
Security, Compliance, and Identity Blog

Controlling the Uncontrollable, Component 6:  Information Protection

Brad Anderson
Sep 08, 2018
First published on CloudBlogs on Apr 06, 2016


We talk a lot in the EMM space about MDM and MAM. Both are really just ways of providing information protection: MDM does it by building a perimeter around the device and thereby protecting the data on it, while MAM builds the perimeter around the app. These are important layers of protection, but every organization has data that has to be shared (in other words, data that has to be mobile), and that data simply cannot be kept within the perimeter of a device or an app. Despite all their benefits, MDM and MAM technologies can only protect up to the device boundary; EMS exists to extend that boundary to anywhere via Azure Rights Management (RMS). To offer this kind of protection we had to think of a new way of protecting information, and our solution was, at the risk of sounding dramatic, revolutionary: if the information cannot be contained within a perimeter, it must become self-protecting. This is a really important concept to understand, especially once you recognize that the sharing of information will only accelerate, not decrease.

A Single Viable Option

This is an area where Microsoft’s Enterprise Mobility Suite (EMS) provides capabilities that other EMM solutions simply cannot begin to offer. Protection of this kind has to be engineered into the apps that create and view the information, and that really begins with Microsoft Office. One question I ask in every customer meeting is, “What percentage of the data that’s shared across your organization or with partners is contained in Microsoft Office docs?” The response is almost always “north of 90%.” What we’ve done is develop a solution, RMS, that addresses that >90% of shared docs, and this gets you almost entirely to a dramatically elevated level of information protection. This aspect of your overall IT plan is critical because when your workforce saves files to the cloud or to their devices, they often need to share those files with customers or partners. That means your organization’s data is not just moving beyond your perimeter; it’s moving entirely beyond your control. Protecting every file in your organization can be quite a lot to bite off all at once, though, so I suggest you start with the most highly sensitive information, such as docs from your HR, Legal, or R&D teams. I want to be perfectly clear: no other EMM solution can provide this level of security, where the data and files themselves become self-protecting.

It’s fine if that seems a little scary.

This is where RMS via EMS goes light years beyond what’s possible anywhere else in the industry. Simply put, Azure RMS is the component of EMS that helps you protect your company’s information by encrypting files so that only the identities you’ve pre-approved can open them, and even then only to take the actions you’ve pre-approved. Every EMS customer can use Azure RMS to share documents and files with anyone, whether or not they work for your organization.

Here’s a bit more detail on how this process works:

  • When a protected document is opened, the user is asked to authenticate against Azure AD.
  • Once authenticated, the user’s rights to the document are checked and sent to the user’s client, and the client then enforces those rights.
  • The user’s access is logged, and the author of the document can check on the usage with document tracking.
  • If an unintended user attempts to access a protected file and fails to authenticate (or authenticates but doesn’t have rights), the author can be notified by email and can view the failed attempts through document tracking.
  • If an authenticated and authorized user subsequently shares the file, that is also tracked.
  • Files can be protected using the RMS Sharing app or the RMS SDK, which is available on all the major platforms.
  • It’s also important to note that this functionality still works when a user isn’t online and therefore can’t connect to Azure AD. The rights are cached locally for a period defined by the administrator; if they have not been re-verified by the time that period ends, access is denied until the client can reach the service again. In this way, users who are out of contact, for example on a plane with no Wi-Fi, can still open their documents with the correct rights. Bear in mind that this offline window is also the longest a revocation or policy change can take to reach a device that already holds cached rights, so for the most sensitive content you can shorten the cache period (in extreme cases to 0, which requires a connection for every open).
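
To make the sequence above concrete, here is an added Python model of the protected-document flow. It is illustration code written for this page, not Azure RMS or Microsoft code, and the class names, identities, the offline-validity setting and the HMAC-based toy cipher are all assumptions standing in for the real service (which uses AES-protected content and Azure AD tokens). It shows the file carrying its own policy and a content key wrapped to the server, the server logging granted and refused attempts for document tracking, the client enforcing rights locally, and the offline cache both allowing access on the plane and delaying the effect of a revocation until the cached use license expires.

```python
"""Added example (not Azure RMS code): a toy model of the flow above. The file carries
its policy and a wrapped content key; a policy server standing in for RMS plus Azure AD
sign-in issues time-limited use licenses; the client caches them for offline use and
enforces the granted rights. HMAC-SHA256 stands in for the product's AES cryptography."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

def _keystream(key, n):
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key + b"enc", i.to_bytes(8, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key, plaintext):  # encrypt-then-MAC with label-separated keys; 32-byte tag || ciphertext
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    return hmac.new(key + b"mac", ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key + b"mac", ct, hashlib.sha256).digest()):
        raise ValueError("protected content has been tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))

@dataclass
class ProtectedDocument:  # self-protecting file: policy and wrapped key travel with the content
    doc_id: str
    policy: dict          # identity -> set of permitted actions (constructed sample policy)
    wrapped_key: bytes    # content key sealed under the server's tenant key
    body: bytes           # content sealed under the content key

@dataclass
class UseLicense:
    rights: frozenset
    content_key: bytes
    expires_at: float     # end of the admin-defined offline window

class RightsServer:
    def __init__(self, offline_validity_seconds):
        self._tenant_key = secrets.token_bytes(32)
        self._revoked = set()                             # (doc_id, identity) pulled after publishing
        self.offline_validity = offline_validity_seconds  # 0 => every open must reach the server
        self.tracking_log = []                            # document tracking: (doc_id, identity, outcome)

    def protect(self, doc_id, policy, plaintext):
        content_key = secrets.token_bytes(32)
        return ProtectedDocument(doc_id, {k: set(v) for k, v in policy.items()},
                                 seal(self._tenant_key, content_key), seal(content_key, plaintext))

    def revoke(self, doc_id, identity):
        self._revoked.add((doc_id, identity))
    def issue_use_license(self, doc, identity, authenticated, now):
        if not authenticated:                             # directory sign-in failed
            self.tracking_log.append((doc.doc_id, identity, "auth-failed"))
            return None
        rights = None if (doc.doc_id, identity) in self._revoked else doc.policy.get(identity)
        if not rights:                                    # authenticated but granted nothing
            self.tracking_log.append((doc.doc_id, identity, "denied"))
            return None
        self.tracking_log.append((doc.doc_id, identity, "granted"))
        return UseLicense(frozenset(rights), unseal(self._tenant_key, doc.wrapped_key),
                          now + self.offline_validity)

class RmsClient:
    def __init__(self, server):
        self.server, self.cache = server, {}              # cache: (doc_id, identity) -> UseLicense
    def open(self, doc, identity, action, online, now, authenticated=True):
        """Return (plaintext or None, reason); the granted rights are enforced here, on the client."""
        lic = self.cache.get((doc.doc_id, identity))
        if lic is None or lic.expires_at <= now:          # nothing cached, or the offline window is over
            if not online:
                return None, "offline and no valid cached use license"
            lic = self.server.issue_use_license(doc, identity, authenticated, now)
            if lic is None:
                return None, "server refused"
            self.cache[(doc.doc_id, identity)] = lic
        if action not in lic.rights:
            return None, f"'{action}' not in granted rights"
        return unseal(lic.content_key, doc.body), "ok"

def demo(offline_validity_seconds=3600):
    """Constructed scenario: an HR doc shared with alice (view+edit) and bob (view only)."""
    server = RightsServer(offline_validity_seconds)
    client = RmsClient(server)
    doc = server.protect("hr-plan", {"alice": {"view", "edit"}, "bob": {"view"}}, b"salary bands FY17")
    r = {}
    r["alice_online"] = client.open(doc, "alice", "view", online=True, now=0)
    r["alice_offline_cached"] = client.open(doc, "alice", "edit", online=False, now=100)
    r["alice_offline_expired"] = client.open(doc, "alice", "view", online=False, now=4000)
    r["bob_edit"] = client.open(doc, "bob", "edit", online=True, now=0)
    r["mallory"] = client.open(doc, "mallory", "view", online=True, now=0)
    r["bad_signin"] = client.open(doc, "carol", "view", online=True, now=0, authenticated=False)
    server.revoke("hr-plan", "bob")                       # the author pulls bob's access
    r["bob_offline_after_revoke"] = client.open(doc, "bob", "view", online=False, now=100)
    r["bob_online_after_revoke"] = client.open(doc, "bob", "view", online=True, now=4000)
    return r, server.tracking_log
```

Call demo() and inspect the results and the tracking log. The bob scenarios are the caveat worth internalising: after the author revokes bob, his device still opens the file offline until the cached use license expires at the end of the admin-defined window, and only the next online open is refused. demo(offline_validity_seconds=0) models the "reduce the cache to 0" setting: every open then requires a round trip to the server, and the offline open is denied.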

The Outlook, Word, Excel, and PowerPoint apps on iOS and Android (as well as Windows) can all use Azure RMS natively. Additionally, Adobe Reader and Foxit on iOS and Android both support RMS. Each of these apps is also an Intune MAM partner, so you have control over the uncontrollable at multiple levels! No other EMM solution can offer Data Loss Prevention (DLP) capabilities across the Office mobile apps and Adobe; this is entirely unique to EMS.
