
Securing Your Data with Microsoft Technologies Steve Lamb Technical Security Microsoft Ltd

Date post: 18-Jan-2018
Upload: vernon-walton
Transcript
Page 1: Securing Your Data with Microsoft Technologies Steve Lamb Technical Security Microsoft Ltd

Securing Your Data with Microsoft Technologies

Steve Lamb, Technical Security Evangelist @ Microsoft Ltd

[email protected]
http://blogs.technet.com/steve_lamb

Page 2

What you can expect during this session

- Our current thinking on scenarios & solutions
- What technologies to use where, and why
- 60 minutes for discussion & a quick demo
- 15 minutes for questions at the end

Page 3

Why Am I Talking To You About This?

- "When should I use X?" EFS, RMS, S/MIME, BDE, XPS, CAPI, CAPICOM, CAPI-NG, WS-Sec, Smart Cards…
- "What is the right encryption to use?"
- "Give me a strategic direction"

Page 4

Where is your Data Stored?

Q: Where is your biggest security exposure? Trick question!

Page 5

Clients

- Documents: where do your users keep their documents?
- User profile: Outlook, SharePoint, Desktop, Temp
- Per-machine data: search index, file cache

Page 6

Servers

- File shares
- Collaboration store (e.g. SharePoint)
- RDBMS (e.g. SQL)
- Mail (e.g. Exchange)
- SAN
- HSM
- Enterprise backup

Where ISN'T data stored?

Page 7

Big Picture…

Page 8

What Technologies Can Be Used?

- ACLs
- Rights Management (eek!)
- Role-based Access
- System encryption
- Application encryption

Page 9

ACLs

Classic approach. Configuring:
- Windows Explorer, cacls.exe
- Group Policy / Secedit
- NEW! .NET Framework 2.0 (System.Security.AccessControl, SDDL)

Good: protect against online/remote attackers
Bad: protecting against local Admins
Ugly: protecting against offline attacks

Page 10

ACLs example: File server

Uses AD, Group Policy, Windows client
Goal: users cannot see each others' files
Server shares folder \\Server\Home

Share permissions = Users: Change
Folder root permissions allow:
- Users: Traverse folder, List folder, Create folders, Read (This folder only)
- CREATOR OWNER: Change (Subfolders and files only)

Result:
- User creates a new folder and becomes its owner
- Can do anything they want with that folder
- No other user can see inside that folder (they can still see the folder's name, because Users have List folder on the root; local Admins can still take ownership, which is the "Bad" case from the previous slide)
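The home-share layout above, scripted as an added example (this is not code from the deck). It builds the root ACL with exactly the two ACEs the slide lists, publishes the share with Users: Change, and finishes by printing the DACL as SDDL, the .NET 2.0 System.Security.AccessControl representation the previous slide mentions. Assumptions: it runs elevated on the file server; C:\Home and the share name "Home" are placeholders; "Users" is the local BUILTIN\Users group; New-SmbShare needs the SmbShare module (Windows 8 / Server 2012 or later, older servers use net share).

```powershell
# Added example (not from the original deck): create the "\\Server\Home" root described on the
# slide and show the resulting DACL as SDDL. Assumes: elevated session on the file server,
# placeholder path C:\Home and share name "Home", local BUILTIN\Users as "Users".
$Root = 'C:\Home'
New-Item -ItemType Directory -Path $Root -Force | Out-Null

$acl = Get-Acl -Path $Root
# Break inheritance from the volume root and drop every existing ACE so only ours remain.
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { $acl.RemoveAccessRule($ace) | Out-Null }

# Admins and SYSTEM need Full Control to manage, back up and index the tree.
# (This is the slide's "Bad: protecting against local Admins": they can always take ownership.)
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
}

# Users: Traverse folder, List folder, Create folders, Read -- "This folder only",
# so no inheritance flags. ReadAndExecute covers traverse/list/read; CreateDirectories adds
# the right to create a subfolder (and nothing else).
$userRights = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, CreateDirectories'
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', $userRights, 'None', 'None', 'Allow')))

# CREATOR OWNER: Change (Modify) -- "Subfolders and files only". InheritOnly keeps the ACE
# off the root itself; on each new subfolder Windows rewrites CREATOR OWNER to the creating
# user's SID, so only that user has rights inside.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CREATOR OWNER', 'Modify', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')))

Set-Acl -Path $Root -AclObject $acl

# Share permissions = Users: Change. The NTFS DACL above does the real work; the share
# permission just caps what any remote caller can ever get.
New-SmbShare -Name 'Home' -Path $Root -ChangeAccess 'Users' | Out-Null

# The same DACL as an SDDL string: paste-able into a Group Policy file-system security
# template, and what .NET 2.0 / Get-Acl expose for comparison against a known-good baseline.
(Get-Acl -Path $Root).Sddl
```

Two things to verify after running it: the SDDL should contain one `(A;;0x100123;;;BU)`-style ACE for Users with no inheritance flags and one `(A;OICIIO;0x1301bf;;;CO)` for CREATOR OWNER (the exact hex depends on the rights enum), and a test user who creates a folder should see other users' folder names but get Access Denied opening them. The design depends on the user being the creator: if a help-desk administrator pre-creates home folders, their owner is Administrators and CREATOR OWNER resolves to the wrong SID, so either let users create their own folder or set the owner explicitly afterwards.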

Page 11

Rights Management

The "ACL" goes wherever the document goes
Combines encryption with policy enforcement

Good: protecting against offline, online attacks
Bad: protecting against Super Users
Ugly: protecting against Active Directory admins

Page 12

Role-based access (RBAC)

Idealized approach; must be combined with other tech:
- ACLs
- Encryption
- Rights Management
- App-specific authorization (e.g. SQL, Exchange)

Issues:
- Every Windows app has a different approach
- Still no better against offline attacks

Page 13

RBAC scenario: rights management

Leverage Active Directory, RMS, Office:
1. Assign users to groups (roles) in AD
2. RMS templates assign rights to groups
3. Use an RMS-enabled app (e.g. Office) to assign rights via templates
4. RMS server and client grant limited access to documents

Page 14

Intranet / VPN scenario: publishing and consumption

Corporate intranet:
1. Assume the author is already bootstrapped with a RAC (Rights Account Certificate) and CLC (Client Licensor Certificate)
2. Author creates mail
3. Author protects the mail using the RAC and CLC
4. Author sends the mail to the recipient
5. Recipient contacts AD for service discovery
6. Recipient gets bootstrapped from RMS
7. Recipient gets a use license from RMS
8. Recipient can access the content

[Diagram: author and recipient each hold a RAC and CLC; the RMS server and AD sit on the corporate intranet, with the RMS service connection point published in AD as "RMS SCP: http://..."; the protected mail carries a PL (publishing license) and the recipient obtains a UL (use license); the Internet is drawn outside the intranet boundary.]

Page 15

System encryption

Encrypt each file = Encrypting File System (EFS)
Encrypt each sector = BitLocker Drive Encryption (BDE)

Good: protect against offline attack
Bad: doesn't protect against user error
Ugly: doesn't protect between systems

Page 16

Application Encryption

Leverage each app's data protection approach
"Every" app has its own approach, e.g. Outlook S/MIME, SQL Server, Office, WinZip

Good: there's encryption
Bad: hard to manage
Ugly: brutal to manage across the enterprise

Page 17

App example: SQL 2005

SQL Server 2005 roots its key hierarchy in DPAPI (the Service Master Key is DPAPI-protected); comparable to EFS

Multiple layers of keys; partition access:
- Encrypt instances, databases, tables with separate keys
- Leverage an HSM @ server level

Advantages: keys managed with the data, max performance, uses system libraries
Disadvantages: Server & DB Ops can get the keys

Page 18

Scenarios

1. Loss or theft of PC, aka "notebook in taxi"
2. Reduced data leaks, aka "whoopsie"
3. Server-side encryption, aka "untrustworthy Admins"
4. End-to-end encryption, aka "regulatory compliance"

Page 19

(1) Loss or Theft of PC

Threat: attackers with infinite time, many tools, well-documented attack techniques
Goal: mitigate the risk of data exposure; reduce the risk, NOT eliminate it

Good: Application encryption
Better: Minimize the stored data; System encryption
Don't bother with: ACLs, RBAC, DRM

Page 20

(1) Loss or Theft of PC

1. EFS
   - Mitigates offline attacks, except against the user's own account
   - Prevents online attacks (on encrypted files)
   - Threats focus on the user's password
2. BitLocker with TPM or USB key (Vista)
   - Prevents offline attacks (replace passwords, copy hashes, change system files)
   - Threats focus on user logons
3. Ideal: BitLocker with TPM + EFS with Smart Card (Vista)
   - Attacker with notebook + Smart Card needs the PIN (not the password)
   - After "x" bad tries, the Smart Card is locked FOREVER
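A posture check for the "ideal" combination on this slide, added here as an example (not part of the deck). It reports whether the TPM is usable, whether the OS volume is fully encrypted with a TPM-sealed protector and a recovery protector, and whether the signed-in user holds an EFS certificate. Assumptions: Windows 8 / Server 2012 or later, where Get-Tpm and Get-BitLockerVolume exist (the Vista-era equivalent is manage-bde.wsf -status); run elevated for the TPM and volume queries. Whether the EFS private key actually lives on a smart card is enforced by the EFS Group Policy setting "Require a smart card for EFS", which this check does not read.

```powershell
# Added example (not from the original deck): check a notebook against "BitLocker with TPM +
# EFS" from the slide. Assumes Windows 8 / Server 2012+ (BitLocker and TrustedPlatformModule
# PowerShell modules) and an elevated session.
function Get-DiskProtectionPosture {
    $findings = [ordered]@{}

    # TPM present and ready: without it BitLocker can only use a USB startup key.
    $tpm = Get-Tpm
    $findings['TpmPresentAndReady'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # OS volume: protection must be On and encryption finished, not merely "in progress".
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $findings['OsVolumeProtected'] = ($os.ProtectionStatus -eq 'On')
    $findings['OsVolumeEncrypted'] = ($os.VolumeStatus -eq 'FullyEncrypted')

    # Key protectors: a Tpm* protector means the volume key is sealed to the platform;
    # a RecoveryPassword protector is what you escrow (e.g. in AD) so a lost PIN is recoverable.
    $protectors = @($os.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $findings['TpmBound']          = [bool]($protectors -match '^Tpm')
    $findings['RecoveryProtector'] = ($protectors -contains 'RecoveryPassword')

    # EFS: the user's personal store should hold a certificate with the EFS EKU
    # 1.3.6.1.4.1.311.10.3.4. If none exists EFS self-signs one whose private key is protected
    # only by the DPAPI master key derived from the user's password, which is exactly the
    # slide's "threats focus on the user's password" case.
    $efsCerts = @(Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' })
    $findings['EfsCertificatePresent'] = ($efsCerts.Count -gt 0)
    $findings['EfsCertIssuers']        = ($efsCerts | ForEach-Object { $_.Issuer }) -join '; '

    [pscustomobject]$findings
}

Get-DiskProtectionPosture
```

Read the output as a chain: TpmBound without OsVolumeEncrypted means the slide's "prevents offline attacks" does not yet hold (an in-progress volume still has cleartext sectors); an EFS certificate whose issuer is the user's own name is self-signed and therefore password-bound, while one issued by an enterprise CA is what the smart-card EFS deployment on this slide produces.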

Page 21

(1) Loss or Theft of PC

Reality check: Windows XP today
Attack focus: user passwords, cleartext data
Tactics:
- Better passwords/phrases
- Encrypt significant sets of data: EFS for Documents, email, desktop, Temporary Internet Files (TIF), server caches
- Smartcard logon per-PC

Residual risk: pagefile fragments, hiberfile, cached logon verifiers
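The tactics on this slide as a script, added here as an example (not from the deck): EFS on the user-data folders the slide names, a check that the Encrypted attribute actually landed, and then the three residual risks closed off machine-wide. Assumptions: the cipher steps run as the user whose data is being protected and the machine-wide settings run elevated; the folder list is illustrative (the Outlook cache path is the default OST location); the registry value names are the documented Windows ones, and "2" cached logons is a chosen value, not the slide's.

```powershell
# Added example (not from the original deck): apply the slide's tactics.
# Part 1 runs as the user; part 2 needs an elevated session.

# --- 1. EFS for Documents, desktop, email cache, Temporary Internet Files (TIF) ---
# cipher /e /s:<dir> marks the folder encrypted (new files inherit) and encrypts its contents;
# /a makes it encrypt existing files as well as folders.
$UserDataFolders = @(
    [Environment]::GetFolderPath('MyDocuments'),
    [Environment]::GetFolderPath('Desktop'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook'),   # default OST/PST cache (illustrative)
    [Environment]::GetFolderPath('InternetCache')        # TIF
)
foreach ($folder in $UserDataFolders) {
    if (Test-Path -LiteralPath $folder) { cipher.exe /e /s:"$folder" /a | Out-Null }
}

# Verify: the Encrypted attribute is set on each folder. (cipher.exe /c <file> additionally
# lists which certificates can decrypt a given file, i.e. whether a recovery agent is present.)
function Test-EfsEncrypted([string]$Path) {
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [IO.FileAttributes]::Encrypted) -ne 0)
}
$UserDataFolders | Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { '{0,-5} {1}' -f (Test-EfsEncrypted $_), $_ }

# --- 2. Residual risks from the slide (elevated) ---
# hiberfile: no hibernation means no memory image (with EFS/DPAPI keys in it) written to disk.
powercfg.exe /hibernate off

# pagefile fragments: zero the page file at shutdown so cleartext paged out of Office or
# Outlook does not survive a cold boot into an offline attacker's hands.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' `
    -Name 'ClearPageFileAtShutdown' -Value 1 -Type DWord

# cached logon verifiers: limit how many domain credentials Winlogon caches on a notebook
# (REG_SZ; "0" disables caching but then the user cannot log on off the network).
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -Name 'CachedLogonsCount' -Value '2' -Type String
```

Two caveats a practitioner should keep in mind: cipher.exe encrypts with whatever EFS certificate the user currently has, so run it after the smart-card or CA-issued certificate is in place, otherwise the files are bound to a password-protected self-signed key; and clearing the page file at shutdown only helps for a clean shutdown, a notebook pulled from a taxi mid-session still has its pagefile intact, which is why the slide lists it as residual.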

Page 22

(2) Reduced data leaks

Threat: authorized users with legitimate access giving data to others
Goal: mitigate the risk of spread of data; reduce, NOT eliminate

Good: ACLs, Role-based Access
Better: DRM, Application encryption
Don't bother with: System encryption

Page 23

(2) Reduced data leaks

1. ACL shared files on servers with RBAC groups: prevents users from granting each other permissions
2. Leverage a rights management technology: reduces the amount of unprotected files
3. Ideal: RM automatically assigned (RMS partners): enforces RM protection according to pre-defined business rules

Bonus: encryption on physical media
Bonus: removable media policy (Vista)

Page 24

(2) Reduced data leaks

Reality check: user-initiated RMS is unreliable
Risk focus: leaks to outsiders
Tactics:
- "Do not forward" emails from execs, legal, R&D
- RMS automation on servers (future)
- Converting AD roles to security-enabled Distribution Groups
- Experiment with WinFX, Print-to-XPS

Page 25

(3) Server-Side Encryption

Threat: some Admins have, or grant themselves, access with no oversight or detection
Goal: mitigate the risk of widespread leaks; reduce, NOT eliminate

Good: Role-based Access
Better: System encryption, Application encryption, ERM
Don't bother with: ACLs

Page 26

(3) Server-Side Encryption

- Role-based access on all servers (and clients): prevents Admins from unaudited access to data
- EFS, BitLocker, RMS with central keys managed elsewhere: reduces the opportunity for quick access to protected data; threats switch to impersonating users

Bonus: audit for Object Access (Take Ownership, Change Permissions), Policy Change, System Events
Bonus: role-separated audit collection
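The audit "bonus" on this slide, scripted as an added example (not code from the deck): it enables the audit subcategories behind Object Access, Policy Change and System Events, puts a SACL on a protected share root so that Take Ownership and Change Permissions by anyone always produce an event, and then reads those events back. Assumptions: an elevated session on the server; C:\Home is a placeholder for the protected data root; Windows Vista / Server 2008 or later for per-subcategory auditpol.exe and the 46xx event IDs.

```powershell
# Added example (not from the original deck): audit the two ways an admin quietly widens their
# own access to data (Take Ownership, Change Permissions) plus the policy and system events
# that would show someone covering their tracks. Assumes elevated session, placeholder C:\Home.
$Root = 'C:\Home'

# 1. Advanced audit policy. Subcategory names are auditpol's own.
$subcategories = @(
    'File System',                 # Object Access: SACL hits on files/folders -> 4663, 4670
    'Audit Policy Change',         # Policy Change: the audit policy itself was altered -> 4719
    'Authorization Policy Change', # Policy Change: user-rights grants such as SeTakeOwnershipPrivilege
    'Security State Change'        # System Events: startup/shutdown, time change -> 4608, 4616
)
foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 2. SACL on the share root: audit Take Ownership and Change Permissions for Everyone,
#    success and failure, inherited down the whole tree. Auditing does not stop an admin,
#    it makes the "no oversight or detection" part of the threat on the previous slide false.
$acl  = Get-Acl -Path $Root -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions',
    'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Root -AclObject $acl

# 3. Verify the SACL, then pull the resulting events. 4670 = permissions on an object changed,
#    4663 = object accessed (check the Accesses field for WRITE_OWNER / WRITE_DAC).
(Get-Acl -Path $Root -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670, 4663 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

The slide's second bonus, role-separated audit collection, is what makes this useful: an administrator who can take ownership of the data can also clear the local Security log (event 1102), so forward these events to a collector the data admins cannot write to, and alert on 1102 and 4719 as hard as on 4670 itself.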

Page 27

(4) End-to-end encryption

- Challenges
- Approaches
- Futures

Page 28

(4) End to End: Challenges

- Lack of product integration
- Key management:
  - Keep keys close to data (performance, portability)?
  - Keep keys far from data (security, administration)?
- Cross-platform issues
- Managing transitions between systems, applications and organizations

Page 29

(4) End to End: Approaches

- Standard algorithms
- Third-party products
- Best-fit solutions
- Mitigate greatest exposures first

Page 30

(4) End to End: Futures

- "Information protection platform": possibly integrate EFS, RMS, NGSCB
- WS-Sec (and other standards)
- .NET Framework 3.0 (WinFX)
- IPv6

Page 31

Beyond Microsoft technologies

- Pervasive hardware-integrated crypto
- ISV encryption
- ISV rights management
- Smart cards
- Other multi-factor access control

Page 32

Resources

- Technical Chats and Webcasts: http://www.microsoft.com/communities/chats/default.mspx and http://www.microsoft.com/usa/webcasts/default.asp
- Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
- MSDN & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
- Virtual Labs: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
- Newsgroups: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
- Technical Community Sites: http://www.microsoft.com/communities/default.mspx
- User Groups: http://www.microsoft.com/communities/usergroups/default.mspx

Page 33

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Thanks to Mike Smith-Lonergan for creating the slides

Steve Lamb, Technical Security Evangelist @ Microsoft Ltd

[email protected]
http://blogs.technet.com/steve_lamb

