Using Dynamic Access Control and Rights Management for Information Protection
PCIT-B214
Nir Ben-Zvi, Stan Symms
This session

Agenda:
• Intro to Dynamic Access Control
• Data Classification Toolkit for Windows Server 2012 and 2012 R2
• Customer and Microsoft IT solution examples

Objectives:
• Understand Dynamic Access Control capabilities built into Windows Server 2012/R2
• Understand how to leverage Dynamic Access Control for compliance and DLP
• Learn about the technologies in action
Data management landscape (slide): growth of users and data, distributed computing, regulatory and business compliance, budget constraints, and breach.
Let’s talk about breach
• 63K confirmed security incidents for 2013, with 1,367 confirmed data breaches. Over 40% targeted server assets.
• 73% of enterprise IT hardware decision makers are concerned about security/privacy issues in virtualized and cloud environments.
• 92% of enterprises see the security capabilities of public service providers as a top influence on their purchasing decision.
Sources: 2014 Verizon Data Breach Investigations Report; ForrSights Hardware Survey, Q3 2012, Forrester Research, Inc.; 2013: Advanced Malware Detection and Protection Trends, ESG Research.
Different views of data management
• CSO/CIO department: “I need to have the right controls to keep my job”
• Infrastructure Support: “I don’t know what data is in my repositories and how to control it”
• Content Owner: “Is my important data appropriately protected and compliant with regulations?”
• Information Worker: “I don’t know if I am complying with my organization’s policies”
Dynamic Access Control capabilities
• Data Classification: classify your documents using resource properties stored in Active Directory; automatically classify documents based on document content.
• Expression based access conditions: flexible access control lists based on document classification and multiple identities (security groups); centralized access control lists using Central Access Policies.
• Expression based auditing: targeted access auditing based on document classification and user identity; centralized deployment of audit policies using Global Audit Policies.
• Encryption: automatic RMS encryption based on document classification.
Concepts
• Data classification – identifying data
• Classify data based on location inheritance
• Classify data automatically
Data Classification Toolkit
Demo: Data classification
Automatic Rights Management encryption
• Automatically protect your sensitive information
• Adhere to compliance regulations that require data encryption
• Integrated with Windows Server 2012 R2 Work Folders
• Use RMS on-prem or RMS online
Demo: Automatic RMS protection
Baseline Classification Properties

Area                 | Property                            | Values
Information Privacy  | Personally Identifiable Information | High; Moderate; Low; Public; Not PII
Information Privacy  | Protected Health Information        | High; Moderate; Low
Information Security | Confidentiality                     | High; Moderate; Low
Information Security | Required Clearance                  | Restricted; Internal Use; Public
Legal                | Compliancy                          | SOX; PCI; HIPAA/HITECH; NIST SP 800-53; NIST SP 800-122; U.S.-EU Safe Harbor Framework; GLBA; ITAR; PIPEDA; EU Data Protection Directive; Japanese Personal Information Privacy Act
Legal                | Discoverability                     | Privileged; Hold
Legal                | Immutable                           | Yes/No
Legal                | Intellectual Property               | Copyright; Trade Secret; Patent Application Document; Patent Supporting Document
Records Management   | Retention                           | Long-term; Mid-term; Short-term; Indefinite
Records Management   | Retention Start Date                | <Date Value>
Organizational       | Impact                              | High; Moderate; Low
Organizational       | Department                          | Engineering; Legal; Human Resources; …
Organizational       | Project                             | <Project>
Organizational       | Personal Use                        | Yes/No
Multi server deployment using the Data Classification Toolkit (diagram)
Drivers: • OOB knowledge • Scale (# file servers) • Hybrid environment
Components: Management Client (Windows 2012 R2) with the DCT database; Staging File Server; Production File Servers (Windows 2008 R2, Windows 2012); Domain Controller (Active Directory).
Steps: 1. Import, 2. Export, 3. Deploy, 4. Report; Collect.
Expression based access control
Manage fewer security groups by using conditional expressions, using resource classification and user and device claims in access conditions.
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.

Group explosion example: 50 countries × 20 branches × 100 customers. Modelling every combination as its own security group needs 50 groups for countries, 1,000 groups for country/branch pairs, and 100,000 groups once customers are added. With conditional expressions the same access can be expressed with 170 groups (50 + 20 + 100), for example:
MemberOf(US) AND MemberOf(Seattle_Branch) AND MemberOf(Contoso_Customer)
Expression based access control in practice (diagram)
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
Access policy (a central access policy, defined in AD DS and applied by the file server):
  Applies to: @File.Impact = High
  Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
FAQ for expression based policies
• Which client devices are supported?
• Do I need to upgrade all my DCs to Server 2012+?
• User claims vs. groups – when to use what?
• What are the requirements to use device claims?
• Do I need to worry about Kerberos token size?
• Do I need to worry about performance?
• What’s the ADFS story?
Demo: Central access policies
Customer Solution Example: Department of Defense
Customer Active Directory environment (diagram): a User Accounts Forest and a Resources Forest, with Windows 2012 domain controllers (Active Directory), connected by Active Directory trusts with selective authentication. Clients access user data shares on a Windows 2012 file server with Access Based Enumeration enabled; the shares are organized by community of interest (COI1, COI2, COI3).
Customer DAC Scenario – Current (AD Groups)
• 1 Central Access Policy – “Community of Interest Shares”
• 2 File Rules – All files with COI classification; All files with no classification
• 1 Resource Property Definition – “COI”
(Diagram: Central Access Policy “Community of Interest Shares” → File Rules 1, 2, 3 → Resource Property Definition “COI”.)
Customer defined access policy: for access to COI information, a user must be a member of the COI for which the data is classified. If data is not classified, only the Owner, Administrators, and SYSTEM have Full Control.
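To make the policy model concrete, here is a small Python model, added here and not taken from the deck or from the customer, of how a central access policy pairs an applies-to condition with rules over user claims, device claims and resource properties. It encodes both the @File.Impact = High policy from the earlier diagram and the COI policy above; the dict field names, the evaluation order and the Read/Write grant for COI members are assumptions.

```python
# Added example (not from the deck): a small model of how a Central Access
# Policy (CAP) pairs an applies-to resource condition with access rules that
# test user claims, device claims and resource properties. Field names mirror
# the slides (@User.Department, @Device.Managed, @File.Impact, COI).
from collections import namedtuple

READ, WRITE, FULL = "Read", "Write", "FullControl"
# condition(user, device, resource) -> bool; applies_to(resource) -> bool
AccessRule = namedtuple("AccessRule", "name permissions condition")
CentralAccessPolicy = namedtuple("CentralAccessPolicy", "name applies_to rules")

def cap_access(cap, user, device, resource):
    """Permissions the CAP grants: the union over rules whose condition holds.
    None means the CAP does not target this resource. A real CAP can only
    narrow what the share and NTFS ACLs allow; this models the CAP alone."""
    if not cap.applies_to(resource):
        return None
    granted = set()
    for rule in cap.rules:
        if rule.condition(user, device, resource):
            granted |= rule.permissions
    return granted

# Slide policy: applies to @File.Impact = High; Allow Read, Write
# if (@User.Department == @File.Department) AND (@Device.Managed == True).
HBI_POLICY = CentralAccessPolicy(
    "High impact department data",
    lambda r: r.get("Impact") == "High",
    [AccessRule("Same department on managed device", {READ, WRITE},
                lambda u, d, r: u.get("Department") == r.get("Department")
                and d.get("Managed") is True)])

# Customer scenario: COI-classified files require membership in that COI
# (the permission level is assumed here); unclassified files are reachable
# only by Owner, Administrators and SYSTEM, with Full Control.
PRIVILEGED = {"Administrators", "SYSTEM"}
COI_POLICY = CentralAccessPolicy(
    "Community of Interest Shares",
    lambda r: True,
    [AccessRule("All files with COI classification", {READ, WRITE},
                lambda u, d, r: r.get("COI") in u.get("Groups", set())),
     AccessRule("All files with no classification", {FULL},
                lambda u, d, r: r.get("COI") is None and (
                    r.get("Owner") == u.get("Name")
                    or bool(u.get("Groups", set()) & PRIVILEGED)))])

if __name__ == "__main__":
    user = {"Name": "alice", "Department": "Finance", "Groups": {"COI1"}}
    hbi = {"Department": "Finance", "Impact": "High"}
    print(sorted(cap_access(HBI_POLICY, user, {"Managed": True}, hbi)))
```

Note that an unmanaged device or a department mismatch yields an empty set (the CAP denies), while a file whose Impact is not High yields None (the CAP is silent and the NTFS ACL alone decides).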
MSIT File Classification Deployment (Stan Symms)

FCI Deployment overview
• Large file server infrastructure: over 540 terabytes of data stored across 86 file servers
• Expected growth of 15% over FY15 to 620 TB

Challenges
• No automated data file classification existed (manual only)
• High Business Impact (HBI) data and Personally Identifiable Information (PII) were at risk

MSIT requirements
• Classify all files suspected of containing HBI or PII, setting the “Impact_MS” file property to “high”
• Encrypt files classified as High impact with the Rights Management template “Microsoft – All”
• Notify users of HBI content found and advise on corporate policies
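As an added illustration, not MSIT's configuration, the pipeline these requirements describe modelled in Python: content detectors set Impact_MS to "high", a file management job then selects those files for RMS protection with the named template, and a per-scan detection rate is computed in the form the deck reports later. The regexes, paths and file contents are constructed stand-ins; a real deployment expresses the same steps as FSRM classification rules and file management jobs with iFilters extracting the text.

```python
# Added example (not from the deck or from MSIT): a model of the FCI pipeline
# the MSIT requirements describe. Classification rules set Impact_MS to "high"
# on files whose content matches a detector; a file management job then
# RMS-protects files whose Impact_MS is high. Detectors and sample files are
# constructed stand-ins; a real deployment uses FSRM rules and iFilters.
import re

# Hypothetical content detectors standing in for the classification rules'
# patterns (the deck does not publish MSIT's rules).
DETECTORS = {
    "PII": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                     # SSN-like
    "HBI": re.compile(r"\b(Microsoft Confidential|Top Secret)\b", re.I),
}

def classify(files):
    """files: {path: text}. Returns {path: {"Impact_MS", "Detections"}}, where
    Impact_MS is "high" when any detector hits and None (unset) otherwise."""
    result = {}
    for path, text in files.items():
        hits = {name for name, rx in DETECTORS.items() if rx.search(text)}
        result[path] = {"Impact_MS": "high" if hits else None,
                        "Detections": hits}
    return result

def protect_high_impact(classified, template="Microsoft – All"):
    """File management job: select files with Impact_MS == high for RMS
    protection. Returns {path: template} for the files that would be protected."""
    return {p: template for p, props in classified.items()
            if props["Impact_MS"] == "high"}

def detection_rate(classified, kind):
    """Share of scanned files carrying a given detection (HBI or PII)."""
    hits = sum(kind in props["Detections"] for props in classified.values())
    return hits / len(classified) if classified else 0.0

# Constructed sample "files" (path -> text an iFilter would have extracted).
SAMPLE_FILES = {
    r"D:\DataBox\alice\payroll.xlsx": "Employee 123-45-6789 salary review",
    r"D:\DataBox\bob\plan.docx": "MICROSOFT CONFIDENTIAL roadmap FY15",
    r"D:\DataBox\carol\notes.txt": "Lunch menu for Tuesday",
    r"D:\DataBox\dave\readme.md": "Ticket 555-1234 is not an SSN",
}

if __name__ == "__main__":
    classified = classify(SAMPLE_FILES)
    for path, props in sorted(classified.items()):
        print(path, props["Impact_MS"], sorted(props["Detections"]))
    print("protected:", sorted(protect_high_impact(classified)))
    print("PII rate: %.2f%%" % (100 * detection_rate(classified, "PII")))
```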
Deployment scope
• Windows 2012 production file servers used for the DataBox program – used for File History and IntelliMirror services to store and sync employee working documents and settings

Approach & planning
• Develop baseline configuration
• Configured primary file server manually to establish baseline configuration
• Conducted extensive testing of classification rules and FCI configuration settings
• Exported final configuration to production file servers using the Data Classification Toolkit (DCT)

Deployment testing
• Deployed “baseline” FCI configuration to 23 production file servers built with Server 2012 & 2012 R2
• Analyzed results from daily scans, evaluating rule accuracy & effectiveness
• Refined rules and FCI configuration based on scanning results over a 15 week period
• Analyzed FCI audit logs and FSRM Storage Reports by File Property

Deployment results analysis
• Built automated Excel pivot combining results from all servers’ FCI .csv audit log files
• Conducted user “litmus” testing based on HBI detection results
• Pivot reports used to validate appropriate policy adherence for “top 10” users

Deployment results achieved
• Final scope at conclusion: deployed to 23 file servers with >85 terabytes of employee documents
• Scanned >80M files across 26K users on a weekly basis

Detection rate statistics
• HBI: rates ranged from 0.24% to 2.23%, average 1.03%, for 702,373 detections
• PII: rates ranged from 0.002% to 2.91%, average 0.32%, for 220,373 detections

FCI scanning performance
• Scanned, classified and encrypted 26 to 45 MB/sec, average of 36 MB/sec
• Scanned, classified and encrypted 1,440 to 2,470 files/min, average of >2,000 files/min

Results comparison to competing solution
• Competing solution scans and encrypts ~54 files/min, 40X slower than FCI, with no file classification capability

Insights
• Notifying users of classification events created unnecessary churn – we turned them off!
• Looking to leverage the RMS Online service to expand our encryption capabilities
• Continued rules improvement to close IP detection gaps while reducing false positives
• Ongoing analysis can help determine whether we invest in additional iFilters such as Foxit PDF
• As audit files grow in size, new tools and processes can be leveraged to make analysis more efficient

Anecdotal evidence indicates accuracy
• Users with the greatest number and/or rate of HBI/PII detections are in these roles: Director of compensation, GM Marketing Communications, US Payroll Director, Headcount Data Management, Director of MSA Strategy…

Performance is high even at scale
• No noticeable impact to server performance nor user file processing – transparent to users
• Moved to continuous classification for near real time protection of sensitive data
Related Resources
• You can install the Data Classification Toolkit from http://www.microsoft.com/en-us/download/details.aspx?id=27123 (use run as Admin). An update to the DCT to support Server 2012 R2 will be released very soon.
• The Microsoft Office 2010 iFilters Pack is available from http://www.microsoft.com/en-us/download/details.aspx?id=17062
• iFilters are available for most formats from 3rd party companies. For more information on iFilters, visit http://www.ifilter.org/
• Learn about RMS Online at http://technet.microsoft.com/en-us/library/jj585004.aspx
• Address known Server 2012 FCI issues by installing KB2795944: Windows8-RT-KB2795944-x64.msu from the MS Download Center: http://www.microsoft.com/en-us/download/details.aspx?id=36561
Email me if you have questions!!! [email protected]
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.