Date posted: 22-Dec-2015
Using Dynamic Access Control and Rights Management for Information Protection
Adam Hall, Brian Desmond
AI-B302

Topics
• What is Dynamic Access Control?
• Understanding claims
• User versus Device claims
• Enabling content policies
• Central Auditing
• Automated Rights Management
What is the problem we are trying to solve?
• Users want to work anywhere on any device
• IT needs to retain control and manage risk
Dynamic Access Control

• Classification: identifies data; classifies files automatically and manually
• Access control: controls access to files; provides central access policies for an organization-wide safety net
• Auditing: audits access to files; provides central audit policies for compliance reporting and forensic analysis
• Rights Management Services protection: applies RMS encryption; reduces information leaks
Dynamic Access Control

Classification
• Files inherit classification tags from parent folder
• File owners tag files manually
• Files are tagged automatically
• Files are tagged by applications

Access control
• Central access policies are based on classification
• Access conditions for user claims, device claims, and file tags are based on expressions
• Assistance is available for denial of access

Auditing
• Central audit policies can be applied across multiple file servers
• Audits for user claims, device claims, and file tags are based on expressions
• Audits can be staged to simulate policy changes in a real environment

Rights Management Services protection
• Automatic Rights Management Services (RMS) protection is available for Microsoft Office documents
• Protection is applied in near-real-time when a file is tagged
• RMS protection extends to files not created in Microsoft Office
Identify and classify information

1. Create or modify file
2. Determine classification
3. Save classification

Classifiers: in-box content classifier; third-party classification plug-in
Classification sources: location, manual, contextual, application
Resource claims build on users and groups

User: redmond\jsmith / S-1-5-21-12345-12345-12345
Groups: MktgFTE / S-1-5-21-23456-23456-23456-23456-23456; RemoteAccess / S-1-5-21-34567-34567-34567-34567; High-PII / S-1-5-21-45678-45678-45678-45678
Claims: “Department” Dept_4329617375 String “Mktg”; “Country” Country_54927768 String “US”

• Viewed using “whoami /claims” from the command line
• Derived from property values and issued as part of the token received at logon
• Consumed during authorization events
Expression-based access rules

Access policy: For access to financial information that has high business impact, a user must be a finance department employee with a high security clearance, and must use a managed device registered with the finance department.

User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High

Claims and resource properties are defined in Active Directory Domain Services and evaluated on the file server.
Central access policies

Characteristics
• Composed of central access rules
• Applied to file servers through Group Policy objects
• Supplement (i.e. do not replace) native New Technology File System (NTFS) file and folder access control lists
Example: corporate file servers
• Organizational policies (defined in Active Directory Domain Services): High business impact; Personally identifiable information
• Finance department policies: High business impact; Personally identifiable information; Finance
• Policies applied on the file servers: Personally identifiable information policy, Finance policy and High business impact policy, covering User folders and Finance folders
Central access policy workflow

1. Active Directory Domain Services: create claim definitions; create file property definitions; create central access policy
2. Group Policy: send central access policies to file servers
3. File server: identify information; apply access policy to the shared folder
4. User’s computer: user tries to access information

Diagram: the user’s access request goes to the file server, which returns allow or deny; Active Directory Domain Services holds the claim definitions, file property definitions and audit policy.
Getting started with access policies
• Organization-wide authorization
• Departmental authorization
• Specific data management
• Need-to-know
Access-denied assistance

1. On a computer running the Windows 8 operating system, Windows retrieves access information from the File Server Resource Manager and displays a message with access remediation options.
2. If remediation options include a link for requesting access, the user can request access to the file. Alternatively, users can request access help through email.
3. After the user satisfies access requirements, the user’s claims are updated and the user can access the file.

Participants in the diagram: user, file server, Active Directory Domain Services.
Security auditing

Workflow
1. Active Directory Domain Services: create claim types; create resource properties
2. Group Policy: create global audit policy
3. File server: select and apply resource properties to the shared folders
4. User’s computer: user tries to access information

Diagram: the user’s access request goes to the file server, which returns allow or deny; Active Directory Domain Services holds the claim definitions, file property definitions and audit policy.

Audit policy examples
• Audit everyone who does not have a high security clearance and who tries to access a document that has a high impact on business
• Audit all vendors when they try to access documents related to projects that they are not working on
Type | Principal | Access | Condition
Audit | Everyone | All-Access | Resource.BusinessImpact=HBI AND User.SecurityClearance!=High
Audit | Everyone | All-Access | User.EmploymentStatus=Vendor AND User.Project Not_AnyOf Resource.Project
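As an added illustration (not code from the presentation), the following Python models how user, device and resource claims are combined by an expression-based central access rule, using the finance example from the access rules slide, and by the two audit conditions above. The evaluator, the dictionary layout of the claim sets and the fail-closed handling of a missing claim are assumptions, not the Windows implementation.

```python
import re
# Evaluates the slide-style expressions, e.g.
# "Resource.BusinessImpact=HBI AND User.SecurityClearance!=High".
# Assumptions: AND-only conjunctions; operators =, !=, AnyOf, Not_AnyOf;
# claim values are strings or lists of strings, as "whoami /claims" shows them.
CLAUSE = re.compile(r"^(User|Device|Resource)\.(\w+)\s*(!=|=|Not_AnyOf|AnyOf)\s*(.+?)\.?$")
REF = re.compile(r"^(User|Device|Resource)\.(\w+)$")

def _as_set(v):
    return set(v) if isinstance(v, (list, set, tuple)) else {v}

def evaluate(expression, ctx):
    """True when every clause holds; an absent claim fails its clause (fail closed)."""
    for clause in expression.split(" AND "):
        m = CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        src, attr, op, rhs = m.groups()
        left = ctx.get(src, {}).get(attr)
        ref = REF.match(rhs.strip())  # right side is another claim or a literal
        right = ctx.get(ref.group(1), {}).get(ref.group(2)) if ref else rhs.strip()
        if left is None or right is None:
            return False
        if op in ("=", "!="):
            ok = (left == right) == (op == "=")
        else:  # AnyOf / Not_AnyOf compare multi-valued claims as sets
            ok = bool(_as_set(left) & _as_set(right)) == (op == "AnyOf")
        if not ok:
            return False
    return True

# A central access rule targets files by resource property and grants access by
# expression; it supplements the NTFS ACL, so both must allow.
FINANCE_HBI_RULE = {
    "targets": "Resource.Department=Finance AND Resource.Impact=High",
    "allow": ("User.Department=Finance AND User.Clearance=High AND "
              "Device.Department=Finance AND Device.Managed=True")}

def access_decision(rule, ctx, ntfs_allows):
    if not evaluate(rule["targets"], ctx):
        return "not targeted"  # this rule does not govern the file
    return "allow" if ntfs_allows and evaluate(rule["allow"], ctx) else "deny"

AUDIT_RULES = [  # the two audit policy examples from the table above
    "Resource.BusinessImpact=HBI AND User.SecurityClearance!=High",
    "User.EmploymentStatus=Vendor AND User.Project Not_AnyOf Resource.Project"]

def audit_hits(ctx):
    return [r for r in AUDIT_RULES if evaluate(r, ctx)]
```

Call `access_decision(FINANCE_HBI_RULE, ctx, ntfs_allows=True)` and `audit_hits(ctx)` with a context of the form `{"User": {...}, "Device": {...}, "Resource": {...}}`; an unmanaged device or a missing clearance claim yields a deny even when the NTFS ACL allows.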
Classification-based encryption process

1. Claim definitions, file property definitions, and access policies are established on an Active Directory domain controller.
2. A user creates a file with the word “confidential” in the text and saves it. The classification engine classifies the file as high-impact according to the rules configured.
3. On the file server, a rule automatically applies RMS protection to any file classified as high-impact.
4. The RMS template and encryption are applied to the file on the file server and the file is encrypted.

Components in the diagram: user, file server, classification engine, RMS server, Active Directory Domain Services.
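As an added model of the classification-based protection flow described above (not the presentation's code and not the File Classification Infrastructure API), this Python applies a folder-location rule and a content rule to a file, aggregates the "Impact" property as an ordered list where the highest value wins, and then runs a task that maps every High-impact file to an RMS template. The rule shapes, the property name and the template name are assumptions.

```python
import re

# Ordered-list property: when several rules or a manual tag set "Impact",
# the highest-ranked value is kept (assumed aggregation behaviour).
IMPACT_ORDER = ["Low", "Moderate", "High"]

RULES = [  # constructed rules: a location rule and a content rule
    {"scope": "/shares/finance/", "pattern": None, "impact": "Moderate"},
    {"scope": "/shares/", "pattern": re.compile(r"\bconfidential\b", re.I), "impact": "High"},
]

def classify(path, text, manual=None):
    """Return {property: value} for one file; a manual tag takes part in aggregation."""
    props = dict(manual or {})
    for rule in RULES:
        if not path.startswith(rule["scope"]):
            continue  # location rule: only folders in scope
        if rule["pattern"] and not rule["pattern"].search(text):
            continue  # content rule: the pattern must occur in the file text
        current = props.get("Impact")
        if current is None or IMPACT_ORDER.index(rule["impact"]) > IMPACT_ORDER.index(current):
            props["Impact"] = rule["impact"]
    return props

def protection_task(classified, template="Finance-HBI (constructed template name)"):
    """File management task: map each High-impact file to the RMS template applied to it."""
    return {path: template for path, props in classified.items() if props.get("Impact") == "High"}

if __name__ == "__main__":
    files = {  # constructed sample files
        "/shares/finance/q3-forecast.docx": "Quarterly forecast. CONFIDENTIAL: do not distribute.",
        "/shares/finance/lunch-menu.txt": "Tuesday: soup.",
        "/shares/public/readme.txt": "Welcome.",
    }
    classified = {p: classify(p, t) for p, t in files.items()}
    print(classified)
    print(protection_task(classified))  # only the forecast gets the template
```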
Dynamic Access Control: Benefits

• Classification: identifies data; classifies files automatically and manually
• Access control: controls access to files; provides central access policies for an organization-wide safety net
• Auditing: audits access to files; provides central audit policies for compliance reporting and forensic analysis
• Rights Management Services protection: applies RMS encryption; reduces information leaks
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Policy-driven access to data with Dynamic Access Control

Features
• Central access policies
• File access audit
• Integration with Active Directory Rights Management Services
• File Classification Infrastructure

Benefits
• Easily resolve end-user permission issues
• Centrally manage access control from Active Directory
• Pre-stage and simulate the effect of changes to access policy
• Automatically identify and classify data based on content