An Introduction to Microsoft Azure Information Protection

Coming up, a look at the new Microsoft Azure Information Protection, a new solution that makes it simpler to classify and protect information even as it travels outside of your organization. We will show you new options that let you define how your users can classify their documents and emails during the normal course of their work, how you can define the labels, protection, and visual markings appropriate for your organization, and finally, how to track sensitive documents when they travel and how to stop them in their tracks.

Microsoft Mechanics

I'm joined by Dan Plastina, well known as the RMS guy.

Thanks Simon, good to be here.

So Dan, we've covered a lot of technologies designed to protect data on the show, from data loss prevention to rights management. What's behind this latest solution? What are you trying to solve?

So, it used to be that organizations had a perimeter. That perimeter contained the majority of business activity, and the services were really insourced, far more insourced compared to now. Then, as your employees became mobile, you started to punch a whole lot more holes in your firewall, and now activity is happening outside that perimeter. The MDM, mobile device management, offerings solve for this, and Intune is an example of that. However, unfortunately, if you're in IT now it's a common practice that sensitive data leaves your organization every single day. It's stored in the cloud and it's given to other people.

So, are you suggesting that I need to protect all of the data that leaves my organization?

Oh no, absolutely not. Office 365 and other services provide incredible value by reasoning over data, by being able to look at it. Users will demand that you preserve this value: search, web views, and so on. So really what we're about is helping you protect that small set of data, the confidential data or even the secret data, so that you can feel safe with that. We're going to do that by protecting the document itself. Even then, when protected, services like Exchange, Outlook and other products we have are able to reason over that data or react to that data properly. It's that balance that we're striving to achieve.

So how does our team really get their arms around this then, if they aren't protecting everything?

What we're going to help with is a simple five-step program. The first part is you will classify your data. That means that you're going to understand what is sensitive and what is not. That will result in labeling: we're going to label the content so that other systems can behave better knowing the sensitivity of the data. Third, if necessary, we'll protect the data. Now that you have a smaller set of sensitive data, you can monitor it for use and possible abuse. If the data is being abused, you can use some new technologies that I will show you later, or you can walk down the hall and talk to HR and deal with it some other way.

Sounds pretty great in theory, but I guess in practice this could be pretty cumbersome to put into place. Can you show me what it looks like?

Sure, absolutely. First, Microsoft has a lot going on in this space. You've already seen some of the cool DLP offerings on this show before, so I'm going to focus on how it is we make it easier to actually classify, label, and protect data. So, I'm in Word here. This is Word 2016 with our add-on, the Information Protection add-on, and I have a document. It's a sensitive Contoso financial document. What I'm going to do is classify it. It's not classified today, and I'm going to say that it's confidential. That's it, this document is confidential. Now, if I don't think it was confidential, let's say I want to say it is something more, I just change this, and I'm going to say that this one is secret, for finance only. At this point I've classified that document.

That was pretty slick actually; it didn't look like you did any work at all. What's going on in the background?

Of course. In fact we did a whole lot. So the first thing we did was invite the user to classify the content. In this particular case we did it manually. Some institutions are regulated and require manual intervention. So I classified this as secret, for finance only. You can see that up here in the top. The next thing we did was persistently label this file. This file now has a marking that it's secret, finance only, and other services can look at that tag and deal with it. Third, we protected it. If I go here into the Backstage view, you can see that this document is protected with a Microsoft policy. So, done.

I'm an IT guy. Can I automate this for my users?

Absolutely. Classification would normally be done via DLP. Sometimes that's not possible, as I said earlier, so we did it manually, and I'll show you how we automate it with this particular demo. So I'm in Word here, and I've got a document. It's a personal document, but I typed in a credit card number. Now, in this particular instance, the credit card number is not permitted; it triggers some rules in my company. And so, I'm going to go to save this document. You'll notice at the top it says "It is recommended to label this document as secret, finance only". I just said it was a personal doc, so of course I'm not going to do that, and so I'll say this document is personal. The act of saying it was personal did not protect it. It labeled it as personal, and so now it's my own document.

Now let's go to another document. In this particular case, this document is a Word document. It's an Azure fraud prevention scenario, and there's an attack vector where people were typing in credit cards. So I just wrote this up and I'm about to save it. And here, when I hit Ctrl+S, you'll notice that a watermark was added at the bottom. The big "Secret" was plastered all over the document. The document was set to secret, finance only. And if I go back into the Backstage view, you'll see that it was protected. It did all of that with no input from me. So that's full automation in that case.

So this looks really familiar with an Office DLP demo. What's the nuance here?

Yeah, the nuance is that now what we're doing is classifying, labeling, and protecting everything all at once. In the past you would have just classified it, so this is much better together.

OK, so presumably IT is sometimes going to get this wrong, especially if they're a bit over-ambitious with the automation. What then?

Well, in this particular case, we're shooting for getting the right balance here. Getting the rules right is not always a slam dunk, and this is not easy. So just as Office DLP detection had overrides, we will do the same. And the personal use case was one example of that override, where I just said, no, this is personal, for that recommendation. But we will have others where you're forced to do a justification of that override.

Great. This is really important, to be able to prevent a work stoppage and having users complain to the help desk when IT gets it wrong. It's good how we're balancing lockdown versus usability.

Yes, I fully agree.

Everything that you've shown me thus far was within my company. What about when I want to share with partners and customers, B2B and B2C?

Yeah, let's do that. So we're going to flip to the iPad. If you don't mind, I'm going to be showing you a couple of emails that I sent earlier, just to save a little bit of time. So this first email is one where I sent a document to someone external to the company, and I got a custom rule, and the rule basically bounced back saying "Data classified as SECRET can't leave the organization unless classified as SECRET EXTERNAL PERMITTED". So I then got that message, I went back and I created a new document. This one is external permitted; being a manager, I was allowed to do that. Now I'm going to open up that document in Word. So Word will launch, and it's going to load that document. What we're going to see is the same protected document with the same watermark that you saw earlier. So Word's enabled for this ecosystem.

So that was the demo of protected content. Now, we could have used Office Message Encryption instead of a native RMS implementation, and that would have given us the opportunity to do a one-time password. That's been covered on your show before, so we won't do that today.

And this opens up secure email to everyone, right?

Yeah, absolutely, that was the idea. A lot of other schemes like S/MIME or PGP have complicated key management schemes, and we're trying to get away from that. Want me to show you one more demo?

Yeah, sure.

OK, so let's go back to the mail client. This time I've got a document that I've sent using our mobile application and our sharing application. You'll note here that there are two documents: there's the Excel spreadsheet and a protected PDF. So let's open up the Excel spreadsheet, just like we did the Word document. Here Excel is opening this up. I just protected this the same way the other one was protected. I'm going to take a minute and show you the permissions. In this case, the permissions are quite generous, because I'm logged in with my work account, so you're seeing permissions for me as the author of this document.

Let's leave there and go to my personal email account, where the same email came in. So here I see the PPDF, and we're going to open that with our mobile application. This time we're going to log in. I recently used the app, so it's going to single sign-on. And you see the same spreadsheet. But if you look here to the right, I only have view permissions, granted to me by my work account, but this is my personal account, and now I have access to that content.

So, let's for a second go back to my work email. Here in my work email, you see that when I shared that document, the very first thing I got was an email that said "Click here to learn who opened your document, or revoke access to it". So I have a tracking portal capability to track use of that data. There are two emails here. Whoops, one just shut off. So we just opened the doc, and this email is notifying me that... let's go take a peek. That [email protected] was granted access on this document. So here I can go and track this. I'll click on the "here" link. It's going to bring me to the Azure portal. So this is something that anybody who shares content has the ability to see. You can sign in and get a tutorial and learn about the various features of this portal. Now, I'm not going to do this here. I'm going to do this on the PC, because I don't want you to watch me type my password in on the iPad.

So let's just do the same thing here. Now I'm on my PC and I'm in the tracking portal for that document. You can see that it's "quarterly sales report.xlsx". The bird indicates the document is still flying around. It was shared on June 11th, today, and there have been many views by three users. No denied access to this point, and it's been a little while since activity. Now, if I reload this page, you're going to see that the time since last activity will change, because I just consumed the document. So now it says two minutes since last activity.

Let's go take a peek at the map view. So the map is going to show me who has had access to this content. So I can see there's a 20 number in here. Let's zoom in a little bit on that. I see someone in California and I see someone in New York. That's a little bit of a concern. But I can continue zooming in and looking at the bottom and seeing who's accessing the document, and you can see the various times that I've accessed this from my personal account. Let's zoom out here and go look at the people on the East Coast. That's me too. That's not right, because I'm here in Redmond right now. So why don't we revoke access to this document. So I'm going to revoke access. It's asking me to confirm; it's an important operation. I will confirm. And now this document is being revoked. So at that point, the revoke is complete. I'll close this, and when we do, the bird that was flying around is no longer there. Now on screen you see that the document was revoked. It was revoked on June 11th.

Let's go back to the device now. On the device we're going to go back to my personal email account and we're going to open that PPDF again. We're going to open it in our mobile application and it's going to get a license. It's going to single sign-on. And in the process of getting a license, now you see "Your account doesn't have permission to view this content. Contact the owner for permission." So the document was revoked. You could have had this in your pocket. You could have had this offline. There's no way you're opening this document again.

This is amazing. So how can these guys actually turn this on now? How do they light this up?

OK, well, let's go into our admin portal. This is the Ibiza portal for Azure Information Protection. I'm going to go in on the Azure Information Protection service. You're going to see here the labels that we showed earlier: Personal, Public, Internal, Confidential and Secret. I'm going to use the top link and I'm going to change some of the global settings. Here I can change sensitivity strings. I can change descriptions to be compliant with my organization. But I'm going to turn on mandatory labeling. Now I'm going to go click on Secret, and what we're going to do is look at the Secret settings. This is the Secret label. Again, I can change descriptions. And we're going to click on the impact of this label, and then look here to note that there is no RMS template, so there's no protection at this time. So I'm going to click on that drop-down. I'm going to pick "Contoso FTE read-only". And now we have a policy assigned with this label. I'm going to look at the visual markings. I'm all happy with that. Now, once I'm done with that, I close my blade. I'm notified that I need to publish this policy in order to affect all of the endpoints. So I'm going to do that, and confirm. And at that point my policy was published and the notification goes away.

What about automation?

Automation here is similar to what we've had before. You've seen this in Office 365 DLP. Generally speaking, we are going to have the same thing. We want to share one set of policy that's used by all of the endpoints. To that end, we are working with a lot of partners, both internal, such as our Cloud App Security team, and we're also working with all of the DLP vendors and some industry leaders in the information protection space. What we want is to get everybody to adhere to the same set of labeling and classification models. And so far, so good. Everyone's really excited; they know it's the right thing to do.

How can folks keep up to date with this stuff?

Well, I'm the RMS guy, and on the screen there are a couple of links. If you happen to be a developer and you want to contact us about participating in some of our frameworks, email us at [email protected].

Thanks Dan. Don't forget to keep watching Microsoft Mechanics for the latest in tech updates. Thank you for watching, and bye for now.

Microsoft Mechanics www.microsoft.com/mechanics
