Keep Your Information Safe! Josh Heller Sr. Product Manager Microsoft Corporation SIA206.

Presentation transcript:

Keep Your Information Safe! Josh Heller Sr. Product Manager Microsoft Corporation SIA206

Expanding Importance of Identity: Advanced Persistent Threat; Cloud Computing; Government Interests; Consumerization of IT

Information Privacy is the most important security concern in the enterprise, outranking malware for the first time

Percentage cause of data breach (Cost of Data Breach report, Ponemon Institute, 2010)
Estimated sources of data breach (Global State of Information Security Survey, PriceWaterhouseCoopers, 2010)
Likely Source:
Current Employee: 34%, 33%, 32%
Former Employee: 16%, 29%, 23%
Hacker: 28%, 26%, 31%
Customer: 8%, 10%, 12%
Partner/Supplier: 7%, 8%, 11%
Unknown: 42%, 39%, 34%

Information Protection: Discover, protect and manage confidential data throughout your business with a comprehensive solution integrated into the platform and applications.
Protect everywhere, access anywhere
- Protect critical data wherever it goes
- Protect data wherever it resides
- Secure endpoints to reduce risk
Simplify security, manage compliance
- Simplify deployment and ongoing management
- Enable compliance with information security policy
Integrate and extend security
- Extend confidential communication to partners
- Built into the Windows platform and Microsoft applications

Active Directory Rights Management Services

Persistent Protection + Encryption Policy: Access Permissions Use Right Permissions

Information Author AD RMS Recipient

Automatic Content-Based Privacy:
- Transport Rule action to apply AD RMS template to message
- Transport Rules support regex scanning of attachments in Exchange 2010
- Do Not Forward policy available out of box

SharePoint Server AD RMS

Demo AD Rights Management Services

Classification: What data do I have?
Access Control: Who should have accessed it?
Auditing: Who has accessed it, and how?
RMS Protection: How do I protect my sensitive data?

Modify / Create file; Determine classification; Save classification
In-box content classifier; 3rd party classification plugin
Location, Manual, Contextual, Application

Components
USER CLAIMS: User.Department = Finance; User.Clearance = High
DEVICE CLAIMS: Device.Department = Finance; Device.Managed = True
FILE PROPERTIES: File.Department = Finance; File.Impact = High
ACCESS POLICY: For access to finance information that has high business impact, a user must be a finance department employee with a high security clearance, and be using a managed device registered with the finance department.

Workflow
Access denied remediation provides a user access to a file when it has been initially denied:
1. The user attempts to read a file.
2. The server returns an “access denied” error message because the user has not been assigned the appropriate claims.
3. On a computer running Windows® 8, Windows retrieves the access information from the File Server Resource Manager on the file server and presents a message with the access remediation options, which may include a link for requesting access.
4. When the user has satisfied the access requirements (e.g. signs an NDA or provides other authentication) the user’s claims are updated and the user can access the file.

Today
- Audit is all or nothing
- Not contextual information
Windows Server 2012
- Expression based auditing
- Audit resource attribute changes
- Enhanced audit entries to include context required for compliance and operational reporting
USER CLAIMS: User.Department = Finance; User.Clearance = High
DEVICE CLAIMS: Device.Department = Finance; Device.Managed = True
FILE PROPERTIES: File.Department = Finance; File.Impact = High
AUDIT POLICY: Audit Success/Fail if (File.Department==Finance) OR (File.Impact=High)
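The access policy, the "access denied" remediation step and the audit policy from the slides above can be modelled as conditions over user claims, device claims and file properties. The following is an added example, not code from the presentation or from Windows: the rule layout and the names `unmet` and `evaluate` are hypothetical, the sample contexts are constructed, and the model is a simplification of how a file server evaluates these expressions.

```python
# Simplified, hypothetical model of the slides' claims-based policies.
# Each condition is (namespace, attribute, required value).
ACCESS_RULE = {
    # Which files the rule governs: finance information with high business impact
    "target": [("File", "Department", "Finance"), ("File", "Impact", "High")],
    # What the requester must present to be granted access
    "require": [("User", "Department", "Finance"), ("User", "Clearance", "High"),
                ("Device", "Department", "Finance"), ("Device", "Managed", True)],
}
# Audit policy: (File.Department==Finance) OR (File.Impact=High)
AUDIT_ANY = [("File", "Department", "Finance"), ("File", "Impact", "High")]

def unmet(conditions, ctx):
    """Conditions whose claim/property is absent or has a different value."""
    return [(ns, attr, want) for ns, attr, want in conditions
            if ctx.get(ns, {}).get(attr) != want]

def evaluate(ctx):
    in_scope = not unmet(ACCESS_RULE["target"], ctx)
    missing = unmet(ACCESS_RULE["require"], ctx) if in_scope else []
    return {
        "in_scope": in_scope,
        # None: this rule does not govern the file; other permissions decide
        "allowed": (not missing) if in_scope else None,
        # Claims a remediation message could ask the user to obtain
        "missing": [f"{ns}.{attr}" for ns, attr, _ in missing],
        # OR semantics: audit when at least one audit condition is met
        "audit": len(unmet(AUDIT_ANY, ctx)) < len(AUDIT_ANY),
    }

# Constructed sample contexts
FIN_USER = {"Department": "Finance", "Clearance": "High"}
FIN_DEVICE = {"Department": "Finance", "Managed": True}
FIN_FILE = {"Department": "Finance", "Impact": "High"}
CTX_OK = {"User": FIN_USER, "Device": FIN_DEVICE, "File": FIN_FILE}
CTX_UNMANAGED = {"User": FIN_USER, "File": FIN_FILE,
                 "Device": {"Department": "Finance", "Managed": False}}
CTX_NO_CLEARANCE = {"User": {"Department": "Finance"},
                    "Device": FIN_DEVICE, "File": FIN_FILE}
CTX_HR_FILE = {"User": FIN_USER, "Device": FIN_DEVICE,
               "File": {"Department": "HR", "Impact": "High"}}

if __name__ == "__main__":
    for name in ("CTX_OK", "CTX_UNMANAGED", "CTX_NO_CLEARANCE", "CTX_HR_FILE"):
        print(name, evaluate(globals()[name]))
```

An absent claim is treated the same as a wrong value, so the rule fails closed, and the audit condition covers more files than the access rule does: the HR file is outside the access rule's scope but is still audited because its impact is High.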

Dynamic Access Control allows sensitive information to be automatically protected using AD Rights Management Services:
1. A rule is created to automatically apply RMS protection to any file that contains the word “confidential”.
2. A user creates a file with the word “confidential” in the text and saves it.
3. The RMS Dynamic Access Control classification engine, following rules set in the Central Access Policy, discovers the doc with the word “confidential” and initiates RMS protection accordingly.
4. The RMS template and encryption are applied to the document on the file server and it is classified and encrypted.

Dynamic Access Control

Classification
- File inherits classification tags from parent folder
- Manual tagging by owner
- Automatic tagging
- Tagging by applications
Access Control
- Central access policies based on classification
- Expression-based access conditions for user claims, device claims, and file tags
- Access denied remediation
Auditing
- Central audit policies can be applied across multiple file servers
- Expression-based audits for user claims, device claims, and file tags
- Staging audits to simulate policy changes in a real environment
RMS Protection
- Automatic Rights Management Services (RMS) protection for Microsoft Office documents
- Near real-time protection when a file is tagged
- Extensibility for non-Office RMS protectors
