The author of the article is Mikhail Voytko, Technical Director of Energy Time
With this publication we want to start a series of articles on new, cloud-based and often unfamiliar Microsoft technologies. In this article I will try to describe, briefly and without padding, how the Azure RMS service works. Below you will find:
- Why you need Azure RMS.
- A few words about how it works.
- Killer features, or the important differences from competitors.
- The "cherry on the cake": super user mode in PowerShell.
- Real examples of customer use.
So, Azure RMS. The beast is not new: Microsoft has shipped RMS in its server operating systems since Windows Server 2003. But, perhaps because every partner organization required its own federation relationship, it never gained wide adoption. Later, with the popularization of cloud services and the arrival of Office 365 and Azure AD, a logical question arose: why not offer RMS as SaaS? 2013 was the turning point, when Azure RMS came to market. Today you can obtain Azure RMS in several ways:
- Azure RMS is included in Office 365 E3, E4, A3 and A4 plans.
- You can buy the service as a standalone subscription directly from the website.
- The service is included in the Enterprise Mobility Suite (EMS) and in all products where EMS is present.
Why do I need Azure RMS? TechNet answers the question like this: "It uses encryption, identity, and authorization policies to help secure your files and email, and it works across multiple devices: phones, tablets, and PCs." I agree with that, but I will add that you no longer have to deploy everything RMS needs on your own servers; you can consume the service from the cloud by subscription. At the same time, no protected data is stored in the cloud, unless of course you send it there yourself, for example by e-mail. All encryption happens on the client side; the cloud provides the identity, key management and policy services.
How does the service work? The entire infrastructure runs in the Microsoft cloud, but scenarios that connect your on-premises environment and use your own keys (Bring Your Own Key, BYOK) are possible. The RMS web service uses Azure AD for user authentication and is configured on the corresponding page of the Azure portal.
The service has 3 main functions:
- Certification: confirms the user's identity and issues the user a certificate (the rights account certificate).
- Licensing: issues use licenses for protected content.
- Publishing: issues the certificates a client needs to protect (publish) content.
All of Azure RMS's work is built on certificates and licenses expressed in XrML (eXtensible rights Markup Language). More details can be found, for example, here.
A simplified diagram of the service is shown below:

Encryption happens in the application on the client and, besides the keys, it applies a policy that lists the users and the type of access each of them has to the file. Policies, authentication and key management are provided by the cloud service. Suppose a document contains sensitive information and you (a user or a service) want to open it. If you are signed in to Azure AD and the Azure RMS policy grants you rights, the service issues you a use license and access is granted. The document itself is protected with a random content key. This key is unique to each document; during protection it is encrypted with your RMS tenant root key and placed in the file header. Your tenant key is created and managed by Microsoft, but the BYOK scheme mentioned above is also possible.
Documents are protected with the symmetric algorithm AES using a 128-bit key; the content keys are protected with RSA using a 2048-bit key; and certificates are signed with SHA-256. The algorithms are fixed and cannot be swapped by the tenant.
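To make the key hierarchy from the two paragraphs above concrete, here is an added illustration written for this article, not Azure RMS code and not its real file format. It builds the same three layers with the .NET crypto classes available from PowerShell (Windows PowerShell 5.1 or PowerShell 7 on Windows): a random AES-128 content key per document, wrapped with a 2048-bit RSA "tenant" key, and a policy header signed with SHA-256. The names $tenantKey, Protect-ToyDocument and Unprotect-ToyDocument, the policy string format and the sample users are inventions for this example; the real service issues XrML licenses through the RMS client.

```powershell
# Added illustration, not Azure RMS code and not its real file format: a toy model of
# the key hierarchy described in the article, built with .NET crypto from PowerShell.
#   - every document gets a fresh random AES-128 content key and IV
#   - the content key is wrapped with a 2048-bit RSA "tenant" key (RSA-OAEP)
#   - the policy header is signed with RSA / SHA-256
# $tenantKey, Protect-ToyDocument, Unprotect-ToyDocument and the policy format are
# inventions for this example; the real service issues XrML licenses via the client.

# Stand-in for the tenant root key. In the real service it is held by Microsoft (or in an
# HSM with BYOK); whoever can use it can unwrap every content key, which is the super user idea.
$tenantKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048

function Protect-ToyDocument {
    param(
        [Parameter(Mandatory)] [byte[]] $Plaintext,
        # Policy: semicolon-separated RIGHT:user entries, e.g. "VIEW:alice@contoso.com;EDIT:bob@contoso.com"
        [Parameter(Mandatory)] [string] $Policy,
        [Parameter(Mandatory)] [System.Security.Cryptography.RSA] $TenantKey
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128                                            # AES-128, as the article states
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.GenerateKey(); $aes.GenerateIV()                         # unique per document

    $body = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)

    # The content key is stored only in wrapped form; only the tenant key holder can unwrap it.
    $wrappedKey = $TenantKey.Encrypt($aes.Key, $true)            # $true = OAEP padding

    # Signing the policy binds it to the document: editing the header to grant yourself rights fails.
    $policyBytes = [Text.Encoding]::UTF8.GetBytes($Policy)
    $signature = $TenantKey.SignData($policyBytes,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

    $iv = $aes.IV
    $aes.Dispose()
    [pscustomobject]@{
        Policy          = $Policy
        PolicySignature = $signature
        WrappedKey      = $wrappedKey
        IV              = $iv
        Body            = $body
    }
}

function Unprotect-ToyDocument {
    param(
        [Parameter(Mandatory)] $Document,
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [System.Security.Cryptography.RSA] $TenantKey,
        [switch] $SuperUser            # owner-level access regardless of policy
    )
    # 1. Verify the policy header before trusting anything in it.
    $policyBytes = [Text.Encoding]::UTF8.GetBytes($Document.Policy)
    $valid = $TenantKey.VerifyData($policyBytes, $Document.PolicySignature,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    if (-not $valid) { throw 'Policy header signature is invalid: header tampered with.' }

    # 2. Policy check; in the real service this happens server-side before a use license is issued.
    #    Super users skip it, which is exactly why the feature should stay off until needed.
    $allowedUsers = ($Document.Policy -split ';') | ForEach-Object { ($_ -split ':')[1] }
    if (-not $SuperUser -and $User -notin $allowedUsers) {
        throw "Access denied: $User is not listed in the policy."
    }

    # 3. Unwrap the content key with the tenant key and decrypt the body.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key     = $TenantKey.Decrypt($Document.WrappedKey, $true)
    $aes.IV      = $Document.IV
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Document.Body, 0, $Document.Body.Length)
    $aes.Dispose()
    [Text.Encoding]::UTF8.GetString($plain)
}

# Usage with constructed sample data
$doc = Protect-ToyDocument -Plaintext ([Text.Encoding]::UTF8.GetBytes('Payroll sheet, March')) `
                           -Policy 'VIEW:alice@contoso.com' -TenantKey $tenantKey

Unprotect-ToyDocument -Document $doc -User 'alice@contoso.com'   -TenantKey $tenantKey             # plaintext
try   { Unprotect-ToyDocument -Document $doc -User 'mallory@contoso.com' -TenantKey $tenantKey }
catch { $_.Exception.Message }                                                                     # access denied
Unprotect-ToyDocument -Document $doc -User 'dlp-scanner@contoso.com' -TenantKey $tenantKey -SuperUser  # plaintext
```

The point of the three calls at the end: the same ciphertext is opened by a listed user, refused to an unlisted one, and opened again for a scanner account via the -SuperUser switch. The switch changes nothing cryptographically; it only skips the policy check, because decryption depends on the tenant key alone. That is what the super user feature described later in the article does in the real service, and why it deserves the caution the article attaches to it.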
A little about the killer features. In our opinion, the first is the appearance of Azure Trust Fabric. With AD FS or other federation solutions you have to configure a relationship with each partner organization separately; with Azure AD / Azure RMS the cloud directory service acts as a common platform for authorizing users from many organizations. You establish a federation relationship with Azure AD once, and after that you can work with every company that has done the same. The flip side of the coin is that you have to trust the cloud. But you always control which attributes you choose to synchronize.
The second interesting feature is RMS for individuals. Your company may not have RMS at all, yet you need to open documents that someone has protected for you. In that case Azure RMS for individuals is a great solution: users sign up for a free account in the Azure RMS service, install the app and open the content at no cost. An unmanaged tenant (one without an administrator) is created for their company, and it can later be converted to full corporate use when a subscription is purchased. More details can be found here.
Super user mode in PowerShell. Now let us add a little admin hardcore to the article: scripts, the command line, deep troubleshooting, everything we love. By default the super user feature is disabled in an Azure RMS tenant and no super users are defined. When enabled, it gives full access to all content protected by Azure RMS: super users receive owner-level access to every protected document and message for all licensed users in the organization. They can decrypt any content and remove the protection, even if the content's validity period has already expired. A typical use case is integration with an antivirus solution or DLP, because mail gateways and scanners normally need the raw, unencrypted content. Administrators also need to see the actual contents of transmitted e-mail and encrypted files to investigate incidents. Attention: this functionality must be treated with care and in accordance with your company's information security policy.
To run the scripts you need to install Windows PowerShell for Azure Rights Management (the AADRM module) and the Microsoft Online Services Sign-in Assistant version 7.0.
- Declare a variable that will hold the administrator account's credentials; enter the user name and password when prompted.
- Connect to your subscription with those credentials.
- Check that the service answers and reports itself as enabled.
- Enable the super user feature in Azure RMS and get confirmation from the service.
- Add a user with super user rights. Several such accounts can be added.
- Check the list of current super users with the Get-AadrmSuperUser cmdlet.
From this point the user or service has absolute rights over all protected content. Do not forget to disable super users when you no longer need this access.
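The procedure above as one script, including the clean-up at the end. This is an added example, not the author's original screenshots, and it uses the cmdlets of the Azure Rights Management (AADRM) PowerShell module the article refers to; the tenant, the account UPNs and the quarantine path are placeholders. Note that Microsoft later replaced AADRM with the AIPService module, whose cmdlets have the same shape (Connect-AipService, Enable-AipServiceSuperUserFeature, Add-AipServiceSuperUser and so on).

```powershell
# Added example: the super user procedure as a single script, using the AADRM module.
# Tenant, UPNs and paths are placeholders. AADRM has since been superseded by the
# AIPService module (Connect-AipService, Enable-AipServiceSuperUserFeature, ...).
$ErrorActionPreference = 'Stop'
Import-Module AADRM

# 1. Credentials of a tenant administrator (a global admin or an Azure RMS admin).
$Cred = Get-Credential -Message 'Azure RMS administrator account'

# 2. Connect to the Azure RMS service of your tenant.
Connect-AadrmService -Credential $Cred

# 3. Confirm the service is activated; Get-Aadrm returns 'Enabled' or 'Disabled'.
if ((Get-Aadrm) -ne 'Enabled') {
    Enable-Aadrm                      # activates Azure RMS for the tenant
}

# 4. Turn on the super user feature (off by default) and confirm it took effect.
Enable-AadrmSuperUserFeature
Get-AadrmSuperUserFeature             # expected: Enabled

# 5. Grant super user rights to a dedicated service account, not to a human admin's
#    everyday login. Several accounts can be added by repeating Add-AadrmSuperUser.
$scannerAccount = 'rms-dlp-scanner@contoso.onmicrosoft.com'   # placeholder
Add-AadrmSuperUser -EmailAddress $scannerAccount

# 6. Review who currently holds owner-level access to all protected content.
Get-AadrmSuperUser

# Bulk decryption is then done under that account with the separate RMS Protection tool,
# for example from a DLP job:  Unprotect-RMSFile -File 'C:\Quarantine\report.docx' -InPlace

# 7. When the job is finished, revoke the account and switch the feature off again,
#    so that the tenant is back to its default state.
Remove-AadrmSuperUser -EmailAddress $scannerAccount
Disable-AadrmSuperUserFeature
Disconnect-AadrmService
```

Keep the enabled window as short as the job allows, and pull the tenant's usage logs (Get-AadrmUsageLog) for the period afterwards, so that every decryption performed under the super user account can be accounted for.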
Examples of use. To close the article, I want to describe a couple of real cases of Azure RMS use by our customers.
Example 1. A customer from the education sector. E-mail runs both on on-premises Exchange and in Office 365: employees' mailboxes are hosted locally, while students' and teachers' mailboxes are in Exchange Online. The institution needed to protect documents sent by e-mail, in particular time sheets and salary statements sent to permanent and temporary teachers, and the final grades sent to students at the end of their studies. Azure RMS is used by the accounting staff and teachers when preparing and sending payroll sheets, and for graduating students when delivering the results of several final exams. The deployment uses the hybrid RMS scheme.
Example 2. A customer from the manufacturing sector, plant engineering. Azure RMS is used to protect office documents, and two tasks are implemented:
- Control over the distribution of drawing files in a specialized non-Office format. The customer keeps a list of files whose access is restricted between employees of different departments; these files are given read-only policies per department. Note that for a file format without an RMS-enlightened application, Azure RMS applies generic protection, which controls who can open the file but cannot enforce read-only behaviour inside the editing application.
- Data transfer to external auditors. Once every six months the company submits reports to external regulatory bodies. The RMS for individuals service lets the company grant free access to this restricted content only to specific external organizations.
We have looked at how the Azure RMS service works and at the ready-made functionality it provides for protecting files in both on-premises and cloud infrastructures.