First published on CloudBlogs on Apr 06, 2016
A Single Viable Option
This is an area where Microsoft’s Enterprise Mobility Suite (EMS) provides capabilities that other EMM solutions simply cannot begin to offer. To do this, the protection has to be engineered into the apps that create and view the information – and all of this really begins with Microsoft Office. One question I ask in every customer meeting is, “What percentage of the data that’s shared across your organization or with partners is contained in Microsoft Office docs?” The response is almost always “north of 90%.” What we’ve done is develop a solution that addresses >90% of the docs that are shared – and this gets you almost entirely to a place where you have a dramatically elevated level of information protection. This is accomplished through RMS.

This aspect of your overall IT plan is critical because when your workforce saves files to the cloud or to their devices, they often need to share those files with customers or partners. That means your organization’s data is not just moving beyond your perimeter – it’s moving entirely beyond your control. Protecting every file in your organization can be quite a lot to bite off all at once, though. I suggest that you start with the most highly sensitive information – like docs from your HR, Legal, or R&D teams.

I want to be perfectly clear: no other EMM solution can provide this level of security, where the data/files themselves become self-protecting. More on self-protecting files here, here and here. It’s fine if that seems a little scary. But it’s ok.
This is where RMS via EMS goes light years beyond what’s possible anywhere else in the industry. Simply put, Azure RMS is the component of EMS that helps you protect your company’s information by encrypting files so that only the identities you’ve pre-approved can access the file – and even then they can only take the actions you’ve pre-approved with it. Every EMS customer can use Azure RMS to share their documents and files with anyone – whether they work for your organization or not.

Here’s a bit more detail on how this process works:
- When a protected document is opened, the user is asked to authenticate against Azure AD.
- Once they have authenticated, the user’s rights to the document are checked and sent to the user’s client; the client then enforces those rights.
- The user’s access is logged, and the author of the document can check on the usage with document tracking.
- If an unintended user attempts to access a protected file and fails to authenticate (or authenticates but doesn’t have rights), the author can be informed by email and can view the failed attempts through document tracking.
- If an authenticated and authorized user subsequently shares the file, this is also tracked.
- Files may be protected using the RMS Sharing app or by using the RMS SDK available on all important platforms.
- It’s also important to note that this functionality still works when a user isn’t online (and therefore can’t connect to AAD). The rights are cached locally for a period of time defined by the administrator (in extreme cases you can reduce this cache to 0); if the rights have not been re-verified after that time, access is denied. In this way, your users that are out of contact – for example on a plane with no Wi-Fi – can still access their documents with the correct rights.
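To make the open/authorize/cache/track sequence above concrete, here is an added example that models the client-side decision logic in plain Python. It is an illustration written for this post, not the Azure RMS SDK or any real API; the document, identities, rights and the `cache_ttl` value are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class ProtectedDoc:
    """A protected file: its policy (identity -> rights) travels with it."""
    name: str
    author: str
    rights_by_user: dict                      # constructed sample policy
    tracking_log: list = field(default_factory=list)  # what the author sees


@dataclass
class RmsClient:
    """Simplified model of the client flow; cache_ttl is the admin-defined validity."""
    cache_ttl: timedelta
    cache: dict = field(default_factory=dict)  # (user, doc name) -> (rights, expiry)

    def open(self, doc, user, action, now, online=True, authenticated=True):
        key = (user, doc.name)
        if online:
            # Online: authenticate against the directory, then fetch the user's rights.
            if not authenticated:
                doc.tracking_log.append((now, user, "auth-failed"))
                return False
            rights = doc.rights_by_user.get(user, set())
            # A cache_ttl of 0 makes the cached rights expire immediately (always re-check).
            self.cache[key] = (rights, now + self.cache_ttl)
        else:
            # Offline: only a still-valid cached use license grants access.
            cached = self.cache.get(key)
            if cached is None or now >= cached[1]:
                doc.tracking_log.append((now, user, "offline-cache-expired"))
                return False
            rights = cached[0]
        allowed = action in rights
        # Every attempt, successful or not, is recorded for document tracking.
        doc.tracking_log.append((now, user, f"{action}:{'ok' if allowed else 'denied'}"))
        return allowed


def failed_attempts(doc):
    """Entries the author would review: anything that did not end in ':ok'."""
    return [entry for entry in doc.tracking_log if not entry[2].endswith(":ok")]
```

Running `open` with `online=False` after the cache window has passed shows the deny path; with `cache_ttl=timedelta(0)` every offline open is denied.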
Additional Resources:
- Watch more: Azure AD Join in Windows 10
- Take an in-depth training: Taming Android and iOS with Enterprise Mobility Suite
- Watch a demo: How to Enable Mobile Application Management (MAM) for Unenrolled iOS and Android Devices
- Launch the corresponding virtual lab
- Watch a demo: How to Configure Mobile Application Management
- Launch the corresponding virtual lab
- Get hands-on: Enterprise Mobility Suite trial
- Download analyst insights: IDC Technology Spotlight: Securing Productivity in the Borderless Enterprise
Published Sep 08, 2018
Brad Anderson
Security, Compliance, and Identity Blog