, labeling and protection of personal data (including endpoints, locations, users) Guide end-users when working with personal data – with policy tips and recommendations

30. USER POLICIES Status Viewed Viewed Viewed Viewed Viewed United States

    Name Mark Adams Klass Pluck Katrina Redding David James Nandita Sampath Summary List Timeline Map Settings Personal Public Internal Confidential Highly Confidential LABEL Monitor, analyze and assess compliance through rich logs and reporting Admins create policies for data classification, labeling, and protecting Based on sensitivity of data, labels are applied by users or automatically Control sharing outside your organization Gain visibility and control over sensitive data even as it moves to cloud Protect sensitive data with encryption or visual markings

31. • Security & Compliance Center enhancements • Native labeling experience

    in Outlook mobile (iOS and Android) and web apps • Automatically classify, label and protection in Office apps • Additional automatic DLP integrations with labels • Information Protection analytics (GA) • Advanced detection and classification methods (OCR, exact data match, ML) • Ability to reason over (view, search, index) labeled & protected Office documents in SharePoint Online and OneDrive for Business On the horizon • Unified label management in Security & Compliance Center • Native labeling in Office apps on Mac, iOS, Android • Information Protection SDK • View protected PDFs on Adobe Acrobat Reader • Apply Windows Information Protection based on sensitivity labels • GDPR sensitive information types (Office 365 & Azure Information Protection) • Create custom sensitive information types • Message encryption enhancements • Information protection analytics (preview) • S/MIME as outcome of labels Recent Roadmap, known issues, documentation: https://aka.ms/officemipdocs

32. Future - Conditional Access Fine Grain Scenario: On a per-site

    basis, use all access conditions, including device compliance, location, MFA, user risk and device risk. Compliant device Domain join Limit download AND / OR Block Per-site policy controls User role / group User risk signals Terms of use Location Strong Auth Device Platform Device risk

33. Training! Training! Training!

34. Getting started

35. Information Protection - Limits and boundaries

36. Unified Azure Sensitivity Azure Retention O365 Sensitivity O365 Retention SharePoint

    IRM

37. Switch should be done by: GLOBAL Administrator Tenant will be

    migrated to use Unified Labels AIP Unified Labels Client is needed! The AIP Client still connects to the OLD Policies Migration Limits Policies incl. access access : NOT migrated Admin Centers: NOT all settings supported Only Labels with cloud based Keys are migrated, but no user-defined permissions for Word, Excel, PowerPoint Migrated Labels need to be published individually Variables in visual markings are not supported Changes in AIP Portal  Admin Centers Changes in Admin Centers MANUAL Publish in AIP Portal

38. Switch should be done by: GLOBAL Administrator Tenant will be

    migrated to use Unified Labels AIP Unified Labels Client is needed! The AIP Client still connects to the OLD Policies Migration Limits Policies incl. access access : NOT migrated Admin Centers: NOT all settings supported Only Labels with cloud based Keys are migrated, but no user-defined permissions for Word, Excel, PowerPoint Migrated Labels need to be published individually Variables in visual markings are not supported Changes in AIP Portal  Admin Centers Changes in Admin Centers MANUAL Publish in AIP Portal

39. No SSL Interception Licensing Login Property Further considerations UPN /

    E-Mail ? Identical? What is setup in AADC?

40. OS .pdf (NEW) .pdf (Old) / .ppdf Win 7 –

    Win 10 Acrobat Reader AIP Viewer (with / without UL) Foxit Reader Azure Information Protection viewer Gaaiho Doc GigaTrust Desktop PDF Client for Adobe Foxit Reader Nitro PDF Reader Nuance Power PDF RMS sharing app macOS 10.12 – 10.14 Acrobat Reader / Android AIP App Azure Information Protection app Foxit MobilePDF with RMS GigaTrust App for Android iOS AIP App Azure Information Protection app Foxit MobilePDF with RMS TITUS Docs

41. B2B integration works / B2C does not Search Limits E-Discovery

    / Delph etc. -> ONLY with Unified Labels AIP SuperUser can be applied anytime and gets access imediately Digitally signed documents Password protected Files (e.g. PDF / XLS) What else?

42. D E M O

43. None

44. Conclusion

45. vs

46. IN REAL LIFE IT´S NOT THAT EASY LIKE ON THE

    MARKETING PAPERS devices process users apps

47. IN REAL LIFE IT´S NOT THAT EASY LIKE ON THE

    MARKETING PAPERS devices process users apps

48. IN REAL LIFE IT´S NOT THAT EASY LIKE ON THE

    MARKETING PAPERS devices process users apps

49. WHY AZURE INFORMATION PROTECTION? Persistent protection Safe sharing Intuitive experience

    Greater control

50. BUSINESSES AND USERS ARE GOING TO EMBRACE TECHNOLOGY ONLY IF

    THEY CAN TRUST IT. Satya Nadella

51. © Copyright Microsoft Corporation. All rights reserved. Thank you Oliver

    Dörr Cloud Solution Architect E-Mail: [email protected] Phone: +41 (0)43 456 69 18 © Copyright Microsoft Corporation. All rights reserved.

52. Sources • https://portal.azure.com • Cloud and Identitiy Access Management Infographic

    • https://docs.microsoft.com/en-us/azure/information-protection/faqs#whats-the-difference-between-labels-in-azure-information-protection-and-labels-in-office-365 • https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide • https://docs.microsoft.com/en-us/azure/information-protection/rms-client/protected-pdf-readers • https://www.heise.de/ct/artikel/Trojaner-Befall-Emotet-bei-Heise-4437807.html • https://docs.microsoft.com/en-us/azure/information-protection/prepare