Use AADRM (Rights Management Services) with Office 365
Benoit HAMET
Sydney, June 5th 2013
Microsoft MVP
June 2013 Event
This work is licensed under a
Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
The information contained in this presentation is proprietary.
© 2012 Capgemini. All rights reserved.
Who am I
Benoit HAMET
Manager – Microsoft Technologies Specialist at Capgemini
MVP Office 365
http://blog.hametbenoit.info
http://www.linkedin.com/in/benoithamet
http://twitter.com/benoit_hamet
Copyright © Capgemini 2013. All Rights Reserved
Microsoft MVP Event
Use AADRM with Office 365 | June-13
Agenda
Terminology and Definition
Information Protection Requirements & Approach
What is Rights Management and how does it work?
RMS in Office 365
Integration with Exchange, Office and SharePoint
Glossary
IRM: Information Rights Management
DRM: Digital Rights Management
RMS: Rights Management Services
RMS Online (AADRM): Cloud-based Rights Management Service
Publishing License: the license a document is published with
Usage License: the license to use the document
AD: Active directory
ADFS: Active Directory Federation Services
Terminology and Definition
Protection: Encryption + Policy + Policy enforcement
Encryption: Targets securing data in transit or at rest, but only until consumed
Policy: Definition of who (identity) can do what (conditions) on a protected item
Policy Enforcement: Application-specific code to enforce common, standardized behaviors
Windows Azure AD Rights Management: An offering that is a part of Office 365
RMS: Rights Management Services
IRM: Information Rights Management, interchangeable with Rights Management
ERM/DRM: Enterprise or Digital Rights Management
Content-Aware Data Leakage Protection (DLP): Relies on ‘agents’ to apply Protection (encryption + policy) to content
[Diagram: Enterprise DRM Services – Content Protection Policies; software responsible to protect content; people responsible to protect content]
Information Protection Requirements
Data is protected at the source
Modern apps save directly to ‘foreign storage’ so they must encrypt before data leaves the app
Data is protected in ‘usable chunks’
Use patterns are at the document level; not at the full drive level (e.g.: BitLocker)
Especially true on constrained-resource mobile devices; on shared cloud-based storage
Very strong encryption at rest is required; pretty good protection in apps is fine
Assume the data is exposed to adversaries when at rest (pre-authorization)
Presume the user is “trustworthy but possibly absent minded” (post-authorization)
Flexible model to support offline use or online authorization; ITPro decides
Per-app policies and customization(s) to increase usability (reduce friction)
Per-application optimizations (Outlook vs. Word); App Context Matters
Information Protection Approach
Protect files with EFS
Everyday Metaphor: Locking bike rack – useful at that particular location but nowhere else.
Once a good idea but not very useful in modern times… who has only one device?
Lock up personal data stores with BitLocker / BitLocker to Go
Everyday Metaphor: Lock on the front door of your home. Good, but once open, everyone gets in.
Great way to protect against lost laptops and other assets but not at a granular level
Rights Management on-premises, in the cloud, across ‘tenants’ and to guests
Everyday Metaphor: Certified mail that, when closed, requires re-certification before reuse.
Protection for data ‘in the wild’ with flexible terms-of-use, and transport agnostic
Generic file protection using ‘Rights Protected Folders’
SharePoint ‘Secure Libraries’
Everyday Metaphor: A well-run public library whose librarian actually asks to see your identity
Great way to host data that can be centralized; data that leaves is protected
Pro-active protection (aka DLP) via Exchange, FOPE, FCI, ISV offers, etc.
Everyday Metaphor: A persistent yard caretaker for your ‘digital landscape’
Voluntary application of RM will only get you so far; DLP offers at strategic points do wonders!
Combined, these offers give you protection of lost assets, data in repositories, data in flight (user protected or not), and IT-controlled* auditing of data usage.
What is Rights Management?
Information Protection technology
Protection is persisted with the data; content can travel anywhere (desktops, file shares, USB keys, network and devices)
Combines encryption, access controls and policy expression and enforcement
Prevent the accidental disclosure of sensitive data by applying usage policies (cannot forward, cannot print, read-only)
Simple to use
Authors just select a policy option, consumers just open documents
Securely share data with individuals within and outside of your organization.
How does RMS work?
[Diagram: the author publishes the document with a Publishing License + keys; the consumer presents user certificates and receives a Use License. Example policy shown on the slide:]
Galactic Empire Confidential – You cannot copy, print or export this information in unprotected form to droids of any class.
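To make the flow on this slide concrete, and the "Encryption + Policy + Policy enforcement" definition from the Terminology slide, here is an added example that is not code from the presentation, from Capgemini or from Microsoft. Everything in it is a constructed stand-in: an HMAC-SHA256 counter keystream plays the role of AES, a tenant key and per-user keys replace the RSA key pairs of real RMS, the identities and policy are made up, and the server API (`RmsServer`, `protect`, `consume`) is this example's own, not the AADRM protocol, license format or SDK.

```python
import hashlib
import hmac
import json
import secrets


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with an HMAC-SHA256 counter keystream (stand-in for AES, not production)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class RmsServer:
    """Models the licensing service (on-premises RMS or AADRM). Hypothetical API for this example."""

    def __init__(self):
        self._root_key = secrets.token_bytes(32)  # tenant key: never leaves the service
        self._user_keys = {}                       # identity -> key issued with the user certificate

    def _sign(self, body: dict) -> str:
        # Canonical JSON so both sides sign the same bytes
        return hmac.new(self._root_key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

    def _verify(self, obj: dict) -> bool:
        body = {k: v for k, v in obj.items() if k != "sig"}
        return hmac.compare_digest(self._sign(body), obj.get("sig", ""))

    def issue_user_certificate(self, identity: str):
        """After AD/ADFS sign-in the user gets a certificate plus a key the service wraps content keys to."""
        user_key = secrets.token_bytes(32)
        self._user_keys[identity] = user_key
        cert = {"identity": identity}
        cert["sig"] = self._sign(cert)
        return cert, user_key

    def issue_publishing_license(self, author_cert: dict, policy: dict, content_key: bytes) -> dict:
        """Bind the policy to the content key; the key is wrapped under the tenant key, so only the service can release it."""
        if not self._verify(author_cert):
            raise PermissionError("author certificate rejected")
        nonce = secrets.token_bytes(16)
        pl = {"author": author_cert["identity"], "policy": policy, "nonce": nonce.hex(),
              "wrapped_key": _xor_stream(self._root_key, nonce, content_key).hex()}
        pl["sig"] = self._sign(pl)
        return pl

    def issue_use_license(self, user_cert: dict, pl: dict) -> dict:
        """Policy decision point: release the key only to an identity the policy names, re-wrapped for that user."""
        if not self._verify(user_cert) or not self._verify(pl):
            raise PermissionError("certificate or publishing license rejected")
        identity = user_cert["identity"]
        rights = pl["policy"]["grants"].get(identity)
        if rights is None:
            raise PermissionError(f"{identity} is not granted access by the policy")
        content_key = _xor_stream(self._root_key, bytes.fromhex(pl["nonce"]),
                                  bytes.fromhex(pl["wrapped_key"]))
        nonce = secrets.token_bytes(16)
        ul = {"identity": identity, "rights": sorted(rights), "nonce": nonce.hex(),
              "wrapped_key": _xor_stream(self._user_keys[identity], nonce, content_key).hex()}
        ul["sig"] = self._sign(ul)
        return ul


def protect(server: RmsServer, author_cert: dict, policy: dict, plaintext: bytes):
    """Author side (File > Protect > Restrict Permissions): fresh content key, publishing license attached."""
    content_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    pl = server.issue_publishing_license(author_cert, policy, content_key)
    return nonce + _xor_stream(content_key, nonce, plaintext), pl


def consume(server: RmsServer, user_cert: dict, user_key: bytes, blob: bytes, pl: dict):
    """Consumer side: get a use license, unwrap the key, decrypt, return the rights the app must enforce."""
    ul = server.issue_use_license(user_cert, pl)
    content_key = _xor_stream(user_key, bytes.fromhex(ul["nonce"]), bytes.fromhex(ul["wrapped_key"]))
    return _xor_stream(content_key, blob[:16], blob[16:]), ul["rights"]


def demo():
    """Constructed walk-through with made-up identities: (view-only reader's text, its rights, outsider denied?)."""
    server = RmsServer()
    vader_cert, _ = server.issue_user_certificate("vader@empire.example")
    trooper_cert, trooper_key = server.issue_user_certificate("trooper@empire.example")
    leia_cert, leia_key = server.issue_user_certificate("leia@rebels.example")
    policy = {"grants": {"vader@empire.example": ["view", "edit", "print"],
                         "trooper@empire.example": ["view"]}}
    blob, pl = protect(server, vader_cert, policy, b"Galactic Empire Confidential: droid roster")
    text, rights = consume(server, trooper_cert, trooper_key, blob, pl)
    try:
        consume(server, leia_cert, leia_key, blob, pl)
        outsider_denied = False
    except PermissionError:
        outsider_denied = True
    return text, rights, outsider_denied
```

The point to notice is where the decision happens: the author never learns anything about future readers, the service is the only party that can unwrap the content key and does so only for an identity the policy names, and even then the application is the enforcement point for the rights it hands back (a view-only reader gets the plaintext but no print right). A protected file that leaks is therefore only ciphertext plus a signed policy until a use license is issued, and any edit to that policy breaks the signature.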
AADRM in Office 365
AADRM: Azure Active Directory Rights Management
AADRM is only available to Office 365 Enterprise plans
Easy to set up and use
Start protecting data within minutes of when you subscribe to Office 365, no on-premises infrastructure required.
Integrated within Exchange Online, SharePoint Online and Office; users will use applications and services they are already familiar with today.
Additional controls available in Exchange Online and SharePoint Online to meet your business requirements.
RMS in Office 365
Capabilities
Simple mechanism to enable Rights Management capabilities across applications and services.
Once Rights Management is enabled, Exchange and Office integration is also enabled, including IRM in Office, OWA and EAS.
Provides default templates to apply common usage rights
Simple templates to restrict access to users within a company.
Will assess usage policies during the preview timeframe to gather feedback to add or tune policies.
“Do Not Forward” and ad-hoc policies are also available.
Office 2010 and 2013 Integration
Information Worker
Applications are already familiar to users, just learn File, Protect, Restrict Permissions
Policy Templates available to easily apply protection
Users can create an ad-hoc policy to provide an additional level of control.
Office IRM integration supports Outlook, Word, Excel, PowerPoint and InfoPath
Information Control
Integrated with Exchange and SharePoint Online (more in a few minutes)
Word, Excel, PowerPoint integrated with SharePoint Document Libraries
Outlook works with Exchange IRM integrated features
Outlook 2013 is integrated with DLP and can use IRM to apply protection
Protection persisted independent of how the data is stored
Desktop, USB Drive, File Share, SkyDrive etc…
Exchange Online Integration
Information Worker
Outlook Web App – IRM messages can be created and consumed in Outlook Web App
Exchange ActiveSync – IRM messages can be consumed in EAS-based clients that have enabled Rights Management, including Windows Phone 7.5 and Touchdown for Android.
Supports collaboration across organizations
Information Control
Journaling – Creates an unprotected copy of messages for compliance purposes
Exchange Transport Rules – Enables automatic protection of content by complementing the DLP capabilities in Exchange Online
Decryption – Can decrypt content for malware scanning and the addition of disclaimers to messages.
SharePoint Online Integration
Information Worker
Protection is applied when documents are downloaded from a document library; users will not observe a difference.
Provides view-only capabilities for Web Access Companion Applications
Information Control
Great for a centralized repository of documents.
• When documents are downloaded from SharePoint, protection is applied and resides with the document no matter where it goes.
Supports all IRM functionality for policy definition
• Can define usage restrictions, policy renewal, and distribution groups on a per document library basis.
Supports collaboration scenarios across organizations
• Can set access policies to enable users from other organizations to access your document library and stay in control of your data.
Take Away
Data can flow anywhere anytime
Access-based control does not protect content once it has been accessed.
Rights Management provides encryption that is persisted with the content.
Enables rich policy to be associated with content to prevent accidental disclosure of content.
Rights Management is now integrated within Office 365
Does not require any additional on-premises infrastructure and takes a few minutes to configure.
Available as part of Office 365 Enterprise.
Deep Integration with Office 2013, SharePoint Online and Exchange Online.