Don’t make me think about IT Security

This is what end-users say about IT-Security. If you are an Admin or Data Security Officer, you have to think about IT Security.

Microsoft provides super useful info and material about this topic. In real world scenarios we often had to find out where to start. And also, for this Microsoft offers a walkthrough:

• Top 10 Security Deployment Actions with Microsoft 365
• Securitydeployment

I put all the stuff together in a small Excel workbook and extend it with some further licensing info.

All important information for your IT security strategy is summarized in this Excel. In column 1 you will find the respective scenario, column 2 gives you an overview and column 3 the details on the topic. Columns 4 and 5 contain further information and details on licensing.

DOWNLOAD Excel workbook!

Updates & News around Microsoft Information Protection

In the last couple of weeks Microsoft release a bunch of new features / versions for Information Protection and Unified Labeling:

• New features & functions with Microsoft Cloud App Security and Azure Information Protection
• Azure Information Protection unified labeling client
• Update to Unified labeling

Cloud App Security and Azure Information Protection

Cloud App Security and the integration with Azure Information Protection is not new. If you are already migrated to Office 365 unified sensitivity labels and if you did not migrate your existing classification labels you need to know:  Creating new labels in the Office 365 Security and Compliance Center, Cloud App Security will only use the preexisting labels configured in the Azure Information Protection portal.

Integrating Azure Information Protection into Cloud App Security you get the ability to:

• apply classification labels as a governance action to files that match specific policies
• view all classified files in a central location
• investigate according to classification level, and quantify exposure of sensitive data over your cloud applications
• create policies to make sure classified files are being handled properly

This integration is focusing to scenarios like:

• Visibility on sensitive data in managed cloud apps
• Compliance / Risk Enforcement
• Apply label to documents in cloud apps repositories
• Prevent storage of highly sensitive documents in the cloud
• Sensitive data reporting in AIP analytics space
• Detect anomalous access
• Block download of sensitive document from specific locations or non-compliant device
• Block upload of sensitive documents

You need both a Cloud App Security license and a license for Azure Information Protection. Then Cloud App Security syncs the labels from Azure Information Protection. This action is performed every hour.

Scanning the files:

• Automatic scan: all new or modified files are added to the scan queue and will be scanned, classified and protected
• File policy to search for classification labels: these files are added to the scan queue for classification labels

After you enable Azure Information Protection on Cloud App Security, all new files that are added to Office 365 will be scanned and you can create new policies within Cloud App Security that apply classification labels automatically.

More Details: How to integrate Azure Information Protection with Cloud App Security

Azure Information Protection unified labeling client

Highlights of version 2.2.19.0:

• Support for labels that are configured for user-defined permissions for Word, Excel, PowerPoint, and File Explorer
• Support for advanced settings with PowerShell for the Security & Compliance Center
• New cmdlet New-AIPCustomPermissions to create an ad-hoc policy for custom permissions
• New parameters added to Set-AIPFileClassification:-WhatIf and -DiscoveryInfoTypes so that this cmdlet can run in discovery mode without applying labels

Download and further information: Version 2.2.19.0

Actually, we have two management portals which are supported by different clients:

1. Azure Information Protection:

• Azure Information Protection client (classic)
• Azure Information Protection scanner
• Microsoft Cloud App Security

2. Unified labeling in Office 365 Security & Compliance Center:

• Azure Information Protection unified labeling client
• Microsoft Cloud App Security
• Office apps for MacOS, Android and iOS
• Information Protection SDK and applications based on it like Adobe Acrobat
• Coming Soon:
• SharePoint Online
• Office Online, Outlook Mobile for iOS and Android
• Built-in labeling in Office for Windows
• Azure Information Protection scanner

Further information: Understanding Unified Labeling migration

Update to Unified labeling

Unified labeling is not activated per default and Azure Information Protection labels can be used only by the Azure Information Protection client. To make labels available in the Office 365 Security & Compliance Center and to use the unified labeling client you need to Activate that integration:

Before you activate unified labeling, check in Office 365 that you don't have labels that have the same name or display name as your labels in Azure Information Protection. Note that Azure Information Protection labels will be automatically renamed so that migration can succeed. Once activated you cannot deactivate unified labeling for your tenant. Learn more about the migration process.

Unified labeling: Activated

Depending on how many labels do you have the updated takes some time. After it is done you can manage your labels from either the Azure portal or the Office 365 Security & Compliance Center. The labels can be used by the Azure Information Protection client and by unified labeling clients.

Note: you must use the Publish option after the migration to make the labels available in the unified labeling clients. Otherwise the client is showing an error like this:

Objectives, Doings and Limitations with Azure Information Protection and BYOK

Sources:

·         BYOK pricing and restrictions

·         What Does Bring Your Own Key (BYOK) Really Mean?

Overview

Azure Rights Management enables BYOK according to a model that Microsoft calls customer-managed tenant keys. This requires a customer to create an RSA 2048-bit key in their HSM and then export the key to the HSM in Microsoft's data center. This RSA key is then used to encrypt the document encryption keys used by Azure RMS. RSA 2048-bit keys correspond to 112-bit AES keys. This means that the AES 256-bit encryption provided by Azure RMS is really only 112 bits. The US government has advised against the use of AES encryption keys below 256 bits.

Overview about the necessary steps:

• Create an HSM-based Azure Key Vault for a specific Azure region.
• Generate your own key according to your IT policies. This requires e.g. Thales HSM, smartcards and support software.
• Transfer the key from an HSM in your possession to HSMs owned and managed by Microsoft as provided by Azure Key Vault for your vault. This process ensures that your key never leaves the hardware protection boundary.
• When you transfer your key to Microsoft, it remains protected by Thales HSMs. Microsoft has worked with Thales to ensure that the key cannot be recovered from Microsoft HSMs, and certificates are provided to ensure this.
• Configuring Azure Information Protection to use the HSM-based key
• Azure Key Vault's real-time usage protocols are available as an option. These can also be applied to BYOK to see exactly how and when the key is used with Azure Key Vault. Blob storage is required to store the logs.

BYOK vs. HYOK

The two scenarios and implementation differ fundamentally. HYOK is a kind of Azure RMS hybrid scenario. More details: https://docs.microsoft.com/de-de/azure/information-protection/faqs-rms#whats-the-difference-between-byok-and-hyok-and-when-should-i-use-them

Prerequisites, Restrictions & Limitations

• To use keys with AIP stored in HSMs in the Azure Key Vault, Azure Information Protection Premium P1 licenses are required. | https://azure.microsoft.com/en-us/pricing/details/information-protection/
• Premium tariff of Azure Key Vault to use an HSM-protected key | https://azure.microsoft.com/en-us/pricing/details/key-vault/ | Azure Key Vault is a hardware security module (HSM) provided as a service.
• BYOK goes with Office 2019, Office 2016 and Office 2013
• If you first used Azure Information Protection with a client key managed by Microsoft and now want to manage your client key yourself (BYOK), the previously protected documents and emails remain accessible via an archived key.
• Generation and transfer of HSM-protected keys for the Azure key safe | https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys#prerequisites-for-byok
• (technical) requirements for BYOK: https://docs.microsoft.com/en-us/azure/information-protection/plan-implement-tenant-key#prerequisites-for-byok
• Your Azure Information Protection client must have an Azure subscription.
• You must have Azure Key Vault's premium to use an HSM-protected key.
• To use an HSM-protected key that you create locally:
• All requirements listed for Key Vault-BYOK:
• Azure subscription
• Azure Key Vault "Premium" service level to support HSM-protected keys
• nCipher nShield HSMs, smart cards and support software. For more information about nCipher nShield Hardware Security Module (HSM) support and how to use it with Azure Key Vault, visit the nCipher website and see: Bring Your Own Key (BYOK) with Azure Key Vault for Office 365 and Azure - Toolset
• Hardware and software requirements:
• An x64 workstation in offline mode with a minimum Windows 7 operating system and nCipher nShield software version 11.50 or higher.
• If this workstation is running Windows 7, you must install Microsoft .NET Framework 4.5.
• A workstation that is connected to the Internet, has a Windows 7 or later operating system, and has Azure PowerShell (version 1.1.0 or later) installed on it.
• A USB drive or other portable storage device with at least have 16 MB of free disk space.
• If the key safe that should contain your client key uses virtual network service endpoints for Azure Key Vault, allow trusted Microsoft services to bypass this firewall.
• The Azure Rights Management administration module for Windows PowerShell.
• Backup and restore of the client key: https://docs.microsoft.com/en-us/azure/information-protection/operations-customer-managed-tenant-key

Support and SLA

• Support for billing and subscription management is provided free of charge.
• Technical support is available through various Azure support models from €24.456/month for Developer and €84.33/month in the Standard version.
• SLA: Microsoft guarantees that in at least 99.9% of cases, Key Vault transaction requests will be processed within 5 seconds.

Call to Action

• Evaluate the actual advantages and disadvantages of BYOK in the context of your requirements and specifications in detail with the data protection officer and the involved departments.
• Calculate the costs for the implementation, the required services and hardware as well as the operating costs. Based on this, you create a cost-benefit analysis.
• Do you have other services that are already using BYOK with Azure?Did you use your own key for other scenarios and therefore want to implement AIP BYOK as well?
• Does HYOK meet your requirements better?

Security Features Matrix in Office 365 and Azure

UPDATED VERSION 1.1. availible

• The matrix gives you an overview about security feature in Microsoft cloud stack including info about:
• focus-area of the feature
• a overview description plus hyperlink for further information
• info about how to license the feature.

Screenshot:

Download the complete Matrix: LINK

• added Azure Sentinel PREVIEW

Related post: A quick guide to secure Office 365

Further interesting and helpful links:

• Microsoft Security Community: https://techcommunity.microsoft.com/t5/Azure-Advanced-Threat-Protection/Join-Our-Security-Community/m-p/311170
• Security & Compliance Center: https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-securitycompliance-center
• Azure Security Center: https://docs.microsoft.com/en-us/azure/security-center/security-center-intro
• Updates to SharePoint security: https://techcommunity.microsoft.com/t5/Microsoft-SharePoint-Blog/Updates-to-SharePoint-security-administration-and-migration/ba-p/549585

Focusing Cloud App Security Policies to dedicated Objects

In CAS we can focus policies to dedicated object. For example, you have a SharePoint Online Site with sensitive content, and you will get informed if a user is doing a mass download.

We can use the “Mass download by a single user” template to set up a policy:

In the filter section if the policy select “edit and preview results”:

In the shown activities list search for the location or event ion which you will filter. In my demo I take https://sharepointtalk.sharepoint.com/teams/SearchDemo2:

Selecting “Activity Objects” opens a report with all objects and its ID´s. To filter on the SharePoint SiteCollection URL we need the second one:

Now we can use this ID as a filter: