EMS (Enterprise Mobility Suite) by Microsoft – Episode 20
EMS Part 2 of 3 Part Series – Azure RMS
In episode 20 Frank and Alfred take a deep dive into Azure RMS, one of the three components that come with the Microsoft Enterprise Mobility Suite. In the next episode The Device Pros will cover the final component of EMS, Microsoft Intune.
EMS includes Azure Rights Management which enables:
- Information protection from the cloud or in a hybrid model with your existing on-premises infrastructure
- Integration into your native applications with an easy-to-use SDK
What is Azure Rights Management (RMS)?
Almost every organization is Internet-connected these days, with users bringing personal devices to work, accessing company data on the road and at home, and sharing sensitive information with important business partners. As part of their daily work, users share information by using email, file-sharing sites, and cloud services. In these scenarios, traditional security controls (such as access control lists and NTFS permissions) and firewalls have limited effectiveness if you want to protect your company data while still empowering your users to work efficiently.
In comparison, Azure Rights Management (Azure RMS) can protect your company’s sensitive information in all these scenarios. It uses encryption, identity, and authorization policies to help secure your files and email, and it works across multiple devices: phones, tablets, and PCs. Information can be protected both within and outside your organization because the protection remains with the data, even when it leaves your organization’s boundaries. As an example, employees might email a document to a partner company, or save a document to their cloud drive. The persistent protection that Azure RMS provides not only helps to secure your company data, but might also be legally mandated for compliance, legal discovery requirements, or simply good information management practices.
Just as importantly, authorized people and services (such as search and indexing) can continue to read and inspect the data that Azure RMS protects, which is not easily accomplished with other information protection solutions that use peer-to-peer encryption. This ability is sometimes referred to as “reasoning over data” and is a crucial element in maintaining control of your organization’s data.
What do I need to deploy Azure RMS and how do I get going?
First, check Requirements for Azure Rights Management, which has information about the cloud subscription options, how you can use your on-premises servers with Azure RMS, which deployment scenarios are not currently supported, which devices and applications support Azure RMS, and a link if you need a list of IP addresses and domain names for firewalls or proxy servers. You might also want to check the other topics in the Getting Started with Azure Rights Management section, to get a basic understanding of how Azure Rights Management can help protect your organization’s data, how it works with applications, how it compares with the on-premises version of Active Directory Rights Management, and understand the terms and abbreviations that are specific to Azure Rights Management. Then when you’re ready to test Azure RMS for yourself, or deploy it for your organization, use the Azure Rights Management Deployment Roadmap for a list of steps with links for more information and how-to instructions. If you need additional information, resources, and support options, see Information and Support for Azure Rights Management.
What devices and which file types are supported by Azure RMS?
For a list of supported devices, see the Client devices that support Azure RMS section in the Requirements for Azure Rights Management topic. Because not all supported devices can currently support all RMS capabilities, be sure to also check the Client device capabilities table in the same topic.
Azure RMS can support all file types.
For text, image, Microsoft Office (Word, Excel, PowerPoint) files, .pdf files, and some other application file types, Azure RMS provides native protection that includes both encryption and enforcement of rights (permissions). For all other applications and file types, generic protection provides file encapsulation and authentication to verify whether a user is authorized to open the file. For a list of file name extensions that are natively supported by Azure RMS, see the Supported file types and file name extensions section of the Rights Management sharing application administrator guide. File name extensions not listed are supported by using the RMS sharing application, which automatically applies generic protection to these files.
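The two passages above describe a model rather than an API: the protection stays with the file because the content key is never stored in the clear, a service evaluates the policy against the requester's identity before releasing that key, an authorized service such as an indexer can still read the content, and native protection adds enforcement of individual rights on top of the encryption-plus-authentication that generic protection provides. The following is an added toy model of that flow written for this page; it is not Azure RMS code or Microsoft's format. The envelope layout, the policy fields (`org_domain`, `org_default`, `grants`), the rights names `VIEW`/`EDIT`, the tenant domain and every identity are assumptions constructed for the example, and an HMAC-SHA256 counter-mode keystream stands in for AES so it runs on the Python standard library alone.

```python
# Added example (not Azure RMS code): a toy model of data-centric protection.
# Field names, policy format, rights names and identities are assumptions.
import hashlib
import hmac
import json
import os

VIEW, EDIT = "VIEW", "EDIT"  # rights names assumed for this toy policy


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in for
    AES-CTR). Calling it again with the same key and nonce decrypts."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def _canonical(policy: dict) -> bytes:
    """Stable serialization so the policy MAC is reproducible."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


class LicensingService:
    """Plays the role of the RMS service: the only holder of the tenant key.
    Clients obtain a document's content key only after the policy bound to
    that document grants the requested right to their identity."""

    def __init__(self) -> None:
        self._tenant_key = os.urandom(32)  # constructed at random for the demo

    def _policy_mac(self, policy: dict, wrapped_key: bytes) -> bytes:
        # Binds the readable policy to this exact wrapped key, so whoever holds
        # the file cannot widen the grants by editing the policy.
        return hmac.new(self._tenant_key, _canonical(policy) + wrapped_key,
                        hashlib.sha256).digest()

    def publish(self, plaintext: bytes, policy: dict) -> dict:
        """Protect a document. The envelope is self-contained and can be copied
        anywhere; without a license nobody can recover the content key."""
        content_key, nonce, wrap_nonce = os.urandom(32), os.urandom(16), os.urandom(16)
        wrapped = _keystream_xor(self._tenant_key, wrap_nonce, content_key)
        return {
            "policy": policy,
            "nonce": nonce.hex(),
            "ciphertext": _keystream_xor(content_key, nonce, plaintext).hex(),
            "wrap_nonce": wrap_nonce.hex(),
            "wrapped_key": wrapped.hex(),
            "policy_mac": self._policy_mac(policy, wrapped).hex(),
        }

    def request_license(self, envelope: dict, identity: str, right: str) -> bytes:
        """Release the content key only if the (untampered) policy grants the
        requested right to the authenticated identity. The org_domain rule
        models a default template that limits access to your own people."""
        policy = envelope["policy"]
        wrapped = bytes.fromhex(envelope["wrapped_key"])
        if not hmac.compare_digest(self._policy_mac(policy, wrapped),
                                   bytes.fromhex(envelope["policy_mac"])):
            raise PermissionError("policy has been tampered with")
        granted = set(policy["grants"].get(identity, []))
        if identity.split("@")[-1] == policy["org_domain"]:
            granted |= set(policy["org_default"])
        if right not in granted:
            raise PermissionError(f"{identity} lacks {right}")
        return _keystream_xor(self._tenant_key, bytes.fromhex(envelope["wrap_nonce"]), wrapped)


def open_document(envelope: dict, content_key: bytes) -> bytes:
    """Client-side decryption once a license has been granted."""
    return _keystream_xor(content_key, bytes.fromhex(envelope["nonce"]),
                          bytes.fromhex(envelope["ciphertext"]))


def demo() -> dict:
    """Run the scenarios from the show notes on constructed sample data."""
    rms = LicensingService()
    policy = {
        "org_domain": "contoso.example",                # constructed tenant domain
        "org_default": [VIEW],                          # anyone in the org may read
        "grants": {"alice@contoso.example": [VIEW, EDIT],
                   "indexer@contoso.example": [VIEW]},  # search service: read only
    }
    doc = rms.publish(b"Q3 forecast: revenue up 12%", policy)

    def attempt(env: dict, identity: str, right: str) -> str:
        try:
            return open_document(env, rms.request_license(env, identity, right)).decode()
        except PermissionError as exc:
            return f"denied: {exc}"

    forged = json.loads(json.dumps(doc))  # a copy that left the organization...
    forged["policy"]["grants"]["eve@partner.example"] = [VIEW]  # ...with edited grants
    return {
        "alice_edit": attempt(doc, "alice@contoso.example", EDIT),
        "bob_view": attempt(doc, "bob@contoso.example", VIEW),
        "partner_view": attempt(doc, "eve@partner.example", VIEW),
        "indexer_view": attempt(doc, "indexer@contoso.example", VIEW),
        "indexer_edit": attempt(doc, "indexer@contoso.example", EDIT),
        "forged_policy": attempt(forged, "eve@partner.example", VIEW),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point to take from the model is where enforcement lives: copying the envelope to a USB key or a partner's mailbox changes nothing, because the only thing the recipient can do with it is ask the licensing service, which answers from the policy and the caller's identity. The MAC over the policy is what makes the readable policy trustworthy; without it, anyone holding the file could grant themselves rights. Real Azure RMS wraps the content key with the tenant's RSA key and signs the publishing license; the shape of the flow is the same.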
Do you have any tips or tricks for a successful RMS deployment?
After overseeing many deployments and listening to our customers, partners, consultants, and support engineers, one of the biggest tips we can pass on from experience is this: design and deploy simple rights policies. Because Azure RMS supports sharing securely with anyone, you can afford to be ambitious with your information protection reach. But be conservative with your rights policies. For many organizations, the biggest business impact comes from preventing data leakage by applying the default rights policy template that restricts access to people in your organization. Of course, you can get much more granular than that if you need to, such as preventing people from printing or editing. But keep the more granular restrictions as the exception for documents that really need high-level security, and don’t implement these more restrictive policies on day one; plan for a phased approach instead.
Where can I get technical information about the free Azure RMS subscription (RMS for individuals)?
For example, how it really works, how to take control of the accounts, and which domains can’t be used? You’ll find answers to these questions in the RMS for Individuals and Azure Rights Management topic.
Where can I find supporting information for Azure RMS—such as legal, compliance, and SLAs?
Azure RMS supports other services and also relies on other services. If you’re looking for information that is related to Azure RMS but not about how to use the Azure RMS service, check the following resources:
Legal and privacy:
- For Microsoft Azure agreement information: Microsoft Azure Agreement
- For Microsoft Azure privacy information: Microsoft Azure Privacy Statement
Security, certifications, and auditing:
- For external certifications for Azure RMS: Microsoft Azure Trust Center
- For external security audits for Azure RMS: Security, Audits, and Certifications
Service level agreements:
- Service level agreement for Azure RMS, by selected country: Service level agreement
- Service level agreement for Azure Active Directory: Service Level Agreements
Frank Pinto: Welcome back to another amazing episode of thedevicepros. My name is Frank Pinto and I’m joined by my co-host, Alfred Ojukwu.
Frank Pinto: What’s up Alfred, how you doing man?
Alfred Ojukwu: Doing good, just enjoying the rainy weather of, you know, late fall. It’s hiding times.
Frank Pinto: Nice, nice, I understand you are calling from New York City.
Alfred Ojukwu: New York City, in the heart of it man, that’s where I’m at, having a good time.
Frank Pinto: Nice, nice, I’m a bit jealous. New York in the fall is awesome, I love that area, it’s beautiful you know. Are you near Rockefeller at all?
Alfred Ojukwu: No, I’m probably about 20 blocks away, but you know New York is kind of a jungle, you just kind of enjoy where you are, you know, people everywhere.
Frank Pinto: Cool man.
Alfred Ojukwu: Speaking of New York City, I mean, kind of understanding the caliber, I had a conversation today. I mean, one of the things I was concerned about, or at least think about when I’m in New York City, is you know you kind of have to watch your bags, your wallets. Not so much as it was in the 80’s, but even more so now, just because of so many people; you don’t know who is who and you know what’s gonna happen if they bump into you. You know, outside of that it’s a great place to be.
Frank Pinto: Huh, huh.
Alfred Ojukwu: But the reason why I’m bringing that up is to tie it to our conversation today around information protection, right?
Frank Pinto: Yeah, so this is gonna be part 2 of the 3-part series covering...
Alfred Ojukwu: Enterprise Mobility Suite.
Frank Pinto: Ah, Enterprise Mobility Suite, or EMS for short. Alright, so we know those 3 components for Enterprise Mobility Suite, and last podcast we let people hang, to let them know what, we did let them know what we are going to cover as part 2, and so we decided to cover Azure RMS in part number 2, and so that means part number 3...
Alfred Ojukwu: Azure Rights?
Frank Pinto: Rights Management, yeah, and so in part number 3 we’re going to cover Intune. Before we jump into this, I just want to geek out for a minute. So, I’m actually starting a road trip to China, Japan, Korea, Australia in the next few weeks, and Singapore as well, and so I’ve got 2 Nokia devices I’m taking with me. I’ve got my Nokia 1520, I bought the RM-93, the unlocked one, so I’m gonna see how it does overseas, and I also grabbed the new Nokia, well, this is not new anymore, but the 630, the dual SIM model. It’s funny, I went in looking for a SIM tray re-use, you know those?
Alfred Ojukwu: I don’t even know what that is.
Frank Pinto: Yeah, so you know different phones have different size SIM cards, so the 1520 uses a nano SIM and the 630 uses a micro SIM. So, I was able to drop my nano SIM into my micro SIM tray and it fits into my 630. I went into the store and asked, and it’s like, they don’t make those things, I don’t know man, you are in luck, and your SIM card is locked to your phone and bla, bla, bla, but actually it was wrong. I popped in my nano SIM and I’m up and running, so I’m dying to, on one of the podcasts when I get back, we have to talk about how my experience was.
Alfred Ojukwu: Yeah, sounds really good, and I think that people will be willing to hear that; next we get some information about that.
Frank Pinto: Alright, so now for the side note, well okay, we can start this podcast so that we talk about the release for just a couple of minutes. I know you’re dying to get on to RMS, but we had a major announcement here at Microsoft.
Alfred Ojukwu: Yeah, I’m pretty excited about it. It’s, ah, you know, for those who are running Windows 8 it’s probably a bit of a surprise, because the question is where do you go next? And we are going to, not Windows 9, but what, Frank?
Frank Pinto: Windows 10, or if you are listening from Mexico or Spain, Dx.
Alfred Ojukwu: So the rumor has it that Windows 9 was so good that we decided to skip the version and just move on to Windows 10 and keep it re-called.
Frank Pinto: You know what’s funny man, there have been blog posts on all kinds of stuff; before the announcement was made people were doing all kinds of guesses and all kinds of things as to what the new Windows is going to be called, but it’s pretty cool, you know, checking it out. Here I have my own thought process: I was thinking it was going to be Windows 1, like expert 1 and other ones being used these days, so I thought okay, maybe it would be Windows 1, but I like Windows 10. I saw a blog article this morning and somebody was suggesting, I think, they went with Windows 10 because of, you know, like programmers; if they wrote a program to say if you are on Windows 9, like 95 & 98, maybe in actually programming, in actual version checking, they just went the lazy way, then they can cause some issues, so maybe Microsoft decided let’s start with, you know, Windows 10, because, me obviously, whatever, whatever is on Windows 1 does not exist anymore, so...
Alfred Ojukwu: If it does not, it’s been said right now.
Frank Pinto: It’s probably true.
Alfred Ojukwu: Yeah, we’ll probably have some really good content on Windows 10 in a few weeks, so you just stay tuned, stay tuned.
Frank Pinto: Yeah, yeah, Windows 10, so I think we should do that actually after the Enterprise Mobility Suite series.
Alfred Ojukwu: We’ll see, we’ll let the bloggers and the readers decide that.
Frank Pinto: Alright, alright, alright. Enough of this, I know everybody is dying to find out about RMS (Rights Management System), so let’s jump in. First off, what the heck is it?
Alfred Ojukwu: So, for those of you guys who aren’t familiar with, you know, AD RMS, which is Active Directory Rights Management System, which lives on-prem, where you don’t have the service in the cloud, and it’s basically used to protect information as it’s being sent from user to user across thousands of systems or from an e-mail system. AD RMS is SOLELY the predecessor; it’s been around for a while, 2005 or so, before?
Frank Pinto: Yeah, it’s been around for a while.
Alfred Ojukwu: Yeah, I think 2003, and every couple of years it’s updated, and at one point they realized that the engine has to be updated so they can actually do a lot more work than it needs to do now, and so Azure RMS kind of showed up and it becomes, it’s now, it can help you protect your company’s sensitive information in all the different scenarios; it’s basically reliable for Office 365 and in providing easy configuration, firstly, you know, of the information protection policy itself.
Frank Pinto: So what I like about Azure RMS is that it can protect not only on-prem stuff but it can also protect cloud stuff, so if you have AD RMS you’re only able to protect what is inside your network, but if you have Azure RMS you have both, in and out, cloud, in and out.
Alfred Ojukwu: Well, even more so, it’s ... into the device you are on, so in other words if you are sending a Word document to someone who is running an Android or iOS device, it still has the ability to protect that file or data you are sending to that person, and you know, just through Azure RMS.
Frank Pinto: Holy crap man, hold on a second, are you telling me that not only does Azure RMS protect files that are built on, protect the files and allow the user to use the file on Windows 7, Windows 8, Windows 8.1, but it also works on iOS devices?
Alfred Ojukwu: It does not care about that; it cares about the information you are sending, that’s the important piece to remember.
Frank Pinto: Alright, so then I guess it’s a good thing to list them. I’m looking at the supported device types and OS types; I see Windows 7 x86, x64, same thing for Windows 8, 8.1, looks like Mac OS X from Lion on, Windows Phone, Android phone and tablet, iPhone and iPad ... iOS 6 ... and Windows RT tablet. Damn, that’s a long list.
Alfred Ojukwu: Yeah, I mean that’s the beauty of it. It’s the idea that, you know, we really can get back from a device signal system point; it’s the information that matters, it’s your company’s information that we want to protect. If we look in the industry today, we see all these breaches of data, breaches of, you know, information, accessing, you know, different cloud sources; we’re trying to make sure that becomes a non-issue for our users.
Frank Pinto: When we say protect, does it mean that the files are encrypted?
Alfred Ojukwu: I don’t know, Frank, what does it mean?
Frank Pinto: Ah, ah, ah, yes it does, ah, ah, ah, so it does mean that the file individually is encrypted. So, I get really excited that we are doing things that are not just Microsoft-focused, right? We didn’t just say, eh! This is just for Microsoft stuff; you know, you can actually use this on all kinds of devices, so that’s really awesome, and I’ll say, against the traditional Microsoft of ten years ago, you know, that’s pretty awesome.
Alfred Ojukwu: Yep, I think so too. Even to add to that, it actually protects all file types, so like in the previous, before, a new user could configure RMS, only Office files could be protected, using enable protection.
Frank Pinto: Yeah, older versions?
Alfred Ojukwu: But now with what they call generic protection, it means that any file type can be protected, and you know it gives a different name; for example, if you have a PDF file you wanna have protected and sent to someone else, of course, you can use what we call the RMS sharing app and protect that file, and it will be re-compiled and sent as a PDF, a protected PDF, and you can send that to users who can then open it and view it just based on the policies they used to send the file.
Frank Pinto: Well man, that’s awesome. Alright, you know this comes into that, I think I talked about it in the last podcast, I have this tele-visual discussion about the way I tried talking to a customer, in the way I tried to convey how this works, and used this treasure chest as an example. So let’s take that for a minute, right: typically if we look at the treasure chest, the treasure chest itself is locked, and typically the treasure chest is hidden somewhere, maybe it’s locked in a cover or locked away in a safe, right? So that’s the perimeter security, the thing that protects the chest itself, and then you probably have the chest itself locked, so that will be maybe further locking inside of your network, like maybe NTF transformation or things. But the problem is if someone breaks through the perimeter or goes around it, let’s say in plane or internally, you know, takes that file, puts it on a USB key, goes outside, then you are outside of the vault and you are outside of the treasure chest; it’s, you know, completely unlocked as that user ... so what do you do? You have to actually protect the gold inside the treasure chest, and that’s what RMS gives you the ability to do, so that even if the file may be outside, if you don’t have the rights to unencrypt that file and view it, you can’t see it, just that simple.
Alfred Ojukwu: That’s a very good point to make. Even more so, the way everybody is looking at information theft when it comes to making sure they are protected, is the cost of not having that data safe can be millions and millions of dollars for your company, but even the loss of some important information for you, thousands of dollars within your own account.
Frank Pinto: Yeah, yeah, good point.
Alfred Ojukwu: So, some of the reasons why RMS is such a big quality, just to name a couple of them very quick, some of the drivers are really to protect all file types; you can share that with anyone you care about based on who is accessing the document. You can share the document to many devices, and then we need to talk about, it needs to work with any RM infrastructure, so whether you are on-prem or in the cloud or in a hybrid scenario that information must be protected, right? Those are some of the reasons why Azure RMS became encoding, and the same scenario had to be true for your partners, the ones on the receiving end; we want to make sure when they receive your information they can also protect their data and view your data and protect it the same way you view them.
Frank Pinto: Okay, I wanted you to also touch on, you know, here we are talking about encryption, right? And Azure Rights Management, by the way, the default is RSA 2048 and the public key cryptography is SHA-256, and now it supports RSA 1024, SHA-1 and SHA-256, both of them, whether you are internal or on Azure; that’s my UK stuff, it’s kicking in, using AES 128 for symmetric encryption. Now one thing our government customers and financial customers are really going to be interested in is that it is FIPS 140-2 compliant, so I know a lot of our government customers and regulators with this FIPS 140-2, and a lot of financial agencies also; that’s an important thing to understand: the file itself is now FIPS 140-2 compliant when you utilize Azure RMS.
Alfred Ojukwu: Very nice, very nice.
Frank Pinto: Yeah, I think that’s cool stuff.
Alfred Ojukwu: Another thing I do want to add is, if you are an existing Office 365 user you can take it down the job on Azure RMS, because it also has information protection hooked into it, so whether you use Exchange Online, you can have RMS for that, which basically is enabled on iPads and iPhones; SharePoint Online basically the same thing, where you can protect your documents, your applications, even when you migrate into it you have the ability to enable Azure RMS, and basically you go to the portal on Microsoft Online and in your service settings you can then configure it to enable Rights Management just by one button; the code will then be enabled.
Frank Pinto: That’s really, I love this thing, and I think this is the future of IT security, right? It’s protecting the gold in my treasure chest example, and it makes that really easy. In fact, when you do this there’s a ton of features, but one of the ones I really like is the auditing and monitoring features: you can monitor the use of your protected files, and that’s even when they leave your organization, so you can see if the people you specified opened your document, when they opened the document; you can see if somebody who didn’t have access tried to access the document, or were able to. We’re really empowering security departments to have much more control. When you just have a need to have a document, it goes up the e-mail, it’s gone, you have no idea what’s going on with that document. So let’s see, what other ... should we talk about?
Alfred Ojukwu: Agreed, I think it’s a great solution.
Frank Pinto: Oh yeah, you can actually trust implicitly certain domains, so let’s say that you have a company umbrella, you have two different organizations, you have two different domains, or two different, you know, firstname.lastname@example.org and email@example.com or whatever, so you can implicitly trust that domain, from domain to domain. I think that’s really good too, because it makes it really easy without having to configure the whole style of internal trust set up; when you go through the RMS in the cloud it’s very easy to do that.
Alfred Ojukwu: Yep. I think even if you are a stand-alone individual who wants to protect your information, we’ve got that in too, right? I know many of you may not have heard of this, but it’s the RMS sharing app, or basically a stand-alone version to be able to protect your data, right, and you can find that; if you are on a computer now, you can go to the security site and go to portal.aadrm.com and basically enter an e-mail address with an organization, not an available address, Hotmail, not the external available addresses, but something that is in all that we may know about, and basically you are able to take advantage of using the RMS sharing app to deliver protected documents to your end points.
Frank Pinto: That’s really great. It also has RMS connectors, so not only can you protect documents but you can connect, so if you have on-prem Exchange, SharePoint, or you are using the file classification infrastructure, which we talked about before, in Windows Server, you have connectors; if you are doing on-cloud it connects to the on-prem stuff too, it connects those things implicitly, so e-mails can be protected and files that are on SharePoint, so famously that might be really helpful in dealing with a situation like some person who mined a bunch of government data from a SharePoint server and then released it to the general public.
Alfred Ojukwu: Exactly. So, one more piece about the sharing app: basically a couple of days ago it was announced that you can now have the RMS sharing app for Mac users, so if you are a Mac user you get to take advantage of protecting your data too; we care about your data.
Frank Pinto: Come on, come on, you kidding me man? What is going on here?
Alfred Ojukwu: I don’t know, Microsoft just showing the love, showing the love.
Frank Pinto: Showing the love for Apple, wow, wow man.
Alfred Ojukwu: If you guys are familiar with the Azure Active Directory Sync, it also has support for Azure RMS; releases of its data, it should be coming through too; you’ll be able to use that to synchronize and also protect your data regardless of where the data is.
Frank Pinto: Also, policies are managed through customized templates; it’s very easy to put together quick templates, it’s flexible, so you can templatize certain types of data or e-mail or private policies by user and put a certain protection level, so maybe I say that anyone in finance, everything they do is encrypted, or whatever, super easy.
Alfred Ojukwu: Yeah, I forgot to mention that, so that’s also, if you had an access subscription or transcript subscription you have the ability to go in there and enable Azure RMS as the feature; you will take that job and encrypt, template around it, and you can actually use it to protect, to determine who has the right to send what.
Frank Pinto: Another thing that’s really cool that Microsoft has enabled to start is the Rights Management SDK, so you can have developers and software vendors using APIs; they can write custom applications that support Azure RMS natively. This thing is so flexible, so awesome, I’m really excited.
Alfred Ojukwu: Yeah, I think that was the goal, to make sure that we put information protection at the top of the list. I mean, as a matter of fact, you know, we would probably be talking more about managing global devices, but as a pre-requisite, you know, if you are working with a customer of yours or someone is looking to take advantage of enterprise mobility, you probably should spend some time thinking about what it means to manage devices from a holistic perspective, because there’s an aspect of it that really is focused on the security of the information as it’s being sent to these protected devices, as well as how you append the key against these devices, protecting who you are when you are accessing these devices.
Frank Pinto: So, we have some companies that we work with that are concerned about where their keys are stored because of particular government regulations; for example, you can, um, Microsoft has data centers in North America, EMEA and Asia, and you can store your alternate key in those individual data centers so your key can be used in the region only, which I think is important. And then it’s also certified; I mentioned that we are certified for the FIPS 140-2 cryptographic standard, right? Then it’s also certified for ISO IEC 2007-1, SOC2 SSAE, it’s EPA compliant, also certified with the e-module clause, so you know what I don’t see typically; we’ll sit down on security reviews, the questions we’re gonna ask: okay, I don’t know this product, and at the end of it we use XYZ company, is this thing certified, it’s in the cloud, is it really trustworthy? Microsoft has spent a lot of time to make sure this product is certified by regulatory boards, I mean the regulations not just in America but, you know, multiple countries across the globe.
Alfred Ojukwu: Agreed. I mean there’s a lot of benefits to using Azure RMS, and I mean again, just the ability for you to kind of ... the cloud is probably what I’m most excited about. I don’t have to manage here outside the business specific app, I don’t have to set up or install anything, I just need to subscribe and then I have access to protect my data.
Frank Pinto: I’m really geeking out; I’m really surprised that some of the things, I really honestly know about some of the things you are bringing out, but I’m pretty hyped. I mean, I can’t believe we are enabling iOS devices, I can’t believe we are enabling Android devices, I mean it’s a killer.
Alfred Ojukwu: Yeah, I think that’s the key, is to make sure, I mean that’s what we do, we are basically giving services so that we can help you manage, lest you do what you are supposed to do with your companies in your data, like making it easy for you; you don’t have to worry about losing information, you don’t have to worry about sending information to a device, or having to worry about compro... What is the word I’m looking for, Frank?
Frank Pinto: I don’t know.
Alfred Ojukwu: ... compromise, ah, ah, ah, that’s it.
Frank Pinto: Ah, ah, ah, so, okay, let me ask you this: all of these amazing features, all of the things you’ve talked about up till now, there must be, you know, with the Enterprise Mobility Suite, this comes with the Enterprise Mobility Suite, it must just be a subset of these features in this way.
Alfred Ojukwu: Actually no, I mean it’s not a subset, that’s the whole point, we’re giving it to you, yes, changing... That’s absolutely. I mean, we don’t know.
Frank Pinto: Awesome stuff man, I really hope our listeners are gaining some value out of this. You know, I think, I know I’m really hyped about it, I know a lot of services guys, senior consultants, architects are really hyped about it; when I sit down and have this discussion with security departments and our customers they really want to see these things in play, and I think it’s awesome you can go and get a free trial and test it out live; you get out there and test it out at no charge and see how these things work.
Alfred Ojukwu: Yeah, even more so, if you already have a subscription with EMS and you are only using it for identity or ADFS solutions or AAD Sync, or if you are only using it to manage mobile devices in Intune, you definitely need to think about protecting your data and how RMS, taking advantage of RMS, can do that.
Frank Pinto: Yeah, it’s like you’re rolling around in a big beautiful ... van and you’ve got a V8 in there and you only use ... You’ve got to use all the things that come with this.
Alfred Ojukwu: Absolutely agreed, absolutely agreed.
Frank Pinto: Well dude, awesome episode, I am really excited. I’m really looking forward to hearing some feedback from our listeners on what they think about Azure RMS: are you using it? If you’ve tested it, what are your thoughts? Make sure to hit us up on Twitter @thedevicepros, you can find us on Facebook, thedevicepros, you can find us on our website www.thedevicepros.com, we have a voicemail hotline which you can call and leave us some feedback; anything you want to do, any way you want to think of, we are out there, we are on the social media. Please let us know what you think is going on with the podcast, with new Microsoft technology, and any question you may have, we’ll do our best to push it in the right direction.
Alfred Ojukwu: Well, that’s what we do, we’re trying to show you what’s out there, make sure you are aware of it. I mean there’s a whole lot of good products available; we are trying our best to show you how Microsoft is compiling it to make a great solution for you, so follow us as we keep you on track and make sure you are up to speed as to what’s going on.
Frank Pinto: Alright, well that’s the end of another amazing episode. Thank you very much Alfred for a fantastic, very informational podcast; I appreciate that very much, and next podcast we’re gonna go over Intune.
Alfred Ojukwu: Sounds like a plan, Frank.
Frank Pinto: Alright, we’ll talk to ya later; see ya.