Great protection needs…. That users can protect ALL the files they value That users can consume them in all their devices That users can share.

Dec 26, 2015

Transcript
Page 1:

Page 2:

Sneak peek into the future of RMS on-premises
Enrique Saggese, Sr. Program Manager – Information Protection

PCIT-B316

Page 3:

Session Objectives And Takeaways

Session objectives:
• I am able to choose the platform for Information Protection that suits my needs
• I can prepare my organization to adopt upcoming features when they become available

Key takeaway 1: the news of AD RMS’s death has been greatly exaggerated
Key takeaway 2: expect no unjustified differences between the on-premises and the cloud products over time

Page 4:

Past, present and future

Page 5:

RMS Timeline (2003 to 2015)

On-premises:
• 2003: Windows RMS
• 2007: SharePoint/Exchange integration
• 2008: AD RMS
• 2009: Windows Server 2008 R2
• 2010: Exchange 2010 integration
• 2011: Windows Server 2012
• 2013: Windows Server 2012 R2

Cloud:
• 2010: Exchange Online integration
• 2012: AAD RM
• 2013: Mobile SDKs, RMS app, RMS connector, RMS for Individuals

Page 6:

Persistent adoption blockers

Great protection needs….
• That users can protect ALL the files they value
• That users can consume them in all their devices
• That users can share with anyone they need to
• That it works with any infrastructure
• That users can assume their counterparts will be able to consume the content
• That all this can be done with minimal technical knowledge

Page 7:

Breaking through these challenges

Issues compared for Azure RMS and AD RMS (the per-product ratings in the slide’s table were not captured in the transcript):
• Use for all files
• Collaborate transparently
• Any device, anywhere
• Deploy with ease

Page 8:

Reaching out for parity

Page 9:

What AD RMS lacks that Azure RMS has
• Mobile device access: Azure RMS provides REST endpoints for the RMS 3.0 clients.
• Collaboration: In Azure RMS collaboration is automatic. In AD RMS, explicit trusts are needed.
• Ease of deployment: Azure RMS is simple to deploy (one click!). AD RMS requires advanced knowledge.

Other than that, they are functionally equivalent.

Page 10:

Mobile device support

Page 11:

Three flavors of RMS clients

MSDRM client (2003)
• Low-level operations, no abstraction of architecture or crypto
• Must be installed on all clients
• Controlled through registry keys

MSIPC client (a.k.a. RMS client 2.x, 2011)
• High level operations, architecture and crypto are abstracted
• Can be deployed with applications
• Controlled through registry keys

RMS client 3.0 (a.k.a. mobile client, 2013)
• Released in 2013 for iOS, Android, Windows Phone, RT and Mac
• Highly abstracted and simplified
• No RAC, no CLC
• Initially online-only
• Added modern (REST) APIs at the service to support this
• Uses OAuth for authentication (federation-based)

Page 12:

RMS Mobile client in detail

MSDRM and MSIPC couldn’t be ported to mobile clients:
• XML parsing is expensive
• No Kerberos auth on most mobile devices
• No registry or configuration storage
• No key protection
• No key persistence
• No SSO
• Asymmetric crypto is too expensive for the typical phone

A new client and API was necessary:
• New API added in the server/service (REST endpoints)
• New service discovery process
• Eliminate the need for client certs (RACs and CLCs)
• Accept some initial restrictions (no offline use)
• Policy representation is JSON-based

Page 13:

Mobile (REST) clients highlights:
• All transactions are atomic
• There’s no RAC: the client authenticates and acquires a license in one operation.
• There’s no CLC: the client builds the policy and gets the PL from the server
• There’s no SLC: the client trusts the service URL (SSL is mandatory, since the TLS-authenticated server identity is what replaces the SLC as the trust anchor)
• There’s no machine certificate: no need, as there’s no cert storage
• There’s no SCP: endpoint discovery uses a well-known URL or DNS

What is there?
• A trusted, highly abstracted client
• Publishing Licenses built by the server and embedded by the client
• End Use Licenses, delivered by the server to the client every time
• Apps (e.g. RMS Sharing app) using the SDK/client

Page 14:

How does it work in the cloud?

Consumption
• Client goes to known endpoint
• Client referred to authentication endpoint
• Client obtains EUL from service
• Client renders content

Authoring
• Client authenticates against fixed (cloud) URL
• Client is redirected to REST protection endpoint according to user’s tenant
• Client obtains templates from service
• Client obtains PL from service
• App protects document

Diagram components (both flows): Azure AD, Azure RMS

Page 15:

How will it work on-premises with mobile client extension preview

Consumption
• User provides email address
• Client discovers URL from DNS for user’s email domain
• Client authenticates via federation to server and is redirected to the user’s server
• Client obtains EUL from service
• Client renders content

Authoring
• User provides email address
• Client finds DNS SRV record for its domain (points to on-prem RMS server)
• Client goes to endpoint on that server and is redirected to federation server
• Client authenticates via federation (AD FS)
• Client asks for service endpoint for user and is directed to right server
• Client obtains templates from service
• Client obtains PL from service
• App protects document

Diagram components (both flows): AD RMS w. REST, DNS, AD FS, AD DS; labelled steps 4 “query user attribs” and 5 “user attributes”
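The DNS discovery step above (user types an email address, client looks up an SRV record for that domain and is sent to the on-premises server) is the part of the mobile flow that an administrator can reason about and test independently. The following is an added example, not code from the deck or from the AD RMS product: it models the client’s lookup in PowerShell using the record name and port the deck gives for the extension (_rmsdisco._http._tcp.<domain>, port 443). Assumptions: the client picks records by lowest priority then highest weight (standard SRV handling, not stated on the slides), and the endpoint is https://<target>/. Resolve-DnsName from the DnsClient module is the default resolver; a scriptblock over constructed records is injected so the demonstration runs offline.

```powershell
# Added example (not from the original deck). Models the mobile client's SRV
# discovery: email address -> domain -> _rmsdisco._http._tcp.<domain> -> server.
# Assumptions: RFC 2782 ordering (priority asc, weight desc) and an
# https://<target>/ endpoint; both are illustrative, not documented behaviour.

function Get-RmsDiscoveryEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$EmailAddress,
        # Resolver takes an SRV name and returns objects with Priority, Weight, Port, NameTarget.
        [scriptblock]$Resolver = { param($name) Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop }
    )

    if (-not ($EmailAddress -match '^[^@\s]+@([^@\s]+)$')) {
        throw "Not an email address: $EmailAddress"
    }
    $domain  = $Matches[1].ToLowerInvariant()
    $srvName = "_rmsdisco._http._tcp.$domain"

    # Resolve-DnsName also returns additional A records; keep only SRV answers.
    $records = @(& $Resolver $srvName | Where-Object { $_.NameTarget })
    if ($records.Count -eq 0) {
        throw "No SRV record $srvName; the domain has no on-premises RMS discovery entry"
    }

    $best = $records | Sort-Object Priority, @{Expression = 'Weight'; Descending = $true} | Select-Object -First 1

    # The mobile client has no SLC: the TLS-authenticated service name is its trust
    # anchor, so a record that does not point at the HTTPS port is refused.
    if ($best.Port -ne 443) {
        throw "SRV record $srvName points to port $($best.Port); only 443 (HTTPS) is acceptable"
    }

    $server = $best.NameTarget.TrimEnd('.')
    [pscustomobject]@{
        EmailDomain = $domain
        SrvName     = $srvName
        Server      = $server
        Endpoint    = "https://$server/"
    }
}

# Constructed records for an offline run (no DNS queries are made).
$fakeZone = @{
    '_rmsdisco._http._tcp.contoso.com' = @(
        [pscustomobject]@{ Priority = 10; Weight = 50; Port = 443; NameTarget = 'rms2.contoso.com.' },
        [pscustomobject]@{ Priority = 0;  Weight = 10; Port = 443; NameTarget = 'rmsserver.contoso.com.' }
    )
    '_rmsdisco._http._tcp.badco.example' = @(
        [pscustomobject]@{ Priority = 0;  Weight = 0;  Port = 80;  NameTarget = 'rms.badco.example.' }
    )
}
$offline = { param($name) if ($fakeZone.ContainsKey($name)) { $fakeZone[$name] } else { @() } }.GetNewClosure()

# Expected: peter@contoso.com -> rmsserver.contoso.com (priority 0 wins over 10);
# the other two addresses raise a warning (wrong port, no record).
Get-RmsDiscoveryEndpoint -EmailAddress 'peter@contoso.com' -Resolver $offline
foreach ($addr in 'john@badco.example', 'mary@nowhere.example') {
    try   { Get-RmsDiscoveryEndpoint -EmailAddress $addr -Resolver $offline }
    catch { Write-Warning $_.Exception.Message }
}
```

Drop the -Resolver argument to run the same check against real DNS from a client machine; if it throws for one of your email domains, the record from the post-installation slide is missing or points at the wrong port.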

Page 16:

Release plan

AD RMS Mobile Device Extension package is currently in preview
• Add-on package for AD RMS
• Install on top of Windows Server 2012 or 2012 R2 AD RMS servers
• Non-trivial installation and configuration, but fully functional and supported
• DNS records must be registered manually
• Dependency on AD FS 3.0 with some specific configurations

An upcoming version of on-premises RMS will have this capability built-in
• No separate installation
• More configuration flexibility
• An uninstall of the extension package may be required for upgrade to AD RMS v.next

Page 17:

Installation of the Mobile Device Extension on an AD RMS server (screen shots)

Page 18:

Pre-requisites
• AD RMS running on Windows Server 2012 or 2012 R2
• AD FS 3.0 installed

Pages 19 to 24: installation screenshots (no text captured in the transcript)

Page 25:

Post installation tasks
• Install on all your AD RMS nodes
• Configure federation via supplied script
• Create DNS SRV records to point mobile devices to your servers

For your email domains (slide example):
_rmsdisco._http._tcp.mailatcontoso.com 443 rmsserver.contoso.com

For your AD RMS URLs (slide example):
_rmsdisco._http._tcp.rms.contoso.com 443 rmsserver.contoso.com

• Download and install latest RMS sharing app
• Android version available during TAP
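The slide says the SRV records must be registered manually, which is where preview deployments tend to go wrong (record under the wrong zone, wrong port, target that does not resolve). The following is an added example and not a script supplied with the extension: it registers the two kinds of record the slide lists on a Windows DNS server with the DnsServer module, then verifies them from the client side with Resolve-DnsName. Assumptions: contoso.com is both the email domain and the parent zone of the AD RMS URL rms.contoso.com (the slide’s email-domain example reads mailatcontoso.com; a real deployment repeats the loop for every email domain users will type), and the target host is rmsserver.contoso.com as on the slide.

```powershell
# Added example (not part of the deck). Registers the discovery SRV records
# from the post-installation slide and checks them the way a client would.
# Assumption: contoso.com is the email domain and the zone holding rms.contoso.com.
Import-Module DnsServer

$zone    = 'contoso.com'
$rmsHost = 'rmsserver.contoso.com'
$names   = @(
    '_rmsdisco._http._tcp'        # email domain: _rmsdisco._http._tcp.contoso.com
    '_rmsdisco._http._tcp.rms'    # AD RMS URL:   _rmsdisco._http._tcp.rms.contoso.com
)

foreach ($name in $names) {
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType Srv -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "$name.$zone already has an SRV record, skipping"
        continue
    }
    # Port 443 is required: the mobile client trusts the service by its TLS identity.
    Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name $name -DomainName $rmsHost `
        -Priority 0 -Weight 0 -Port 443
}

# Client-side verification: each record must resolve, use port 443, and point
# at a host that itself resolves.
foreach ($name in $names) {
    $fqdn = "$name.$zone"
    $srv  = Resolve-DnsName -Name $fqdn -Type SRV -ErrorAction Stop | Where-Object { $_.Type -eq 'SRV' }
    foreach ($r in $srv) {
        $targetResolves = [bool](Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction SilentlyContinue)
        $status = if ($r.Port -eq 443 -and $targetResolves) { 'OK' } else { 'CHECK: port must be 443 and target must resolve' }
        '{0} -> {1}:{2} {3}' -f $fqdn, $r.NameTarget, $r.Port, $status
    }
}
```

Run the first loop on the DNS server (or with implicit remoting to it) and the second from a client on the network your devices will use; a record that is correct on the server but resolves differently externally is the usual cause of “the app cannot find my organization”.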

Page 27:

Anything else for AD RMS?

No, that’s it, only support for mobile devices
But we still have some BIG plans for RMS on-premises
• But it won’t come in the box
• You can’t wait years for new features, so you won’t have to
• We will release more and more features out of the Windows box

Page 28:

Collaboration through Azure AD Federation

Page 29:

Collaboration target for AD RMS v.next
• Your organization can collaborate with ANYONE through Azure AD
• Your organization is in control of all licensing
• No need to set up explicit peer to peer trusts
• Keep your key on premises

Page 30:

How does collaboration work in AD RMS?

peter@contoso sends protected email to john@fabrikam

IF fabrikam has RMS deployed AND contoso imported fabrikam’s TUD AND john can access contoso’s licensing URL

Or

IF fabrikam is set up to federate (AD FS) with contoso AND contoso is willing to issue a RAC to john

• When John tries to acquire a license from Contoso, contoso validates John’s RAC (from Fabrikam)
• Since John’s RAC is issued by a trusted server (via TUD), the email address is accepted and a license is issued

Page 31:

How does collaboration work in Azure RMS?

peter@contoso sends protected email to john@fabrikam
• John tries to open the content, goes to contoso’s service endpoint
• Contoso authenticates the user via AAD and issues a CONTOSO RAC (in addition to Fabrikam’s RAC which John already had): a RAC for john@fabrikam signed by Contoso’s tenant
• No CLC is issued, John still uses Fabrikam’s CLC to protect content
• John then acquires a license from contoso using the RAC he has from contoso
• There’s no TUD!

• When John tries to acquire a license from Contoso, contoso validates John’s RAC (from Contoso)
• Since John’s RAC is issued by a trusted server (itself), the email address is accepted and a license is issued

Page 32:

Collaboration between AD RMS and Azure AD

AD RMS is configured to federate with Azure AD. When an AD RMS user sends content to an external user:
• External user tries to authenticate against AD RMS (fails) and is redirected to the Azure AD Forms Based Authentication page for authentication
• External user authenticates (or creates an account and then authenticates) and is redirected back to AD RMS
• AD RMS issues a license to the regular federated user

Advantages:
• No need to set up peer to peer trusts
• No need for key exchanges
• Users can be self-provisioned on the fly
• ANYONE can securely collaborate with ANYONE
• Policies are the only boundaries

Note: Azure RMS is not involved in this scenario! Azure RMS may still be used by an external user to protect content and share with you

Page 33:

Other areas of work

Page 34:

Other Features we are working on (for RMS on-premises and in the cloud)

Scoped templates (a.k.a. departmental templates)
• You can define templates that differ from department to department
• Can be “scoped” by assigning them to groups

Content Revocation
• Open a document in the RMS app and choose “revoke”. It becomes inaccessible to all users

Document Tracking
• Open a document and ask for more information
• You will see who opened the document, when, etc.

Deployability enhancements
• Single cluster deployment across the enterprise
• Simplified setup, more administration flexibility

Page 35:

Other things in our sights:

Content watermarking
• Will require application support

Dynamic policies
• Change policy on a document after sharing, impact all users immediately

Enhanced/flexible crypto algorithms

Root key rotation
• Change your root key and/or your key protection mechanism at any time

Multi-factor authentication
• Use PhoneFactor to validate user identity prior to access

Anything else you want to see? Now is the time to vote!

Page 36:

Call to action

Page 37:

Non-deployed organization:

Focus on your cloud strategy
• Cloud-friendly with Office 365 plans? Propose Azure RMS.
• Cloud-reluctant organization able to deploy some cloud services? Azure RMS with the connector is best for you.
• Cloud-averse organization? Get into AD RMS, understanding the roadmap.

Prepare for the new features
• Deploy AD RMS in Windows Server 2012 or 2012 R2 now: upgrade will be easiest, and the AD RMS Mobile Device Extensions (add-on package) will work on top of this OS
• Begin plans to deploy AD FS: pre-requisite for the Mobile Device Extensions AND for collaboration. Use AD FS 3.0

Page 38:

AD RMS customer

Understand that the roadmap for AD RMS will include out of the box software
• Be aware that while AD RMS may seem “frozen” in Windows, updates are coming as separate features
• Understand that RMS on-premises is here to stay; AD RMS as you know it may change (significantly)
• Understand your options. “RMS” is the common platform. RMS on-premises and in the cloud are flavors.

Upgrade to Windows 2012 or 2012 R2 and deploy the Mobile Device Extension
• Available NOW (as preview). Can get you unlocked on supporting mobile devices.

Deploy AD FS 3.0
• Pre-requisite for the Mobile Device Extensions AND many upcoming

Page 39:

Office 365 customer

Start using Azure RMS NOW
• It is ready for action
• It is easy to enable
• It is easy to use
• It works with on-premises servers now
• Included with E3/E4, can be added to any other SKU (except Small Business)

Deploy the most seamless configuration
• Federation offers the best experience
• Dirsync with PW hash sync works well for pure cloud scenarios
• Look at the RMS connector to integrate on-premises servers

Page 40:

Training tip: Not up to speed with federation?

Put federation in your curriculum! Federation is KEY for ALL these features:
• Mobile device support
• Collaboration
• Critical for Azure RMS as well

Consider your plan to deploy AD FS 3.0 (required)

Page 41:

Review: Session Objectives And Takeaways

Session objectives:
• I am able to choose the platform for Information Protection that suits my needs
• I can prepare my organization to adopt upcoming features when they become available

Key takeaway 1: the news of AD RMS’s death has been greatly exaggerated
Key takeaway 2: expect no unjustified differences between the on-premises and the cloud products over time

Page 42:

Related Content

Breakout Sessions/Chalk Talks
• PCIT-B321 - Deploying the New RMS for Cloud-Friendly and Cloud-Reluctant Organizations
• PCIT-B332 - Securely Collaborating with Anyone, Everywhere, with the New RMS

Instructor-Led Labs
• PCIT-IL302 - Enabling Hybrid Information Protection with the RMS connector

RMS web sites
• Official web site: www.microsoft.com/rms
• Official blog for IT Pros: blogs.technet.com/rms
• Official blog for developers: blogs.msdn.com/rms

Page 43:

Resources
• Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
• msdn: Resources for Developers, http://microsoft.com/msdn
• TechNet: Resources for IT Professionals, http://microsoft.com/technet
• Sessions on Demand: http://channel9.msdn.com/Events/TechEd


Page 46:

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.