Sunday, August 21, 2016

Azure Information Protection with Office 365

If you are a reader of my blog, you know for the past few years I have been very focused on discussing Office 365 services.  I recently decided to do some catching up on EMS and how it relates to Office 365.  Well, as it turns out, there have been several recent changes.  One thing that caught my attention very quickly was Azure Information Protection.  In this blog I will explore this solution.

I will say I am super excited to see the vision of this feature given I work with customers who have the most complex security and information protection policies out there.

Note that the Azure Information Protection service is currently in Public Preview.

What is the new Azure Information Protection solution?
A major challenge that organizations face is protection of their data.  Data loss prevention is constantly on customers’ minds.

With Azure Information Protection we can protect data at the lowest common denominator.  Instead of solely relying on the data storage systems to classify and protect data, we now protect the data directly at the source as email and documents move from place-to-place.

With Azure Information Protection:

  • Classify, label and protect data at the time of creation or modification.
  • Persistent protection travels with the data with rights management.
  • Provide users simple, intuitive controls that help them make the right decisions and stay productive.
  • Enable safe sharing of data both internally and externally.
  • Ability to create enforceable organizational policies to protect data.
  • Visibility and control over the shared data.
  • Deployment and management flexibility through the cloud.

What is the difference between Azure Information Protection and Azure RMS?
Simply put, Azure Rights Management Services (RMS) got a bunch of new features added to it.  Azure Information Protection builds upon RMS with several new capabilities that have been introduced as part of the Secure Islands acquisition.

The new capability that should catch your attention is the intelligent classification and labeling solution that has been integrated with Azure RMS.  This is a super exciting capability.

With the new labeling capability in Azure Information Protection services, you can create enforceable policy to classify and protect your most critical data.  You can create labels (classifications) like Personal, Public, Internal, Confidential, Secret, etc.  Then you can create policies that define how data should be tagged with these classifications.  Once data is classified, that data can have visual indicators applied to it, RMS protection policies can be proactively applied to it, and DLP rules (like Exchange transport rules) can watch for this data and take action.

Additionally, there are new reports available to you that allow you to see how the most critical data in your organization is being accessed and managed.  This provides an audit trail for your most critical data.

How can an organization use Azure Information Protection?
Let’s look at Azure Information Protection a little closer.

When a user is in Office, they will see a new ribbon item (Protect) along with a new labeling mechanism in the ribbon.  Users have the ability to tag any document or email on the spot.

Administrators have the ability to create the labels that customers see.

Within each label you can:

  • Associate RMS policies you want to apply (if any) to a specific label.  For instance, if you have a Confidential or Secret label, you may want to associate that label to an RMS policy.
  • Create visual markings that would be applied to the email or document once the label is applied.  For instance, add headers, footers, watermarks, etc.
  • Define conditions that could automatically label email and documents.  For instance, if you see data patterns within the content, a label can be auto applied.
There are numerous ways these labels can actually be applied:
  • Automatic – Labels can be applied by IT based on information it can see in the documents and emails.  This means as the user is creating the content, the label can be applied for them.
  • User Driven – Users have the ability to choose to apply sensitivity labels to an email or file as they work on it.
  • Recommendation – Instead of automatically applying the label, you can make recommendations to the user on how to classify/label.
  • Reclassification – Depending on your policy, you can allow users the ability to re-classify email and documents.  You can even require them to enter a justification, which will be logged.
I see endless opportunity for organizations to use Azure Information Protection services to protect their data.  For instance:
  • An organization could create a policy that all documents are automatically classified as Internal.  The Internal label does not need an RMS policy associated with it, but doing this will set a baseline that all content in the organization has been tagged.
  • As data needs to become public, the data can be re-classified (labeled) as Public by the end user.
  • For documents classified as Secret or Confidential, an RMS policy could automatically be applied.
  • Re-classification can be allowed without justification for Internal and Public, but for any re-classifications of Secret or Confidential a justification must be provided.
  • I really think there are endless opportunities here with Azure Information Protection services.
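The label lifecycle just described (automatic and recommended classification at save time, a baseline Internal label for everything, and user reclassification that must be justified and logged for Confidential or Secret content) can be seen end to end in a small policy model. The following is an added example written for this post, not Microsoft's code or the AIP client's API; the label names, the RMS template names, the regex conditions (a constructed "Project Falcon" codename and an SSN-like pattern) and the audit log shape are all assumptions chosen for illustration.

```python
"""Added example, not Microsoft's code: a model of the Azure Information
Protection labeling policy described in the post.  Labels, RMS template names,
conditions and the justification rule are assumptions made for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

# Ordered from least to most sensitive.
LABEL_ORDER = ["Public", "Internal", "Confidential", "Secret"]


@dataclass
class Label:
    name: str
    rms_template: Optional[str]   # RMS policy applied together with the label, if any
    marking: Optional[str]        # visual marking (header/footer/watermark text)
    conditions: tuple = ()        # regex patterns that trigger this label
    mode: str = "automatic"       # "automatic" or "recommend"


@dataclass
class Document:
    title: str
    body: str
    label: Optional[str] = None
    marking: Optional[str] = None
    rms_template: Optional[str] = None


# Constructed policy, most sensitive label first so the strongest match wins.
POLICY = [
    Label("Secret", "Secret-NoForward", "SECRET - do not distribute",
          conditions=(r"\bProject Falcon\b",), mode="automatic"),   # constructed codename
    Label("Confidential", "Confidential-ViewOnly", "CONFIDENTIAL",
          conditions=(r"\b\d{3}-\d{2}-\d{4}\b",), mode="recommend"),  # SSN-like pattern
    Label("Internal", None, "Internal use only"),
    Label("Public", None, None),
]
LABELS = {label.name: label for label in POLICY}
# Re-classifying a document that currently carries one of these labels needs a justification.
JUSTIFICATION_REQUIRED = {"Confidential", "Secret"}

audit_log = []   # stands in for the AIP audit trail / usage reports


def apply_label(doc, label_name, actor, reason=None):
    """Apply a label plus its visual marking and RMS template, and record who did it."""
    lab = LABELS[label_name]
    doc.label, doc.marking, doc.rms_template = lab.name, lab.marking, lab.rms_template
    audit_log.append({"doc": doc.title, "label": lab.name, "by": actor, "reason": reason})


def classify_on_save(doc):
    """Classification at creation/modification time.

    Returns (label_applied, recommended_label).  An 'automatic' match is applied
    outright; a 'recommend' match is returned for the user to decide on, and the
    document still gets the Internal baseline so that everything is tagged."""
    recommendation = None
    for lab in POLICY:
        if any(re.search(pattern, doc.body) for pattern in lab.conditions):
            if lab.mode == "automatic":
                apply_label(doc, lab.name, actor="policy")
                return doc.label, None
            recommendation = lab.name
            break
    apply_label(doc, "Internal", actor="policy")
    return doc.label, recommendation


def reclassify(doc, new_label, user, justification=None):
    """User-driven reclassification.  Internal/Public content can be relabeled freely;
    Confidential/Secret content can only be relabeled with a logged justification."""
    if new_label not in LABELS:
        raise ValueError(f"unknown label {new_label!r}")
    if doc.label in JUSTIFICATION_REQUIRED and not justification:
        return False
    apply_label(doc, new_label, actor=user, reason=justification)
    return True


if __name__ == "__main__":
    plan = Document("plan.docx", "Budget for Project Falcon FY17")
    print(classify_on_save(plan), plan.rms_template)          # ('Secret', None) Secret-NoForward
    hr = Document("hr.docx", "Employee SSN 123-45-6789")
    print(classify_on_save(hr))                               # ('Internal', 'Confidential')
    print(reclassify(plan, "Internal", "bob"))                # False: no justification
    print(reclassify(plan, "Internal", "bob", "declassified by owner"), audit_log[-1])
```

The ordering of `POLICY` matters: conditions are checked from the most sensitive label down, so a document that matches both a Secret and a Confidential pattern is labeled Secret. The justification check keys off the label the document currently carries, which is what the post's Secret/Confidential scenario calls for; a policy that forbids user reclassification of Secret entirely would simply return `False` for that label regardless of justification.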
How does this relate to Office 365?
As part of the Preview, Azure Information Protection services can be integrated with Office 365 ProPlus.  This means files that you author in Word, Excel, PowerPoint, etc. as well as emails in Outlook will have this user experience.  This will expand with time.

I thought Office 365 already had DLP, where does this play in?
Yes, Office 365 already has DLP capabilities within Exchange Online, SharePoint Online and OneDrive for Business.  Azure Information Protection services provide another layer of data protection along with a labeling solution.

For instance, SharePoint Online DLP will identify sensitive documents that were put in a location that has too broad access.  That file can be locked down and then remediated with SharePoint Online DLP by the user or an administrator.  However, what if the end user made a mistake (or worse, was malicious) and then tried to send a file tagged as Secret outside of the organization?  Azure Information Protection could protect that data tagged as Secret based on your policies.  For instance, you can automatically apply an RMS policy to Secret data and not allow users to re-classify that data.  There are several other mitigations you can take, such as watching for documents tagged as Secret being emailed externally.
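The last mitigation above, watching for Secret-tagged mail that is addressed outside the organization, is the kind of thing an Exchange transport rule does by inspecting message headers. The following is an added example written for this post, not Microsoft's code: it models that decision over a raw outbound message. The `msip_labels` header layout follows the `MSIP_Label_<guid>_Name=...` / `MSIP_Label_<guid>_Enabled=true` key format the AIP client stamps on labeled mail; the GUID, the tenant domain `contoso.com`, the recipients and the message itself are constructed.

```python
"""Added example, not Microsoft's code: a transport-rule style check for labeled
mail leaving the organization.  The msip_labels key format mirrors the header the
AIP client writes; GUID, domains, recipients and the message are constructed."""
import re
from email import message_from_string

INTERNAL_DOMAINS = {"contoso.com"}   # constructed tenant domains
BLOCK_LABELS = {"Secret"}            # labels that must never leave the organization
REPORT_LABELS = {"Confidential"}     # labels that only raise an incident report

LABEL_NAME_RE = re.compile(r"MSIP_Label_([0-9a-f-]{36})_Name=([^;]+)", re.IGNORECASE)
LABEL_ENABLED_RE = re.compile(r"MSIP_Label_([0-9a-f-]{36})_Enabled=true", re.IGNORECASE)


def labels_from_header(msip_labels):
    """Return the label names whose GUID is marked Enabled=true in the header.
    A Name entry without a matching Enabled entry is ignored."""
    if not msip_labels:
        return set()
    enabled = set(LABEL_ENABLED_RE.findall(msip_labels))
    return {name.strip() for guid, name in LABEL_NAME_RE.findall(msip_labels) if guid in enabled}


def external_recipients(msg):
    """Recipients on To/Cc/Bcc whose domain is not one of the tenant's domains."""
    external = []
    for header in ("To", "Cc", "Bcc"):
        for addr in (msg.get(header) or "").split(","):
            addr = addr.strip().lower()
            if addr and addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
                external.append(addr)
    return external


def evaluate(raw_message):
    """Decide what a transport rule would do: ('deliver' | 'report' | 'reject', detail)."""
    msg = message_from_string(raw_message)
    labels = labels_from_header(msg.get("msip_labels"))
    external = external_recipients(msg)
    if not external:
        return "deliver", "no external recipients"
    if labels & BLOCK_LABELS:
        return "reject", f"{sorted(labels & BLOCK_LABELS)} mail addressed to {external}"
    if labels & REPORT_LABELS:
        return "report", f"{sorted(labels & REPORT_LABELS)} mail addressed to {external}"
    return "deliver", "no restricted label"


# Constructed sample: an automatically labeled Secret message with one outside recipient.
GUID = "11111111-2222-3333-4444-555555555555"   # constructed label GUID
SECRET_EXTERNAL = f"""From: alice@contoso.com
To: bob@contoso.com, partner@fabrikam.example
Subject: Q3 plan
msip_labels: MSIP_Label_{GUID}_Enabled=true; MSIP_Label_{GUID}_Name=Secret; MSIP_Label_{GUID}_Method=Automatic

See the attached plan.
"""

if __name__ == "__main__":
    print(evaluate(SECRET_EXTERNAL))   # ('reject', "['Secret'] mail addressed to ['partner@fabrikam.example']")
```

The check only fires when the label's `Enabled=true` entry accompanies its `Name` entry, so a stale or partial header is not treated as a label. Because the header is written by the client, it is a detective control rather than the protection itself; pairing the Secret label with an RMS template, as the post suggests, is what stops the content being readable if the header is stripped.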

From what I have observed, a challenge customers have had with RMS is educating users on how they should use it.  With the Azure Information Protection classification and labeling solution, the decision has become super simple for end users.  End users do not need to know complex RMS policies and rule sets; all they need to know are the organization's contextual tags, and the RMS policy is applied for them.

How is Azure Information Protection related to the EMS Suite?
There are two plans: Azure Information Protection Plan 1 and Plan 2.

Plan 1 provides the encryption for files and cloud-based file tracking.  From a legacy perspective, this is what you know of as Azure RMS as part of the EMS suite.

Plan 2 adds the new intelligent classification and labeling policies.

There are also EMS suites (E3 and E5).  Azure Information Protection Plan 2 is part of the EMS E5 suite.

If you are an Office 365 E3 suite customer, you already get access to the Azure RMS service.  However, having Office 365 E3 does not give you access to all the EMS E3 or E5 capabilities.  So to get access to Azure Information Protection Plan 2, and with it this new classification and labeling solution, you will need to acquire some additional EMS plans.

References:
  • Announcing Azure Information Protection
  • Azure Information Protection Public Preview Announcement
  • Introducing Enterprise Mobility + Security
  • Acquisition of Secure Islands
  • Azure Information Protection product page
  • What is Azure Information Protection (good video)
  • Azure Information Protection FAQs
  • Azure Information Protection Quick Start for Preview

Saturday, August 20, 2016

Office 365 Secure Score and Information Security Planning

Office 365 customers are provided a highly secure solution for business productivity.  Microsoft ensures that the Office 365 service is secure and demonstrates this commitment through the many third-party accreditations it receives.  Yet that is only half the battle, as the customers who manage the Office 365 tenant share in that security responsibility.  There are a tremendous number of security features and capabilities available to Office 365 customers that require configuration and management.  Customers frequently miss that they too have a security responsibility to manage and continuously monitor their tenant.  In this blog I will discuss:
  1. The new Office 365 Secure Score analytics tool.
  2. Office 365 Information Security Planning.
Microsoft is invested in providing a safe and secure productivity cloud solution for your end users.  A clear differentiator for Microsoft is that they provide you plans, frameworks and tools that help you plan and continually monitor your security risk with Office 365.

Office 365 Secure Score
Microsoft has released “in preview” a new capability called Office 365 Secure Score.  This is a new analytics tool that can review the configuration of your tenant and make recommendations (based initially on 77 different factors).  Think of it as a “credit score”.  The higher the score, the more controls you have configured in your tenant.  The goal is to reach a score that is aligned to your business requirements without impacting your user experience.

Features of this capability are:
  • There is a summary panel that provides your score and when you last ran it.
  • There is a modeling tool that lets you analyze how introducing additional controls would impact your score.
  • There is detailed information about each control it evaluates and the risk that it mitigates.
  • There are remediation instructions for each control that you introduce and how it would impact your end users.
  • There is a score analyzer that allows you to measure your performance over time.  You can download the scores from the reports and make them part of a continuous monitoring program.
  • New controls will be introduced into the tool as new features are added to the service.
Plan for Office 365 Information Security
Since I have discussed this new Office 365 Secure Score tool that helps you continuously evaluate your security position, it is also worth mentioning that there are several new Office 365 Information Security Planning worksheets you should review (see references below).
These references provide direction on how you can utilize and configure all of the Office 365 security features (including several new ones).

Here are features I talk about a lot:
  • Federated Authentication (ADFS) and ADFS Client Access Policies.
  • Two-factor Authentication with Office 365 MFA and integration with third-party 2FA (smart cards, PIV, CAC).
  • Data Loss Prevention for Exchange Online, SharePoint Online, OneDrive for Business and Skype for Business Online.
  • Rights Management Service (RMS) for Exchange Online, SharePoint Online, OneDrive for Business and Office 365 ProPlus.
  • Office 365 Message Encryption (OME) and S/MIME support.
  • eDiscovery, Legal Hold and Retention policies for Exchange Online, SharePoint Online, OneDrive for Business and Skype for Business Online.
  • Advanced eDiscovery with text analytics, machine learning and predictive coding.
  • Exchange Online Inactive Mailboxes.
  • Data spillage and deletion methods.
  • Permissions management.
  • Service usage reports.
  • Customer Lockbox.
  • Office 365 MDM and Exchange ActiveSync policies.
  • Intune MDM advanced features for Exchange Online, SharePoint Online, OneDrive for Business and Skype for Business Online.
  • Office on the Web (OWA) client policies for data sync and attachment downloads.
  • Exchange Online Protection.
  • Advanced Threat Protection for Exchange Online.
  • Office 365 Advanced Security Management.
  • Azure AD usage and audit reports.
  • Exchange Online mailbox auditing and administrator auditing reports.
  • SharePoint Online usage audit reports.
  • Rights Management Service (RMS) audit reports.
  • External sharing policies for SharePoint Online, OneDrive for Business and Skype for Business Online.
There are a lot of features available to customers and planning is required.

In Closing
It can be daunting to see the number of information security features that a customer has available to them in Office 365.  Customers need to plan and develop continuous monitoring plans to evaluate their risk in Office 365.  Microsoft, unlike many of the cloud vendors out there, provides comprehensive solutions to help you plan and measure your risk.

Monday, August 1, 2016

New Office 365 Exchange and SharePoint User Experiences Coming

New User Experiences
There are some important new user experiences that are being released for Office 365 that you should be aware of:
  1. SharePoint Online Modern Lists
  2. Outlook Focused Inbox
  3. Outlook Mentions
Modern SharePoint Lists are coming
A new user experience is coming to SharePoint Lists.  It will be referred to as Modern SharePoint lists, and many of the changes are consistent with the user experience changes you have been seeing with SharePoint modern document libraries.  You will see many new features such as:
  • Simplified user experience to add columns to lists.
  • Ability to elevate (pin) list data for viewing.
  • Ability to edit data in an information panel without having to leave the list view.
  • Improved bulk editing.
  • Simplified automation with versions, approvals and alerts.
  • New user experience for viewing and editing lists in mobile browsers and the SharePoint mobile app.
  • Integration with PowerApps and Microsoft Flow.  This will allow you to build new workflow applications connected to cloud data and then expose these workflows via PowerApps.

The transition to this user experience can be managed as well, so that end users are not disrupted:
  • By default, classic lists will automatically inherit the new modern list experience.
  • If there is a compatibility blocker to move to the modern list experience, the classic list experience will stay as is.
  • Users will have the ability to revert to the classic experience at any time.
  • Administrators will have the ability to configure classic list experience as the default at the list, site, site collection or tenant level.  This allows for lots of flexibility for user transition.

Outlook Focused Inbox
This is a new experience called Focused Inbox that is being released for Outlook.  It was initially released on Outlook for iOS but will be released to all versions of Outlook.

The Focused Inbox will prioritize email that is important to you based on such things as who you interact with most often, while other email (newsletters, DLs, generated emails, etc.) will land in the Other Inbox.  All the data stays in your primary mailbox; just the email that is most important to you is being prioritized.

Focused Inbox will be replacing the Clutter feature that was introduced a while back.  Clutter was different in that it actually moved email data to a different email folder.  With Focused and Other Inbox, these are just views into the primary Inbox folder.  Clutter will stop moving mail as the Focused Inbox feature is rolled out.

From a transition perspective, again you have control.  Admins will have mailbox and tenant level control of this feature to do a staged rollout to your end users.

Outlook Mentions

This is a really neat feature that I find super exciting.  This feature will help you write emails so much quicker.

As you type an email, you can simply type the @ symbol anywhere in the body of a message.  Once you do that, a people picker will appear, from which you can select a person’s name.  Once you pick the person, their name will be highlighted in the message, calling out an action for them.  Additionally, if the person’s name is not yet on the TO line, their name will be automatically added to the TO line for you.  This is very much like the user experience you have in Facebook when writing a message.