Secure collaboration within organizations, B2B and B2C · Rights Management Services
TRANSCRIPT
• Definition of the term “Collaboration”: Working with others
to do a task and to achieve shared goals.
• Major Business Requirements
Structured filing
Simple and secure identity and access management processes within and across companies, user self-services
Broad support of devices and applications
Flexibility regarding business processes and team structures
Data security and classification
Traceability and auditability of any IAM and business activities
Evidence records for contracts and approval processes
Requirement matrix – columns: E-Mail, SharePoint; rows:
Structured filing
IAM, user self-services
Broad support of devices and applications
Flexibility w.r.t. processes and team structures
Data security and classification
Traceability and auditability
Evidence records
• Microsoft Azure, Office 365, SharePoint Online
Global cloud solution managing tenants and trusts
Single user identity for authentication and authorization to all resources
Broad support of devices and applications
• Rights Management Services
Leverage access control beyond applications (DLP)
Data classification
Document tracking
• Digital Signature Services
Evidence records for contracts and approval processes
Requirement matrix – columns: E-Mail, SharePoint; rows:
Structured filing
IAM, user self-services
Broad support of devices and applications
Flexibility w.r.t. processes and team structures
Data security and classification
Traceability and auditability
Evidence records
Solution components mapped against the requirements:
Microsoft Azure, Office 365, SharePoint Online
Rights Management Services
Digital Signature Services
Short introduction of Microsoft RMS and Secure Islands IQ Protector
• About RMS
Traditional security controls (e.g. ACLs, firewalls, etc.) are of limited effectiveness in protecting company data while still empowering users to work efficiently (i.e. use of many platforms, applications, mobile workplaces, etc.).
RMS protects sensitive information independently of any other security measure: it uses encryption, identity, and authorization policies to help secure the data.
The objectives of DLP can be implemented with RMS.
• Available on-prem (AD RMS) and in the cloud (Azure RMS)
• Major features
Security is intrinsically tied to the data, with no dependency on other security measures
Dynamic management of users and roles (joiners / movers / leavers / deputies / auditors / legal investigators)
[Diagram: RMS Protected Data – the Data together with its Owner / Author, an RMS Template or ad-hoc User/Group, RMS Metadata, IQP Classification and IQP Metadata]
• Major features
Data protection and classification
Rights enforcement (do not forward, read only, do not print, etc.)
Document tracking and document revocation
[Diagram: an Application opening RMS Protected Data (Data, Owner / Author, RMS Template or ad-hoc User/Group, RMS Metadata, IQP Classification, IQP Metadata); the application authenticates to the RMS Server, acquires an RMS License and uses the data, and the server logs / reports the access]
• Broad support of applications and file-types
Microsoft Office on Windows and Mac (Office 2016 and beyond for Mac)
RMS SDK available for Windows, Linux, iOS and Android
More and more RMS enlightened applications available
Broad support of file-types (Office, PDF, CSV, TXT, JPG, etc., almost any file-type)
• Typical Use-cases
Leverage access control beyond applications (DLP)
Separation of business data from IT administrators
Separation of individual organizational units (e.g. human resources or finance department, research and development, etc.)
Secure collaboration within an organization or across organizational boundaries
Document tracking (and document revocation)
• Additional use-cases with Secure Islands IQP
Policy-based file and folder encryption
Automated and policy-based encryption / classification of data, e-mails, web uploads and downloads
User-awareness (pop-up windows) based on pattern matching (content scanning)
Comprehensive Microsoft Exchange journaling support for compliance and audit reasons
DLP implementation with IQP on-prem
• Use-case – example
[Diagram: Microsoft Azure with Tenant (Org 1) and Tenant (Org 2); each org runs an on-prem Active Directory (User A / Group G, User X / Group W), a Federation Service (ADFS) and Directory Synchronization (AADConnect) into its Azure Active Directory; B2B Sync links the tenants; each tenant has SharePoint Online (Office 365); Azure RMS protects the data; User X passes the downloaded data via file share, Exchange, USB stick, etc. to User Y]
• Use-case – example – description
1. User X from Org 2 downloads a document from the SharePoint Online Server of Org 1.
2. User X is entitled to access the SharePoint Online Server and to open the document.
3. User X sends the document to User Y (file share, e-mail, etc.).
4. User Y is not entitled to access the SharePoint Online Server. Since the RMS rights on the document are derived from the SharePoint access permissions, User Y cannot open the document.
Note: It is possible to apply other protection rules, especially with RMS on-prem and Secure Islands IQP.
RMS - Document tracking and reporting
• Keyon - true-Xtended Reporting for RMS and IQP
• Collects log-files and events from many sources, especially from Secure Islands IQP and Microsoft RMS Servers
• Enriches log-files and events from further sources (e.g. AD, LDAP, DBs, DLP systems, other applications)
• Periodically copies enriched log-files and events into Splunk or Microsoft Reporting Services
• Data collection and reports can be customized
RMS - Document tracking and reporting
• ... and what it looks like
Live Demo
Microsoft Azure, Office 365, SharePoint Online
Rights Management Services
Digital Signature Services
Short introduction: Digital Signature Services
• Business Benefits
• Evidence records for approval processes
• Contracts and agreements
• Integrity and authenticity of internal and external documents
• Benefits for IT operations
• Signed Office Macros
• Signed code (.exe, Java)
true-Sign at a glance
• Digital Signature Service
• Compliant with ZertES, ElDI-V, GeBüV
• Support of industry standards and long-term signatures
• ETSI TS 102 778-1-5: PAdES-LTV, XAdES-A, CAdES-A
• RFC 6283: XMLERS
• RFC 4998: ERS
• RFC 3161 Time-Stamp Protocol
• FIPS and CC certified Hardware Security Modules
Microsoft Azure, Office 365, SharePoint Online
Rights Management Services
Digital Signature Services
Short introduction
Microsoft Office 2013 (new: Office 2016)
Office Application Suite for PC and Mac
Mobile Apps for iOS, Windows & Android
Microsoft Azure Active Directory (AAD)
Sharepoint Online
Azure RMS
Office 365 / Azure prerequisites
Office 365 subscription
Subscription that includes Sharepoint Online:
Starting with “Office 365 Business Essentials” (CHF 4.70/user/month).
Also available in “Office 365 Business Premium”
Included in all enterprise plans
Basic personal sharing and collaboration options are also available with subscriptions
that include OneDrive for Business but not Sharepoint.
Identity and Access Management
• Office 365 uses Azure Active Directory
• Users of Office 365 must exist in Azure AD
• Several options:
Cloud identity: Create users online (small companies without Active Directory)
Synchronized identity: Synchronize users from AD to Azure AD + password sync (Identity Lifecycle)
Federated identity: Synchronize users from AD to AAD and federate with Azure AD (Identity Lifecycle + SSO)
User synchronization and federation:
• Re-use identities from the organization’s Active Directory
• Synchronize AD users and groups to Azure AD (AADConnect)
• Enable SSO through Federation (ADFS)
[Diagram: on-prem Active Directory (User A, Group G) synchronized via Directory Synchronization (AADConnect) and federated via Federation Service (ADFS) into the Azure Active Directory of Tenant (Org 1), which serves SharePoint Online (Office 365)]
Result of user synchronization: The synchronized users appear in the Azure AD and are ready for use.
Single Sign On with Federation:
[Diagram: two-tenant setup as in the use-case example: on-prem Active Directory, Federation Service (ADFS) and Directory Synchronization (AADConnect) per org, Azure Active Directory per tenant, B2B Sync between Tenant (Org 1) and Tenant (Org 2), SharePoint Online (Office 365) per tenant]
External users:
• Collaboration partners re-use their own Azure identities to access shared team sites in SharePoint Online.
• Users that are not yet in Azure can create a Microsoft account to access shared team sites.
Identity and Access Management
• Identity management, provisioning and decommissioning
Azure Active Directory B2B collaboration lets you enable access to your corporate applications from partner-managed identities.
You can create cross-company relationships by inviting and authorizing users from partner companies to access your resources.
[Diagram: Microsoft Azure with Tenant (Org 1) (Azure Active Directory: User A, Group G) and Tenant (Org 2) (Azure Active Directory: User X, Group W) linked by B2B Sync, each with its own SharePoint Online (Office 365)]
• Create team and project based SharePoint sites
• Edit documents together at the same time
• Access files across devices
• Share internally and externally
• Versioning, archiving
• IRM protection
• External users do not require an Office 365 license to access files shared with them
Other collaboration tools offered by Microsoft 365:
• Lync instant messaging: supports federation with Lync in other organizations
• Shared team/project mailboxes
• Share your calendar with people outside of the organization
• OneDrive for Business
RMS protection
• SharePoint Online supports RMS protection
• RMS protection is applied when the document is downloaded from SharePoint Online or when it is opened for editing in Microsoft Office.
• The applied RMS protection is determined based on the permissions of the user on the site that contains the file:
SharePoint permission: Manage SharePoint site → IRM permission: Full Control (generally allows a user to read, edit, copy, save and to modify permissions)
SharePoint permission: Edit items, manage lists → IRM permission: Edit, copy and save (print only if allowed in the library settings)
SharePoint permission: View items → IRM permission: Read (print only if allowed in the library settings)
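As an added example (not code from the presentation or from Microsoft), the following Python model ties the permission-to-IRM-rights mapping above to the use-case flow: User X, entitled on the Org 1 site, downloads a protected document and forwards it to User Y, whose license request yields nothing because rights are derived from site permissions. The site name, user names and permission-level keys are constructed placeholders.

```python
from dataclasses import dataclass

# SharePoint permission level -> IRM rights, following the mapping table above.
IRM_RIGHTS = {
    "manage_site": {"read", "edit", "copy", "save", "modify_permissions"},
    "edit_items": {"read", "edit", "copy", "save"},
    "view_items": {"read"},
}

@dataclass
class Site:
    name: str
    permissions: dict          # user -> permission level on this site
    allow_print: bool = False  # library setting: print only if allowed

def irm_rights(level, allow_print):
    """Translate a site permission level into the IRM rights applied on download."""
    rights = set(IRM_RIGHTS[level])
    if allow_print:
        rights.add("print")
    return rights

def download(site, user, doc_name):
    """Steps 1-2: only a user entitled to the site can download; the returned
    file carries RMS metadata binding it to the source site's permissions."""
    if user not in site.permissions:
        raise PermissionError(f"{user} is not entitled to access {site.name}")
    return {"name": doc_name, "source_site": site.name}

def acquire_license(sites, doc, user):
    """RMS server side: the use license is derived from the user's current
    permission on the source site; no permission means no license at all."""
    site = sites[doc["source_site"]]
    level = site.permissions.get(user)
    if level is None:
        return set()  # not entitled on the site -> the document stays closed
    return irm_rights(level, site.allow_print)

# Constructed sample: Org 1 team site; User X from Org 2 is entitled via B2B.
SITES = {"org1-team": Site("org1-team", {"userA@org1": "manage_site",
                                         "userX@org2": "edit_items"})}

def use_case():
    doc = download(SITES["org1-team"], "userX@org2", "contract.docx")
    # Step 3: X forwards the file to User Y (e-mail, file share, USB stick).
    # Step 4: Y asks the RMS server for a license and gets none.
    return {"userX@org2": acquire_license(SITES, doc, "userX@org2"),
            "userY@org2": acquire_license(SITES, doc, "userY@org2")}
```

Removing User X from the site's permissions after the download also closes the already-forwarded copy, which is the revocation behaviour the slides describe.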
Extended RMS features
• Extended SharePoint RMS features with Secure Islands IQP
Storage of encrypted and classified data in SharePoint
Optional indexing of encrypted data for keeping the search capabilities
Live Demo
SharePoint Online and Azure RMS
[Diagram: the two-tenant B2B collaboration scenario from the use-case example, with Azure RMS protecting the data and User X passing it to User Y via file share, Exchange, USB stick, etc.]
… challenges regarding credentials and device policies
Maintaining control of users’ application access across on-prem and cloud platforms is challenging.
• Federation introduces single (or hybrid) identities
Such identities span on-premises and cloud-based capabilities, creating a single user identity for authentication and authorization to all resources, from any device, regardless of location.
• Questions
How to assess the assurance level of credentials? Are smartcards, virtual smartcards, HW based OTPs, SW based OTPs, SMS tokens, biometrics, etc. equivalent to each other?
How to determine the assurance level of credentials based on federated tokens (ABAC, policies, agreements)?
How to determine the security capabilities and security policies of devices (corporate managed devices, BYOD, MDM, etc.)?
• Cloud-based solutions enable new business processes
Secure collaboration B2B and B2C
• Fast evolving
Frequent feature releases of cloud-based components (RMS, SP Online, Intune, etc.)
Increased interoperability of cloud-based components