Using classification for access control and compliance

Presentation transcript:

Using classification for access control and compliance
SAC-426T
Matthias Wollnik, Senior program manager, Microsoft Corporation

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda

WHO WILL BENEFIT FROM THIS TALK
- IT architects
- DLP developers
- Security developers
- Information Lifecycle app developers

TOPICS
- Data management overview
- File Classification Infrastructure and the Data classification toolkit
- Classification Enhancements in Windows 8
- Protecting sensitive data

WHAT YOU’LL LEAVE WITH
- Using classification to address key challenges in managing data across the organization
- Controlling access, auditing and encryption based on classification
- Developing products and LOB applications that use classification and native Windows Server 8 access, audit and encryption policies

Data Management Challenges
- Growth of users and data
- Budget Constraints
- Distributed computing
- Regulatory and Business Compliance

Business Needs → Storage Results
- Need per-project share
  Business needs can start simple
- Ensure that business-secret files do not leak out
  But adding policies can fragment the storage infrastructure
- Retain contract data for 10 years
  Complexity increases the chances of ineffective policies and prevents insight into business data

Lack of insight into your data means that you cannot manage your costs and risks

Manage Data Based On Business Value
- Step 1: Classify Data
- Step 2: Apply policy according to classification

How can you classify information?

Location based
- Based on the folder the file is created in
- Driven by “Business owner” that sets up the folder

Manual
- Specified by Information Worker
- Templates of documents can be used for default settings
- Data entry applications that mark files created by users

Automatic classification
- Automatic classification based on content and other characteristics
- Great solution for classifying large amounts of existing information

Application
- Line of business applications that store information on file servers
- Data management applications

File Classification Infrastructure Architecture
[Diagram: Windows Server 2008 R2 File Classification, with extensibility points]
- Set classification properties API for external applications
- Classify Data
- Store classification properties
- Apply Policy based on classification
- Discover Data
- Extract classification properties
- Get classification properties API for external applications

Designed to enable an ecosystem around classification
- Comprehensive API for solutions
- Extensible classification infrastructure

File Classification Infrastructure Architecture
[Diagram: Windows Server File Classification, with extensibility points]
- Set classification properties API for external applications
- Classify Data
- Store classification properties
- Apply Policy based on classification
- Discover Data
- Extract classification properties
- Get classification properties API for external applications

Existing APIs retained and extended
- Get/Set classification properties APIs now available to non-Admin

Classification in Windows 8

Baseline Classification Properties

Area | Properties | Values
Information Privacy | Personally Identifiable Information | High; Moderate; Low; Public; Not PII
Information Privacy | Protected Health Information | High; Moderate; Low
Information Security | Confidentiality |
Information Security | Required Clearance | Restricted; Internal Use; Public
Legal | Compliancy | SOX; PCI; HIPAA/HITECH; NIST SP 800-53; NIST SP 800-122; U.S.-EU Safe Harbor Framework; GLBA; ITAR; PIPEDA; EU Data Protection Directive; Japanese Personal Information Privacy Act
Legal | Discoverability | Privileged; Hold
Legal | Immutable | Yes/No
Legal | Intellectual Property | Copyright; Trade Secret; Parent Application Document; Patent Supporting Document
Records Management | Retention | Long-term; Mid-term; Short-term; Indefinite
Records Management | Retention Start Date | <Date Value>
Organizational | Impact |
Organizational | Department | Engineering; Legal; Human Resources …
Organizational | Project | <Project>
Organizational | Personal Use |

Centrally Defined Classification Properties

Resource Property Definitions
- Impact <- High, Moderate, Low
- Personally Identifiable Information <- High; Moderate; Low; Public; Not PII

Tagging information
Location based | Manual | Automatic classification | Application
- Consume classification properties
- Set classification properties
- Automation-compatible COM API
- Works with native code, managed code, or scripts
- Available through IFsrmClassificationManager2 object

Tagging information
Location based | Manual | Automatic classification | Application
[Diagram labels: In-box content classifier; See modified / created file; FCI; 3rd party classification plugin; Determine classification; 3rd party classification plugin; Save classification]

Tagging information
Location based | Manual | Automatic classification | Application

    // Enumerate the classification property definitions known to FCI on this server.
    FsrmClassificationManager cls = new FsrmClassificationManager();
    IFsrmCollection c = cls.EnumPropertyDefinitions(_FsrmEnumOptions.FsrmEnumOptions_None);
    foreach (IFsrmPropertyDefinition p in c) { /*...*/ }

Demo: File Classification Infrastructure

File Classification with Websense DLP

Accurate Content Classification
- Hundreds of built-in classifiers: Patterns; Dictionaries; File properties; Precise ID NLP
- > 1,000 out-of-the-box policies
- Performed locally on Windows Server 8
- Easily customizable
- Fully integrated with Websense Data Security Suite Data Loss Prevention

File Classification with Websense DLP: System Architecture
[Diagram labels: Microsoft “Windows Server 8”; Websense TRITON Manager; Websense Endpoint Agent; Websense DLP Policy Templates; Microsoft FCI; Data Classifier; Policy Engine; Policy  Property Mapping]

Information governance policies
- Determine who can access information
- Audit access to information
- Encrypt information
- Apply appropriate retention to information

Continuous File Management Tasks
[Diagram labels: See classification update; File Management Task; Match file to policy; Classify file; FCI; Apply Policy]

Continuous Encryption
[Diagram labels: See classification update; File Management Task; Match file to policy; Classify file; FCI; RMS Encrypt]

Model for central access and audit of information
- Central Access and audit policy
- Information labeling (FCI classification properties)
- User claims: User.Company=Contoso; User.Department=Finance; User.Clearance=High
- Machine claims
- Access and audit Evaluation
- Read request for: \\financeServer\Share\estimates.xlsx
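A simplified model of the evaluation on the slide above, added here as an illustration; it is not code from the presentation and not Windows' own access-check algorithm. The user claims and file path come from the slide; the rule, the file's property values, the second user, the second file, and the `acl_allows` input (standing in for the file's ordinary permissions) are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Props = Dict[str, str]  # user claims or file classification properties

@dataclass(frozen=True)
class Rule:
    name: str
    target: Callable[[Props], bool]            # which classified files the rule covers
    condition: Callable[[Props, Props], bool]  # user claims checked against file properties
    audit: bool = False

@dataclass(frozen=True)
class Decision:
    granted: bool
    audited: bool
    applied: Tuple[str, ...]

def evaluate(rules: List[Rule], user: Props, resource: Props, acl_allows: bool) -> Decision:
    """Central rules only narrow access: the ordinary permissions must allow
    the request AND every rule targeting this file must be satisfied."""
    applied = [r for r in rules if r.target(resource)]
    granted = acl_allows and all(r.condition(user, resource) for r in applied)
    audited = any(r.audit for r in applied)
    return Decision(granted, audited, tuple(r.name for r in applied))

# Constructed rule: high-impact files need a matching department and high clearance.
RULES = [
    Rule(
        name="high-impact",
        target=lambda res: res.get("Impact") == "High",
        condition=lambda usr, res: (
            usr.get("Clearance") == "High"
            and res.get("Department") is not None
            and usr.get("Department") == res.get("Department")
        ),
        audit=True,
    ),
]

# User claims as listed on the slide.
FINANCE_USER = {"Company": "Contoso", "Department": "Finance", "Clearance": "High"}
# Constructed second user and file properties for comparison.
ENGINEER = {"Company": "Contoso", "Department": "Engineering", "Clearance": "High"}
ESTIMATES = {"Path": r"\\financeServer\Share\estimates.xlsx",
             "Department": "Finance", "Impact": "High"}
# A file that was never classified: no rule targets it, so only the ACL protects it.
UNCLASSIFIED = {"Path": r"\\financeServer\Share\draft.xlsx"}

if __name__ == "__main__":
    for who, what in [(FINANCE_USER, ESTIMATES), (ENGINEER, ESTIMATES),
                      (ENGINEER, UNCLASSIFIED)]:
        print(who["Department"], what["Path"], evaluate(RULES, who, what, True))
```

The third case is the one to watch in practice: a file with no classification properties falls outside every rule target, which is why classification coverage matters before relying on such a policy.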

Demo: Policy based on classification

Client and Server
[Diagram labels: Windows Explorer Visual Indicators; Client; File Classification Infrastructure on Desktop; Server; Active Directory Classification Schema; File Classification Infrastructure APIs; Exchange; Windows Server 8]

Expanding the reach of Windows FCI on Windows Systems
Enables enterprise-wide file classification

dataglobal dg incorporates Windows Server 8 FCI and extends its classification abilities in three areas:

1. Platform enabling
- Expands classification and Windows FCI to legacy Windows servers (2000, 2003) and to NTFS-based NAS systems
- Performs fast and automated classification of a vast number of existing files

2. Enterprise readiness
- Enterprise-wide classification policies
- Spans multiple data sources, e.g. file systems, SharePoint, Exchange
- Delegates administration over hundreds of servers

3. Classification based actions
- Archiving
- Compliance Management
- Life Cycle Management
- Renditions
- Encryption
- Multi-Tier Storage
- … and much more …

dataglobal is a global technology leader for the analysis, classification, management and archiving of enterprise-wide data. dataglobal and its Universal and Storage Information Management platform dg suite, is a close technology partner of the Microsoft Windows Server team. For more information, visit us at www.dataglobal.com.

GigaTrust File Classification Protector

GigaTrust FCI Protector
- Extends FCI-RMS-protection to additional file types including PDF
- Configured same as Office IRM Protector.
- File Server Resource Manager (FSRM) configures File Management Task.
- Based on classification, FCI applies task to protect files.
- Rights enforced as files accessed by client either directly or as a copy.

[Diagram labels: Windows 8 Server; AD RMS Server; Active Directory; FSRM; File Share; Office IRM Protector; GigaTrust IRM Protector; File Management Task; RMS-protect Files]

GigaTrust Central Access Policy Protector

GigaTrust CAP Protector
- Combines claims-based access control with ADRMS protection
- Global Access Policy pushed to AD RMS and File servers.
- GigaTrust CAP protector extends ADRMS protection to include reference to the access policy.
- GigaTrust Dynamic Policy Connector verifies the access policy claims.
- Use license issued only if the claims are still satisfied. If claims are valid, then the ADRMS rights apply.

[Diagram labels: Windows 8 Server; Active Directory Administrative Center; FSRM; AD RMS Server; File Share; Global Policy; GigaTrust CAP Protector; GigaTrust Dynamic Policy Connector; File Mgmt Task; RMS-protect Files With Global Policy]

Developer opportunities for Classification in Windows 8

FCI provides many avenues to be part of end-to-end data lifecycle management solutions
- Classification plugin – provide classification based on content, identity, regulations, etc.
- Data management products – leverage in solutions to protect data and ensure compliance
- Most extensions to FCI can be built for Windows 2008 R2 and work on Windows 8

Centrally defined properties in Active Directory for consistent classification
- Data is automatically classified as it is created on the server
- Sensitive data can automatically be encrypted shortly after it is created
- Access to a file can be restricted based on the classification of the file

Thank you
Feedback and questions: http://forums.dev.windows.com
Session feedback: http://bldw.in/SessionFeedback

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.