MANAGEABILITY
Prevent corporate data leakage using EM+S
Frans Oudendorp
expertslive.nl/wp-content/uploads/2016/12/Prevent-corporate-dataleakage-with-EMS.pdf


Page 2

Frans Oudendorp
Consultant, Inovativ
Enterprise Mobility + Security
Windows 10
@oudendorp

Page 3: Agenda

• What is Enterprise Mobility + Security
• Why protect information
• What is Azure Information Protection
• Demo, Demo, Demo
• Summary

Page 4: What is EM+S?

Page 5: Enterprise Mobility + Security

• Microsoft Intune: Protect your users, devices, and apps
• Microsoft Advanced Threat Analytics: Detect threats early with visibility and threat analytics
• Microsoft Cloud App Security: Extend enterprise-grade security to your cloud and SaaS apps
• Azure Active Directory Premium: Manage identity with hybrid integration to protect application access from identity attacks
• Azure Information Protection: Protect your data, everywhere

Page 6: In this session: Information Protection

Protect your data, everywhere


Page 8

• Perimeter protection
• Identity, device management protection
• Hybrid data = new normal
• It is harder to protect
• How much control do YOU have?

Page 9

• Empower users to make right decisions
• Enable safe sharing internally and externally
• Data level protection
• Maintain visibility and control
• Protect your data at all times

Page 10: The evolution of Information Protection

• Monitor & respond: DOCUMENT TRACKING, DOCUMENT REVOCATION
• Classification & labeling: LABELING, CLASSIFICATION
• Protect: ENCRYPTION, ACCESS CONTROL, POLICY ENFORCEMENT

Page 11: Azure Information Protection

Full Data Lifecycle

• DOCUMENT TRACKING
• DOCUMENT REVOCATION
• LABELING
• CLASSIFICATION
• ENCRYPTION
• ACCESS CONTROL
• POLICY ENFORCEMENT

Page 12: Classify Data – Begin the Journey

Classify data based on sensitivity

• Start with the data that is most sensitive
• IT can set automatic rules; users can complement it
• Associate actions such as visual markings and protection
• IT admin sets policies, templates, and rules

Labels shown: SECRET, CONFIDENTIAL, INTERNAL, NOT RESTRICTED, PERSONAL

Page 13: Classification user experiences

• Reclassification
• Automatic
• Recommended
• Manual

Page 14: Apply Labels based on classification

Persistent labels that travel with the document

• Labels are metadata written to documents
• Labels are in clear text so that other systems such as a DLP engine can read them
• Labels travel with the document, regardless of location

Labels shown: FINANCE, CONFIDENTIAL

Page 15: Protect data against unauthorized use

Protect data needing protection by:

• Encrypting data
• Including authentication requirement and a definition of use rights (permissions) to the data
• Providing protection that is persistent and travels with the data

[Figure labels: FILE; Email attachment; VIEW, EDIT, COPY, PASTE; Personal apps; Corporate apps]

Page 16: How Protection Works

• Each file is protected by a unique AES symmetric key
• Usage rights and symmetric key stored in file as “license”
• License protected by customer-owned RSA key

[Figure: "Secret cola formula" (Water, Sugar, Brown #16); PROTECT yields encrypted content + use rights; UNPROTECT restores the formula]

Page 17: How Protection Works

• Azure RMS never sees the file content, only the license
• Apps protected with RMS enforce rights
• Apps use the SDK to communicate with the RMS service/servers
• File content is never sent to the RMS server/service

[Figure: encrypted file content with use rights attached]

LOCAL PROCESSING ON PCS/DEVICES
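
The envelope scheme on the two "How Protection Works" slides, as an added example that is not from the presentation or from Microsoft: a per-file AES key, a license holding that key plus the use rights sealed with an RSA key, and a service that only ever receives the license. The function names, e-mail addresses and JSON license layout are assumptions for illustration, not the Azure RMS file format or API.

```javascript
const nodeCrypto = require('crypto');

// Constructed stand-in for the customer-owned RSA key pair (hypothetical tenant).
const tenant = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Device side: encrypt the content with a fresh AES key, then seal that key and
// the use rights into a "license" with the tenant public key (RSA-OAEP).
function protectFile(plaintext, rights) {
  const key = nodeCrypto.randomBytes(32); // unique per file
  const iv = nodeCrypto.randomBytes(12);
  const enc = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([enc.update(plaintext, 'utf8'), enc.final()]);
  // Assumed JSON layout; must stay under the OAEP limit (214 bytes for RSA-2048).
  const policy = JSON.stringify({ key: key.toString('base64'), rights });
  const license = nodeCrypto.publicEncrypt(tenant.publicKey, Buffer.from(policy));
  return { license, iv, tag: enc.getAuthTag(), body };
}

// Service side: receives only the license and the caller, never `body`.
function rmsIssueKey(license, user, action) {
  const raw = nodeCrypto.privateDecrypt(tenant.privateKey, license);
  const policy = JSON.parse(raw.toString('utf8'));
  const has = Object.prototype.hasOwnProperty.call(policy.rights, user);
  const granted = has ? policy.rights[user] : [];
  return granted.includes(action) ? Buffer.from(policy.key, 'base64') : null;
}

// Device side: a rights-enforcing app asks for the key and decrypts locally.
function openFile(file, user, action) {
  const key = rmsIssueKey(file.license, user, action);
  if (key === null) return null; // right not granted: content stays encrypted
  const dec = nodeCrypto.createDecipheriv('aes-256-gcm', key, file.iv);
  dec.setAuthTag(file.tag);
  return Buffer.concat([dec.update(file.body), dec.final()]).toString('utf8');
}

// Constructed sample: the slide's cola formula with two hypothetical users.
const formula = protectFile('Water, Sugar, Brown #16', {
  'alice@contoso.example': ['VIEW', 'EDIT'],
  'bob@vendor.example': ['VIEW'],
});
console.log(openFile(formula, 'alice@contoso.example', 'EDIT'));
console.log(openFile(formula, 'bob@vendor.example', 'EDIT'));
```

Only `license` crosses to `rmsIssueKey`; in this sketch the service hands back the raw content key, a simplification of how a real rights-management service would return it to an authenticated client.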

Page 18

Azure Information Protection:

• Document tracking
• Rights management
• Data encryption
• Policy enforcement

Azure Active Directory

Share internally, Share externally

Page 19: Secure collaboration with Azure IP

• Recipient email: [email protected]
• Email notifications
• Expiration: 5 days
• Permissions: Read only

[Figure labels: Sender; Vendor; Vendor 2; Azure Information Protection; Username and Password sign-in on both sides]

Page 20: Azure RMS deployment

• Data protection for organizations at different stages of cloud adoption
• Ensures security because sensitive data is never sent to the RMS server
• Integration with on-premises assets with minimal effort

[Figure labels: Authentication & collaboration; RMS connector; Authorization requests via federation (optional); AAD Connect; ADFS; Service supplied Key; BYO Key]

Page 21: Azure RMS deployment

• Data protection for organizations at different stages of cloud adoption
• Ensures security because sensitive data is never sent to the RMS server
• Integration with on-premises assets with minimal effort
• Hold your key on premises

[Figure labels: Authentication & collaboration; RMS connector; Authorization requests via federation (optional); AAD Connect; ADFS; Service supplied Key; BYO Key; Hold-your-own Key]

Page 22: DEMO

• Management of Azure Information Protection
• Default, Manual and Automatic classification
• Justification when lowering classification
• Integration with Office 365 DLP
• Monitoring and revocation

Page 23: The story of a file

Persistent labels enable a unified information protection language

• File is created (via multiple sources)
• User opens the file for editing
• Collaborate through SharePoint Online
• User opens the file on mobile
• Upload to other cloud service for external sharing

Products shown: Azure Information Protection client, Office 365 DLP, Microsoft Cloud App Security, Windows Information Protection, Intune

Page 24: Enterprise Mobility + Security

Plans shown: EMS E3, EMS E5

Information protection
• Azure Information Protection Premium P2: Intelligent classification and encryption for files shared inside and outside your organization (includes all capabilities in P1)
• Azure Information Protection Premium P1: Encryption for all files and storage locations; Cloud-based file tracking

Identity-driven security
• Microsoft Cloud App Security: Enterprise-grade visibility, control, and protection for your cloud applications
• Microsoft Advanced Threat Analytics: Protection from advanced targeted attacks leveraging user and entity behavioral analytics

Managed mobile productivity
• Microsoft Intune: Mobile device and app management to protect corporate apps and data on any device

Identity and access management
• Azure Active Directory Premium P2: Identity and access management with advanced protection for users and privileged identities (includes all capabilities in P1)
• Azure Active Directory Premium P1: Secure single sign-on to cloud and on-premises apps; MFA, conditional access, and advanced security reporting


Page 27

Next session: 10:15 – 11:15
The demise of RemoteApp gives chances to RDS and Xenapp Express
Arjan Vroege and Danny van Dam