Information Rights Management in SharePoint
by André Vala
About Me...
2/45
André Vala
SharePoint Solutions Architect
Office & SharePoint Solutions Team Leader
andre.vala@create.pt
@atomicvee
http://blogit.create.pt/andrevala
http://www.linkedin.com/in/andrevala
Agenda
INFORMATION RIGHTS MANAGEMENT IN SHAREPOINT
3/45
What is it?
Why do I need it?
How does it work?
How do I set it up?
How do I use it?
Related topics
Conclusions
Glossary
- AD: Active Directory
- AD RMS: Active Directory Rights Management Services
- Azure RMS: Azure Rights Management, also known as Azure Active Directory Rights Management Services (AADRMS)
- IRM: Information Rights Management
- OWA: Office Web Apps
- RMS: Rights Management Server/Services
INFORMATION RIGHTS MANAGEMENT
4/45
What is it?
INFORMATION RIGHTS MANAGEMENT
What is it?
- Set of technologies that protect an organization’s sensitive information from unauthorized access and control how the information is used
- Uses encryption, identity and authorization policies
- Protection stays with the files, independently of their location
- Works across multiple devices – phones, tablets and PCs
INFORMATION RIGHTS MANAGEMENT
6/45
Why do I need it?
INFORMATION RIGHTS MANAGEMENT
The Scenario
WHY DO I NEED IT?
8/45
(Diagram: SharePoint Server and John)
A document with sensitive information is stored in a SharePoint document library and protected by permissions.
John has Read permissions on the document library.
The Problem
WHY DO I NEED IT?
9/45
(Diagram: SharePoint Server, John and Jane)
John can download it
John can view its contents
John can copy it
John can edit it
John can print it
John can send it to Jane
The Problem
WHY DO I NEED IT?
10/45
(Diagram: SharePoint Server is the security boundary)
As soon as the information leaves SharePoint, it’s no longer protected.
No protection information is included in the file and, so, the information is free.
The Solution
WHY DO I NEED IT?
11/45
(Diagram: SharePoint Server, John and Jane)
John can download it
John can view its contents
John cannot copy it
John cannot edit it
John cannot print it
John cannot send it to Jane
DEMO
WHY DO I NEED IT?
Demo Summary
- Difference between using IRM and not using it
- IRM support in Office Web Apps
- IRM support in Office Client
WHY DO I NEED IT?
13/45
How does it work?
INFORMATION RIGHTS MANAGEMENT
How does it work?
- In SharePoint, IRM protection is applied to:
  - Files in document libraries
  - Files attached to list items (but not the list items)
- Protection is applied to a file by an IRM Protector according to its file type
- SharePoint (on premises and online) includes protectors for:
  - Microsoft Office 97-2003 file formats (.doc, .xls, .ppt)
  - Office Open XML file formats (.docx, .xlsx, .pptx)
  - PDF file format
  - XML Paper Specification (XPS) file format
15/45
Content creation
HOW DOES IT WORK?
16/45
(Diagram: User, SharePoint, RMS)
1. User uploads an unprotected document to an IRM-enabled document library.
That’s it!
Even in IRM-enabled document libraries (or lists), documents are not protected or encrypted when stored.
This allows the search service to crawl the contents of the files, even in IRM-enabled libraries and lists.
Content creation
HOW DOES IT WORK?
17/45
(Diagram: User, SharePoint, RMS)
1. User uploads a protected document to an IRM-enabled document library.
2. Issuance License validation.
3. Document is unprotected (decrypted), the document library ID is verified and the document is stored.
Important!
File contents are never sent to RMS when protecting, unprotecting, sharing or viewing a protected document.
Content consumption
HOW DOES IT WORK?
18/45
(Diagram: User, SharePoint, RMS)
1. User requests a document from an IRM-enabled document library.
2. Generate an Issuance License (IL) which includes:
   - Document key (used to encrypt the file content)
   - List of users with access to the document (SharePoint and the user that requested the document)
   - Document library ID
3. Protect (encrypt) the document.
4. Return the document to the user.
Important!
Protection is applied every time a user requests a file from an IRM-enabled library. The protected document will be accessible only to the user that requested it.
Permission mapping
HOW DOES IT WORK?
19/45
SharePoint permissions -> IRM permissions (Full Control, Read, Edit, Copy, Save, Print):
- Manage Permissions, Manage Web Site: Full Control, Read, Edit, Copy, Save, Print
- Edit Items, Manage Lists, Add and Customize Pages: Read, Edit, Copy, Save; Print only if the permission is explicitly set
- View Items: Read; Print only if the permission is explicitly set
- Other: no IRM permissions
The IRM protection applied depends on the permissions of the user on the document library that contains the file.
With IRM you can...
- Prevent an authorized viewer from:
  - Copying a document
  - Modifying a document
  - Printing a document
  - Copying and pasting the contents of a document
  - Copying the contents of a document using Print Screen on Windows
- Prevent an unauthorized viewer from viewing the content of a document if it is sent in an email after being downloaded from the server
- Restrict access to content to a specific period of time, after which users must confirm their credentials
HOW DOES IT WORK?
20/45
With IRM you cannot...
- Prevent users from taking pictures of a document that is displayed on a screen
- Prevent users from manually copying the content of a document that is displayed on a screen and retyping it in a new document
- Prevent copying of the content through the use of third-party screen-capture programs
- Prevent erasure, theft, capture or transmission by malicious software such as trojan horses, viruses, keyloggers and spyware
- Open protected documents in client applications as External Users in SharePoint Online
HOW DOES IT WORK?
21/45
How do I set it up?
INFORMATION RIGHTS MANAGEMENT
Cloud and On Premises
- IRM is available for SharePoint Server and SharePoint Online (Office 365), but each relies on different Rights Management components
- SharePoint Online depends on Azure RMS
- SharePoint Server can be used with AD RMS or Azure RMS (via the RMS Connector)
HOW DO I SET IT UP?
23/45
Azure RMS vs AD RMS
Feature: Azure RMS / Active Directory RMS
- Supports on-premises servers (SharePoint Server, Exchange Server and file servers that run Windows Server with File Classification Infrastructure (FCI)): Yes / Yes
- Supports online services (SharePoint Online, Exchange Online and Office 365): Yes / No
- Trust between organizations and users within an organization: Supports implicit trust between organizations and users that use Office 365, Azure RMS or RMS for individuals / Requires explicit trust using trusted user domains (TUD) or federated trust via ADFS
- Default rights policy templates: 2 / Not available
- Support for creating new policy templates: Yes / Yes
- Minimum supported versions of Office: Office 2010 with RMS Sharing App (Office for Mac 2011 is not supported) / Office 2007 (Office for Mac 2011 is supported)
- Minimum supported version of Windows client: Windows 7 / Windows Vista SP2
- RMS Sharing App support: Yes / Yes
- Cryptographic Mode support: Mode 2 / Mode 1 (default); requires additional configuration for Mode 2
- Key lengths and encryption algorithms: RSA 2048 for public key cryptography, SHA 256 for signing operations, AES 128 for symmetric encryption / RSA 1024 and RSA 2048 for public key cryptography, SHA 1 and SHA 256 for signing operations, AES 128 for symmetric encryption
HOW DO I SET IT UP?
24/45
More info: https://technet.microsoft.com/library/jj739831.aspx
Requirements
- To use IRM with Azure RMS you need:
  - A cloud subscription for RMS
  - An Azure AD directory
  - Client devices
  - Client applications
  - Internet connectivity and access to dependent cloud services
HOW DO I SET IT UP?
25/45
More info: https://technet.microsoft.com/library/dn655136.aspx
Cloud Subscription
- At least one of the following subscriptions:
  - Office 365
    - Enterprise E3 or E4
    - Education A3 or A4
    - Government G3 or G4
  - Azure RMS Standalone subscription
  - Enterprise Mobility Suite subscription
  - RMS for Individuals subscription (just for consumption)
HOW DO I SET IT UP? > REQUIREMENTS
26/45
More info: https://technet.microsoft.com/library/dn655136.aspx
Client Devices and Applications
Device OS: Word, Excel, PowerPoint / Protected PDF / Email / Generic Protection
- Windows: Office 2010/2013, Office Online / GigaTrust Desktop PDF Client, Foxit Reader, Nitro PDF Reader, RMS Sharing App / Outlook 2010/2013, Outlook Web App / RMS Sharing App
- iOS: TITUS Docs, Office Online (view) / Foxit Reader (Azure RMS only), RMS Sharing App, TITUS Docs / NitroDesk, OWA for iOS, TITUS Mail / TITUS Docs, RMS Sharing App
- Android: GigaTrust App, Office Online / GigaTrust App, Foxit Reader (Azure RMS only), RMS Sharing App / 9Folders, GigaTrust App, NitroDesk, OWA for Android, Samsung Email (S3+), TITUS Classification for Mobile / RMS Sharing App
- MacOS X: Office 2011 (AD RMS only), Office Online / RMS Sharing App / Outlook 2011 (AD RMS only), Outlook for Mac / RMS Sharing App
- Windows RT: Office 2013 RT, Office Online / Not Supported / Outlook 2013 RT, Mail App for Windows / Not Supported
- Windows Phone 8.1: Office Mobile (AD RMS only) / RMS Sharing App / Outlook Mobile / RMS Sharing App
- Blackberry 10: Not Supported / Not Supported / Blackberry Email / Not Supported
HOW DO I SET IT UP? > REQUIREMENTS
27/45
More info: https://technet.microsoft.com/library/dn655136.aspx
DEMO
HOW DO I SET IT UP?
Demo Summary
- Setting up IRM in Office 365 requires two simple steps:
  1. Activate Azure RMS in your Office 365 tenant
  2. Activate Rights Management in SharePoint Online
HOW DO I SET IT UP?
29/45
More info: Set up Information Rights Management (IRM) in SharePoint admin center
How do I use it?
INFORMATION RIGHTS MANAGEMENT
Configuring IRM on a Document Library
- IRM is configured at the document library or list level
- IRM is configured in 3 groups of settings:
  - IRM library settings
  - Document access rights
  - Group protection and credentials interval
HOW DO I USE IT?
31/45
Document library settings
IRM Library Settings
HOW DO I USE IT? > CONFIGURING IRM ON A DOCUMENT LIBRARY
32/45
Prevents uploads of documents that do not support IRM, which means:
- File types for which there are no protectors installed
- File types that SharePoint cannot decrypt
- File types that are IRM protected in another program
Removes all IRM restrictions after a specific date.
Prevents documents from being opened in the browser, forcing users to open them in IRM-enlightened applications such as Microsoft Office client applications. This can be important because, when using Office Web Apps, screen capture cannot be prevented as it is in the client applications.
Document access rights
HOW DO I USE IT? > CONFIGURING IRM ON A DOCUMENT LIBRARY
33/45
Prevents users from printing the document.
Prevents code/macros from running on a document.
Prevents users from making local editable copies of a document.
Prevents access to a document a specific number of days after it was downloaded.
Group protection and credentials interval
HOW DO I USE IT? > CONFIGURING IRM ON A DOCUMENT LIBRARY
34/45
Specifies a group of users that can share the document, even after it is downloaded.
Sets the duration of the document access license, in days. After the specified interval, users will be requested to validate their credentials to have access to its contents.
DEMO
HOW DO I USE IT?
Related Topics
INFORMATION RIGHTS MANAGEMENT
RMS Sharing App
- RMS-enlightened client application
- Can protect/unprotect files of any type
- Available for:
  - Windows (desktop PC)
  - MacOS X (10.6.6 or above)
  - Windows Phone 8.1
  - Android (4.0.3 or above)
  - iOS (version 7.0 or above)
RELATED TOPICS
37/45
More info: https://portal.aadrm.com/Home/Download
DEMO
RMS SHARING APP
Logging and Auditing
- RMS logs can be used for auditing access to protected documents
- RMS logging is optional and is not enabled by default
- Requirements:
  - An IT-managed RMS subscription (not RMS for Individuals)
  - Azure subscription (to store the logs)
  - Windows PowerShell for Rights Management
RELATED TOPICS
39/45
More info: https://technet.microsoft.com/en-us/library/dn529121.aspx
Azure RMS Logs
- Stored in an Azure storage account as blobs, in W3C extended log format
- Can take around 15 minutes for a log message to appear
- You can download the logs using PowerShell or the Azure Storage SDK
- Each log message includes (among other information):
  - Date and time of the request
  - Request type (request made to the RMS API)
  - User ID
  - Content ID
  - Correlation ID (to map requests to ULS)
  - Client information (similar to User Agent strings in browsers)
  - Client IP address
RELATED TOPICS > LOGGING AND AUDITING
40/45
More info: https://technet.microsoft.com/en-us/library/dn529121.aspx
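As an added example of how the downloaded RMS logs can be turned into an audit (my own code, not from the slides or from Microsoft): a parser driven by the W3C extended log format's #Fields directive, plus checks that list which users obtained a license for each content ID, flag users outside an expected audience, and collect client IPs per user. The column names, the "AcquireLicense" request-type value and every log line below are constructed for the example; read the #Fields line of a real export and confirm the request-type values against your own logs.

```python
"""Audit Azure RMS usage logs (W3C extended log format) for access to protected content."""
import shlex
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample log (not a real Azure RMS export). The '#Fields:' directive is the
# W3C extended log format convention; the column names mirror the items the slides list
# for each message. '-' marks an empty value, quoted values may contain spaces.
SAMPLE_LOG = """\
#Software: Azure RMS (constructed sample)
#Version: 1.0
#Fields: date time request-type user-id content-id correlation-id c-info c-ip
2015-06-02 10:01:12 AcquireLicense john@contoso.com 1a2b3c4d-0000-4000-8000-000000000001 11111111-1111-4111-8111-111111111111 "MSIPC;version=1.0.623.47;AppName=WINWORD.EXE" 203.0.113.10
2015-06-02 10:03:40 AcquireLicense jane@contoso.com 1a2b3c4d-0000-4000-8000-000000000001 22222222-2222-4222-8222-222222222222 "MSIPC;version=1.0.623.47;AppName=WINWORD.EXE" 198.51.100.7
2015-06-02 10:05:01 AcquireLicense jane@contoso.com 1a2b3c4d-0000-4000-8000-000000000001 33333333-3333-4333-8333-333333333333 "MSIPC;version=1.0.623.47;AppName=WINWORD.EXE" 198.51.100.7
2015-06-02 10:07:55 GetTemplates john@contoso.com - 44444444-4444-4444-8444-444444444444 "MSIPC;version=1.0.623.47;AppName=WINWORD.EXE" 203.0.113.10
"""


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per record, keyed by the #Fields names.

    Quoted values are honoured via shlex; a '-' value becomes an empty string.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive line; only #Fields affects how the records below are read.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if not fields:
            raise ValueError(f"line {lineno}: record appears before any #Fields directive")
        values = shlex.split(line)
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} columns, got {len(values)}")
        records.append({name: ("" if v == "-" else v) for name, v in zip(fields, values)})
    return records


def readers_by_content(records: List[Dict[str, str]],
                       request_type: str = "AcquireLicense") -> Dict[str, Set[str]]:
    """Map each content ID to the users who made a request of the given type for it.

    'AcquireLicense' is assumed here to mean "user obtained a use license for this
    content"; confirm the value against your own logs.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        if rec.get("request-type") == request_type and rec.get("content-id"):
            seen[rec["content-id"]].add(rec["user-id"].lower())
    return dict(seen)


def unexpected_readers(records: List[Dict[str, str]],
                       expected: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Users who obtained a license for content they were not expected to read.

    'expected' maps content ID -> audience (constructed here; in practice derived from
    the library's permissions or the user list in the Issuance License).
    """
    flagged: Dict[str, List[str]] = {}
    for cid, users in readers_by_content(records).items():
        allowed = {u.lower() for u in expected.get(cid, set())}
        extra = sorted(users - allowed)
        if extra:
            flagged[cid] = extra
    return flagged


def client_ips_by_user(records: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Client IP addresses seen per user, a cheap signal for access from unusual locations."""
    ips: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        if rec.get("user-id") and rec.get("c-ip"):
            ips[rec["user-id"].lower()].add(rec["c-ip"])
    return dict(ips)


if __name__ == "__main__":
    recs = parse_w3c_log(SAMPLE_LOG)
    audience = {"1a2b3c4d-0000-4000-8000-000000000001": {"john@contoso.com"}}
    print("readers:", readers_by_content(recs))
    print("unexpected:", unexpected_readers(recs, audience))
    print("client IPs:", client_ips_by_user(recs))
```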
DEMO
LOGGING AND AUDITING
Conclusions
INFORMATION RIGHTS MANAGEMENT
Conclusions
- IRM is a great way to protect sensitive information stored in SharePoint
- IRM can be used with SharePoint Server or SharePoint Online
- IRM protection is embedded in the document and travels with it
- IRM protection is applied at the library level for all documents
- To use IRM with PDF files, a specific reader application is required
- Any file type can be protected using the RMS Sharing App
- RMS logging can be used for security auditing of protected information
43/45
References
- Microsoft Rights Management Services
- RMS for IT Professionals
- Azure Rights Management
- Comparing Azure Rights Management and AD RMS
- Requirements for Azure Rights Management
- Set up Information Rights Management (IRM) in SharePoint admin center
- Apply Information Rights Management to a list or library
- RMS Sharing App
- Logging and Analyzing Azure Rights Management Usage
44/45
45/45
Thank you!
andre.vala@create.pt
@atomicvee
http://blogit.create.pt/andrevala
http://www.linkedin.com/in/andrevala
