Keep Your Information Safe! Josh Heller Sr. Product Manager Microsoft Corporation SIA206


New Demands on IT

Expanding Importance of Identity

Advanced Persistent Threat

Cloud Computing

Government Interests

Consumerization of IT


The Advanced, Persistent Threat

Information Privacy is the most important security concern in the enterprise, outranking malware for the first time


So how does this happen?

• Ex-employees, partners, customers
• Over 1/3 due to negligence
• Nearly 30% of loss on portable devices
• Increasing loss from external collaboration

Estimated sources of data breach
(Global State of Information Security Survey, PriceWaterhouseCoopers 2010)

Likely Source       2008   2009   2010
Current Employee    34%    33%    32%
Former Employee     16%    29%    23%
Hacker              28%    26%    31%
Customer            8%     10%    12%
Partner/Supplier    7%     8%     11%
Unknown             42%    39%    34%

[Chart: Percentage cause of data breach, by country (US, DE, FR, DE, AU), 0% to 100%; series: System Glitch, Negligence, Malicious Attack. Source: Cost of Data Breach report, Ponemon Institute 2010]


Information Protection

Discover, protect and manage confidential data throughout your business with a comprehensive solution integrated into the platform and applications

Protect everywhere, access anywhere
• Protect critical data wherever it goes
• Protect data wherever it resides
• Secure endpoints to reduce risk

Simplify security, manage compliance
• Simplify deployment and ongoing management
• Enable compliance with information security policy

Integrate and extend security
• Extend confidential communication to partners
• Built into the Windows platform and Microsoft applications


Active Directory Rights Management Services


Persistent Protection

Encryption + Policy: Access Permissions, Use Right Permissions

• Provides identity-based protection for sensitive data
• Controls access to information across the information lifecycle
• Allows only authorized access based on trusted identity
• Secures transmission and storage of sensitive information wherever it goes – policies embedded into the content; documents encrypted
• Embeds digital usage policies (print, view, edit, expiration, etc.) into the content to help prevent misuse after delivery

AD Rights Management Services


The AD RMS Process: Document Protection & Consumption

[Diagram: numbered steps 1 to 5 between the Information Author, AD RMS and the Recipient]


Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages

Data in Motion: Exchange 2010 and AD RMS Integration

Automatic Content-Based Privacy:
• Transport Rule action to apply AD RMS template to e-mail message
• Transport Rules support regex scanning of attachments in Exchange 2010
• Do Not Forward policy available out of box


Data at Rest: Integrating SharePoint with AD RMS

When content is downloaded from a library…
• RMS protection automatically applied
• Information still searchable in SharePoint library

SharePoint Server

AD RMS


Data at Rest: Generic File Protection Explorer

• Data protection from Rights Management Services for all file types
• Files are stored in a Rights Protected Folder – a protected archive


Demo

AD Rights Management Services


Dynamic Access Control 101

• Classification: What data do I have?
• Access Control: Who should have accessed it?
• Auditing: Who has accessed it, and how?
• RMS Protection: How do I protect my sensitive data?


Classify Information

Modify / Create file

Determine classification

Save classification

In-box content classifier

3rd party classification plugin

Location

Manual

Contextual

Application


Centralized Access to Files

USER CLAIMS
User.Department = Finance
User.Clearance = High

DEVICE CLAIMS
Device.Department = Finance
Device.Managed = True

FILE PROPERTIES
File.Department = Finance
File.Impact = High

ACCESS POLICY
For access to finance information that has high business impact, a user must be a finance department employee with a high security clearance, and be using a managed device registered with the finance department.

Active Directory

File Server

Components


Access Denied Remediation Workflow

Access denied remediation provides a user access to a file when it has been initially denied:

1. The user attempts to read a file.

2. The server returns an “access denied” error message because the user has not been assigned the appropriate claims.

3. On a computer running Windows® 8, Windows retrieves the access information from the File Server Resource Manager on the file server and presents a message with the access remediation options, which may include a link for requesting access.

4. When the user has satisfied the access requirements (e.g. signs an NDA or provides other authentication) the user’s claims are updated and the user can access the file.


Auditing For Compliance And Analysis

Today
• Audit is all or nothing
• Not contextual information

Windows Server 2012
• Expression based auditing
• Audit resource attribute changes
• Enhanced audit entries to include context required for compliance and operational reporting

USER CLAIMS
User.Department = Finance
User.Clearance = High

DEVICE CLAIMS
Device.Department = Finance
Device.Managed = True

FILE PROPERTIES
File.Department = Finance
File.Impact = High

AUDIT POLICY
Audit Success/Fail if (File.Department == Finance) OR (File.Impact == High)
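The access policy and audit policy on the slides above can be read as comparisons over user claims, device claims and file properties. The following Python model is an added example, not Microsoft's code and not how Windows performs the access check; the rule layout, the function names and the sample identities are assumptions constructed for illustration.

```python
# Added example: a simplified model of claims-based access and audit decisions.
# Claim and property names come from the slides; the rule layout and the
# evaluation logic are illustrative assumptions, not Windows internals.

ACCESS_RULE = {
    # Target condition: which files the central access rule governs.
    "target": [("File.Department", "Finance"), ("File.Impact", "High")],
    # Claims the user and device must all present to be granted access.
    "require": [("User.Department", "Finance"), ("User.Clearance", "High"),
                ("Device.Department", "Finance"), ("Device.Managed", True)],
}
# Audit expression from the slide: any one matching condition triggers an audit.
AUDIT_ANY = [("File.Department", "Finance"), ("File.Impact", "High")]


def holds(condition, ctx):
    """Compare one 'Scope.Attribute' against its expected value.
    A claim that is absent never matches, so missing claims fail closed."""
    name, expected = condition
    scope, attr = name.split(".")
    return ctx.get(scope, {}).get(attr) == expected


def evaluate(user, device, file_props):
    """Return the access and audit outcome for one request."""
    ctx = {"User": user, "Device": device, "File": file_props}
    governed = all(holds(c, ctx) for c in ACCESS_RULE["target"])
    unmet = [c[0] for c in ACCESS_RULE["require"] if not holds(c, ctx)] if governed else []
    return {
        "governed": governed,                        # False: only the file's own ACL decides
        "allowed": (not unmet) if governed else None,
        "unmet": unmet,                              # what a remediation message could list
        "audited": any(holds(c, ctx) for c in AUDIT_ANY),
    }


# Constructed sample identities and files.
FINANCE_USER = {"Department": "Finance", "Clearance": "High"}
MANAGED_PC = {"Department": "Finance", "Managed": True}
UNMANAGED_PC = {}  # presents no device claims
FINANCE_HBI = {"Department": "Finance", "Impact": "High"}
HR_HBI = {"Department": "HR", "Impact": "High"}

if __name__ == "__main__":
    for label, device, props in [("managed device", MANAGED_PC, FINANCE_HBI),
                                 ("unmanaged device", UNMANAGED_PC, FINANCE_HBI),
                                 ("HR file", MANAGED_PC, HR_HBI)]:
        print(label, evaluate(FINANCE_USER, device, props))
```

The HR file case shows that the audit expression (an OR) covers more files than the access rule's target condition (an AND), so a high-impact file can be audited without being governed by the finance rule.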


Protecting Sensitive Information

Dynamic Access Control allows sensitive information to be automatically protected using AD Rights Management Services

1. A rule is created to automatically apply RMS protection to any file that contains the word “confidential”.

2. A user creates a file with the word “confidential” in the text and saves it.

3. The RMS Dynamic Access Control classification engine, following rules set in the Central Access Policy, discovers the doc with the word “confidential” and initiates RMS protection accordingly.

4. The RMS template and encryption are applied to the document on the file server and it is classified and encrypted.


Dynamic Access Control


Dynamic Access Control on File Servers

Classification
• File inherits classification tags from parent folder
• Manual tagging by owner
• Automatic tagging
• Tagging by applications

Access Control
• Central access policies based on classification
• Expression-based access conditions for user claims, device claims, and file tags
• Access denied remediation

Auditing
• Central audit policies can be applied across multiple file servers
• Expression-based audits for user claims, device claims, and file tags
• Staging audits to simulate policy changes in a real environment

RMS Protection
• Automatic Rights Management Services (RMS) protection for Microsoft Office documents
• Near real-time protection when a file is tagged
• Extensibility for non-Office RMS protectors


Find Me Later in the TLC Windows Server 2012 Identity Booth


Resources

Connect. Share. Discuss.

http://northamerica.msteched.com

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Resources for Developers

http://microsoft.com/msdn


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
