Information Rights Management In SharePoint

Transcription

Information Rights Management in SharePoint
by André Vala

About Me
André Vala
SharePoint Solutions Architect
Office & SharePoint Solutions Team
evala

INFORMATION RIGHTS MANAGEMENT IN SHAREPOINT
Agenda
- What is it?
- Why do I need it?
- How does it work?
- How do I set it up?
- How do I use it?
- Related topics
- Conclusions

INFORMATION RIGHTS MANAGEMENT
Glossary
- AD: Active Directory
- AD RMS: Active Directory Rights Management Services
- Azure RMS: Azure Rights Management, also known as Azure Active Directory Rights Management Services (AADRMS)
- IRM: Information Rights Management
- OWA: Office Web Apps
- RMS: Rights Management Server/Services

INFORMATION RIGHTS MANAGEMENT
What is it?

INFORMATION RIGHTS MANAGEMENT
What is it?
- Set of technologies that protect an organization’s sensitive information from unauthorized access and control how the information is used.
- Uses encryption, identity and authorization policies
- Protection stays with the files, independently of their location
- Works across multiple devices – phones, tablets and PCs

INFORMATION RIGHTS MANAGEMENT
Why do I need it?

WHY DO I NEED IT?
The Scenario
- Document with sensitive information
- Stored in a SharePoint document library and protected by permissions
- John has Read permissions on the document library
(Diagram: SharePoint Server, John)

WHY DO I NEED IT?
The Problem
- John can view its contents
- John can download it
- John can copy it
- John can edit it
- John can print it
- John can send it to Jane
(Diagram: SharePoint Server, John, Jane)

WHY DO I NEED IT?
The Problem
- No protection information is included in the file, so the information is free
- As soon as the information leaves SharePoint, it’s no longer protected
(Diagram: SharePoint Server, Security Boundary)

WHY DO I NEED IT?
The Solution
- John can view its contents
- John can download it
- John cannot copy it
- John cannot edit it
- John cannot print it
- John cannot send it to Jane
(Diagram: SharePoint Server, John, Jane)

WHY DO I NEED IT?
DEMO

WHY DO I NEED IT?
Demo Summary
- Difference between using IRM and not using it
- IRM support in Office Web Apps
- IRM support in Office Client

INFORMATION RIGHTS MANAGEMENT
How does it work?

HOW DOES IT WORK?
- In SharePoint, IRM protection is applied to:
  - Files in document libraries
  - Files attached to list items (but not the list items)
- Protection is applied to a file by an IRM Protector according to its file type
- SharePoint (on premises and online) includes protectors for:
  - Microsoft Office 97-2003 file formats (.doc, .xls, .ppt)
  - Office Open XML file formats (.docx, .xlsx, .pptx)
  - PDF file format
  - XML Paper Specification (XPS) file format

HOW DOES IT WORK?
Content creation (unprotected upload)
(Diagram: User, SharePoint, RMS)
1. User uploads an unprotected document to an IRM-enabled document library. That’s it!
Even in IRM-enabled document libraries (or lists), documents are not protected or encrypted when stored. This allows the search service to crawl the contents of the files, even in IRM-enabled libraries and lists.

HOW DOES IT WORK?
Content creation (protected upload)
(Diagram: User, SharePoint, RMS)
1. User uploads a protected document to an IRM-enabled document library
2. Issuance License validation
3. Document is unprotected (decrypted), the document library ID is verified and the document is stored
Important! File contents are never sent to RMS when protecting, unprotecting, sharing or viewing a protected document.

HOW DOES IT WORK?
Content consumption
(Diagram: User, SharePoint, RMS)
1. User requests a document from an IRM-enabled document library
2. Generate an Issuance License (IL) which includes:
  - Document key (used to encrypt the file content)
  - List of users with access to the document (SharePoint and the user that requested the document)
  - Document library ID
3. Protect (encrypt) the document
4. Return the document to the user
Important! Protection is applied every time a user requests a file from an IRM-enabled library. The protected document will be accessible only to the user that requested it.

HOW DOES IT WORK?
Permission mapping
The IRM protection applied depends on the permissions of the user on the document library that contains the file.

IRM Permissions | SharePoint Permissions
Full Control | Manage Permissions, Manage Web Site
Read | View Items
Edit, Copy, Save | Edit Items, Manage Lists, Add and Customize Pages (if permission is explicitly set)
Print | Other (if permission is explicitly set)

HOW DOES IT WORK?
With IRM you can:
- Prevent an authorized viewer from:
  - Copying a document
  - Modifying a document
  - Printing a document
  - Copying and pasting the contents of a document
  - Copying the contents of a document using Print Screen on Windows
- Prevent an unauthorized viewer from viewing the content of a document if it is sent in an email after being downloaded from the server
- Restrict access to content to a specific period of time, after which users must confirm their credentials

HOW DOES IT WORK?
With IRM you cannot:
- Prevent users from taking pictures of a document that is displayed on a screen
- Prevent users from manually copying the content of a document that is displayed on a screen and retyping it in a new document
- Prevent copying of the content through the use of third-party screen-capture programs
- Prevent erasure, theft, capture or transmission by malicious software such as trojan horses, viruses, keyloggers and spyware
- Open protected documents in client applications as External Users in SharePoint Online

INFORMATION RIGHTS MANAGEMENT
How do I set it up?

HOW DO I SET IT UP?
Cloud and On Premises
- IRM is available for SharePoint Server and SharePoint Online (Office 365), but each relies on different Rights Management components
- SharePoint Online depends on Azure RMS
- SharePoint Server can be used with AD RMS or Azure RMS (via RMS Connector)

HOW DO I SET IT UP?
Azure RMS vs AD RMS

Feature | Azure RMS | Active Directory RMS
Supports on-premises servers (SharePoint Server, Exchange Server and file servers that run Windows Server with File Classification Infrastructure (FCI)) | Yes | Yes
Supports online services (SharePoint Online, Exchange Online and Office 365) | Yes | No
Trust between organizations and users within an organization | Supports implicit trust between organizations and users that use Office 365, Azure RMS or RMS for individuals | Requires explicit trust using trusted user domains (TUD) or federated trust via ADFS
Default rights policy templates | 2 | Not available
Support for creating new policy templates | Yes | Yes
Minimum supported versions of Office | Office 2010 with RMS Sharing App; Office for Mac 2011 is not supported | 2007; Office for Mac 2011 is supported
Minimum supported version of Windows client | Windows 7 | Windows Vista SP2
RMS Sharing App support | Yes | Yes
Cryptographic mode support | Mode 2 | Mode 1 (default); requires additional configuration for Mode 2
Key lengths and encryption algorithms | RSA 2048 for public key cryptography; SHA 256 for signing operations; AES 128 for symmetric encryption | RSA 1024 and RSA 2048 for public key cryptography; SHA 1 and SHA 256 for signing operations; AES 128 for symmetric encryption

More info: x

HOW DO I SET IT UP?
Requirements
- To use IRM with Azure RMS you need:
  - A cloud subscription for RMS
  - Azure AD directory
  - Client devices
  - Client applications
  - Internet connectivity and access to dependent cloud services
More info: x

HOW DO I SET IT UP? REQUIREMENTS
Cloud Subscription
- At least one of the following subscriptions:
  - Office 365 Enterprise E3 or E4, Education A3 or A4, Government G3 or G4
  - Azure RMS Standalone subscription
  - Enterprise Mobility Suite subscription
  - RMS for Individuals subscriptions (just for consumption)
More info: x

HOW DO I SET IT UP? REQUIREMENTS
Client Devices and Applications

Device OS | Word, Excel, PowerPoint | Protected PDF | Email | Generic Protection
Windows | Office 2010/2013; Office Online | GigaTrust Desktop PDF Client; Foxit Reader; Nitro PDF Reader; RMS Sharing App | Outlook 2010/2013; Outlook Web App | RMS Sharing App
iOS | TITUS Docs; Office Online (view) | Foxit Reader (Azure RMS only); RMS Sharing App; TITUS Docs | NitroDesk; OWA for iOS; TITUS Mail | TITUS Docs; RMS Sharing App
Android | GigaTrust App; Office Online | GigaTrust App; Foxit Reader (Azure RMS only); RMS Sharing App | 9Folders; GigaTrust App; NitroDesk; OWA for Android; Samsung Email (S3); TITUS Classification for Mobile | RMS Sharing App
Mac OS X | Office 2011 (AD RMS only); Office Online | RMS Sharing App | Outlook 2011 (AD RMS only); Outlook for Mac | RMS Sharing App
Windows RT | Office 2013 RT; Office Online | Not Supported | Outlook 2013 RT; Mail App for Windows | Not Supported
Windows Phone 8.1 | Office Mobile (AD RMS only) | RMS Sharing App | Outlook Mobile | RMS Sharing App
Blackberry 10 | Not Supported | Not Supported | Blackberry Email | Not Supported

More info: x

HOW DO I SET IT UP?
DEMO

HOW DO I SET IT UP?
Demo Summary
- Setting up IRM in Office 365 requires two simple steps:
  1. Activate Azure RMS in your Office 365 tenant
  2. Activate Rights Management in SharePoint Online
More info: Set up Information Rights Management (IRM) in SharePoint admin center

INFORMATION RIGHTS MANAGEMENT
How do I use it?

HOW DO I USE IT?
Configuring IRM on a Document Library
- IRM is configured at the document library or list level
- IRM is configured in 3 groups of settings (Document library settings):
  - IRM library settings
  - Document access rights
  - Group protection and credentials interval

HOW DO I USE IT? CONFIGURING IRM ON A DOCUMENT LIBRARY
IRM Library Settings
- Prevents uploads of documents that do not support IRM, which means:
  - File types for which there are no protectors installed
  - File types that SharePoint cannot decrypt
  - File types that are IRM protected in another program
- Removes all IRM restrictions after a specific date
- Prevents documents from being opened in the browser, forcing users to open them in IRM-enlightened applications such as Microsoft Office client applications. This can be important because, when using Office Web Apps, screen capture cannot be prevented as it is in the client applications.

HOW DO I USE IT? CONFIGURING IRM ON A DOCUMENT LIBRARY
Document access rights
- Prevents users from printing the document
- Prevents code/macros from running on a document
- Prevents users from making local editable copies of a document
- Prevents access to a document a specific number of days after it was downloaded

HOW DO I USE IT? CONFIGURING IRM ON A DOCUMENT LIBRARY
Group protection and credentials interval
- Sets the duration of the document access license, in days. After the specified interval, users will be requested to validate their credentials to have access to its contents.
- Specifies a group of users that can share the document, even after it’s downloaded.
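The following added example (not code from the slides or from SharePoint) models what the permission mapping slide and the three library setting groups above combine to: the rights embedded in the protected copy handed to one user on download. The SharePoint permission names come from the slides; the setting names, the "Run Script" right name and the rule that library settings only restrict the mapped rights are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# SharePoint permission -> IRM rights, transcribed from the "Permission mapping" slide.
PERMISSION_TO_IRM = {
    "Manage Permissions": {"Full Control"},
    "Manage Web Site": {"Full Control"},
    "Edit Items": {"Edit", "Copy", "Save"},
    "Manage Lists": {"Edit", "Copy", "Save"},
    "Add and Customize Pages": {"Edit", "Copy", "Save"},
    "View Items": {"Read"},
}

@dataclass
class LibraryIrmSettings:
    """Library-level IRM settings from the 'Document access rights' and 'Group
    protection and credentials interval' slides (attribute names are assumed)."""
    allow_print: bool = False            # otherwise printing is prevented
    allow_script: bool = False           # otherwise code/macros cannot run
    allow_local_copies: bool = False     # otherwise no local editable copy (Save)
    expire_days: Optional[int] = None    # access ends N days after download
    license_interval_days: int = 30      # credentials re-validated after N days
    sharing_group: Optional[str] = None  # group that may share the downloaded copy

@dataclass
class ProtectedCopy:
    rights: Set[str] = field(default_factory=set)
    expire_days: Optional[int] = None
    license_interval_days: int = 30
    sharing_group: Optional[str] = None

def protect_for_user(sp_permissions, settings):
    """Rights placed in the copy SharePoint issues to one user on download.
    Returns None when the user's permissions map to no IRM right at all."""
    rights = set()
    for perm in sp_permissions:
        rights |= PERMISSION_TO_IRM.get(perm, set())
    if not rights:
        return None
    # Assumption: library settings narrow the mapped rights, never widen them,
    # except Print, which the slide ties to the library's own setting.
    if settings.allow_print:
        rights.add("Print")
    if settings.allow_script:
        rights.add("Run Script")
    if not settings.allow_local_copies:
        rights.discard("Save")
    return ProtectedCopy(rights, settings.expire_days,
                         settings.license_interval_days, settings.sharing_group)
```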

HOW DO I USE IT?
DEMO

INFORMATION RIGHTS MANAGEMENT
Related Topics

RELATED TOPICS
RMS Sharing App
- RMS-enlightened client application
- Can protect/unprotect files of any type
- Available for:
  - Windows (desktop PC)
  - Mac OS X (10.6.6 or above)
  - Windows Phone 8.1
  - Android (4.0.3 or above)
  - iOS (version 7.0 or above)
More info: https://portal.aadrm.com/Home/Download

RMS SHARING APP
DEMO

RELATED TOPICS
Logging and Auditing
- RMS logs can be used for auditing access to protected documents
- RMS logging is optional and is not enabled by default
- Requirements:
  - An IT-managed RMS subscription (not RMS for Individuals)
  - Azure subscription (to store the logs)
  - Windows PowerShell for Rights Management
More info: 21.aspx

RELATED TOPICS LOGGING AND AUDITING
Azure RMS Logs
- Stored in an Azure storage account as blobs, in W3C extended log format
- It can take around 15 minutes for a log message to appear
- You can download the logs using PowerShell or the Azure Storage SDK
- Each log message includes (among other information):
  - Date and time of the request
  - Request type (request made to the RMS API)
  - User ID
  - Content ID
  - Correlation ID (to map requests to ULS)
  - Client information (similar to User Agent strings in browsers)
  - Client IP address
More info: 21.aspx
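As an added example (not from the slides, and not the RMS PowerShell tooling), here is a small W3C extended log parser with one audit check over the fields the slide lists. The log lines, the field names and the request-type values are constructed for this example; a real Azure RMS log carries more columns, which the parser tolerates because it reads the column names from the "#Fields:" directive.

```python
from collections import defaultdict

# Constructed sample log in W3C extended log format (field names are assumed).
SAMPLE_LOG = """#Software: constructed sample, not a real Azure RMS export
#Fields: date time request-type user-id content-id correlation-id c-info c-ip
2015-05-10 09:01:12 AcquireLicense john@contoso.example doc-A corr-1 MSIPC;WINWORD.EXE 203.0.113.10
2015-05-10 09:03:40 AcquireLicense john@contoso.example doc-A corr-2 MSIPC;WINWORD.EXE 203.0.113.10
2015-05-10 10:15:05 AcquireLicense jane@contoso.example doc-A corr-3 MSIPC;WINWORD.EXE 198.51.100.7
2015-05-10 10:20:33 AcquireLicense bob@contoso.example doc-A corr-4 MSIPC;OUTLOOK.EXE 198.51.100.8
2015-05-10 11:00:00 AcquireLicense jane@contoso.example doc-B corr-5 MSIPC;EXCEL.EXE 198.51.100.7
2015-05-10 11:05:00 Certify bob@contoso.example - corr-6 MSIPC;OUTLOOK.EXE 198.51.100.8
"""

def parse_w3c(text):
    """Parse W3C extended log text into one dict per record.
    Column names come from the '#Fields:' directive; other '#' lines are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue                      # #Software, #Date, #Version, ...
        values = line.split()
        if fields is None or len(values) != len(fields):
            raise ValueError("malformed log line: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows

def users_per_content(rows, request_type="AcquireLicense"):
    """Distinct user IDs that obtained a license for each content ID.
    '-' marks a request (such as Certify) that is not tied to a document."""
    seen = defaultdict(set)
    for r in rows:
        if r["request-type"] == request_type and r["content-id"] != "-":
            seen[r["content-id"]].add(r["user-id"])
    return seen

def flag_broad_access(rows, max_users=2):
    """Content IDs opened by more distinct users than the reviewer expects.
    SharePoint issues each downloaded copy to the requesting user only, so a
    copy licensed to many users deserves a look (threshold is this example's)."""
    return sorted(cid for cid, users in users_per_content(rows).items()
                  if len(users) > max_users)
```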

LOGGING AND AUDITING
DEMO

INFORMATION RIGHTS MANAGEMENT
Conclusions

Conclusions
- IRM is a great way to protect sensitive information stored in SharePoint
- IRM can be used with SharePoint Server or SharePoint Online
- IRM protection is embedded in the document and travels with it
- IRM protection is applied at the library level for all documents
- To use IRM with PDF files, a specific reader application is required
- Any file type can be protected using the RMS Sharing App
- RMS logging can be used for security auditing of protected information

References
- Microsoft Rights Management Services
- RMS for IT Professionals
- Azure Rights Management
- Comparing Azure Rights Management and AD RMS
- Requirements for Azure Rights Management
- Set up Information Rights Management (IRM) in SharePoint admin center
- Apply Information Rights Management to a list or library
- RMS Sharing App
- Logging and Analyzing Azure Rights Management Usage

Thank you
evala
