Protect data in a hybrid world with Azure Information...


Transcript of Protect data in a hybrid world with Azure Information...

Agenda

Rationale behind Information Protection

On-premises solution

Cloud solution

Data Classification and Hybrid solution

Outlook

Information Author

Recipient

External Users

Mobile Devices

USB Drive

[Figure: a protected file, shown on the slide as unreadable encrypted content, together with its Use Rights]

RMS Protection Basics

[Figure: a "Secret cola formula" document (Water, Sugar, Brown #16) is protected into encrypted content plus a license, and unprotected back to the same readable content]

Usage rights and symmetric key stored in file as ‘license’

Each file is protected by a unique AES symmetric key

License protected by customer-owned RSA key

AD RMS Server

Active Directory

Database Server

SharePoint

Exchange Server

RMS Client

RM-enabled application

On-Premises Discussion (AD RMS)

• Pros:

• Compatible with Windows and mobile devices

• Key is always on-premises (either in software or in HSM)

• Cons:

• No easy integration with customers and partners

• No integration with Office 365

• Difficult user education for selecting templates (no classification framework)

• No new features expected

Using Azure AD as the Trust Fabric

Azure RMS

Integration

BYO Key

Sync

Local processing on PCs/devices

Apps protected with RMS enforce rights

Apps use the SDK to communicate with the RMS service/servers

File content is never sent to the RMS server/service.

[Figure: a protected file (encrypted content + Use Rights) on the endpoint; only the license is exchanged with Azure RMS]

Azure RMS never sees the file content, only the license.

- The keys are uploaded directly from customer’s HSM to Azure. Microsoft never sees them.

- Microsoft can’t hand your keys over – to an attacker or a government investigation.

Cloud Discussion (Azure RMS)

• Pros:

• Compatible with Windows and mobile devices

• Key in Software or in HSM

• Integration with customers and partners

• Integration with Office 365

• Cons:

• Microsoft controls key usage (but NOT key export)

• Difficult user education for selecting templates (no classification framework)

• No coexistence with AD RMS

Data Lifecycle Classification and Protection

At data creation

Manual and automatic, as much as possible

Persistent labels

Industry standard that enables a wide ecosystem

User awareness through visual labels

Encryption with RMS

DLP & compliance actions

Audit trails to track data

Orchestrate

Automatic classification

Custom Rule

Enables hybrid use of Azure RMS and on-premises AD RMS on the same endpoint, for protecting different labels.

(Feature formerly called “Dual/Multi Server”)
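The two mechanisms described above, the RMS protection basics (per-file AES key and usage rights stored in a license that is sealed with the customer-owned RSA key, with the service seeing only the license) and the hybrid/HYOK idea (the label decides whether the Azure RMS key or the on-premises AD RMS key seals the license), combined into one added example. This is illustrative Go written for this page, not RMS SDK code and not the RMS wire format; the label names, the `KeyRing` type, the OAEP label string and the JSON license layout are all assumptions of this model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// KeyRing maps a classification label to the RSA public key that seals its
// licenses. Constructed model: "General" -> Azure RMS tenant key,
// "Crown Jewels" -> on-premises AD RMS (HYOK) key. Label names are illustrative.
type KeyRing map[string]*rsa.PublicKey

// License is stored in the file next to the ciphertext: the per-file content
// key plus the usage rights. It is the only part the RMS service ever opens.
type License struct {
	ContentKey []byte              `json:"k"`
	Rights     map[string][]string `json:"r"` // user -> rights such as VIEW, EDIT
}

// ProtectedFile is a simplified on-disk shape. Ciphertext never leaves the
// endpoint; only SealedLicense is sent to the service that holds the RSA key.
type ProtectedFile struct {
	Label         string
	Nonce         []byte
	Ciphertext    []byte
	SealedLicense []byte
}

var oaepLabel = []byte("rms-license") // OAEP label, assumed for this model

// GenerateOrgKey creates an organization RSA key. In production this key lives
// in an HSM (AD RMS) or is uploaded via BYOK (Azure RMS); it is never derived here.
func GenerateOrgKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Protect encrypts content under a fresh AES-256-GCM key and seals the license
// with whichever RSA key the label routes to. Unknown labels are refused.
func Protect(content []byte, label string, rights map[string][]string, ring KeyRing) (*ProtectedFile, error) {
	pub, ok := ring[label]
	if !ok {
		return nil, fmt.Errorf("no protection key configured for label %q", label)
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The label is bound as associated data, so relabelling a file without
	// re-protecting it is detected at decryption time.
	ct := gcm.Seal(nil, nonce, content, []byte(label))
	lic, err := json.Marshal(License{ContentKey: key, Rights: rights})
	if err != nil {
		return nil, err
	}
	// RSA-OAEP/SHA-256 with a 2048-bit key holds at most 190 bytes, so the
	// rights map in this toy model must stay small.
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, lic, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &ProtectedFile{Label: label, Nonce: nonce, Ciphertext: ct, SealedLicense: sealed}, nil
}

// IssueUseLicense models the RMS server/service holding the org RSA key: it
// opens the sealed license, checks that the user holds the requested right and
// releases the content key. It never receives the ciphertext.
func IssueUseLicense(sealed []byte, user, right string, orgPriv *rsa.PrivateKey) ([]byte, error) {
	raw, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, orgPriv, sealed, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("license not sealed with this key: %w", err)
	}
	var lic License
	if err := json.Unmarshal(raw, &lic); err != nil {
		return nil, err
	}
	for _, r := range lic.Rights[user] {
		if r == right {
			return lic.ContentKey, nil
		}
	}
	return nil, fmt.Errorf("user %q does not hold right %s", user, right)
}

// Unprotect runs on the client with the released content key; decryption is local.
func Unprotect(pf *ProtectedFile, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, pf.Nonce, pf.Ciphertext, []byte(pf.Label))
}
```

A typical run builds a `KeyRing` with two generated keys, protects the cola formula under the "Crown Jewels" label, and then shows that only the AD RMS private key can issue a use license for it, that a user granted VIEW alone is refused EDIT, and that the content key is released without the service ever touching the ciphertext.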

Configuring and using HYOK

Classification / Hybrid Discussion (AZIP)

• Pros:

• User friendly classification / labelling

• Allows flexibility of Azure RMS for 90% of information…

• … while still keeping the 10% “crown jewels” protected by AD RMS key.

• Cons:

• Additional licenses

• Currently limited to Windows / Office

Upcoming features

• Exchange Online and “Bring Your Own Key”

• By the end of 2016 new customers are expected to have Exchange Online integration compatible with BYOK. Migration of existing customers is expected to start by end of this year.

• A preview of this feature is available for interested customers.

• Azure Information Protection

• First version expected to be available soon.

• Coming versions expected to have more functionality.