Collaboration. It’s a term I hear at least a few times a day when speaking to my user base. The ability to seamlessly collaborate with team members, across the organization, with trusted partners, and with customers is a must. It’s a driving force between much of the evolution of software-as-a-service collaboration offerings such as Office 365. While the industry is evolving to make collaboration easier than ever, it’s also introducing significant challenges for organizations to protect and control their data.
In a recent post I talked about Microsoft’s entry into the cloud access security broker (CASB) market with Cloud App Security (CAS) and its capability to provide auditing and alerting on activities performed in Amazon Web Services (AWS). Microsoft refers to this collection of features as the Investigate capability of CAS. Before I cover an example of the Control features in action, I want to talk about the product that works behind the scenes to provide CAS with many of the Control features.
That product is Azure Information Protection (AIP) and it provides the capability to classify, label, and protect files and email. The protection piece is provided by another Microsoft product, Azure Active Directory Rights Management Services (Azure RMS). Beyond just encrypting a file or email, Azure RMS can control what a user can do with a file such as preventing a user from printing a document or forwarding an email. The best part? The protection goes with the data even when it leaves your security boundary.
For those of you that have read my blog you can see that I am a huge fanboy of the predecessor to Azure RMS, Active Directory Rights Management Services (AD RMS, previously Rights Management Service or RMS for you super nerds). AD RMS has been a role available in Microsoft Windows Server since Windows Server 2003. It was a product well ahead of its time that unfortunately never really caught on. Given my love for AD RMS, I thought it would be really fun to do a series looking at how AIP has evolved from AD RMS. It’s a dramatic shift from a rather unknown product to a product that provides capabilities that will be as standard and as necessary as Antivirus was to the on-premises world.
I built a pretty robust lab environment (two actually) such that I could demonstrate the different ways the solutions work as well as demonstrate what it looks to migrate from AD RMS to AIP. Given the complexity of the lab environment, I’m going to take this post to cover what I put together.
The layout looks like this:
On the modern end I have an Azure AD tenant with the custom domain assigned of geekintheweeds.com. Attached to the tenant I have some Office 365 E5 and Enterprise Mobility + Security E5 trial licenses For the legacy end I have two separate labs setup in Azure each within its own resource group. Lab number one contains three virtual machines (VMs) that run a series of services included Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), AD RMS, and Microsoft SQL Server Express. Lab number two contains four VMs that run the same set as services as Lab 1 in addition to Active Directory Federation Services (AD FS) and Azure Active Directory Connect (AADC). The virtual network (vnet) within each resource group has been peered and both resource groups contain a virtual gateway which has been configured with a site-to-site virtual private network (VPN) back to my home Hyper-V environment. In the Hyper V environment I have two workstations.
Lab 1 is my “legacy” environment and consists of servers running Windows 2008 R2 and Windows Server 2012 R2 (AD RMS hasn’t changed in any meaningful manner since 2008 R2) and a client running Windows 7 Pro running Office 2013. The DNS namespace for its Active Directory forest is JOG.LOCAL. Lab 2 is my “modern” environment and consists of servers running Windows Server 2016 and a Windows 10 client running Office 2016 . It uses a DNS namespace of GEEKINTHEWEEDS.COM for its Active Directory forest and is synchronized with the Azure AD tenant I mentioned above. AD FS provides SSO to Office 365 for Geek in The Weeds users.
For AD RMS configuration, both environments will initially use Cryptographic Mode 1 and will have a trusted user domain (TUD). SQL Server Express will host the AD RMS database and I will store the cluster key locally within the database. The use of a TUD will make the configuration a bit more interesting for reasons you’ll see in a future post.
Got all that?
In my next post I’ll cover how the architecture changes when migrating from AD RMS to Azure Information Protection.