Many organizations have a requirement to protect what Microsoft refers to as “more opaque data”: data that no one outside the organization, the cloud provider included, should be able to read. One of the main reasons large regulated organizations opt not to use Microsoft Azure Information Protection (which is built on Azure RMS) is that the Microsoft-hosted Azure RMS service can use your tenant key, so Microsoft, or a government that compels Microsoft, could in principle gain access to all of your protected data. For these customers Microsoft offers what it calls “Hold Your Own Key” (HYOK) for Azure Information Protection (AIP).
So what is Azure Information Protection HYOK, and what are its limitations?
AIP HYOK lets organizations protect data while keeping the protection key entirely under their own control. With Microsoft’s BYOK (Bring Your Own Key) offering, the customer generates the tenant key but it is hosted in Azure Key Vault HSMs, where the Azure RMS service uses it. HYOK instead requires the customer to operate their own on-premises Active Directory, their own on-premises AD RMS server, and their own HSMs to hold the key, so the key never leaves the customer’s environment.
How does it work?
To make HYOK work, your organization deploys two separate RMS services that are presented to users through a single Azure Information Protection environment. At a high level, here is what you need to do:
- Deploy Azure Information Protection in your organization as usual. The Azure Information Protection services (Azure RMS) are Microsoft hosted.
- Azure RMS is where you define the protection policies for your less sensitive data.
- Deploy an on-premises AD RMS server.
- Deploy an on-premises HSM and generate the key for your AD RMS server inside this HSM, so the private key never exists outside it.
- AD RMS is where you define the protection policies for your most sensitive (opaque) data.
- Ensure that users apply templates defined on the AD RMS server when they protect your most sensitive data. Content protected with templates defined on the Azure RMS instance is encrypted under the Microsoft-hosted tenant key, so it is not opaque and is potentially exposed to Microsoft.
You can tell that Microsoft would prefer that customers not use HYOK and instead use the standard cloud-based Azure Information Protection, most likely because Microsoft wants to move all customers onto the Office 365 cloud. Microsoft points out several limitations of HYOK in its own blog (https://blogs.technet.microsoft.com/enterprisemobility/2016/08/10/azure-information-protection-with-hyok-hold-your-own-key/). Below I present each limitation as Microsoft describes it, followed by my own reality-check comments:
- “HYOK works solely with your AD and AD RMS instance. Because it’s targeted at ‘top-secret’ data, we urge you to keep AD RMS out of your DMZ. After all, your DMZ is our cloud… so for those collaboration use cases, just use Azure RMS. The moment you deviate from this, your assurances slide and we strongly urge you to fall back to Azure RMS so as to give your users all the benefits of Azure RMS.” Reality check – it’s not the fact that Azure RMS is in the cloud that worries most customers, it’s the fact that Microsoft is hosting the keys. So placing the AD RMS server in the DMZ might not be the end of the world: the key still stays in your HSM, and the externally published licensing endpoint is then hardened and monitored like any other internet-facing service.
- “You are now managing two or more separate instances of RMS protection: Azure RMS and AD RMS. We are providing the capability for you to present these as one thing to a user, but the IT infrastructures are isolated from each other. With all this power comes IT burden, more on-premises infrastructure, higher TCO, and so on.” Reality check – this is a valid limitation, as Microsoft points out. The HYOK model forces you to manage both on-premises and cloud RMS instances, each with its own templates, service accounts and monitoring. If this is a concern, there are other cloud-based or on-premises IRM solutions that are easier to manage than RMS.
- “While you can use the HYOK option for documents, it is not supported for emails.” Reality check – this is a major limitation of HYOK, as organizations often circulate their most sensitive data by email. Other IRM solutions that let you hold your own key do not have this limitation.
- “Office integration is limited to Office 2013 and 2016. Office 2010 will not be supported for HYOK.” Reality check – probably not a big deal for most customers, as most already have 2013 or 2016 or will be moving to them soon.
How to Purchase a valid license for Microsoft HYOK
The Microsoft HYOK capability requires an Azure Information Protection Premium P2 license. For more information on the different RMS licenses and how to obtain them, please see this blog
How to Configure HYOK
To keep HYOK-protected data segregated, Microsoft has introduced a bit of ‘copy and paste’ into the administration model. Here are the main steps:
- Deploy AD RMS as usual, or use the AD RMS instance you already have in use.
- Associate an AD RMS protection template with an Azure Information Protection classification label by copying the AD RMS template GUID and the cluster licensing URL into the Azure Information Protection admin portal.
To do this, first fetch the AD RMS template GUID and licensing URL from the AD RMS admin console, as circled in the three images below. These images show AD RMS on Windows Server 2012 R2, but the experience in previous AD RMS versions is very similar.
Next, in the Azure Information Protection admin portal, associate the AD RMS template with a label by pasting in the values you just copied. Double-check that the licensing URL is your on-premises cluster’s URL and not an Azure RMS URL: this label mapping is the only thing that decides which key protects the content, and a label that points at Azure RMS silently puts the data back under the Microsoft-hosted key. Now you’re done!
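As an added example (not code from the original post, and not Microsoft’s own tooling), here is a small Python pre-flight check for the label-to-template mapping described in the deployment overview and in the configuration steps above: it verifies that what you are about to paste into the Azure Information Protection portal is a real GUID from your on-premises AD RMS template list and that the licensing URL belongs to your own cluster rather than to Azure RMS. The cluster name rms.corp.example.com, the template GUIDs and names, and the function name validate_hyok_mapping are all constructed for the example; the only real facts it relies on are that an AD RMS licensing URL ends in /_wmcs/licensing and that Azure RMS licensing endpoints are hosted under aadrm.com.

```python
import re
from urllib.parse import urlparse

# Shape of a template ID as shown in the AD RMS console (with or without braces).
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)

# Hostname suffix used by the Microsoft-hosted Azure RMS licensing service.
# A label whose licensing URL lands here is NOT HYOK: the Microsoft-hosted key is used.
AZURE_RMS_SUFFIXES = (".aadrm.com",)

# Constructed sample: templates as exported from the on-premises AD RMS cluster.
# GUIDs and names are made up for this example.
ON_PREM_TEMPLATES = {
    "d5ad6e47-5c30-4c6e-b3a5-7c8f1a2b3c4d": "Top Secret - Board Only",
    "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0": "Top Secret - M&A",
}

# Constructed sample: the on-premises cluster's licensing URL (hostname is hypothetical).
ON_PREM_LICENSING_URL = "https://rms.corp.example.com/_wmcs/licensing"


def validate_hyok_mapping(template_id, licensing_url,
                          known_templates=ON_PREM_TEMPLATES,
                          cluster_url=ON_PREM_LICENSING_URL):
    """Return a list of problems with a (template GUID, licensing URL) pair.

    An empty list means the label would route protection to the on-premises
    AD RMS cluster, using a template that actually exists there.
    """
    problems = []

    # --- template GUID: must be well-formed and must exist on the on-prem cluster ---
    tid = template_id.strip().strip("{}")
    if not GUID_RE.match(tid):
        problems.append("template id is not a GUID")
    elif tid.lower() not in {k.lower() for k in known_templates}:
        problems.append("template id not found in the on-premises AD RMS template list")

    # --- licensing URL: https, our own cluster, the AD RMS licensing path ---
    u = urlparse(licensing_url.strip())
    if u.scheme != "https":
        problems.append("licensing URL must use https")
    host = (u.hostname or "").lower()
    expected_host = (urlparse(cluster_url).hostname or "").lower()
    if not host:
        problems.append("licensing URL has no host")
    elif host.endswith(AZURE_RMS_SUFFIXES):
        problems.append("licensing URL points at Azure RMS (Microsoft-hosted key), not HYOK")
    if host and host != expected_host:
        problems.append(f"licensing URL host {host!r} is not the on-premises cluster {expected_host!r}")
    if u.path.rstrip("/").lower() != "/_wmcs/licensing":
        problems.append("licensing URL path should end in /_wmcs/licensing")

    return problems


if __name__ == "__main__":
    # Constructed candidates: a correct mapping and one that was pasted from the wrong place.
    candidates = [
        ("{D5AD6E47-5C30-4C6E-B3A5-7C8F1A2B3C4D}", ON_PREM_LICENSING_URL),
        ("d5ad6e47-5c30-4c6e-b3a5-7c8f1a2b3c4d",
         "https://11111111-2222-3333-4444-555555555555.rms.na.aadrm.com/_wmcs/licensing"),
    ]
    for tid, url in candidates:
        problems = validate_hyok_mapping(tid, url)
        print(f"{tid} -> {url}")
        print("  OK" if not problems else "  " + "; ".join(problems))
```

Run it before pasting into the portal; the second candidate shows the failure mode the deployment overview warns about, where a label that looks like a HYOK label actually protects content under the Microsoft-hosted key.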