Date post: | 19-Dec-2015 |
Upload: | helena-morris |
Spark the future.
May 4 – 8, 2015, Chicago, IL
Protecting Your Data with Containers without Boxing Yourself In
Yogesh Mehta, Senior Program Manager
BRK2329
You have the best security solutions…
…but the security landscape has changed.
TODAY, RISK OF DATA FALLING IN THE WRONG HANDS IS GREATER THAN EVER.
QUITE OFTEN THIS RISK IS NOT FROM EXTERNAL ATTACKERS. IT COMES FROM WITHIN.
MAJORITY OF DATA LEAKS HAPPEN ACCIDENTALLY.
“An employee of the department had inadvertently disclosed the passport numbers, visa details and other personal identifiers of the world leaders attending the G20 summit in Brisbane after an email was mistakenly sent to an organizer of the Asian Cup football tournament because of an autocomplete function”
Personal details of world leaders accidentally revealed by G20 organizers (Guardian, March 30, 2015)
AUSTRALIAN IMMIGRATION DEPT. DATA LEAK
Data Leakage
58% …have accidentally sent sensitive information to the wrong person¹
87% …of senior managers admit to regularly uploading work files to a personal email or cloud account¹
$240 per record: average cost of a data breach across all industries²
???% …focus on data leak prevention for personal devices, but ignore the issue on corporate-owned devices where the risks are the same or worse.
¹ Stroz Friedberg, “On The Pulse: Information Security In American Business,” 2013
² HIPAA Secure Now, “A look at the cost of healthcare data breaches,” Art Gross, March 30, 2012
Information protection journey
DEVICE PROTECTION
BitLocker enhancements in Windows 8.1
InstantGo
3rd party adoption
Protect data when device is lost or stolen
DATA PROTECTION
Rights Management Services (RMS)
Office Information Rights Management (IRM)
Azure AD, Azure Rights Management in 2013
Protect data when …..
THE GAP
Accidental data leakage
3rd party solutions
HOW OTHERS ARE FILLING THE GAP: PAIN POINTS
Switching modes and between containers
Users change apps to work securely
Experience between mobile and desktop inconsistent
Solutions are expensive
FINDING THE BALANCE
Without true platform-level integration, balancing experience, deployment, and cost is impossible
Compromised user experience, ease of deployment, lowest cost
OR
Better user experience, difficult to deploy, higher cost
OUR VISION
Integrate data protection at the platform level to protect corporate data against inadvertent disclosure to unauthorized users and public services through email, social media and public cloud
DATA PROTECTION IN A CLOUD & MOBILE WORLD
Protection everywhere (at rest, in transit, across devices, storage location...everywhere)
Enable wipe and other management fundamentals
Supported by all the apps you use, fully integrated experience
REQUIRES
Different approach to app management
Mobile & Desktop
Windows 10 Enterprise Data Protection
Corp data identifiable from personal
Protects data at rest, and when roaming
Platform integrated, no mode switching
Only IT-Allowed apps see business data
IT controls keys, can remote wipe
Common experience, x-plat support
Extra Security with Data Protection Under Lock
Windows 10 Enterprise Data Protection
Blocks read when screen is locked
Optional screen lock security policy
System tosses decryption key on lock
Can encrypt new files and data
Logon, unlock restores keys and access
Helps mitigate system-level attacks
Protection across Data Flows
Enterprise Data Protection
PROVISIONING: KEYS AND POLICIES
1. User enrolls with enterprise MDM or domain join
2. MDM or ConfigMgr provisions policy and encryption keys
Policies:
1. Enterprise allowed apps
2. Network policies
3. App restriction policy
[Diagram: app grid showing Lync, eMail, Facebook; OneDrive for Business, Contacts; PowerPoint, Calendar, OneDrive; PDF Reader, Photos, Weather]
Business Apps & Data (Managed)
Personal Apps & Data (Unmanaged)
Data exchange is blocked or audited
DATA INGRESS
Data from enterprise network is encrypted
E.g. OneDrive For Business, Corporate Exchange mail, etc.
DATA EGRESS (from app to disk)
Saving to an enterprise folder: encryption auto-applied
User option to save as corporate
IT can configure unenlightened apps to automatically protect data
Enlightened apps protect corporate data
DATA EGRESS (inter-app, or over the network)
Enlightened apps can maintain protection
App restriction policy: can block egress to other apps
Network policy: can block egress to non-corporate sites
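The ingress and egress slides above describe three policies (enterprise allowed apps, network policy, app restriction policy) without showing how they combine. The PowerShell below is an added model of that decision logic, written for this page; it is not Microsoft's Enterprise Data Protection implementation or its MDM policy format. Every app name, domain, IP range and the `$EdpPolicy` layout are constructed assumptions.

```powershell
# Added illustration (not Microsoft's EDP code): the three policies from the slides
# applied to the ingress and egress flows they describe. All names are constructed.
$EdpPolicy = @{
    # 1. Enterprise allowed apps: only these may receive enterprise-tagged data.
    AllowedApps        = @('Lync', 'PowerPoint', 'OneDrive for Business', 'PDF Reader')
    # 2. Network policy: data arriving from here is tagged enterprise on ingress, and
    #    only these destinations may receive enterprise data over the network.
    EnterpriseDomains  = @('contoso.com', 'contoso.sharepoint.com')
    EnterpriseIPRanges = @('10.0.0.0/8', '192.168.50.0/24')
    # 3. App restriction policy: 'Block' stops a disallowed egress, 'Audit' allows it
    #    but logs it (the "blocked or audited" choice on the provisioning slide).
    Enforcement        = 'Block'
}

function ConvertTo-UInt32 {
    # IPv4 dotted quad -> host-order unsigned integer, so prefixes can be compared.
    param([string]$Address)
    $bytes = ([ipaddress]$Address).GetAddressBytes()
    [array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-EnterpriseNetwork {
    # True when a DNS name or IPv4 literal falls inside the network policy.
    param([string]$Endpoint, [hashtable]$Policy)
    foreach ($d in $Policy.EnterpriseDomains) {
        if ($Endpoint -eq $d -or $Endpoint.EndsWith(".$d")) { return $true }
    }
    $ip = $Endpoint -as [ipaddress]
    if ($null -eq $ip -or $ip.AddressFamily -ne 'InterNetwork') { return $false }
    $value = ConvertTo-UInt32 $Endpoint
    foreach ($cidr in $Policy.EnterpriseIPRanges) {
        $net, $prefix = $cidr -split '/'
        $mask = [uint32]((([uint64]0xFFFFFFFF) -shl (32 - [int]$prefix)) -band 0xFFFFFFFF)
        if (($value -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)) { return $true }
    }
    return $false
}

function Get-IngressTag {
    # Ingress: data fetched from an enterprise location is tagged enterprise (and,
    # on the real platform, encrypted with the enterprise key); anything else is personal.
    param([string]$Source, [hashtable]$Policy)
    if (Test-EnterpriseNetwork -Endpoint $Source -Policy $Policy) { 'Enterprise' } else { 'Personal' }
}

function Test-Egress {
    # Egress decision for tagged data leaving an app, either to another app
    # ($TargetKind 'App') or over the network ($TargetKind 'Network').
    # Returns Allow, Block or Audit. Personal data is never gated.
    param([string]$Tag, [string]$TargetKind, [string]$Target, [hashtable]$Policy)
    if ($Tag -ne 'Enterprise') { return 'Allow' }
    $permitted = switch ($TargetKind) {
        'App'     { $Policy.AllowedApps -contains $Target }
        'Network' { Test-EnterpriseNetwork -Endpoint $Target -Policy $Policy }
        default   { $false }
    }
    if ($permitted) { return 'Allow' }
    return $Policy.Enforcement
}

# Walk one document through the flows on the slides.
$tag = Get-IngressTag -Source 'mail.contoso.com' -Policy $EdpPolicy
Test-Egress -Tag $tag -TargetKind App     -Target 'PowerPoint'  -Policy $EdpPolicy
Test-Egress -Tag $tag -TargetKind App     -Target 'Facebook'    -Policy $EdpPolicy
Test-Egress -Tag $tag -TargetKind Network -Target '10.20.30.40' -Policy $EdpPolicy
Test-Egress -Tag $tag -TargetKind Network -Target 'dropbox.com' -Policy $EdpPolicy
```

The point of the model is that the tag is decided once, at ingress, from where the data came; every later egress decision consults only the tag plus the destination, never the content. Flipping `Enforcement` to `Audit` changes the disallowed cases from a refusal into a logged allow, which is the rollout mode the slides imply for discovering which unenlightened apps touch corporate data.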
CROSS PLATFORM DATA SHARING
Readers available for cross-platform editing
Public API for secure sharing
Common MDM support across Windows, iOS & Android with Microsoft Intune
Common developer experience across platforms
iOS & Android enabled via Intune App Wrapping Tool for IT Pros
iOS & Android apps enabled via Intune App SDK
Microsoft Intune SDK for iOS & Android
REVOKE (on unenroll)
Unenroll removes the keys and wipes the now-inaccessible enterprise data
Demo
SHARING PROTECTION
Protect data that is shared
DEVICE PROTECTION
Protect data when device is lost or stolen
Information protection continuum
DATA PROTECTION
Accidental data leakage
Device Encryption vs. BitLocker
Device Encryption
• Encryption is automatic out of the box
• Microsoft account sign-in enables protection
• Recovery password escrowed in OneDrive
• Ships in all editions of Windows
BitLocker and BitLocker To Go
• Full management capabilities supported, including FIPS support
• Imaging, management solutions (e.g. MBAM), or the end user can enable protection
• Recovery keys can be stored in AD or management solutions (e.g. MBAM)
• Ships in Windows Pro and Enterprise editions
Provisioning Enhancements
Provisioning is the top pain point for encrypting devices
• Provisioning is challenging
• TPM provisioning is complex for IT and end users
• Encryption takes too much time
Solutions in Windows make BitLocker the best choice:
• TPM auto-provisioning
• Support for encrypted hard drives (eHDD)
• Used Disk Space Only encryption
• Pre-provisioning during setup
Experience & Security
Improving the IT and end-user experience
• Eliminating the need for pre-boot authentication (InstantGo devices)
• Fewer support issues on Windows 8 (and later) certified devices
• Automatic device encryption
Improved security with Windows BitLocker
• Improved anti-hammering for sign-in on BitLocker-protected devices
• One-time suspend mode
• Exchange ActiveSync & MDM policy for device encryption
Protecting Devices with Pre-Boot Auth
• Why have we needed it in the past?
  • Encryption keys for any encryption solution are loaded into system memory
  • Cold boot attacks enable attackers with physical access to extract the key from memory
  • Key attack vectors: DMA port attack; memory remanence attack
• Downside to pre-boot authentication
  • Device must be turned off when unattended
  • Breaks user experience, management, remote access
The conventional wisdom amongst security architects is that the encryption can only be secured by implementing pre-boot authentication
Protecting Devices with Pre-Boot Auth
• Mitigating DMA port attacks (e.g. Elcomsoft & Passware)
  • Ports restricted on InstantGo devices
  • Ports not present on Windows mobile PCs
  • Windows 8.1 certified hardware disables external DMA during boot
  • Ports can be disabled or restricted to authorized devices on Windows 7 devices
• Mitigating the memory remanence attack (Frozen Memory, Princeton)
  • Physical removal of frozen memory is easier said than done
  • Not possible on tablets, which have fixed memory
  • Published research (Canadian DoD) shows the attack is highly unreliable
Modern devices can offer immunity to traditional cold boot attacks. Even Windows 7 devices may be able to be configured to mitigate against them.
Key Improvements in Windows 10
• Pre-boot authentication improvement: disallow hot-plug DMA until the user signs in, and while the device is locked
• Automatic Device Encryption with Azure Active Directory (AAD) sign-in to Windows
  • Supports backup of the BitLocker recovery password to AAD
• BitLocker support for virtual machines using a virtual TPM (vTPM)
• Windows Phone users can enable Device Encryption without MDM
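The Device Encryption vs. BitLocker, Provisioning Enhancements and Key Improvements slides describe the provisioning and DMA-mitigation pieces separately. The script below is an added example of putting them together with the built-in `BitLocker` and `TrustedPlatformModule` PowerShell modules; it is written for this page and is not Microsoft's deployment tooling. Assumptions: it runs elevated on Windows 10; `XtsAes256` needs Windows 10 1511 or later; `BackupToAAD-BitLockerKeyProtector` and the `DisableExternalDMAUnderLock` policy value exist only on later Windows 10 builds (the deck predates both); the device-install deny list follows Microsoft's published BitLocker DMA guidance for the IEEE 1394 and SBP-2 setup classes.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the deck or the BitLocker product team. Assumes Windows 10,
# an elevated session, and a domain or Azure AD join for recovery-password escrow.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# 1. TPM auto-provisioning: Windows 8 and later take ownership on their own;
#    the script only confirms the TPM is usable before relying on it.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not ready (present=$($tpm.TpmPresent), ready=$($tpm.TpmReady))"
}

# 2. Used Disk Space Only encryption of the OS volume, unlocked by the TPM alone
#    (the no-pre-boot-authentication model the deck argues for). Where policy still
#    demands PBA, use -TpmAndPinProtector -Pin <SecureString> instead.
$os  = (Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem').MountPoint
$vol = Get-BitLockerVolume -MountPoint $os
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # -SkipHardwareTest starts encrypting now instead of after a test reboot.
    Enable-BitLocker -MountPoint $os -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -TpmProtector -SkipHardwareTest
}

# 3. Recovery password: generate one and escrow it centrally, which is the
#    management capability the slide contrasts with consumer Device Encryption.
$vol = Get-BitLockerVolume -MountPoint $os
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null
}
$rp = (Get-BitLockerVolume -MountPoint $os).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    # AD DS escrow; needs the BitLocker recovery schema/policy in the domain.
    Backup-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $rp.KeyProtectorId
} else {
    # Azure AD escrow for AAD-joined devices (assumption: cmdlet present on this build).
    BackupToAAD-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $rp.KeyProtectorId
}

# 4. DMA port mitigations from the pre-boot-auth slides.
#    (a) Windows 10 policy: block new external DMA devices while locked / before sign-in.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name DisableExternalDMAUnderLock -Value 1 -Type DWord
#    (b) Older fallback: deny installation of the 1394 and SBP-2 device classes that
#        the FireWire memory-acquisition tools depend on.
$deny = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
New-Item -Path "$deny\DenyDeviceClasses" -Force | Out-Null
Set-ItemProperty -Path $deny -Name DenyDeviceClasses -Value 1 -Type DWord
$classes = @('{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}',   # IEEE 1394 host controllers
             '{D48179BE-EC20-11D1-B6B8-00C04FA372A7}')   # SBP-2 (1394 storage) driver
for ($i = 0; $i -lt $classes.Count; $i++) {
    Set-ItemProperty -Path "$deny\DenyDeviceClasses" -Name ($i + 1) -Value $classes[$i] -Type String
}

# 5. One-time suspend mode: for a firmware update, leave the protectors on disk but
#    let exactly one restart through without them; they re-arm automatically.
function Suspend-BitLockerOnce {
    param([string]$MountPoint = $os)
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1
}

Get-BitLockerVolume -MountPoint $os | Select-Object MountPoint, VolumeStatus,
    ProtectionStatus, EncryptionMethod, EncryptionPercentage
```

Two practitioner checks worth keeping in mind: the deny list in step 4(b) has to be applied before the device is exposed to untrusted ports, since it only blocks new driver installs, and step 5 must be paired with a check that `ProtectionStatus` is back to `On` after the update, because a suspended volume is readable to anyone who boots it.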
SHARING PROTECTION
Protect data that is shared
DEVICE PROTECTION
Protect data when device is lost or stolen
Information protection continuum complete
DATA PROTECTION
Accidental data leakage
Next Steps
Talk to your MDM server vendor about Windows 10 support
Check out related sessions to learn more – See resources on the next slide
Evaluate Data Protection enhancements in Windows 10 – talk to your TAP buddy!
Give us feedback!
Related sessions here @ Ignite
Jim Alkove | Overview of Windows 10 for Enterprises [Link]
Dustin Ingalls | A New Era of Threat Resistance for the Windows Platform [Link]
Janani Vasudevan | Windows 10 Mobile Device Management (MDM) in Depth [Link]
Jason Githens | Managing Windows 10 with Microsoft Intune and SCCM [Link]
Gagan Gulati | Protecting and Tracking Sensitive Data with RMS: Today and What’s Next [Link]
Aman Arneja | Secure Enterprise Network Access and VPN platform enhancements [Link]
Sumit Parikh | Windows 10 for Mobile Devices: Get and Stay in Control of Your Mobile Fleet [Link]
Lance Crandall | BitLocker Deployment using MBAM is a Snap! [Link]
Chris Green & Dilip Radhakrishnan | Securing Access to Microsoft Exchange and SPO with Intune [Link]
Adam Skewgar | Work Folders: Accessing and securing your File Server data in a BYOD world [Link]
Allen Marshall | Harden the fabric: Protecting tenant secrets in Hyper-V [Link]
Resources!
Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App.
Please evaluate this session. Your feedback is important to us!
© 2015 Microsoft Corporation. All rights reserved.