
Using Dynamic Access Control and Rights Management for Information Protection

Nir Ben-Zvi, Stan Symms

PCIT-B214


This session

Agenda
• Intro to Dynamic Access Control
• Data Classification Toolkit for Windows Server 2012 and 2012 R2
• Customer and Microsoft IT solution examples

Objectives
• Understand Dynamic Access Control capabilities built into Windows Server 2012/R2
• Understand how to leverage Dynamic Access Control for compliance and DLP
• Learn about the technologies in action


Data management landscape

• Growth of users and data
• Distributed computing
• Regulatory and business compliance
• Budget constraints
• Breach


Let’s talk about Breach

63K confirmed security incidents for 2013 w/ 1,367 confirmed data breaches. Over 40% targeted at server assets.

73% of enterprise IT hardware decision makers are concerned about security/privacy issues in virtualized and cloud environments.

92% of enterprises see security capabilities of public service providers as a top influence in their purchasing decision.

Sources: 2014 Verizon Data Breach Investigations Report; ForrSights Hardware Survey, Q3 2012, Forrester Research, Inc.; 2013: Advanced Malware Detection and Protection Trends, ESG Research


Different views of data management

CSO/CIO department: “I need to have the right controls to keep my job”

Infrastructure Support: “I don’t know what data is in my repositories and how to control it”

Content Owner: “Is my important data appropriately protected and compliant with regulations?”

Information Worker: “I don’t know if I am complying with my organization’s policies”


Concepts

Data Classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.

Expression based access conditions
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.

Expression based auditing
• Targeted access auditing based on document classification and user identity.
• Centralized deployment of audit policies using Global Audit Policies.

Encryption
• Automatic RMS encryption based on document classification.


Data classification – identifying data

• Classify data based on location inheritance
• Classify data automatically
• Data Classification Toolkit


Demo: Data classification


Automatic Rights Management encryption

• Automatically protect your sensitive information
• Adhere to compliance regulations that require data encryption
• Integrated with Windows Server 2012 R2 Work Folders
• Use RMS on-prem or RMS online


Demo: Automatic RMS protection


Baseline Classification Properties (Area – Property: Values)

Information Privacy
• Personally Identifiable Information: High; Moderate; Low; Public; Not PII
• Protected Health Information: High; Moderate; Low

Information Security
• Confidentiality: High; Moderate; Low
• Required Clearance: Restricted; Internal Use; Public

Legal
• Compliancy: SOX; PCI; HIPAA/HITECH; NIST SP 800-53; NIST SP 800-122; U.S.-EU Safe Harbor Framework; GLBA; ITAR; PIPEDA; EU Data Protection Directive; Japanese Personal Information Privacy Act
• Discoverability: Privileged; Hold
• Immutable: Yes/No
• Intellectual Property: Copyright; Trade Secret; Patent Application Document; Patent Supporting Document

Records Management
• Retention: Long-term; Mid-term; Short-term; Indefinite
• Retention Start Date: <Date Value>

Organizational
• Impact: High; Moderate; Low
• Department: Engineering; Legal; Human Resources …
• Project: <Project>
• Personal Use: Yes/No


Multi server deployment using the Data Classification Toolkit

Diagram (text reconstruction): a DCT database and management client (Windows 2012 R2), a staging file server, production file servers (Windows 2008 R2 and Windows 2012) and a domain controller (Active Directory). Workflow: 1. Import, 2. Export, 3. Deploy, 4. Report (collect results from the production servers).

• OOB knowledge
• Scale (#File Servers)
• Hybrid environment


Expression based access control – manage fewer security groups by using conditional expressions

• Using resource classification and user and device claims in access conditions


Expression based access control – group explosion without conditional expressions

50 countries = 50 groups; × 20 branches = 1,000 groups; × 100 customers = 100,000 groups, if every country/branch/customer combination needs its own security group.

With conditional expressions the same access is expressed with 170 groups (one group per country, branch and customer: 50 + 20 + 100), combined in the access condition:

MemberOf(US) AND MemberOf(Seattle_Branch) AND MemberOf(Contoso_Customer)


Central access policy with user and device claims

User claims (AD DS): User.Department = Finance; User.Clearance = High
Device claims (AD DS): Device.Department = Finance; Device.Managed = True
Resource properties (file server): Resource.Department = Finance; Resource.Impact = High

ACCESS POLICY (central access policies)
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
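A small model of how the central access rule above is evaluated against user claims, device claims and resource properties, written as an added example (not code from the deck or from Windows): the claim and property names follow the slide, while the rule structure, the sample NTFS DACL and the "every applicable rule must grant" combination are assumptions.

```python
# Added example: a toy evaluator for a Dynamic Access Control central access
# rule. Claim/property names follow the slide; the rule structure, the sample
# NTFS DACL and the "every applicable rule must grant" combination are
# modelling assumptions, not the Windows implementation.
from dataclasses import dataclass
from typing import Callable

@dataclass
class CentralAccessRule:
    name: str
    applies_to: dict                               # target resource condition
    permissions: frozenset                         # what the rule can grant
    condition: Callable[[dict, dict, dict], bool]  # (user, device, file) -> bool

def targets(rule: CentralAccessRule, file: dict) -> bool:
    """A rule applies only to files whose classification matches its target."""
    return all(file.get(k) == v for k, v in rule.applies_to.items())

def effective_access(rules, dacl, user, device, file) -> set:
    """Start from the NTFS DACL and intersect with every applicable rule:
    a central access policy is a safety net that can only remove rights."""
    granted = set(dacl)
    for rule in rules:
        if targets(rule, file):
            allowed = rule.permissions if rule.condition(user, device, file) else frozenset()
            granted &= allowed
    return granted

# The rule shown on the slide:
#   Applies to: @File.Impact = High
#   Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
HIGH_IMPACT_RULE = CentralAccessRule(
    name="High impact data",
    applies_to={"Impact": "High"},
    permissions=frozenset({"Read", "Write"}),
    condition=lambda u, d, f: (u.get("Department") == f.get("Department")
                               and d.get("Managed") is True),
)
POLICY = [HIGH_IMPACT_RULE]
NTFS_DACL = frozenset({"Read", "Write", "Delete"})   # constructed sample DACL

def check(user: dict, device: dict, file: dict) -> set:
    """Effective permissions for one access request under POLICY."""
    return effective_access(POLICY, NTFS_DACL, user, device, file)

if __name__ == "__main__":
    finance_user = {"Department": "Finance", "Clearance": "High"}
    managed_pc = {"Department": "Finance", "Managed": True}
    hbi_file = {"Department": "Finance", "Impact": "High"}
    print(sorted(check(finance_user, managed_pc, hbi_file)))          # ['Read', 'Write']
    print(sorted(check(finance_user, {"Managed": False}, hbi_file)))  # [] (unmanaged device)
    print(sorted(check({"Department": "HR"}, managed_pc, hbi_file)))  # [] (wrong department)
    print(sorted(check(finance_user, managed_pc, {"Impact": "Low"}))) # ['Delete', 'Read', 'Write'] (rule not targeted)
```

Note that the unmanaged-device and wrong-department cases lose even the Read right the NTFS DACL grants, while the Low-impact file is untouched by the policy because no rule targets it.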


FAQ for expression based policies

• Which client devices are supported?
• Do I need to upgrade all my DCs to Server 2012+?
• User claims vs. groups – when to use what?
• What are the requirements to use device claims?
• Do I need to worry about Kerberos token size?
• Do I need to worry about performance?
• What’s the ADFS story?


Demo: Central access policies


Customer Solution Example

Department of Defense


Customer Active Directory Environment

Diagram (text reconstruction): a User Accounts Forest and a Resources Forest, each with its own domain controller (Active Directory; Windows 2012), connected by Active Directory trusts with selective authentication. A Windows 2012 file server in the resources forest hosts the shares COI1, COI2 and COI3 with Access Based Enumeration on; clients in the user accounts forest get access to the user data shares.


Customer DAC Scenario – Current (AD Groups)

• 1 Resource Property Definition – “COI”
• 1 Central Access Policy – “Community of Interest Shares”
• 2 File Rules: all files with COI classification; all files with no classification

Customer Defined Access Policy: For access to COI information, a user must be a member of the COI for which the data is classified. If data is not classified, only the Owner, Administrators, and SYSTEM have Full Control.


MSIT File Classification Deployment

Stan Symms


FCI Deployment overview

Large file server infrastructure
• Over 540 terabytes of data stored across 86 file servers
• Expected growth of 15% over FY15 to 620 TB

Challenges
• No automated data file classification existed (manual only)
• High Business Impact data (HBI) and Personally Identifiable Information (PII) was at risk

MSIT requirements
• Classify all files suspected of containing HBI or PII, setting the “Impact_MS” file property to “high”
• Encrypt files classified as High impact with Rights Management template “Microsoft – All”
• Notify users of HBI content found and advise on corporate policies

Deployment scope
• Windows 2012 production file servers used for the DataBox program – used for File History and IntelliMirror services to store and sync employee working documents and settings


Approach & planning

Develop baseline configuration
• Configured primary file server manually to establish baseline configuration
• Conducted extensive testing of classification rules and FCI configuration settings
• Exported final configuration to production file servers using Data Classification Toolkit (DCT)

Deployment testing
• Deployed “baseline” FCI configuration to 23 production file servers built with Server 2012 & 2012 R2
• Analyzed results from daily scans evaluating rule accuracy & effectiveness
• Refined rules and FCI configuration based on scanning results over a 15 week period
• Analyzed FCI audit logs and FSRM Storage Reports by File Property

Deployment results analysis
• Built automated Excel pivot combining results from all servers’ FCI .csv audit log files
• Conducted user “litmus” testing based on HBI detection results
• Pivot reports used to validate appropriate policy adherence for “top 10” users


Deployment results achieved

Final scope at conclusion
• Deployed to 23 file servers with >85 terabytes of employee documents
• Scanned >80M files across 26K users on a weekly basis

Detection rate statistics
• HBI: rates ranged from 0.24% to 2.23%, average 1.03% for 702,373 detections
• PII: rates ranged from 0.002% to 2.91%, average 0.32% for 220,373 detections

FCI scanning performance
• Scanned, classified and encrypted 26 to 45 MB/sec, average of 36 MB/sec
• Scanned, classified and encrypted 1440 to 2470 files/min, average of >2000 files/min

Results comparison to competing solution
• Competing solution scans and encrypts ~54 files/min, 40X slower than FCI, with no file classification capability


Insights

• Notifying users of classification events created unnecessary churn – we turned them off!
• Looking to leverage RMS Online service to expand our encryption capabilities
• Continued rules improvement to close IP detection gaps while reducing false positives
• Ongoing analysis can help determine whether we invest in additional iFilters such as Foxit PDF
• As audit files grow in size, new tools and processes can be leveraged to make analysis more efficient

Anecdotal evidence indicates accuracy
• Users with the greatest number and/or rate of HBI/PII detections are in these roles: Director of Compensation, GM Marketing Communications, US Payroll Director, Headcount Data Management, Director of MSA Strategy…

Performance is high even at scale
• No noticeable impact to server performance nor user file processing – transparent to users.
• Moved to continuous classification for near real time protection of sensitive data


Related Resources

• You can install the Data Classification Toolkit from http://www.microsoft.com/en-us/download/details.aspx?id=27123 (use run as Admin). An update to the DCT to support Server 2012 R2 will be released very soon.
• The Microsoft Office 2010 iFilters Pack is available from http://www.microsoft.com/en-us/download/details.aspx?id=17062
• iFilters are available for most formats from 3rd party companies. For more information on iFilters, visit http://www.ifilter.org/
• Learn about RMS Online at http://technet.microsoft.com/en-us/library/jj585004.aspx
• Address known Server 2012 FCI issues by installing KB2795944: Windows8-RT-KB2795944-x64.msu from the MS Download Center: http://www.microsoft.com/en-us/download/details.aspx?id=36561

Email me if you have questions!!! [email protected]


Resources

• Learning – Microsoft Certification & Training Resources: www.microsoft.com/learning
• msdn – Resources for Developers: http://microsoft.com/msdn
• TechNet – Resources for IT Professionals: http://microsoft.com/technet
• Sessions on Demand: http://channel9.msdn.com/Events/TechEd


© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.