What is the problem we are trying to solve?
Users want to work anywhere, on any device.
IT needs to retain control and manage risk.
Dynamic Access Control
Classification: identifies data; classifies files automatically and manually.
Access control: controls access to files; provides central access policies as an organization-wide safety net.
Auditing: audits access to files; provides central audit policies for compliance reporting and forensic analysis.
Rights Management Services protection: applies RMS encryption; reduces information leaks.
Dynamic Access Control
Classification:
  Files inherit classification tags from the parent folder.
  File owners tag files manually.
  Files are tagged automatically.
  Files are tagged by applications.
Access control:
  Central access policies are based on classification.
  Access conditions for user claims, device claims, and file tags are based on expressions.
  Assistance is available for denial of access.
Auditing:
  Central audit policies can be applied across multiple file servers.
  Audits for user claims, device claims, and file tags are based on expressions.
  Audits can be staged to simulate policy changes in a real environment.
Rights Management Services protection:
  Automatic Rights Management Services (RMS) protection is available for Microsoft Office documents.
  Protection is applied in near-real time when a file is tagged.
  RMS protection extends to files not created in Microsoft Office.
Identify and classify information
Flow: create or modify file -> determine classification -> save classification.
Classifiers: in-box content classifier; third-party classification plug-in.
Classification methods: location, manual, contextual, application.
Resource claims build on users and groups
Viewed using "whoami /claims" from the command line:
  User: redmond\jsmith / S
  Groups: MktgFTE / S; RemoteAccess / S; High-PII / S
  Claims: "Department" (Dept_, String) = "Mktg"; "Country" (Country_, String) = "US"
Claims are derived from property values and issued as part of the token received at logon, and are consumed during authorization events.
Expression-based access rules
Access policy: for access to financial information that has high business impact, a user must be a finance department employee with a high security clearance, and must use a managed device registered with the finance department.
  User claims (from Active Directory Domain Services): User.Department = Finance; User.Clearance = High
  Device claims (from Active Directory Domain Services): Device.Department = Finance; Device.Managed = True
  Resource properties (on the file server): Resource.Department = Finance; Resource.Impact = High
Central access policies
Characteristics:
  Composed of central access rules, stored in Active Directory Domain Services.
  Applied to file servers through Group Policy objects.
  Supplement (i.e. do not replace) native file and folder access control lists from New Technology File System (NTFS).
Example: organizational policies (high business impact; personally identifiable information) and finance department policies (high business impact; personally identifiable information; finance) are assembled into a high business impact policy, a personally identifiable information policy and a finance policy; on the corporate file servers the personally identifiable information policy is applied to user folders and the finance policy to finance folders.
Central access policy workflow
  1. Active Directory Domain Services: create claim definitions, create file property definitions, create the central access policy.
  2. Group Policy: send central access policies to file servers.
  3. File server: apply the access policy to the shared folder; identify information.
  4. User's computer: the user tries to access information.
  5. The file server evaluates the claim definitions, file property definitions and audit policy held in Active Directory Domain Services and allows or denies access.
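The workflow above, as an added PowerShell example that is not part of the slide deck: it defines the finance claims and resource properties used by the expression-based access rule, then creates a staged central access rule and the policy that carries it, using the ActiveDirectory module on a domain controller. The rule and policy names, the source attributes and the Impact value list are assumptions, and the claim and property names inside the SDDL condition must match the IDs that Get-ADClaimType and Get-ADResourceProperty report in your forest.

```powershell
# Added example, not from the deck. Run on a domain controller with the
# ActiveDirectory module (Windows Server 2012 schema); names are assumptions.
Import-Module ActiveDirectory

# 1. Claim definitions: user and device claims sourced from AD attributes.
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -AppliesToClasses @("user", "computer")
New-ADClaimType -DisplayName "Clearance" -SourceAttribute "extensionAttribute1" `
    -AppliesToClasses @("user")
New-ADClaimType -DisplayName "Managed" -SourceAttribute "extensionAttribute2" `
    -AppliesToClasses @("computer")

# 2. File property definitions. Department shares its value list with the
#    Department claim so User.Department and Resource.Department compare cleanly.
New-ADResourceProperty -DisplayName "Department" -IsSecured $true `
    -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" -SharesValuesWith "Department"
$impactValues = @("Low", "Medium", "High") | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "$_ business impact")
}
New-ADResourceProperty -DisplayName "Impact" -IsSecured $true `
    -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" -SuggestedValues $impactValues
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Department", "Impact"

# 3. Central access rule. ResourceCondition selects the files the rule targets.
#    The ACL is staged as Proposed: with "Audit Central Access Policy Staging"
#    enabled, mismatches are only logged, not enforced, until it is promoted.
$target = '(@RESOURCE.Department == "Finance") && (@RESOURCE.Impact == "High")'
$acl = 'D:(A;;FA;;;BA)(A;;FA;;;SY)' +
       '(XA;;FA;;;AU;(@USER.Department == "Finance" && @USER.Clearance == "High" ' +
       '&& @DEVICE.Department == "Finance" && @DEVICE.Managed == "True"))'
New-ADCentralAccessRule -Name "Finance HBI access" -ResourceCondition $target -ProposedAcl $acl

# 4. Central access policy that carries the rule. Publish it to the file servers
#    through Group Policy: Computer Configuration > Windows Settings >
#    Security Settings > File System > Central Access Policy.
New-ADCentralAccessPolicy -Name "Finance policy"
Add-ADCentralAccessPolicyMember -Identity "Finance policy" -Members "Finance HBI access"

# Promote the staged ACL to enforcement once the staging audit looks right:
# Set-ADCentralAccessRule -Identity "Finance HBI access" -CurrentAcl $acl
```

On the file server, run Update-FsrmClassificationPropertyDefinition afterwards so the new Department and Impact properties become available for tagging the shared folder.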
Getting started with access policies
  Organization-wide authorization
  Departmental authorization
  Specific data management
  Need-to-know
Access-denied assistance
On a computer running the Windows 8 operating system, Windows retrieves access information from the File Server Resource Manager and displays a message with access remediation options. If the remediation options include a link for requesting access, the user can request access to the file. Alternatively, users can request access help through . After the user satisfies the access requirements, the user's claims are updated and the user can access the file.
Participants: user, file server, Active Directory Domain Services.
Security auditing
  1. Active Directory Domain Services: create claim types, create resource properties.
  2. Group Policy: create the global audit policy.
  3. File server: select and apply resource properties to the shared folders.
  4. User's computer: the user tries to access information.
  5. The file server evaluates the claim definitions, file property definitions and audit policy held in Active Directory Domain Services, allows or denies access, and records the audit.
Audit policy examples
Audit everyone who does not have a high security clearance and who tries to access a document that has a high impact on business:
  Audit | Everyone | All-Access | Resource.BusinessImpact=HBI AND User.SecurityClearance!=High
Audit all vendors when they try to access documents related to projects that they are not working on:
  Audit | Everyone | All-Access | User.EmploymentStatus=Vendor AND User.Project Not_AnyOf Resource.Project
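The two audit rules above, written as conditional expressions and applied to the file server's global object access auditing with auditpol, as an added example that is not from the deck. It assumes the BusinessImpact, SecurityClearance, EmploymentStatus and Project claim and property names exist with those IDs in your forest; in a multi-server deployment the same expressions are normally delivered through the Global Object Access Auditing Group Policy setting rather than typed on each server.

```powershell
# Added example, not from the deck. Run elevated on the file server.
# Claim/property names in the conditions are assumptions; "FA" is full access.

# Global object access auditing only produces events if the File System
# subcategory is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Rule 1: everyone without High clearance who touches high-business-impact files.
auditpol /resourceSACL /set /type:File /user:Everyone /success /failure /access:FA `
    /condition:'(@RESOURCE.BusinessImpact == "HBI" && @USER.SecurityClearance != "High")'

# Rule 2: vendors who touch documents of projects they are not working on.
auditpol /resourceSACL /set /type:File /user:Everyone /success /failure /access:FA `
    /condition:'(@USER.EmploymentStatus == "Vendor" && @USER.Project Not_Any_of @RESOURCE.Project)'

# Confirm both entries are present in the global file SACL; if the second /set
# replaced the first for the same principal, join the two conditions with ||.
auditpol /resourceSACL /type:File /view

# Resulting events are Security log 4663 (object access) entries that carry the
# matched user and resource claims, so they can be filtered by property value.
```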
Classification-based encryption process
Participants: user, file server, classification engine, RMS server, Active Directory Domain Services.
  1. Claim definitions, file property definitions, and access policies are established in Active Directory Domain Services.
  2. A user creates a file with the word "confidential" in the text and saves it.
  3. The classification engine classifies the file as high-impact according to the configured rules.
  4. On the file server, a rule automatically applies RMS protection to any file classified as high-impact.
  5. The RMS template and encryption are applied to the file on the file server, and the file is encrypted.
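The file-server side of the process above, as an added PowerShell example that is not from the deck: a File Server Resource Manager content classifier tags files containing "confidential" as high impact, and a continuous file management job applies an RMS template to every file carrying that tag. It assumes the Impact property is already defined in AD DS (FSRM exposes it as Impact_MS), a share at D:\Finance, an RMS template named "Finance - High Impact", and an AD RMS cluster configured for the server.

```powershell
# Added example, not from the deck. Run elevated on the file server with the
# File Server Resource Manager role service installed; paths and names are assumptions.
Import-Module FileServerResourceManager

# Pull the resource property definitions (including Impact) from AD DS into FSRM.
Update-FsrmClassificationPropertyDefinition

# Steps 2-3: a content classifier that marks any file whose text contains
# "confidential" as Impact = High. Overwrite means the rule wins over a
# lower value a user may have set manually.
New-FsrmClassificationRule -Name "Confidential text is high impact" `
    -Property "Impact_MS" -PropertyValue "High" `
    -Namespace @("D:\Finance") `
    -ClassificationMechanism "Content Classifier" `
    -ContentString @("confidential") `
    -ReevaluateProperty Overwrite

# Steps 4-5: a continuous file management job that applies the RMS template to
# every file classified high impact as soon as the tag is written.
$protect = New-FsrmFmjAction -Type Rms -RmsTemplate "Finance - High Impact"
$isHigh  = New-FsrmFmjCondition -Property "Impact_MS" -Condition Equal -Value "High"
New-FsrmFileManagementJob -Name "RMS-protect high impact files" `
    -Namespace @("D:\Finance") -Action $protect -Condition $isHigh -Continuous

# Classify what is already on disk now (new files are picked up continuously),
# then check the classification status.
Start-FsrmClassification -Confirm:$false
Get-FsrmClassification
```

Files that are not Office documents are still tagged and protected by this job, which is the "extends to files not created in Microsoft Office" behaviour from the earlier slide.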
Policy-driven access to data with Dynamic Access Control
Benefits:
  Easily resolve end-user permission issues.
  Centrally manage access control from Active Directory.
  Pre-stage and simulate the effect of changes to access policy.
  Automatically identify and classify data based on content.
Building blocks:
  Central access policies
  File access audit
  Integration with Active Directory Rights Management Services
  File Classification Infrastructure