We Have to Share Data - Now What?
Jon R. Wall, Security / IA, Microsoft
The Move from Need to Know to Need to Share
- Within organizations
- Across organizations
- Across civilian and military
- 5Is
- Across government and commercial
Interest – the Wrong Type
- Florida Dept. of Labor: 4,624 files
- Bureau of the Census: 1,138 laptops
- City of Savanna, Georgia: 8,800 files
- USDA data breach: 26,000 files
- US Navy data breach: 28,00 files
- TJX sued for loss of consumer data
- U.S. Department of Veterans Affairs: 25.5 million veterans and military personnel
Risk Management
Technology Framework for Data Governance
- Secure Infrastructure: protection against malware, unauthorized access and evolving threats
- Identity & Access Control: managed identities and protected personal information from unauthorized access
- Data Encryption: protected sensitive data from prying eyes
- Document Management: protected document security throughout its lifecycle
- Auditing & Reporting: monitoring systems and measuring compliance
Technologies: BitLocker Drive Encryption, Encrypting File System, Windows Server Rights Management Services (RMS), Office Information Management Services (IRM)
Government and Industry Compliance
- Many governmental compliance rules (HIPAA, Sarbanes-Oxley, FDA 21 CFR 11, etc.) require that measures are put in place to safeguard digital information
- Expiration of content is required by many other industry and governmental regulations
Today's Policy Expression
- Today, most communication policies exist only on paper
- It's easy to unintentionally forward e-mails and documents
- It's easy to intentionally share or sell plans with competitors, the press, or on the Internet
Boundary-Based Technologies
Today's Information Protection (diagram): perimeter; access control list; yes / no
Windows RMS provides organizations with the tools they need to safeguard confidential and sensitive data
- Information Protection: data protected at rest and during collaboration
- Policy Enforcement: specify not only who has initial access to information but also what they can do with it
- Out-of-box scenarios: integrated with SharePoint, Office, XPS, Exchange, Windows Mobile
- Customizable solution: RMS SDK, partner ecosystem
RMS Gives Authors Control
The document author can define who can do the following:
- View document
- Edit document
- Print document
- Copy/paste
How RMS Works
1. On first use, the author receives a client licensor certificate from the RMS server
2. The author creates content and assigns rights
3. The file is distributed to the recipient(s)
4. The recipient opens the file, and their RMS client contacts the server for user validation and to obtain a license
5. The application opens the file and enforces the restrictions
Windows RMS Usage Scenarios
Protect Sensitive Files
- Control access to sensitive plans
- Set level of access: view, change, print, etc.
- Determine length of access
Keep Internal Information Internal
- Keep executive e-mail off the Internet
- Reduce internal forwarding of confidential information
- Templates to centrally manage policies
- Do-Not-Forward
Safeguard Intranet Content
- Safeguard financial, legal, HR content
- Set level of access: view, print, export
- View Office 2003 rights-protected information
RMS Will NOT ...
- ...provide unbreakable, hacker-proof security
- ...protect against analog attacks
Comparing S/MIME and RMS: When Should I Use Which Technology?
Comparing implementation of S/MIME signing, S/MIME encryption, and IRM.

Feature                                                                   | S/MIME Signing | S/MIME Encryption | IRM
Authenticates the sender                                                  | Yes            | No                | No
Authenticates the recipient                                               | No             | Yes               | Yes
Uses two-factor authentication                                            | Yes*           | Yes*              | No
Can encrypt content                                                       | No             | Yes               | Yes
Prevents content tampering                                                | Yes            | Yes               | Yes
Offers content expiration                                                 | No             | No                | Yes
Controls content viewing, forwarding, saving, modifying, or printing by recipient | No      | No                | Yes
Differentiates permissions by recipient                                   | No             | No                | Yes
IRM and SharePoint
- With IRM turned on in SharePoint Central Admin, define policies for specific document libraries, such as Project X, Confidential, Restricted, FOUO, etc.
- Define when policies expire, whether users can print, how often credentials must be validated, etc.
- Automates and forces the RMS encryption of the files in the specific document library
- Users can still create their own policies and upload encrypted documents to other document libraries
DoD Certification
- Certified May 24; it is now listed on the JITC product register
- Applies to: Microsoft Office SharePoint Server 2007
Titus Labs Suite
- Message Classification: forces the classification of e-mails in Microsoft Outlook, OWA and Windows Mobile
- Document Classification: forces the classification of Office documents (Word, PowerPoint & Excel) in Microsoft Office
Classification in transit (diagram): a message from User A to User B carries its label (Public, Internal Use, Confidential, Restricted) both visually (labels) and non-visually (metadata in an x-header); a 3rd-party gateway reads the x-header to enforce policy, ensure proper handling and prevent disclosure; Confidential and Restricted traffic is shown encrypted.
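Added example, not from the deck or from Titus Labs or Microsoft: a minimal gateway check that reads the classification x-header and decides whether a message may leave the organization. The header name, label set, internal domain, policy table and the MIME type used to recognise an RMS-protected message are all assumptions.

```python
"""Toy mail-gateway check driven by a classification x-header (constructed example)."""
from email import message_from_string
from email.utils import getaddresses

CLASSIFICATION_HEADER = "X-Classification"            # assumed header name
INTERNAL_DOMAINS = {"example.com"}                     # constructed internal domain
RPMSG_TYPE = "application/x-microsoft-rpmsg-message"   # assumed marker for RMS-protected mail

# Assumed policy for messages with at least one external recipient:
#   allow       - deliver unchanged
#   block       - must never leave the organization
#   require-rms - deliver only if the message is already RMS-protected
EXTERNAL_POLICY = {
    "Public": "allow",
    "Internal Use": "block",
    "Confidential": "require-rms",
    "Restricted": "block",
}


def is_external(addr):
    """True when the address is outside the constructed internal domain set."""
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def is_rms_protected(msg):
    """True when any MIME part carries the assumed RMS-protected content type."""
    return any(part.get_content_type() == RPMSG_TYPE for part in msg.walk())


def gateway_decision(raw_message):
    """Return 'allow' or 'block' for a raw RFC 822 message string."""
    msg = message_from_string(raw_message)
    label = msg.get(CLASSIFICATION_HEADER, "").strip()
    rcpts = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if not any(is_external(a) for a in rcpts):
        return "allow"                      # internal-only traffic is not the gateway's concern
    if label not in EXTERNAL_POLICY:
        return "block"                      # missing or unknown label: fail closed
    action = EXTERNAL_POLICY[label]
    if action == "require-rms":
        return "allow" if is_rms_protected(msg) else "block"
    return action


# Constructed sample messages
HDR = "From: alice@example.com\nTo: bob@partner.test\n"
PUBLIC_EXTERNAL = HDR + "X-Classification: Public\nSubject: press release\n\nhello\n"
CONFIDENTIAL_EXTERNAL = HDR + "X-Classification: Confidential\nSubject: plan\n\nsecret\n"
CONFIDENTIAL_INTERNAL = "From: alice@example.com\nTo: carol@example.com\nX-Classification: Confidential\n\nsecret\n"
UNLABELLED_EXTERNAL = HDR + "Subject: no label\n\nhello\n"
CONFIDENTIAL_RMS_EXTERNAL = (
    HDR + "X-Classification: Confidential\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\nContent-Type: text/plain\n\n'
    "Protected message\n--b1\nContent-Type: " + RPMSG_TYPE + '; name="message.rpmsg"\n\n'
    "(opaque)\n--b1--\n"
)
```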
RMS at Microsoft: Example of RMS Templates
Corporate RMS templates are available from the Permission menu of Outlook, Word, PowerPoint, and Excel:
- Microsoft Confidential: only Microsoft employees can access the message. Allows View, Reply, Reply All, Save, Edit, and Forward
- Microsoft Confidential Read Only: only Microsoft employees can access the message. Allows View, Reply, Reply All
- Microsoft FTE Confidential: only Microsoft full-time employees can access the message. Allows View, Reply, Reply All, Save, Edit, and Forward
- Microsoft FTE Confidential Read Only: only Microsoft full-time employees can access the message. Allows View, Reply, and Reply All
Summary
RMS enables organizations to keep internal information internal.
Key benefits:
- Safeguards sensitive internal information
- Augments existing perimeter security technologies
- Digitally enforces organization policies
- Persistent file protection
- Easy to use
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.