Secure Collaboration within Organizations, B2B and B2C eberhard@keyon.ch staible@keyon.ch
Definition of the term "Collaboration": working with others to do a task and to achieve shared goals.

Major business requirements:
- Structured filing
- Simple and secure identity and access management (IAM) processes within and across companies, user self-services
- Broad support of devices and applications
- Flexibility regarding business processes and team structures
- Data security and classification
- Traceability and auditability of any IAM and business activities
- Evidence records for contracts and approval processes

Requirement coverage, E-Mail vs. SharePoint:
- Structured filing
- IAM, user self-services
- Broad support of devices and applications
- Flexibility w.r.t. processes and team structures
- Data security and classification
- Traceability and auditability
- Evidence records
Microsoft Azure, Office 365, SharePoint Online
- Global cloud solution managing tenants and trusts
- Single user identity for authentication and authorization to all resources
- Broad support of devices and applications

Rights Management Services
- Leverage access control beyond applications (DLP)
- Data classification
- Document tracking

Digital Signature Services
- Evidence records for contracts and approval processes

Agenda: Microsoft Azure, Office 365, SharePoint Online; Rights Management Services (short introduction of Microsoft RMS and Secure Islands IQ Protector); Digital Signature Services
About RMS
Traditional security controls (e.g. ACLs, firewalls) have limited effectiveness at protecting company data while still letting users work efficiently (many platforms, many applications, mobile workplaces, etc.). RMS protects sensitive information independently of any other security measure: it uses encryption, identity and authorization policies to secure the data itself, so the protection stays with the data wherever it goes.

Available on-prem (AD RMS) and in the cloud (Azure RMS)

Major features:
- Security is intrinsically tied to the data, with no dependency on other security measures
- Dynamic management of users and roles (joiners / movers / leavers / deputies / auditors / legal investigators)
- Data protection and classification
- Rights enforcement (do not forward, read only, do not print, etc.)
- Document tracking and document revocation

[Figure: RMS-protected data. The owner/author applies an RMS template or ad-hoc user/group rights to the data; the protected container carries RMS metadata and, with IQP, a classification and IQP metadata. An RMS-enlightened application opening the data acquires a use license from the RMS server, which authenticates and authorizes the user and writes a log/report entry.]
Broad support of applications and file types
- Microsoft Office on Windows and Mac (Office 2016 and later on Mac)
- RMS SDK available for Windows, Linux, iOS and Android
- More and more RMS-enlightened applications available
- Broad support of file types (Office, PDF, CSV, TXT, JPG, etc.; almost any file type)

Typical use cases
- Leverage access control beyond applications (DLP)
- Separation of business data from IT administrators
- Separation of individual organizational units (e.g. human resources or finance department, research and development, etc.)
- Secure collaboration within an organization or across organizational boundaries
- Document tracking (and document revocation)

Additional use cases with Secure Islands IQP
- Policy-based file and folder encryption
- Automated and policy-based encryption / classification of data, e-mails, web uploads and downloads
- User awareness (pop-up windows) based on pattern matching (content scanning)
- Comprehensive Microsoft Exchange journaling support for compliance and audit reasons
Use-case example B2B

[Figure: two Microsoft Azure tenants (Org 1, Org 2), each with an on-prem Active Directory synchronized to its Azure Active Directory by AADConnect and federated through ADFS; the tenants are linked by a B2B sync. User A / Group G belong to Org 1, User X / Group W to Org 2. Org 1's SharePoint Online (Office 365) data is protected by Azure RMS and can leave the site via file share, Exchange, USB stick, etc. to a further User Y.]

Use-case example, description:
1. User X from Org 2 downloads a document from the SharePoint Online server of Org 1.
2. User X is entitled to access the SharePoint Online server and to open the document.
3. User X sends the document to User Y (file share, e-mail, etc.).
4. User Y is not entitled to access the SharePoint Online server. Since the RMS rights stamped on the document at download time are derived from the SharePoint access rights, User Y cannot open the document.
Note: other protection rules can be applied as well, especially with RMS on-prem and Secure Islands IQP.
RMS - Document tracking and reporting
Keyon true-xtended Reporting for RMS and IQP:
- Collects log files and events from many sources, especially from Secure Islands IQP and Microsoft RMS servers
- Enriches the log files and events from further sources (e.g. AD, LDAP, databases, DLP systems, other applications)
- Periodically copies the enriched log files and events into Splunk or Microsoft Reporting Services
- Data collection and reports can be customized

RMS - Document tracking and reporting: what it looks like (live demo)
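As an added example (not part of the original deck and not the Keyon reporting product's code), the following PowerShell does the enrichment step on a few constructed records laid out like an Azure RMS usage log. The column names follow the documented usage-log fields; the e-mail addresses, content IDs, IP addresses and the directory table are invented. Each AcquireLicense request (a user opening a protected document) is joined against a directory extract, and the events a reviewer wants to see first are flagged: denied requests, identities unknown to the directory, and leavers who still open documents.

```powershell
# Added example, not code from the deck or from the Keyon reporting product.
# Constructed sample in the column layout of an Azure RMS usage log. Real logs are
# tab separated with a "#Fields:" header; the sample uses commas for readability,
# so change -Delimiter when reading real files.
$UsageLog = @'
date,time,row-id,request-type,user-id,result,correlation-id,content-id,owner-email,issuer,template-id,file-name,c-ip
2015-09-01,08:12:03,1,Certify,usera@org1.example,Success,c1,,,,,,10.1.1.5
2015-09-01,08:12:05,2,AcquireLicense,usera@org1.example,Success,c2,{CID-1},usera@org1.example,Org1,{T-1},contract.docx,10.1.1.5
2015-09-01,09:40:11,3,AcquireLicense,userx@org2.example,Success,c3,{CID-1},usera@org1.example,Org1,{T-1},contract.docx,203.0.113.7
2015-09-01,10:05:27,4,AcquireLicense,usery@partner.example,Denied,c4,{CID-1},usera@org1.example,Org1,{T-1},contract.docx,198.51.100.9
2015-09-02,07:30:00,5,AcquireLicense,userb@org1.example,Success,c5,{CID-2},usera@org1.example,Org1,{T-1},budget.xlsx,10.1.1.8
'@

# Constructed directory extract, standing in for the AD/LDAP enrichment source.
# Org 2 users are present because the B2B relationship is known to Org 1's directory.
$Directory = @{
    'usera@org1.example' = @{ Department = 'Finance';       Status = 'Active' }
    'userb@org1.example' = @{ Department = 'Finance';       Status = 'Leaver' }
    'userx@org2.example' = @{ Department = 'Org2/Research'; Status = 'Active' }
}

function Get-RmsAccessReport {
    param(
        [Parameter(Mandatory)] [string]    $LogText,
        [Parameter(Mandatory)] [hashtable] $Directory
    )
    $LogText | ConvertFrom-Csv -Delimiter ',' |
        Where-Object { $_.'request-type' -eq 'AcquireLicense' } |
        ForEach-Object {
            $entry = $Directory[$_.'user-id'.ToLowerInvariant()]
            # Flags in rising order of severity; the last matching one wins.
            $flag = ''
            if (-not $entry)                              { $flag = 'EXTERNAL-UNKNOWN' }
            if ($entry -and $entry.Status -eq 'Leaver')   { $flag = 'LEAVER' }
            if ($_.result -ne 'Success')                  { $flag = 'DENIED' }
            [pscustomobject]@{
                Time       = '{0} {1}' -f $_.date, $_.time
                User       = $_.'user-id'
                Department = if ($entry) { $entry.Department } else { 'n/a' }
                Document   = $_.'file-name'
                ContentId  = $_.'content-id'
                Owner      = $_.'owner-email'
                ClientIP   = $_.'c-ip'
                Result     = $_.result
                Flag       = $flag
            }
        }
}

$report = Get-RmsAccessReport -LogText $UsageLog -Directory $Directory
$report | Format-Table -AutoSize

# Per-document view: who opened each protected document, and which events need review.
$report | Group-Object Document | ForEach-Object {
    '{0}: readers = {1}; review = {2}' -f $_.Name,
        (($_.Group | Where-Object Flag -eq '' | Select-Object -ExpandProperty User) -join ', '),
        (($_.Group | Where-Object Flag -ne '' | ForEach-Object { "$($_.User) [$($_.Flag)]" }) -join ', ')
}
```

On the sample, contract.docx shows usera and userx as legitimate readers, usery flagged DENIED (the User Y of the B2B use case), and budget.xlsx shows userb flagged LEAVER. The same objects can be written out with Export-Csv for Splunk or Reporting Services; the point is that the RMS log alone only names identities, and the directory join is what turns it into something an auditor can act on.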
Agenda: Microsoft Azure, Office 365, SharePoint Online; Rights Management Services; Digital Signature Services (short introduction)

Digital Signature Services
Business benefits:
- Evidence records for approval processes
- Contracts and agreements
- Integrity and authenticity of internal and external documents
Benefits for IT operations:
- Signed Office macros
- Signed code (.exe, Java)

Digital Signature Services, breakout session 14:15: Swiss Re - Modern signature applications for business workflows and IT security, incl. live demo

Agenda: Microsoft Azure, Office 365, SharePoint Online (short introduction); Rights Management Services; Digital Signature Services
Components:
- Microsoft Office 2013 (new: Office 2016): Office application suite for PC and Mac, mobile apps for iOS, Windows and Android
- Microsoft Azure Active Directory (AAD)
- SharePoint Online
- Azure RMS

Agenda: Office 365 / Azure prerequisites; identity and access management; collaboration with SharePoint Online; RMS protection; demo; B2C outlook, IDM challenges

Office 365 / Azure prerequisites
- Office 365 subscription
- A subscription that includes SharePoint Online: starting with Office 365 Business Essentials (CHF 4.70/user/month); also available in Office 365 Business Premium; included in all enterprise plans
- Basic personal sharing and collaboration options are also available with subscriptions that include OneDrive for Business but not SharePoint

Identity and Access Management
Office 365 uses Azure Active Directory, so users of Office 365 must exist in Azure AD. Several options:
- Cloud identity: create users online (small companies without Active Directory)
- Synchronized identity: synchronize users from AD to Azure AD plus password sync (identity lifecycle)
- Federated identity: synchronize users from AD to AAD and federate with Azure AD (identity lifecycle plus SSO)
User synchronization and federation:
- Re-use identities from the organization's Active Directory
- Synchronize AD users and groups to Azure AD (AADConnect)
- Enable SSO through federation (ADFS)

[Figure: Microsoft Azure tenant (Org 1) with Azure Active Directory holding User A / Group G and SharePoint Online (Office 365); on-prem Active Directory with User A / Group G connected by directory synchronization (AADConnect) and a federation service (ADFS).]

Result of user synchronization: the synchronized users appear in Azure AD and are ready for use.
Single Sign On with Federation:
External users: collaboration partners reuse their own Azure identities to access shared team sites in SharePoint Online. Users that are not yet in Azure can create a Microsoft account to access shared team sites.

[Figure: Microsoft Azure tenants Org 1 and Org 2, each with an on-prem Active Directory (User A / Group G, User X / Group W) synchronized by AADConnect and federated by ADFS to its Azure Active Directory and SharePoint Online (Office 365); the tenants are linked by a B2B sync.]

Identity and Access Management: identity management, provisioning and decommissioning
Azure Active Directory B2B collaboration lets you enable access to your corporate applications from partner-managed identities. You can create cross-company relationships by inviting and authorizing users from partner companies to access your resources.

[Figure: B2B sync between tenant Org 1 (User A / Group G in Azure Active Directory, SharePoint Online) and tenant Org 2 (User X / Group W in Azure Active Directory, SharePoint Online).]

Collaboration with SharePoint Online
- Create team- and project-based SharePoint sites
- Edit documents together at the same time
- Access files across devices
- Share internally and externally
- Versioning, archiving
- IRM protection
- External users do not require an Office 365 license to access files shared with them

Other collaboration tools offered by Office 365:
- Lync instant messaging; supports federation with Lync in other organizations
- Shared team/project mailboxes
- Share your calendar with people outside of the organization
- OneDrive for Business
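The provisioning and decommissioning step for a partner identity, as an added example that is not part of the deck. It uses the Microsoft Graph PowerShell SDK cmdlets (New-MgInvitation, New-MgGroupMember, Get-MgUser, Remove-MgGroupMemberByRef, Remove-MgUser), which are the current form of the Azure AD B2B invitation flow the slide describes; tenant, site URL, group name and the partner address are placeholders.

```powershell
# Added example; not code from the deck. All names and URLs are placeholders.
Connect-MgGraph -Scopes 'User.Invite.All','User.ReadWrite.All','Group.Read.All','GroupMember.ReadWrite.All'

$ProjectSite  = 'https://org1.sharepoint.com/sites/projectx'
$PartnerGroup = 'ProjectX-Partners'   # Azure AD group that holds the SharePoint permission

# 1. Invite User X from Org 2. The guest keeps authenticating against Org 2's
#    tenant; Org 1 only holds a guest object that can be granted and revoked access.
$invitation = New-MgInvitation -InvitedUserEmailAddress 'userx@org2.example' `
                               -InviteRedirectUrl $ProjectSite `
                               -SendInvitationMessage:$true
$guestId = $invitation.InvitedUser.Id

# 2. Grant access through group membership rather than to the user directly,
#    so joiner/mover/leaver handling is a single membership change.
$group = Get-MgGroup -Filter "displayName eq '$PartnerGroup'"
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $guestId

# 3. Review: list every guest in the tenant with its creation date, so that
#    stale partner identities stay visible to whoever owns the relationship.
Get-MgUser -Filter "userType eq 'Guest'" -Property 'displayName','mail','createdDateTime' |
    Select-Object DisplayName, Mail, CreatedDateTime

# 4. Decommission at project end. Dropping the membership stops further downloads
#    from the site; copies already downloaded carry the rights stamped at download
#    time and stay readable until the library's access-expiry setting lapses.
#    Deleting the guest object removes the cross-company relationship itself.
Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $guestId
Remove-MgUser -UserId $guestId
```

The reason for step 2 is the "dynamic management of users and roles" feature claimed for RMS earlier in the deck: the SharePoint permission, and therefore the IRM rights issued on download, follow the group, so a leaver is handled by one membership removal instead of by touching documents.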
RMS protection
SharePoint Online supports RMS protection. RMS protection is applied when the document is downloaded from SharePoint Online or when it is opened for editing in Microsoft Office. The applied RMS protection is determined by the permissions of the user on the site that contains the file:

SharePoint permission -> IRM permission
- Manage SharePoint site -> Full Control: generally allows a user to read, edit, copy, save and modify permissions
- Edit items, manage lists -> Edit, copy and save (print only if allowed in the library settings)
- View items -> Read (print only if allowed in the library settings)

Extended RMS features
Extended SharePoint RMS features with Secure Islands IQP:
- Storage of encrypted and classified data in SharePoint
- Optional indexing of encrypted data to keep the search capabilities
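An added example, not from the deck, of the two configuration steps behind the mapping above and the B2B use case: switching IRM on for a SharePoint Online document library so that downloads are RMS-protected, and explicitly protecting a file that leaves by another route (file share, e-mail, USB stick) where no SharePoint-derived rights apply. It assumes the PnP.PowerShell module for the library settings and the Azure Information Protection client module for Protect-RMSFile; parameter names are as documented for those modules, and the site URL, library, path and template name are placeholders.

```powershell
# Added example; not code from the deck. Placeholder site, library, path and template.
Connect-PnPOnline -Url 'https://org1.sharepoint.com/sites/projectx' -Interactive

# Switch IRM on for the library. Printing stays off, so the "Edit" and "Read" rights
# derived from the user's SharePoint permission level do not include print; the
# access-expiry setting bounds how long a downloaded copy remains readable.
Set-PnPListInformationRightsManagement -List 'Documents' `
    -Enable $true `
    -AllowPrint $false `
    -AllowScript $false `
    -AllowWriteCopy $false `
    -EnableDocumentAccessExpire $true `
    -DocumentAccessExpireDays 30 `
    -PolicyTitle 'Org1 Project X' `
    -PolicyDescription 'Protection applied on download; rights follow site permissions'

# Read the effective settings back before relying on them.
Get-PnPListInformationRightsManagement -List 'Documents'

# A file that bypasses SharePoint gets no rights stamped on it, so protect it
# explicitly with an Azure RMS template (ad-hoc owner-side protection).
$template = Get-RMSTemplate | Where-Object { $_.Name -eq 'Org1 - Confidential' }
Protect-RMSFile -File 'C:\Export\contract.docx' -TemplateId $template.TemplateId -InPlace

# Confirm the file is RMS-protected before it is handed over.
Get-RMSFileStatus -File 'C:\Export\contract.docx'
```

The check at the end matters in practice: a file that was copied out of an IRM library while a user had an open Office session may still be the unprotected server copy, and Get-RMSFileStatus is the quickest way to tell before it goes on a USB stick.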
Live Demo SharePoint Online and Azure RMS
Challenges regarding credentials and device policies
Maintaining control of users' application access across on-prem and cloud platforms is challenging.

Federation introduces single (or hybrid) identities. Such identities span on-premises and cloud-based capabilities, creating a single user identity for authentication and authorization to all resources, from any device, regardless of location.

Questions:
- How to assess the assurance level of credentials? Are smartcards, virtual smartcards, hardware-based OTPs, software-based OTPs, SMS tokens, biometrics, etc. equivalent to each other?
- How to determine the assurance level of credentials based on federated tokens (ABAC, policies, agreements)?
- How to determine the security capabilities and security policies of devices (corporate-managed devices, BYOD, MDM, etc.)?

Outlook
- Cloud-based solutions enable new business processes: secure collaboration B2B and B2C
- Fast evolving: frequent feature releases of cloud-based components (RMS, SharePoint Online, Intune, etc.)
- Increased interoperability of cloud-based components
Q&A Thank you for your attention eberhard@keyon.ch staible@keyon.ch