Date post: 22-Dec-2015

Using Dynamic Access Control and Rights Management for Information Protection

Adam Hall, Brian Desmond

AI-B302

Topics
• What is Dynamic Access Control?
• Understanding claims
• User versus Device claims
• Enabling content policies
• Central Auditing
• Automated Rights Management

What is Dynamic Access Control?

What is the problem we are trying to solve? Users want to work anywhere on any device; IT needs to retain control and manage risk.

Dynamic Access Control covers four areas: classification, access control, auditing, and Rights Management Services protection.

• Identifies data: classifies files automatically and manually
• Controls access to files: provides central access policies for an organization-wide safety net
• Audits access to files: provides central audit policies for compliance reporting and forensic analysis
• Applies RMS encryption: reduces information leaks

Classification
• Files inherit classification tags from parent folder
• File owners tag files manually
• Files are tagged automatically
• Files are tagged by applications

Access control
• Central access policies are based on classification
• Access conditions for user claims, device claims, and file tags are based on expressions
• Assistance is available for denial of access

Auditing
• Central audit policies can be applied across multiple file servers
• Audits for user claims, device claims, and file tags are based on expressions
• Audits can be staged to simulate policy changes in a real environment

Rights Management Services protection
• Automatic Rights Management Services (RMS) protection is available for Microsoft Office documents
• Protection is in near-real-time when a file is tagged
• RMS protection extends to files not created in Microsoft Office

Understanding Claims

Identify and classify information

1. Create or modify file
2. Determine classification (in-box content classifier or third-party classification plug-in)
3. Save classification

Classification can be driven by location, manually, contextually, or by the application.

Resource claims build on users and groups

User: redmond\jsmith / S-1-5-21-12345-12345-12345

Groups:
• MktgFTE / S-1-5-21-23456-23456-23456-23456-23456
• RemoteAccess / S-1-5-21-34567-34567-34567-34567
• High-PII / S-1-5-21-45678-45678-45678-45678

Claims:
• “Department” (Dept_4329617375, String): “Mktg”
• “Country” (Country_54927768, String): “US”

• Viewed using “whoami /claims” from the command line
• Derived from property values and issued as part of the token received at logon
• Consumed during authorization events

Expression-based access rules

Access policy: for access to financial information that has high business impact, a user must be a finance department employee with a high security clearance, and must use a managed device registered with the finance department.

The rule combines claims issued by Active Directory Domain Services with properties of the file on the file server:
• User claims: User.Department = Finance; User.Clearance = High
• Device claims: Device.Department = Finance; Device.Managed = True
• Resource properties: Resource.Department = Finance; Resource.Impact = High

Enabling Content Policies

Central access policies

Characteristics
• Composed of central access rules
• Defined in Active Directory Domain Services and applied to file servers through Group Policy objects
• Supplement (i.e. do not replace) native NTFS (New Technology File System) file and folder access control lists

[Figure: corporate file servers. Organizational policies (High business impact; Personally identifiable information) are applied to user folders; finance department policies (High business impact; Personally identifiable information; Finance) are applied to finance folders.]

Central access policy workflow

1. Active Directory Domain Services: create claim definitions, create file property definitions, create central access policy
2. Group Policy: send central access policies to file servers
3. File server: apply access policy to the shared folder; identify information
4. User’s computer: user tries to access information

[Figure: claim definitions, file property definitions and audit policy flow from Active Directory Domain Services to the file server, which returns allow or deny to the user.]

Getting started with access policies
• Organization-wide authorization
• Departmental authorization
• Specific data management
• Need-to-know

Access-denied assistance

1. On a computer running the Windows 8 operating system, Windows retrieves access information from the File Server Resource Manager and displays a message with access remediation options.
2. If remediation options include a link for requesting access, the user can request access to the file. Alternatively, users can request access help through email.
3. After the user satisfies access requirements, the user’s claims are updated and the user can access the file.

[Figure: the three steps above, between the user, the file server and Active Directory Domain Services.]

Central Auditing

Security auditing

1. Active Directory Domain Services: create claim types, create resource properties
2. Group Policy: create global audit policy
3. File server: select and apply resource properties to the shared folders
4. User’s computer: user tries to access information

[Figure: claim definitions, file property definitions and the audit policy flow from Active Directory Domain Services to the file server, which returns allow or deny to the user.]

Audit policy examples

• Audit everyone who does not have a high security clearance and who tries to access a document that has a high impact on business:
  Audit | Everyone | All-Access | Resource.BusinessImpact=HBI AND User.SecurityClearance!=High

• Audit all vendors when they try to access documents related to projects that they are not working on:
  Audit | Everyone | All-Access | User.EmploymentStatus=Vendor AND User.Project Not_AnyOf Resource.Project
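As an added example that is not part of the deck, the following Python models how the finance access rule from the expression-based access rules slide and the two audit rules above are evaluated over user claims, device claims and resource properties. The CentralAccessRule class, the condition helpers and the sample claim sets are constructed for illustration; the semantics shown (a central policy supplements rather than replaces the NTFS ACL, and Not_AnyOf matches when no value is shared) follow the slides.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Claims = Dict[str, Any]
Cond = Callable[[Claims, Claims, Claims], bool]  # (user, device, resource) -> bool

def not_any_of(left, right) -> bool:
    """DAC's Not_AnyOf operator: true when no value of `left` occurs in `right`."""
    return not (set(left) & set(right))

@dataclass
class CentralAccessRule:  # constructed model of a central access rule
    applies_to: Cond  # target resource condition: which files the rule governs
    permits: Cond     # expression the user and device must satisfy

def is_access_allowed(ntfs_allows: bool, rules: List[CentralAccessRule],
                      user: Claims, device: Claims, resource: Claims) -> bool:
    """Central policies supplement NTFS ACLs: the ACL and every applicable rule must allow."""
    return ntfs_allows and all(r.permits(user, device, resource)
                               for r in rules if r.applies_to(user, device, resource))

def audit_hits(rules: Dict[str, Cond], user: Claims, device: Claims,
               resource: Claims) -> List[str]:
    """Names of the global audit rules whose expression matches this access."""
    return [name for name, cond in rules.items() if cond(user, device, resource)]

# The rule from the "Expression-based access rules" slide.
FINANCE_HBI = CentralAccessRule(
    applies_to=lambda u, d, r: r.get("Department") == "Finance" and r.get("Impact") == "High",
    permits=lambda u, d, r: (u.get("Department") == "Finance" and u.get("Clearance") == "High"
                             and d.get("Department") == "Finance" and d.get("Managed") is True),
)

# The two rules from the "Audit policy examples" slide, using the
# BusinessImpact / SecurityClearance property names shown there.
AUDIT_RULES: Dict[str, Cond] = {
    "HBI access without High clearance":
        lambda u, d, r: r.get("BusinessImpact") == "HBI" and u.get("SecurityClearance") != "High",
    "Vendor access outside own projects":
        lambda u, d, r: (u.get("EmploymentStatus") == "Vendor"
                         and not_any_of(u.get("Project", []), r.get("Project", []))),
}

# Constructed sample claims and properties (not from the deck) for a walk-through.
FINANCE_USER = {"Department": "Finance", "Clearance": "High", "SecurityClearance": "High"}
VENDOR_USER = {"EmploymentStatus": "Vendor", "Project": ["Alpha"], "SecurityClearance": "Low"}
MANAGED_DEVICE = {"Department": "Finance", "Managed": True}
BYOD_DEVICE = {"Department": "Finance", "Managed": False}
HBI_LEDGER = {"Department": "Finance", "Impact": "High", "BusinessImpact": "HBI", "Project": ["Beta"]}
```

The same finance user is allowed from the managed device and denied from the unmanaged one, while the rule does not constrain files outside its resource condition.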

Automated Rights Management

Classification-based encryption process

1. Claim definitions, file property definitions, and access policies are established on an Active Directory domain controller.
2. A user creates a file with the word “confidential” in the text and saves it. The classification engine classifies the file as high-impact according to the configured rules.
3. On the file server, a rule automatically applies RMS protection to any file classified as high-impact.
4. The RMS template and encryption are applied to the file on the file server and the file is encrypted.

[Figure: the four steps above, between the user, the file server with its classification engine, the RMS server and Active Directory Domain Services.]

Demo

Brian Desmond

Wrap

Dynamic Access Control: Benefits

Across classification, access control, auditing, and Rights Management Services protection, Dynamic Access Control:
• Identifies data: classifies files automatically and manually
• Controls access to files: provides central access policies for an organization-wide safety net
• Audits access to files: provides central audit policies for compliance reporting and forensic analysis
• Applies RMS encryption: reduces information leaks

Policy-driven access to data with Dynamic Access Control

Features: File Classification Infrastructure; central access policies; file access audit; integration with Active Directory Rights Management Services

Benefits:
• Automatically identify and classify data based on content
• Centrally manage access control from Active Directory
• Pre-stage and simulate the effect of changes to access policy
• Easily resolve end-user permission issues

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

