Date posted: 12-Nov-2014
Category: Technology
Uploaded by: security-bootcamp
Security Bootcamp 2012 - 28,29,30/12/2012
Microsoft SharePoint Most Valuable Professional (2011,2012)
Author, Writer, Trainer & Public Speaker
Founder & Editor in Chief of SharePointVNPublisher
Focus on Microsoft Security & Federated Identity, Infrastructure, Methodologies and Architecture.
Data Compliance
Understand the new Dynamic Access Control capabilities built into Windows Server 2012
Demonstration
Compliance is generally a response to governmental regulation, but it can also be a response to industry or internal requirements:
• The U.S. Health Insurance Portability and Accountability Act (HIPAA) for health providers
• Sarbanes-Oxley Act (SOX)
• The European Union Data Protection Directive
• U.S. state data breach laws
I’m not talking about in-depth data compliance and privacy.
Can you make sure that only authorized individuals can access confidential data?
Do you have granular control over auditing access?
How do you reduce the number of security groups your organization has?
How do you deal with regulatory standards?
Many more questions come up when it comes to data access control.
CSO/CIO department: “I need to have the right compliance controls to keep me out of jail.”
Infrastructure support: “I don’t know what data is in my repositories and how to control it.”
Content owner: “Is my important data appropriately protected and compliant with regulations – how do I audit this?”
Information worker: “I don’t know if I am complying with my organization’s policies.”
Storage growth
• 45%: file-based storage CAGR.
• MSIT cost: $1.6 per GB/month for managed servers.
• >70% of stored data is stale.
• Cloud cost would be approximately 25 cents per GB/month.
Distributed information
• Corporate information is everywhere: desktops, branch offices, data centers, cloud…
• MSIT: 1,500 file servers with 110 different groups managing them.
• Very hard to consistently manage the information.
Regulatory compliance
• New and changing regulations (SOX, HIPAA, GLBA…).
• International and local regulations.
• More oversight and tighter enforcement.
• $15M: settlement for an investment bank with the SEC over record retention.
Data leakage
• 246,091,423: total number of records containing sensitive personal information involved in security breaches in the US since January 2005.
• $90 to $305 per record (Forrester, “Calculating the Cost of a Security Breach”).
Encryption: automatic RMS encryption based on document classification.
Data Classification: classify your documents using resource properties stored in Active Directory; automatically classify documents based on document content.
Expression-based auditing: targeted access auditing based on document classification and user identity; centralized deployment of audit policies using Global Audit Policies.
Expression-based access conditions: flexible access control lists based on document classification and multiple identities (security groups); centralized access control lists using Central Access Policies.
Data Classification
File Classification Infrastructure provides insight into your data by automating classification processes. It uses classification rules to automatically scan files and classify them according to the contents of the file. Some examples of classification rules include:
• Classify any file that contains the string “SBC12 Confidential” as having high business impact.
• Classify any file that contains at least 10 social security numbers as having personally identifiable information.
A content classification rule searches a set of files for the string “SBC12 Confidential”. If the string is found in a file, the Impact resource property is set to High on the file.
A content classification rule searches a set of files for a regular expression that matches a social security number at least 10 times in one file. If the pattern is found, the file is classified as having personally identifiable information and the Personally Identifiable Information resource property is set to High.
Manage fewer security groups by using conditional expressions
Country (30 values) × Department (20 values) × Sensitive/Confidential documents: with security groups alone, every combination that must be authorized needs its own group. One expression-based access condition over the country, department and sensitivity attributes states the same rule once.
What is a Central Access Policy?
You can think of Central Access Policies as a safety net that your organization applies across its servers to enhance the local access policy.
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
Access policy
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
Expression-based access rules
Diagram: Active Directory Domain Services holds the claim definitions and the expression-based access rules; the file server evaluates them when a user requests access.
Characteristics
• Composed of central access rules
• Applied to file servers through Group Policy objects
• Supplement (not replace) native file and folder access control lists from the New Technology File System (NTFS)
Diagram: central access policies on corporate file servers
• Organizational policies (applied to user folders and Finance folders): High business impact policy, Personally identifiable information policy
• Finance department policies (applied to Finance folders): High business impact policy, Personally identifiable information policy, Finance policy
Central access policy workflow
1. Active Directory Domain Services: create claim definitions, create file property definitions, create the central access policy.
2. Group Policy: send central access policies to file servers.
3. File server: identify information and apply the access policy to the shared folder.
4. User’s computer: the user tries to access information.
Diagram: the user’s request is evaluated on the file server against the claim definitions, file property definitions and audit policy held in Active Directory Domain Services; the outcome is allow or deny.
Central access policy examples
• Organization-wide authorization
• Departmental authorization
• Specific data management
• Need-to-know
Expression-based Auditing
• Limit auditing to data that meets specific classification criteria.
• Limit auditing by action and by identity.
• Add contextual information into the audit events.
Security auditing workflow
1. Active Directory Domain Services: create claim types and create resource properties.
2. Group Policy: create the global audit policy.
3. File server: select and apply resource properties to the shared folders.
4. User’s computer: the user tries to access information; the file server evaluates the request against the claim definitions, file property definitions and audit policy, allows or denies it, and records the audit event.
Audit policy examples
Audit everyone who does not have a high security clearance and who tries to access a document that has a high impact on business:
Audit | Everyone | All-Access | Resource.BusinessImpact = HBI AND User.SecurityClearance != High
Audit all vendors when they try to access documents related to projects that they are not working on:
Audit | Everyone | All-Access | User.EmploymentStatus = Vendor AND User.Project Not_AnyOf Resource.Project
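The two audit rules above, as an added example that is not part of the original deck: they are written as Global Object Access Auditing entries with conditional expressions and set locally on the file server with auditpol. The resource property and claim identifiers used here (BusinessImpact_MS, Project_MS, ad://ext/SecurityClearance, ad://ext/EmploymentStatus, ad://ext/Project) are assumptions; read the real IDs with Get-ADResourceProperty and Get-ADClaimType on a domain controller before pasting.

```powershell
# Added example, not the deck's own commands. Run from an elevated PowerShell
# prompt on File-Srv (Windows Server 2012). Claim/property IDs are assumptions.

# Global Object Access Auditing produces nothing until the File System
# subcategory itself is enabled for success and failure.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Rule 1: anyone without a High clearance touching a High-business-impact file.
# Inner quotes are written \" so they survive PowerShell's native argument passing.
$rule1 = '(@RESOURCE.BusinessImpact_MS == \"HBI\") && (@USER.ad://ext/SecurityClearance != \"High\")'
auditpol /resourceSACL /set /type:File /user:Everyone /success /failure /access:FA /condition:$rule1

# Rule 2: vendors reaching documents of projects they are not assigned to.
# Not_Any_of is the SDDL conditional operator behind the slide's "Not_AnyOf".
$rule2 = '(@USER.ad://ext/EmploymentStatus == \"Vendor\") && (@USER.ad://ext/Project Not_Any_of @RESOURCE.Project_MS)'
auditpol /resourceSACL /set /type:File /user:Everyone /success /failure /access:FA /condition:$rule2

# Confirm what is now in force on this server.
auditpol /resourceSACL /view /type:File

# The resulting events are 4663 (object access) in the Security log. On Windows
# Server 2012 the event body includes the file's Resource Attributes, which is
# the "contextual information" the slide refers to. Pull the relevant fields.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 20 |
    Where-Object { $_.Message -match 'Resource Attributes' } |
    ForEach-Object {
        $lines = $_.Message -split "`r?`n"
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = ($lines | Where-Object { $_ -match '^\s*Account Name:' } | Select-Object -First 1).Trim()
            Object    = ($lines | Where-Object { $_ -match '^\s*Object Name:' }).Trim()
            Resource  = ($lines | Where-Object { $_ -match 'Resource Attributes:' }).Trim()
        }
    }
```

The condition is evaluated by the file system against the claims in the user's token and the resource properties stored on the file, so the same two entries apply to every file on the server without touching per-folder SACLs. If the build of auditpol in use does not accept /condition, the identical entries are configured in the GPO under Advanced Audit Policy Configuration, Global Object Access Auditing, File System.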
Data Encryption Challenges
How do I protect sensitive information after it leaves my protected environment?
I cannot get the users to encrypt their sensitive data.
Process to encrypt a file based on classification
1. Claim definitions, file property definitions and access policies are established in Active Directory Domain Services.
2. A user creates a file with the word “confidential” in the text and saves it. The classification engine classifies the file as high impact according to the configured rules.
3. On the file server, a rule automatically applies RMS protection to any file classified as high impact.
4. The RMS template and encryption are applied to the file on the file server and the file is encrypted.
Diagram: classification-based encryption process, steps 1 to 4 across the user, the file server with its classification engine, the RMS server, and Active Directory Domain Services.
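The classification rules from the Data Classification section and the classification-based encryption process above, as one added example that is not the deck's own script: the two File Classification Infrastructure content rules, followed by the FSRM file management task that applies an AD RMS template to anything classified as High impact. Assumptions (ours): share path D:\Shares\Finance; an AD RMS template named "SBC12 Confidential" already published to the file server; the built-in Impact_MS and PII_MS resource properties (value 3000 is High) enabled in AD beforehand; and the name of the FSRM parameter that sets the occurrence threshold, which is flagged in the code.

```powershell
# Added example, not the deck's own script. Run on File-Srv with the File Server
# Resource Manager role installed. Beforehand, on AD-Srv, the built-in properties
# must be enabled so they reach the file server:
#   Set-ADResourceProperty -Identity Impact_MS -Enabled $true
#   Set-ADResourceProperty -Identity PII_MS    -Enabled $true
Import-Module FileServerResourceManager

$share = "D:\Shares\Finance"   # assumed share path

# Pull the resource property definitions from Active Directory so FSRM can use them.
Update-FsrmClassificationPropertyDefinition

# Rule 1: the literal marker string sets Impact = High (3000) on the file.
New-FsrmClassificationRule -Name "SBC12 Confidential marker" `
    -Namespace @($share) `
    -Property "Impact_MS" -PropertyValue "3000" `
    -ClassificationMechanism "Content Classifier" `
    -ContentString @("SBC12 Confidential") `
    -ReevaluateProperty Overwrite

# Rule 2: ten or more SSN-shaped values set PII = High (3000).
# ASSUMPTION: the parameter key for the occurrence threshold is taken from the
# "Minimum occurrences" field of the FSRM console; confirm it with
# Get-Help New-FsrmClassificationRule -Parameter Parameters before relying on it.
New-FsrmClassificationRule -Name "Bulk SSN content" `
    -Namespace @($share) `
    -Property "PII_MS" -PropertyValue "3000" `
    -ClassificationMechanism "Content Classifier" `
    -ContentRegularExpression @('\b\d{3}-\d{2}-\d{4}\b') `
    -Parameters @("MinimumOccurrences=10") `
    -ReevaluateProperty Overwrite

# Encryption step: a file management task whose condition is Impact == High and
# whose action applies the RMS template. -Continuous makes it act on files as
# they change instead of waiting for the weekly schedule.
$isHigh   = New-FsrmFmjCondition -Property "Impact_MS" -Condition Equal -Value "3000"
$protect  = New-FsrmFmjAction -Type Rms -RmsTemplate "SBC12 Confidential"
$schedule = New-FsrmScheduledTask -Time (Get-Date "02:00") -Weekly @("Sunday")
New-FsrmFileManagementJob -Name "Protect HBI documents" `
    -Namespace @($share) `
    -Condition $isHigh `
    -Action $protect `
    -Schedule $schedule `
    -Continuous

# Run once now rather than waiting for the schedule, then review what was created.
Start-FsrmClassification
Start-FsrmFileManagementJob -Name "Protect HBI documents"
Get-FsrmClassificationRule | Format-Table Name, Property, PropertyValue -AutoSize
Get-FsrmFileManagementJob  | Format-Table Name, Continuous, Namespace -AutoSize
```

The order matters: the classification rule stamps the property, and the file management task keys on that property, so a document a user never thought to protect is encrypted by the server. Because the protection is an RMS envelope rather than an NTFS ACL, it travels with the file when it is copied off the share, which is the first of the two challenges listed above.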
Demonstration lab
Two virtual machines are involved in the demonstration lab:
• AD-Srv (Active Directory Domain Controller)
• File-Srv (File Server)
Two security groups:
• Finance
• System Integration
Two domain users:
• [email protected] (Finance)
• [email protected] (System Integration)
Steps
1. Create a new claim type: Department.
2. Create a resource property, Finance Department, and add it to the resource property list.
3. Create a new central access rule and central access policy, targeting resources where Finance Department exists and Finance Department equals Finance.
4. Publish the central access policy.
5. Configure Group Policy and enable KDC support for claims.
6. Install File Server Resource Manager on the file server.
7. Run Update-FSRMClassificationPropertyDefinition.
8. Add the central access policy to the shared folder.
9. Validate.
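The lab steps above, and the access-rule pattern shown earlier (a user claim compared with a resource property inside an expression-based condition), as one added example that is not part of the original deck. It is the domain-side configuration as it would be typed on AD-Srv, followed by the File-Srv steps. Assumptions (ours): a GPO named "DAC Lab" already exists and is linked to both servers; share path D:\Shares\Finance; the claim ID ad://ext/Department and the property ID FinanceDepartment_SBC12 are names chosen here, and the registry values for the KDC setting are taken from the KDC administrative template and should be checked against the Group Policy editor.

```powershell
# Added example, not the deck's own script. Run on AD-Srv as a Domain Admin.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Claim type: the user's AD "department" attribute is issued as a Kerberos
#    claim. The ID is how the claim is named inside conditional ACEs (@USER.<ID>).
$claim = New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -ID "ad://ext/Department" -Enabled $true -PassThru

# The lab users must carry the attribute the claim is sourced from.
Set-ADUser -Identity "finance.user" -Department "Finance"            # assumed sAMAccountName
Set-ADUser -Identity "si.user"      -Department "System Integration" # assumed sAMAccountName

# 2. Resource property "Finance Department" (single-valued choice), with the same
#    value set as the claim so a file's value and a user's claim can be compared.
$values = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Finance", "Finance", "Finance department data"),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("System Integration", "System Integration", "System Integration data")
)
$prop = New-ADResourceProperty -DisplayName "Finance Department" -ID "FinanceDepartment_SBC12" `
    -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" -IsSecured $true `
    -SuggestedValues $values -PassThru
# FSRM only downloads properties that are members of a resource property list.
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members $prop

# 3. Central access rule. ResourceCondition is the lab's two target conditions
#    (property exists, property equals Finance). CurrentAcl is SDDL: the XA
#    (callback) ACE grants read+write to Authenticated Users only when the
#    user's Department claim equals the file's property; Administrators and
#    SYSTEM keep full control so the rule cannot lock out the operators.
$rule = New-ADCentralAccessRule -Name "Finance Department Rule" `
    -ResourceCondition '(Exists @RESOURCE.FinanceDepartment_SBC12) && (@RESOURCE.FinanceDepartment_SBC12 == "Finance")' `
    -CurrentAcl 'O:SYG:SYD:AR(A;;FA;;;BA)(A;;FA;;;SY)(XA;;FRFW;;;AU;(@USER.ad://ext/Department == @RESOURCE.FinanceDepartment_SBC12))' `
    -PassThru

# 4. The policy carries the rule; the policy is what file servers receive.
$cap = New-ADCentralAccessPolicy -Name "Finance Central Access Policy" -PassThru
Add-ADCentralAccessPolicyMember -Identity $cap -Members $rule

# 5. KDC support for claims (the "enable KDC" step), as a GPO registry setting.
#    Without it no claim is placed in the ticket and the XA ACE never matches.
Set-GPRegistryValue -Name "DAC Lab" `
    -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters" `
    -ValueName "EnableCbacAndArmor" -Type DWord -Value 1
# The setting that publishes the CAP to file servers (Security Settings,
# File System, Central Access Policy) has no cmdlet; select it in the GPO editor.

# ---- On File-Srv ----
# Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
# Update-FsrmClassificationPropertyDefinition   # pulls FinanceDepartment_SBC12 from AD
# gpupdate /force                                # receives the published policy
# Then tag D:\Shares\Finance with Finance Department = Finance (folder Properties,
# Classification tab) and select the CAP under Properties, Security, Advanced,
# Central Policy.

# ---- Validation ----
# On a client logged on as the Finance user:  whoami /claims
# The Department claim must be listed; if it is not, step 5 has not taken effect.
Get-ADCentralAccessPolicy -Filter * | Select-Object Name, Members
```

Two checks are worth building into the validation step. First, the NTFS ACL on the share still applies: the central access rule supplements it, so a user denied by NTFS stays denied whatever the claim says. Second, a logon that predates the KDC policy carries no claims at all, and the file server then falls back to the rule's non-conditional ACEs, so test with a fresh logon rather than an existing session.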
Thanks for joining us.