Secure Collaboration within Organizations, B2B and B2C · Rights Management Services ......
Page 2

Page 3
• Definition of the term “Collaboration”: working with others to do a task and to achieve shared goals.
• Major Business Requirements
  Structured filing
  Simple and secure identity and access management processes within and across companies, user self-services
  Broad support of devices and applications
  Flexibility regarding business processes and team structures
  Data security and classification
  Traceability and auditability of any IAM and business activities
  Evidence records for contracts and approval processes
Page 4
Requirement                                        E-Mail    SharePoint
Structured filing
IAM, user self-services
Broad support of devices and applications
Flexibility w.r.t. processes and team structures
Data security and classification
Traceability and auditability
Evidence records
Page 5
• Microsoft Azure, Office 365, SharePoint Online
  Global cloud solution managing tenants and trusts
  Single user identity for authentication and authorization to all resources
  Broad support of devices and applications
• Rights Management Services
  Leverage access control beyond applications (DLP)
  Data classification
  Document tracking
• Digital Signature Services
  Evidence records for contracts and approval processes
Page 6
Requirement                                        E-Mail    SharePoint
Structured filing
IAM, user self-services
Broad support of devices and applications
Flexibility w.r.t. processes and team structures
Data security and classification
Traceability and auditability
Evidence records
Page 7
Microsoft Azure, Office 365, SharePoint Online
Rights Management Services
Digital Signature Services
Short introduction of Microsoft RMS and Secure Islands IQ Protector
Page 8
• About RMS
  Traditional security controls (e.g. ACLs, firewalls, etc.) have limited effectiveness in protecting company data while still empowering users to work efficiently (i.e. use of many platforms, applications, mobile workplaces, etc.)
  RMS protects sensitive information independently of any other security measure. It uses encryption, identity, and authorization policies to help secure the data.
  The objectives of DLP can be implemented with RMS.
Page 9
• Available on-prem (AD RMS) and in the cloud (Azure RMS)
• Major features
  Security is intrinsically tied to the data, with no dependency on other security measures
  Dynamic management of users and roles (joiners / movers / leavers / deputies / auditors / legal investigators)
[Diagram – RMS Protected Data: Data, Owner / Author, RMS Template, Ad-hoc User/Group, RMS Metadata, IQP Classification, IQP Metadata]
Page 10
• Major features
  Data protection and classification
  Rights enforcement (do not forward, read only, do not print, etc.)
  Document tracking and document revocation
[Diagram – Application opens RMS Protected Data (Data, Owner / Author, RMS Template, Ad-hoc User/Group, RMS Metadata, IQP Classification, IQP Metadata): Acquire RMS License from the RMS Server (Auth), Use, Log / Report]
Page 11
• Broad support of applications and file-types
  Microsoft Office on Windows and Mac (Office 2016 and beyond for Mac)
  RMS SDK available for Windows, Linux, iOS and Android
  More and more RMS-enlightened applications available
  Broad support of file-types (Office, PDF, CSV, TXT, JPG, etc.; almost any file-type)
Page 12
• Typical Use-cases
  Leverage access control beyond applications (DLP)
  Separation of business data from IT administrators
  Separation of individual organizational units (e.g. human resources or finance department, research and development, etc.)
  Secure collaboration within an organization or across organizational boundaries
  Document tracking (and document revocation)
Page 13
• Additional use-cases with Secure Islands IQP
  DLP implementation with IQP
  Policy-based file and folder encryption
  Automated and policy-based encryption / classification of data, e-mails, web uploads and downloads
  User awareness (pop-up windows) based on pattern matching (content scanning)
  Comprehensive Microsoft Exchange Journaling support for compliance and audit reasons
Page 14
• Use-case – example
[Diagram – Org 1 and Org 2 each run an on-prem Active Directory (User A / Group G in Org 1, User X / Group W in Org 2), a Federation Service (ADFS) and Directory Synchronization (AADConnect) into their own Microsoft Azure tenant with Azure Active Directory and SharePoint Online (Office 365); User X is provisioned into Tenant (Org 1) by B2B Sync; Azure RMS protects the Data, which reaches User Y via Fileshare, Exchange, USB Stick, etc.]
Page 15
• Use-case – example – description
  1. User X from Org 2 downloads a document from the SharePoint Online Server of Org 1
  2. User X is entitled to access the SharePoint Online Server and to open the document
  3. User X sends the document to User Y (file share, e-mail, etc.)
  4. User Y is not entitled to access the SharePoint Online Server. Since the RMS rights on the document are derived from the SharePoint access rights, User Y cannot open the document.
  Note: It is possible to apply other protection rules, especially with RMS on-prem and Secure Islands IQP
Page 16
RMS - Document tracking and reporting
• Keyon - true-Xtended Reporting for RMS and IQP
  • Collects log-files and events from many sources, especially from Secure Islands IQP and Microsoft RMS Servers
  • Enriches log-files and events from further sources (e.g. AD, LDAP, DBs, DLP systems, other applications)
  • Periodically copies enriched log-files and events into Splunk or Microsoft Reporting Services
  • Data collection and reports can be customized
Page 17
RMS - Document tracking and reporting
• ... and what it looks like
Live Demo
Page 18
Microsoft Azure, Office 365, SharePoint Online
Rights Management Services
Digital Signature Services
Short introduction
Page 19
Digital Signature Services
• Business Benefits
  • Evidence records for approval processes
  • Contracts and agreements
  • Integrity and authenticity of internal and external documents
• Benefits for IT operations
  • Signed Office Macros
  • Signed code (.exe, Java)
Page 20
true-Sign at a glance
• Digital Signature Service
• Compliant with ZertES, ElDI-V, GeBüV
• Support of industry standards and long-term signatures
  • ETSI TS 102 778-1 to -5: PAdES-LTV; XAdES-A (ETSI TS 101 903) and CAdES-A (ETSI TS 101 733)
  • RFC 6283: XMLERS
  • RFC 4998: ERS
  • RFC 3161: Time-Stamp Protocol
• FIPS and CC certified Hardware Security Modules
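What the RFC 4998 (ERS) and RFC 3161 entries above buy you in practice, as an added worked example; this is illustration code written for this page, not code from true-Sign or any other product named on the slides. It builds a simplified Evidence Record Syntax hash tree over three constructed documents, issues an archive time-stamp on the root, and then performs a hash-tree renewal from SHA-1 to SHA-256 so that the old evidence stays verifiable after the old algorithm is deprecated. Assumptions, also marked in the comments: the time-stamp token is an HMAC under a constructed key standing in for a TSA's RFC 3161 signature, JSON stands in for the DER encoding, and all function names (make_ats, verify_chain, renewal_leaf) are ours.

```python
import hashlib
import hmac
import json

TSA_KEY = b"constructed-tsa-key"  # stand-in for a TSA's signing key (assumption)


def H(algo, *parts):
    # RFC 4998 node rule: hash the children concatenated in binary ascending
    # order, so a verifier needs no left/right position information.
    return hashlib.new(algo, b"".join(sorted(parts))).digest()


def build_levels(leaves, algo):
    """Every level of the hash tree, leaves first, root last (a lone last node is allowed)."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(algo, *cur[i:i + 2]) for i in range(0, len(cur), 2)])
    return levels


def make_ats(leaves, index, algo, when):
    """ArchiveTimeStamp for leaves[index]: reduced hash tree plus a time-stamp on the root."""
    levels = build_levels(leaves, algo)
    reduced, i = [], index
    for level in levels[:-1]:
        start = i - i % 2                       # the sibling group this node belongs to
        reduced.append([h.hex() for h in sorted(level[start:start + 2])])
        i //= 2
    root = levels[-1][0]
    token = hmac.new(TSA_KEY, root + when.encode(), algo).hexdigest()  # stands in for RFC 3161
    return {"algo": algo, "reduced": reduced, "time": when, "root": root.hex(), "token": token}


def encode(ats):
    return json.dumps(ats, sort_keys=True).encode()  # DER in the real syntax


def renewal_leaf(algo, doc, prev_ats):
    # Hash-tree renewal (RFC 4998 sect. 5.3): the new leaf binds the document to
    # its existing evidence, so the new algorithm re-protects the old chain.
    return H(algo, hashlib.new(algo, doc).digest(), hashlib.new(algo, encode(prev_ats)).digest())


def verify_chain(doc, chain):
    """chain[0] covers doc; each later element covers doc together with the one before it."""
    prev = None
    for ats in chain:
        algo = ats["algo"]
        h = hashlib.new(algo, doc).digest() if prev is None else renewal_leaf(algo, doc, prev)
        for group in ats["reduced"]:
            group = [bytes.fromhex(x) for x in group]
            if h not in group:
                return False                    # document (or older evidence) was altered
            h = H(algo, *group)
        expected = hmac.new(TSA_KEY, h + ats["time"].encode(), algo).hexdigest()
        if h.hex() != ats["root"] or not hmac.compare_digest(expected, ats["token"]):
            return False                        # root or time-stamp token does not match
        prev = ats
    return True


def demo():
    docs = [b"contract-001.pdf", b"approval-2016-03.xml", b"contract-002.pdf"]  # constructed
    sha1_leaves = [hashlib.sha1(d).digest() for d in docs]
    chains = [[make_ats(sha1_leaves, i, "sha1", "2016-03-01T10:00:00Z")] for i in range(len(docs))]
    # Before SHA-1 stops being trustworthy, renew the whole archive under SHA-256.
    sha256_leaves = [renewal_leaf("sha256", d, c[-1]) for d, c in zip(docs, chains)]
    for i, c in enumerate(chains):
        c.append(make_ats(sha256_leaves, i, "sha256", "2020-01-15T08:00:00Z"))
    forged = dict(chains[1][0], token="00" * 20)  # attacker rewrites the old time-stamp token
    return {
        "valid": verify_chain(docs[1], chains[1]),
        "sha1_only_still_valid": verify_chain(docs[1], chains[1][:1]),
        "altered_document": verify_chain(b"approval-2016-04.xml", chains[1]),
        "altered_old_timestamp": verify_chain(docs[1], [forged, chains[1][1]]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the standards list makes implicitly is visible here: a single time-stamp is only as strong as the hash algorithm and TSA key it was made with, so an evidence record is a chain in which each renewal covers both the document and all earlier evidence. Renewal has to happen while the old algorithm is still trustworthy; afterwards a verifier walks the chain oldest-first and rejects it at the first leaf, root or token that no longer fits.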
Page 21
Microsoft Azure, Office 365, SharePoint Online
Rights Management Services
Digital Signature Services
Short introduction
Page 22
Microsoft Office 2013 (new: Office 2016)
Office Application Suite for PC and Mac
Mobile Apps for iOS, Windows & Android
Microsoft Azure Active Directory (AAD)
Sharepoint Online
Azure RMS
Page 23
Office 365 / Azure prerequisites
Office 365 subscription
Subscription that includes SharePoint Online:
  Starting with “Office 365 Business Essentials” (CHF 4.70/user/month).
  Also available in “Office 365 Business Premium”
  Included in all enterprise plans
Basic personal sharing and collaboration options are also available with subscriptions that include OneDrive for Business but not SharePoint.
Page 24
Identity and Access Management
• Office 365 uses Azure Active Directory
• Users of Office 365 must exist in Azure AD
• Several options:
  Cloud identity: create users online (small companies without Active Directory)
  Synchronized identity: synchronize users from AD to Azure AD + password sync (identity lifecycle)
  Federated identity: synchronize users from AD to AAD and federate with Azure AD (identity lifecycle + SSO)
Page 25
User synchronization and federation:
• Re-use identities from the organization’s Active Directory
• Synchronize AD users and groups to Azure AD (AADConnect)
• Enable SSO through Federation (ADFS)
[Diagram – on-prem Active Directory (User A, Group G) synchronized by Directory Synchronization (AADConnect) and federated by Federation Service (ADFS) into the Microsoft Azure Tenant (Org 1): Azure Active Directory (User A, Group G) and SharePoint Online (Office 365)]
Page 26
Result of user synchronization: the synchronized users appear in Azure AD and are ready for use
Page 27
Single Sign On with Federation:
Page 28
[Diagram – Org 1 and Org 2, each with on-prem Active Directory (User A / Group G, User X / Group W), Federation Service (ADFS) and Directory Synchronization (AADConnect) into their Azure Active Directory tenant and SharePoint Online (Office 365); User X is provisioned into Tenant (Org 1) by B2B Sync]
External users:
• Collaboration partners re-use their own Azure identities to access shared team sites in SharePoint Online.
• Users that are not yet in Azure can create a Microsoft account to access shared team sites
Page 29
Identity and Access Management
• Identity management, provisioning and decommissioning
  Azure Active Directory B2B collaboration lets you enable access to your corporate applications from partner-managed identities.
  You can create cross-company relationships by inviting and authorizing users from partner companies to access your resources
[Diagram – Microsoft Azure: Tenant (Org 1) with Azure Active Directory (User A, Group G) and SharePoint Online (Office 365); Tenant (Org 2) with Azure Active Directory (User X, Group W) and SharePoint Online (Office 365); B2B Sync between the two tenants]
Page 30
• Create team- and project-based SharePoint sites
• Edit documents together at the same time
• Access files across devices
• Share internally and externally
• Versioning, archiving
• IRM protection
• External users do not require an Office 365 license to access files shared with them
Page 31
Other collaboration tools offered by Microsoft 365:
• Lync instant messaging
  Supports federation with Lync in other organizations
• Shared team/project mailboxes
• Share your calendar with people outside of the organization
• OneDrive for Business
Page 32
RMS protection
• SharePoint Online supports RMS protection
• RMS protection is applied when the document is downloaded from SharePoint Online or when it is opened for editing in Microsoft Office.
• The applied RMS protection is determined based on the permissions of the user on the site that contains the file:

  SharePoint permission        IRM permission
  Manage SharePoint site       Full Control: generally allows a user to read, edit, copy, save and modify permissions
  Edit items, manage lists     Edit, copy and save (print only if allowed in the library settings)
  View items                   Read (print only if allowed in the library settings)
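The license flow diagram (acquire RMS license, auth, use, log / report), the use-case example (User X may open, a copy forwarded to User Y is useless) and the permission table above, combined into one small runnable model. This is an added illustration written for this page, not code from Microsoft RMS, SharePoint Online or Secure Islands. Assumptions, also marked in the comments: a SHA-256 counter-mode keystream stands in for the AES content key of real RMS, the RmsServer class stands in for Azure RMS together with the SharePoint site permissions it consults, and the site, user and document names are constructed.

```python
import hashlib
import secrets
from dataclasses import dataclass

# SharePoint permission level -> IRM rights, following the table above.
IRM_RIGHTS = {
    "manage": {"view", "edit", "copy", "save", "change_permissions"},
    "edit": {"view", "edit", "copy", "save"},
    "view": {"view"},
}


def _keystream(key, nonce, length):
    # SHA-256 in counter mode: a toy stand-in for the AES content key of real
    # RMS (assumption: the cipher here is ours, not Microsoft's).
    out, block = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def _xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))


@dataclass(frozen=True)
class ProtectedDocument:
    """What actually travels by e-mail, file share or USB stick."""
    site: str          # publishing policy: the site whose permissions govern access
    content_id: str    # names the content key the server holds
    nonce: bytes
    ciphertext: bytes  # the content key itself is never inside the file


@dataclass(frozen=True)
class UseLicense:
    content_id: str
    user: str
    key: bytes
    rights: frozenset


class RmsServer:
    """Hypothetical stand-in for Azure RMS plus the SharePoint site permissions it consults."""

    def __init__(self, site_acls, print_allowed=()):
        self.site_acls = site_acls               # site -> {user: permission level}
        self.print_allowed = set(print_allowed)  # library setting: sites that allow printing
        self._keys = {}                          # content_id -> content key
        self.log = []                            # what "Log / Report" would collect

    def publish(self, site, author, plaintext):
        # Protection is applied on download from SharePoint; the key stays on the server.
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        content_id = hashlib.sha256(nonce).hexdigest()[:16]
        self._keys[content_id] = key
        self.log.append(("publish", site, author, content_id))
        return ProtectedDocument(site, content_id, nonce,
                                 _xor(plaintext, _keystream(key, nonce, len(plaintext))))

    def acquire_license(self, user, doc):
        # Authorization is evaluated at every open against the *current* site
        # permissions, so joiners, movers and leavers need no re-sent files.
        level = self.site_acls.get(doc.site, {}).get(user)
        if level is None:
            self.log.append(("denied", doc.site, user, doc.content_id))
            raise PermissionError(f"{user} has no permission on site {doc.site}")
        rights = set(IRM_RIGHTS[level])
        if doc.site in self.print_allowed:
            rights.add("print")
        self.log.append(("license", doc.site, user, doc.content_id, level))
        return UseLicense(doc.content_id, user, self._keys[doc.content_id], frozenset(rights))


def open_document(doc, lic):
    """The RMS-enlightened application: decrypt with the key released in the use license."""
    if lic.content_id != doc.content_id:
        raise ValueError("license does not belong to this document")
    return _xor(doc.ciphertext, _keystream(lic.key, doc.nonce, len(doc.ciphertext)))


def run_use_case():
    """Steps 1-4 of the use-case example, plus a leaver losing access to a copy he already holds."""
    secret = b"Q3 forecast: confidential"                       # constructed document
    rms = RmsServer({"org1-team-site": {"userA@org1": "edit", "userX@org2": "view"}})
    doc = rms.publish("org1-team-site", "userA@org1", secret)  # step 1: X downloads from Org 1
    x_lic = rms.acquire_license("userX@org2", doc)             # step 2: X is entitled
    result = {"x_reads": open_document(doc, x_lic), "x_rights": set(x_lic.rights)}
    try:                                                       # steps 3-4: X forwards the file to Y
        rms.acquire_license("userY@org2", doc)
        result["y_denied"] = False
    except PermissionError:
        result["y_denied"] = True
    result["y_sees_plaintext"] = doc.ciphertext == secret      # the file alone gives Y nothing
    del rms.site_acls["org1-team-site"]["userX@org2"]          # X leaves the project
    try:
        rms.acquire_license("userX@org2", doc)
        result["x_after_leaving"] = "license issued"
    except PermissionError:
        result["x_after_leaving"] = "denied"
    result["denials_logged"] = sum(1 for e in rms.log if e[0] == "denied")
    return result


if __name__ == "__main__":
    for k, v in run_use_case().items():
        print(k, v)
```

The model makes the two properties the slides rely on explicit. The forwarded file carries a pointer to the governing policy and ciphertext, but no key, so possession is not access. Every open goes back to the server for a use license, so removing a user from the site, or revoking the document, takes effect on copies already in circulation; the price is that the licensing server must be reachable and is fully trusted, which is why the logging side of the diagram matters as much as the encryption side.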
Page 33
Extended RMS features
• Extended SharePoint RMS features with Secure Islands IQP
  Storage of encrypted and classified data in SharePoint
  Optional indexing of encrypted data to keep the search capabilities
Page 34
Live Demo
SharePoint Online and Azure RMS
Page 35
[Diagram – Org 1 and Org 2, each with on-prem Active Directory (User A / Group G, User X / Group W), Federation Service (ADFS) and Directory Synchronization (AADConnect) into their Azure Active Directory tenant and SharePoint Online (Office 365); User X is provisioned into Tenant (Org 1) by B2B Sync; Azure RMS protects the Data, which reaches User Y via Fileshare, Exchange, USB Stick, etc.]
Page 36
…challenges regarding credentials and device policies
Maintaining control of users’ application access across on-prem and cloud platforms is challenging
Page 37
• Federation introduces single (or hybrid) identities
  Such identities span on-premises and cloud-based capabilities, creating a single user identity for authentication and authorization to all resources, from any device, regardless of location
• Questions
  How to assess the assurance level of credentials? Are smartcards, virtual smartcards, HW-based OTPs, SW-based OTPs, SMS tokens, biometrics, etc. equivalent to each other?
  How to determine the assurance level of credentials based on federated tokens (ABAC, policies, agreements)?
  How to determine the security capabilities and security policies of devices (corporate-managed devices, BYOD, MDM, etc.)?
Page 38
• Cloud-based solutions enable new business processes
  Secure collaboration B2B and B2C
• Fast evolving
  Frequent feature releases of cloud-based components (RMS, SP Online, Intune, etc.)
  Increased interoperability of cloud-based components