Keep Your Information Safe!

Josh Heller, Sr. Product Manager, Microsoft Corporation

SIA206


New Demands on IT

Expanding Importance of Identity

Advanced Persistent Threat

Cloud Computing

Government Interests

Consumerization of IT

The Advanced, Persistent Threat

Information Privacy is the most important security concern in the enterprise, outranking malware for the first time

So how does this happen?

• Ex-employees, partners, customers
• Over 1/3 due to negligence
• Nearly 30% of loss on portable devices
• Increasing loss from external collaboration

[Chart: Percentage cause of data breach, per country (US, DE, FR, DE, AU), broken down into System Glitch, Negligence and Malicious Attack. Source: Cost of Data Breach report, Ponemon Institute 2010]

Estimated sources of data breach (Global State of Information Security Survey, PriceWaterhouseCoopers 2010):

Likely Source       2008   2009   2010
Current Employee     34%    33%    32%
Former Employee      16%    29%    23%
Hacker               28%    26%    31%
Customer              8%    10%    12%
Partner/Supplier      7%     8%    11%
Unknown              42%    39%    34%

Information Protection

Discover, protect and manage confidential data throughout your business with a comprehensive solution integrated into the platform and applications

• Protect critical data wherever it goes

• Protect data wherever it resides

• Secure endpoints to reduce risk

Protect everywhere, access anywhere

• Simplify deployment and ongoing management

• Enable compliance with information security policy

Simplify security, manage compliance

• Extend confidential communication to partners

• Built into the Windows platform and Microsoft applications

Integrate and extend security

Active Directory Rights Management Services

Persistent Protection

Encryption + Policy: access permissions, use right permissions

• Provides identity-based protection for sensitive data
• Controls access to information across the information lifecycle
• Allows only authorized access based on trusted identity
• Secures transmission and storage of sensitive information wherever it goes: policies embedded into the content; documents encrypted
• Embeds digital usage policies (print, view, edit, expiration, etc.) into the content to help prevent misuse after delivery

AD Rights Management Services

The AD RMS Process: Document Protection & Consumption

[Diagram: the AD RMS process as numbered steps 1 to 5 exchanged between the Information Author, the AD RMS server and the Recipient]

Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages

Data in Motion: Exchange 2010 and AD RMS Integration

Automatic Content-Based Privacy:
• Transport Rule action to apply AD RMS template to e-mail message
• Transport Rules support regex scanning of attachments in Exchange 2010
• Do Not Forward policy available out of box

Data at Rest: Integrating SharePoint with AD RMS

When content is downloaded from a library:
• RMS protection automatically applied
• Information still searchable in SharePoint library

SharePoint Server

AD RMS

Data at Rest: Generic File Protection Explorer

• Data protection from Rights Management Services for all file types
• Files are stored in a Rights Protected Folder, a protected archive

Demo

AD Rights Management Services

Dynamic Access Control 101

Classification, Access Control, Auditing, RMS Protection

• What data do I have?
• Who should have accessed it?
• Who has accessed it, and how?
• How do I protect my sensitive data?

Classify Information

Modify / Create file

Determine classification

Save classification

In-box content classifier

3rd party classification plugin

Location

Manual

Contextual

Application

Centralized Access to Files

USER CLAIMS
User.Department = Finance
User.Clearance = High

ACCESS POLICY
For access to finance information that has high business impact, a user must be a finance department employee with a high security clearance, and be using a managed device registered with the finance department.

DEVICE CLAIMS
Device.Department = Finance
Device.Managed = True

FILE PROPERTIES
File.Department = Finance
File.Impact = High

Active Directory

File Server

Components

Access Denied Remediation Workflow

Access denied remediation provides a user access to a file when it has been initially denied:

1. The user attempts to read a file.

2. The server returns an “access denied” error message because the user has not been assigned the appropriate claims.

3. On a computer running Windows® 8, Windows retrieves the access information from the File Server Resource Manager on the file server and presents a message with the access remediation options, which may include a link for requesting access.

4. When the user has satisfied the access requirements (e.g. signs an NDA or provides other authentication) the user’s claims are updated and the user can access the file.


Auditing For Compliance And Analysis

Today:
• Audit is all or nothing
• Not contextual information

Windows Server 2012:
• Expression based auditing
• Audit resource attribute changes
• Enhanced audit entries to include context required for compliance and operational reporting

USER CLAIMS
User.Department = Finance
User.Clearance = High

AUDIT POLICY
Audit Success/Fail if (File.Department==Finance) OR (File.Impact=High)

DEVICE CLAIMS
Device.Department = Finance
Device.Managed = True

FILE PROPERTIES
File.Department = Finance
File.Impact = High

Protecting Sensitive Information

Dynamic Access Control allows sensitive information to be automatically protected using AD Rights Management Services

1. A rule is created to automatically apply RMS protection to any file that contains the word “confidential”.

2. A user creates a file with the word “confidential” in the text and saves it.

3. The RMS Dynamic Access Control classification engine, following rules set in the Central Access Policy, discovers the doc with the word “confidential” and initiates RMS protection accordingly.

4. The RMS template and encryption are applied to the document on the file server and it is classified and encrypted.
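The claims, access policy, audit policy and "confidential" classification rule from the preceding Dynamic Access Control slides, modelled together in one small added example (not code from the deck or from Windows Server); the claim and property names are the slides' own, while the function names, the rule encoding and the sample values are assumptions for illustration:

```python
# Added example, not code from the deck or from Windows Server: a minimal model of how
# Dynamic Access Control combines content classification, user and device claims, a
# central access rule and an audit rule. Claim names come from the slides; the rest is assumed.
from dataclasses import dataclass


@dataclass
class Principal:
    user: dict    # user claims issued by Active Directory, e.g. {"Department": "Finance"}
    device: dict  # device claims, e.g. {"Department": "Finance", "Managed": True}


def classify(text: str, props: dict) -> dict:
    """In-box content classifier from the slides: a file whose text contains the word
    'confidential' is tagged, and that tag is what triggers RMS protection."""
    tags = dict(props)
    if "confidential" in text.lower():
        tags["Confidential"] = True
    return tags


def needs_rms_protection(tags: dict) -> bool:
    return tags.get("Confidential") is True  # file server applies the RMS template to these


def rule_applies(f: dict) -> bool:
    # Resource condition: the central access rule targets finance high-impact files only.
    return f.get("Department") == "Finance" and f.get("Impact") == "High"


def rule_permits(p: Principal) -> bool:
    # Access policy from the slide: finance user, High clearance, managed finance device.
    u, d = p.user, p.device
    return (u.get("Department") == "Finance" and u.get("Clearance") == "High"
            and d.get("Department") == "Finance" and d.get("Managed") is True)


def audit_applies(f: dict) -> bool:
    # Audit policy from the slide: Success/Fail if (File.Department==Finance) OR (File.Impact==High)
    return f.get("Department") == "Finance" or f.get("Impact") == "High"


def check_access(p: Principal, f: dict) -> dict:
    """One read request: a file outside the rule's resource condition falls through to the
    normal ACL (modelled as allow); inside it, access needs the claims the rule demands,
    otherwise the user gets the access-denied remediation text instead of a bare error."""
    if not rule_applies(f) or rule_permits(p):
        decision, remediation = "allow", None
    else:
        decision = "deny"
        remediation = ("Access needs Finance department membership, High clearance and a "
                       "managed device registered with Finance; use the link to request access.")
    return {"decision": decision, "remediation": remediation, "audited": audit_applies(f)}
```

The "audited" flag is independent of the decision, matching the slide's Success/Fail audit rule: a denied read of a finance file is logged with the same claim context as a permitted one.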


Dynamic Access Control

Dynamic Access Control on File Servers

Classification:
• File inherits classification tags from parent folder
• Manual tagging by owner
• Automatic tagging
• Tagging by applications

Access Control:
• Central access policies based on classification
• Expression-based access conditions for user claims, device claims, and file tags
• Access denied remediation

Auditing:
• Central audit policies can be applied across multiple file servers
• Expression-based audits for user claims, device claims, and file tags
• Staging audits to simulate policy changes in a real environment

RMS Protection:
• Automatic Rights Management Services (RMS) protection for Microsoft Office documents
• Near real-time protection when a file is tagged
• Extensibility for non-Office RMS protectors


Find Me Later in the TLC Windows Server 2012 Identity Booth


Resources

Connect. Share. Discuss.

http://northamerica.msteched.com

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Resources for Developers

http://microsoft.com/msdn


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.