Azure Information Protection Hold Your Own Key (HYOK) in the preview is an information protection feature designed to support organizations that need to comply with complex regulation and compliance policies.
This capability is available as part of the recently-announced public preview of Azure Information Protection. “You need to have Azure Information Protection client version 1.0.233 or higher,” MSFT team stated.
Additionally, this capability also require an Azure Information Protection Premium P2 license (part of the EMS E5 SKU).
Microsoft notes that Office integration is limited to Office 2013 and 2016, and that Office 2010 will not be supported for HYOK.
And, Windows support is only for Windows 7 or higher.
However, you need to have AD RMS working in your environment, “with single sign-on setup, and only use one root cluster of AD RMS servers.”
“There is no need for AD RMS mobile device extension,” the team stated.
In fact, enabling RMS in the DMZ or on mobile devices per above is not recommend.
The Azure Information Protection HYOK (Hold Your Own Key) feature is about enabling organization to protect data where they “hold the key,” explains MSFT.
Adding, on the other hand, “BYOK (Bring Your Own Key) hosts the RMS key in Azure Key Vault HSMs.” Whereas “HYOK allows enterprises host your own AD, your own RMS server, and your own HSMs for key retention,” the team explained.
Setting up HYOK is quite simple—at a top level you deploy multiple RMS services within a singular Azure Information Protection environment:
- “You deploy Azure Information Protection in your organization as per usual guidance. In effect, the Azure Information Protection services (Azure RMS, Admin Information protection configuration in Azure) are always cloud hosted but they enable you to operate in a cloud-only, hybrid, or on-premises only (via the RMS connector) deployment.”
- Azure RMS is where you define your Azure RMS protection policies for sensitive data.
- AD RMS is where you define your AD RMS protection policies, for ‘top-secret’ data.
- Y”our Azure Information Protection service is where you define all your classification labels. Most of them will be bound to an Azure RMS server but some can now be bound to an AD RMS server,” explains Microsoft.
For more reference HYOK, you can head over this post, or download Azure Information Protection Public Preview client version 1.0.233 here.
In another Azure news, Azure RemoteApp will gradually “wind down” over the next year in favor of application virtualization software and services from Citrix.
In a blog post, Microsoft made the announcement stating “the next step in our broad partnership with Citrix in the remote desktop and applications space.”
Further they said, existing Azure RemoteApp customers will be supported through August 31st, 2017. After, which the service will be discontinued.
New purchases of Azure RemoteApp will end as of October 1st, 2016.
Microsoft said they’re in-touch with customers to ensure their better understanding of avilable options and smooth transition.
About additional options, the company said customers can “move to a hosted solution through one of our many hosting partners,” as well as “Remote Desktop Services deployed on Azure IaaS.”
Below is the email sent out to RemoteApp customers, from that email:
Following Microsoft’s annoucement of August 12, Citrix issued the statement noting,
“This future Citrix XenApp “express” offering will combine the simplicity and speed of Microsoft Azure RemoteApp with many of the enterprise capabilities of Citrix XenApp to revolutionize app delivery from the cloud.”