In this session I go over the functional and management side of Azure Information Protection. The new Office 365 Sensitivity labels were also discussed and demonstrated.
5. #SPSGeneva
Albert Hoitingh
• Solution Architect
• Motion10
• The Hague
• Working for over 25 years in IT (sigh…..)
• Microsoft MVP for Enterprise Mobility
6. #SPSGeneva
Our four goals for this session
• Have an understanding of AzureIP from a functional and IT management perspective
• Know about Office 365 message encryption
• Get to know the new sensitive information labels in Office 365
• See the Microsoft roadmap for information protection
12. #SPSGeneva
Protect
• Standard permissions or custom
• Based on label or “do it yourself”
• User, group or domain based
• Super-user role
• Owner stays in control
• Protection stays with content
18. #SPSGeneva
Azure Information Protection Scanner
• Detect, label and protect content on file shares, NAS and on-premises SharePoint farms
• Exchange on-premises is not covered by the scanner
• Discovers and can also classify
• Creates reports of discovered information
• New scanner dashboard is now available
19. #SPSGeneva
Microsoft Cloud App Security
• Label and protect content in SaaS applications
• Can scan for sensitive content across SaaS applications
• Applications included are Office 365, Dropbox, OneDrive, Salesforce and more
• Can apply policies when a label is detected
26. #SPSGeneva
Office 365 sensitivity labels
• Aims to bring AzureIP and Office 365 together
• Offers both labels and settings for SharePoint sites
• Requires a new sensitivity client (not the AzureIP client)
• Note the distinction between sensitivity and retention labels!
27. #SPSGeneva
Labels extend to SharePoint sites and groups
• Set controls on sites based on the label
• Set the site’s classification based on the label
28. #SPSGeneva
Sensitivity labels vs. AIP
• Managed from the Security & Compliance Center
• Only works with Office 365 groups or persons
• Enables Windows 10 endpoint data loss prevention
• Custom permissions and remove permissions don’t work in Office
• Does not offer:
• Color
• Hold your own key
• Automatic application of label
31. #SPSGeneva
• Unified Labeling in Office SCC (Now)
• Unified Labeling in new M365 SCC (EOY18)
• Labeling in Office apps on Mac and mobile (Preview now)
• Labeling in Office apps on Windows (Preview EOY18)
• Labeling in Outlook mobile (Preview EOY18)
• Adobe PDF Preview and GA with MIP
• Windows GA with MIP labels
• MCAS + MIP GA
• MIP SDK GA
• AIP customers starting migration on pre-prod tenants
• Partner ISVs going GA with MIP
Now – 3 Months
• Auto-classification for sensitivity outcomes
• AIP customers migrate to using M365 SCC for admin experiences
3 – 6 Months
Microsoft roadmap https://www.yammer.com/askipteam/#/home
32. #SPSGeneva
Takeaways
• There’s a lot happening with Microsoft Information Protection
• (Azure) Information Protection is a piece of the puzzle
• Automate Azure Information Protection for the important stuff (PII, highly confidential, etc.)
• Content is everywhere, use Cloud App Security/PowerShell/AIP scanner to identify and protect
• Look at the new sensitivity labels and Office 365 integration
The workstation's Event Viewer logs actions.
Microsoft is considering building a dashboard for this.
FIPS: The Federal Information Processing Standard (FIPS)
SHA: Secure Hash Algorithm 2
AES: Advanced Encryption Standard (AES)
- Allow HTTPS traffic on TCP 443 to api.informationprotection.azure.com.
- Do not terminate the TLS client-to-service connection (for example, to do packet-level inspection). Doing so breaks the certificate pinning that RMS clients use with Microsoft-managed CAs to help secure their communication with Azure RMS.
- If you use a web proxy that requires authentication, you must configure it to use integrated Windows authentication with the user's Active Directory logon credentials.
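A check for the "do not terminate TLS" requirement above, as an added example that is not part of the original deck or of Microsoft's tooling: it classifies the issuer of the certificate presented for the Azure RMS endpoint against the names of your own inspection CAs. The pattern list and both sample certificates are constructed assumptions.

```python
import fnmatch
import socket
import ssl

RMS_HOST = "api.informationprotection.azure.com"  # host named in the notes above

def issuer_fields(peercert):
    """Flatten getpeercert()['issuer'] (a tuple of RDN tuples) into a dict."""
    return {key: value for rdn in peercert.get("issuer", ()) for key, value in rdn}

def looks_intercepted(peercert, inspection_ca_patterns):
    """True if the issuer CN or O matches one of your own inspection-CA patterns."""
    fields = issuer_fields(peercert)
    names = [fields.get("commonName", ""), fields.get("organizationName", "")]
    return any(fnmatch.fnmatch(name.lower(), pattern.lower())
               for name in names for pattern in inspection_ca_patterns)

def check_endpoint(inspection_ca_patterns, host=RMS_HOST, port=443, timeout=10):
    """Connect directly; return 'passthrough', 'intercepted' or 'untrusted-chain'."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        # Chain not trusted by this machine: often a re-signing device whose CA
        # is missing from the local trust store.
        return "untrusted-chain"
    return "intercepted" if looks_intercepted(cert, inspection_ca_patterns) else "passthrough"

# Constructed sample data (not real certificates) so the logic runs offline.
SAMPLE_PASSTHROUGH = {"issuer": ((("countryName", "US"),),
                                 (("organizationName", "Constructed Public CA Inc"),),
                                 (("commonName", "Constructed Public TLS CA 01"),))}
SAMPLE_RESIGNED = {"issuer": ((("organizationName", "Example Corp"),),
                              (("commonName", "Example Corp TLS Inspection CA"),))}
PATTERNS = ["*inspection ca*"]  # assumption: how your inspection CA is named

if __name__ == "__main__":
    print(looks_intercepted(SAMPLE_PASSTHROUGH, PATTERNS))
    print(looks_intercepted(SAMPLE_RESIGNED, PATTERNS))
```

`check_endpoint` connects directly, so it only observes transparent inspection; traffic that leaves through an explicit proxy has to be tested through that proxy.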
Explain access clearly!
https://docs.microsoft.com/en-us/azure/information-protection/secure-collaboration-documents#example-configuration-for-a-label-to-apply-protection-to-support-internal-and-external-collaboration
Azure AD (own, synced, or via a Microsoft RMS account)
Federated social (Google, Yahoo, Microsoft)
Office account (requires Office 2016 Click-to-Run)
Everyone (only works with Office 365 message encryption) – works with a one-time passcode