Secure Collaboration within Organizations, B2B and B2C


• Definition of the term "Collaboration": working with others to do a task and to achieve shared goals.

• Major business requirements
  - Structured filing
  - Simple and secure identity and access management processes within and across companies, user self-services
  - Broad support of devices and applications
  - Flexibility regarding business processes and team structures
  - Data security and classification
  - Traceability and auditability of any IAM and business activities
  - Evidence records for contracts and approval processes

• Requirement coverage: E-Mail vs. SharePoint (the original slide rated each of the requirements above for both channels; the ratings did not survive extraction)

• Azure, Office 365, SharePoint Online
  - Global cloud solution managing tenants and trusts
  - Single user identity for authentication and authorization to all resources
  - Broad support of devices and applications

• Rights Management Services
  - Leverage access control beyond applications (DLP)
  - Data classification
  - Document tracking

• Digital Signature Services
  - Evidence records for contracts and approval processes

Rights Management Services

Short introduction of Microsoft RMS and Secure Islands IQ Protector

• About RMS
  - Traditional security controls (e.g. ACLs, firewalls, etc.) have limited effectiveness in protecting company data while still empowering users to work efficiently (many platforms, applications, mobile workplaces, etc.).
  - RMS protects sensitive information independently of any other security measure. It uses encryption, identity, and authorization policies to help secure the data.
• Available on-prem (AD RMS) and in the cloud (Azure RMS)
• Major features
  - Security is intrinsically tied to the data, with no dependency on other security measures
  - Dynamic management of users and roles (joiners / movers / leavers / deputies / auditors / legal investigators)

[Figure: RMS protected data. The owner/author applies an ad-hoc RMS policy or an RMS template to the data; the protected file carries RMS metadata (user/group rights) and, with IQP, an IQP classification and IQP metadata. To use the file, the application acquires an RMS license from the RMS server, which authenticates the user, enforces the template and logs the access for reporting.]

• Major features
  - Data protection and classification
  - Rights enforcement (do not forward, read only, do not print, etc.)
  - Document tracking and document revocation
• Broad support of applications and file types
  - Office on Windows and Mac (Office 2016 and later for Mac)
  - RMS SDK available for Windows, Linux, iOS and Android
  - More and more RMS-enlightened applications available
  - Broad support of file types (Office, PDF, CSV, TXT, JPG, etc.; almost any file type)
• Typical use cases
  - Leverage access control beyond applications (DLP)
  - Separation of business data from IT administrators
  - Separation of individual organizational units (e.g. human resources or finance department, research and development, etc.)
  - Secure collaboration within an organization or across organizational boundaries
  - Document tracking (and document revocation)
• Additional use cases with Secure Islands IQP
  - Policy-based file and folder encryption
  - Automated and policy-based encryption / classification of data, e-mails, web uploads and downloads
  - User awareness (pop-up windows) based on pattern matching (content scanning)
  - Comprehensive Microsoft Exchange journaling support for compliance and audit reasons

• Use case: example

[Figure: B2B sync between two Microsoft Azure tenants. Tenant (Org 1): User A / Group G in the on-prem Active Directory, synchronized by Directory Synchronization (AADConnect) and federated by Federation Service (ADFS) into Azure Active Directory, with SharePoint Online (Office 365) and Azure RMS. Tenant (Org 2): User X / Group W with the same on-prem AD / ADFS / AADConnect setup and SharePoint Online (Office 365). Protected data leaves SharePoint Online and reaches User Y via file share, Exchange, USB stick, etc.]

• Use case: example description
  1. User X from Org 2 downloads a document from the SharePoint Online server of Org 1.
  2. User X is entitled to access the SharePoint Online server and to open the document.
  3. User X sends the document to User Y (file share, e-mail, etc.).
  4. User Y is not entitled to access the SharePoint Online server. Since the RMS rights on the document are derived from the SharePoint access permissions, User Y cannot open the document: the copy stays encrypted, and RMS issues no use license to an identity that is not named in its rights.

Note: it is possible to apply other protection rules, especially with RMS on-prem and Secure Islands IQP.

RMS - Document tracking and reporting

• Keyon - true-Xtended Reporting for RMS and IQP
• Collects log files and events from many sources, especially from Secure Islands IQP and Microsoft RMS servers
• Enriches the log files and events with data from further sources (e.g. AD, LDAP, databases, DLP systems, other applications)
• Periodically copies the enriched log files and events into Splunk or Microsoft Reporting Services
• Data collection and reports can be customized
• ... and how it looks like: [report screenshots not reproduced]
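The collect / enrich / hand over to Splunk pipeline described above, as an added example. This is not Keyon's product code and does not use the real Azure RMS or IQP log schema: the event format, the directory extract, the document metadata and every field name are constructed for the illustration. The point it shows is that the directory join is what turns a bare "user, document, denied" line into something an auditor can act on (which department the user is in, whether the identity is known at all, whether a confidential document crossed a department boundary).

```python
"""Added example (not Keyon's code, not the real Azure RMS log schema):
collect RMS-style access events, enrich each one with directory and
document attributes, emit Splunk-friendly JSON lines and build a small
report. Event format, directory data and field names are constructed."""

import csv
import io
import json
from collections import Counter

# Constructed RMS server events: when, who, which document, which right, outcome.
RMS_EVENTS = """\
timestamp,user,document_id,right,result
2016-03-01T09:12:03Z,userX@org2.example,doc-4711,view,granted
2016-03-01T09:13:40Z,userX@org2.example,doc-4711,print,denied
2016-03-01T10:02:11Z,userY@org2.example,doc-4711,view,denied
2016-03-01T10:05:59Z,userY@org2.example,doc-4711,view,denied
2016-03-01T11:30:00Z,userA@org1.example,doc-0815,edit,granted
"""

# Constructed directory extract (what an AD/LDAP lookup would return).
DIRECTORY = {
    "userA@org1.example": {"department": "Finance", "company": "Org 1", "manager": "cfo@org1.example"},
    "userX@org2.example": {"department": "Sales", "company": "Org 2", "manager": "vp@org2.example"},
    # userY is deliberately absent: unknown identities are the interesting case for an auditor.
}

# Constructed document metadata (classification label from IQP, owning department).
DOCUMENTS = {
    "doc-4711": {"classification": "Confidential", "owner_department": "Finance"},
    "doc-0815": {"classification": "Internal", "owner_department": "Finance"},
}


def parse_events(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def enrich(event: dict) -> dict:
    """Join one event with directory and document attributes. Failed lookups
    are recorded explicitly instead of dropped, so the report can flag them."""
    user = DIRECTORY.get(event["user"], {"department": "unknown", "company": "unknown", "manager": None})
    doc = DOCUMENTS.get(event["document_id"], {"classification": "unknown", "owner_department": "unknown"})
    return {
        **event,
        "user_department": user["department"],
        "user_company": user["company"],
        "manager": user["manager"],
        "classification": doc["classification"],
        "owner_department": doc["owner_department"],
        "cross_department": user["department"] != doc["owner_department"],
    }


def to_splunk_lines(events: list) -> str:
    """One JSON object per line: the shape a Splunk file monitor or the HTTP
    Event Collector ingests without custom field extraction."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


def report(events: list) -> dict:
    """Counts an auditor asks for: denials per document, identities missing
    from the directory, and confidential documents opened from another department."""
    denied = Counter(e["document_id"] for e in events if e["result"] == "denied")
    unknown = sorted({e["user"] for e in events if e["user_department"] == "unknown"})
    cross = sorted({(e["user"], e["document_id"]) for e in events
                    if e["result"] == "granted" and e["cross_department"]
                    and e["classification"] == "Confidential"})
    return {"denied_per_document": dict(denied), "unknown_users": unknown, "cross_department_access": cross}


def run(text: str = RMS_EVENTS) -> dict:
    return report([enrich(e) for e in parse_events(text)])


if __name__ == "__main__":
    enriched = [enrich(e) for e in parse_events(RMS_EVENTS)]
    print(to_splunk_lines(enriched))
    print(json.dumps(run(), indent=2))
```

Running it shows three denials on doc-4711 (two from an identity the directory does not know), and one confidential Finance document opened from Sales, which is exactly the B2B case from the use case above viewed from the reporting side.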

Live Demo

Digital Signature Services

Short introduction

• Business benefits
  - Evidence records for approval processes
  - Contracts and agreements
  - Integrity and authenticity of internal and external documents
• Benefits for IT operations
  - Signed Office macros
  - Signed code (.exe, Java)
• Breakout session 14:15, Swiss Re: "Modern signature applications for business workflows and IT security, incl. live demo"

Microsoft Azure, Office 365, SharePoint Online

Short introduction
  - Office application suite for PC and Mac (new: Office 2016)
  - Mobile apps for iOS, Windows & Android
  - Microsoft Azure Active Directory (AAD)
  - SharePoint Online
  - Azure RMS

Agenda
  - Office 365 / Azure prerequisites
  - Identity and access management
  - Collaboration with SharePoint Online
  - RMS protection
  - Demo
  - B2C outlook, IDM challenges

Office 365 / Azure prerequisites

• Office 365 subscription that includes SharePoint Online:
  - Starting with "Office 365 Business Essentials" (CHF 4.70/user/month)
  - Also available in "Office 365 Business Premium"
  - Included in all enterprise plans
• Basic personal sharing and collaboration options are also available with subscriptions that include OneDrive for Business but not SharePoint.

Identity and Access Management

• Office 365 uses Azure Active Directory
• Users of Office 365 must exist in Azure AD
• Several options:

  - Cloud identity: create users online (small companies without Active Directory)
  - Synchronized identity: synchronize users from AD to Azure AD + password sync (identity lifecycle)
  - Federated identity: synchronize users from AD to AAD and federate with Azure AD (identity lifecycle + SSO)

User synchronization and federation:

[Figure: Microsoft Azure, Tenant (Org 1). User A / Group G in the on-prem Active Directory are synchronized by Directory Synchronization (AADConnect) into Azure Active Directory, which serves SharePoint Online (Office 365); Federation Service (ADFS) provides SSO.]

• Re-use identities from the organization's Active Directory
• Synchronize AD users and groups to Azure AD (AADConnect)
• Enable SSO through federation (ADFS)

Result of user synchronization: the synchronized users appear in Azure AD and are ready for use.

Single Sign On with Federation: [screenshot not reproduced]

External users:

[Figure: B2B sync between Tenant (Org 1) (User A / Group G) and Tenant (Org 2) (User X / Group W), each with on-prem Active Directory, Directory Synchronization (AADConnect), Federation Service (ADFS), Azure Active Directory and SharePoint Online (Office 365).]

• Collaboration partners re-use their own Azure identities to access shared team sites in SharePoint Online.
• Users that are not yet in Azure can create a Microsoft account to access shared team sites.

Identity and Access Management

• Identity management, provisioning and decommissioning
  - Azure Active Directory B2B collaboration lets you enable access to your corporate applications from partner-managed identities.
  - You can create cross-company relationships by inviting and authorizing users from partner companies to access your resources.

[Figure: B2B sync between Tenant (Org 1) (User A / Group G) and Tenant (Org 2) (User X / Group W), each with Azure Active Directory and SharePoint Online (Office 365).]

Collaboration with SharePoint Online

• Create team and project based SharePoint sites
• Edit documents together at the same time
• Access files across devices
• Share internally and externally
• Versioning, archiving
• IRM protection
• External users do not require an Office 365 license to access files shared with them

Other collaboration tools offered by Office 365:
• Lync instant messaging; supports federation with Lync in other organizations
• Shared team/project mailboxes
• Share your calendar with people outside of the organization
• OneDrive for Business

RMS protection

• SharePoint Online supports RMS protection
• RMS protection is applied when the document is downloaded from SharePoint Online or when it is opened for editing in Microsoft Office.
• The applied RMS protection is determined by the permissions of the user on the site that contains the file:

  SharePoint permission      | IRM permission
  ---------------------------+-----------------------------------------------------------------------------------
  Manage SharePoint site     | Full Control: generally allows a user to read, edit, copy, save and modify permissions
  Edit items, manage lists   | Edit, copy and save (print only if allowed in the library settings)
  View items                 | Read (print only if allowed in the library settings)

• Caveat: because the protection is applied at download time, the rights in a downloaded copy reflect the user's site permission at that moment. Removing the user from the site afterwards does not change copies already downloaded, which is where RMS document tracking and revocation (see the RMS features above) come in.

Extended RMS features

• Extended SharePoint RMS features with Secure Islands IQP
  - Storage of encrypted and classified data in SharePoint
  - Optional indexing of encrypted data to keep the search capabilities

Live Demo (SharePoint Online and Azure RMS)
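The permission mapping above and the B2B use case (User X downloads, forwards to User Y, User Y cannot open) as one added, runnable model. This is illustration code, not SharePoint's or Azure RMS's implementation: the permission level names, the group data, the "publishing license names only the downloading user" rule and the stand-in for encryption are assumptions made for the example. What it shows is the two separate decisions involved: SharePoint fixes the rights set from the site permission at download time, and the RMS server later issues a use license only to an identity (directly or through a group) named in the file's rights.

```python
"""Added illustration (not SharePoint's or Azure RMS's code): how IRM rights
are derived from a user's site permission at download time, and why a
recipient outside the site cannot open the forwarded copy. Permission
level names, group data and the license rule are assumptions."""

from dataclasses import dataclass

# SharePoint permission level -> IRM rights, following the table above.
# "print" is only added when the library setting allows it.
IRM_RIGHTS_BY_PERMISSION = {
    "manage_site": {"read", "edit", "copy", "save", "modify_permissions"},
    "edit_items": {"read", "edit", "copy", "save"},
    "view_items": {"read"},
}


@dataclass(frozen=True)
class ProtectedDocument:
    """A downloaded file: opaque payload plus the rights that the RMS server
    may turn into a use license (the publishing license, in RMS terms)."""
    name: str
    ciphertext: bytes        # stands in for the RMS-encrypted body
    rights: dict             # principal -> frozenset of rights


@dataclass
class Site:
    """A SharePoint site with per-principal permission levels and the
    library setting that controls whether viewers may print."""
    permissions: dict        # principal (user or group) -> permission level
    allow_print: bool = False


# Constructed group membership, as synchronized from the on-prem AD.
GROUPS = {"GroupG": {"userA@org1.example"}, "GroupW": {"userX@org2.example"}}


def principals_of(user: str) -> set:
    return {user} | {g for g, members in GROUPS.items() if user in members}


def site_permission(site: Site, user: str):
    """Highest permission level the user holds directly or via a group, or None."""
    order = ["view_items", "edit_items", "manage_site"]
    held = [site.permissions[p] for p in principals_of(user) if p in site.permissions]
    return max(held, key=order.index) if held else None


def download(site: Site, user: str, name: str, body: bytes) -> ProtectedDocument:
    """Apply IRM on download: the rights are fixed from the site permission now.
    Assumption: only the downloading user is named in the resulting file."""
    level = site_permission(site, user)
    if level is None:
        raise PermissionError(f"{user} has no access to the site")
    rights = set(IRM_RIGHTS_BY_PERMISSION[level])
    if site.allow_print:
        rights.add("print")
    # Real RMS encrypts the body with a content key; reversing the bytes only
    # marks it as unreadable without a license for this toy model.
    return ProtectedDocument(name, body[::-1], {user: frozenset(rights)})


def acquire_use_license(doc: ProtectedDocument, user: str):
    """Model of the RMS server check: a use license is issued only to a principal
    named in the file's rights; anyone else is refused and keeps ciphertext only."""
    for p in principals_of(user):
        if p in doc.rights:
            return doc.rights[p]
    return None


def can(doc: ProtectedDocument, user: str, right: str) -> bool:
    lic = acquire_use_license(doc, user)
    return lic is not None and right in lic


if __name__ == "__main__":
    # Org 1 site: Group G manages it, User X from Org 2 was granted edit rights.
    org1_site = Site({"GroupG": "manage_site", "userX@org2.example": "edit_items"})
    doc = download(org1_site, "userX@org2.example", "contract.docx", b"confidential terms")
    print(sorted(acquire_use_license(doc, "userX@org2.example")))  # read/edit/copy/save, no print
    print(acquire_use_license(doc, "userY@org2.example"))          # None: no site access, no license
```

The library setting matters only at download time here, which matches the table: a viewer who downloads while printing is disabled keeps a read-only copy even if the setting is changed later.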

[Figure: demo setup, the same B2B sync diagram as in the RMS use case. Tenant (Org 1): User A / Group G, Azure Active Directory, SharePoint Online (Office 365) and Azure RMS. Tenant (Org 2): User X / Group W, Azure Active Directory, SharePoint Online (Office 365). Both with on-prem Active Directory, Federation Service (ADFS) and Directory Synchronization (AADConnect); protected data reaching User Y via file share, Exchange, USB stick, etc.]

... challenges regarding credentials and device policies

Maintaining control of users' application access across on-prem and cloud platforms is challenging.

• Federation introduces single (or hybrid) identities
  - Such identities span on-premises and cloud-based capabilities, creating a single user identity for authentication and authorization to all resources, from any device, regardless of location
• Questions
  - How to assess the assurance level of credentials? Are smartcards, virtual smartcards, hardware-based OTPs, software-based OTPs, SMS tokens, biometrics, etc. equivalent to each other?
  - How to determine the assurance level of credentials based on federated tokens (ABAC, policies, agreements)?
  - How to determine the security capabilities and security policies of devices (corporate managed devices, BYOD, MDM, etc.)?
• Cloud-based solutions enable new business processes
  - Secure collaboration B2B and B2C
• Fast evolving
  - Frequent feature releases of cloud-based components (RMS, SP Online, Intune, etc.)
  - Increased interoperability of cloud-based components

Q&A
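The questions in the previous section (assurance level of the credential behind a federated token, and the device's state) can be answered in a resource's access policy rather than left to the identity provider. The following is an added example of such an attribute-based check, not code from the presentation or from any product. The method names are the OIDC `amr` values from RFC 8176; the level assigned to each method, the per-resource minimum levels, the trusted issuer list and the `device_managed` claim are assumptions for the illustration and would in practice come from the federation agreement between the partners. The token is taken as an already signature-verified set of claims; verifying the signature and issuer binding happens before this code runs.

```python
"""Added example (not from the presentation): derive an assurance level from
the authentication-method claims of a federated token and combine it with
the device state before granting access. Method names follow RFC 8176
("amr"); levels, resource requirements, issuers and the device claim are
assumptions. Tokens here are claim dicts assumed to be signature-verified."""

# Assurance level per authentication method reference (assumed ordering;
# in practice agreed between the federation partners).
AMR_LEVEL = {
    "pwd": 1,   # password
    "sms": 1,   # one-time code by SMS (phishable, SIM-swap exposed)
    "kba": 1,   # knowledge-based answers
    "otp": 2,   # software or hardware OTP generator
    "swk": 2,   # proof of possession of a software-secured key
    "fpt": 2,   # fingerprint
    "face": 2,  # face recognition
    "hwk": 3,   # proof of possession of a hardware-secured key
    "sc": 3,    # smartcard
}

# Minimum assurance level and device requirement per resource (assumption).
RESOURCE_POLICY = {
    "sharepoint-teamsite": {"min_level": 1, "managed_device": False},
    "finance-rms-docs": {"min_level": 2, "managed_device": True},
    "hr-rms-docs": {"min_level": 3, "managed_device": True},
}

# Issuers that are federation partners (assumed endpoints).
TRUSTED_ISSUERS = {
    "https://adfs.org1.example/adfs/services/trust",
    "https://adfs.org2.example/adfs/services/trust",
}


def assurance_level(amr: list) -> int:
    """The token's assurance is the strongest method it proves. A bare "mfa"
    marker names no method, so it only counts when two distinct methods are
    listed alongside it, and then raises the level by one step (cap 3)."""
    known = {m for m in amr if m in AMR_LEVEL}
    if not known:
        return 0
    level = max(AMR_LEVEL[m] for m in known)
    if "mfa" in amr and len(known) >= 2:
        level = min(level + 1, 3)
    return level


def evaluate(token: dict, resource: str) -> dict:
    """Decide access from token claims and device state. Every reason for a
    denial is returned so that the decision can be logged and audited."""
    policy = RESOURCE_POLICY[resource]
    level = assurance_level(token.get("amr", []))
    managed = bool(token.get("device_managed", False))  # assumed claim fed from MDM / conditional access
    reasons = []
    if token.get("iss") not in TRUSTED_ISSUERS:
        reasons.append(f"issuer {token.get('iss')!r} is not a federation partner")
    if level < policy["min_level"]:
        reasons.append(f"assurance level {level} is below the required {policy['min_level']}")
    if policy["managed_device"] and not managed:
        reasons.append("unmanaged device is not allowed for this resource")
    return {"allow": not reasons, "level": level, "reasons": reasons}


if __name__ == "__main__":
    # Constructed tokens: a partner user with password + SMS code on a BYOD device,
    # and an internal user with a smartcard on a managed device.
    partner = {"iss": "https://adfs.org2.example/adfs/services/trust", "sub": "userX@org2.example",
               "amr": ["pwd", "sms", "mfa"], "device_managed": False}
    internal = {"iss": "https://adfs.org1.example/adfs/services/trust", "sub": "userA@org1.example",
                "amr": ["sc", "pin"], "device_managed": True}
    print(evaluate(partner, "sharepoint-teamsite"))  # allowed
    print(evaluate(partner, "finance-rms-docs"))     # denied: level is fine, device is not
    print(evaluate(internal, "hr-rms-docs"))         # allowed
```

Two points the example makes explicit: the same token can be good enough for a team site and not for protected finance documents, and an "mfa" flag on its own proves nothing about which factors were used, so the policy insists on the individual method claims.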

Thank you for your attention
