June2019 Meetup: Using Secure Document Encryption (AIP, Azure Information Protection), without getting Lost in the Cloud by Oliver Dörr

Have you ever wondered how you could benefit from the secure document encryption in Azure? This session will give you an overview of what is possible right now with the different label types (AIP labels, O365 labels, Unified Labels) and what you will have to pay for it. In addition, it will highlight the actual limits and issues of a real-world implementation (e.g. limits when collaborating with other companies).

Speaker: Oliver Dörr
Oliver Dörr has been working in the IT industry for over 15 years. He has a lot of experience in enabling different kinds of customers to leverage collaboration solutions on-premises and, of course, in the cloud. He is thrilled by the opportunities offered by cloud solutions, even if they change on a very quick schedule.

You can find him at:
https://www.linkedin.com/in/oliver-doerr/


Azure Zurich User Group

June 11, 2019

Transcript

  2. 2.
    What to expect
    • Introduction
    • Information Protection – how it is intended
    • Information Protection – limits and boundaries
    • Demo
    • Conclusion
    • Q&A
  4. 5.
    IN THE PAST, THE FIREWALL WAS THE SECURITY PERIMETER
    (diagram: devices, data, users and apps inside the on-premises / private cloud perimeter)
  6. 8.
    Challenges with the complex environment
    (diagram: employees, business partners and customers; apps, devices, data and users; risks: data leaks, lost device, compromised identity, stolen credentials)
  7. 9.
    • 88 % of organizations no longer have confidence to detect and prevent loss of sensitive data
    • 80 % of employees use non-approved SaaS apps at work
    • 85 % of enterprise organizations keep sensitive information in the cloud
    • 58 % have accidentally sent sensitive information to the wrong person
  8. 10.
    • “I can’t apply unified policies across various data sources or to a specific repository”
    • “My data is scattered across sources and the data continues to grow”
    • “When enforcing compliance our business users’ productivity is disrupted”
    • “I need complete coverage of all my devices and applications”
    • “How do I protect sensitive information such as sensitive PII data across my enterprise?”
    • “I want data governance to be automatic - not something I have to think about”
    • “How do I find only relevant data when I need it?”
  11. 13.
    Classify data – begin the journey
    Label levels shown: SECRET, CONFIDENTIAL, INTERNAL, NOT RESTRICTED, PERSONAL
    • IT admin sets policies, templates, and rules
    • Classify data based on sensitivity
    • Start with the data that is most sensitive
    • IT can set automatic rules; users can complement it
    • Associate actions such as visual markings and protection
  12. 14.
    What is a sensitivity label? (example shown: CONFIDENTIAL)
    A tag that is customizable, in cleartext, and persistent. It becomes the basis for applying and enforcing data protection policies.
    • In files and emails, the label is persisted as document metadata
    • In SharePoint Online, the label is persisted as container metadata
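The slide's point that the label is cleartext metadata has a practical consequence for defenders: the label can be audited without any decryption key, and a label by itself does not tell you whether the content is encrypted. The following script is an added example, not code from the slides or from Microsoft. It reads the `MSIP_Label_<GUID>_*` custom properties that Office writes into `docProps/custom.xml` of a labelled OOXML file, reports the label name and markings, and treats anything that is not a plain OOXML zip (an RMS-protected Office file is an OLE wrapper, not a zip) as opaque. The sample files, the label GUID and the field values are constructed; the meaning of the `ContentBits` flags is my reading of the documented label metadata and is marked as an assumption in the code.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces of the custom-properties part (docProps/custom.xml).
NS_CP = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
FMTID = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"

# Office persists the label as properties named MSIP_Label_<label GUID>_<field>.
LABEL_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(.+)$")

# Meaning of the ContentBits flags: my reading of the documented metadata (assumption).
CONTENT_BITS = {1: "header", 2: "footer", 4: "watermark", 8: "encryption"}


def read_custom_properties(data: bytes) -> dict:
    """Return {name: value} from docProps/custom.xml of an OOXML package ({} if the part is absent)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    props = {}
    for prop in root.findall(f"{{{NS_CP}}}property"):
        value = next(iter(prop), None)  # the single vt:* child carries the value
        props[prop.get("name")] = (value.text or "") if value is not None else ""
    return props


def extract_labels(props: dict) -> list:
    """Group MSIP_Label_* properties by label GUID and decode the fields of interest."""
    by_id = {}
    for name, value in props.items():
        m = LABEL_RE.match(name)
        if m:
            by_id.setdefault(m.group(1), {})[m.group(2)] = value
    labels = []
    for label_id, fields in by_id.items():
        bits = int(fields.get("ContentBits") or 0)
        markings = [n for b, n in CONTENT_BITS.items() if bits & b]
        labels.append({
            "id": label_id,
            "name": fields.get("Name", ""),
            "enabled": fields.get("Enabled", "").lower() == "true",
            "method": fields.get("Method", ""),
            "set_date": fields.get("SetDate", ""),
            "markings": markings,
            "encrypted": "encryption" in markings,  # a label alone does not imply encryption
        })
    return labels


def classify_file(data: bytes) -> dict:
    """'labeled', 'unlabeled', or 'opaque' (not an OOXML zip, e.g. an RMS-protected wrapper)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"status": "opaque", "labels": []}
    labels = extract_labels(read_custom_properties(data))
    return {"status": "labeled" if labels else "unlabeled", "labels": labels}


def build_sample_docx(props: dict) -> bytes:
    """Constructed minimal OOXML package carrying the given custom properties (fixture, not a real Word file)."""
    root = ET.Element(f"{{{NS_CP}}}Properties")
    for pid, (name, value) in enumerate(props.items(), start=2):
        prop = ET.SubElement(root, f"{{{NS_CP}}}property", fmtid=FMTID, pid=str(pid), name=name)
        ET.SubElement(prop, f"{{{NS_VT}}}lpwstr").text = value
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("docProps/custom.xml", ET.tostring(root, encoding="UTF-8", xml_declaration=True))
    return buf.getvalue()


# Constructed sample repository: a labelled and encrypted file, an unlabelled file, and an opaque
# stand-in (OLE compound-file magic bytes; an RMS-protected Office file is not a plain zip).
SAMPLE_LABEL_ID = "11111111-2222-3333-4444-555555555555"  # constructed GUID
SAMPLE_FILES = {
    "board-minutes.docx": build_sample_docx({
        f"MSIP_Label_{SAMPLE_LABEL_ID}_Enabled": "true",
        f"MSIP_Label_{SAMPLE_LABEL_ID}_Name": "Confidential",
        f"MSIP_Label_{SAMPLE_LABEL_ID}_Method": "Standard",  # constructed value
        f"MSIP_Label_{SAMPLE_LABEL_ID}_SetDate": "2019-06-11T18:00:00Z",
        f"MSIP_Label_{SAMPLE_LABEL_ID}_ContentBits": "9",  # header (1) + encryption (8)
    }),
    "lunch-menu.docx": build_sample_docx({"Company": "Example AG"}),
    "protected-blob.docx": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
}


def audit_samples(files=SAMPLE_FILES) -> dict:
    """Run the check over a {filename: bytes} mapping, like a discover-mode report."""
    return {name: classify_file(data) for name, data in files.items()}


if __name__ == "__main__":
    for name, result in audit_samples().items():
        detail = ", ".join(f"{l['name']} ({', '.join(l['markings']) or 'no markings'})"
                           for l in result["labels"])
        print(f"{name:22} {result['status']:9} {detail}")
```

For a real file share, replace `SAMPLE_FILES` with the bytes of each `.docx`/`.xlsx`/`.pptx` found on disk; files reported as `labeled` but not `encrypted` are the ones that carry a classification without protection, which is exactly the gap a "protect the most sensitive data first" rollout wants to surface.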
  14. 16.
    Data protection & data governance go hand-in-hand
    Comprehensive policies to protect and govern your most important data – throughout its lifecycle
    • Unified approach to discover, classify & label
    • Automatically apply policy-based actions
    • Proactive monitoring to identify risks
    • Broad coverage across locations
    Label (discover, classify) – Sensitivity: encryption, restrict access, watermark, header/footer; Retention: retention, deletion, records management, archiving
    Apply label / unified approach / monitor: sensitive data discovery, data at risk, policy violations, policy recommendations, proactive alerts
  15. 20.
    Helps you manage sensitive data prior to migrating to Office 365 or other cloud services
    • Use discover mode to identify and report on files containing sensitive data
    • Use enforce mode to automatically classify, label and protect files with sensitive data
    Can be configured to scan:
    • CIFS file shares
    • SharePoint Server 2016
    • SharePoint Server 2013
    • SharePoint Server 2010
  16. 21.
    Centralized management – Configure and manage labels across apps and services in Office, Azure and Windows – all from the Security & Compliance Center
    Unified classification – Uniform content classification to protect and preserve data across Office, Azure, Windows
    Consistent across M365 & extensible to 3rd party – Consistent integration and experience across M365 apps & services. Extensible to 3rd party apps & solutions
  17. 24.
    Detect content in cloud storage services – Inspect files for sensitive information – based on policy. Discover sensitive data across 3rd party clouds like SalesForce, Box, Dropbox and others.
    Apply classification labels & protection – Automatically apply labels defined in Microsoft Information Protection to sensitive files discovered in cloud apps
  18. 25.
    NATIVE SUPPORT FOR PDF FILES ON ADOBE ACROBAT
    • Adobe Acrobat can understand and honor labels and protection
    • View protected files natively on Adobe Acrobat on Windows
    • Labeling experience is built natively into Acrobat
    • Integration enabled by the Microsoft Information Protection SDK
    GA: January, 2019
  19. 26.
    Flexible encryption options
    • Protect – Mitigates risk of unintended disclosure through encryption and rights protection
    • Control – Leverage automatic policies or ad hoc end-user controls, for emails shared inside or outside the organization
    • Compliance – Meet compliance obligations that require encrypting data or encryption key control
    • Recipients can read protected messages using consumer identities
    • Easily read protected emails on any device
    • Apply sensitivity labels
  21. 28.
    Information Protection in Microsoft 365 – capabilities by license
    License columns on the slide: O365 E3 | O365 E5 | EMS E3 | EMS E5 (the extracted text preserves only how many of the four columns are ticked per row, shown as • marks, not which ones)
    Classification & labeling of sensitive data
    • Create and manage sensitivity labels in Security & Compliance Center unified labeling experience: • • • •
    • Manual labeling of files in Office 365 services (Exchange Online, SharePoint Online, OneDrive for Business): • •
    • Manual labeling in Office apps (Word, PowerPoint, Excel, Outlook) using native labeling: • • • •
    • Manual labeling in Office apps on Windows using AIP client: •
    • Automated classification and labeling of files in Office 365 services (Exchange Online, SharePoint Online, OneDrive for Business): • •
    • Discover sensitive data in on-premises file servers, apply label to entire repository or folder (1): • •
    • Automated classification and labeling of files in on-premises file servers (AIP scanner): •
    • Automated classification and labeling in Office apps (Word, PowerPoint, Excel, Outlook) using native labeling: • •
    • Automated classification and labeling in Office apps on Windows using AIP client: •
    • Information Protection SDK to apply labels to files: • •
    Encryption & rights-based restrictions
    • Add ad-hoc protection to Office documents: • •
    • Encrypt emails to internal or external recipients: • •
    Data Loss Prevention (DLP)
    • Block sharing of sensitive files in Office 365 services (Exchange Online, SharePoint Online, OneDrive for Business): • •
    Cloud App Security
    • Classify and label data in 3rd-party SaaS apps and cloud services: •
    Windows Information Protection
    • Prevent copying and sharing of data from a business location to a non-business location on Windows 10 devices: • •
    • Apply Windows Information Protection policy based on sensitivity label in document: •
    (1) Running AIP scanner in “Discover all” mode
  22. 29.
    • Discover compliance-related sensitive data across locations, including on-premises
    • GDPR-specific sensitive information types help protect personal data in EU countries
    • Assess whether or not your cloud apps are GDPR compliant
    • Gain visibility into classification, labeling and protection of personal data (including endpoints, locations, users)
    • Guide end-users when working with personal data – with policy tips and recommendations
  23. 30.
    (screenshot: reporting dashboard with user policies, status, and the labels Personal, Public, Internal, Confidential, Highly Confidential; views: summary, list, timeline, map, settings)
    • Admins create policies for data classification, labeling, and protecting
    • Based on sensitivity of data, labels are applied by users or automatically
    • Protect sensitive data with encryption or visual markings
    • Control sharing outside your organization
    • Gain visibility and control over sensitive data even as it moves to cloud
    • Monitor, analyze and assess compliance through rich logs and reporting
  24. 31.
    On the horizon
    • Security & Compliance Center enhancements
    • Native labeling experience in Outlook mobile (iOS and Android) and web apps
    • Automatically classify, label and protect in Office apps
    • Additional automatic DLP integrations with labels
    • Information Protection analytics (GA)
    • Advanced detection and classification methods (OCR, exact data match, ML)
    • Ability to reason over (view, search, index) labeled & protected Office documents in SharePoint Online and OneDrive for Business
    Recent
    • Unified label management in Security & Compliance Center
    • Native labeling in Office apps on Mac, iOS, Android
    • Information Protection SDK
    • View protected PDFs on Adobe Acrobat Reader
    • Apply Windows Information Protection based on sensitivity labels
    • GDPR sensitive information types (Office 365 & Azure Information Protection)
    • Create custom sensitive information types
    • Message encryption enhancements
    • Information protection analytics (preview)
    • S/MIME as outcome of labels
    Roadmap, known issues, documentation: https://aka.ms/officemipdocs
  25. 32.
    Future – Conditional Access, fine grain
    Scenario: On a per-site basis, use all access conditions, including device compliance, location, MFA, user risk and device risk.
    (diagram: conditions – compliant device, domain join, user role / group, user risk signals, terms of use, location, strong auth, device platform, device risk – combined with AND / OR; per-site policy controls: limit download, block)
  26. 37.
    Switch should be done by: GLOBAL Administrator
    Tenant will be migrated to use Unified Labels
    AIP Unified Labels client is needed! The AIP client still connects to the OLD policies
    Migration limits:
    • Policies incl. access: NOT migrated
    • Admin centers: NOT all settings supported
    • Only labels with cloud-based keys are migrated, but no user-defined permissions for Word, Excel, PowerPoint
    • Migrated labels need to be published individually
    • Variables in visual markings are not supported
    • Changes in AIP portal → admin centers; changes in admin centers: MANUAL publish in AIP portal
  29. 40.
    Protected PDF readers by OS
    OS                  | .pdf (NEW)                                          | .pdf (Old) / .ppdf
    Win 7 – Win 10      | Acrobat Reader, AIP Viewer (with / without UL), Foxit Reader | Azure Information Protection viewer, Gaaiho Doc, GigaTrust Desktop PDF Client for Adobe, Foxit Reader, Nitro PDF Reader, Nuance Power PDF, RMS sharing app
    macOS 10.12 – 10.14 | Acrobat Reader                                      | –
    Android             | AIP App                                             | Azure Information Protection app, Foxit MobilePDF with RMS, GigaTrust App for Android
    iOS                 | AIP App                                             | Azure Information Protection app, Foxit MobilePDF with RMS, TITUS Docs
  30. 41.
    • B2B integration works / B2C does not
    • Search limits: E-Discovery / Delve etc. -> ONLY with Unified Labels
    • AIP SuperUser can be applied anytime and gets access immediately
    • Digitally signed documents
    • Password protected files (e.g. PDF / XLS)
    • What else?
  34. 46.
    IN REAL LIFE IT´S NOT THAT EASY LIKE ON THE MARKETING PAPERS
    (diagram: devices, process, users, apps)
  37. 51.
    © Copyright Microsoft Corporation. All rights reserved.
    Thank you
    Oliver Dörr, Cloud Solution Architect
    E-Mail: oliver.doerr@microsoft.com
    Phone: +41 (0)43 456 69 18
  38. 52.
    Sources
    • https://portal.azure.com
    • Cloud and Identity Access Management Infographic
    • https://docs.microsoft.com/en-us/azure/information-protection/faqs#whats-the-difference-between-labels-in-azure-information-protection-and-labels-in-office-365
    • https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide
    • https://docs.microsoft.com/en-us/azure/information-protection/rms-client/protected-pdf-readers
    • https://www.heise.de/ct/artikel/Trojaner-Befall-Emotet-bei-Heise-4437807.html
    • https://docs.microsoft.com/en-us/azure/information-protection/prepare