Secure Collaboration within Organizations, B2B and B2C [email protected]

Post on 28-May-2020

TRANSCRIPT

Page 1: Secure Collaboration within Organizations, B2B and B2C · Rights Management Services ... •Available on-prem (AD RMS) and in the cloud (Azure RMS) ... Since the RMS rights on the

Secure Collaboration within Organizations, B2B and B2C

[email protected]

Page 2:

Page 3:

• Definition of the term “Collaboration”: Working with others to do a task and to achieve shared goals.

• Major Business Requirements
  - Structured filing
  - Simple and secure identity and access management processes within and across companies, user self-services
  - Broad support of devices and applications
  - Flexibility regarding business processes and team structures
  - Data security and classification
  - Traceability and auditability of any IAM and business activities
  - Evidence records for contracts and approval processes

Page 4:

Requirement                                        E-Mail   SharePoint
Structured filing
IAM, user self-services
Broad support of devices and applications
Flexibility w.r.t. processes and team structures
Data security and classification
Traceability and auditability
Evidence records

Page 5:

• Microsoft Azure, Office 365, SharePoint Online
  - Global cloud solution managing tenants and trusts
  - Single user identity for authentication and authorization to all resources
  - Broad support of devices and applications

• Rights Management Services
  - Leverage access control beyond applications (DLP)
  - Data classification
  - Document tracking

• Digital Signature Services
  - Evidence records for contracts and approval processes

Page 6:

Requirement                                        E-Mail   SharePoint
Structured filing
IAM, user self-services
Broad support of devices and applications
Flexibility w.r.t. processes and team structures
Data security and classification
Traceability and auditability
Evidence records

Page 7:

Microsoft Azure, Office 365, SharePoint Online

Rights Management Services

Digital Signature Services

Short introduction of Microsoft RMS and Secure Islands IQ Protector

Page 8:

• About RMS
  - Traditional security controls (e.g. ACLs, firewalls, etc.) have limited effectiveness in protecting company data while still empowering users to work efficiently (i.e. use of many platforms, applications, mobile workplaces, etc.)
  - RMS protects sensitive information independently of any other security measures. It uses encryption, identity, and authorization policies to help secure the data.
  - The objectives of DLP can be implemented with RMS

Page 9:

• Available on-prem (AD RMS) and in the cloud (Azure RMS)

• Major features
  - Security is intrinsically tied to the data, no dependency on other security measures
  - Dynamic management of users and roles (joiners / movers / leavers / deputies / auditors / legal investigators)

[Diagram: RMS Protected Data: Data; Owner / Author; RMS Template; Ad-hoc User/Group; RMS Metadata; IQP Classification; IQP Metadata]

Page 10:

• Major features
  - Data protection and classification
  - Rights enforcement (do not forward, read only, do not print, etc.)
  - Document tracking and document revocation

[Diagram: Application opens RMS Protected Data (Data; Owner / Author; RMS Template; Ad-hoc User/Group; RMS Metadata; IQP Classification; IQP Metadata); Application and RMS Server exchange: Auth, Acquire RMS License, Use, Log / Report]

Page 11:

• Broad support of applications and file-types
  - Microsoft Office on Windows and Mac (Office 2016 and beyond for Mac)
  - RMS SDK available for Windows, Linux, iOS and Android
  - More and more RMS enlightened applications available
  - Broad support of file-types (Office, PDF, CSV, TXT, JPG, etc., almost any file-type)

Page 12:

• Typical Use-cases
  - Leverage access control beyond applications (DLP)
  - Separation of business data from IT administrators
  - Separation of individual organizational units (e.g. human resources or finance department, research and development, etc.)
  - Secure collaboration within an organization or across organizational boundaries
  - Document tracking (and document revocation)

Page 13:

• Additional use-cases with Secure Islands IQP
  - Policy-based file- and folder encryption
  - Automated and policy-based encryption / classification of data, e-mails, web up- and downloads
  - User-awareness (pop-up windows) based on pattern matching (content scanning)
  - Comprehensive Microsoft Exchange Journaling support for compliance and audit reasons

DLP implementation with IQP

Page 14:

• Use-case – example

[Diagram: Microsoft Azure with Tenant (Org 1) and Tenant (Org 2). Each tenant's Azure Active Directory (Org 1: User A, Group G; Org 2: User X, Group W) is fed from the on-prem Active Directory through Directory Synchronization (AADConnect) and a Federation Service (ADFS); User X reaches Tenant (Org 1) via B2B Sync; each tenant has SharePoint Online (Office 365). Azure RMS protects the Data, which then travels via Fileshare, Exchange, USB Stick, etc. to User Y.]

Page 15:

• Use-case – example - description
  1. User X from Org 2 downloads a document from the SharePoint Online Server of Org 1
  2. User X is entitled to access the SharePoint Online Server and to open the document
  3. User X sends the document to User Y (File-share, e-mail, etc.)
  4. User Y is not entitled to access the SharePoint Online Server. Since the RMS rights on the document are based on the SharePoint access permissions, User Y cannot open the document.

Note: It is possible to apply other protection rules, especially with RMS on-prem and Secure Islands IQP

Page 16:

RMS - Document tracking and reporting

• Keyon - true-Xtended Reporting for RMS and IQP
  - Collects log-files and events from many sources, especially from Secure Islands IQP and Microsoft RMS Servers
  - Enriches log-files and events from further sources (e.g. AD, LDAP, DBs, DLP Systems, other Applications)
  - Periodically copies enriched log-files and events into Splunk or Microsoft Reporting Services
  - Data collection and reports can be customized
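The collect, enrich and export pipeline described above, as an added Python example rather than Keyon's product code: the RMS and IQP events, the directory extract and the document register below are constructed for this illustration, and the event field names, the `review_candidates` rule and the NDJSON export are assumptions, not the format of any real RMS or IQP log.

```python
"""Enrich RMS/IQP events with directory and document data, then report per document.
Added example; event fields, directory layout and report shape are assumptions."""
import json

# Constructed raw events in the shape an RMS server and IQP might log them (field names assumed).
RAW_EVENTS = [
    {"source": "rms", "ts": "2020-05-28T08:01:12Z", "user": "usera@org1.example",
     "doc_id": "doc-1001", "action": "license-acquired", "result": "success"},
    {"source": "iqp", "ts": "2020-05-28T08:02:40Z", "user": "usera@org1.example",
     "doc_id": "doc-1001", "action": "classified", "label": "Confidential"},
    {"source": "rms", "ts": "2020-05-28T09:15:03Z", "user": "userx@org2.example",
     "doc_id": "doc-1001", "action": "license-acquired", "result": "success"},
    {"source": "rms", "ts": "2020-05-28T11:47:51Z", "user": "usery@external.example",
     "doc_id": "doc-1001", "action": "license-acquired", "result": "denied"},
    {"source": "rms", "ts": "2020-05-28T12:05:19Z", "user": "userx@org2.example",
     "doc_id": "doc-1002", "action": "license-acquired", "result": "denied"},
]

# Constructed directory extract: what an AD/LDAP lookup would contribute to each event.
DIRECTORY = {
    "usera@org1.example": {"org": "Org 1", "department": "Finance", "status": "active"},
    "userx@org2.example": {"org": "Org 2", "department": "Sales", "status": "active"},
}

# Constructed document register: owner and classification from SharePoint/IQP metadata.
DOCUMENTS = {
    "doc-1001": {"owner": "usera@org1.example", "classification": "Confidential"},
    "doc-1002": {"owner": "usera@org1.example", "classification": "Internal"},
}


def enrich_event(event, directory=DIRECTORY, documents=DOCUMENTS):
    """Join one raw event with directory and document data; identities missing from
    the directory are flagged rather than dropped, because those are the interesting ones."""
    person = directory.get(event["user"])
    doc = documents.get(event["doc_id"], {})
    enriched = dict(event)
    enriched["user_known"] = person is not None
    enriched["user_org"] = person["org"] if person else "unknown"
    enriched["user_department"] = person["department"] if person else "unknown"
    enriched["doc_owner"] = doc.get("owner", "unknown")
    enriched["doc_classification"] = doc.get("classification", "unknown")
    return enriched


def enrich(events, directory=DIRECTORY, documents=DOCUMENTS):
    """Enrich all events in time order (ISO-8601 timestamps sort lexically)."""
    return [enrich_event(e, directory, documents) for e in sorted(events, key=lambda e: e["ts"])]


def document_report(enriched):
    """Per-document tracking: successful license acquisitions, denied attempts and who was denied."""
    report = {}
    for ev in enriched:
        row = report.setdefault(ev["doc_id"], {
            "owner": ev["doc_owner"], "classification": ev["doc_classification"],
            "opens": 0, "denied": 0, "readers": set(), "denied_users": []})
        if ev["action"] != "license-acquired":
            continue  # classification events are kept in the export but not counted here
        if ev["result"] == "success":
            row["opens"] += 1
            row["readers"].add(ev["user"])
        else:
            row["denied"] += 1
            row["denied_users"].append(ev["user"])
    for row in report.values():
        row["readers"] = sorted(row["readers"])  # JSON-serialisable
    return report


def review_candidates(enriched):
    """Documents on which an identity unknown to the directory was denied a license:
    a copy has left the organisation and the owner may want to review or revoke it."""
    return sorted({ev["doc_id"] for ev in enriched
                   if ev["action"] == "license-acquired"
                   and ev["result"] == "denied" and not ev["user_known"]})


def to_ndjson(enriched):
    """Newline-delimited JSON, the shape a periodic Splunk or Reporting Services import consumes."""
    return "\n".join(json.dumps(ev, sort_keys=True) for ev in enriched)


if __name__ == "__main__":
    rows = enrich(RAW_EVENTS)
    print(json.dumps(document_report(rows), indent=2))
    print("review candidates:", review_candidates(rows))
    print(to_ndjson(rows))
```

The denied attempt by `usery@external.example` on `doc-1001` is exactly the page 15 use case seen from the reporting side: the forwarded copy stayed closed, and the enriched event makes the unknown identity and the document's classification visible in one row.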

Page 17:

RMS - Document tracking and reporting

• ... and how it looks

Live Demo

Page 18:

Microsoft Azure, Office 365, SharePoint Online

Rights Management Services

Digital Signature Services

Short introduction

Page 19:

Digital Signature Services

• Business Benefits
  - Evidence records for approval processes
  - Contracts and agreements
  - Integrity and authenticity of internal and external documents

• Benefits for IT operations
  - Signed Office Macros
  - Signed code (.exe, Java)

Page 20:

true-Sign at a glance

• Digital Signature Service
• Compliant to ZertES, ElDI-V, GeBüV
• Support of industry standards and long-term signatures
  - ETSI TS 102 778-1-5: PAdES-LTV, XAdES-A, CAdES-A
  - RFC 6283: XMLERS
  - RFC 4998: ERS
  - RFC 3161 Time-Stamp Protocol
• FIPS and CC certified Hardware Security Modules

Page 21:

Microsoft Azure, Office 365, SharePoint Online

Rights Management Services

Digital Signature Services

Short introduction

Page 22:

Microsoft Office 2013 (new: Office 2016)

Office Application Suite for PC and Mac

Mobile Apps for iOS, Windows & Android

Microsoft Azure Active Directory (AAD)

Sharepoint Online

Azure RMS

Page 23:

Office 365 / Azure prerequisites

Office 365 subscription

• Subscription that includes SharePoint Online:
  - Starting with “Office 365 Business Essentials” (CHF 4.70/user/month).
  - Also available in “Office 365 Business Premium”
  - Included in all enterprise plans
• Basic personal sharing and collaboration options are also available with subscriptions that include OneDrive for Business but not SharePoint.

Page 24:

Identity and Access Management

• Office 365 uses Azure Active Directory
• Users of Office 365 must exist in Azure AD
• Several options:
  - Cloud identity: Create users online (small companies without Active Directory)
  - Synchronized identity: Synchronize users from AD to Azure AD + password sync (Identity Lifecycle)
  - Federated identity: Synchronize users from AD to AAD and federate with Azure AD (Identity Lifecycle + SSO)

Page 25:

User synchronization and federation:

• Re-use identities from the organization’s Active Directory
• Synchronize AD users and groups to Azure AD (AADConnect)
• Enable SSO through Federation (ADFS)

[Diagram: on-prem Active Directory (User A, Group G) connected through Directory Synchronization (AADConnect) and a Federation Service (ADFS) to the Azure Active Directory of Tenant (Org 1) in Microsoft Azure (User A, Group G), which serves SharePoint Online (Office 365)]

Page 26:

Result of user synchronization: The synchronized users appear in the Azure AD and are ready for use

Page 27:

Single Sign On with Federation:

Page 28:

[Diagram: Microsoft Azure with Tenant (Org 1) and Tenant (Org 2). Each tenant's Azure Active Directory (Org 1: User A, Group G; Org 2: User X, Group W) is fed from the on-prem Active Directory through Directory Synchronization (AADConnect) and a Federation Service (ADFS); User X reaches Tenant (Org 1) via B2B Sync; each tenant has SharePoint Online (Office 365)]

External users:

• Collaboration partners re-use their own Azure identities to access shared team sites in SharePoint Online.
• Users that are not yet in Azure can create a Microsoft account to access shared team sites

Page 29:

Identity and Access Management

• Identity management, provisioning and decommissioning
  - Azure Active Directory B2B collaboration lets you enable access to your corporate applications from partner managed identities.
  - You can create cross-company relationships by inviting and authorizing users from partner companies to access your resources

[Diagram: Microsoft Azure with Tenant (Org 1) (Azure Active Directory: User A, Group G; SharePoint Online (Office 365)) and Tenant (Org 2) (Azure Active Directory: User X, Group W; SharePoint Online (Office 365)), linked by B2B Sync]

Page 30:

• Create team and project based SharePoint sites

• Edit documents together at the same time

• Access files across devices

• Share internally and externally

• Versioning, archiving

• IRM protection

• External users do not require an Office 365 license to access files shared with them

Page 31:

Other collaboration tools offered by Microsoft 365:

• Lync instant messaging: supports federation with Lync in other organizations

• Shared team/project mailboxes

• Share your calendar with people outside of the organization

• OneDrive for Business

Page 32:

RMS protection

• SharePoint Online supports RMS protection
• RMS Protection is applied when the document is downloaded from SharePoint Online or when it is opened for editing in Microsoft Office.
• The applied RMS protection is determined based on the permissions of the user on the site that contains the file:

SharePoint permission        IRM permission
Manage SharePoint site       Full Control: generally allows a user to read, edit, copy, save and modify permissions
Edit items, manage lists     Edit, copy and save (print only if allowed in the library settings)
View items                   Read (print only if allowed in the library settings)
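The permission table above and the page 15 use case (User X forwards a downloaded document to User Y, who cannot open it), as one added Python model that is not SharePoint's or RMS's own code: `Library`, `ProtectedDocument`, `RmsServer`, the principals `usera@org1`, `userx@org2` and `usery@external`, the site name and the audit record format are assumptions for this illustration; the rights per permission level follow the table, with `read` also listed for the edit level on the assumption that editing presupposes viewing.

```python
"""Model: IRM rights sealed into a downloaded document derive from the downloader's
SharePoint site permission, so a forwarded copy stays closed to anyone without rights.
Added example; classes, principals, site and audit format are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class SitePermission(Enum):
    MANAGE = "Manage SharePoint site"
    EDIT = "Edit items, manage lists"
    VIEW = "View items"


# IRM rights per site permission as in the slide table. "read" is included for EDIT
# on the assumption that editing presupposes viewing; print is handled separately.
BASE_RIGHTS = {
    SitePermission.MANAGE: frozenset({"read", "edit", "copy", "save", "modify-permissions"}),
    SitePermission.EDIT: frozenset({"read", "edit", "copy", "save"}),
    SitePermission.VIEW: frozenset({"read"}),
}


def irm_rights(permission, allow_print):
    """Rights for one permission level; print only if the library settings allow it."""
    rights = set(BASE_RIGHTS[permission])
    if allow_print:
        rights.add("print")
    return frozenset(rights)


@dataclass
class Library:
    site: str
    allow_print: bool = False
    members: dict = field(default_factory=dict)  # principal -> SitePermission


@dataclass
class ProtectedDocument:
    name: str
    site: str
    policy: dict  # principal -> frozenset of rights; sealed in with the encrypted content


class AccessDenied(Exception):
    pass


class RmsServer:
    """Authenticates the principal, issues a use license against the sealed policy,
    and logs every request (the Auth / Acquire RMS License / Log steps of the page 10 diagram)."""

    def __init__(self):
        self.audit = []

    def acquire_use_license(self, doc, principal):
        rights = doc.policy.get(principal, frozenset())
        self.audit.append({"doc": doc.name, "principal": principal,
                           "result": "granted" if rights else "denied"})
        if not rights:
            raise AccessDenied(f"{principal} holds no rights on {doc.name}")
        return rights


def download(library, name, downloader):
    """SharePoint applies IRM protection on download; the policy mirrors site permissions."""
    if downloader not in library.members:
        raise AccessDenied(f"{downloader} cannot access site {library.site}")
    policy = {p: irm_rights(perm, library.allow_print) for p, perm in library.members.items()}
    return ProtectedDocument(name, library.site, policy)


def walkthrough():
    """Steps 1-4 of the use case with constructed principals and site."""
    rms = RmsServer()
    site = Library("Org 1 project site", allow_print=False,
                   members={"usera@org1": SitePermission.MANAGE,
                            "userx@org2": SitePermission.EDIT})
    doc = download(site, "contract.docx", "userx@org2")  # steps 1 and 2: X is a site member
    forwarded = doc                                       # step 3: mailed or copied, bytes unchanged
    x_rights = rms.acquire_use_license(forwarded, "userx@org2")
    try:
        rms.acquire_use_license(forwarded, "usery@external")  # step 4: Y is not on the site
        y_can_open = True
    except AccessDenied:
        y_can_open = False
    return {"x_rights": sorted(x_rights), "x_can_print": "print" in x_rights,
            "y_can_open": y_can_open, "audit": rms.audit}


if __name__ == "__main__":
    print(walkthrough())
```

The point the model makes explicit is that the forwarding step changes nothing: the policy travels inside the protected file, and the RMS server, not the transport, decides who obtains a use license, while the denied request still lands in the audit log for the reporting covered on page 16.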

Page 33:

Extended RMS features

• Extended SharePoint RMS features with Secure Islands IQP
  - Storage of encrypted and classified data in SharePoint
  - Optional indexing of encrypted data for keeping the search capabilities

Page 34:

Live Demo

SharePoint Online and Azure RMS

Page 35:

[Diagram: Microsoft Azure with Tenant (Org 1) and Tenant (Org 2). Each tenant's Azure Active Directory (Org 1: User A, Group G; Org 2: User X, Group W) is fed from the on-prem Active Directory through Directory Synchronization (AADConnect) and a Federation Service (ADFS); User X reaches Tenant (Org 1) via B2B Sync; each tenant has SharePoint Online (Office 365). Azure RMS protects the Data, which then travels via Fileshare, Exchange, USB Stick, etc. to User Y.]

Page 36:

…challenges regarding credentials and device policies

Maintaining control of users’ application access across on-prem and cloud platforms is challenging

Page 37:

• Federation introduces single (or hybrid) identities
  - Such identities span on-premises and cloud-based capabilities, creating a single user identity for authentication and authorization to all resources, from any device, regardless of location

• Questions
  - How to assess the assurance level of credentials? Are smartcards, virtual smartcards, HW based OTPs, SW based OTPs, SMS tokens, biometrics, etc. equivalent to each other?
  - How to determine the assurance level of credentials based on federated tokens (ABAC, policies, agreements)?
  - How to determine the security capabilities and security policies of devices (corporate managed devices, BYOD, MDM, etc.)?
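One way to make the questions above answerable in an ABAC policy engine, as an added Python example that is not from the deck: the `amr` values are the authentication method references of RFC 8176 and `iss`/`exp` are standard token claims, but the strength ranking of credential types, the per-issuer caps (standing in for the "agreements" the slide mentions), the `device_managed` claim and the sample tokens are assumptions constructed for this illustration.

```python
"""Derive an assurance level from a federated token's authentication-method claims,
cap it by what the federation agreement with the issuer allows, and combine it with
device state to decide access. Added example; ranking, caps and claim names beyond
amr/iss/exp are assumptions."""
from enum import IntEnum


class Assurance(IntEnum):
    NONE = 0
    LOW = 1      # a single factor class
    MEDIUM = 2   # two factor classes, second factor cloneable or phishable (SMS, software OTP)
    HIGH = 3     # two factor classes with a hardware-bound second factor (smartcard, HW key/OTP)


# RFC 8176 amr values -> (factor class, strength). The ranking is an assumption made to
# give the slide's question ("are SMS tokens and smartcards equivalent?") a concrete answer.
FACTORS = {
    "pwd": ("knowledge", 1),
    "sms": ("possession", 1),
    "otp": ("possession", 2),
    "hwk": ("possession", 3),
    "sc": ("possession", 3),
    "fpt": ("inherence", 2),
    "face": ("inherence", 2),
}

# Constructed federation agreements: the most we are prepared to trust each partner IdP's claims.
ISSUER_CAP = {
    "https://sts.org1.example": Assurance.HIGH,
    "https://sts.org2.example": Assurance.MEDIUM,
}


def credential_assurance(amr):
    """Assurance implied by the authentication methods alone (issuer not considered)."""
    known = [FACTORS[m] for m in amr if m in FACTORS]
    if not known:
        return Assurance.NONE
    classes = {cls for cls, _ in known}
    if len(classes) < 2:
        return Assurance.LOW
    strongest = max(strength for cls, strength in known if cls != "knowledge")
    return Assurance.HIGH if strongest >= 3 else Assurance.MEDIUM


def token_assurance(token):
    """Credential assurance capped by the agreement with the token issuer; unknown issuer -> NONE."""
    cap = ISSUER_CAP.get(token.get("iss"))
    if cap is None:
        return Assurance.NONE
    return min(credential_assurance(token.get("amr", [])), cap)


def evaluate(token, requirement, now):
    """Return (allowed, reasons). Every failed attribute check is reported, not just the first."""
    reasons = []
    if token.get("exp", 0) <= now:
        reasons.append("token expired")
    if token.get("iss") not in ISSUER_CAP:
        reasons.append("issuer not covered by a federation agreement")
    level = token_assurance(token)
    if level < requirement["min_assurance"]:
        reasons.append(f"credential assurance {level.name} below required {requirement['min_assurance'].name}")
    if requirement.get("managed_device") and not token.get("device_managed", False):
        reasons.append("device not corporate managed")  # device_managed claim is an assumption
    return not reasons, reasons


# Constructed sample tokens (claims only; signature validation is assumed to have happened upstream).
SAMPLE_TOKENS = {
    "org1-smartcard": {"iss": "https://sts.org1.example", "amr": ["pwd", "sc"], "exp": 2000, "device_managed": True},
    "org2-smartcard": {"iss": "https://sts.org2.example", "amr": ["pwd", "sc"], "exp": 2000, "device_managed": True},
    "org1-sms-byod": {"iss": "https://sts.org1.example", "amr": ["pwd", "sms"], "exp": 2000, "device_managed": False},
}
FINANCE_SITE = {"min_assurance": Assurance.HIGH, "managed_device": True}


def demo(now=1000):
    """Decision per sample token against the constructed finance-site requirement."""
    return {name: evaluate(tok, FINANCE_SITE, now) for name, tok in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'} {reasons}")
```

The issuer cap is what turns the slide's "agreements" into something enforceable: the same smartcard login yields HIGH from Org 1 but only MEDIUM from Org 2, because the relying party has not agreed to trust Org 2's enrolment process that far, and the decision reports that alongside any device-policy failure.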

Page 38:

• Cloud based solutions enable new business processes
  - Secure collaboration B2B and B2C

• Fast evolving
  - Frequent feature releases of cloud based components (RMS, SP Online, Intune, etc.)
  - Increased interoperability of cloud based components

Page 39:

Q&A

Thank you for your attention

[email protected]