Page 1
Azure Rights Management
Dan Plastina
https://twitter.com/TheRMSGuy
https://linkedin.com/in/danpl
Page 2
What’s driving change?
IT: Employees, Customers, Business partners
Devices, Apps, Users, Data
Page 3
Why do you seek to protect information?
Survey conducted with: 313 organizations, 17,000,000 users, 54,000 users on average
• Reduce leakage of data shared with others (B2B collaboration): 96%
• Partitioning of sensitive data from unauthorized users: 94%
• Prevent malicious employees from leaking secrets: 89%
• Meet compliance requirements: 87%
Page 4
Other concerns…
Data privacy is mandated!
My existing DLP protection is too reactive. Can data be ‘born encrypted’?
How do I prepare for a fading perimeter?
Peer-to-peer federation is not practical or scalable. How do we establish ‘trust’?
IT must ‘reason over data’ to stay compliant, yet we need our sensitive data to be encrypted.
We want small steps to protect data now! We don’t want to slowly implement the ‘perfect grand solution’.
Page 5
Another New Challenge
• You have a perimeter (company internal).
• You have managed devices within a broader perimeter.
• Your business requires you to share sensitive data outside of your control for B2B/B2C.
Diagram labels: Your perimeter and Managed devices (company internal); Secured data (company external).
Page 6
Our promise: <you> need to share <file types> between yourself and partners, suppliers, dealers, representatives, etc.
• Persistent protection
• Storage independent solution
• Permit all companies to authenticate
• Authorization policies are enforced
Tracking and Compliance
• Powerful logging for reporting
• End user use/abuse tracking
• Ability to remote kill documents
• Enable IT to reason over data
Ease of Use
• Works across all platforms
• Free content consumption
• Consistent user experience
• Integrated into common apps/services
Page 7
Demos
Page 8
Vision: Azure Rights Management
On any device: Email, LOB apps, Files
Share internally, Share externally (B2C), Share externally (B2B)
• Policy enforcement
• Document revocation
• Document tracking
• Access control
• Encryption
• Classification and labeling
In any part of the world:
• US
• EU
• APAC
• China
• Germany
Page 9
Gartner Study: The Role of EDRM in Data-Centric Security (Gartner #G00275948)
In this June 2015 report Mario Boer says:
• "EDRM is a mature technology for enterprise wide persistent protection of data."
• Enterprise digital rights management has long been in Gartner's famed 'Trough of Disillusionment'.
• He offered other points in the 'Key Finding' section that made us smile. Be sure to look them up!
• "A broader data-centric security strategy requires a combination of EDRM with other technologies such as classification, DLP and data-centric audit and protection."
• He’s right… and Microsoft is active on all of these.
• "Many vendors offer a cloud solution to replace on-premises servers. This means cloud and the DMZ are not that different for EDRM offers. Moreover, the server does not see the body of the document, which makes cloud EDRM deployments interesting for even cloud-reluctant organizations."
• We strongly support the view that a cloud EDRM offer makes this much better, even if in the cloud.
Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Page 10
Frost and Sullivan study
Page 11
KuppingerCole study
Page 12
Architecture
Page 13
Rights management 101
Diagram: a “Secret cola formula” document (Water, Sugar, Brown #16) is protected into ciphertext plus use rights, and unprotected back into the readable document.
• Usage rights and symmetric key stored in file as ‘license’
• Each file is protected by a unique AES symmetric key
• License protected by customer-owned RSA key
Page 14
Rights management 101: Local processing on PCs/devices
• Apps protected with RMS enforce rights.
• Apps use the SDK to communicate with the RMS service/servers.
• File content is never sent to the RMS server/service.
• Azure RMS never sees the file content, only the license.
Diagram: ciphertext plus use rights stay on the device; only the license travels to Azure RMS through the SDK.
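As an added illustration of the two "Rights management 101" slides above (my own Ruby/OpenSSL sketch, not code from the deck or from the RMS SDK): a per-file AES-GCM key encrypts the document on the client, the license carrying the rights plus that key is sealed to the customer-owned RSA key, and the service side handles only the sealed license, never the ciphertext. The JSON license layout, the VIEW/EDIT rights vocabulary and the function names are my own simplifications; real RMS licenses are more elaborate and the service also authenticates the caller through Azure AD, which this model omits.

```ruby
require 'openssl'
require 'json'

AccessDenied = Class.new(StandardError)
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Client side ("Protect"): a fresh AES-256-GCM key per file encrypts the content locally;
# the license (usage rights + that key) is sealed to the customer-owned RSA public key.
# Content must be non-empty (OpenSSL::Cipher#update rejects empty input).
def protect(content, rights, rsa_public_key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  key = cipher.random_key # unique symmetric key for this file only
  iv = cipher.random_iv
  ciphertext = cipher.update(content) + cipher.final
  license = { 'rights' => rights, 'key' => [key].pack('m0') }.to_json
  { iv: iv, tag: cipher.auth_tag, ciphertext: ciphertext,
    sealed_license: rsa_public_key.public_encrypt(license, OAEP) }
end

# Service side: only the sealed license arrives here, never the ciphertext. The
# customer's RSA private key unseals it, and the content key is released only if the
# requesting user holds the requested right. (Real Azure RMS also authenticates the
# caller through Azure AD; that step is omitted in this simplified model.)
def issue_use_license(sealed_license, user, right, rsa_private_key)
  license = JSON.parse(rsa_private_key.private_decrypt(sealed_license, OAEP))
  granted = license['rights'].fetch(user, [])
  raise AccessDenied, "#{user} lacks #{right}" unless granted.include?(right)
  license['key'].unpack1('m0')
end

# Client side ("Unprotect"): decrypt locally with the released key. GCM's tag check
# raises OpenSSL::Cipher::CipherError if the ciphertext was altered at rest or in transit.
def unprotect(protected_file, key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = protected_file[:iv]
  cipher.auth_tag = protected_file[:tag]
  cipher.update(protected_file[:ciphertext]) + cipher.final
end
```

Sample users and the cola-formula text used to exercise it are constructed for the example; a 2048-bit key gives a 256-byte sealed license, comfortably above the OAEP size limit for a license of this shape.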
Page 15
Topology
• Data protection for organizations at different stages of cloud adoption
• Ensures security because sensitive data is never sent to the RMS server
• Integration with on-premises assets with minimal effort
Diagram components: Authentication & collaboration, BYO Key, RMS connector, AAD Connect, ADFS; authorization requests go to a federation service.
Page 16
Use Azure AD as the trusted fabric
Azure Active Directory (with ADFS) serves:
• On-premises organizations doing full sync
• On-premises organizations doing partial sync
• Organizations completely in cloud
• Organizations created through ad hoc sign up
…and all of these organizations can interact with each other.
Page 17
Minimum sync profile for Azure RMS
Attribute: Value
cn (common name): jdoe
displayName: John Doe
mail: [email protected]
proxyAddresses: SMTP:[email protected]
userPrincipalName: [email protected]
accountEnabled: True
objectSID (sync ID): 01 05 00 05 15 00 00 E2 DB … CF A1 29 71 04 00 00
pwdLastSet: 20141013171110.0Z
sourceAnchor (for Licensing): NyWoidInKk2S4xtxK+GsbQ==
usageLocation (for Licensing): DE
The only PII synced is first name, last name, and email address.
Page 18
Take action now
Every day you share sensitive items with no form of protection.
Act now to protect your information — even if only with small steps.
Defend your information against internal leakages and outside cyber-attacks.
Protect information with identity-based viewing privileges.
Page 19
Examples of step-wise approaches
• Start with IT-controlled, DLP-performed protection
  • Users experience RMS protected data but don’t have to initiate the protection
  • e.g.: DLP in Exchange Online, in Office apps*, and SharePoint online**
  • e.g.: FCI protection of data on a file share, MyDocs folder, or Work Folder
• Teach the critical few users initiating B2B to ‘share protected’
  • A small percentage of users do most of the sensitive B2B sharing
  • e.g.: Automotive dealership price lists / sales incentives
  • e.g.: Vendor bid manager
  • e.g.: SAP reporting
• Enable broader RMS where users initiate themselves
  • Let users opt in initially. Tracking, remote kill, and Do-not-forward are strong benefits
Page 20
Top RMS Use Cases
• Control sensitive email flow, internally, across all devices
• Share an Office file with external users
• Board of Directors email communications
• Document use tracking, abuse detection, and revocation
• Business-to-Customer secure email (and replies)
• Control the download of files stored in SharePoint
• Securing reports generated from SAP
• Protecting files on a user’s ‘Documents’ folder, file share
• Share CAD drawings, Redacted PDFs, and analyst reports.
Page 21
Vision: Azure Rights Management
On any device: Email, LOB apps, Files
Share internally, Share externally (B2C), Share externally (B2B)
• Policy enforcement
• Document revocation
• Document tracking
• Access control
• Encryption
• Classification and labeling
In any part of the world:
• US
• EU
• APAC
• China
• Germany
Page 22
Next steps
Follow @ https://twitter.com/TheRMSGuy
Learn more @ http://www.Microsoft.com/rms
Discover @ http://curah.microsoft.com/56313
For questions email [email protected]
IT Pro blog @ http://blogs.technet.com/b/rms
Get involved @ https://www.yammer.com/AskIPteam
Sign up @ http://portal.aadrm.com
Download @ http://portal.aadrm.com/home/download
Page 23
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Page 24
Resources – RMS
• Azure RMS: Quick activation, B2B trust-enabled
• RMS App: RMS task assistant and viewer on all platforms
• RMS App (Mobile): RMS task assistant and viewer on all platforms
• Doc Tracking: Permits viewing file usage / remote revocation
• Templates: Global and departmental policies
• Onboarding: Easier pilots, partial deployments
• Migration Toolkit: AD RMS to Azure RMS phased migration
• BYOK: Bring your own HSM-backed key to the cloud
• Cmdlets: PowerShell commands for task automation
• RMS SDK: Enable your own applications (LOB)
Page 25
Resources – Office and Windows
• Apps (Word, etc): Word, Excel, PowerPoint on all platforms.
• Outlook / OWA: Outlook on all platforms; Web email
• Exchange: Mail service with an RMS-aware pipeline
• SharePoint: Doc Library
• Office DLP: Office 365 Data Loss Prevention
• OME: Office Message Encryption enables B2C
• EDP: Windows 10 Enterprise Data Protection w/RMS
• File Classification: DLP over file servers, My Docs, & Work Folder
• OneDrive: Protection of data on OneDrive
Page 26
Resources – Partner ISVs
• Secude: Protection of reports leaving SAP
• Secure Island: Classification and RMS ‘enhancer’
• Titus: Classification and RMS ‘enhancer’
• Watchful Software: Classification and RMS ‘enhancer’
• Foxit: PDF Reader with built-in RMS
• Foxit Redaction: Redacted PDF with ‘view all content’ mode
• Gigatrust: Adobe Reader PDF extension for RMS