Accelerate deployment and adoption of Microsoft Information Protection solutions - BRK3009
Good. Morning everyone and welcome to our session thank, you for. Coming. Up so early in the morning know it's been a rough week. My, name is ma vie and I lead the as. Your information, protection customer, experience, go to production, team now, I know this is title, as as long as Khaleesi from Game of Thrones, but. Hey winner is coming, and we're all need to be prepared with, me we have Enrica, suggests a. Customers. Understand, and deploy our products and I also, help our pro. Team or engineering team understand, our customers, and idea. Today is to show, you what they've been doing for the last couple. Years on the information, protection front and, also. To introduce yourselves so we, can work with you on deploying, these wonderful products, so. Today in our agenda we're. Going to talk a little bit about what, is Microsoft, Information protection some. Scenarios, on how to accelerate the deployment in your organization, and we. Are going to share a customer, experience story so. We have a guest star today and. He's. Actually working for, a company that has. Been nominated, number. One out of, Fortune. 500 for the sixth time in a row this, year this. Is the largest company think. In the world may I say and let, him introduce himself. Hello. Good morning I'm Alan Coren enterprise, technical expert with Walmart's cyber. Security and compliance. Crew, today. I have, the honor of being able to present to you some of the stories from Walmart how we selected. Aap among the field of options. In the IRM drm world as well, as some of the challenges we had deploying like, all of you larger organizations face unique challenges and, so I'll shared the challenges how we overcame them and even a couple of they're still outstanding that I'm able to work with Mavi and Enrique on to help better the next generation, so, thank you and I'll see you in a little while, as. You know everyone's, been asking us yeah you're telling us what, to do how to do we, want to learn and hear other customers. So, we have Alan here, ok. So, let's so direction, to what, is actually Microsoft. Information, protection. Back. In the days not that, long ago you. Know all. The information was, on pram we had firewalls, to protect all the data inside. The organization, we, didn't have that much of a technology, everyone. Wanted to work, they, worked on their users, devices apps data everything was on purim nothing. Has happened but. Today as we, move on to the cloud and, technologies, are getting better and better and more complexed, we, need to find a better way to secure our data so. You. Know we have less boundaries. Everything. Is out in the open employees. Bring their own devices to work we, have laptops, you. Name it we have it we have several iOS. Android. Google, whatever you want we have it so. What. Microsoft, is has. Been working on is a comprehend. Solutions, that we are calling the Microsoft, information protection it. Covers basically, four, pillars it's doing the discovery, it's, doing the classification. It's doing the protection, and it is monitors. Everything. That is happening. It. Actually. Do everything. Like. Cross all devices all platforms, worldwide. Wherever whenever. We're. Here to protect. So. How do we actually do that we. Do content discovery, can. Be transferred orals it can be DLP FCI, AAP. Of course in MCAS we. Do the labeling and classification. With, that. Can also be the FCI, Exchange, SharePoint and. Obviously, AIP. Encryption. And protection, again the rights management service, comes to play here through, the EFS, we do office.
365. Message encryption and with your Windows Information protection and we. Do all the tracking and monitoring, with all our tools obviously. The RMS tools the classification, logs the, office 365, compliance. Center. And sorry and the MCAS alerts and Windows, Defender ATP. All. These can be achieved with what we are calling today as Microsoft. Information. For detection okay. Again this is not a product this. Is not, one, thing this, is a comprehensive. Set, of solutions, across. Microsoft. Okay. So, just in a glance so. You'll be, able to see we. Have a lot of solution. This is only partial list by the way and. Just. So you know so we have the Azure information protection the office 365, DLP, office. Apps, obviously. Is v we have our MEAP SDK, there's a great session a day later on in a day we will point it out later, strongly. Suggest that you attend this one if you need, to work on an SDK. And, all the things that you see here and again, this is only partial. List from. What we call the Microsoft information protection solutions. All. Right coming. Up next is how, you can actually leverage the. Deployment, of azure information, protection in your organization. Today what, we hear from our customers is. Ok. That's great I want, it and I want it now and how, do I do it in the most efficient, way fastest. Way just. To get started and then we can actually go to more complex, things so, we're here to actually help you learn. How, to do it learn. From our best practices, also. Listen to Ellen later on and, just. Get started with, that I will hand it to Enrique. Thanks. Maddie. So. As may be said this. Is a family, of products. MIP, let me be very clear it is not a marketing, term this is an actual thing it's a SDK. And a sea of dealers, of DLL and components. That are actually being implemented across all those products but if you say well I want to protect me my information with Microsoft. You. Have a long road ahead because as you saw there are many products and you. May choose to use some and not others you, may decide to deploy some niche solutions. But. It's a very, big family and you may be wondering how do I get this done quickly well, there are some things that our customers have, told. Us they want to achieve as rapidly, as possible and we've come up with the ways to get that done, very. Rapidly, the. First one is I want to understand my data I want to have an idea. Of what, is important, what isn't what I shall protect. What doesn't, matter and. They. Want to do that without, changing. The way their users, works they want to do that without, introducing. Breaking, changes, in their environment etc. Another, one is to. Be, able to quickly very. Rapidly be. Able to tell their upper. Management, what's, out there what's our level of risk what data is, exposed. What data, if. Something, bad happens, where will it happen so. For. That we're gonna describe the scenario of the point a piece can in discovery mode, which. Again is something that you can do very very rapidly. Companies. Also have very. Complex, challenges. Around protecting, data that is being shared with others with their partners suppliers customers, and.
Protecting. Business-to-business data, has. Multiple faces but there are some scenarios that are extremely, straightforward that you can deploy overnight, and enable. Protection. Of the most important pieces of data that you need to share we're going to show you that and finally this, is something that is very important, especially in specific, markets. There. Are companies they have extremely, sensitive data it's, well as identifiers well localized they know what it is and that. Is the make-or-break, data, in the company and they want to make sure that it is protected at all times, with. That sinner, in mind we can also enable. Protection. For. That data without. Affecting. The rest of the environment and you're very efficient, and rapidly so let's talk, briefly about each, of these scenarios I won't. Understand my data how. Do you understand your data. By. Classifying, it using classification, data classification is a great tool in. Itself data classification doesn't. Do much for security. Though it can be complemented, very, easily with other elements in your environment, to. Add. Protection. But. You can deploy manual. And automatic classification very, rapidly across the organization. Thanks. To Microsoft information protection and in particular as your information, protection. You. Can. Teach. Your users to classify, data you can auto classify, data and then, with, that you can do report, to understand, what's, going on where's your data how does it look like who has it who's creating it how, is it being shared you. Can use, content, markings like headers. Footers watermarks. Things like that apply it automatically, so your users know what type of data they are dealing with and increase awareness increase. Increase. Efficiency, and you. Can also implement, each level controls, like, DLP, rules transport, rule things like that to say well I don't want top secret data to be leaving my company without authorization, that kind of scenario is relatively easy to implement of. Course. You can do much more and we. Hope you will do much more once you deploy these for. Example you can apply protection, your kind of play encryption, you can apply. Restrictions. Access, controls, lots of things, like that Paul as part of the AIP. Product. And it's, relatively straightforward implement, but those changes normally, take a little bit longer to. To. Test validate to. Make. Sure your users understand, the consequences, of what they do so, applying.
Just Specification, that's the first step without breaking, anything without annoying, anyone, you can do that very very rapidly, and. Until. Recently we had some limitations, in that area. Today. We still have some limitation in that area in particular, the support, for Mac Android, and iOS is, not to the same extent than we have in Windows, during. This event I think yesterday we announced the. Support. On Mac iOS Android. And also. On the web interfaces, for. Our data, classification so. Most. Likely by the time you are, deployed. With these you'll. Have a great level of support in all the platforms and a very consistent level of support in all the platforms. So. Talking. About classification. What. Is labeling. Everything. Is what you use to do classification. Basically. It's metadata written, into, the documents, into your files and emails that. Metadata. It's, a tag. That says this is confidential this is public this is personal, this is whatever it is and that. Metadata. Travels, with the documents, when somebody, classifies a document, that document travels around and it keeps the data with it that. Aggghhhhh allows applications. To know, what it is so for example if you have a firewall you have a transport. Agent, you have a exchange. They. Can look into that metadata, and say ok this is important. This is not already through I block it or apply, other behaviors. The. Metadata, is clear text so it can be read by applications, it. Can also be, used, to trigger other behaviors such as content marketing so as I mentioned before you can put visible content markings, in the content, or something I put a header that says this is confidential, so the users know that it's confidential as well as the, computer and. It. Can be obviously fuelie custom customize to adapt to your business needs and to your existing, classification, methods, to your company's. Culture and, to your languages, etc. So. How do you do this you. Can create, your own labels, and. Or customise the defaults. Which. Are a great starting point for most organizations. The. Recommendation, is when you first create your labels do not start with protection, think about protection but do not enable it right away you want your users to become familiar and. Relaxed. Around classification. The, last thing you want to do on this is a common mistake when you deploy a classification solution, is to train your users to lie to you let's.
Say You say well whatever is confidential, is gonna be read only and, only accessible to these people and cannot be printed cannot be sent outside banned or any circumstances. The. Second, time, a user sees a documents confidential they're going to classified US public because they're gonna hate that they're gonna hate all those restrictions so. You train your users to lie to you and then the whole system is useless. Start. With classification. Don't. Do anything extreme. Regarding, protection you can do some cases of protection but very relaxed, let your users get familiar with it in essence we are talking about boiling the Frog here making, sure that your users get used to, classification. And by the time, you. Add more restrictions, they, already accept, that that classification is the way to go and they already have a familiar understanding, of what, is confidential, what is public etc. In. General is recommended to do they, will in mandatory because users, are lazy they're not gonna click on one extra button just. For the sake of security or, anything like that, now. Making, it mandatory for documents and emails tends to be kind of annoying, because. You especially, for emails because. You send 100 emails per day you, are being asked to click a hundred buttons per day and that's perhaps, too much for the users so one thing you can do is to define some defaults, and say my, emails by default are gonna be internal and if it's other thing you have to click on a button and. For. Documents, you make it mandatory you put no defaults, and your users are mandated, to click, one extra button every time they create a new document which doesn't happen every five minutes so it's, not too much to ask. Then. You deploy the AAP toolbar, told. Your Windows devices or users, start seeing those labels. And. Then you do an awareness campaign that's, this is critical, AAP. Is a simple enough product that doesn't require training, you don't have to train your users on how to click one button one, terrific asian button I want to show you how it works and it's extremely, simple so you don't have to teach their users how to do clarification what, you have to do is, to explain users why classification, is important, what, each of these labels means and. How. To to. React. On how to behave around them we, have created a bunch of materials for these for helping users understand, a classification we have created quizzes. Posters. Things like that that, you can customize to your organization. And you can deploy in your, bathroom. Stalls in your walls everywhere, so your users get used to understanding, qualification please. Contact us if you need that information and with. That you increase awareness about classification, and. Then you use the reporting capabilities that we announced this week track.
Adoption, Of classification. To understand how the data is being, classified. To. Let people know they're falling behind if you have some departments, that are classifying, less than others then you, send them an email saying hey you're. Behind make sure that new teacher or you tell your users to do. The right thing here and you. Continue tracking, once. That is well established which, takes a few weeks you. Can start enabling more aggressive settings for, example adding protection item watermarking, and other, settings. That are part of the AAP offering I mean. Very rapidly. It looks like. Before. Enrica dies does. Anyone here deployed, AP, already. Everyone, here is engaged some who's engaged with the CXC team. Okay. And I see some familiar faces around yeah. So. This. Shall be the most boring demo ever because, the, idea is that it's, simple it's almost. Stupidly. Simply, I. Have a document and working on confidential, stuff and I, want, to tell this confidential, I click on the confidential button that's, it I'm not gonna do that because. One thing that you may want to do along with the deployment of classification, is deploying, automatic. Classification and, you may have your own keywords you may have they. Need to detect critical numbers you may have the need to detect. Other. Sensitive, information that can be programmatically. Via tected, AIP, can do that in the case of Microsoft, for example, or. Legal department, they, use such, and jargon certain terminology, such as attorney-client. Privilege and when somebody type. Types. Their keywords, ACP, which stands for attorney-client, privilege, document. Shall, be protected as, confidential. So, we show a recommendation there, we. Chose to use a recommendation because, sometimes, the word HCP can mean something else. Instead, of automatically. Classifying, the. Document, but if the user says okay yeah this is confidential, then. The, document gets automatically, tagged as confidential you can see that in the classification toolbar and you can see that we are the header etc. It cannot, really get simpler than that and in. This case at Microsoft, we're applying protection, in addition to just tagging, the data in. Fact for this, kind of data is quite tight. Classification, it's because our users got. Used, to it first and now. They accept that for example if something is ACP they're.
Not Going to be able to print it or things, like that but. That, was hopefully. A very simple, demo. And. It. Doesn't require much more, to, understand. How classification, works, deploying, that again, takes, days. It's extremely. Simple when, you get into a protection, stuff obviously you have to validate for example that your ink that the encryption that we're applying doesn't, block. Some behaviors, doesn't, prevent, you from indexing. Stuff that kind of things so that's, a little bit more involved. Project. Sorry, wrong. Computer so. The second scenario I, don't. Want to wait until. My users have started classifying data and gone through months or to spank data to start seeing what's out there I want to know what's out there right now I want. To be proactive and, find everything, that is in my organization. So. If. You have repositories, in particular on-premises, repositories. Which may be lacking advanced, discovery, features such as five servers, or older SharePoint versions. And. You want to find the data that is there we can help we have as part of the AAP solution the AAP scanner the AP scanner is an agent that you deploy on premises and that, goes to your different content. Repositories, and discovers what's out there. Once. The data is discovered, it, can be reported and then you can. Enter. In panic mode if what you find there is terrifying, and then, take additional measures such, as applying protection, and. Securing. That data. You. Can scan, most. On private repositories, such as Nass devices, sips devices. Sharepoint. Server etc. It. Can discover what's out there and match. It to your policies, so if you deploy, classification, policies you, can match it to those labels, and say well this contains critical numbers, so it's confidential this contains, Social Security numbers so it's top secret you, can do that kind of stuff, or. You can say just this code what's out there and report to me if you found credit card number social security numbers or whatever it is you can customize these rules and say discover part number discover. Account. Codes whatever, you, can define as a pattern or a keyword. And. Then. You can report on it and you can, either. Do custom reports by looking at the logs and presenting, specific, details, of what you found or you, can take. The standard, reports that we provide in the, and, use those for, awareness how. To operate a scanner I'm not gonna go into details here we have a theater session this afternoon at.
1:15. I think what. We're gonna show how to deploy the AP scattering four minutes. Kevin's. Dead five but I'm pressing, him it's, good. And. It's. Extremely, simple, you need, a server you need a database a sequel database to put the data and then. You just configure, a few powershell, commandlets and that's it it, goes it finds your data and your reports back. In. Particular, deploying, the IP scanner in discovery mode with all content eyes means I'm not going to tell you how to classify data just tell me what you found tell me if you found critical numbers on how many tell me if you found, soldiers. Killed numbers etc and you can configure that with one PowerShell command you say discover all information, types or, discover, information types all and, that's. It we're going to go into details this afternoon if you want show, up to that theater, session and we put some pressure on Kevin. Once. You have that dot. You. May move to the next problem which is I have emails that contain sensitive data and need. To be shared with my customers, or with my partners, or maybe I'm organization, that deals with consumers, and I'm sharing with sharing, their data which contains BIA I'm a medical organization, an insurance, company, I'm a school and I, want to. Secure. All those communications, but the challenge is I want to secure in a way that doesn't annoy them there are my customers has, to be easy it has to be has, to always work so. In. This case is where I have to send sensitive information. To other businesses, or to other individuals, whichever, is the case. You. Want to have it protected in most cases what. You want is to ensure that it's encrypted and if it's intercepted. They can't read it and if it's lost not a problem. Most. Cases you don't need to ensure I want them not to be able to print this data go, into some cases that's true so in, most cases you, want to use the most relaxed, but, still secure, method, which is encrypt, and apply access controls but do not apply users restrictions, in. Some cases for example for, sherry. Bidding, information. For an RFQ with your suppliers you may say no you cannot forward it to others you cannot print it you cannot copy it you, we have the flexibility to do those policies, but the starting point is usually we, relax the plain encryption, and don't, add additional, capabilities, until, this. Is well established. There. Are many ways to do these, one. Of them is tell your users to classify data and then one is an it out the, emails will be protected. Because the, classification, can trigger automatic, encryption another. One is let's create a transport, rule that looks for that kind of data or that looks for specific scenarios like a school. Principal sending. Email about health. Situations. To the school. Students. Parents, that. Flow is going to be automatically, protected always you don't have to look into the content you know that that flow in particular, is sensitive. You. Can create a transport rule to do that. So. Just. Very. Quickly I'm gonna for, those that haven't seen these, at work let. Me show. You how. It is I'm gonna, create a very simple email. Good. Point. I'm, gonna create a very simple email I'm gonna send it to one. Officer. 25 user within. My organization Robbie. I'm. Also, gonna, send, it to another. User. In another company. Allen. I'm gonna, send it a. Gmail. User I'm. Gonna send it. To. A hotmail user, I'm. Gonna send it to Comcast. User a bunch of you certain different types of identity, systems different platforms, I don't know what kind of device they're using what kind of application, I.
Can. Send it somewhere from the crowd I. Called. I'm. Gonna start asking emails because everybody else is going to listen. So. I'm. Going to add an attachment and, let's say that both the body and the, attachment, are important, this is an insurance policy information, and. In. If you have followed the previous steps these, insurance policy shall be classified, already so. The, user will not have to do anything extra for, this exchange, to be secure in. This case well I didn't have time to deploy aap in. Front of this audience so. I'm going to classify, these as confidential. And we have this is microsoft policies I'm gonna say, confidential. Recipients only. Now. Notice that they didn't do anything special, around. These I just. Selected. A policy, and is the same email for all these users, I have, business-to-business. Business-to-consumer, all, that, mixed up in the same scenario. So I'm gonna go to. Possibly. The worst case scenario here actually. Let me show you, I'm. Gonna go to, the gmail, case and I'm, gonna try. To open this now let, me show you one thing first. If. I went to Bobbi's mailbox, and I, looked. At what she, received she. Will, see this email how. Does she open it, she. Double clicks on it and. That's. Gonna open the protected email she didn't have to enter authentication, passwords credentials, anything she didn't have to install an app she didn't have to. Click. Here nothing, why because, he's using of sixty-five and well there is an internal external user, they, can open it without installing anything on doing anything special so. For them is like magic they just received an email the only thing that tells them that this is sensitive information is the fact that they, see the classification, up there and they, see the, protection, apply that tells them you cannot forward copy whatever. Now. In the case of a gmail user I. Just. Open. It but here's the thing Gmail. Doesn't know about a IP natively, yet and. So. It doesn't know how to render this email so, what do you say I have to do is to say okay I'm, gonna read the message but notice this is the same email, we, didn't fork the conversation, we don't have two different T must go in two different people is the same email it's just that he has a different, presentation, depending, on the environment. Some. Magic that we do behind the scenes so the user, now. Clicks on the, link and. Fatty's. I'm a gmail user some already authenticated the Gmail if to. Be full. Transparency if I hadn't done this before, it will have asked me can, you login and the user will have clicked, on their gmail, credentials. Authenticated. And that's, it I've, done this before I practice, my demos so he didn't ask me for credentials and it's, signing directly. Now. You'll notice that this is not the Gmail you are this is another. Web UI this is the office 3 5 yards so basically we're using office 365 for, Gmail which, is kind of crazy but. Whether. The user is Gmail, Hotmail chromecast. Or something else they will be saying the same thing they will be seeing a full fidelity representation. Of the message they can reply reply all they, can not. Forward. Or print, because that's blocked by my policies, the sender's policies they, can view the attachment and. They. Basically get the. Full, experience that they can actually download the attachment they can view it in the web browser. And. They can continue working with me so, you cannot get less annoying than that in fact, as adoption. Of a physical if I grows and, more, users are using AP and all these, the. Native, experience will become more and more common but. Everybody. Else whatever device they are using they. Will see this in fact I tried these on a blackberry. Using. Lotus. Notes and all what was not client, with a yahoo identity. And all that still, works so, there. Are no challenges, for the sender and that's the important thing the sender, doesn't have to be worrying or thinking what kind of identity have what kind of device they have they. Just, click. On the, classify. Button, and then they send that as an email and that's, it.
So. But. That isn't easy, enough, what. You can do is to create a transport rule and you can say well I'm going to create a classification for confidential. And then you, create the transport rule that says if the email is confidential. Apply. This policy or you. Can say if the email contains these kind of keywords, or social, security numbers or whatever you're looking for. Apply. These protections and don't require the the user classifies. The email so, in that case there is zero effort for the user oh one. More thing when. That gmail, user I didn't show you that but if the gmail user replies, to the email the sender doesn't get the Gmail experience, they, get this same, native of twenty five experience, so they see it in place in Outlook they don't have to collect any extra buttons because. Again, we didn't fork the message and created. A web version a non web version it's all the same when, the user replies it, continues, working as the regular email. Experience for the sender and for any other people that are copying the email. So. Final. Scenario oh. The. Benefit twelve I already said that basically. It's, minimal friction minimal. Effort it just works and. You. Can either protect, the emails before their sense or all the emails are protected. Across, the whole environment, internally. Externally etc. Or you can just protect them on egress you can create a transfer rule that says you know it's not protected until it leaves the company and, when it leaves the company we want to protect it and that, way you. Have any worries about anything inside when the data leaves the company that's when it's encrypted in general we encrypt we recommend, encrypting every, Clause or when, the email is internal external it doesn't matter if it's sensitive it should be encrypted but, you can choose depending on your priorities. Final. Scenario the, crown jewels for. Those businesses, that have extremely, sensitive, data that is easily identified. For example, an oil company having, oil exploration, data those are billion dollar spreadsheets. An, announced public, plans you're, planning, the Xbox, be next and you want all the details you. Know where that is you know what it is. Critical. Intellectual, property, Natural Resources exploration. VIP. Account, like you are a Swiss bank and you have these 50, accounts, which are paying you millions and you want to make sure that you give them the highest assurances. Unreleased. Financial data mergers, and acquisitions data when we were about to buy a secure Island in. Order to build all these we. Didn't want anybody to know that we were buying secured Islands because that might drive their share price and then we end up paying twice as much so, we want to protect that data. That. Information, is relatively easy to find and. What. We recommend those cases is. Centrally. Located and, both protected, that. Is again something that can be done in. A week, you. Can protect all your informations, data with, a IP but these are things that you can do overnight. How. You do that, find. Data, use. A ap PowerShell or the AAP scanner, classify. And protect the data. If. The, data is not centralized you have to deploy the AP, trying. To the user start dealing with the data and tell them to classify, it so you can find it. And. Apply. Restrictive, rights do. Not copy do, not print. Still. Allow the users, to do their jobs but. Restrict. The data and the operations, that they don't need to perform normally but, always provide an escalation method for example regular. Users, cannot, forward. These data to external people but, managers, in that division can so a regular user needs to share something outside, of the concision is one, door. Away they go to the managers hey I need to share this with the supplier I know it's super confidential, but they, are working for us on these they. Change, the policy and they share it so always provide an escalation method because, again what the last thing you want is your users lying to you and saying this is all public so I can do my job. And. Then use. A peer reporting, content. Tracking and all that to find where the data is and to weekly report, how it's being used how. It has been shared where, it is located, who, reclassified. That if I have a top-secret document with new. Found oil, field. In. This country, and I don't want others to know I want to check who read this document every, week and I want to make sure that if there are any exceptions, any risk.
Factors I can report on that and. The. Reporting capabilities were announced, yesterday. You. Will be able to look at them by, the end of this week and basically. Tells you where your data is the fully inventory of your data and, what. Classification it is what, will happen we're, going to add the reclassification information. To show you who has done great, security of a document that kind of thing. And. With that those, are the easy deployment scenarios, what. Walmart did is not the easy deployment scenarios, they, are doing. The full thing but. Alan. Will tell will I be able to tell you how. To deal, with these in an extremely, large complex. Organization. With, all the challenges that the most complex and large organizations have. Alvin. Thank you. You. All I, actually want to follow up on something Maggie said she asked who was deploying AAPL already and there were a few hands who's, looking, to deploy an IR m or DRM technology, and is looking for information to select something for their business. About. Half the crown maybe more. Thank. You, so. What, I want to do is present some of the decision-making some of the selection criteria that, we chose making. Certain that we were making the right decision for our business not only today but down. The road in the future talk. About some of the components. Enrique, did an awesome job lining, out the technologies, and talking about what they are and what. I'd like to do is translate that to some, of the business terms on the back end what he can have to support later on because. Something, has to be paid for now and pay later. Eliminating. Roadblocks, obviously. Walmart a very large organization, with a lot of endpoints nodes, configurations. Versions, and so making certain that we have compatibility, and deploy ability across our enterprise is, key for us and so there are challenges we have to knock down most. Of which we knocked down a couple of not this. Is something that actually mafia, nanri Kay and I have been discussing for months, and even as recent as yesterday about. How to what. Changes could be made in the product in the coming future that, you all can look forward to that would help not only drive our business but make your lives easier as well. Yarp. It. Might be natural for some organizations who already have 80, rms who move on to the azure RMS, the AAP for. Those who already have their identities, in the cloud this same cloud makes, a lot more sense because, you've reduced some of the complexity, it's gonna be available for you in the same platform. Integrated. Technologies, with Exchange. SharePoint Online. Again. When you're when you reducing the complexity by removing, some of the additional hops and steps to other providers it's, going to a faster. More seamless. Transition. For you business. Continuity I actually. Wanted to list a bunch of, DRM. Providers, who, had gone out of business in this space but I thought it might be maybe. A little less tasteful, given that they might be in the room though. I, listed, a few from the movie industry the music industry, the e-book industry, there, are some organizations that are gonna be out there today, that won't be there in 12 or 24 or 36 and so, for us we wanted to make a selection. Choose, an option that was good for us not only today but tomorrow. Trust. There's. A lot of trusts in. The relationship, that we've got with Microsoft, and they've, been around for a really long time, it, doesn't require a second, or third party access again talking about the seamless nature of having everything in one cloud I don't, have to then provide another. Piece of access for someone to move over to the location. Of my files a. List, of audits and certifications, it was interesting when we were trying. To evaluate and figure out which provider, would be the best option for us and Microsoft. Has a very, long list of search that I forgot they've got on there in a previous life I used to do some auditing for organizations, and there are things on that list I don't recognize so I appreciate a Microsoft, for going. In my opinion above and beyond and trying, to figure out what they can do better for their environment and not. Listed on the slide a lot of trust for letting me speak last. Vision. Continued, growth this, one area, where I think Microsoft has been absolutely, instrumental they, don't really have this a great conference here where we get to hear about the new products new services being, brought out but. We get to see the last ones already implemented, and growing and we, get to see the roadmap they're very transparent they share the roadmaps with us and it's something we can appreciate whereas some organizations, even. With. The relationship, with an organization, as large as Walmart they don't want to share the roadmaps so, if we don't know what's coming down the road if we don't know that they're committed to growth it's not something that we're interested in.
So. What are the pieces and parts epi sometimes, can be a little nebulous. At least to some customers it is one, cohesive, set, of technologies, but what are the technologies, and we're gonna have to support an own later, on. You've got your core piece your Azure RM s that's where you're going to settle your policies your templates, all the components, inside. Are basically, defining, what it is you're trying to provide enta fie label. And protect, your. Client you are gonna have to put software down onto the workstations, you. Want to make certain that you've got someone who can employ it and configure it the ARP scanner for. Everything existing, in your on-prem solution, file. Servers you want to make certain to go back and identify, where those files are and classify, them even if it's an open encryption. To your organization. Later, under the presentation, something, that Enrique mentioned. I think mommy as well keeping, it simple it's. Easy to save but it's sometimes hard to do because someone, with a grand plan has come down and lets you know here's what I want and that complexity. Can. Definitely. Make it harder, to use some of the technologies, later on and so, you want to start simple, Enrique. Had mentioned that you want to start even with just a scan don't necessarily, go back in and crib don't protect now tell. Me what you saw so, I, can, iterate from, experiences, and definitely. A large organization, to any size organization. Start. Simple. That. Doesn't mean you won't grow later on security is not a checkmark you're not going to do it today you're going to evolve over time start, simple. The, office 365 policy, so some of the DLP functions. Of AIP are actually. In other, components, inside of Escher and so you want to make certain that you've got relationships, with your exchange, teams your collaboration, teams if it. Isn't owned in one organization and finally, your ARP connectors, and I are M so. The, connectors, allow other services. Like Exchange Online SharePoint. To be able to go through a proxy, to get back out to ARP, so that it can do the decryption for you so that you can have. Those functionalities. Without. Having to have software on your system. So. What about ownerships. Licenses. Is one piece you're going to need across multiple. Components. Here the, policies templates, it takes a while to create some of these the. Canned out-of-the-box they absolutely can, work for many organizations if, you need more customization. You're gonna have to put time into it DLP. DLP, is definitely, a special area anyone who's done DLP knows that you can put something down you are gonna have to own what it finds, there. Are tickets there are teams that are kind of have to go back and either do remediation or, provide. Information to your leadership, on why those piece of end and files across the organization. The. Client clients, our software, software has to be upgraded, no real, secret, there, the. Scanner the, scanner has a different licensing, model and that's, something. That we were even having conversation, about yesterday how either. That could be made. More, simple, I don't, think it's necessarily complex. Today but if something need to understand, so, take take, note of that and finally, I remand, the Azure connectors that is, probably the simplest piece you. Lay it down you install it you walk away from it but somebody's, got to own those servers, knowing. What's in your environment keeping, it updated you've, got to make certain that you're always patched so. What are some of the challenges that an organization, says it will more faced and what, did we do to overcome them. Like. Many of you we want to protect our data from leaving our environment, and so if we've got. DLP. Protecting, stopping. Data from leaving the environment, on the edge the egress, we. Also have a decryption zone we, make certain that, information. Doesn't leave without us knowing about it a IP. As a security client and wants to make certain that no one is interrupting, its signal as it's making a secure connection so, as soon as it sees a, corporate. Decryption. Zone it. Treats that exactly, like it is a man-in-the-middle says, that's a man in the middle i'm not going to connect. So. If you've got one of those you need to put in an exclusion, make certain you right around that, users.
In Computers this, is also easy to say users aren't computers, the. Challenge is when I have to deploy software to a computer to upgrade it but I have to license, the user, for. Organizations, that have no. Asset. Management or a simple, asset management this can be complex. It. Doesn't have to be with making a few changes something, that I've worked with andrey, k and some other Microsoft. Contractors. In our. Contract. Excuse. Me this, is something where I was able to create some extra automation, and, that's. Something where I provided it back to Microsoft and I'm even willing to collaborate with you all obviously. Offline, and provide. Information. To you so that you can make better deployments, in your organization's. Dns, this, is just a really simple one the. As. Your connector. The AFP connector it has to have one call to dns give, us something if it can't see through the proxy let it go on. Organizations. Not all organizations, have the exact same user. ID and email, address your UPN, and your email address of organizations, who've either been purchased, or renamed, or purchased other organizations, and consolidated. Into an email scheme the, first authentication, that normally happens with your office is Outlook, in, the morning your buddy starts up Outlook it connects and that authentication typically, happens through email, address doesn't have to but typically does that's, not something a up he's going to use to authenticate so you need to understand that a IP, has its own authentication, be, aware of it and take, it into consideration when laying down your configuration. Mak, authentication, the Mac experience is a little bit different it's not. It's. Not terrible but it's different and so you need to have your expectations, set with your executives, who have Mac's, as. Well you need to make certain to put the UPN, if it is different from your email address in the email field. Of, the outlook client. Migrate. Crypto Mo's this. It. Should be easy but sometimes, you forget two little things if you have upgraded from crypto mode one to crypto MOTU and you migrate the ARP make certain not to only migrate, your crypto mode two keys might, not be able to unencrypted, some of your older emails. Licensing. Confusion. Licensing. Licensing. Thing, I had. It titled differently but one of my corporate attorneys helped me fix, that. This. Is a challenge, the. Licensing, is something you want to keep up with there are different names in different places, there, are functionalities. Out of products, that are attached to service plans that part, of SKUs. It's. A little complex it's not terrible but making certain that you have. It all lined out and communicated. When you're making changes especially, when using something like dynamic, groups being. Able to populate. Licensing. For your users based on a dynamic group makes this simple, and so, leverage some of the other components inside of azure it. Really can take all of the administration, way as long as you have the right thing and so you want to communicate with your other organizations, maybe. Email teams maybe SharePoint teams maybe, tune teams whoever's, using the other functionality, be transparent, as much as you can. Keeping. It simple, when, we first started we decided we wanted to use a large, number of scope policies, that. Was pulled back a bit we made a lot of decisions where we had grand plans and we pulled back because the simple works well and then, for your edge cases, then. Add the additional complexity, don't start with the additional complexity, I think, it's something that Microsoft has put in every, one of the presentations, and not all of us listen so it, really is great advice what. About the remaining challenges, office, 2010, Microsoft, has not been shy they've not they've been completely, transparent, that's not something they're looking to go back and support now for modern authentication if, you've got office 2010, in your environment app, he can be installed there it can work it's going to take more work on your part and possibly on the part of your customers, be. Aware. Upgrading. Is simpler sometimes, then trying to reconfigure everybody's, workstations. Parity. Between platforms the. Platform's there is a difference between your Windows clients and your Mac clients the Windows clients will show the labels, that we've been talking about and the Mac clients will show the template, names if. You, migrated, those from some other platform if you call them different things it now has, a loss, of parity they're not gonna be the same names it can be confusing to your, Mac users executives. Multi. Tagging, is, something near and dear to my heart for. For, the classification, of data is, something that I'm pairing with Mavi and Henrique, on trying, to make it we're not only one piece, of metadata, gets attached to your email but actually multiple, depending on what's inside instead, of saying that it's just PII, and I've got to encrypt it because P I sometimes, include some security number what about when PII doesn't, in, most countries around the world it means name plus something else what if its name in address I don't, want that encrypted, I don't need to I'm not trying to protect something, they.
Can Do a company harm but, if its name and social security number now I want to so. The scenarios we've come up with that maybe in a future product, maybe hopefully, talk, about it here is. That if we could have something, labeled as social security number if we can have a second. Label it says PII third, one that says because of a social security number and a label it, to a label of highly sensitive or whatever your highest classification is, a third one it'd be great to have multiple labels activated. At once note, taken, thank you. Finally justification. Some. Of the features that you've got available in AIP, some, of the options you can put in front of your users whether. It's up classifying, whether is down classifying, making. Some of those selections there are some justifications. Available we're looking for a little bit more and so that's again, a partnership, with Microsoft and they have been an awesome, partner, it's. Not often you find someone who's willing to listen to, the needs of their customers in such a way and then, you know channels back could you use this could use this that, might work this one it's. Great. To have a dialogue open so if you've got Microsoft, representatives. Or online chats by all means use them there they're great resources i appreciate, them and. So. To wrap, up. It's. Not easy for an organization, our size to make selections there is nothing that fits our organization, one size doesn't fit all especially, when you're the largest people. Come in and they help us to deploy products, and we, know that were going to be challenges, they're gonna be problems and so, we work with our partners very, closely they work with us they listen and we make each other better and I can certainly appreciate what, Microsoft. Has done for us and hopefully, not, only can they do something for you but. Reach, out to me if you've got questions beyond. Obviously, what's on the presentation, I'd love to take the conversation offline try to help you all make better decisions, for your environment thank. You. Well. As. Ellen has written like, if organizations. Size, as Walmart can actually implement a, peep, obviously. So can you but, to wrap up we, always suggest start, simple. Start. You know with the simple, use cases don't. Overdo it and deploying. Ap is a journey you, need to have everyone engaged especially the stakeholders, and your end users if the end users will not be engaged that process, you, will end up with a broken, deployment. So, you need everyone, on track you, need to educate them, you need to have them understand. What they're doing and not just tell them you're doing that because we, said so no, one likes it and, once. You go over the label taxonomies we always suggest either use out of the box Microsoft, labeled externally because we spent so much time doing, all. The thoughts and consideration, that, everything will be logical, to end-users don't. Just use we. Used to. Back. In the days in Microsoft we had hbil, bi and MB I raise, your hands if you know what that means. Only. Microsoft, people would understand like seriously. So, L bi h. Bi nm bi is low, high and medium business, impact, never. Used that as a label texting, with Microsoft, twenty five twenty one years got trained on that every, year and still I couldn't tell you what hbil, bi OMB is just don't. Go with whatever is there already just, try to make sense of it to make sure it makes sense to your users yeah, so. What. My team basically does is, we're helping our customers deploy, aap, worldwide. We have a team that is spread. Worldwide, and. We help our customers deploy aap we do best. Practices we help them translate, their business use cases into, actual aap policy, and we're, actually the bridge between the end customer and our engineering team, we, help prioritizing, bug feature. Requests do, you have any future requests I didn't say. Everything. Is perfect yeah everything is perfect done we're. Done so. We help them we help also documentation but I do recommend also using our amazing, resources, so, we have our documentation. We, have our younger we, have our. BOTS. If you. Take. A look at our new BOTS we, have our user voice to, help you just you, know suggest. Any features that you want to see and then my team is actually monitoring that and helps with their, prioritization and business justification. Related. Sessions if you want to take a picture of that these are all the related sessions that, has Microsoft. Information protection really especially, to the IP. I, think, we highlighted the scanner and the meep SDK sessions that are happening today there, is also a lab, that is happening today at 11:00 I strongly. Suggest to. Attend that one as well it's, a hands-on lab we're. There to help you actually configure, policies see how it looks.
Okay. And, as. I said there is a Microsoft, security, challenge, do. It in an expo if you want to win. Only. Number five exists. And. Right. Now we can take questions so, any anyone, has any questions feel, free to either ask me, and Rico are obviously, Ellen I'm sure you have a lot of questions to Alan we finished like 20 minutes before the. End time this is the first time it happens to me and I get. Normally. Is 20 minutes over so we have plenty of questions we have plenty. Of time to handle your questions, so we can show you a lot more with the IEP if. You have questions please approach the microphone or, yell from your, position. And we'll repeat, the question. Every. Question is the Microsoft own perfect we. Are introducing. IEP, in our infrastructure, and we. Have it running but we are really hard struggling, with, two-factor, authentication. Have. To be able to solve this. Well, until now there's a nice dialogue asking. You for a second factor in. You if you press cancel we'll. Just open the document. So. The question. Is about the integration, of second multi-factor authentication with, AIP. There. Are two sides, to that one of them is for, the intra, business. Access. To data we. Have a feature in preview, which, is a partial, implementation of, the videos not a full preview which. Allows you to say any. Content. That is classified that, requires protection, will require multi-factor authentication or will require a conditional, access policy which might, involve, multi-factor, authentication you can say for example you need to be in a managed device or have multi-factor authentication or things like that that, works well but. It's. Only for. All. Content, that is protected, you cannot say top-secret. Content, requires MFA and confidential, doesn't that kind of thing also, we only check when, your. Client. Certificate expires so we only check that once every 30 days so. That's why the feature is in preview because it's not very flexible, there, are some challenges that run implemented a more granular, solution. Basically, the. Authentication, model that we use in AP is not very well aligned with requiring, authentication, in every call we. Are fixing that we're, working. To. Allow, for. You to establish policies, that say top secret requires multi-factor authentication. Confidential. Doesn't and to, require, it every time you open one of these documents if. The policy says that you need. So. That's in the works, I think. It's early next year because there are some significant changes needed to authentication, stack in order to enable that scenario, for. Now if your requirement is very absolute, and you say well I need multiple, authentication for, sensitive, content you, can implement that today with the preview but, it's going to become much more flexible as we implement these new features the, other common request is around, business.
To Consumer if, somebody. If. I'm sending an email to a user, with a Comcast. Email address I'm gonna use a one-time. Passcode for accessing, the, data. I want to be clear that that's not multi-factor, authentication, some. People see that this is a one-time pass code that looks like multi-factor authentication but it's not is that's, the authentication, is the single factor authentication is that one-time passcode. So. It's an email validation thing, that we do it's not MFA, we, are working, so. When we enable the multiple and education intra, business we can also enable it business-to-business. And, hopefully. Also business to consumer but. What, we have today with the email and the one-time passcode is not multi-factor authentication so. Let's. Not mix those two features, I'm not. Sure if I answer your question our answer, dude okay another. Point which might, be important, for multiple, companies if. You have sensitive data would, tend to store the key material, on premise and. It. Would be also great if this can be better integrated, because, also there we have this challenge, at. This. Multi-factor, authentication, is. Even, not working, much better there, yes. Today, we have an option for handling, on-premises, keys which is called hold, your own key it's, a solution we do not recommend in the general cases for niche scenarios, basically, the. Current implementation is. You. Have a DRMs on-premises you, use the cloud service and for, some labels, like the top-secret labels, that do you say you know this data needs to be protected with an on-premises key because of all these requirements you basically, tied those labels, to your on-premises. Deployment, it, has significant, limitations. Multi-factor. Authentication is, one of them we. Have some. Solutions for that so we, can discuss those but basically you can enable certificates, based authentication in, iis on-premises. And, require modification litigation but it's only for some platforms, so it's not a complete solution what, we have on premises, we're, currently brainstorming. On the future of the on-premises, component. We're. Not as you, probably notice during this conference we are not too excited, about on-premises, stuff what we prefer the cloud but. We realize. That for, some particular, for some scenarios, in some customers. On-premises. Still make sense we, want to enable a full hybrid solution. That gives you the best of both worlds, we're, working on that we don't our current timeline for, addressing, things like multi-factor authentication and, more flexible policies, in the on premises stuff but we're thinking about, it we are not forgetting a lot on premises. It's, just it's gonna take a little bit of time for us to. To. Complete the picture, but, for now we. Can work with you you can enable certificate. Based authentication at least for Windows devices and have a partial. Solution at least. Let's. Go to the sides and then we go back there sure. A, lot. Of folks in my industry we all use journaling. 2/3 probably archives. And. We're just experimenting, right now but I guess what we observe the behavior is that you get the message, journal decipi n't with two attachments. Encrypted. And unencrypted, I have. Been able to see that documented, anywhere so I just want to kind of ask if that's the behavior you're intending to do and that's where it's in me long term, so. You're talking about you're running off emails, and attachments yes. So, if you've, turned, on ome. And and it's, Journal to the third party what we've observed is that you have the two attachments, one. Is the encrypted form one is the unencrypted, form so is that I haven't. Seen documented, anywhere yeah. The it's. Not documented, for third parties but if you look at the exchange. Online, journaling. Functionality, there is a function that's called journal decryption. It's.
Described, For the internal journaling in exchange but the same API is actually here's, not so me summarize it when, a message goes to exchange the first thing exchange does is decrypted. And sent it to a special pipeline, in which things like indexing. Discovery. And, journaling. Happen the, message, that, the critic copy of the message is put, in that case in the journaling, pipeline, which then sends it to the journey mailbox, and, we. Also attach. An encrypted copy so. There is like a chain, of custody this is the own regionally untanned, tampered. Version so if somebody challenges it says oh no yeah that that's not my email because you touched it yeah. Here's the region I want do you want me to the credit now and then you have them so. That. Pipeline, is also connected to properly, design third, party journaling, solutions, they, connect to the same spot so the same behavior that you have in exchange, line journaling, you have it for many other journaling. And also he discovery solution start logging into the off 25, journaling. Or transport. Decryption pipeline is there any scenario where I could break. Third. Party journaling with one of these policies, where, something. Is only. Hold your own key if you are using hold your own key that by design, is opaque to anything, it's like only you can see it and talk, to the cloud great. Thank you. Can. You share with us some news, about some, PDF, clients. Yeah. We have great news today actually, I, think it's gonna be in this session this afternoon. Yeah. So adobe. Has. Been working with us to implement natively. AIP, in adobe. PDF so. We already had support in most other third-party, PDF, clients like roxy, Nitra, PDF, and, a few others but. The Diaby was the elephant, in the room they want people want to use in didn't, support AIP. Now. There. Are some, kind, of breaking changes there Adobe. Said, okay I'm doing AIP but I don't like your file format I'm gonna do, I'm, gonna modify the, standard iso, PDF, format, suza to support aap they created, this new variation of the format which is great because you want, it to be the standard and, they. Create this new format they support, it we just, shipped our client, that supports the same standard, now, there is some work ahead to put. That into the SDK actually that was done already but also to put that in SharePoint for example when a file is protected by SharePoint he needs to use that format on what they all wonder where you think it's gonna be a few months of transition, until Adobe, actually ships what they built and we. Also have that in SharePoint, and all the other products it's. Probably a few months of. Path. Until, we get there but at that point we're, gonna have the same file format with. Protection, and. In. All the known, important. Viewers, of PDF so we can say January, 2019. Provide, cannot, give a date for a third party but that's kind, of the rough time working Thanks. Here. I, saw. Demo of what's. Coming up with combining, our information. Protection with the functionality, of security and compliance Center but, they weren't able to tell, me when that's gonna be released for the GCC, any, inside Oh. GCC. Actually. Be, product. Is available in GCC. Today. I was. Released about a few, weeks ago. The. Integration. Of or, the unified, labeling experience, with the officers d5 and that, she'll. Not have a delay other than the deployment of the new version so as, soon as the. New version of Office, 85. In general is deployed with GCC, you. Should have that unified labeling as well there, is no particular challenge, in unified labeling that, will delay that we're talking about a few months until these GS because we do not deploy previous to GCC. So we're talking about maybe end of the year I recommend.
That. You check in the AAP. Booth in. The expo, as. She's Ram Dass owns that and he can give you details on the timeline implementation, of AIP, and, unified, labeling and all that in, GCC that. Is, his name and keep all the stuff. And. I'm sorry for not taking questions in order because we can't really see you, just. Going dark splotches there first, of all thank you for your excellent presentation and, it. Sounds like from what you've said so far today that this. Really is a a cloud centric, solution, and you. Really can't get value out of it unless you're already in. The Microsoft, cloud. But, you also talk about future, support for hybrid and maybe I'm Pam alternatives, but, do you have a time horizon for that is that like one year two year three years out what. Do you foresee for that okay. Let me clarify what, I said, today. We do have a hybrid solution it's. Not the. Nice one it's basically, the. Cloud service defines the policies, and, you can have a cloud key and an on-premises, key and, then. Your content can be protected, with one or the other depending on the level confidentiality. That enables, you to have your. Key on-premises it enables you to have your login on-premises, your authorization and octagons authentication parameters for that policy the policies are still defining the cloud so, the labels and all that are still defined in the cloud but it basically ties down to, that, on-premises. Agent and that. Means the needs of Mothe customers, there, are some seniors it doesn't cover for example a military. Organization that, has disconnected, bunkers, well. You, have to have a connection even proxy. Or at least you have to be able to take the files exporting from the cloud service and put them on premises we have seen that as well. But. There. Are some things we don't like about that solution, aside. For me being on premises but. For example, the. Mobile, device support has to sell a bit poorer than a cloud version it. Doesn't. Support. Multi-factor, authentication it. Doesn't support good. Business business collaboration though, we, are actually kind, of happy with that because the idea is that if you're going to be doing business or business collaboration you should be using cloud. We. Ar