Microsoft is confident its cloud services can meet the needs of the vast majority of our customers and there should seldom be a need to discontinue their use. But some organizations require a clearly defined process to discontinue the usage and any dependency on a cloud service without losing access to their data before adopting it - to be prepared in case the need arose.
Azure Information Protection (AIP) provides such ability for both customers using Bring your own Key (BYOK) and customers using a Microsoft-managed key (MMK).
In both cases, accessing previously protected content after a cloud exit is limited to users on Windows machines in the Intranet - irrespective on which platform the content was protected originally with AIP.
Please observe that the procedures described here are not meant for labeling/protecting content after a cloud exit.
Cloud Exit for an organization with a Microsoft Managed Key
A Microsoft Managed Key (MMK) is created automatically when provisioning an AIP tenant. This key is software-based, and Microsoft maintains responsibility for the whole key life cycle. See our documentation for more details on this key option.
Customers using an MMK may execute the process reactively at any point after they start using the service without any special preparation. When the time comes to execute a cloud exit, they ask Microsoft technical support to export the organization’s MMK and all associated artifacts in the form of a Trusted Publishing Domain (TPD). This can be done proactively before the Cloud Exit is needed, but the TPD provided by Microsoft needs to be stored in a very secure form after it's received since it contains the keys to decrypt all the organization's protected content. (Be aware that labels created in AIP after the TPD export aren't reflected in the stored TPD; content protected with these new labels may only be accessible with AD RMS super user rights.)
Such TPD file can be then imported in a clean installation of Active Directory Rights Management Services. Afterwards this (on-premises) AD RMS cluster can be used to license content protected with the MMK through the AIP service from any Windows client that is configured with special redirections in the registry.
This setup allows administrators with AD RMS super user privilege to access and optionally unprotect any content. Regular end users are capable of consuming content protected explicitly for them as well as content labeled with predefined permissions granting them access.
The following end to end process provides a cloud exit solution for organizations using MMK:
Cloud Exit for organizations using Bring your own Key
A Bring Your Own Key (BYOK) is created by the customer in a nCipher HSM and securely transferred to an HSM-based Azure Key Vault where it will be used by AIP. As a BYOK cannot be exported by Microsoft, the customer is fully responsible for this key in their own nCipher HSM. Customers choose this option to satisfy their requirement of an HSM-based key - considering a higher effort to manage their key than with the MMK option. This is discussed in our documentation.
Customers using AIP with the BYOK option need to execute a preparation process prior to the deployment of AIP (in particular, prior to the switch from MMK to BYOK).
Assuming correct preparation, a later Cloud Exit will provide the following capabilities:
The following preparation steps are mandatory to allow a later cloud exit for a BYOK customer:
New-Label -Name TestLabel -EncryptionTemplateId 514a86b6-67ac-43e7-8682-f7e9d00bb7e7 -DisplayName TestLabel -ToolTip "This is a TestLabel" -EncryptionEnabled $true -EncryptionProtectionType Template
Once the need to perform a Cloud Exit is identified, execute the following steps:
If any documents have already been protected with the MMK in use until the BYOK has been uploaded and made the active key, additional steps are needed. In this case, the procedure for an MMK cloud exit (see last section) needs to be implemented on top of the cloud exit discussed in this section. This ensures documents protected before the BYOK was uploaded can still be opened after a cloud exit.
Bulk Decryption as alternative to cloud exit
Some organizations choose to decrypt their content rather than implementing a cloud exit with an on-premises AD RMS cluster as described above. This option is only applicable with enough time for preparation and if all documents and mails can be unprotected in time.
To choose this approach, an organization would remove protection in bulk with the PowerShell tools on all documents and mails in PST stores they can locate. To allow users to unprotect emails and documents in other repositories (e.g. local drives), customers may also want to grant super user rights to all users.
Customers would use the PowerShell command Unprotect-RMSFile to unprotect folders, zip archives and PST files. The same PowerShell command can also be used with an AD RMS Server after a cloud exit - the super user feature is available on AD RMS as well.
Considerations for a Temporary Cloud Exit
Customers may face a temporary need to exit the service due to commercial, network or geopolitical issues. In this case a temporary cloud exit might be followed by a re-enablement of the cloud service and removal of all client-side redirections. Afterwards, users may continue to protect and consume content with AIP.
Additional steps are needed if a customer decides to return to AIP, but the cloud service has been completely deprovisioned after a cloud exit. In this case, the MMK or BYOK needs to be transferred to a new AIP tenant and clients need redirection to the new tenant.
Conclusion
We do not expect you to ever need to use the cloud exit with on-premises services. But with this blog post we intend to provide our customers with all the options - ensuring you are with us because you appreciate our service and not because you see no way out of our cloud-based offering given most of your important data is protected.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.