Microsoft today announced the preview of Hold Your Own Key, an information protection feature designed to support organizations that must comply with complex regulatory and compliance policies. Whereas Bring Your Own Key (BYOK) hosts the RMS key in Azure Key Vault HSMs, Hold Your Own Key has you operate your own AD, your own RMS server, and your own HSMs for key retention.
- You deploy Azure Information Protection in your organization following the usual guidance. In effect, the Azure Information Protection services (Azure RMS, Admin Information protection configuration in Azure) are always cloud hosted, but they enable you to operate in a cloud-only, hybrid, or on-premises-only (via the RMS connector) deployment.
- Azure RMS is where you define your Azure RMS protection policies for sensitive data.
- AD RMS is where you define your AD RMS protection policies for ‘top-secret’ data.
- Your Azure Information Protection service is where you define all your classification labels. Most of them will be bound to an Azure RMS server but some can now be bound to an AD RMS server.