Learn About Azure Information Protection and HYOK (Hold Your Own Key)

Many organizations have a requirement to protect what Microsoft refers to as “more opaque data”. The requirement is to ensure that no one else has access to this “more opaque data”. One of the main reasons large regulated organizations opt not to use Microsoft Azure Information Protection (also called Azure RMS) is that Microsoft ultimately has access to your keys, and if Microsoft wanted to, or the US government really wanted to, they might be able to gain access to all your data. Thus Microsoft offers what it calls “Hold Your Own Key” or HYOK with Azure Information Protection (AIP).

So what is Azure Information Protection HYOK, and what are its limitations?

AIP HYOK enables organizations to protect data while holding their own key. Whereas Microsoft’s BYOK – Bring Your Own Key – offering hosts the RMS key in Azure Key Vault HSMs, HYOK requires customers to operate their own on-premises Active Directory, their own on-premises AD RMS server, and their own HSMs for key retention.

How does it work?

To make HYOK work, your organization deploys multiple RMS services within a single Azure Information Protection environment. At a high level, here is what you would need to do:

  1. You deploy Azure Information Protection in your organization as per usual. The Azure Information Protection services (Azure RMS) are Microsoft hosted.
  2. Azure RMS is where you define your Azure RMS protection policies for less sensitive data.
  3. You deploy an on-premises AD RMS server.
  4. Deploy an on-premises HSM and generate the key for your AD RMS server within this HSM.
  5. AD RMS is where you define your AD RMS protection policies for your most sensitive opaque data.
  6. Ensure your users use templates defined on the AD RMS server when they want to protect your most sensitive data. If your users protect data with security templates defined on the Azure RMS instance, your data will not be opaque and will be potentially exposed to Microsoft.

You can tell that Microsoft would prefer their customers not use HYOK, and rather use the standard cloud-based Azure Information Protection. This is likely because Microsoft is trying to push all customers to the Office 365 cloud. Microsoft points out several limitations of HYOK in their own blog (https://blogs.technet.microsoft.com/enterprisemobility/2016/08/10/azure-information-protection-with-hyok-hold-your-own-key/). Below I’ve presented how Microsoft describes each limitation, followed by my own reality check comments:

  1. HYOK works solely with your AD and AD RMS instance. Because it’s targeted at ‘top-secret’ data, we urge you to keep AD RMS out of your DMZ. After all, your DMZ is our cloud… so for those collaboration use cases, just use Azure RMS. The moment you deviate from this, your assurances slide and we strongly urge you to fall back to Azure RMS so as to give your users all the benefits of Azure RMS. Reality check – it’s not the fact that Azure RMS is in the cloud that worries most customers, it’s the fact that Microsoft is hosting the keys.  So placing the AD RMS server out in the DMZ might not be the end of the world.
  2. You are now managing two or more separate instances of RMS protection: Azure RMS and AD RMS. We are providing the capability for you to present these as one thing to a user, but the IT infrastructure is isolated from each other. With all this power comes IT burden, more on-premises infrastructure, higher TCO, and so on. Reality check – this is a valid limitation as pointed out by Microsoft.  Their HYOK model forces you to manage several on premise and in the cloud versions of RMS.  If this is a concern there are other cloud based or on premise IRM solutions that will be easier to manage than RMS.
  3. While you can use HYOK option for documents, it is not supported for emails. Reality check – This is a major limitation of HYOK, as organizations often circulate their most sensitive data via email.  Other IRM solutions that allow you to hold your own key do not have this limitation.
  4. Office integration is limited to Office 2013 and 2016. Office 2010 will not be supported for HYOK. Reality check – Probably not a big deal for most customers as most have 2013 or 2016 or will be moving soon.

How to Purchase a valid license for Microsoft HYOK

The Microsoft HYOK capability will require an Azure Information Protection Premium P2 license.  For more information on different RMS licenses and how to obtain them please see this blog

How to Configure HYOK

In order to ensure the segregation of data protected by HYOK, Microsoft has introduced a bit of ‘copy and paste’ in the administration model. Here are the main steps:

  • Deploy AD RMS per usual or use the AD RMS instances you already have in use.
  • Associate an AD RMS protection policy with an Azure Information Protection classification label by copying the AD RMS template GUID and cluster licensing URL into our Azure Information Protection admin portal.

To do this, first fetch the AD RMS template GUID and licensing URL, from the AD RMS admin console as circled in the below three images. These images show AD RMS on Windows Server 2012 R2, but the experience of previous AD RMS versions is very similar.

Next, in the Azure Information Protection admin portal, associate an AD RMS template with a label by pasting in the data you just copied. Now you’re done!

File Encryption Comparison – How OneDrive, Box and Dropbox Encrypt Files and Protect Your Privacy

Many organizations are moving their file storage to the cloud.  The convenience of being able to access files from anywhere, and the cost benefits of the cloud are accelerating this migration. Most organizations have chosen one of the big three – Box, Dropbox, or Microsoft OneDrive. There are many factors to consider when making the decision on which vendor to use, including price, compatibility with other systems, functionality etc.  But one factor that always needs to be examined is security.

One of the most important security features for cloud storage is encryption. File encryption is a service offered by cloud storage providers whereby your data, or text, is transformed using encryption algorithms and is then placed on a storage cloud. Below, I’ve summarized how Box, Dropbox and OneDrive encrypt your files, and how the encryption keys are managed.


Box

Box encrypts your files at rest using 256-bit AES encryption, and the files are further protected by a key-wrapping strategy that also uses 256-bit AES encryption. As a separate feature for enterprise clients, Box also allows customers to manage their own encryption keys using Box KeySafe. Using KeySafe means Box can never see or access your encryption keys, something that is very important considering that cloud storage providers could be compelled to turn over your data to governments due to legislation such as the US Patriot Act. KeySafe also stores all key usage in an unchangeable audit log.


Dropbox

Dropbox encryption uses 256-bit AES encryption to protect files at rest. The Dropbox encryption service handles all processing for all Dropbox applications. The service splits each file into blocks, and each block is encrypted using AES encryption. Dropbox doesn’t allow customers to manage their own encryption keys. Dropbox publishes a transparency report to share how often they receive government data requests, as well as their government data request principles which guide their responses to those requests. Dropbox says their principles include being transparent, and fighting overly broad requests.

Microsoft OneDrive

OneDrive encryption for data at rest includes two components – BitLocker disk-level encryption and per-file encryption. BitLocker is currently deployed for OneDrive for Business and SharePoint Online. Per-file encryption is also currently being rolled out in OneDrive for Business and SharePoint Online in Office 365 multitenant.  While BitLocker encrypts all data on a disk, per-file encryption uses a unique encryption key for each file. Before they’re stored, the keys to the encrypted content are themselves encrypted and stored in a physically separate location from the content.  OneDrive encryption uses Advanced Encryption Standard (AES) with 256-bit keys and is Federal Information Processing Standard (FIPS) 140-2 compliant. The encrypted content is distributed across a number of containers throughout the datacenter, and each container has unique credentials.

In September 2016 Microsoft announced the upcoming availability of customer-controlled encryption keys, sometimes referred to as “bring your own key.” It appears Microsoft is aiming to make this available in the fourth quarter of 2017. Microsoft says “Customer-controlled encryption keys provide an additional layer of security and privacy. You will be able to use customer-managed “master keys” to encrypt/decrypt the individual encryption keys used to encrypt each file. You will also be able to decide to change or revoke access to these keys to guarantee that Microsoft has no way to access encrypted files.”
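The per-file key wrapping described above (a unique key per file, with those keys themselves encrypted under a “master key” that can be held by the customer) is easier to reason about in working code. The following is an added example written for this post, not code from Microsoft, Box or Dropbox. It assumes a simplified model: a single 256-bit master key held by the customer, AES-256-GCM for both the file and the key wrap, and a StoredFile record standing in for whatever the provider keeps. The names StoredFile, NewMasterKey, Seal and Open are this example’s own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredFile is everything the storage provider keeps for one file: the file
// ciphertext plus the per-file key encrypted ("wrapped") under a master key
// the provider never receives. The GCM nonces are stored alongside.
type StoredFile struct {
	Ciphertext []byte
	FileNonce  []byte
	WrappedKey []byte
	WrapNonce  []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// randomBytes returns n bytes from the OS CSPRNG (used for keys and nonces).
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// NewMasterKey makes a 256-bit AES key. In the customer-managed model this is
// the key that stays with the customer (e.g. in an on-premises HSM).
func NewMasterKey() ([]byte, error) { return randomBytes(32) }

// Seal encrypts plaintext under a fresh per-file key (AES-256-GCM), then wraps
// that per-file key under the master key. Only the wrapped key is stored.
func Seal(masterKey, plaintext []byte) (StoredFile, error) {
	fileKey, err := randomBytes(32)
	if err != nil {
		return StoredFile{}, err
	}
	fileAEAD, err := newGCM(fileKey)
	if err != nil {
		return StoredFile{}, err
	}
	fileNonce, err := randomBytes(fileAEAD.NonceSize())
	if err != nil {
		return StoredFile{}, err
	}
	masterAEAD, err := newGCM(masterKey)
	if err != nil {
		return StoredFile{}, err
	}
	wrapNonce, err := randomBytes(masterAEAD.NonceSize())
	if err != nil {
		return StoredFile{}, err
	}
	return StoredFile{
		Ciphertext: fileAEAD.Seal(nil, fileNonce, plaintext, nil),
		FileNonce:  fileNonce,
		WrappedKey: masterAEAD.Seal(nil, wrapNonce, fileKey, nil),
		WrapNonce:  wrapNonce,
	}, nil
}

// Open reverses Seal. A party holding only the StoredFile cannot unwrap the
// per-file key without the master key, so the content stays opaque to it.
func Open(masterKey []byte, f StoredFile) ([]byte, error) {
	masterAEAD, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	fileKey, err := masterAEAD.Open(nil, f.WrapNonce, f.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap per-file key: wrong master key or tampered record")
	}
	fileAEAD, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	pt, err := fileAEAD.Open(nil, f.FileNonce, f.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("file ciphertext failed authentication")
	}
	return pt, nil
}

func main() {
	master, _ := NewMasterKey()
	doc := []byte("constructed sample: Q3 forecast, board eyes only")
	stored, _ := Seal(master, doc)
	back, err := Open(master, stored)
	fmt.Println("round trip ok:", err == nil && string(back) == string(doc))
	// Withholding (or destroying) the master key is how access is revoked: the
	// provider's copy of the wrapped key is useless on its own.
	other, _ := NewMasterKey()
	_, err = Open(other, stored)
	fmt.Println("open without the master key:", err)
}
```

The point to take from Open is that the provider’s copy of the record is only ciphertext plus a wrapped key; unless the master key is handed over, neither the provider nor anyone who obtains the record from it can recover the content, which is what the quoted promise to “revoke access to these keys” relies on. In a real deployment the master key would live in an HSM or key-management service rather than in process memory, and the nonce per file must never repeat under the same key.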

Why Cloud Storage File Encryption is Sometimes Not Enough

The most stubborn security issues are often caused by user behavior. Dropbox, Box and OneDrive all automatically decrypt your files when you view or download a file, so a user can easily distribute the file with no encryption protection. As a result, your sensitive files could still end up in email, on a desktop or in other clouds where they are not protected.

In addition a recently-discovered security exploit called the man-in-the-cloud attack may allow hackers to bypass both Google Drive encryption and Dropbox Encryption. A skilled hacker could steal the user’s synchronization token — a code that identifies the user to the cloud service. The hacker would then be able to access the user’s account directly without even knowing their login credentials. They could then steal, delete or vandalize anything on the account.

How can you mitigate this risk?  Applying a second level of encryption can solve these problems.  Using a client side Information Rights Management (IRM) solution would be one possible solution.  IRM can ensure that your information will always be protected.  IRM solutions apply persistent encryption to files no matter where they are distributed or stored.  In addition some IRM solutions allow you to manage your own keys to ensure the privacy of your information.

Whether you settle for the standard file encryption offered by Box, Dropbox and OneDrive, or opt to add additional encryption may depend on the sensitivity of the information you are storing in the cloud.

Deciphering the Real Price for Microsoft Azure RMS and Azure Information Protection

We have some customers that are evaluating IRM solutions, and Microsoft’s Azure RMS is one of the products being evaluated. Microsoft sometimes also refers to this product as Azure Information Protection. One of these customers was discussing the price of Azure RMS. It’s a bit hard to decipher Microsoft’s pricing because of all the pieces that are required to make AIP work and because of the myriad of available Office 365 subscriptions. Acquiring Azure RMS involves three steps:

  1. Get all your users licensed for Office Professional Plus
  2. Get an Office 365 subscription that includes the Azure RMS feature
  3. Buy the additional Azure RMS functionality via individual RMS plans

It’s possible that step 1 and step 2 can be achieved together by buying the right Office 365 subscription.  More on that below.

The first thing you need to know is that obtaining Azure RMS functionality is more complicated than just obtaining an RMS license. You need to be licensed for Microsoft Office Professional Plus or ProPlus in order to get full use of Azure RMS. If you already have this in your organization you are off to a good start. If you have a lower edition of Office, you might be looking at a significant cost to upgrade all your users to Office Professional Plus. The cost depends on what version of Office you currently have, the size of your organization and what plan you purchase. Here is the information on the Office requirement from the Microsoft web site:

Azure RMS is tightly integrated into the Word, Excel, PowerPoint, and Outlook apps, where this functionality is often referred to as Information Rights Management (IRM). The following Office client editions support protecting files and emails by using Azure RMS:

  • Office 365 ProPlus: Office 2016 and Office 2013
  • Office Professional Plus 2016
  • Office Professional Plus 2013
  • Office Professional Plus 2010

All editions of Office (with the exception of Office 2007) support consuming protected content.

The second stage, once you have licensed the Office Professional Plus suite for all your users, is to ensure your Office 365 subscription includes Azure RMS functionality. Only Office 365 Enterprise E3 and E5 include Azure RMS, as shown in the table below, taken from the Microsoft web site. E3 and E5 also include Office Professional Plus, so by signing up to one of these subscriptions you have accomplished step 1 and step 2. These are the higher levels of Microsoft Office 365 subscriptions. Office 365 E3 pricing is $20 per user per month ($240 per user per year) and E5 is $35 per user per month ($420 per user per year).


| Service | Office 365 Business Essentials | Office 365 Business | Office 365 Business Premium | Office 365 Enterprise E1 | Office 365 Enterprise E3 | Office 365 Enterprise E5 |
|---|---|---|---|---|---|---|
| Azure Rights Management (RMS) | No | No | No | No | Yes | Yes |


Instead of getting Azure RMS as part of your Office 365 subscription, you can opt to get Azure RMS as part of the Enterprise Mobility + Security Suite.  This suite includes things like Azure Active Directory Premium, Microsoft Intune (the Microsoft mobility management product) and Microsoft Advanced Threat detection.  The basic EMS E3 suite is priced at $8.75 per user per month ($105 per user per year).  The more advanced EMS E5 suite will cost even more.  If your company is not interested in Intune or Advanced Threat Detection, EMS is probably not a good way to license Azure RMS as the cost is high for the value you will get.

The third step in getting fully licensed for Azure RMS is to get the additional functionality not included in Office 365 subscription (even the E3 or E5 subscriptions). If you license Azure RMS via an Office 365 subscription or via EMS you will get basic Azure RMS protection functionality, but you will not get all the Azure RMS features like Document Tracking or Hold Your Own Key.  The following table illustrates the functionality you would get in your Office 365 E3 or E5 subscription and what you will need to pay extra for:


| Feature | Rights Management Service for Office 365 | Azure Information Protection Premium P1 | Azure Information Protection Premium P2 |
|---|---|---|---|
| Hold Your Own Key (HYOK) that spans Azure RMS and Active Directory RMS for highly regulated scenarios | NO | NO | YES |
| Protection for Microsoft Exchange, Microsoft SharePoint, and Microsoft OneDrive for Business content | YES | YES | YES |
| Bring Your Own Key (BYOK) for customer-managed key provisioning life cycle | YES | YES | YES |
| RMS software developer kit for all platforms: Windows, Windows Mobile, iOS, Mac OSX, and Android | YES | YES | YES |
| RMS connector with on-premises Windows Server file shares by using the File Classification Infrastructure (FCI) connector | NO | YES | YES |
| Document tracking and revocation | NO | YES | YES |
| RMS content creation by using work or school accounts | YES | YES | YES |
| Manual document classification and consumption of classified documents | NO | YES | YES |
| Automated data classification and administrative support for automated rule sets | NO | NO | YES |


The Azure Information Protection Premium P1 subscription will run you an additional $2 per user per month ($24 per user per year), and the Azure Information Protection Premium P2 will run you an additional $5 per user per month ($60 per user per year).

Let’s look at the costs for a 10,000 user organization. This organization will license Office Professional Plus and the basic Azure RMS functionality via the Office 365 E3 subscription.

  • Office 365 E3 subscription – $8.75 per user per month
  • Azure Information Protection Premium P2 subscription – $5 per user per month

The total cost at $13.75 per user per month is $1,650,000 per year for 10,000 employees.  It’s coming up to Microsoft’s June year end, so maybe your Microsoft rep will throw in some extra discounts to make the upgrade easier 🙂

Have a Compliance Requirement for Email Encryption? TLS vs S/MIME vs Secure Pull vs IRM

A growing number of organizations are subject to compliance requirements like HIPAA and GDPR that require their data to be encrypted. Email is usually the first application affected. There are a number of different email security solutions available today and customers sometimes don’t understand the strengths and weaknesses of each of the solutions.  Below I have provided a quick summary of the major email encryption options as well as their strengths and weaknesses:


TLS

This is the simplest of all the email encryption solutions. TLS protects the email as it is transmitted between two email servers. This protection is at the transport level, not at the message level (the communication channel is encrypted, not any particular message). It is very simple to set up. In email systems such as Microsoft Exchange, the setup is generally as easy as checking the TLS encryption checkbox on the sending and receiving Exchange connectors. Within an organization this is very easy to enable. In a B2B scenario, the two organizations must cooperate to exchange TLS trust.

As can be seen in this diagram the message is encrypted and protected while in transit, but once the message arrives at the local email system it is not encrypted.  So the information is subject to exposure and leakage within the organization.  As well, when email is sent between two organizations that have not enabled a TLS trust, the content will not be protected and encrypted. So in summary TLS is very simple, but generally does not provide the level of security that most organizations would be looking for.
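One practical way to see the hop-by-hop nature of TLS protection is to read the Received: headers a delivered message carries, since each receiving server records whether the handoff to it used TLS (mail servers such as Postfix and Exchange note this as ESMTPS or with a version=TLS… annotation). The following Go program is an added example for this post, not any vendor’s tool; the two-hop header trace it parses is constructed, and the names Hop, ParseReceived and UnprotectedHops are this example’s own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hop is one "Received:" header reduced to what matters for the TLS question:
// which server handed the message to which, and whether that handoff was
// protected by TLS (STARTTLS shows up as "ESMTPS" or a "version=TLS..." note).
type Hop struct {
	From string
	By   string
	TLS  bool
}

// SampleHeaders is a constructed two-hop trace (not a real message). Servers
// prepend Received: headers, so the newest hop is listed first.
const SampleHeaders = `Received: from mail.partner.example (mail.partner.example [203.0.113.10])
	by mx.corp.example with ESMTPS id ABC123
	(version=TLS1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384)
Received: from workstation.partner.example (workstation.partner.example [198.51.100.7])
	by mail.partner.example with ESMTP id XYZ789
`

var (
	fromRe = regexp.MustCompile(`\bfrom\s+(\S+)`)
	byRe   = regexp.MustCompile(`\bby\s+(\S+)`)
)

// unfold joins RFC 5322 continuation lines (those starting with whitespace)
// back onto the header line they belong to.
func unfold(raw string) []string {
	var out []string
	for _, line := range strings.Split(raw, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		if (line[0] == ' ' || line[0] == '\t') && len(out) > 0 {
			out[len(out)-1] += " " + strings.TrimSpace(line)
			continue
		}
		out = append(out, line)
	}
	return out
}

// ParseReceived returns the hops in delivery order (oldest first).
func ParseReceived(raw string) []Hop {
	var hops []Hop
	for _, h := range unfold(raw) {
		if !strings.HasPrefix(h, "Received:") {
			continue
		}
		hop := Hop{TLS: strings.Contains(h, "ESMTPS") || strings.Contains(h, "version=TLS")}
		if m := fromRe.FindStringSubmatch(h); m != nil {
			hop.From = m[1]
		}
		if m := byRe.FindStringSubmatch(h); m != nil {
			hop.By = m[1]
		}
		hops = append(hops, hop)
	}
	// Reverse so the first element is the hop nearest the sender.
	for i, j := 0, len(hops)-1; i < j; i, j = i+1, j-1 {
		hops[i], hops[j] = hops[j], hops[i]
	}
	return hops
}

// UnprotectedHops lists the handoffs where the message crossed the wire in clear.
func UnprotectedHops(hops []Hop) []Hop {
	var bad []Hop
	for _, h := range hops {
		if !h.TLS {
			bad = append(bad, h)
		}
	}
	return bad
}

func main() {
	hops := ParseReceived(SampleHeaders)
	for _, h := range hops {
		fmt.Printf("%-32s -> %-24s TLS=%v\n", h.From, h.By, h.TLS)
	}
	fmt.Println("hops in clear:", len(UnprotectedHops(hops)))
}
```

Only the Received: lines written by servers you operate are trustworthy; any earlier hop can write whatever it likes. Run over your own inbound mail, though, this gives a quick audit of which partner domains actually deliver over TLS and which do not, which is exactly the gap the paragraph above describes: the hop inside the partner’s network in the sample carried the message in clear.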


S/MIME

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data. S/MIME is an IETF standard defined in a number of documents. S/MIME provides both data security via encryption and non-repudiation of origin using digital signatures. Before S/MIME can be used in an email client, all users must obtain and install an individual key/certificate, either from an in-house certificate authority (CA) or from a public CA. S/MIME provides protection at the message level, so it is much more secure than TLS. As can be seen in the diagram below, the message is encrypted on the sender’s desktop and decrypted on the recipient’s desktop.

S/MIME protects the message while it is in transit, while it is stored on the email server and within the user’s email application (such as Microsoft Outlook). So between the sender and recipient the message is very secure. But once the message is decrypted the protection does not persist. S/MIME does not include any concept of email permissions, so once the recipient has decrypted a message they can do anything they want with it, including printing it and forwarding it to others (without encryption).

The major disadvantage of S/MIME is that it is very difficult to set up. Within an organization it requires the installation of a Certificate Authority, and everyone must have a certificate from the CA or S/MIME will not work. Because B2B or B2C scenarios would require authenticating and enrolling outside users in an organization’s CA, S/MIME is generally not useful in these scenarios.

Secure Pull or Secure Email Gateway

There are a number of solutions out there referred to as secure pull or secure email gateway that provide secure email functionality.  This solution is generally used where secure information needs to be shared with people outside the organization that do not have any encryption solution installed.  This works well in B2B or B2C scenarios.  The concept is that the email is sent to a secure central storage location.  Recipients then read their secure email via a secure browser session which displays the message.  The message is never transmitted to the recipient, rather the recipient views the message which is stored in a remote location.  The message stored in the secure central storage may or may not be encrypted.

The disadvantage of this solution is that the user never has possession of the email, and the user is forced to repeatedly sign in to a remote location to view their secure email. So users end up using their native mail client (like Outlook) to view normal messages, and then have to sign into another system to view their secure email. This may be acceptable for the occasional email, but is not a good solution if you are planning to encrypt a lot of email.

Information Rights Management (IRM)

Information Rights Management is a newer form of encryption that is based on the concepts of digital rights management. For more detail, see our blog, What is Information Rights Management?  IRM enforces the persistent protection of information.  Even though a user may have rights to open and view IRM protected email, they generally will not be able to forward the email in an unprotected format. IRM takes S/MIME a step further in that it allows for permissions to be assigned to protected content.  So the owner of the content can specify if the recipient can Forward, Reply, Print & Copy the content of the email.

IRM suffers from some of the same disadvantages as S/MIME in that it can be complicated to install and administer.  With new methods of authentication, many IRM systems are better at B2B and B2C scenarios than S/MIME.  One of the big advantages of IRM is that it works well in the new cloud and mobile world, as you can be assured that your content is persistently protected even though it is outside the bounds of your firewall.

How to Select and Evaluate Information Rights Management Solutions

With the widespread adoption of mobile, cloud and collaboration platforms, as well as the proliferation of data-sharing practices, many organizations are taking a closer look at Information Rights Management (IRM) solutions. These solutions are sometimes also referred to as Enterprise Digital Rights Management (EDRM) solutions. When doing an evaluation of IRM products, what are the most important factors to consider? Based on our experience working with enterprise customers, here are a few you should have at the top of your list:

User Experience

The best IRM tools will integrate transparently into current business workflows. Users should not have to deal with a new user experience or require a lot of training to start protecting important business information. Transparent integration into Microsoft Outlook and Office is very important, as these are the primary business tools for most workers. An example of a change of workflow that could confuse users would be an IRM that requires the user to use a different Send button (other than the normal Outlook Send) when they want to protect an email. The optimal situation is for the protection to be transparent to the user. Integration of IRM with classification tools seems to be a trend that makes use of IRM easier: the user only has to decide on the appropriate classification of the information and the protection is applied transparently.

Native Document Format Support

Transparent support for the most popular data formats like native Office files (doc, docx, etc.) is very important. Some IRM solutions require protected documents be saved in an intermediary format, such as PDF or other proprietary format. This reduces the support for the native capabilities typically used in workflows and collaborations as files do not automatically get opened in the native app, but instead get opened in a viewer which does not provide all the capability the user requires. You should assess which native application functionality, if any, will be broken by supporting an IRM solution and assess whether suitable work-arounds can be found.

Little impact on current desktop infrastructure

A lot of the IRM tools require special software or add-ons be installed on every desktop in order to protect information.  For instance, in email, many require an Outlook add-on to be installed. IT organizations are increasingly reluctant to install additional software on the desktop, especially in large organizations where this involves deployment to thousands of desktops.  With the move to cloud based applications, large enterprises are looking for the ease of cloud based applications.  The best IRM tools are those that require no special software install on the desktop.

Support for Different Authentication Scenarios

Information traveling outside the organization to mobile devices and to the cloud means that Active Directory authentication is no longer sufficient. Organizations want the freedom to consume their information anywhere. In order to assess the user’s permissions, the IRM server must have proof of positive authentication. An IRM that can support different authentication methods and protocols, such as Active Directory, Google authentication, and IAM platforms such as Okta and Ping, will provide the greatest flexibility for users both inside and outside the organization.

Support for External Users

Organizations are increasingly collaborating with other organizations and directly with their customers in B2B and B2C scenarios.  In some cases sensitive information needs to be exchanged.  Being able to use the IRM for this type of exchange of information is crucial.  We can’t assume that these other organizations or individuals have access to Microsoft authentication, thus the importance of wide authentication support as explained above.  Being able to allow these external entities to participate in your IRM environment will be absolutely critical going forward.

Key Storage

Providing flexibility on where your encryption keys are stored can be extremely important  when trying to provide reassurance to others of the ultimate privacy of your information.  We covered the different options for key storage in our last blog, “Where Should You Store your Encryption Keys – Protecting Your Data with IRM”.  An IRM that allows organizations to manage and host their own keys is the optimal solution.

Document Tracking

Organizations want to know who is accessing, or trying to access, their sensitive material. Because users need to make a request to the IRM server to be allowed to open protected content, an IRM solution can easily track who is opening or trying to open protected content. The best IRM solutions provide logging, reporting and dashboarding capabilities so security administrators can easily track the usage of their most important content. In addition, the best IRM solutions will provide alerting capabilities to alert data owners of use, or suspicious use, of their data.
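As an added example for this post (not any vendor’s product code), here is what the tracking and alerting described above looks like in working code. It assumes a constructed access-log format of a timestamp followed by key=value fields; the functions ParseLog, UsersGranted and SuspiciousUsers are this example’s own names, and the log lines are constructed, not taken from a real system.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one line of an IRM server's access log.
type Event struct {
	At     time.Time
	Fields map[string]string // user, doc, action, result, reason
}

// SampleLog is constructed for this example; the format (timestamp followed by
// key=value pairs) is assumed, not any particular vendor's.
const SampleLog = `2024-05-01T09:12:03Z user=alice doc=Q3-forecast.docx action=open result=allow
2024-05-01T09:15:44Z user=bob doc=Q3-forecast.docx action=open result=deny reason=no-rights
2024-05-01T09:16:02Z user=bob doc=Q3-forecast.docx action=open result=deny reason=no-rights
2024-05-01T09:16:30Z user=bob doc=board-minutes.docx action=open result=deny reason=no-rights
2024-05-01T10:01:11Z user=carol doc=board-minutes.docx action=print result=allow
2024-05-01T10:05:00Z user=alice doc=Q3-forecast.docx action=forward result=deny reason=right-not-granted
`

// ParseLog turns the raw log into events; malformed lines are reported rather
// than skipped silently, since a gap in an audit trail is itself a finding.
func ParseLog(raw string) ([]Event, error) {
	var events []Event
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		parts := strings.Fields(line)
		if len(parts) < 2 {
			return nil, fmt.Errorf("line %d: too few fields", n+1)
		}
		at, err := time.Parse(time.RFC3339, parts[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad timestamp: %w", n+1, err)
		}
		ev := Event{At: at, Fields: map[string]string{}}
		for _, kv := range parts[1:] {
			k, v, ok := strings.Cut(kv, "=")
			if !ok {
				return nil, fmt.Errorf("line %d: field %q is not key=value", n+1, kv)
			}
			ev.Fields[k] = v
		}
		events = append(events, ev)
	}
	return events, nil
}

// UsersGranted answers "who has actually used this document": for each doc,
// the distinct users whose requests were allowed, in order of first use.
func UsersGranted(events []Event) map[string][]string {
	out := map[string][]string{}
	seen := map[string]bool{}
	for _, ev := range events {
		if ev.Fields["result"] != "allow" {
			continue
		}
		doc, user := ev.Fields["doc"], ev.Fields["user"]
		if !seen[doc+"\x00"+user] {
			seen[doc+"\x00"+user] = true
			out[doc] = append(out[doc], user)
		}
	}
	return out
}

// SuspiciousUsers flags anyone with at least `threshold` denied requests inside
// any span of `window`: the "trying to access" pattern owners want alerts on.
func SuspiciousUsers(events []Event, threshold int, window time.Duration) []string {
	if threshold < 1 {
		threshold = 1
	}
	denies := map[string][]time.Time{}
	for _, ev := range events {
		if ev.Fields["result"] == "deny" {
			denies[ev.Fields["user"]] = append(denies[ev.Fields["user"]], ev.At)
		}
	}
	var flagged []string
	for user, ts := range denies {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for i := 0; i+threshold-1 < len(ts); i++ {
			if ts[i+threshold-1].Sub(ts[i]) <= window {
				flagged = append(flagged, user)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("granted:", UsersGranted(events))
	fmt.Println("alert on:", SuspiciousUsers(events, 3, 10*time.Minute))
}
```

In the sample, bob is denied three times within a minute and is flagged, while alice’s single denied forward attempt is not; the threshold and window are the two knobs a data owner would tune to trade alert noise against missed probing.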

Support for multiple operating systems

IRM solutions generally provide full support across all Windows platforms; however, support for Google and Unix tends to be significantly more limited. Some of the organizations we’re working with are starting to have a serious look at the Google GSuite as an alternative to Microsoft Office 365.  So depending on what platforms you use today, and what you might use in the future, you need to examine the capabilities that IRM solutions provide on these platforms to assess whether they will be viable.

Advanced Policy Support

Typical IRM solutions support standard Permit / Deny policy. Based on the permissions attached to the file the user is either permitted or denied access to the file.  But we are starting to see organizations that require more sophisticated policy.  For example an organization may permit access to sensitive content when the user is on the corporate network, but may want to deny access if the user is outside of the office or traveling to a foreign country.  If your organization wants to be able to control access based on factors such as geography, time of day etc.  you will need to look to IRM vendors that can support these more complex policy scenarios.
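To make the contrast between a plain permit/deny policy and the contextual policy described above concrete, the following is an added example written for this post, not any IRM vendor’s policy engine. It assumes the caller has already resolved the client IP to a country code and that the policy server evaluates its own local time; Policy, Request, Evaluate and ExamplePolicy are this example’s own names, and the addresses and country codes are constructed.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Request is the context the IRM server sees when a user asks to open content.
type Request struct {
	User    string
	Doc     string
	IP      net.IP
	Country string    // ISO code from IP geolocation, supplied by the caller (assumed)
	At      time.Time // local time at the policy server
}

// Policy combines the classic permit list with the contextual conditions the
// post describes: trusted when on the corporate network, otherwise allowed
// only from permitted countries and during business hours.
type Policy struct {
	Permitted       map[string]bool
	CorpNetworks    []*net.IPNet
	RemoteCountries map[string]bool
	BusinessStart   int // hour, inclusive
	BusinessEnd     int // hour, exclusive
}

func (p Policy) onCorpNetwork(ip net.IP) bool {
	for _, n := range p.CorpNetworks {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Evaluate returns the decision and a reason suitable for the audit log.
func (p Policy) Evaluate(r Request) (bool, string) {
	if !p.Permitted[r.User] {
		return false, "user holds no rights to this document"
	}
	if p.onCorpNetwork(r.IP) {
		return true, "on corporate network"
	}
	if !p.RemoteCountries[r.Country] {
		return false, fmt.Sprintf("remote access from %s is not permitted", r.Country)
	}
	if h := r.At.Hour(); h < p.BusinessStart || h >= p.BusinessEnd {
		return false, "remote access outside business hours"
	}
	return true, "remote access from a permitted country during business hours"
}

// ExamplePolicy is the constructed policy used below: alice may open the
// document; 10.0.0.0/8 is the corporate network; remote use is allowed from
// CA and US between 08:00 and 18:00.
func ExamplePolicy() Policy {
	_, corp, _ := net.ParseCIDR("10.0.0.0/8")
	return Policy{
		Permitted:       map[string]bool{"alice": true},
		CorpNetworks:    []*net.IPNet{corp},
		RemoteCountries: map[string]bool{"CA": true, "US": true},
		BusinessStart:   8,
		BusinessEnd:     18,
	}
}

func main() {
	p := ExamplePolicy()
	base := time.Date(2024, 5, 1, 10, 0, 0, 0, time.UTC)
	cases := []Request{
		{User: "alice", Doc: "plan.docx", IP: net.ParseIP("10.20.30.40"), Country: "CA", At: base},
		{User: "alice", Doc: "plan.docx", IP: net.ParseIP("203.0.113.5"), Country: "CA", At: base},
		{User: "alice", Doc: "plan.docx", IP: net.ParseIP("203.0.113.5"), Country: "CA", At: base.Add(12 * time.Hour)},
		{User: "alice", Doc: "plan.docx", IP: net.ParseIP("198.51.100.9"), Country: "XX", At: base},
		{User: "mallory", Doc: "plan.docx", IP: net.ParseIP("10.20.30.40"), Country: "CA", At: base},
	}
	for _, c := range cases {
		ok, why := p.Evaluate(c)
		fmt.Printf("%-8s %-14s %s -> allow=%v (%s)\n", c.User, c.IP, c.Country, ok, why)
	}
}
```

The ordering of the checks matters: the rights check comes first so that context can never grant access the owner did not assign, and the corporate-network check short-circuits the geography and time-of-day rules, which is the “trusted inside the office, restricted outside it” behaviour the paragraph describes. Each reason string is meant to be logged with the decision so that a denied request is explainable afterwards.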

If you are interested in more information on the Microsoft Azure RMS IRM solution see Deciphering the Real Price for Microsoft Azure RMS and Azure Information Protection

Where Should You Store your Encryption Keys – Protecting Your Data with IRM

Customers I speak to are struggling with the decision of what encryption technology to use and where to store the master encryption keys. Many of the Information Rights Management vendors in the market today are moving to cloud-based encryption technology. Let’s start by looking at the basic alternatives for storing the encryption keys, then we’ll look at a real world example. Your options for storing keys are:

1 – Store the keys on premises: Holding the keys on premises ensures maximum security and availability. You can implement a high availability/disaster recovery configuration to ensure keys are always available. In addition, in this scenario there is no risk of an external party being compromised. Storage options include a virtual appliance or a more secure hardware security module (HSM) to initialize and hold the keys.

2 – SaaS key management: In our real world example below we’ll use Microsoft Azure Information Protection (formerly called Rights Management) as an example of SaaS key management. While this approach takes advantage of the cloud, there are risks. Since the SaaS key management vendor has responsibility for the availability of the keys, if they experience an outage the data could become unavailable. If your keys are somehow lost or corrupted, your data could be permanently unavailable. When the SaaS vendor holds both your encryption key and your data (not an ideal separation of duties) there may be legal issues to consider, like the US Patriot Act, as we’ll discuss below.

3 – IaaS key management: An example of IaaS key management would be Amazon’s AWS Key Management Service (KMS). KMS is a managed service that allows you to create and control the encryption keys used to encrypt your data, and uses hardware security modules (HSMs) to protect the security of your keys. IaaS key management has similar risks to SaaS key management (you are relying on the security and availability of your IaaS provider’s key management). But on the other hand you might be better off than with SaaS key management if you implement separation of duties: the IaaS provider could manage your keys, while your data is not under their control.

Now let’s use Microsoft with their Azure Information Protection cloud based offering as a concrete example.  If you sign up for the standard AIP service on Office 365 your encryption keys are managed by Microsoft in their cloud.  This is really the worst case scenario where the SaaS vendor, Microsoft, is managing both your keys and the data (assuming your data is in Office 365). Microsoft has stated that, per the USA Patriot Act, the US government could have access to the data even if the hosted company is not American and the data resides outside the USA. So letting Microsoft manage your keys could be equivalent to giving your data to the NSA.  If you are a European company you may also be in violation of the EU Data Protection Directive. U.S. President Donald Trump signed an Executive Order entitled “Enhancing Public Safety” which states that U.S. privacy protections will not be extended beyond US citizens or residents: “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

So what are the alternatives to having the vendor, in this case Microsoft, manage your keys? Microsoft has an offering called Bring Your Own Key (BYOK). It sounds like this would be an improvement, as you are the one generating and bringing your keys. Unfortunately this is not really the case, as your keys are not under your control. The keys are still hosted within the Microsoft Azure data center, and therefore Microsoft has access to them in the case of a Patriot Act request or similar. So Microsoft’s BYOK is really no better than the standard Microsoft Azure Information Protection offering.

Microsoft has recently announced another offering called Hold Your Own Key (HYOK) that allows a customer to hold their own keys. But this requires a complicated structure where you need to subscribe to Microsoft AIP and also run your own Microsoft AD RMS servers on premise. The idea is that you use your AD RMS server to protect your most sensitive data, and use the Microsoft hosted AIP to protect less sensitive data. Instead of going to all that trouble you might as well skip Microsoft AIP and just run your own encryption servers, if this is a requirement anyway. In addition, Microsoft requires you to sign up for its AIP Premium P2 subscription in order to use HYOK, which costs an additional $5 per user per month, or $60 per user per year!

What is the best solution?   The best solution occurs when you have complete ownership and control of your keys.  If you can hold the keys on premise and these keys can be used with a cloud security solution or IRM you end up having the best of both worlds.  Since you have the keys there is no way for the vendor to be able to open and read your content.  In addition if the keys you hold can be used with a hosted IRM solution then you do not have to deploy any servers on premise. Another good alternative could be for you to host your keys in an IaaS managed environment like Amazon’s AWS, but store your protected content outside of Amazon.

What is the Difference between DLP and IRM?

Both Data Loss Prevention (DLP) and Information Rights Management (IRM) are used to protect corporate data, usually email and files.  Both technologies are used to ensure that sensitive data does not fall into the wrong hands.  Companies are extremely paranoid about losing or spilling sensitive data outside the organization. Because of these similarities people often get the technologies confused or think that they are competitors.  But in reality these technologies are very different.  One of the technologies, Data Loss Prevention, is starting to lose its relevance and in my opinion will soon go the way of the dodo.

DLP is about putting up walls around your data. These walls block outgoing data (they are not like traditional firewalls that filter and block incoming traffic). The walls do not block everything, but attempt to block sensitive material from going outside the organization. Modern DLP is often referred to as content aware, meaning that the DLP can examine the content of an email or file and determine if it is sensitive. DLPs usually allow administrators to build policy. The administrator can define what type of information to block and what channels to monitor. Channels is the term used to refer to the method of communication being used to send outgoing data (e.g. email, USB etc.). Modern DLP allows organizations to block many channels such as web email, corporate email, USB, web upload, FTP, file copy etc. One of the well known problems with DLP is what is referred to as a “false positive”. A false positive occurs when the DLP thinks that the data is sensitive and therefore blocks it, but in reality the data is not sensitive. For example the DLP might encounter this telephone number (819990870893) and think that it is a credit card number. Outgoing email with this telephone number might be blocked, causing a slowdown in business where none is warranted. This interference with normal business communication is seen as one of the major downsides of DLP.
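The false-positive problem above comes down to how the detector decides what counts as a card number. Here is an added example in Go (not code from the post or from any DLP product) that runs two rules over a few constructed messages: a naive rule that flags any long digit run, and a tighter rule that requires a card-length run and a passing Luhn checksum. The telephone number is the post's own; the 4111 1111 1111 1111 value is a well-known Visa test number, and the ticket id is made up.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleMessages are constructed inputs. The first reuses the telephone number
// from the post; the second uses 4111 1111 1111 1111, a well-known Visa test
// number; the third is a 13-digit ticket id that is not a valid card number.
var SampleMessages = []string{
	"Call the Sydney office on 819990870893 for details.",
	"Card on file: 4111 1111 1111 1111, exp 12/29",
	"Ticket 1234567890123 opened yesterday",
}

// naivePattern flags any run of 12 to 19 digits, optionally separated by spaces
// or dashes: the kind of rule that turns a phone number into a false positive.
var naivePattern = regexp.MustCompile(`\b(?:\d[ -]?){11,18}\d\b`)

// candidatePattern keeps only 13 to 19 digits, the lengths payment card
// numbers actually use; the Luhn check below does the rest.
var candidatePattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// LuhnOK reports whether digits passes the Luhn mod-10 check that every card
// number satisfies; a random digit string fails it about nine times in ten.
func LuhnOK(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 0 && sum%10 == 0
}

// NaiveDetect is the false-positive-prone rule: every long digit run is "a card".
func NaiveDetect(text string) []string {
	return naivePattern.FindAllString(text, -1)
}

// LuhnDetect normalises each candidate (drops spaces and dashes) and keeps it
// only if the Luhn check passes.
func LuhnDetect(text string) []string {
	var hits []string
	for _, m := range candidatePattern.FindAllString(text, -1) {
		d := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if LuhnOK(d) {
			hits = append(hits, d)
		}
	}
	return hits
}

func main() {
	for _, msg := range SampleMessages {
		fmt.Printf("%-50q naive=%v luhn=%v\n", msg, NaiveDetect(msg), LuhnDetect(msg))
	}
}
```

The naive rule flags all three messages; the Luhn rule keeps only the real card number, which is the kind of tuning that removes the business interruptions the post describes. Luhn alone is not proof of sensitivity (one random card-length string in ten passes it), so real products also look at issuer prefixes and surrounding keywords before blocking.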

As we explained in a previous blog (What is Information Rights Management?), IRM is an encryption solution that maintains the encryption of the information regardless of where it is sent. In addition to protecting using encryption, organizations can also define use permissions with IRM. These use permissions permit or deny users from taking certain actions on a piece of information. Permissions can include things like controlling copy & paste, preventing forwarding of email, and preventing screenshots, printing, editing. So for instance, an IRM can allow the sender of the email to specify that the message should not be forwarded, and cannot be printed.

So how relevant are these two technologies today? DLP was a very popular solution for data protection before the emergence of cloud and mobile technologies. Now that organizations are moving data to the cloud they are faced with the question of how to extend DLP to the cloud. If this is a public cloud such as Box or Dropbox, that is virtually impossible. Users accessing this public cloud data are not using private corporate networks, they are coming in over the public Internet. As a result companies cannot wrap their DLP technologies around the cloud to block outgoing data. There are similar problems for mobile. Since mobile users are accessing their phone data over the public Internet, it is impossible to block sensitive data from being sent out. For example if a user decides to upload a sensitive corporate document from their mobile phone to Dropbox, DLP cannot be placed in the middle to remediate the upload. Some DLP-like solutions are being proposed that force users to route their mobile traffic over a virtual private network that runs over a corporate network. Though this does allow customers to implement DLP checking to provide additional security, it is not a viable solution as users do not want to connect to a VPN before using their phone, and a VPN will always slow down the response time on a mobile device. A newer technology called Cloud Access Security Broker (CASB) has emerged in the last few years. In some ways this is the equivalent or extension of DLP into the cloud. This solves some of the DLP cloud issues, but suffers from the same type of problem – the assumption that all cloud traffic can be routed through a CASB appliance.

The advantage of IRM is that it does not make any assumptions or require any special network configuration.  Because the data is always protected, users are free to use mobile, cloud and other new technologies.  Why would I worry when my data is always encrypted?  So in my opinion IRM is ideally suited for our new mobile / cloud world.  It allows people to collaborate and share information the way they want, while maintaining essential protection for sensitive information.

What is Information Rights Management?

People sometimes get confused between encryption, Information Rights Management (IRM), and Digital Rights Management. Information Rights Management and Digital Rights Management (DRM) are similar technologies applied to different markets. DRM is a security / encryption technology applied to consumer focused businesses such as movies and music. IRM uses very similar concepts, but is targeted at business scenarios and the protection of email and documents. Like DRM, IRM solutions use encryption to prevent unauthorized access. Information Rights Management is sometimes also referred to as Enterprise Rights Management.

Essentially, Information Rights Management products are encryption products that maintain the encryption of the information regardless of where it is sent.  That’s the big difference between IRM and earlier encryption solutions.  Earlier encryption solutions protected the information, but once the information was opened (un-protected) it could be sent freely without protection. For example, S/MIME email encryption protects the email content in transit and while it is stored in the email system, but once the email is opened by a recipient (who has the proper permissions)  it can be forwarded without encryption to other users. This somewhat compromises the originator’s intent to protect the information.  Information Rights Management solutions fix this problem by always maintaining the protection on an email or file.  When IRM protected information is forwarded to unauthorized users, those users will receive the file, but they will not be able to open the file because it always remains encrypted.

In addition to protection, organizations can also define use permissions with IRM. These use permissions permit or deny users from taking certain actions on a piece of information. Permissions can include things like controlling copy & paste, preventing forwarding of email, and preventing screenshots, printing, editing.
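As an added example (not code from the post or from any IRM vendor), the following Go program models the two IRM ideas described here, protection that travels with the file and per-recipient use permissions, and also shows why a party that merely stores the protected file and its wrapped keys cannot read it, which is the key-management point made in the Azure discussion above. Assumptions: the content key is AES-256-GCM, each copy of that key is wrapped under a per-user symmetric key that stands in for whatever key material a real licensing service holds, and the permissions are bound to the wrapped key as GCM additional data; the user names and keys are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Permissions is the use-rights set an IRM client must enforce for one recipient.
type Permissions struct {
	View    bool `json:"view"`
	Print   bool `json:"print"`
	Forward bool `json:"forward"`
}

// License lets one named recipient unwrap the content key. The permissions are
// bound to the wrapped key as GCM additional data, so editing them breaks the unwrap.
type License struct {
	Nonce      []byte
	WrappedKey []byte
	Perms      Permissions
}

// ProtectedDoc is what travels with the file: ciphertext plus per-recipient
// licenses. Without a matching license and user key, the holder has only ciphertext.
type ProtectedDoc struct {
	Nonce      []byte
	Ciphertext []byte
	Licenses   map[string]License
}

// mustAEAD builds AES-GCM for a 16/24/32-byte key; a wrong key length is a
// programming error in this demo, so it panics rather than returning an error.
func mustAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // no usable entropy is unrecoverable here
	}
	return b
}

// Protect encrypts plaintext under a fresh content key and wraps that key once
// per recipient. userKeys stands in for the per-user key material an IRM
// licensing service would hold (assumption: one symmetric key per user).
func Protect(plaintext []byte, rights map[string]Permissions, userKeys map[string][]byte) (*ProtectedDoc, error) {
	contentKey := randomBytes(32)
	aead := mustAEAD(contentKey)
	nonce := randomBytes(aead.NonceSize())
	doc := &ProtectedDoc{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil), Licenses: map[string]License{}}
	for user, perms := range rights {
		uk, ok := userKeys[user]
		if !ok {
			return nil, fmt.Errorf("no key for recipient %q", user)
		}
		ua := mustAEAD(uk)
		aad, _ := json.Marshal(perms) // cannot fail for plain bool fields
		ln := randomBytes(ua.NonceSize())
		doc.Licenses[user] = License{Nonce: ln, WrappedKey: ua.Seal(nil, ln, contentKey, aad), Perms: perms}
	}
	return doc, nil
}

// Open is the IRM client side: find the caller's license, unwrap the content
// key, decrypt, and return the permissions the client is then bound to enforce.
func Open(doc *ProtectedDoc, user string, userKey []byte) ([]byte, Permissions, error) {
	lic, ok := doc.Licenses[user]
	if !ok {
		return nil, Permissions{}, errors.New("no license for this user: file stays encrypted")
	}
	aad, _ := json.Marshal(lic.Perms)
	contentKey, err := mustAEAD(userKey).Open(nil, lic.Nonce, lic.WrappedKey, aad)
	if err != nil {
		return nil, Permissions{}, errors.New("wrong user key or tampered license")
	}
	pt, err := mustAEAD(contentKey).Open(nil, doc.Nonce, doc.Ciphertext, nil)
	if err != nil {
		return nil, Permissions{}, errors.New("ciphertext tampered")
	}
	return pt, lic.Perms, nil
}
```

Protect builds the document once; Open is what a client does for a given user. A recipient without a license, or the stranger the file was forwarded to, gets an error and sees only ciphertext; a recipient whose license was edited to add Print gets an authentication failure rather than extra rights. As in every IRM product, the client must then honour the returned Permissions: the cryptography stops unauthorized opening, not a trusted client that ignores its own policy.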

Modern IRM products extend the functionality of these solutions to include document tracking, revocation of use rights, and web based protection.  We will examine these features in more detail in upcoming blogs.

IRM products emerged in the late 90s but initially were not very successful.  Most of the early solutions could only be used by employees within the organization, and did not work in scenarios where information needed to be shared outside of the organization. So use cases were limited.  This shortcoming has been addressed by most vendors.  As we move to a world where much more information is flowing outside the organization (email/ clouds/ social) IRM products are seeing a re-emergence.

Examples of IRM solutions include:

Ionic Security

Microsoft Azure Rights Management

If you’re looking for a guide on how to evaluate IRM solutions see our blog – How to Select and Evaluate Information Rights Management Solutions

Welcome to Security Outside the Firewall

Welcome to Security Outside the Firewall on security2021.com. As this is our very first blog we wanted to explain why we launched the blog and what we are trying to accomplish.

First of all you might be wondering why we called the web site security2021.com?  Well, we wanted to focus on emerging information technology security topics that will become more important as we move forward.

Second question – why did we call the blog “Security Outside the Firewall”?  Well, we think that in the future, security will be focussed on protecting data outside of the corporate perimeter.  Of course you will still need to secure information within your organization, but that’s old news.  Cloud computing has arrived, and more and more data is flowing outside the organization in the form of email, cloud data storage and cloud hosted applications like Salesforce. This means your data has to be secure as it’s travelling outside of your organization. Securing this data will become the growing focus area for information security professionals.

There are a lot of blog sites that talk about how to secure your cloud and the level of security of cloud solutions like Amazon’s Web Services (AWS).  But the missing piece to these discussions is how to keep information secure, not only while it’s in the cloud, but also while it’s travelling to the cloud, or being sent to collaborators outside the organization.  Over the coming weeks and months we’re planning to write about topics such as encryption solutions, email security, mobile security, and file tracking that address that missing piece. In addition we’ll focus in on some vendors with solutions in these areas and see what they can offer.

In our blog next week we’ll start digging into one of the emerging data security products for protecting information outside the firewall – information rights management, sometimes called enterprise rights management. We’ll talk about how this category of product works, what it claims to do and the major players in this space.

We’ve created this site for people like ourselves, people involved in securing organizational data. Whether you’re an information security professional, a privacy consultant, someone looking at legal issues, or a customer struggling with how to protect sensitive information, we’d like to hear your thoughts and questions. This is an opportunity for all of us to collaborate and better secure the data that is outside the firewall.
