Share sensitive data internally and externally

Many data breaches are caused by cyberattacks, but many more are the result of human error: the "oops" moments in which an employee inadvertently leaks sensitive business data. With the right security information and data loss prevention controls in place, nearly all breaches of this kind are avoidable.

For businesses and users alike, sharing data is unavoidable. It is necessary, but it also creates one of the biggest challenges in the industry: how to enable data sharing across different devices while reducing leakage of the data that is shared with others. The threat landscape is even broader when sensitive data must be shared with external parties such as partners, customers, and other third parties.


In this context, enterprises commonly run projects in which employees must be able to collaborate internally across data silos and externally with third-party vendors, while security controls are aligned with the business and end-user behavior is shaped during the data classification and protection processes.

How can Enterprise Mobility + Security help you?

Enterprise Mobility + Security (EMS) is a cloud solution that protects corporate data on the device itself and beyond it, with four layers of protection across identities, devices, apps, and data. EMS helps solve one of the key challenges of a mobile-first, cloud-first world: delivering secure email to employees on the go, so that they can collaborate securely inside and outside the organization. EMS lets IT administrators apply Azure Rights Management policy templates to email. The usage rights are attached to the message itself, so the protection holds online and offline, and inside and outside the organization's firewall.

By integrating Azure Rights Management with Rights Management in Exchange Online, EMS lets an organization protect data that leaves it by email. The solution can be implemented for on-premises Exchange Server and for Exchange Online (Office 365). Both Information Rights Management (IRM) and Office 365 Message Encryption are policy based and designed to work with the Exchange transport rule engine, so a complex set of usage restrictions can be applied to a message with a single transport rule action.

Some of the capabilities available with this solution:

  • Help protect email against unauthorized access by applying different IRM options to messages.
  • Keep information safe online and offline, because files stay protected whether they are viewed in Office Online or downloaded to a local machine.
  • Seamless integration with Office documents helps guard the organization's intellectual property.
  • Apply custom templates based on business needs, in addition to the default Rights Management Services templates.

How to implement this solution

Exchange must be configured to use the information rights management (IRM) service backed by Azure RMS. Follow these steps to implement this solution:

  1. Integration with Exchange:
    • Exchange Online: enable Exchange Online to use Azure RMS
    • Exchange on-premises: deploy the Azure Rights Management connector
  2. Send a protected Office document using Exchange

How to share sensitive data internally and externally

Companies need to enable employees to collaborate internally across data silos and externally with third-party vendors, while aligning security controls with the business and shaping end-user behavior in the data classification and protection processes. Data sharing becomes a critical part of that process, and organizations need to enable it while reducing the likelihood that the privacy and integrity of the data will be compromised.

Step 1: Integration with Exchange

Rights Management protection is applied to an email message by applying an Azure Rights Management policy template to it. The first step to enable this integration depends on where Exchange is located: in the cloud (Exchange Online) or on-premises.

Enable Rights Management integration with Exchange Online

To configure Exchange Online to support Azure RMS, you must configure the information rights management (IRM) service for Exchange Online. In the article Office 365: Configuration for clients and online services, follow the steps in the section Exchange Online: IRM Configuration.

The last step is a test that validates the configuration; the result should look like the following screen, with every check passing:

[Screenshot: PowerShell output of the IRM configuration test]
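The following is an added example, not part of the original page, showing what Step 1 for Exchange Online and the transport-rule capability described earlier look like when typed into PowerShell: it enables Azure RMS licensing for the tenant, runs the validation test, and then creates a transport rule that applies a Rights Management template to outbound mail. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account is an Exchange administrator; contoso.com, alice@contoso.com, and the rule name are placeholder values.

```powershell
# Added example (not from the original page): enable Azure RMS for Exchange Online,
# validate the configuration, then apply an RMS template through a transport rule.
# Assumes the ExchangeOnlineManagement module; contoso.com and alice@contoso.com are placeholders.

Connect-ExchangeOnline

# Step 1: turn on Azure RMS licensing for the tenant. Older tenants followed the
# longer sequence (Set-IRMConfiguration -RMSOnlineKeySharingLocation ... followed by
# Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"); current tenants
# only need this switch.
Set-IRMConfiguration -AzureRMSLicensingEnabled $true

# Let Exchange issue licenses for protected mail and decrypt it for transport
# rules and journaling when the key is available (Optional never blocks mail flow).
Set-IRMConfiguration -InternalLicensingEnabled $true -TransportDecryptionSetting Optional

# Validation: this is the "final test" mentioned above. Every line of the result
# should read PASS; any FAIL means the rule below will not actually protect mail.
$result = Test-IRMConfiguration -Sender alice@contoso.com
$result | Format-List

# Templates the tenant can apply. "Do Not Forward" is built in; custom templates
# published from the Azure portal appear here as well.
Get-RMSTemplate | Format-Table Name, Description

# Transport-rule part: protect any message leaving the organization whose subject
# or body carries the word "Confidential". One rule action applies the whole
# template (no forward, no copy, no print), which is the single-action point above.
New-TransportRule -Name "Protect confidential mail leaving the org" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "Confidential" `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Mode Enforce

# Confirm the rule is enabled and bound to the template, then test end to end by
# sending a message with "Confidential" in the subject to an external mailbox.
Get-TransportRule "Protect confidential mail leaving the org" |
    Format-List Name, State, Mode, ApplyRightsProtectionTemplate
```

Start the rule in `-Mode Audit` (or `AuditAndNotify`) if you want to see which messages it would catch before enforcing it; a rule keyed on a single word is easy to miss or to over-match, and auditing first avoids both silently leaking and silently locking down mail.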

Enable Rights Management integration with Exchange on-premises

To integrate Rights Management with on-premises Exchange, configure the Microsoft Rights Management (RMS) connector. The connector lets existing on-premises Exchange servers use their Information Rights Management (IRM) functionality with the cloud-based Microsoft Rights Management service (Azure RMS). You can use the connector in a hybrid scenario, even when some of your users connect to online services.

Review the prerequisites for installing the RMS connector and follow the five steps in the article Installing and configuring the Azure Rights Management connector.
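As an added example (not from the original page or the connector article), the server-side part of the connector setup, run on an Exchange server after the connector itself has been installed and the server has been added to the connector's authorized servers. It assumes the connector is published at https://rmsconnector.contoso.com, that the GenConnectorConfig.ps1 script from the connector download has been copied to the server, and that the commands are run from an elevated Exchange Management Shell; the script name and its -ConnectorUri and -SetExchange2013 parameters are taken from the connector documentation, and the host names and mailbox are placeholders.

```powershell
# Added example (not from the original page): point an on-premises Exchange server at
# the RMS connector and verify the result. Assumes the connector is installed and
# authorized for this server; rmsconnector.contoso.com and bob@contoso.com are placeholders.

# Run once per Exchange server (Exchange 2013 or later) from an elevated prompt.
# The script writes the registry values that redirect Exchange's IRM calls from an
# on-premises AD RMS cluster to the connector. The URL must be HTTPS; the connector
# rejects plain HTTP and the script expects a TLS endpoint.
.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetExchange2013

# Transport picks up the new registry settings only after a restart.
Restart-Service MSExchangeTransport

# Enable IRM for mail inside the organization and for mail to external recipients
# (the hybrid scenario above). Both switches are required for transport-rule
# protection to be applied on outbound mail.
Set-IRMConfiguration -InternalLicensingEnabled $true -ExternalLicensingEnabled $true

# Validation. Every check should report PASS; a failure at the licensing or
# certification step usually means this server is missing from the connector's
# authorized-servers list, or cannot reach the HTTPS endpoint (firewall, proxy, cert).
Test-IRMConfiguration -Sender bob@contoso.com

# Show the effective settings so the change can be recorded for the change ticket.
Get-IRMConfiguration | Format-List InternalLicensingEnabled, ExternalLicensingEnabled, LicensingLocation
```

Repeat the script and the restart on every Exchange server that handles mail flow; a server that was missed keeps using the old AD RMS settings and will fail the test while its peers pass.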

Step 2: Send a protected document using Exchange

Follow Step 3 of the Secure data using classification and labeling scenario to install the RMS sharing application. If you need to support other types of clients, see the article Rights Management sharing application: Installation and configuration for clients for details on installing the RMS sharing application.

To share an Office document, for example directly from Word, use the Share Protected icon in the ribbon, shown in the following image:

[Screenshot: Share Protected icon in the Word ribbon]

After you click this option, the Share Protected dialog opens with the details of how you want to share the document, shown in the following image:

[Screenshot: Share Protected dialog]

At the top of this window, type the target user's email address and select the type of access you want to grant that user. At the bottom, you can set an expiration date for the document and enable the option to receive an email every time someone tries to open it. After making your selections, click Send; Outlook opens a new message with the protected document attached, as shown in the following screen:

[Screenshot: New Outlook message with the protected document attached]
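The dialog above is the interactive path. As an added example, not from the original page, the same outcome scripted with the RMS Protection cmdlets that ship alongside the RMS sharing application (the RMS Protection tool): an ad hoc license that gives one external recipient view-only rights for a limited time, applied to a copy of the file, verified, and mailed. It assumes the RMSProtection module is installed and the current user can authenticate to Azure RMS; alice@contoso.com, partner@fabrikam.com, the paths, and the SMTP host are placeholders, and the parameter names of New-RMSProtectionLicense are taken from the tool's documentation (check Get-Help if your version differs).

```powershell
# Added example (not from the original page): scripted equivalent of the Share Protected
# dialog using the RMS Protection cmdlets. Assumes the RMSProtection module; all names,
# paths and addresses are placeholders.

Import-Module RMSProtection

$file      = 'C:\Docs\Proposal.docx'
$outFolder = 'C:\Docs\Protected'
$owner     = 'alice@contoso.com'
$recipient = 'partner@fabrikam.com'

# Equivalent of choosing "Viewer" and an expiry date in the dialog: an ad hoc license
# granting the recipient VIEW only, valid for 14 days. Because the rights live inside
# the file, they hold offline and outside the organization's firewall as well.
$license = New-RMSProtectionLicense -OwnerEmail $owner `
    -UserEmail $recipient `
    -Permission VIEW `
    -ValidForDays 14

# Protect a copy rather than the original (no -InPlace), so the unprotected master
# stays in its controlled location and only the protected copy leaves it.
$protected = Protect-RMSFile -File $file -License $license -OutputFolder $outFolder

# Never mail the file on faith: confirm the output is actually protected first.
$status = Get-RMSFileStatus -File $protected.OutputFile
if ($status.Status -ne 'Protected') {
    throw "Protection was not applied to $($protected.OutputFile); not sending."
}

# Hand off to mail, which is what the dialog does by opening Outlook. Send-MailMessage
# is used here only because it is built in; it does not itself add any protection,
# the RMS license inside the attachment does.
Send-MailMessage -From $owner -To $recipient `
    -Subject 'Proposal (protected, view-only, expires in 14 days)' `
    -Body 'The attached document is protected; you can view it but not forward or copy it.' `
    -Attachments $protected.OutputFile `
    -SmtpServer 'smtp.contoso.com'
```

The expiry set here bounds how long a leaked copy stays readable, which is the practical value of the date field in the dialog; for a recurring exchange with a partner, publish a custom template in the Azure portal and pass its TemplateId to Protect-RMSFile instead of building an ad hoc license each time.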

Important

Watch the Collaborate securely using Azure Information Protection presentation from Microsoft Ignite for more information about this scenario.