Objectives, Doings and Limitations with Azure Information Protection and BYOK

Sources:

·         BYOK pricing and restrictions

·         What Does Bring Your Own Key (BYOK) Really Mean?

Overview

Azure Rights Management enables BYOK according to a model that Microsoft calls customer-managed tenant keys. This requires a customer to create an RSA 2048-bit key in their HSM and then export the key to the HSM in Microsoft's data center. This RSA key is then used to encrypt the document encryption keys used by Azure RMS. RSA 2048-bit keys correspond to 112-bit AES keys. This means that the AES 256-bit encryption provided by Azure RMS is really only 112 bits. The US government has advised against the use of AES encryption keys below 256 bits.

Overview about the necessary steps:

• Create an HSM-based Azure Key Vault for a specific Azure region.
• Generate your own key according to your IT policies. This requires e.g. Thales HSM, smartcards and support software.
• Transfer the key from an HSM in your possession to HSMs owned and managed by Microsoft as provided by Azure Key Vault for your vault. This process ensures that your key never leaves the hardware protection boundary.
• When you transfer your key to Microsoft, it remains protected by Thales HSMs. Microsoft has worked with Thales to ensure that the key cannot be recovered from Microsoft HSMs, and certificates are provided to ensure this.
• Configuring Azure Information Protection to use the HSM-based key
• Azure Key Vault's real-time usage protocols are available as an option. These can also be applied to BYOK to see exactly how and when the key is used with Azure Key Vault. Blob storage is required to store the logs.

BYOK vs. HYOK

The two scenarios and implementation differ fundamentally. HYOK is a kind of Azure RMS hybrid scenario. More details: https://docs.microsoft.com/de-de/azure/information-protection/faqs-rms#whats-the-difference-between-byok-and-hyok-and-when-should-i-use-them

Prerequisites, Restrictions & Limitations

• To use keys with AIP stored in HSMs in the Azure Key Vault, Azure Information Protection Premium P1 licenses are required. | https://azure.microsoft.com/en-us/pricing/details/information-protection/
• Premium tariff of Azure Key Vault to use an HSM-protected key | https://azure.microsoft.com/en-us/pricing/details/key-vault/ | Azure Key Vault is a hardware security module (HSM) provided as a service.
• BYOK goes with Office 2019, Office 2016 and Office 2013
• If you first used Azure Information Protection with a client key managed by Microsoft and now want to manage your client key yourself (BYOK), the previously protected documents and emails remain accessible via an archived key.
• Generation and transfer of HSM-protected keys for the Azure key safe | https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys#prerequisites-for-byok
• (technical) requirements for BYOK: https://docs.microsoft.com/en-us/azure/information-protection/plan-implement-tenant-key#prerequisites-for-byok
• Your Azure Information Protection client must have an Azure subscription.
• You must have Azure Key Vault's premium to use an HSM-protected key.
• To use an HSM-protected key that you create locally:
• All requirements listed for Key Vault-BYOK:
• Azure subscription
• Azure Key Vault "Premium" service level to support HSM-protected keys
• nCipher nShield HSMs, smart cards and support software. For more information about nCipher nShield Hardware Security Module (HSM) support and how to use it with Azure Key Vault, visit the nCipher website and see: Bring Your Own Key (BYOK) with Azure Key Vault for Office 365 and Azure - Toolset
• Hardware and software requirements:
• An x64 workstation in offline mode with a minimum Windows 7 operating system and nCipher nShield software version 11.50 or higher.
• If this workstation is running Windows 7, you must install Microsoft .NET Framework 4.5.
• A workstation that is connected to the Internet, has a Windows 7 or later operating system, and has Azure PowerShell (version 1.1.0 or later) installed on it.
• A USB drive or other portable storage device with at least have 16 MB of free disk space.
• If the key safe that should contain your client key uses virtual network service endpoints for Azure Key Vault, allow trusted Microsoft services to bypass this firewall.
• The Azure Rights Management administration module for Windows PowerShell.
• Backup and restore of the client key: https://docs.microsoft.com/en-us/azure/information-protection/operations-customer-managed-tenant-key

Support and SLA

• Support for billing and subscription management is provided free of charge.
• Technical support is available through various Azure support models from €24.456/month for Developer and €84.33/month in the Standard version.
• SLA: Microsoft guarantees that in at least 99.9% of cases, Key Vault transaction requests will be processed within 5 seconds.

Call to Action

• Evaluate the actual advantages and disadvantages of BYOK in the context of your requirements and specifications in detail with the data protection officer and the involved departments.
• Calculate the costs for the implementation, the required services and hardware as well as the operating costs. Based on this, you create a cost-benefit analysis.
• Do you have other services that are already using BYOK with Azure?Did you use your own key for other scenarios and therefore want to implement AIP BYOK as well?
• Does HYOK meet your requirements better?

Security Features Matrix in Office 365 and Azure

UPDATED VERSION 1.1. availible

• The matrix gives you an overview about security feature in Microsoft cloud stack including info about:
• focus-area of the feature
• a overview description plus hyperlink for further information
• info about how to license the feature.

Screenshot:

Download the complete Matrix: LINK

• added Azure Sentinel PREVIEW

Related post: A quick guide to secure Office 365

Further interesting and helpful links:

• Microsoft Security Community: https://techcommunity.microsoft.com/t5/Azure-Advanced-Threat-Protection/Join-Our-Security-Community/m-p/311170
• Security & Compliance Center: https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-securitycompliance-center
• Azure Security Center: https://docs.microsoft.com/en-us/azure/security-center/security-center-intro
• Updates to SharePoint security: https://techcommunity.microsoft.com/t5/Microsoft-SharePoint-Blog/Updates-to-SharePoint-security-administration-and-migration/ba-p/549585

Focusing Cloud App Security Policies to dedicated Objects

In CAS we can focus policies to dedicated object. For example, you have a SharePoint Online Site with sensitive content, and you will get informed if a user is doing a mass download.

We can use the “Mass download by a single user” template to set up a policy:

In the filter section if the policy select “edit and preview results”:

In the shown activities list search for the location or event ion which you will filter. In my demo I take https://sharepointtalk.sharepoint.com/teams/SearchDemo2:

Selecting “Activity Objects” opens a report with all objects and its ID´s. To filter on the SharePoint SiteCollection URL we need the second one:

Now we can use this ID as a filter:

Coaching your users through the External Sharing Experience

If your organization is sharing documents or collaborating directly with vendors, clients, or customers, then you can use the external sharing features and guest access in Office 365 to support this. Or, if this is not the case, you may want to limit the use of external collaboration in your organization.

Note that external sharing is turned on by default for your entire Office 365 environment. Every user can invite external people to Groups, Teams and SharePoint sites and can share content using OneDrive for Business. You may want to turn it off globally until you know exactly how you want to use the feature.

Poorly there is no mater switch to turn external sharing and inviting external user ON or OFF globally. We need to configure it per service and there are also cross sites effects between the services.

Settings overview

External sharing overview

Content Level

When sharing a SharePoint site with an authenticated external user, an invitation is sent to them via email which contains a link to the site. During the login process they are asked to log in using the username and password of their Microsoft account or their work or school account. If the login is successful, the account is added to the Azure AD associated to the Office 365 subscription. The account is added with #EXT# in the user name.

An external user did not need to have a license. To discontinue sharing with an authenticated external user, remove the permissions from the site or delete the user in the Azure AD.

If you share a file or folder with an external user, this user gets an email with a link to the file or folder. The user gets a time-sensitive code via email that he can use to verify his identity. Once he proved his identity by using the code the user is added as a external user in the Azure AD and he can access the file using his account. Sharing a file or folder with a user that did not have a Microsoft account or work or school account this user needs to use the code every time to access the shared content.

To discontinue sharing with an authenticated external user you can delete the sharing link that was sent to him.

To share with anonymous users, you can set several options:

• Edit, view or upload to a folder
• Set link to expire at a specified time
• Block download

The (external) user will receive a E-Mail with the link to the file or folder.

Anonymous users are not added to the Azure AD. To discontinue sharing you need to delete the anonymous link.

Collaboration Level

Guest access on the collaboration level is included with all Office 365 Business Premium, Office 365 Enterprise, and Office 365 Education subscriptions. No additional licensing for the guest users is requirement. You can have up to 5 guests per licensed user on your tenant. For more information about licensing, see Azure Active Directory B2B collaboration licensing guidance.

Office 365 Groups

To collaborate with external users in your Office 365 Group this feature must be activated as showed in the table above. By default, guest access is turned on in Office 365. That means, that everyone in your organization can add external users to an Office 365 Group. When an external user is invited to join a group, he receives an invitation email. The external user will have access to the following Office 365 Group features:

• Conversations: Externals did not get access to the conversation history, but they will become part of the Office 365 Group distribution list.
• Notebook: Externals get access to OneNote
• Calendar: No access, but they receive calendar invitations
• SharePoint Team Site: Externals get access to the SharePoint Team Site
• Planner: To access a plan, guests either need to use a specific plan URL or go to https://tasks.office.com/%organizationdomainname%

Microsoft Teams

Because of Microsoft Teams is using services like SharePoint Online etc. the external access configuration belongs on the settings in you tenant.

Each level controls the guest access as shown:

• Azure Active Directory: External access in Microsoft Teams relies on Azure AD.
• Microsoft Teams: Controls external access in Microsoft Teams.
• Office 365 Groups: Controls external access in Office 365 Groups and Microsoft Teams.
• SharePoint Online and OneDrive for Business: Controls external access in SharePoint Online and OneDrive for Business.

Advanced

Office 365 inter-tenant collaboration

We have several options to collaborate between two Office 365 tenants. Based on Azure Active Directory B2B we can set up collaboration for nearly all Office 365 services. Details are described in this Microsoft article: Office 365 inter-tenant collaboration

Tenant restrictions

Tenant restrictions enables you to control access to other Office 365 tenants. Tenant restrictions gives organizations the ability to specify the list of tenants that their users are permitted to access. Details, pre-requirements and limitations are described in this Microsoft article: Use Tenant Restrictions to manage access to SaaS cloud applications

Office 365 user vs. Windows Live ID

Anyone with a Microsoft work or school account or a consumer email account, such as Outlook, Gmail, or others, can participate as a guest in Office 365.

If a user has an Office 365 hosted E-Mail address, he will automatically have a work or school account created by his IT department. This account original exists in an Azure AD.

If a user does not have a work or school account, he can use a LiveID. To get one the user needs to go to the Microsoft account sign-in page: https://account.microsoft.com/. In the upper right corner select “Login” and then select “No account”. He needs to fill out the form and create a password. Details see below in “Coaching your (guest) users through the External Sharing Experience” The LiveID is original hosted by Microsoft.

Coaching your (guest) users through the External Sharing Experience

Content Level

IF you are inviting an external user to a SharePoint site or added him to a SharePoint group, he will receive an invitation E-Mail:

The link in the email will point the user to a website asking him what type of account he has:

If the user enters his email but did not have a Microsoft account, he will see the following dialog:

Click “Create One!” to register a new Microsoft account:

Set a password:

Provide your details:

Microsoft will send a code to verify the email address:

If a file or folder in SharePoint or OneDrive for Business is shared to an external user and the user did not already exists in the Azure AD, he will also need to verify his E-Mail address:

Sharing a file or folder with a user that did not have a Microsoft work or school account this user needs to use the code every time to access the shared content.

Collaboration Level

When an external user is invited to a group, he receives an E-Mail:

External member's can join conversations through their inbox and receive calendar invitations.

When an external user is invited to a group, he also receives an E-Mail with the details:

Microsoft Predictions 2019

The new year just started. Highest time to look at what 2019 will bring our way in the Microsoft ecosystem!  

We published an article called Microsoft Predictions 2019. You can download the article for free and without any registration here: LINK

Highlighted topics:

·     Surface Centaurus and Windows Core OS

·     Microsoft 365 for Consumer

·     The new Microsoft 365 Add-ons

·     Serverless Computing, Serverless PaaS and Containers

·     IoT, Edge Computing and Blockchain

·     Security, Security, Security

·     Office 365 Predictions for 2019

·     Further topics like Office Pro Plus in a Windows 2019 terminal server infrastructure

You may also be interested in our new whitepaper:

·     The Microsoft Cloud Services - what is next after the peak

·     The Microsoft Cloud – A CFO perspective

Das Jahr 2019 ist bereits einige Tage alt. Höchste Zeit, sich anzuschauen, was es im Microsoft Ökosystem tut.

Wir haben einen Artikel mit dem Titel Microsoft Predictions 2019 veröffentlicht. Den Artikel können Sie hier kostenlos und ohne Registrierung herunterladen: LINK

Themen:

·     Surface Centaurus und Windows Core OS

·     Microsoft 365 für Consumer

·     Die neuen Microsoft 365 Add-ons

·     Serverless Computing, Serverless PaaS and Containers

·     IoT, Edge Computing und Blockchain

·     Security, Security, Security

·     Office 365 Predictions für 2019

·     Weitere Themen wie z.B. Office Pro Plus in einer Windows 2019 Terminalserver Infrastruktur

Weitere aktuelle Whitepaper:

·     Die Microsoft Cloud Services was kommt nach dem Peak

·     Die Microsoft Cloud aus der CFO Perspektive