
SIA304 - Information Protection for Microsoft Exchange Server 2010 SP1 and Exchange Online using AD RMS






Presentation Transcript


  1. SIA304 - Information Protection for Microsoft Exchange Server 2010 SP1 and Exchange Online using AD RMS Tejas Patel Program Manager Microsoft Corporation

  2. Business Ready Security: Help securely enable business by managing risk and empowering people, across on-premises & cloud
  Pillars: Access, Protection, Identity, Management
  • Protect everywhere, access anywhere
  • Integrate and extend security across the enterprise
  • Highly Secure & Interoperable Platform
  • Simplify the security experience, manage compliance
  From: Block, Cost, Siloed. To: Enable, Value, Seamless.

  3. AD Rights Management Services: Encryption + Policy = Persistent Protection
  • Provides identity-based protection for sensitive data
  • Controls access to information across the information lifecycle
  • Allows only authorized access based on trusted identity
  • Secures transmission and storage of sensitive information wherever it goes: policies embedded into the content; documents encrypted
  • Embeds digital usage policies (print, view, edit, expiration etc.) into the content to help prevent misuse after delivery
  Policy: Access Permissions; Use Right Permissions

  4. Exchange 2010 and AD RMS Integration Overview

  5. Automatic Content Based Privacy

  6. Automatic Content Based Privacy: Eliminate reliance on the end user. Enforcement tools are required; content protection should be automated.

  7. Transport Protection Rule: Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages
  • Automatic Content-Based Privacy:
  • Transport Rule action to apply RMS template to e-mail message
  • Transport Rules support regex scanning of attachments in Exchange 2010
  • Do Not Forward policy available out of box
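An added Exchange Management Shell example of the transport protection rule slide 7 describes; it is not from the deck. It assumes IRM is already configured against an AD RMS cluster, and the rule names, the sender address and the regex are illustrative placeholders.

```powershell
# Added example (not from the deck). Assumed: IRM already points at an
# AD RMS cluster; rule names, sender address and pattern are placeholders.

# Transport rules can only apply an RMS template once internal licensing is on.
Set-IRMConfiguration -InternalLicensingEnabled $true

# Confirm Hub/CAS servers can reach the cluster and which templates they see.
Test-IRMConfiguration -Sender "sender@contoso.example"
Get-RMSTemplate | Format-Table Name, Description

# Constructed pattern: a US social security number shape (illustrative only).
$ssnPattern = '\d{3}-\d{2}-\d{4}'

# Conditions inside one rule are ANDed, so body and attachment matches are
# two rules. Both use the out-of-box "Do Not Forward" template, so no custom
# RMS template is needed. Scope: only mail leaving the organization.
New-TransportRule -Name "Protect SSN in body leaving org" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $ssnPattern `
    -ApplyRightsProtectionTemplate "Do Not Forward"

New-TransportRule -Name "Protect SSN in attachments leaving org" `
    -SentToScope NotInOrganization `
    -AttachmentMatchesPatterns $ssnPattern `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Review conditions, actions and priority before trusting the rules with real traffic.
Get-TransportRule | Where-Object { $_.Name -like "Protect SSN*" } |
    Format-List Name, Priority, Conditions, Actions
```

Regex scanning of attachments only covers attachment types the transport agent can extract text from, so a test message with the real attachment formats in use is the only reliable check.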

  8. Transport Protection Rule demo

  9. Protect Voice Message
  • UM Administrator can allow incoming voice mail messages to be marked as “private”
  • Private voice mail is protected using “Do Not Forward”, preventing forwarding or copying of content
  • Private voice mail supported by Unified Messaging in Outlook 2010 and OWA

  10. Protect Voice Message

  11. Outlook Protection Rule
  • Small scale rules engine delivered in Outlook 2010 add-in
  • Rules
  • Can be applied to a sender’s department, a recipient, or a recipient’s scope (inside or outside of the organization)
  • Retrieved by add-in from CAS through EWS
  • Optional or mandatory
  • Applied offline or online
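An added example, not from the deck, of the Outlook Protection Rules slide 11 describes, created in the Exchange Management Shell. It assumes AD RMS and Exchange IRM are already configured; the department name, distribution group address and rule names are placeholders.

```powershell
# Added example (not from the deck). Assumed: IRM already configured;
# department, group address and rule names are placeholders.

# Mandatory rule: FromDepartment is matched against the sender's Active
# Directory "department" attribute. Finance mail to any recipient is
# pre-protected with the built-in Do Not Forward template and the user
# cannot remove it in Outlook (UserCanOverride $false).
New-OutlookProtectionRule -Name "Finance mail" `
    -FromDepartment "Finance" `
    -SentToScope All `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -UserCanOverride $false

# Optional rule (UserCanOverride defaults to $true): mail addressed to the
# board distribution group is protected by default, but the author may opt out.
New-OutlookProtectionRule -Name "Board DL" `
    -SentTo "board@contoso.example" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Scope-only rule: protect anything that stays inside the organization.
New-OutlookProtectionRule -Name "Internal only" `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Rules are pushed to the Outlook 2010 add-in through EWS and evaluated in
# priority order; list them, and disable one without deleting it.
Get-OutlookProtectionRule | Format-Table Name, Priority, Enabled, UserCanOverride
Disable-OutlookProtectionRule -Identity "Board DL"
```

Because the rule is enforced by the Outlook add-in, it protects mail from Outlook 2010 clients only; a transport protection rule on the Hub Transport server is what covers other clients.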

  12. Streamline End User Experience

  13. RMS Integration in OWA
  • Create or consume RMS protected messages just like in Outlook
  • No client download or installation required
  • Supports: IE, Firefox, Safari, Chrome; Conversation view; Preview pane; Full-text search on RMS protected messages

  14. RMS Integration in OWA
  • CAS uses Super User Privileges to decrypt and the End User License (EUL) to determine which rights to enforce
  • Single RAC shared across all client access servers to give multiple machines a common RMS identity
  • Feature can be enabled or disabled at mailbox policy level

  15. View Protected attachments in OWA

  16. RMS Integration in OWA demo

  17. IRM in Exchange Active Sync
  • IRM in EAS policy can be configured on a per user basis
  • EAS transactions must be made over SSL
  • All encryption/decryption operations are executed at CAS
  Flow between the device, the Client Access Server, Active Directory and AD RMS:
  1. On first sync, the client advertises IRM support by sending a value of 1 for the <RightsManagementSupport> tag.
  2. EAS syncs the list of AD RMS templates to the device for local storage. Template name, ID, description, and rights restrictions will also be passed.
  3. When a user selects a template to be applied to a new message, EAS will pass the template GUID to CAS. Once synced to CAS, mail and supported attachments will be protected appropriately.
  4. Any IRM message will be decrypted at CAS and then synced to the device.

  18. Enable IT Infrastructure

  19. Enable IT Infrastructure: RMS protection should not break IT infrastructure
  • Virus and spam filtering of RMS protected messages enabled at Hub Transport
  • Enable e-discovery via Journal Report Decryption
  • Enable cross-premise usage of IRM capabilities

  20. Transport Pipeline Decryption
  • Enables Hub Transport Agents to scan/modify RMS protected messages
  • Pipeline Decryption Agent uses Super-User privileges to decrypt
  • Decrypts message and attachments protected with same Publishing License
  • Encryption Agent re-encrypts messages with original publishing license

  21. Journal Report Decryption
  • Journal Report Decryption Agent attaches clear-text copies of RMS protected messages and attachments to journal mailbox
  • Requires super-user privileges, off by default
  (Archive/Journal)
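An added example, not from the deck, showing the Exchange Management Shell settings behind slides 13 to 21: the CAS-side IRM features (OWA, search, EAS) and the Hub Transport decryption agents. It assumes the Exchange federated delivery mailbox has already been added to the AD RMS super-users group, and the policy names, journal mailbox and sender address are placeholders.

```powershell
# Added example (not from the deck). Assumed: Exchange's federated delivery
# mailbox is already in the AD RMS super-users group; "Default", the journal
# address and the sender address are placeholders.

# Current state first; every switch below is visible here.
Get-IRMConfiguration | Format-List InternalLicensingEnabled, ClientAccessServerEnabled,
    SearchEnabled, TransportDecryptionSetting, JournalReportDecryptionEnabled

# CAS-side (slides 13-17): decrypt for OWA/EAS and index protected mail so
# full-text search works. Both rely on the super-user right noted on slide 14.
Set-IRMConfiguration -ClientAccessServerEnabled $true -SearchEnabled $true

# OWA and EAS IRM are switched per mailbox policy, so they can be limited
# to a subset of users by assigning a different policy.
Set-OwaMailboxPolicy -Identity "Default" -IRMEnabled $true
Set-ActiveSyncMailboxPolicy -Identity "Default" -IRMEnabled $true   # EAS must use SSL

# Hub Transport (slide 20): Mandatory rejects (NDRs) any protected message the
# agent cannot decrypt, so AV/anti-spam never sees opaque mail; Optional lets
# such messages through undecrypted; Disabled turns the agent off.
Set-IRMConfiguration -TransportDecryptionSetting Mandatory

# Journal report decryption (slide 21) is off by default. Once on, the
# journal mailbox holds clear-text copies of protected mail, so its access
# needs to be as tightly controlled as the RMS super-users group itself.
Set-IRMConfiguration -JournalReportDecryptionEnabled $true
New-JournalRule -Name "Journal external mail" `
    -JournalEmailAddress "journal@contoso.example" `
    -Scope External -Enabled $true

# End-to-end check of licensing and decryption against the RMS cluster.
Test-IRMConfiguration -Sender "sender@contoso.example"
```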

  22. Journal Report Decryption demo

  23. Cross Premises IRM Support for Exchange Online
  • Exchange Online tenants get IRM capabilities
  • After setup, all RMS transactions in the Datacenter are executed within the Datacenter
  • Clients such as Outlook continue to call the web services on the on-premises AD RMS server
  (Diagram: Woodgrove Bank premises with AD RMS; the Trusted Publishing Domain (TPD) is imported into the Woodgrove Bank tenant in Exchange Online)

  24. Enhanced Collaboration using Microsoft Federation Gateway (Woodgrove Bank: Exchange, AD RMS; Trey Engineering: Exchange; MFG)
  1. Author sends protected mail to recipient at Trey Engineering
  2. Exchange (Trey Engineering) receives message and performs service discovery against Woodgrove Bank’s AD RMS Server
  3. Exchange (Trey Engineering) requests a token from the MFG
  4. MFG validates the claims and returns the token to Exchange (Trey Engineering)
  5. Exchange (Trey Engineering) creates a bootstrapping request including the token to the AD RMS server
  6. AD RMS Server validates the token and then returns a RAC for Exchange (Trey Engineering)
  7. Exchange (Trey Engineering) then requests a token on behalf of the recipient from the MFG
  8. Repeat Steps 4-6 for a licensing request (use license, UL)
  9. The message is delivered and the recipient can consume the content via OWA

  25. IRM in Exchange: summary
  • Transport Protection Rule
  • Outlook Protection Rule
  • Protected Voice Message
  • IRM in OWA
  • View Protected attachments in OWA
  • IRM in Exchange Active Sync
  • Transport Pipeline Decryption
  • Journal Report Decryption
  • Pre-licensing
  • Enhanced collaboration using Microsoft Federation Gateway
  • Cross Premises IRM support for Exchange Online

  26. Session Evaluations: Tell us what you think, and you could win! All evaluations submitted are automatically entered into a daily prize draw*. Sign in to the Schedule Builder at http://europe.msteched.com/topic/list/ * Details of prize draw rules can be obtained from the Information Desk.

  27. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
