
Post on 23-Aug-2020


Azure Information Protection


Customized by markwil@microsoft.com


Enterprise Mobility + Security: Identity-driven security

• Microsoft Cloud App Security: Extend enterprise-grade security to your cloud and SaaS apps

• Azure Active Directory Premium: Manage identity with hybrid integration to protect application access from identity attacks

• Microsoft Advanced Threat Analytics: Detect threats early with visibility and threat analytics

• Microsoft Intune: Protect your users, devices, and apps

• Azure Information Protection: Protect your data, everywhere

Enterprise Mobility & Security capabilities

Managed Mobile Productivity

• Microsoft Intune: Mobile device and app management to protect corporate apps and data on any device.

Identity Driven Security

• Microsoft Advanced Threat Analytics: Identify suspicious activities & advanced attacks on premises.

• Microsoft Cloud App Security: Bring enterprise-grade visibility, control, and protection to your cloud applications.

Identity and access management

• Azure Active Directory Premium P1: Single sign-on to cloud and on-premises applications. Basic conditional access security.

• Azure Active Directory Premium P2: Advanced risk-based identity protection with alerts, analysis, & remediation.

Information Protection

• Azure Information Protection Premium P1: Encryption for all files and storage locations. Cloud-based file tracking. (Existing Azure RMS capabilities)

• Azure Information Protection Premium P2: Intelligent classification & encryption for files shared inside & outside your organization. (Secure Islands acquisition)

Licensed in two tiers: EMS E3 and EMS E5.

Talk from the Technical Summit 2016: https://channel9.msdn.com/events/microsoft-techncial-summit/Technical-Summit-2015-The-Next-Level/Bring-your-own-key-fuer-Azure-RMS-und-Azure-Key-Vault

Recap: Azure RMS and Azure Key Vault

Azure RMS

• Protection is bound to the file, not to the storage location or the medium.

• Binding and persistent rules for access.

• Protection at rest, in transit and during use.

RMS corresponds to non-discretionary access control (in access management terminology).

Recap: Azure RMS and Azure Key Vault

Azure RMS - BYOK

Bring Your Own Key (BYOK) now uses Azure Key Vault.

• Azure Key Vault is not part of the Azure Information Protection license

• Azure Key Vault Premium for HSM-protected keys (€0.8433 per key and month + €0.0253 per 10,000 operations)

Update: Azure RMS and Azure Key Vault

Azure RMS – BYOK

• Segregation of duties with Azure Key Vault

• Integration with Azure RBAC

Azure Key Vault – integration with Azure RBAC (example)

Azure Key Vault – AAD groups for segregation of duties
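The segregation-of-duties setup the slides sketch (Key Vault Premium for the HSM-protected tenant key, AAD groups split between vault administration and key custody, Azure RBAC for the control plane, and the RMS service principal limited to the cryptographic operations it needs), written out as an added PowerShell example. This is not code from the talk or from Microsoft; it assumes the Az and AIPService modules with an authenticated session, and every resource group, vault, group and storage account name is a placeholder.

```powershell
# Added example: Azure Key Vault as the BYOK store for the Azure RMS tenant key,
# with duties split across two Azure AD groups and the RMS service principal.
# Assumes Connect-AzAccount and Connect-AipService have already been run.

$rg       = 'rg-rms-byok'            # placeholder resource group
$vault    = 'kv-rms-byok-example'    # placeholder, must be globally unique
$location = 'westeurope'

# Premium SKU gives HSM-protected keys (the slides note this is billed separately
# from the AIP license). Purge protection keeps a deleted tenant key recoverable.
New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $location `
    -Sku Premium -EnablePurgeProtection

$scope = (Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg).ResourceId

# Two AAD groups (placeholder names) carry the separated duties:
#   vault admins manage the vault resource but hold no permission on key material,
#   key custodians handle key material but cannot change the vault's access policy.
$vaultAdmins   = Get-AzADGroup -DisplayName 'KeyVault-Admins'
$keyCustodians = Get-AzADGroup -DisplayName 'RMS-Key-Custodians'

# Control plane via Azure RBAC: "Key Vault Contributor" manages the vault, not its contents.
New-AzRoleAssignment -ObjectId $vaultAdmins.Id `
    -RoleDefinitionName 'Key Vault Contributor' -Scope $scope

# Data plane via the vault access policy: custodians create, import and back up keys.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $keyCustodians.Id `
    -PermissionsToKeys create,import,get,list,backup

# The tenant key itself: RSA 2048, generated inside the HSM, so it never leaves it.
$key = Add-AzKeyVaultKey -VaultName $vault -Name 'rms-tenant-key' `
    -Destination HSM -KeyType RSA -Size 2048

# The Azure Rights Management service principal (well-known application id
# 00000012-0000-0000-c000-000000000000) gets only the operations it needs to use
# the key: no create, import, delete or backup, so a compromised service cannot
# replace or extract the tenant key.
Set-AzKeyVaultAccessPolicy -VaultName $vault `
    -ServicePrincipalName '00000012-0000-0000-c000-000000000000' `
    -PermissionsToKeys decrypt,encrypt,unwrapkey,wrapkey,verify,sign,get

# Audit every key operation to a storage account (placeholder name) so unexpected
# use of the tenant key shows up in monitoring. Assumes the Az.Monitor
# Set-AzDiagnosticSetting signature with -Category.
$storageId = (Get-AzStorageAccount -ResourceGroupName $rg -Name 'stkvauditexample').Id
Set-AzDiagnosticSetting -ResourceId $scope -StorageAccountId $storageId `
    -Enabled $true -Category AuditEvent

# Register the versioned Key Vault key URL with Azure RMS and list the tenant keys
# so the new one can be checked before it is activated.
Use-AipServiceKeyVaultKey -KeyVaultKeyUrl $key.Id
Get-AipServiceKeys
```

At the time of the 2016 talk the same steps used the AzureRM (Set-AzureRmKeyVaultAccessPolicy) and AADRM (Use-AadrmKeyVaultKey) modules; the permission split is the same. The point of the two groups is that neither can both alter who may reach the key and handle the key material, and the RMS service principal's permission list is the check to review whenever the vault's access policy changes.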

Standard topology

• Protection of data for a hybrid infrastructure

• Simple integration

• Bring Your Own Key option

• Components: AAD Connect, ADFS, RMS connector

• Authentication & collaboration; BYO Key; authorization requests go to a federation service

Regulated topology

• Protection of data for a hybrid infrastructure

• Simple integration

• Bring Your Own Key option

• Hold Your Own Key (Azure Information Protection P2)

• Components: AAD Connect, ADFS, RMS connector

• Authentication & collaboration; BYO Key; authorization requests go to a federation service

• No DMZ exposure

A pragmatic mindset for modern IT in the context of mobility and cloud

Risk-based approach

Assume Breach does not mean "Assume Failure"!

Assume Breach

• Prevention: firewalls, network segmentation, IDP, separation of duties, etc.

• Mitigation / risk reduction: risk management, systems hardening, patch management, system and data classification, encryption, etc.

• Monitoring / detection: event correlation, SIEM, anomaly detection, etc.

• Recovery / remediation: BCP/DRP, contingency planning, backup & restore, etc.

• Continuous improvement

Assume Breach

• External collaboration

• Managed mobile systems

• Information Protection

• On-premises: data within the perimeter

• Managed identities and managed devices

• Hybrid data

Problems with protection

Azure Information Protection

• Monitoring & response: document tracking, document revocation

• Classification & labeling: labeling, classification

• Protection of data: encryption

• Access control, policy enforcement

Full data lifecycle

Contoso | Page 1 | CONFIDENTIAL

Due Diligence Documentation (sample document shown on the slide)

Columns: Due Diligence Category | Documentation | Task Owner | Status

Business Plan, Corporate Structure, Financing

• Business plan: Current five-year business plan; Prior business plan

• Corporate organization: Articles of incorporation; Bylaws; Recent changes in corporate structure; Parent, subsidiaries, and affiliates; Shareholders' agreements; Minutes from board meetings

• Shareholders: Number of outstanding shares; Stock option plan; Samples of common and preferred stock certificates, debentures, and other outstanding securities; Warrants, options, and other rights to acquire equity securities; Current shareholders, including number of shares owned, dates that shares were acquired, considerations received, and contact information; Relevant private placement memoranda and other offering circulars

• Lenders: Convertible, senior, or other debt financing; Bank lines of credit, loan agreements, or guarantees; Loan defaults or expected defaults

• Recent corporate transactions: Description and rationale for each transaction; Purchase and sale agreements

• Regulations: Business licenses; Environmental permits; Workers' health and safety permits

Marketing, Products, Sales, Service

• Market analysis: Competition by product line (include contact details, market size, market share, and competitive advantages and disadvantages); Industry and market research; Trade publications and contact information

Policy settings

Label settings

Label settings – Protection

• Configured Azure RMS templates

• "Remove Protection"

• The classification is retained even when the protection cannot be applied.

• Do Not Forward (email only)

• AD RMS templates (AzIP P2 - HYOK)

• Azure Information Protection has no connection to AD RMS
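An added PowerShell example (not from the talk or the AIP client documentation) that labels a folder of documents and then audits the case the slide singles out: files that carry a classification label but no RMS protection. It assumes the AzureInformationProtection client module (Set-AIPFileLabel, Get-AIPFileStatus), a placeholder label GUID and folder, and the IsLabeled / IsRMSProtected / MainLabelName property names of the status object.

```powershell
# Added example: classify files and find labeled-but-unprotected ones.
# Assumes the AzureInformationProtection PowerShell module is installed and the
# signed-in user can use the label below.

$labelId = '00000000-0000-0000-0000-000000000000'   # placeholder: label GUID from the AIP policy
$folder  = 'C:\Data\DueDiligence'                   # placeholder folder

# Apply the label to every file. The label travels in the file's metadata, so it
# stays with the document regardless of where it is later stored.
Get-ChildItem -Path $folder -File -Recurse |
    Select-Object -ExpandProperty FullName |
    Set-AIPFileLabel -LabelId $labelId

# Read back the labeling and protection state of each file.
$status = Get-ChildItem -Path $folder -File -Recurse |
    Select-Object -ExpandProperty FullName |
    Get-AIPFileStatus

# Classification without protection: the label exists, but nothing enforces access
# once the file leaves the perimeter. These are the files to follow up on.
$unprotected = $status | Where-Object { $_.IsLabeled -and -not $_.IsRMSProtected }

# Files the labeling pass did not reach at all (unsupported type, locked, etc.).
$unlabeled = $status | Where-Object { -not $_.IsLabeled }

"Labeled but not RMS-protected:"
$unprotected | Select-Object FileName, MainLabelName | Format-Table -AutoSize

"Not labeled:"
$unlabeled | Select-Object FileName | Format-Table -AutoSize
```

Whether a label also applies protection depends on the label's protection setting (an Azure RMS template, Do Not Forward, or none), so a non-empty "labeled but not RMS-protected" list is either expected for labels without protection or a sign that protection could not be applied and the client fell back to classification only.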

Label settings

• Conditions for automatic rules can be combined

• AzIP P2 functionality

Policy and label settings are synchronized automatically when the program starts.

Policy and label settings can optionally be exported manually:

• Use with offline clients (e.g. red networks, etc.)

• Testing policies before deployment

• Archiving policies

• Reviewing policies

• ...

More information

• Enterprise Mobility: http://www.microsoft.com/de-de/server-cloud/products/enterprise-mobility-suite/default.aspx

• Azure RMS: http://aka.ms/rmshome and http://aka.ms/ipdeck

• Microsoft Intune: http://www.microsoft.com/de-de/server-cloud/products/windows-intune/default.aspx

• Cloud App Security: https://www.microsoft.com/en-us/cloud-platform/cloud-app-security

• Advanced Threat Analytics: http://www.microsoft.com/ata

• Forefront Identity Manager / Microsoft Identity Manager: http://technet.microsoft.com/en-us/library/jj133852(v=ws.10).aspx

• The standard connectors for FIM can be found at http://technet.microsoft.com/en-us/library/ff608275%28WS.10%29.aspx

Videos

• http://aka.ms/rmsvideo

• http://aka.ms/ipvideo