Transcript
Page 1: New ETR actions configurable via UI or PowerShell.

Spark the future.

May 4 – 8, 2015, Chicago, IL

Page 2: Your Encryption Controls in Office 365: Across Devices and Platforms

Tariq Sharif, Asaf Kashi

BRK3172

Page 3: Why is encryption needed?

Medical records

Bank statements

Intercompany confidential memos

Credit card information

Departmental-only emails

Design documents

Page 4: Our Organization – Contoso Pharma

Serena, Tariq, Jackie – Trials team

Dr. Toni Ramos – @hotmail email account, uses desktop for work

Dr. Alex Darrow – @gmail email account, uses desktop and phone

Rosella – Researcher

Sanjay – Admin

Page 5: Customer control: encryption solutions in Office 365

Office 365 message encryption: Encrypt messages to any SMTP address. Example: personal account statement from a financial institution.

Information rights management: Encrypt content and restrict usage; usually within own organization or trusted partners. Example: internal company confidential memo.

S/MIME: Sign and encrypt messages to users using certificates. Example: peer-to-peer signed and encrypted communication within a government agency.

Page 6: Office 365 message encryption

Admin: Simple to provision and configure. Policy driven via transport rules. Customizable branding of encrypted emails and mail reading portal. Allows for enterprise content inspection and compliance.

Sender: Ability to send encrypted messages to any SMTP address regardless of recipient’s client or service provider.

Recipient: View encrypted messages on the Office 365 message encryption portal after sign-in. The portal has rich OWA controls for viewing and composing messages. Replies from the portal are also encrypted.

Page 7: Office 365 message encryption

How do recipients sign in to view messages? Three ways:

Microsoft account – used for sign-in to Microsoft services like OneDrive, Xbox Live, etc. A Microsoft account for hotmail.com, outlook.com, live.com already exists. A user can create a Microsoft account for any SMTP address, like gmail.com or mycustomdomain.com; address verification is done as part of the account creation process. If the recipient does not have a Microsoft account, the recipient is navigated through the process of creating one. For a given email address, a single Microsoft account is used to access all Microsoft services and view future encrypted emails.

Organizational account – used for sign-in to workloads like Exchange Online, SharePoint Online, etc.

One-time passcode

As Office 365 embraces additional identity providers, so will Office 365 message encryption.

Page 8: OME Demo

Contoso Pharma wants to send encrypted emails to its partner doctors. The administrator has configured an ETR to encrypt any message going to Dr. Toni when the subject contains the word “Encrypt”. Dr. Toni gets the encrypted email at his hotmail address and follows the instructions to view the encrypted message sent from Serena.

Alex also wants to view the mail and uses a one-time passcode to view the message on his desktop and mobile device.

Page 9: Our Organization – Contoso Pharma

Page 10: Office 365 message encryption: admin configuration – New ETR actions configurable via UI or PowerShell

New-TransportRule -Name EncryptRule <Condition for which to apply encryption> -ApplyOME $true

New-TransportRule -Name DecryptRule <Condition for which to remove encryption> -RemoveOME $true

Page 11: Office 365 message encryption: admin configuration – Customize opening text in encrypted email and disclaimer statement

Set-OMEConfiguration -Identity default -EmailText "Encrypted message from ContosoPharma secure messaging system"

Set-OMEConfiguration -Identity default -DisclaimerText "This email message and its attachments are for the sole use of the …"

Page 12: Office 365 message encryption: admin configuration – Customize portal text and logo

Set-OMEConfiguration -Identity default -PortalText "ContosoPharma secure e-mail portal"

Set-OMEConfiguration -Identity default -Image (Get-Content "C:\Users\admin\Desktop\contoso.png" -Encoding byte)
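The admin-configuration slides on pages 10–12 are one procedure. The script below is an added example, not code from the deck or from Microsoft, that strings them together for the page 8 demo scenario: confirm Azure RMS is enabled, create the encrypt rule (subject contains "Encrypt", sent to Dr. Toni's external address), add a decrypt rule for portal replies coming back into the tenant, set the branding, and read the result back. The rule names, the recipient address and the logo path are assumptions, and it assumes an already connected Exchange Online PowerShell session.

```powershell
# Added example (not from the deck). Assumes an Exchange Online PowerShell
# session is already connected and Azure RMS is activated for the tenant.
$Recipient = 'toni.ramos@hotmail.com'      # constructed: Dr. Toni's address (page 4)
$LogoPath  = 'C:\PLACEHOLDER\contoso.png'  # placeholder: branding image

# 1. OME rides on Azure RMS (page 26), so confirm licensing before adding
#    any -ApplyOME rule.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw 'Azure RMS licensing is not enabled for this tenant; configure IRM first.'
}

# 2. Encrypt rule from the page 8 demo: subject contains "Encrypt" and the
#    message is addressed to Dr. Toni's hotmail account.
New-TransportRule -Name 'Contoso-OME-Encrypt' `
    -SentTo $Recipient `
    -SubjectContainsWords 'Encrypt' `
    -ApplyOME $true

# 3. Portal replies come back encrypted (page 6); remove OME on inbound mail
#    to internal recipients so the mailbox and compliance scanning see plaintext.
New-TransportRule -Name 'Contoso-OME-Decrypt' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -RemoveOME $true

# 4. Branding from pages 11-12. -Identity 'default' follows the deck; current
#    tenants name the object 'OME Configuration'. The deck's disclaimer text
#    is truncated, so a placeholder is used here.
Set-OMEConfiguration -Identity 'default' `
    -EmailText 'Encrypted message from ContosoPharma secure messaging system' `
    -PortalText 'ContosoPharma secure e-mail portal' `
    -DisclaimerText 'DISCLAIMER TEXT PLACEHOLDER'
if (Test-Path -Path $LogoPath) {
    # The image must be supplied as raw bytes; -Encoding Byte is the Windows
    # PowerShell 5.x form the deck uses (PowerShell 7 uses -AsByteStream).
    Set-OMEConfiguration -Identity 'default' `
        -Image (Get-Content -Path $LogoPath -Encoding Byte)
}

# 5. Read everything back so the change can be reviewed and audited.
Get-OMEConfiguration | Format-List EmailText, PortalText, DisclaimerText
Get-TransportRule | Where-Object { $_.ApplyOME -or $_.RemoveOME } |
    Format-Table Name, State, Priority, ApplyOME, RemoveOME
```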

Page 13: Office 365 message encryption: Modern UI – Modern O365 UI and rich OWA controls

Page 14: Mobile experiences – Apps for iOS and Android devices; Windows Phone provides native support

Pages 15–21: Mobile experiences

Page 22: OME Demo – User sending an OME encrypted message from OWA

Page 25: Office 365 message encryption: under the hood (architecture diagram). Components: Exchange Online (policy detection and enforcement, tenant configuration), mail reading portal, O365 user, Internet user. Flows: send, deliver, post. Recipient sign-in: Microsoft account / organizational account / one-time passcode.

Page 26: Office 365 Message Encryption – Under the hood

Office 365 Message Encryption uses IRM as a platform to encrypt messages. The sending organization needs to have purchased and configured Azure Rights Management Services (RMS). Keys imported from Azure RMS are 2048-bit and use SHA-256 (Crypto Mode 2).

Encrypted messages are wrapped in an HTML file and sent as an attachment to the intended recipients. The HTML file contains the encrypted message along with other metadata.

When the user opens and clicks on the link in the attachment, the encrypted content is posted and held temporarily while the user authenticates. The user authenticates using a Microsoft account, organizational account or one-time passcode. If the user has neither, the user is told and asked to create a Microsoft account before viewing. Any email address (@yahoo.com, @gmail.com, etc.) can be used to create a Microsoft account.

Once the authentication completes, the message is decrypted and shown in the modern UI with all rich OWA controls.

Messages replied from the portal are also encrypted.

Page 27: Information rights management

Information protection technology: protection is persisted with the data, so content can travel anywhere (desktops, file shares, USB keys, cloud drives, network, and devices).

Combines encryption and usage restrictions: prevent accidental disclosure of sensitive data by applying usage policies (cannot forward, cannot print, read only).

Simple to use: authors just select a policy option, consumers just open documents. Administrators can configure policies to protect content automatically. Securely share data with individuals within the organization.

Page 28: Information rights management: Exchange Online

Admin: Simple to provision and configure using Microsoft Azure Rights Management; no on-premises RMS server required. Policy driven via transport rules. Allows for enterprise content inspection and compliance.

Sender: Ability to send IRM-protected messages to recipients in the organization using supported clients (OWA and Microsoft Office 2010 and 2013).

Recipient: Ability to view IRM-protected content just like regular emails using supported clients (OWA, Microsoft Office 2010 and 2013, EAS).

Page 29: Information rights management: ETR and DLP – Automatically protect email with IRM using Exchange transport rules
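An added example, not from the deck, of the point above: a transport rule that applies the Azure RMS "Do Not Forward" template (the cannot-forward restriction from page 27, under which recipients can read and reply but not forward, print or copy) to internal mail whose subject or body carries a marker phrase, with a check that the template is published before the rule references it. The rule name, the marker phrase and the sender used in the verification call are assumptions; it assumes a connected Exchange Online PowerShell session.

```powershell
# Added example (not from the deck). Assumes a connected Exchange Online
# PowerShell session and an activated Azure RMS tenant.
$TemplateName = 'Do Not Forward'                  # built-in Azure RMS template
$Marker       = 'Contoso Confidential'            # constructed marker phrase
$TestSender   = 'serena@contosopharma.example'    # constructed: Trials team member

# 1. Confirm the template is visible to Exchange Online before referencing it,
#    so a misspelled or unpublished template name fails here with a clear
#    message rather than at rule creation.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $TemplateName }
if (-not $template) {
    throw "RMS template '$TemplateName' not found; check Azure RMS activation and template publishing."
}

# 2. Protect internal-only mail automatically (page 29): recipients inside the
#    organization and the marker phrase present in subject or body.
New-TransportRule -Name 'Contoso-IRM-Confidential' `
    -SentToScope InOrganization `
    -SubjectOrBodyContainsWords $Marker `
    -ApplyRightsProtectionTemplate $template.Name

# 3. Exercise the RMS connection for a real sender, not just the rule object,
#    so licence acquisition problems show up before users hit them.
Test-IRMConfiguration -Sender $TestSender
```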

Page 30: Information rights management: OWA – Protect email with IRM right from the Outlook web app

Page 31: Information rights management: SharePoint Online

Admin: Simple to provision and configure using Microsoft Azure Rights Management; no on-premises RMS server required. Protection is managed at the individual library level, protecting Office and Adobe PDF file formats.

End user: Documents are protected at the time of download from a library, and rights are given to the appropriate user accounts per the library settings. The user can edit the document in supported Office clients, and protection is removed at the time of upload.

Page 32: IRM Demo – Sync of content in IRM-protected libraries; sharing of IRM content with external users and collaborating

Page 33: Our Organization – Contoso Pharma

Page 34: Future enhancements

Ability to IRM-protect an individual file

Tenant-wide IRM enforcement across all libraries

Page 35: S/MIME

Standards-based way to secure email communication. Commonly used when communicating with government agencies. Must know the recipient's public certificate to send them encrypted mail. Must have the private key associated with the sending email address to sign email. Client-to-client encryption requiring the recipient's private key to open and view the message.

Exchange on-premises continues to support S/MIME.

OWA 2013 support added in SP1.

Page 36: S/MIME in Exchange Online

Admin: Admin provisions certificates to users and synchronizes them with Exchange Online. Simple Exchange Online configuration for S/MIME OWA behavior.

Sender: Ability to send signed and encrypted email to intra-organization recipients who are properly configured.

Recipient: Ability to view signed and encrypted emails using OWA and supported clients, and reply.

Page 37: S/MIME in Exchange Online – Admin: Exchange Online configuration options

Page 38: S/MIME in OWA

Compose, send, receive, encrypt, and decrypt S/MIME encrypted email via OWA. You can select the S/MIME options to encrypt or digitally sign the message when you send a message in OWA.

When you receive a digitally signed and encrypted S/MIME email, the digital signature is displayed on the message.

Page 39: S/MIME Demo

Page 40: Our Organization – Contoso Pharma

Page 41: Summary of encryption customer controls

Office 365 message encryption: Encrypt messages to any SMTP address. Example: personal account statement from a financial institution.

Information rights management: Encrypt content and restrict usage; usually within own organization or trusted partners. Example: internal company confidential memo.

S/MIME: Sign and encrypt messages to users using certificates. Example: peer-to-peer signed and encrypted communication within a government agency.

Page 42: O365 Information Protection sessions

Session – Code: date and time

Meet Office 365 Compliance Center: Your One Stop Shop for Everything Compliance – BRK2165: 5/5 – 3:15 PM

Extending Microsoft Office 365 Visibility, Security and Compliance: Office 365 Management APIs – BRK2180: 5/6 – 9:00 AM

Evolving Email Protection for Tomorrow's Needs with Exchange Online Protection – BRK2198: 5/6 – 10:45 AM

Your Encryption Controls in Office 365: Across Devices and Platforms – BRK3172: 5/6 – 1:30 PM

End-to-End Data Loss Prevention – BRK3181: 5/6 – 9:00 AM

Device and Data Protection with Mobile Device Management in Office 365 – BRK3113: 5/6 – 3:15 AM

Keeping Your Data in Place with Office 365 Archiving and Retention – BRK2144: 5/6 – 10:45 AM

eDiscovery Redefined: Real Time and In-Place – BRK3121: 5/6 – 5:00 PM

Deep Dive into How Microsoft Handles Spam and Advanced Email Threats – BRK3106: 5/6 – 5:00 PM

Experts Unplugged: Office 365 Security – BRK2193: 5/7 – 3:15 PM

Experts Unplugged: Office 365 Compliance – BRK2145: 5/7 – 5:00 PM

Auditing for Office 365 – BRK3126: 5/8 – 10:45 AM

Page 43:

© 2015 Microsoft Corporation. All rights reserved.