Page 1: GREATER THAN EVER. TODAY, RISK OF DATA FALLING IN THE WRONG HANDS IS QUITE OFTEN THIS RISK IS NOT FROM EXTERNAL ATTACKERS. IT COMES FROM WITHIN.

Spark the future.

May 4 – 8, 2015, Chicago, IL

Page 2:

Protecting Your Data with Containers without Boxing Yourself In
Yogesh Mehta, Senior Program Manager

BRK2329

Page 3:

You have the best security solutions…

Page 4:

…but the security landscape has changed.

Page 5:

TODAY, RISK OF DATA FALLING IN THE WRONG HANDS IS GREATER THAN EVER. QUITE OFTEN THIS RISK IS NOT FROM EXTERNAL ATTACKERS. IT COMES FROM WITHIN.

MAJORITY OF DATA LEAKS HAPPEN ACCIDENTALLY.

Page 6:

AUSTRALIAN IMMIGRATION DEPT. DATA LEAK

“An employee of the department had inadvertently disclosed the passport numbers, visa details and other personal identifiers of the world leaders attending the G20 summit in Brisbane after an email was mistakenly sent to an organizer of the Asian Cup football tournament because of an autocomplete function”

Personal details of world leaders accidentally revealed by G20 organizers, Guardian, March 30, 2015

Page 7:

Data Leakage

58% have accidentally sent sensitive information to the wrong person¹

87% of senior managers admit to regularly uploading work files to a personal email or cloud account¹

$240 PER RECORD: average per-record cost of a data breach across all industries²

¹ Stroz Friedberg, “On The Pulse: Information Security In American Business,” 2013
² HIPAA Secure Now, “A look at the cost of healthcare data breaches,” Art Gross, March 30, 2012

Page 8:

…focus on data leak prevention for personal devices, but ignore the issue on corporate owned devices where the risks are the same or worse.

Page 9:

Information protection journey

DEVICE PROTECTION
• BitLocker enhancements in Windows 8.1
• InstantGo
• 3rd party adoption
Protect data when device is lost or stolen

DATA PROTECTION
• Rights Management Services (RMS)
• Office Information Rights Management (IRM)
• Azure AD, Azure Rights Management in 2013
Protect data when …..

THE GAP
• Accidental data leakage
• 3rd party solutions

Page 10:

HOW OTHERS ARE FILLING THE GAP: PAIN POINTS

Switching modes and between containers

Users change apps to work securely

Experience between mobile and desktop inconsistent

Solutions are expensive

Page 11:

FINDING THE BALANCE

Without true platform-level integration, balancing experience, deployment, and cost is impossible

Compromised user experience, ease of deployment, lowest cost

OR

Better user experience, difficult to deploy, higher cost

Page 12:

OUR VISION

Integrate data protection at the platform level to protect corporate data against inadvertent disclosure to unauthorized users and public services through email, social media and public cloud

Page 13:

DATA PROTECTION IN A CLOUD & MOBILE WORLD REQUIRES

• Protection everywhere (at rest, in transit, across devices, storage location...everywhere)
• Enable wipe and other management fundamentals
• Supported by all the apps you use, fully integrated experience

Page 14:

Different approach to app management

Mobile & Desktop

Windows 10 Enterprise Data Protection

Corp data identifiable from personal

Protects data at rest, and when roaming

Platform integrated, no mode switching

Only IT-Allowed apps see business data

IT controls keys, can remote wipe

Common experience, x-plat support

Page 15:

Extra Security with Data Protection Under Lock

Windows 10 Enterprise Data Protection

Blocks read when screen is locked

Optional screen lock security policy

System tosses decryption key on lock

Can encrypt new files and data

Logon, unlock restores keys and access

Helps mitigate system level attacks

Page 16:

Protection across Data Flows

Page 17:

Enterprise Data Protection: PROVISIONING: KEYS AND POLICIES

1. User enrolls with enterprise MDM or domain join
2. MDM or ConfigMgr provisions policy and encryption keys

Policies:

1. Enterprise allowed apps
2. Network policies
3. App restriction policy

Page 18:

[Figure: business and personal apps side by side on one device. Apps shown: Lync, eMail, Facebook, OneDrive for Business, Contacts, WhatsApp, PowerPoint, Calendar, OneDrive, PDF Reader, Photos, Weather]

Business Apps & Data (Managed)

Personal Apps & Data (Unmanaged)

Data exchange is blocked or audited

Page 19:

Enterprise Data Protection: DATA INGRESS

Data from enterprise network is encrypted

E.g. OneDrive For Business, Corporate Exchange mail, etc.

Page 20:

Enterprise Data Protection: DATA EGRESS (from app to disk)

• Saving to enterprise folder: encryption auto-applied
• User option to save as corporate
• IT can configure unenlightened apps to automatically protect data
• Enlightened apps protect corporate data

Page 21:

Enterprise Data Protection: DATA EGRESS (Inter-app, or over network)

• Enlightened apps can maintain protection
• App restriction policy: Can block egress to other apps
• Network policy: Can block egress to non-corporate sites

Page 22:

Enterprise Data Protection: CROSS PLATFORM DATA SHARING

• Readers available for cross-platform editing
• Public API for secure sharing
• Common MDM support across Windows, iOS & Android with Microsoft Intune
• Common developer experience across platforms
• iOS & Android apps enabled via Intune App Wrapping Tool for IT Pros
• iOS & Android apps enabled via Intune App SDK (Microsoft Intune SDK for iOS & Android)

Page 23:

Enterprise Data Protection: REVOKE (On unenroll)

Unenroll removes keys, and wipes the inaccessible enterprise data

Page 24:

Demo

Page 25:

Information protection continuum

DEVICE PROTECTION: Protect data when device is lost or stolen

DATA PROTECTION: Accidental data leakage

SHARING PROTECTION: Protect data when it is shared

Page 26:

Device Encryption vs. BitLocker

Device Encryption
• Encryption is automatic out of the box
• Microsoft account sign-in enables protection
• Recovery password escrowed in OneDrive
• Ships in all editions of Windows

BitLocker and BitLocker To Go
• Full management capabilities supported; including FIPS support
• Imaging, management solutions (e.g.: MBAM), or end user can enable protection
• Recovery keys can be stored in AD or management solutions (e.g.: MBAM)
• Ships in Windows Pro and Enterprise editions

Page 27:

Provisioning Enhancements

Provisioning is the top pain point for encrypting devices
• Provisioning is challenging
• TPM provisioning is complex for IT and end users
• Encryption takes too much time

Solutions in Windows make BitLocker the best choice:
• TPM auto-provisioning
• Support for encrypted hard drives (eHDD)
• Used Disk Space Only Encryption
• Pre-provisioning during setup
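An added example (not from the deck) of how a practitioner would apply the BitLocker points from Pages 26 and 27 with the BitLocker and TPM cmdlets that ship with Windows: confirm the TPM is ready, enable BitLocker with a TPM protector and Used Disk Space Only encryption, add a recovery password, and escrow it to Active Directory. It assumes an elevated session on an AD DS-joined Windows 10 machine whose Group Policy permits AD DS backup of recovery information; the volume letter is a placeholder.

```powershell
# Added example: provision BitLocker on the OS volume as the deck recommends
# (TPM protector, Used Disk Space Only, recovery password escrowed to AD DS).
# Assumes: elevated PowerShell on an AD DS-joined Windows 10 machine, with the
# BitLocker and TrustedPlatformModule modules that ship with Windows.
#Requires -RunAsAdministrator
$MountPoint = 'C:'   # placeholder: the OS volume to protect

# 1. TPM auto-provisioning: Windows 8+ readies the TPM itself; confirm it is usable.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; a TPM protector cannot be used.'
}

# 2. Enable BitLocker only if the volume is not already protected.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'Off' -and $vol.VolumeStatus -eq 'FullyDecrypted') {
    # -UsedSpaceOnly is the "Used Disk Space Only Encryption" option from the deck:
    # only sectors that hold data are encrypted, so provisioning finishes quickly.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -UsedSpaceOnly -TpmProtector -SkipHardwareTest
}

# 3. Add a recovery password protector if the volume does not have one yet.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 4. Escrow every recovery password to AD DS (the "stored in AD" option on Page 26),
#    so a lost device can be recovered without the key ever living only on that device.
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
}

# 5. Report the resulting state so the operator can verify protection is on.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
```

Verify the escrow from the domain side (the recovery password object is stored under the computer account) before relying on it.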

Page 28:

Experience & Security

Improving the IT and End-user Experience
• Eliminating the need for Pre-Boot Authentication (InstantGo devices)
• Fewer support issues on >=Windows 8 Certified devices
• Automatic device encryption

Improved Security with Windows BitLocker
• Improved anti-hammering for sign-in on BitLocker protected devices
• One-time suspend mode
• Exchange ActiveSync & MDM policy for device encryption

Page 29:

Protecting Devices with Pre-Boot Auth

• Why have we needed it in the past?
  • Encryption keys for any encryption solution are loaded into system memory
  • Cold boot attacks enable attackers with physical access to extract the key from memory
  • Key Attack Vectors: DMA Port attack; Memory Remanence attack

• Downside to pre-boot authentication
  • Device must be turned off when unattended
  • Breaks user experience, management, remote access

The conventional wisdom amongst security architects is that the encryption can only be secured by implementing pre-boot authentication

Page 30:

Protecting Devices with Pre-Boot Auth

• Mitigating DMA Port attacks (e.g.: Elcomsoft & Passware)
  • Ports restricted on InstantGo devices
  • Ports not present on Windows mobile PCs
  • Windows 8.1 certified hardware disables external DMA during boot
  • Ports can be disabled or restricted to authorized devices on Windows 7 devices

• Mitigating Memory Remanence attack (Frozen Memory - Princeton)
  • Physical removal of frozen memory trick easier said than done
  • Not possible on tablets which have fixed memory
  • Published research (Canadian DoD) shows attack is highly unreliable

Modern devices can offer immunity to traditional cold boot attacks. Even Windows 7 devices may be able to be configured to mitigate against them.

Page 31:

Key Improvements in Windows 10

• Pre-Boot Authentication Improvement: Disallow hot plug DMA until user signs in and when locked
• Automatic Device Encryption with Azure Active Directory (AAD) sign-in to Windows; supports backup of BitLocker recovery password to AAD
• BitLocker Support for Virtual Machines using Virtual TPM (vTPM)
• Windows Phone users can enable Device Encryption without MDM

Page 32:

Information protection continuum complete

DEVICE PROTECTION: Protect data when device is lost or stolen

DATA PROTECTION: Accidental data leakage

SHARING PROTECTION: Protect data when it is shared

Page 33:

Next Steps

Talk to your MDM server vendor about Windows 10 support

Check out related sessions to learn more – See resources on the next slide

Evaluate Data Protection enhancements in Windows 10 – talk to your TAP buddy!

Give us feedback!

Page 34:

Resources: Related sessions here @ Ignite

• Jim Alkove | Overview of Windows 10 for Enterprises
• Dustin Ingalls | A New Era of Threat Resistance for the Windows Platform
• Janani Vasudevan | Windows 10 Mobile Device Management (MDM) in Depth
• Jason Githens | Managing Windows 10 with Microsoft Intune and SCCM
• Gagan Gulati | Protecting and Tracking Sensitive Data with RMS: Today and What’s Next
• Aman Arneja | Secure Enterprise Network Access and VPN platform enhancements
• Sumit Parikh | Windows 10 for Mobile Devices: Get and Stay in Control of Your Mobile Fleet
• Lance Crandall | BitLocker Deployment using MBAM is a Snap!
• Chris Green & Dilip Radhakrishnan | Securing Access to Microsoft Exchange and SPO with Intune
• Adam Skewgar | Work Folders: Accessing and securing your File Server data in a BYOD world
• Allen Marshall | Harden the fabric: Protecting tenant secrets in Hyper-V

Page 35:

Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.

Please evaluate this session. Your feedback is important to us!

Page 36:

© 2015 Microsoft Corporation. All rights reserved.
