Protect data in a hybrid world with Azure Information...
Transcript of Protect data in a hybrid world with Azure Information...
Agenda
Rationale behind Information Protection
On-premises solution
Cloud solution
Data Classification and Hybrid solution
Outlook
RMS Protection Basics
(Slide diagram: a "Secret cola formula" document listing Water, Sugar and Brown #16 goes through Protect, producing an encrypted blob with its Use Rights attached; Unprotect restores the original Water, Sugar, Brown #16.)
• Usage rights and the symmetric key are stored in the file as the ‘license’.
• Each file is protected by a unique AES symmetric key.
• The license is protected by the customer-owned RSA key.
(Slide diagram of the AD RMS deployment components: AD RMS Server, Active Directory, Database Server, SharePoint, Exchange Server, RMS Client, RM-enabled application.)
On-Premises Discussion (AD RMS)
• Pros:
  • Compatible with Windows and mobile devices
  • Key is always on-premises (either in software or in HSM)
• Cons:
  • No easy integration with customers and partners
  • No integration with Office 365
  • Difficult user education for selecting templates (no classification framework)
  • No new features expected
Local processing on PCs/devices
• Apps protected with RMS enforce rights.
• Apps use the SDK to communicate with the RMS service/servers.
• File content is never sent to the RMS server/service.
(Slide diagram: protected files, each shown as an encrypted blob with its Use Rights, alongside the Azure RMS service.)
- Azure RMS never sees the file content, only the license.
- The keys are uploaded directly from customer’s HSM to Azure. Microsoft never sees them.
- Microsoft can’t hand your keys over – to an attacker or a government investigation.
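The protection model described on this slide and on the RMS Protection Basics slide above (a unique AES key per file, the usage rights and that key wrapped into a license under the customer-owned RSA key, and only the license reaching the service), worked through as an added example in Go. This is not code from the presentation or from the RMS SDK: the License struct, its field names, the AES-GCM and RSA-OAEP choices and the CustomerKey helper are this example's own assumptions, not the real RMS file format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

// License stands in for the RMS "license" stored in the protected file: usage rights
// plus the per-file AES key wrapped with the customer-owned RSA key (names assumed).
type License struct {
	Rights     []string
	WrappedKey []byte // RSA-OAEP(contentKey) under the customer's RSA public key
}

// CustomerKey stands in for the tenant's RSA key (held on-premises or in an HSM).
func CustomerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// gcmFor builds AES-GCM over the per-file content key.
func gcmFor(key []byte) (cipher.AEAD, error) { b, err := aes.NewCipher(key); if err != nil { return nil, err }; return cipher.NewGCM(b) }

// Protect runs on the client: a fresh 256-bit AES key per file, content sealed
// locally with AES-GCM (nonce prepended), key and rights wrapped into the license.
func Protect(pub *rsa.PublicKey, plaintext []byte, rights []string) ([]byte, License, error) {
	buf := make([]byte, 32+12) // 256-bit content key followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil { return nil, License{}, err }
	key, nonce := buf[:32], buf[32:]
	gcm, err := gcmFor(key)
	if err != nil { return nil, License{}, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil { return nil, License{}, err }
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), License{rights, wrapped}, nil
}

// UnwrapLicense is the server-side step: it needs the RSA private key and the
// license only, never the ciphertext, so the service never sees file content.
func UnwrapLicense(priv *rsa.PrivateKey, lic License) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lic.WrappedKey, nil)
}

// Unprotect runs back on the client with the content key the server returned.
func Unprotect(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(sealed) < n { return nil, io.ErrUnexpectedEOF }
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}
```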
Cloud Discussion (Azure RMS)
• Pros:
  • Compatible with Windows and mobile devices
  • Key in Software or in HSM
  • Integration with customers and partners
  • Integration with Office 365
• Cons:
  • Microsoft controls key usage (but NOT key export)
  • Difficult user education for selecting templates (no classification framework)
  • No coexistence with AD RMS
Data Lifecycle Classification and Protection
• At data creation
• Manual and automatic, as much as possible
• Persistent labels
• Industry standard that enables a wide ecosystem
• User awareness through visual labels
• Encryption with RMS
• DLP & compliance actions
• Audit trails to track data
Orchestrate
Enables hybrid use of Azure RMS and on-premises AD RMS on the same endpoint, for protecting different labels.
(Feature formerly called “Dual/Multi Server”)
Classification / Hybrid Discussion (AZIP)
• Pros:
  • User friendly classification / labelling
  • Allows flexibility of Azure RMS for 90% of information…
  • … while still keeping the 10% “crown jewels” protected by AD RMS key.
• Cons:
  • Additional licenses
  • Currently limited to Windows / Office
Upcoming features
• Exchange Online and “Bring Your Own Key”
  • By the end of 2016 new customers are expected to have Exchange Online integration compatible with BYOK. Migration of existing customers is expected to start by the end of this year.
  • A preview of this feature is available for interested customers.
• Azure Information Protection
  • First version expected to be available soon.
  • Coming versions expected to have more functionality.