Webinar Recording

Secure Information Sharing: Microsoft Azure RMS Enabling your Organisation to Securely Share Any Document with Anyone



KuppingerCole Webinar recording

Good afternoon, good evening, ladies and gentlemen, welcome to our webinar, "Secure Information Sharing: Microsoft Azure RMS, Enabling Your Organization to Securely Share Any Document with Anyone". My name is Martin Kuppinger. I'm founder and principal analyst at KuppingerCole. And with me today is danina, group manager, information protection, Microsoft, who will do the second part of our presentations today. So I will do my presentation first and then, and then we will have the Q&A. This webinar is supported by Microsoft. And as the title indicates, we will talk about secure information sharing. So I will mainly cover how this market for itself looks like, what is going on there, which approaches we see, et cetera. And then we'll then dive deeper into Microsoft Azure RMS, one of the solutions in that space. So before we start, some housekeeping and our information. KuppingerCole is an analyst company.
We are providing enterprise IT research, advisory services, decision support, and networking for IT professionals. We do events like the European Identity and Cloud Conference, and secure information sharing will be an important topic at the conference. So we'll have various sessions around secure information sharing. We also plan to cover it in the automotive round table, which will be held at the European Identity and Cloud Conference. So if you're interested in the topic, you shouldn't miss that conference, which will be held in May in Munich. Regarding the webinar, some guidelines: you are muted centrally, so you don't have to mute or unmute yourself. We are controlling these features. We will record the webinar. The podcast recording will be available by tomorrow and you can then download it or review it. The question and answer will be at the end. You can enter questions at any time using the questions feature in the GoToWebinar control panel.
I always recommend entering questions once they come to your mind so that we can work on a longer list of questions when we start the Q&A session. Looking at the agenda today: in the first part, I will talk about the overview of the requirements and current solutions for secure information sharing. And the second part then with, and we'll talk about Microsoft RMS strategy, moving information rights management to the next level. Finally developing will be a part three with the Q&A session, as I've already said. So I want to start with sort of my standard slide, and the ones of you who have been in more of my webinars recently probably are familiar with the slide. So what we really see here is that information security is changing. Until now, or until some time ago, we mainly focused on this internal area of internal systems.
A little outsourcing may be a little and private law on internal uses a few business partners and on the desktop systems are maybe our notebooks and some few systems. Right now, this has changed with cloud computing, mobile computing, social computing. So this computing dry, which extends our scope of information security, it makes things for us fairly more complex to handle. And one of the challenges there is: how can we, in such an environment with more users, mobile users, with a variety of services, securely share information? That's one of the challenges, and the other challenge, or the other thing which has changed, is that the business changed and the business challenges are changing. There are some which are sort of occasional changes, such as economic turmoil or changes in regulations. There are permanent challenges such as the globalization, the competitive landscape, the need for crews, and other challenges such as the permanent need for increasing earnings or the hunt for talent.
And a lot of these challenges, in fact, from a business perspective are related to the need for being able to better collaborate, to better exchange information with business partners, to extend the supply chain, to extend the business process beyond the traditional perimeter of the organization. So this is really the situation where we are working on. So there are various success factors for organizations and I won't go through all of them, but there's for instance the success factor of the extended enterprise. When we look at new business model grows and other things, the change in competitive landscape, a lot of these things are around the extended enterprise, dealing with our business partners, with our customers. The agility stuff is also about finding new ways to work with suppliers, changing the supply chains, et cetera, et cetera. Innovation: if you look at many industries such as life sciences, aerospace and defense, and so on, innovation is a key success factor.
And this means also collaborating with specialized service providers, et cetera. When we look at collaboration and communication, so new people on board which want to collaborate and communicate in a different way, again, it's about secure collaboration, secure information sharing, et cetera. So when we look at various of these business challenges and these key success factors for business, then we have to look at secure information sharing, because being able to securely share information clearly is requisite to fulfill these emerging business requirements. And every organization I deal with in our advisory business really has the need for securely sharing information. So when looking at the secure information sharing challenge, the main question is which technology or technologies will allow us to protect information always: at rest, in move, in use. So how can we secure information once it leaves the server? How can we secure information not only when it's attached to an email, but when it's detached from that email and when someone opens the document? How can we secure information at any time?
There are many terms around it. So we have the term of secure information sharing, a term that describes all types of technologies which are within that term. I tend to use it as sort of the name for the entire various technologies we are seeing here. We have digital rights management, which mainly applies to videos and music. We have enterprise rights management, which is probably more targeted to protecting shared documents for the organization. I personally tend to use information rights management as the term, where rights are used in the sense of access rights or entitlements, or right to use, the latter more for digital rights management. So let's say for this, mainly with information rights management, as one technology within secure information sharing, and from what I see as the main technology for secure information sharing. So to explain it very simply, what we have is a document and we want to share it securely.
So we have a key or keys, a set of keys. We encrypt the document. So we have an encrypted document and we attach access control to this document, so who is allowed to do what. And then we have applications which can handle that document, so they can request the key to decrypt, they can decrypt, and they then allow only the activities which are defined with the access controls for that document. So instead of just sending an encrypted document, there are also the access controls. This combination is what really makes up rights management. So it's a very simple explanation, and I'm quite sure that then we'll dive a little bit more into detail later, but let's keep it at this abstract level. It's the combination of encryption and access controls, entitlements, which make it up. So at rest, we have a lot of use cases which we need to protect, and file server documents, that works well.
Databases, records, such different situation. We don't have the technology here. So we are really focusing on the document. At move, so where can we handle it, in the land, the land on storage, it works everywhere. In use, it's important to secure it when it's processed by applications. And as I've said, the technology itself is focusing on document protection, not on the single it reviewed within a database for current server and a thing like that. There are various approaches for secure information sharing out there. So it's not that there's only a single way to do it. There are more things than information rights management. However, I'm following this for many, many years, and if you look at my blog, I think there are blog posts which are six or eight years old around rights management, and I always have been a believer in that technology because it's, from my perspective, the most comprehensive way to protect documents.
So we have the information rights management stuff, encryption and entitlement applied. We have other approaches. So we have secure data rooms, where you have a secure storage, sometimes with web-based applications and first entitlements. However, once you leave the web-based application, you don't have this application occurred and regarding entitlement enforcement. So this might become a challenge to that area. Secure file transfer, another technology. Yes, it allows you securely transfer fair into file. But what happens with the in-use scenario? We have the industry collaboration networks, which allow to manage users, to give them access, give them collaborative environments, et cetera. Usually there's not the enforcement of entitlements at the application level, unless you use some web-based application to edit some standard document from it. However, these approaches might be combined with information rights management, so you can bring these things together. And then you're in a very secure collaboration infrastructure.
So it's not that you can combine these things. Secure email: so if I use it, I can securely transport a document; however, once the recipient opens it and is able to open it, he can do everything he wants to. So if I combine it with information rights management, again, I'm secure across the entire lifecycle of the document. Without I'm not data leak prevention, it's only security edge. You might combine it with information rights management to say, okay, this is sensitive information, it needs to be encrypted, specific access controls need to be applied. Then you are again in a secure situation. But comparing them somewhere in sort of an overview, if you look at the three use cases, at rest, in motion and in use, there's only one technology which fully supports all of the three phases of the document lifecycle, which is information rights management. So secure data rooms, yes, as long as addresses in the data room, it's fine, and in use as long as there is support for it.
Secure file transfer, file transfers I've talked about, et cetera. So you might enhance things by IM then you have more access or crosses here, but basically information rights management is the way to really do it. So when we look at securing information, and we might look at even more technologies, is there a single technology to solve the problem? Data leakage prevention; identity and access management, so access controls for services, et cetera; access governance, looking at the access controls, re-certifying, et cetera; endpoint security; secure data rooms; secure file transfers; information rights management. Basically information rights management is a very strong approach driver. Even there, you probably need the identity and access management, so which users do you have, et cetera; privilege management, et cetera, securing systems; access governance, securing the access controls at your file servers in your organization, your SharePoint systems and so on. You need always a good GRC.
So a governance, risk, compliance approach, and then you need to combine it with information rights management, maybe some other types of security and a little bit of endpoint security. So you anyway will need various technologies, but a cornerstone of everything you are doing here is really information rights management. If you want to enable secure information sharing, secure collaboration, then you clearly have to have a look at information rights management. So obviously rights management, from what I see, and I've been looking at this all for many years and virtually every day, it's the only approach to protect information seamlessly. It should be the standard approach, with point solutions potentially as additional security. It should be part of a broader view on how do I manage identities, access to existing systems, and how do I set up controls to manage my access risk, my information risk, et cetera.
So with that in mind, the interesting question is: why don't we use it today, every one of us, everywhere? That's because there have been a number of challenges so far. One is key management. Encryption per se is complex. There's no simple way to do encryption, and you need to understand a little bit of encryption at least to configure, to set up the systems, et cetera. You need to understand the concepts. It requires central backgrounds and most implementation. So this is a challenge. User management: it's becoming increasingly complex. If you want to work in this collaborative environment with your business partners, with your customers, et cetera, how can you onboard them? How can you register them? How can you do this federation, self-registration, all that type of stuff? Applications, approach: if you only can work with three applications or five, it's not sufficient. What, where, which are the document formats for your sensitive information?
These are clearly Word documents, Excel spreadsheets, etc. These are PDF files, but these are also files produced by CAD systems, so computer-aided design, et cetera. There are many, many different things. And how do you handle, let's say, an information which is created, a document which is created out of an SAP system, et cetera, et cetera? So you have to do it on a broad base, and not only for applications, but also for different types of devices, operating systems, et cetera. Granularity: how can you protect things? That's also one of the interesting questions. Usability: how is it still simple for the users? If the end user has a big deal of work with it for every document it creates the sense, then he will not accept the technology, or it'll at least be hard to convince him that he has to accept it.
Data: it works for unstructured data. Clearly it doesn't work for structured data, databases, yet. So there's some remaining challenge, but there are various challenges and many of them haven't been solved well so far, at least not at a broad scale. And that's, I think, one of the important things. So, success factors: integration for standard file formats, integration with standard applications, Office, SAP, simple user interface, simple user management, self-registration, et cetera. If you have to classify, if you have to manage policies, it should be simple. And if you do it internally, start with defined use cases, not a big bang. Look at what are your quick-win scenarios where it's really important, what are your highest risk information, et cetera. Start here, do it here. Rights management from my perspective is key for information security and has to become part of information, sorry for typo, security strategies.
It can be deployed successfully in the defined use cases. And I think it can even be deployed on right now using the right technologies. It has to be simple and as non-intrusive as possible, and I'm convinced it will gain momentum. So we are sort of in a situation where we have a pretty interesting combination of demand from the business. So we have these concerns around security: how can we secure information? We have these regulatory compliance issues around protecting intellectual property, et cetera. So we have the demand from the business from various perspectives, also working more with business partners, new types of collaboration. There's the demand. And what we finally have, from my perspective, is we have a better supply on that. That's where them afterwards will talk about sort of the Microsoft supply on this business demand, looking at it from the Microsoft perspective.
And I think there are some interesting things then, and it's important for a lot of industries, virtually any industry. Clearly there are some which are of the highest relevance, such as government and military, finance, defense and aerospace, automotive and manufacturing, healthcare, pharma, life sciences, et cetera, all the ones which are highly sensitive from the information deals are, which have highly complex collaborative environments. And there's a good reason to look at information rights management again, even while you might have done it some years ago. If you did it five years ago, do it again now, because a lot of things have changed. And as I said, I'm a strong believer in secure information sharing. I'm a strong believer in information rights management. And so I think it's really time to look at this topic again, look at the approaches, consider technologies and look how to do it. I will right now hand over to them, Latina for Microsoft, who will talk about the Microsoft approach on doing this. And as I've said, I think it's a pretty interesting approach they're taking here. Dennis, your job.
Great. Thank you very much, Martin. Thanks everyone for attending. Good afternoon, and good morning for some of you on the US time zone. In terms of starting, I figured I'd start with our core promises. So these are the things that we would like to say that, once and for all, we're chasing down in the space of rights management. In some ways you can look at these core promises as addressing pretty plainly the gaps that we've had in rights protection in the past. So the first one is: times have changed, and it's important that any solution we build in the rights management space function on all important platforms. On Windows, we have the Windows 7 and 8 platform. We have the need to support the Windows Store applications as well as Windows Phone, but iOS and Android are absolutely critical to our strategy. In fact, iOS and Android have shipped in many instances before some of our other platforms. OS X, or the Mac platform, is important.
And then finally, enabling services via a RESTful interface so that those services can connect with our cloud service or our on-prem service. Platforms also take different forms. So for example, some organizations that we work with would like to protect data that they're placing in Azure, the Azure Blob storage. And so they can use a GitHub code library that we're gonna post shortly. We're also talking with print vendors, and then some other vendors have an interest in Linux. We haven't done Linux yet, but we may go after that at some point. We're also equally committed to supporting protection of any file type. In the past, we've had a little bit of a chicken and an egg problem where customers wanted to protect their data, and the Microsoft RMS solution at the time was prioritizing the Office file formats. And so customers didn't feel they could protect all of their files, maybe half, but not all.
And then the solution space vendors working in this space were not able to build products because there wasn't a sufficient number of customers. So we're taking an approach now where we protect any file types. We definitely prioritize a very rich native support. I call that an enlightened application. We'll touch on that later on, but we also support the concept of an RMS wrapper. And so you can think of a WinZip or a PGP type wrapper. Basically you're just wrapping a file in RMS. And when it gets to the other end, the file has to be authenticated in order to be used. But once it's open, the protection provides no form of enforcement. Still very powerful. It's probably the industry benchmark in terms of what can be done short of doing RMS, but it is very important to get there. And then another conversation I have with organizations is to help us lobby. Just recently, we've been working with Adobe.
A good number of customers have asked us for support for the Adobe product, specifically enabling RMS in Adobe Reader. And I was able to, with Adobe's permission, ask a couple of customers if they wanted support. And we ended up getting millions and millions of requests that I shared with Adobe, and now Adobe and us are partnering on creating an Adobe Reader plugin. So if you have other file formats, say you're in the automotive industry and you care about certain CAD formats, please help us. At the end of the presentation, there's a link for a survey. You'll have an opportunity to tell us what file formats you care about. And then I will go talk to all the vendors with the data that you provide to me. Enabling users to share data, or the verb we've put in our applications is "share protected", is important. Not only is it important, but you should be able to share with everyone. Specifically, you may have perimeters within your organization.
You could think of a SharePoint repository. Some organizations may have OpenText or Documentum. You have basically these repositories of important data, but data does travel. And Martin covered this well in the middle of his presentation, where he described the many phases in the life cycle of a document. We specialize in protecting data when it travels, and very few others can do this very well. Data should be born protected. It should stay protected throughout its life. You should be able to share it with anyone, whether it be within your business, I call it B within B, B2B, business to business, or business to consumer. When you share with others that don't have RMS support or the ability to authenticate, we give them RMS for free now. So there's a portal, and I'll describe this a little bit later on, but effectively you can send an RMS protected document to anyone.
And when they sign in, they're given RMS for free. And then finally, the difference between wrapping a document for generic protection or being able to share it in private with policy controls that you specify, such as can't forward or can't print, is a very important part of being able to share protected, and more and more organizations cite that need. Finally, and this is probably one of the less obvious but most important aspects that I feel RMS offers: point to point encryption solutions are opaque. They basically mean that if I send an email to Martin, my IT department doesn't know what I sent. If I send attached documents, PGP protected, my IT department doesn't know about it. And effectively data's flowing in a way that prevents the IT organization from doing its job. It has a job of governance. It has a job of, you know, meeting regulatory compliance, and it's having a hard time doing that.
If the data is encrypted in a way that they can't read it, some services or some deployments will perform key escrow, but it's a lot of work. Products like Exchange and SharePoint, basically because of their leverage of rights management services, do this very well. Every mail that flows through an Exchange pipeline, the email pipeline, will have its documents, even if they're protected, inspected for malware, for leakage and for viruses. And that's something that I think all organizations need. It's that balance between strong encryption and then doing the job that the IT department needs to do. So we're working on all of these. Not everything on this slide is done. For example, B2C is not fully lit up, but we will have much of this running later on in the summer and later in the year for different releases. I'll describe that. This is an example of our mobile platforms. I have a full walkthrough available on our blog, but I just wanted to show you a quick picture of an iOS device, an Android device, and a Windows Phone showing a secure image that was granted by Siri, the bottom line of the picture. And it was granted with view only rights. So here you basically have a symmetric experience. This experience also exists on your PC as well.
Talking a little bit about the building blocks. The intent here is to educate you a little bit to the mechanics of RMS and sort of how it permeates the ecosystem. And then I'll talk more about the choices that you have in terms of the architecture. Let's say that you have a document that contains your secret cola formula, which is water, high fructose corn syrup and brown number 16. This is something that you want to keep secret. So you protect it. The act of protecting the document protects the core of the document, in this case the secret cola formula, and it protects it with the symmetric key, the little green key at the bottom. What we then do is we take that green key and we put it in a policy, a license, if you wish. And that license includes the usage rights, what you would like for a given set of users to do and what rights they have, such as print, forward, edit, read, et cetera.
And then that payload, that license, is in turn protected with this red key, which is your organization-owned root key. It's your tenant key. That is the key that can unlock the symmetric key on all documents in your organization. So that red key is obviously a very important key and we need to treat it with great care, but it also means that every document is encrypted to a different symmetric key. And so there's a security layered in, in that way, for instances. And unprotecting the document is nothing more than taking this license and having it decrypted such that the green key, the symmetric key, could be extracted. Now, if we zoom out a little bit, you basically have this document on the left here, and then you have a series of applications such as the Office suite, Foxit, nitro desk, PDF readers, and pretty soon Adobe, with a plug-in we build, will be able to natively protect documents. The icon, the gray icon with the lock on it, is the RMS app.
So this is an application that I'll give you a pointer to later, and you'll be able to install it and you can protect any file, be it PDF, Office files or any files such as an AutoCAD DWG. And that application will let you right-click protect it to the best of your ability. Those applications are layered over software development kits, and those software development kits do all of the hard lifting. So if your organization would like to build products for line of business applications, you can layer over the SDK. And our new software development kit is really a beautiful thing. It's very, very simple. It takes only a few lines of software to protect files. You can even do it with PowerShell, with one cmdlet. And then finally the RMS SDK is obviously part of the client piece, and it will interact with one of two servers, either an on-premises rights management server that ships in Windows as a server role, or a Windows Azure role that is available for your use through the cloud.
I'm gonna show you this in a build slide in a moment, but this is an architectural roadmap of all of the moving parts of RMS. And before I do that, though, I'm gonna call out a couple things that you ought to pay attention to as I go through this. So one, as I walk you through the slide, this is something that many organizations don't necessarily internalize right away, but they say things like, "Oh, I'm afraid of the cloud. We're not a cloud company. You know, the cloud's not a friendly place to be." But the reality is that we're all in the same cloud. We're in this together, whether you like it or not. And the reason why is many of you collaborate, have a need to collaborate, support mobile users. And this means that you run some services in your DMZ, basically in the internet namespace.
And when you run RMS in your DMZ, you are actually running your RMS service in the exact same cloud that I run the same RMS service. So you are susceptible to the same attacks. You have to keep the same SLAs running, et cetera, et cetera. We're basically in this together. Now, as I go through this architectural build, there are certain things that you can own and run yourself. There are certain things you can rent. And the beauty of what we've been trying to do over the last 18 months is effectively create a very symmetrical offering where you can choose to stay more on premises, or you can choose to go all in, both feet in the cloud, and you can do anything in between. And that is super important. And so I'll walk you through that very carefully, where you'll be able to go through various click stops for RMS and additionally, very several click stops for identity federation.
And then finally, this is important. Hopefully the previous slide, where I walked you through how RMS works, made this clear, but running RMS in Azure is a great simplifying implementation. I can literally turn it on in three minutes for you. And if you do do that, my RMS servers do not see your data. So if you have an on-premises document and you share it with a thumb drive to some other secure partner of yours, but it was rights protected, you could lose the thumb drive and feel safe that no one's gonna see it because it was encrypted. And when the other person opens that document, that person will have to authenticate against your RMS instance to unlock it. If it's in the cloud, the entire document is not sent up to the cloud. The only thing sent to the cloud is a key dance, which basically brought down that green key, or the symmetric key that I described earlier, to the client so that it can unlock the document.
In fact, the green key is always available on premises for the owner of the document. So with that, with those three things to look at: one, we're in the same cloud; two, you have a choice of how you build out your infrastructure; and three, when you look at the Azure infrastructure, keep an eye on the moving parts to feel confident that I don't see your data. So this is what we've had for the last decade plus. Basically this is the core of AD RMS at the center, Active Directory Rights Management Services. You have AD, Active Directory, being used by your users. And AD RMS uses that as its form of authentication; it is basically the identity provider. Exchange, SharePoint and the file server role called the File Classification Infrastructure, FCI, all make use of RMS, as was Office 2007, 10 and 13. So you could basically deploy this today. A hundred percent of your infrastructure would be on premises, and it's moderately a moderate undertaking to do this. It's a heavier undertaking to do this deployment if you have many, many forests. Some companies have a large number of forests for some, these days, less justifiable reasons, but they do have a large number of forests. And that makes the burden a little heavier, but it's entirely possible. And many organizations do that, including my own, Microsoft.
We then built an equivalent infrastructure in Azure. When we built this infrastructure, we took the liberty to do a couple things I think really well. The first thing we did was we obviously made Office 2007, 10 and 13 continue to function against Azure RMS. The core focus is on 2010 and 13. 2007, the app itself has some issues when you do collaboration, but Office 2010 and 2013 work well with Azure RMS. Exchange Online and SharePoint Online, as part of the Office 365 suite, work very well with Azure RMS, and we've added the mobile devices. So these are new mobile device features. There's an application on each of these that I'll show you where to download, and that application can let you take a picture of a whiteboard and send a secure JPEG around. It can unlock any generically protected file. And it basically is the basis of our RMS mobile strategy.
Azure RMS has the ability to get identity proofing from Azure Active Directory. So your company would choose to use Azure AD, and it can do synchronization. Right now, the synchronization requires most properties of a user object to go up, but there's work underway that will be available in July where it'll be about 10 properties, effectively just the properties needed to do Azure RMS, nothing more, so you can enable your organization with Azure RMS in a very lightweight manner. And what's beautiful about this particular picture is, with any other company in the world that chooses to do Azure AD, you automatically can do secure collaboration, because Azure RMS will know how to do identity proofing for anyone who has an Azure AD instance. So this means business-to-business collab, and will eventually mean business-to-consumer collab, but it also enables us to create accounts for free for users that don't have an organizational account yet.
So for example, if I were to send a document to someone, Sally at Fabrikam, if Fabrikam does not yet have an Azure AD footprint, we will create one automatically. And that's beyond the scope of this discussion, but is available in detail on the blog. Now, Azure RMS obviously is holding high-value keys. These keys are the tenant keys, the God key, so to speak, that protects all your documents. And so you want us to take good care of it. And our infrastructure leverages something we call the key management service. This is a high-security service. It runs on Azure. It is partitioned across North America, EU and Asia Pacific. And by partitioning, I mean not only is the data only replicated within a geography, but as we added hardware security modules, those hardware security modules are initialized, bootstrapped; the technical term is they have a security world configured, so that European HSMs can only hold European keys.
A European key cannot be brought to the United States and loaded in an American HSM. So the HSMs that are initialized in Europe are only for the Europeans. The North American ones are only for North Americans, and the Asia Pacific users, their keys can only remain in Asia Pacific. Now, we will have far more geos in the future, but right now these are the three we have, and these are fully failover-tolerant infrastructures. So there's at least six, soon to be seven, data centers where everything is maintained. Now, this cloud service obviously works with Exchange Online and SharePoint Online, but many organizations still have an on-premise footprint. And so what we've done is we've created something we call the RMS connector, and what it does is it lets Exchange, SharePoint and Windows FCI on premises make use of Azure RMS.
And all the connector does is, effectively, it lies to Exchange, SharePoint and FCI and says, I have the ability to do RMS for you, but it's relaying the key dance that I described earlier to the Azure RMS endpoint. So this capability lets an on-premise company in just a few minutes, hours, deploy Azure RMS in the cloud, and then install a connector, which is a few lightweight roles. So this is a very interesting way of setting up your on-premise assets with RMS without having to deploy the full AD RMS. Now, some organizations have said, well, we like that, but we care deeply about sensitive data. You know, we're a banking organization. And so, you know, what do you do for on-prem? So what we've done is we're bringing our mobile endpoints back to on-premise, and we're also going to enable Azure AD collaboration from AD RMS. So both of these will light up. The mobile endpoints will come in the summer, and the external collaboration will come with the next update to Windows Server.
Now, if I were to summarize this, how could I do this really quickly? There are three types of organizations: you're either cloud reluctant, accepting, or ready. If you're cloud reluctant, say a bank or an internally focused organization, go ahead and run AD RMS. You can start now. We will add the mobile endpoints soon. And eventually you'll be able to get the B2B and B2C through Azure AD, which is a fantastic offering, because you get to keep on premise for most of your private stuff, and as you share with others, you can leverage some of the cloud benefits. Keep this out of a DMZ if you're very concerned, or effectively bet your bonus, so to speak, that you will become an expert on running RMS, because it is running in the same public cloud that I do. If you're cloud accepting, and I encourage many organizations to consider this seriously, you basically are an organization that has a collaborative bent or need, and you may be doing more mobile work with bring-your-own-device type endpoints.
So in these cases, you clearly don't want to part with your tenant key, but because of the work we've done with hardware security modules and Thales and Azure RMS, we'd encourage you to say, look, I think that it's actually quite a good offer. And an increasing number of organizations are looking at this as a great way to get started. A hybrid organization could obviously use the connector, and that just makes life easy as you start migrating somewhere close to the cloud, or even if this is your end point, with RMS running in the cloud for cloud. Finally, if you're a cloud-ready organization, we have videos online that show you this. Office 365 enables rapid deployment. I have a video online where, when talking slowly, we turn on Azure RMS, Office RMS for the clients, SharePoint secure libraries and Exchange data loss prevention, all within three minutes.
And you're effectively good to go here. Of note, when using Azure RMS and bring your own key, there's a special scenario with Exchange that involves a different form of key ceremony. And the reason for that is Exchange pretty much is in constant need of your key asset. So we've optimized that pipeline. They do anti-malware, anti-spam and data loss prevention. So they're unlocking all documents flowing through the Exchange pipeline; making a call out to the Azure RMS server for every use in that pipeline is not something that you'd want as an organization. Real quick, closing with a couple of common questions, anticipating some that may be asked: many of you likely already own RMS. RMS is included in your enterprise CAL, if you do ECAL today. If you have Office 365 E3 or E4, which is by far the most common enterprise SKU, you have RMS available to you and you can turn it on.
If neither of those cases is true, you can actually purchase a standalone client access license for RMS. I recommend you purchase the Azure one, even if you intend to use it on premise, because that enables the B2B collab, and that license does include the right to use AD RMS on premise. And finally, a common question is that RMS is a pay-once type model. So if you purchase it to use with Office, it's available for free for Exchange, SharePoint secure libraries, and you can even use products like Secude that does SAP data protection using RMS. And there would be no additional RMS licensing fees. It's the service you pay once; in that way, it's like Active Directory. The second most common question is starting small or writing full documents for DLP plans. I generally say start small, start focused, get going as soon as you can. Learn on the job; this is one of those things that's best to learn on the job. And then, many organizations are leaking data right now. Start now, pick a scenario, nail it, pick another scenario, nail it, and then just keep on going. And then finally, these are links for reference in the recorded talk. Thank you. Okay, Martin, back to you.
Thank you, Dan, for that presentation and the insight you provided into Azure RMS, which I think is definitely a new level for information rights management. And I think it's just really the sign we can do it right now. We can protect information better, and it's leaking legacy or moving forward; I think this is the question we have to answer. And we have some other questions here. And one question, I think, is pretty interesting: by finally relying on sort of a standard authentication you might have, isn't it that you reduce all the security to the password level then?
Yeah, it is a common question. I would agree, you do reduce your security to a password at that point. We are looking at adding the ability to protect an RMS document such that you would require a second factor auth. So the concept would be you say, protect this document, but this one is top secret, as opposed to just secret. And thus you could bind it to a smart card or something like the Azure multifactor authentication requirements, where you'd have a text. That said, today the document is floating around freely, can be shared with other people. And so password protection is leaps and bounds above what generally people are protecting their sensitive documents with today.
Okay. Another question which came in. And if anyone else has questions, just enter your questions now, so we can pick them up in this session. Then, could a European software-as-a-service provider license and host Azure RMS in a way similar to what Microsoft is offering in Azure, so including the RMS connector component?
Yeah. At this time we don't offer RMS sort of for a reseller, or what we call the service provider licensing agreement. We are working on... Yeah, no, we just don't provide it. The complexity ties into the prior question. If you did that, you'd actually have to host everything, because hosting just RMS doesn't give you enough. You'd have to host the identity provider. You'd have to host, you know, Azure Active Directory. You'd have to host pretty much the entire core service.
Okay. Question. So a little bit more from my side. So when you look at, so you're following this market for a while and, oh, maybe let's pick first that question. So how many European customers will share their document keys of their most sensitive documents with a US company?
Well, so this is one that I field, this question, a lot, so it's fantastic how that comes up. I'm on my way to Zurich and to Rome to meet with a large number of European companies on this topic. The general story that I would describe is, with the way we've done our HSM implementation, we've implemented BYOK, bring your own key, in such a way that your key is transcripted to our HSM security context, the European one, in a way that we can never see the key or leak the key; we can use the key. And to that end, we do logging and we give you near real-time logs written out to storage. And that particular offer has actually appeased a lot of folks. You know, sort of, candidly speaking, there's a joke that tends to float around in the information protection community, that the only reason why someone is served a sealed subpoena is when someone has done covert action on your organization, obtained the data they wanted, and now they need to use it in court.
At Microsoft, the sealed subpoena scenario has only happened three times in the history of Office 365 and BPOS-D, and not one of those three times was with a European company. And this is public; it is stated in Brad Smith's blogs on microsoft.com. So I think we've come a long way, and I'd encourage European companies to look at what we've done with Thales HSMs quite carefully.
Okay. I think that's a very, very good answer for a very complex problem. And I think what you'd see here is that there are concerns over here in Europe. On the other hand, I think we had this discussion right before the webinar started. I think when listening to what Edward Snowden said yesterday, in fact, his recommendation was: encrypt, that will help you. So I think this is also a piece of the answer, that even Snowden says encryption is probably the best thing you can do to protect yourself.
Yeah. And I think, you know, I should have said this earlier. There's a combination of two things that's very, very powerful here. I have a white paper on the blog that talks about the elephant in the room. If you don't give me your data, in other words, if you don't put your files in cloud storage and you protect it with Azure RMS, you're in a far, far better place. I still have to go get your data. And then I have to get into the Microsoft data center, the locked cages, et cetera. And I have to use those HSMs while in Europe, because those are the only HSMs that can lock the content. So I think the combination of keeping your data on premise, the most sensitive data anyway, and using something like Azure RMS lets you do secure business-to-business collab, keeps partitioning for, you know, your future Mr. and Mrs. Snowden in your own organization, but then also helps a great deal against this whole NSA storyline.
Yeah. And the other thing you brought up around password stuff: the thing we never should forget is, what are the real alternatives we have? So are we really better when we do everything on premise? So how good are we in mitigating risks on premise? I think this is something where we just should be fair. When looking at any type of cloud service, it's not that the one is better and the other's worse, but I think it's very important to just be fair and look at things and say, okay, what are the consequences of doing it here? What are the consequences of doing it there? Do we really meet all the ISO 27001:2013 controls internally at a higher level, or don't we do it? Are we just not aware of it?
I think this is really the thing where it's important to move from being sort of overly enthusiastic regarding the cloud on one hand, or being sort of paranoid, too paranoid maybe. I'm really looking at it very realistically, very much sitting back and looking at: these are the factors, these are my risks, I rate them. And then I can decide on what to do where. And I think there are some things currently which are important to understand regarding information security. And I think we had a lot of lessons learned over the last year. On the other hand, there are a lot of things which I have seen over the last year being announced as the holy grail for security, which just don't work or which just don't fully deliver on the promise. And so it's really about, I think, stepping back from this, or moving away from sort of a panic mode towards a realistic evaluation of all the things. I think that's the best thing we can do at all.
I fully agree. You know, building on what you just said, I probably have met with over 200 organizations at the executive briefing center. It's probably more like 300 now, in the executive briefing center here in Redmond, or as I travel and visit with our customers and future customers. The most of them, over half, will tell me that the NSA thing, though it is very disturbing, and may not happen to agree that it's very disturbing, it is not the biggest worry that they have. They have more problems with rodents, the unwanted guests in their networks, than they have a chance of the NSA coming and snooping in their business. And that is super important in my eyes, because that is where the core leakage opportunities lie. And frankly, the NSA's not, you know, that stupid. If they need to go get data and it's easier to, you know, go in through cover capture or any other organization, it's not just the American secret service.
Yes.
They will go in through cover capture. And as an organization these days, you have to feel very confident that you are able to keep those people out.
Okay, perfect. So I think this is an endless topic, but I think we have learned a lot, have discussed a lot of points around secure information sharing, information rights management, rights management services, Azure RMS. So we are at the end of this webinar. Thank you very much, Dan, for participating in this webinar. Thank you very much to the attendees for participating in this KuppingerCole webinar. We have a lot of upcoming webinars. I think there is a very interesting one on Azure AD, which is sometime in the April timeframe, which you might be very interested in, and various others. Have a look at our website, have a look at our conference. Maybe we meet in Munich then. Thank you. Have a nice day or a nice evening, depending on your time zone. Thank you, everyone.
Thanks, Martin, for the opportunity.