Monitor & protect your data in ALL your clouds, NOW!

Think your organization is operating in a secure and compliant manner? After you answer the following questions, you might want to keep reading…

  • How do you ensure your sensitive data is protected across all the clouds in your environment, whether it’s Office 365/G-Suite/Box/SalesForce/etc?
  • Do you have a single pane of glass view of when someone shares a file from one of those clouds to someone outside the organization?
  • What about login traffic to those cloud apps?
  • Do you have visibility into your Shadow IT and understand which apps in the environment are storing data overseas or aren’t compliant with an industry regulation such as HIPAA or GDPR?

Watch the following 3-minute video for an overview of Cloud App Security in Microsoft 365. This is the tool that will make you the hero in your organization and help ensure you operate in a secure and compliant manner! Questions? Leave a comment below!

Technical documentation and how to configure what I show in the video for Cloud App Security can be found here.

AIP: I know when you open my document, and I can revoke access! (Compliance + Sales = Seller Hero)

Have you sent an email to someone (perhaps a customer) that contained an important document and wished you could see if they have opened it? What if you accidentally sent the document to the wrong audience? Wouldn't it be nice to revoke access? Perhaps it's a sales quote and you want it to expire in 30 days? Well, the future is here, and this is possible today using Azure Information Protection (AIP), included with Enterprise Mobility + Security, Microsoft 365, or a plan that includes AIP with Office 365. In this blog post we will explore, from an end-user perspective, how a sender can see if their recipient has opened the document, and how to revoke its access.

Azure Information Protection enables your organization to classify its data and apply security policy to that data, but more importantly gives the end-users visibility and control over how the data is consumed. This tool is extremely powerful for both IT and end-users, because it allows you to not only discover what data is in the organization, but classify it based on some criteria (e.g. Confidential, Secret, Top Secret and risk to organization) and apply policies that govern who can access what data based on the classification assigned.

This can be especially useful when you need help complying with regulations like GDPR. For more information about Azure Information Protection, I suggest reading the IT Pro documentation: What is Azure Information Protection? I will not be covering full technical details here, such as how to configure the protection policy. I also highly suggest reviewing the AIP client user guide HERE.

You’re telling me I can see who has opened my document?

Yes! If I send you a document, spreadsheet, PDF, PowerPoint, etc., I can see if you have opened that file, and it doesn't matter how it was sent (email, file transfer over Skype, posted to Teams, etc.). I can also see who has opened the file, by their identity, regardless of whether they were the intended recipient. I simply control this using the site

When I browse to the site, and login, I can see a list of the documents I have protected using Azure Information Protection:

Clicking on one of the documents, I have access to see how many views (and by whom), how many (and by whom) were denied access to the document, among other controls. Let’s click on the list at the top menu

Here I can see who (by user identity, as signed into the Office applications) has attempted to access the document and whether or not they were successful. This is extremely useful!

Clicking on Map at the top menu I can see where in the world the document has been accessed. If all my users were accessing from the US, and then one user was from outside the US – this could indicate a stolen identity or data breach, and I may want to revoke access to the document.

Clicking on Settings from the top menu allows me to do something REALLY COOL: whenever the document is accessed, I can receive an email notification! Why is this really cool? I might be a salesperson and this document might be a proposal to a client. If I never receive an email indicating you opened the document, then I know you may not be interested and I need to adjust my sales approach. This is one of the features of the product (in my opinion) that sells itself. Having that type of intelligence can be critical to the closure of a deal.

At the bottom of the page, I can revoke everyone’s access to the document by clicking the Revoke Access button:

At the bottom, I click Confirm:

All access to the document has now been revoked:

How does this work?

All roads lead to identity:

When a file is protected using Azure Information Protection (AIP), the file is actually encrypted at the file level, and the encryption travels with the file wherever it goes. This encryption is tied to the user’s identity in Azure Active Directory (AD). When the file is accessed, the user authenticates to Azure AD and authorization is checked; if it succeeds, the file is decrypted and the user can view it. For more detailed technical information on how this encryption process works, see How does Azure RMS work? Under the hood.

So, if I give you a super sensitive file that has been protected using AIP, unless you have my identity, or have been granted authorization, you cannot open the file. This is (in my opinion) a game changer, as this means your organization’s data can travel from device to device (personal home computer, work computer, mobile devices, USB sticks, etc.) and the data will stay encrypted. It doesn’t matter if the device is protected or not, because the file is already encrypted. It doesn’t matter if I accidentally send the file to someone I shouldn’t have, because it’s already encrypted.
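The access decision described above can be sketched in a few lines. This is an added example, not code from the original post or from Microsoft: a simplified model in which a rights service releases the content key only to an authorized identity, honors the expiry and revocation controls the post describes, and logs every attempt the way the tracking views report them. All class, field and function names and the sample identities are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class ProtectedDocument:
    """Constructed stand-in for the policy a rights service keeps per file."""
    authorized: set                         # identities allowed to open it
    expires_at: Optional[datetime] = None   # models "Expire Access"
    revoked: bool = False                   # models "Revoke Access"
    access_log: list = field(default_factory=list)

def request_open(doc, identity, country, now):
    """Decide whether the content key would be released to `identity`.

    The file itself stays encrypted wherever it is copied; only this
    decision, made at open time, lets a signed-in user read it.
    """
    if doc.revoked:
        decision = "denied:revoked"
    elif doc.expires_at is not None and now >= doc.expires_at:
        decision = "denied:expired"
    elif identity not in doc.authorized:
        decision = "denied:not-authorized"
    else:
        decision = "granted"
    doc.access_log.append((now, identity, country, decision))
    return decision

def summarize(doc, usual_countries):
    """Views, denials, and granted opens from outside the usual countries."""
    views = [e for e in doc.access_log if e[3] == "granted"]
    unusual = [e[1] for e in views if e[2] not in usual_countries]
    return {"views": len(views),
            "denied": len(doc.access_log) - len(views),
            "unusual": unusual}

def demo():
    t0 = datetime(2018, 1, 1, tzinfo=timezone.utc)   # constructed timeline
    doc = ProtectedDocument({"client@contoso.example"}, t0 + timedelta(days=30))
    day = lambda n: t0 + timedelta(days=n)
    results = [
        request_open(doc, "client@contoso.example", "US", day(1)),
        request_open(doc, "stranger@other.example", "US", day(2)),
        request_open(doc, "client@contoso.example", "RO", day(3)),
    ]
    doc.revoked = True                               # owner revokes access
    results.append(request_open(doc, "client@contoso.example", "US", day(4)))
    return results, summarize(doc, usual_countries={"US"})
```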

What’s required to do this? A few things as outlined in the technical documentation but most importantly: The recipient (inside or outside your organization) needs to have an identity account in Azure Active Directory.

What if the recipient does not have an Azure AD account?

If the file is being sent to someone outside your organization, and that recipient does not have an identity account in Azure Active Directory you have a few options:

  1. The recipient can sign up for “Azure RMS for Individuals” by browsing to this website and going through the wizard. Microsoft will check the email address to see if it’s associated with an AIP subscription, or an Office 365 subscription that includes AIP. If it is not found, you can register and essentially an account in Azure Active Directory will be created for you. For more information about this process see: RMS for individuals and Azure Information Protection. (Note: this DOES NOT sign your company up for anything; it is tied to a single identity so you can use the viewer or sign into a protected file.)
  2. If you do not want to go with option 1 (although, it’s VERY easy!) then your second option is actually pretty interesting. When AIP is used with Exchange Online – and that document is sent using Office 365 Message Encryption, then you can sign in using a Gmail, Hotmail or Microsoft (Live) account! See New Capabilities Available in Office 365 Message Encryption
  3. The last option, uses the Azure Information Protection client. You can manually specify the recipients who are authorized to access the file (by email address) and their associated permissions using the AIP client:

IMPORTANT: All three options require the user to sign into Office on their device (or use the Azure AIP Viewer) with the identity that is associated with the AIP protected file. So, if I receive a spreadsheet from you sent to, I need to sign into Excel on my device as

NOTE: Notice above, there is an option to Expire Access. I can have the file expire after say, 30 days and no one can open it afterwards. This is again another important feature that adds tremendous value (salesperson that wishes to expire a quote after 30 days).


As you can see, Azure Information Protection can provide tremendous value back to your organization by empowering employees to take control over their data and ensure its security. It also enables them to be more productive by seamlessly sharing sensitive files outside the organization and tracking their usage. This used to require different 3rd party products, and getting them integrated with the environment was a challenge.

It’s important to note, I have not shown all the back-end configuration that can be performed by IT to add additional value and to meet organizational requirements. Please review the technical documentation to learn more about the following: trusted domains, permissions based on classification type, Office 365 Message Encryption (and how typing the recipient’s email address in the To line in Outlook automatically grants them permissions, etc.)

If you own AIP through Microsoft 365, Office 365 or Enterprise Mobility and Security – give this a try and tell me about your success in the comments below!

Understanding Office365 Security Capabilities

So you want to learn more about the security capabilities in Microsoft Office 365? You’ve come to the right place! Below is a list of resources that will provide you with a good foundational knowledge of the various advanced security workloads in Office365. Stay tuned as I will update this list periodically.

Start Here -> Office365 Trust Center


Office 365 Secure Productive Enterprise

Getting Started:

Address your CXO’s top five cloud security concerns

Take control of your security and compliance with Office 365

Learn how Office 365 security and compliance leverages intelligence in a cloud first world

Secure Office 365 like a cybersecurity pro—assessing risk and implementing controls

Own your data with next generation access control technology in Office 365

General Data Protection Regulation (GDPR)

How Does Microsoft IT Secure Office 365?

Keep calm and automate: How we secure the Office 365 service

Office 365 Secure Score:

Introducing the Office 365 Secure Score

Learn about Office 365 Secure Score: actionable security analytics

An introduction to Office 365 Secure score

New Office 365 capabilities help you proactively manage security and compliance risk

Advanced Threat Analytics:

Learn how Microsoft Advanced Threat Analytics combats persistent threats

Plan and deploy Microsoft Advanced Threat Analytics the right way

Advanced Security Management:

Overview of Advanced Security Management in Office 365

Get started with Advanced Security Management

Gain visibility and control with Office 365 Advanced Security Management

Advanced Threat Protection:

Introducing Office 365 Advanced Threat Protection

Advanced threat protection for safe attachments and safe links

Learn about advancements in Office 365 Advanced Threat Protection

Data Loss Prevention:

Protect your sensitive information with Office 365 Data Loss Prevention

Customize and tune Microsoft Office 365 Data Loss Prevention

Customer Lockbox:

Announcing Customer Lockbox for Office 365

Office 365 Customer Lockbox Requests


Building security and compliance solutions with the O365 Activity API – a Microsoft IT case study


Deliver management and security at scale to Office 365 with Azure Active Directory

Secure your Active Directory to mitigate risk in the cloud


Implement Microsoft Exchange Online Protection

Get an edge over attackers – what you need to know about email threats

Understand how Microsoft protects you against Spoof, Phish, Malware, and Spam emails

Learn about advancements in Office 365 Advanced Threat Protection

Advanced eDiscovery:

Office 365 Advanced eDiscovery

Video: Office 365 Advanced eDiscovery

Reduce costs and challenges with Office 365 eDiscovery and Analytics

Azure Information Protection:

What is Azure Rights Management?

Information Protection and Control (IPC) in Office 365 with Microsoft Rights Management service (RMS) whitepaper

Collaborate confidently using Rights Management

Adopt a comprehensive identity-driven solution for protecting and sharing data securely

Mobile Devices:

Secure access to Office 365, SaaS, and on-premises apps and files with Azure AD and Intune

Deliver a BYOD program that employees and security teams will love with Microsoft Intune

Manage BYOD and corporate-owned devices with MDM solutions

Secure Android devices and apps with Microsoft Intune


Introducing Office 365 Message Encryption: Send encrypted emails to anyone!

Encryption in Office 365

Challenge cloud encryption myths and learn about Office 365 BYOK plans

Windows Defender Advanced Threat Protection:

Detect and respond to advanced and targeted attacks with Windows Defender ATP

Advanced Data Governance:

Advanced Data Governance overview

Take control of your data with intelligent data governance in Office 365

Applying intelligence to security and compliance in Office 365

Threat Intelligence:

Applying intelligence to security and compliance in Office 365

Resources I will post soon: Enterprise Mobility Suite, AppLocker, Credential Guard, Device Guard, Windows Hello, Windows Information Protection, Cloud App Protection, Azure Active Directory Premium.