
Secure your information, not your devices


Olav Tvedt

Twitter: @olavtwitt
Blog: https://olavtvedt.blogspot.com

BRK3143
Information protection

Access Share Store


When did YOU start to protect your information?
Historic protection
1500 BC
Not your devices???
Device management examples
• Active Directory
• Office 365
• Intune
• SCCM / Intune
• Jamf
• Android Enterprise
Intune supported OS!
Windows
• PCs running Windows 10 (Home, Pro, Education, and Enterprise versions)
• Windows 10 Mobile
• Devices running Windows 10 IoT Enterprise (x86, x64)
• Devices running Windows 10 IoT Mobile Enterprise
• Windows Holographic & Windows Holographic Enterprise
• Windows Phone 8.1, Windows 8.1 RT, and PCs running Windows 8.1 (Sustaining mode)
• Windows 7 and later PCs, except Windows 10 Home edition, can also be managed with the Intune software client.

Apple
• Apple iOS and iPadOS 9.0 and later
• Mac OS X 10.9 and later

Google
• Google Android 4.0 and later (including Samsung KNOX Standard 4.0 and higher)
• Google Android for Work

https://docs.microsoft.com/en-us/intune/fundamentals/supported-devices-browsers
Android 4.0 - Ice Cream Sandwich

https://en.wikipedia.org/wiki/Android_version_history
Lost devices vs lost data
Information Protection VS Device Management
Levels and layers
Layers and levels
First layer
Second layer
Transportation between second layers
Third layer

Caesar Cipher: Uszufq Daowe

https://en.wikipedia.org/wiki/History_of_cryptography
• Old School
• Modern
Transportation between second layers
Levels: Basic (Office 365), Extended (EMS E3), Advanced (EMS E5)

Layer: Information
• Basic: Controlled Access
• Extended: Manual Protection & labelling; Monitoring
• Advanced: Automatic Protection & labelling

Layer: Devices
• Basic: Enrolled; Basic MDM
• Extended: Encryption; Monitoring; MDM
• Advanced: Monitoring with automated responses

Layer: Identity
• Basic: Cloud presence; Passwords
• Extended: MFA; Conditional Access; Monitoring
• Advanced: Monitoring with automated responses; Automation
Microsoft 365 E3 / Microsoft 365 E5
Levels: Basic, Extended, Advanced

Layer: Information
• Basic: Controlled Access
• Extended: Manual Protection & labelling; Monitoring
• Advanced: Automatic Protection & labelling

Layer: Devices
• Basic: Enrolled; Basic MDM
• Extended: Encryption; Monitoring; MDM
• Advanced: Monitoring with automated responses

Layer: Identity
• Basic: Cloud presence; Passwords
• Extended: MFA; Conditional Access; Monitoring
• Advanced: Monitoring with automated responses; Automation
Information Protection
Information Protection

Cloud

Information
On-premises Random locations
Information Protection

Cloud

Information
On-premises Random locations

Device Protection Device Random Protection


The ultimate information protection is when the information protects itself
Classify
• Automatic classification
  • Policies can be set by IT admins for automatically applying classification and protection to data
• Recommended classification
  • Based on the content you’re working on, you can be prompted with suggested classification
• Manual reclassification
  • Users can override a classification and optionally be required to provide a justification
• User-driven classification
  • Users can choose to apply a sensitivity label to the email or file they are working on with a single click
Label
• Metadata written into document files
• Travels with the document as it moves
• Readable so that other systems such as DLP engines can understand and take action
• Used for the purpose of applying a protection action or data governance action, determined by policy
• Can be customized per the organization’s needs


Protect

• Encryption that cannot be removed by anyone other than those you specify
• Can follow information for its entire lifecycle
• Allows you to revoke access if wanted/needed


Be aware!

Current limitations for AIP-protected files stored in Office 365:

• No co-authoring, eDiscovery, search, Delve or other collaborative features
• DLP (data loss prevention) policies can only work with metadata, not content
Recommended and Automatic Protection
Be aware!
Information Protection (AIP)

E3 (P1)
• Classification and labelling
• Encryption and rights management
• Tracking and reporting

E5 (P2)
• Recommendations
• Automation
• AIP Scanner
Technical deep dive?

http://pewinther.blogspot.com

http://pewinther.blogspot.com/2019/04/how-microsoft-information-protection.html
Extending Information Protection
Dynamic
Security / Data Access
Protection On Device or Information Layer?

MDM/MAM
• Can require:
  • Encrypted storage
  • No sharing
  • Pin
  Etc.
• Trusts the supported Platforms/Apps

MIP
• Securing the information
  • Manual
  • Recommended
  • Automatic
• Metadata
• Tracking
• Platform agnostic
Find this session in Microsoft Tech Community: visit aka.ms/MicrosoftIgnite2019/BRK3143
• Download slides and resources
• Access session recordings in 48 hours
• Ask questions & continue the conversation
© Copyright Microsoft Corporation. All rights reserved.
