Date posted: 18-Jan-2018
Page 1: Amit Fulay Senior Lead Program Manager Microsoft SIA 324.
Page 2

Using Active Directory Rights Management Services and Microsoft Exchange to Protect Sensitive E-mail Communication

Amit Fulay, Senior Lead Program Manager, Microsoft
SIA 324

Page 3

Page 4

Page 5

$40

Page 6

US military secrets were found on USB sticks on sale outside a US airbase

http://news.bbc.co.uk/2/hi/technology/4946512.stm

Page 7

Page 8

Page 9

85%

Page 10

28% (IDC 2009 Report)

Page 11

Page 12

Session Objectives

• Email as the primary leak vector
• Understand AD RMS
• Understand Exchange 2010 – RMS Integration Features
• Understand how to deploy them together
• Demos

Page 13

Business Ready Security: Help securely enable business by managing risk and empowering people

• Highly Secure & Interoperable Platform
• Identity: Integrate and extend security across the enterprise
• Protect everywhere, access anywhere
• Simplify the security experience, manage compliance

From: Block, Cost, Siloed
To: Enable, Value, Seamless

Page 14

Session Objectives

Email as the primary leak vector

Understand AD RMS

Understand Exchange 2010 – RMS Integration Features

Understand how to deploy them together

Demos

Page 15

Email Information Leakage is Broadly Reaching

• Financial Services: Equity Research, M&A (GLB, NASD 2711)
• Healthcare & Life Services: Research, Clinical Trials (HIPAA)
• Manufacturing & High Technology: Collaborative Design, Data Protection in Outsourcing
• Government: RFP Process, Classified Information (National Security)
• Horizontal Scenarios: Sensitive e-mails, Executive communications, Financial data, Price lists, HR Information, Legal information; Corporate Governance: Sarbanes-Oxley (US)

Page 16

Email Information Leakage is Costly on Multiple Fronts

Legal, Regulatory and Financial impacts
• Cost of digital leakage per year is measured in $Billions
• Increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386
• Non-compliance with regulations or loss of data can lead to significant legal fees, fines, and more

Damage to Image and Credibility
• Damage to public image and credibility with customers
• Financial impact on company
• Leaked e-mails or memos can be embarrassing

Loss of Competitive Advantage
• Disclosure of strategic plans or M&A info can potentially lead to loss of revenue and market capitalization
• Loss of research, analytical data, and other intellectual capital

Page 17

Session Objectives

Email as the primary leak vector

Understand AD RMS

Understand Exchange 2010 – RMS Integration Features

Understand how to deploy them together

Demos

Page 18

Traditional Solutions Protect Initial Access …

Firewall Perimeter and Access Control List Perimeter: Authorized Users → Yes, Unauthorized Users → No
Information Leakage → Unauthorized Users

…but not ongoing usage

Page 19

What is Rights Management Services? Better safeguard sensitive information

Protect against unauthorized viewing, editing, copying, printing, or forwarding of information
• Limit file access to only authorized users
• Audit trail tracks usage of protected files

Persistent protection
• Protects your sensitive information no matter where it goes
• Uses technology to enforce organizational policies
• Authors define how recipients can use their information

Flexible and customizable technology
• RMS integrates with familiar applications and is easy to use
• Users assign “Full Control” rights to a trusted group
• ISVs build custom solutions via SDKs

Page 20

System Architecture

• RMS Client (built into Windows Vista and Windows 7): Application → Client API → Security Processor, on the OS Platform; communicates with the RMS Server over HTTP/SOAP
• RMS Server (WS08 / 08 R2 server role), on WS2008: HTTP/SOAP endpoint backed by AD and SQL
• RMS Administration: Admin MMC Snap-in (MMC 3.0 Host) and Admin Scripting API

Page 21

Information Workflow: Publishing and consumption

Participants: Author, Recipient, RMS (backed by AD and SQL). Artifacts: RAC, CLC, PL, UL.

1. Assume author and recipient are already bootstrapped with a RAC and CLC
2. Author creates mail
3. Author protects mail using RAC and CLC
4. Author sends mail to recipient
5. Recipient gets use license from RMS
6. Recipient can access content

Page 22

RMS System Workflow

1. Deployment: RMS Client, SPC
2. User certification. To server: SPC, authentication. To client: RAC, CLC
3. Publishing information: symmetric key, protect information, PL
4. Licensing. To server: RAC, PL. To client: UL
5. Information consumption: authorize UL, decrypt information

Page 23

What’s on the user’s PC?

• RMS Client “Lock Box”: Machine Private Key (obfuscated). Per-machine keys guarantee that content cannot be exploited by just moving content or certificates to another machine.
• Machine Certificate: Machine Public Key. Public key for this machine; necessary in order to acquire a RAC (Rights Account Certificate).
• Rights Account Certificate: User Public Key; User Private Key (encrypted by machine public key). Credentials to consume rights-protected content.
• Client Licensor Certificate: Server Public Key. Credentials to publish rights-protected content offline.
• RMS-enabled Applications

Page 24

Example: Rights-Protected Doc

PL (Publish License): created when content (file) is protected
• Rights Info (with email addresses), encrypted with server public key
• Content Key (random AES-128), encrypted with server public key

File content (text, pictures, metadata, etc.): encrypted with content key

UL (Use License): only added to file after server licenses a user to open it
• Content Key, encrypted with the user public key
• Rights (for a particular user), encrypted with user public key

NOTE: Outlook E-mail EULs are stored in the local user profile directory
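The publish, license and consume flow of pages 21, 22 and 24 as an added PowerShell model; it is not code from the deck or from AD RMS, and keeps only the key-wrapping structure (random AES-128 content key wrapped to the server public key in the PL, re-wrapped to the user public key in the UL), so the certificate formats, lockbox, key pairs, addresses and rights are all constructed assumptions. It also shows the super-user path that the journal and pipeline decryption agents later in the deck depend on.

```powershell
# Added model, not code from the deck or from AD RMS: the publish / license /
# consume flow of pages 21, 22 and 24, reduced to its key-wrapping structure.
# Real RMS wraps this in XrML certificates (RAC, CLC, PL, UL) and the lockbox;
# the key pairs, addresses and rights below are constructed. PowerShell 7.
$Oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

function New-RsaKeyPair { [System.Security.Cryptography.RSA]::Create(2048) }

function Get-PublicOnly([System.Security.Cryptography.RSA]$Rsa) {
    # What a certificate carries: the public parameters only
    $pub = [System.Security.Cryptography.RSA]::Create()
    $pub.ImportParameters($Rsa.ExportParameters($false))
    return $pub
}

function Protect-Content([System.Security.Cryptography.RSA]$ServerPub, [byte[]]$Content, [hashtable]$Rights) {
    # Author side (workflow step 3): a random AES-128 content key is made locally,
    # so the server never sees plaintext; only the wrapped key travels in the PL
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128; $aes.GenerateKey(); $aes.GenerateIV()
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Content, 0, $Content.Length)
    return @{ PL = @{ WrappedKey = $ServerPub.Encrypt($aes.Key, $Oaep); Rights = $Rights }
              IV = $aes.IV; Ciphertext = $ct }
}

function New-UseLicense([System.Security.Cryptography.RSA]$ServerKey, $Doc, [string]$User,
                        [System.Security.Cryptography.RSA]$UserPub) {
    # Server side (licensing): the rights list inside the PL is the authorization
    # decision; only then is the content key unwrapped and re-wrapped to the user
    if (-not $Doc.PL.Rights.ContainsKey($User)) { throw "No rights granted to $User" }
    $contentKey = $ServerKey.Decrypt($Doc.PL.WrappedKey, $Oaep)
    return @{ WrappedKey = $UserPub.Encrypt($contentKey, $Oaep); Rights = $Doc.PL.Rights[$User] }
}

function Unprotect-WithKey([byte[]]$Key, $Doc) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key; $aes.IV = $Doc.IV
    $pt = $aes.CreateDecryptor().TransformFinalBlock($Doc.Ciphertext, 0, $Doc.Ciphertext.Length)
    return [System.Text.Encoding]::UTF8.GetString($pt)
}

function Unprotect-Content([System.Security.Cryptography.RSA]$UserKey, $Doc, $Ul) {
    # Recipient side (consumption): the user private key opens the UL, never the PL
    Unprotect-WithKey ($UserKey.Decrypt($Ul.WrappedKey, $Oaep)) $Doc
}

function Unprotect-AsSuperUser([System.Security.Cryptography.RSA]$ServerKey, $Doc) {
    # Journal / pipeline decryption path: no per-user UL is needed because the
    # server-side key opens any PL, which is why super-user membership is the most
    # sensitive setting in the deployment and the agents using it are off by default
    Unprotect-WithKey ($ServerKey.Decrypt($Doc.PL.WrappedKey, $Oaep)) $Doc
}
# Constructed demo: Contoso RMS server key, recipient Bob, unlisted outsider Mallory
$server = New-RsaKeyPair; $bob = New-RsaKeyPair; $mallory = New-RsaKeyPair
$memo   = [System.Text.Encoding]::UTF8.GetBytes('Q3 M&A memo: do not distribute')
$doc    = Protect-Content (Get-PublicOnly $server) $memo @{ 'bob@contoso.com' = @('VIEW') }
$ul     = New-UseLicense $server $doc 'bob@contoso.com' (Get-PublicOnly $bob)
Unprotect-Content $bob $doc $ul          # recipient holding a UL
Unprotect-AsSuperUser $server $doc       # what a journal or pipeline agent can do
try   { New-UseLicense $server $doc 'mallory@fabrikam.com' (Get-PublicOnly $mallory) }
catch { "Licensing refused: $($_.Exception.Message)" }
```

Mallory's request fails before any key is unwrapped, which is the property the rights list in the PL is there to give; the super-user call succeeds with no UL at all, which is the capability the journal and pipeline agents carry.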

Page 25

External Collaboration

• Trusted User Domains
• Special AD Accounts
• Trust Windows Live ID (Hosted Service)
• Identity Federation

Page 26

External Collaboration via AD FS: Scenario

• Fabrikam is a supplier to Contoso
• They have set up a federated trust relationship using AD FS (access to SharePoint libraries, Intranet sites, etc.)
• Contoso deploys RMS
• Contoso is able to protect content it shares with Fabrikam
• Contoso RMS server issues use licenses to Fabrikam employees

Page 27

External Collaboration via AD FS

Participants: Contoso (AD, RMS, FS-R, WebSSO agent) and Fabrikam (AD, FS-A). Artifacts: RAC, CLC, PL, UL.

1. Assume author is already bootstrapped
2. Author sends protected mail to recipient at Fabrikam
3. Recipient contacts RMS server to get bootstrapped
4. WebSSO agent intercepts request
5. RMS client is redirected to FS-R for home realm discovery
6. RMS client is redirected to FS-A for authentication
7. RMS client is redirected back to FS-R for authentication
8. RMS client makes request to RMS server for bootstrapping
9. WebSSO agent intercepts request, checks authentication, and sends request to RMS server
10. RMS server returns bootstrapping certificates to recipient
11. RMS server returns use license to recipient
12. Recipient accesses protected content

Page 28

Vista/WS2008 Investments

• Easy deployment
• External collaboration (through AD FS federation)
• Policy distribution (Vista SP1 + WS2008)
• Native 64-bit client
• XPS integration

Page 29

Win 7/WS2008 R2 Investments

External collaboration
• Support extended to include 3rd-party identity providers
• Internal group support (i.e., groups on the federation side that include external users)

Deployment
• Through PowerShell

Administration
• Through PowerShell
• New reports

Page 30

Session Objectives

Understand AD RMS

Understand Exchange 2010 – RMS Integration Features

Understand how to deploy them together

Demos

Page 31

Exchange 2010 Investments

Optimize for Software + Services

Streamline Communications
• Manage Inbox Overload
• Enhance Unified Messaging
• Anywhere Access and Collaboration

Increase Operational Flexibility
• Deployment Flexibility
• High Availability
• Simplified Administration

Deliver Greater Visibility & Control
• Protect Communications
• Compliance and Archiving
• Reporting and Alerts

Page 32

RMS Integration Overview

Automatic Content Based Privacy
• Transport Rules
• Protected Unified Messaging
• Outlook Protection Rules

Streamline End User Experience
• IRM in OWA
• Search IRM mails in OWA

Enable IT Infrastructure
• Journal Decryption
• Transport Pipeline Decryption

Page 33

Automatic Content-Based Privacy: Eliminate reliance on end-user

Enforcement tools are required. Content protection should be automated.

Page 34

Automatic Content-Based Privacy: Eliminate reliance on end-user

• Protect messages in transit via Transport Rules action
• Protect messages by default at the Outlook client
• Private voice messages are automatically protected by Unified Messaging (UM)
• Delegate policy determination to the Compliance Officer role via RBAC

Page 35

Transport Rule Protection

Page 36

Automatic Content-Based Privacy: Transport Rule Protection

Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages

Automatic Content-Based Privacy:
• Transport Rule action to apply RMS template to e-mail message
• Transport Rules support regex scanning of attachments in Exchange 2010
• Internet Confidential and Do Not Forward policies available out of box

Page 37

Transport Rule Protection

• Rules Agent stamps an X-Org header on the message with its value set to the RMS template GUID
• Encryption Agent applies RMS protection to the message and attachments on the OnRouted Transport Agent event
• Office 2003, 2007, 14 and XPS docs supported as attachments
• All encryption/decryption API located in the XSO layer

Page 38

Transport Rule Protection

Exchange 2010 Enterprise, Active Directory and AD RMS:
1) Service Lookup
2) Bootstrap (RAC, CLC)
3) Acquire Template Information
4) Publish
5) Encrypt

Page 39

RMS Integration in UM

Page 40

RMS Integration in UM

• UM Administrator can allow incoming voice mail messages to be marked as “private”
• Private voice mail is protected using “Do Not Forward”, preventing forwarding or copying content
• Uses the Encryption/Decryption XSO API to rights protect
• Private voice mail supported by Unified Messaging in Outlook 14 and OWA

Page 41

Outlook Protection Rules

• Small-scale rules engine delivered in an Outlook 2010 add-in
• Prevents host/Admin from accessing sensitive mail
• Rules
  – Predicates: sender’s department, recipient’s identity, recipient’s scope
  – Retrieved by the add-in from CAS through EWS
  – Optional/mandatory, applied offline/online

Page 42

Step 1: User creates a new message in Outlook

Page 43

Step 2: User adds the R&D distribution list to the To line

Page 44

Step 3: Outlook detects a sensitive DL and automatically protects as confidential

Page 45

Step 4: Administrator can define a policy as required, disabling the Permission button

Page 46

RMS Integration Overview

Page 47

Streamline End User Experience: Prevent RMS Protection from Getting in the IW's Way

• Prelicensing enables offline and mobile access to RMS-protected messages
• Create and compose RMS-protected messages in OLK and OWA
• Conduct full-text search on RMS-protected messages in OWA

Page 48

RMS Integration in OWA

Page 49

RMS Integration in OWA

Page 50

RMS Integration in OWA

• Create/consume RMS-protected messages natively, just like Outlook
• No client download or installation required
• Supports Firefox, Safari, Macintosh and Windows
• Conversation view, preview pane
• Full-text search on RMS-protected messages

Page 51

RMS Integration in OWA

• CAS uses Super User privileges to decrypt
• End User License (EUL) is used to determine which rights to enforce
• Single EUL shared across all CAS servers to give multiple machines a common RMS identity
• Rights enforcement concerns in the browser mitigated by disabling the feature at mailbox policy level

Page 52

RMS Integration Overview

Page 53

Enable IT Infrastructure: RMS protection should not break IT infrastructure

• Simplified Exchange-RMS integration via installation scripts and health check task
• Enable e-discovery via Journal Report Decryption
• Virus and spam filtering of RMS-protected messages enabled at Hub Transport

Page 54

Journal Report Decryption

Journal Report Decryption Agent
• Attaches clear-text copies of RMS-protected messages and attachments to the journal mailbox
• Requires super-user privileges, off by default
• Stamps an X-Org header to prevent future decrypt attempts

Archive/Journal

Page 55

Journal Report Decryption

Page 56

Transport Pipeline Decryption

• Enables Hub Transport agents to scan/modify RMS-protected messages
• Pipeline Decryption Agent uses Super-User privileges to decrypt; decrypts message and attachments protected with the same Publishing License
• Encryption Agent re-encrypts messages, forks and NDRs with the original PL

Page 57

Transport Pipeline Decryption

• Option to NDR messages that can’t be decrypted
• Low performance impact: message decrypted at the 1st Hub of each forest
• Message property to determine whether a clear-text message was decrypted by pipeline decryption
• Agents are not prevented from copying decrypted content

Page 58

RMS Integration Agents

All RMS Integration Agents are implemented as Transport agents on the Hub Transport role:

• End of Data: Pipeline Decryption Agent (decrypts RMS message from SMTP)
• OnSubmitted: Pipeline RMS Decryption Agent (decrypts AD RMS message from Pipeline)
• On Routed: Transport Rules Agent, Journal Report Decryption Agent, Encryption Agent, PreLicense Agent, Journal Agent

Page 59

Session Objectives

Email as the primary leak vector

Understand AD RMS

Understand Exchange 2010 – RMS Integration Features

Understand how to deploy them together

Demos

Page 60

Deployment

Pre-requisites
• Exchange 2010
• Windows Server 2008 R2
• Configure AD RMS server role on WS08 R2
• MBX and CAS servers must have Exchange 2010

Page 61

Exchange Configuration

• Exchange Server must be part of the RMS “Super-user” group
• Enable the corresponding Transport Agents; e.g. to enable the Transport Rules agent, use the Exchange Management Shell:

Set-IRMConfiguration -EncryptionEnabled $true

Page 62

RMS Configuration

1. Register a Service Connection Point in AD
2. Add permissions for Exchange to access AD RMS
3. Set up an RMS Super User Group
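The Exchange side of pages 60 to 62, together with the feature slides that precede them, as one added Exchange Management Shell sequence; it is not from the deck, and the addresses, rule names and policy names are placeholders. The deck's own Set-IRMConfiguration line is left as given on page 61; the parameter names below are the ones shipped with Exchange 2010, so confirm them with Get-Help Set-IRMConfiguration in your own build.

```powershell
# Added example, not from the deck: Exchange 2010 side of the deployment slides,
# run in the Exchange Management Shell after the AD RMS SCP and the super-user
# group exist. Addresses and names are placeholders.

# 1. Confirm Exchange can find the RMS SCP and obtain its own RAC/CLC before any
#    agent is enabled. A failure here means the AD RMS side is not finished.
Test-IRMConfiguration -Sender alice@contoso.com -Recipient bob@contoso.com

# 2. Enable the integration features selectively. Every decryption setting
#    exercises the super-user privilege, so switch on only what is needed.
Set-IRMConfiguration -InternalLicensingEnabled $true `
                     -ClientAccessServerEnabled $true `
                     -SearchEnabled $true `
                     -JournalReportDecryptionEnabled $true `
                     -TransportDecryptionSetting Optional
# TransportDecryptionSetting: Disabled, Optional (undecryptable mail is still
# delivered) or Mandatory (undecryptable mail is NDR'd, as on the pipeline slide)

# 3. Automatic content-based privacy: apply the out-of-box template from the
#    transport rule action, keyed on a predicate rather than on the sender.
Get-RMSTemplate
New-TransportRule -Name "Protect HR mail" `
                  -SentTo "hr@contoso.com" `
                  -ApplyRightsProtectionTemplate "Do Not Forward"

# 4. Outlook Protection Rule for the R&D distribution list (pages 42 to 45);
#    -UserCanOverride $false is the mandatory variant shown on page 45.
New-OutlookProtectionRule -Name "R&D confidential" `
                          -SentTo "rnd@contoso.com" `
                          -ApplyRightsProtectionTemplate "Do Not Forward" `
                          -UserCanOverride $false

# 5. Protected Unified Messaging: voice mail marked private gets Do Not Forward
Set-UMMailboxPolicy -Identity "Default Policy" -ProtectAuthenticatedVoiceMail Private

# 6. Where browser-side rights enforcement is a concern (page 51), IRM in OWA
#    can be turned off per OWA mailbox policy without disabling anything else.
Set-OwaMailboxPolicy -Identity "Default" -IRMEnabled $false

# Read back what is in effect, including the super-user settings Exchange uses
Get-IRMConfiguration
```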

Page 63

Demo: Transport Rules, IRM in OWA, Journal Decryption

Page 64

Key Takeaway

Exchange 2010 and AD RMS can help your organization safeguard sensitive email communication

Page 65

Resources

• www.microsoft.com/teched: Sessions On-Demand & Community
• http://microsoft.com/technet: Resources for IT Professionals
• http://microsoft.com/msdn: Resources for Developers
• www.microsoft.com/learning: Microsoft Certification & Training Resources

Page 66

Complete an evaluation on CommNet and enter to win!

Page 67

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

