
Amit Fulay Senior Lead Program Manager Microsoft SIA 324.



Presentation transcript:


2 Amit Fulay Senior Lead Program Manager Microsoft SIA 324


5 $40

6 US military secrets were found in USB sticks on sale outside US airbase http://news.bbc.co.uk/2/hi/technology/4946512.stm


9 85%

10 28% IDC 2009 Report


12 Session Objectives
- Email as the primary leak vector
- Understand AD RMS
- Understand Exchange 2010 – RMS integration features
- Understand how to deploy them together
- Demos

13 Business Ready Security
Help securely enable business by managing risk and empowering people.
Highly Secure & Interoperable Platform
From: Block, Cost, Siloed
To: Enable, Value, Seamless

14 Session Objectives
- Email as the primary leak vector
- Understand AD RMS
- Understand Exchange 2010 – RMS integration features
- Understand how to deploy them together
- Demos

15 Email Information Leakage is Broadly Reaching
- Financial Services: Equity Research, M&A; GLB, NASD 2711
- Healthcare & Life Sciences: Research, Clinical Trials; HIPAA
- Manufacturing & High Technology: Collaborative Design, Data Protection in Outsourcing
- Government: RFP Process, Classified Information; National Security
- Horizontal Scenarios: Sensitive e-mails, Executive communications, Financial data, Price lists, HR Information, Legal information; Corporate Governance: Sarbanes Oxley (US)

16 Email Information Leakage is Costly On Multiple Fronts
Legal, Regulatory and Financial impacts
- Cost of digital leakage per year is measured in $Billions
- Increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386
- Non-compliance with regulations or loss of data can lead to significant legal fees, fines, and more
Damage to Image and Credibility
- Damage to public image and credibility with customers
- Financial impact on company
- Leaked e-mails or memos can be embarrassing
Loss of Competitive Advantage
- Disclosure of strategic plans or M&A info can lead to loss of revenue and market capitalization
- Loss of research, analytical data, and other intellectual capital

17 Session Objectives
- Email as the primary leak vector
- Understand AD RMS
- Understand Exchange 2010 – RMS integration features
- Understand how to deploy them together
- Demos

18 Traditional Solutions Protect Initial Access …
Diagram: an Access Control List and a perimeter Firewall answer Yes/No for Authorized Users and Unauthorized Users at the perimeter; the Information Leakage arrow shows content still reaching Unauthorized Users once it has passed that check.
…but not ongoing usage

19 What is Rights Management Services?
Better safeguard sensitive information
- Protect against unauthorized viewing, editing, copying, printing, or forwarding of information
- Limit file access to only authorized users
- Audit trail tracks usage of protected files
Persistent protection
- Protects your sensitive information no matter where it goes
- Uses technology to enforce organizational policies
- Authors define how recipients can use their information
Flexible and customizable technology
- RMS integrates with familiar applications and is easy to use
- Users assign “Full Control” rights to a trusted group
- ISVs build custom solutions via SDKs

20 System Architecture
- RMS Client (built into Windows Vista and Windows 7): Application, Client API, Security Processor, OS Platform
- RMS Server (WS08 / 08 R2 server role): reached by clients over HTTP/SOAP; backed by SQL and AD (WS2008)
- RMS Administration: Admin MMC Snap-in (MMC 3.0 Host) and Admin Scripting API, talking to the server over HTTP/SOAP

21 Information Workflow: Publishing and consumption
1. Assume author and recipient are already bootstrapped with a RAC and CLC
2. Author creates mail
3. Author protects mail using RAC and CLC
4. Author sends mail to recipient
5. Recipient gets use license from RMS
6. Recipient can access content
Diagram: Author and Recipient each hold a RAC and CLC; the RMS server is backed by AD and SQL; the PL is created at step 3 and the UL is issued at step 5.

22 RMS System Workflow
1. Deployment: RMS Client, SPC
2. User certification: to server: SPC, authentication; to client: RAC, CLC
3. Publishing information: symmetric key, protect information, PL
4. Licensing: to server: RAC, PL; to client: UL
5. Information consumption: authorize UL, decrypt information

23 What’s on the user’s PC?
- RMS Client “Lock Box”: Machine Private Key (obfuscated). Per-machine keys guarantee that content cannot be exploited by just moving content or certificates to another machine
- Machine Certificate: Machine Public Key. Public key for this machine; necessary in order to acquire a RAC (Rights Account Certificate)
- Rights Account Certificate: User Private Key (encrypted by machine public key), User Public Key. Credentials to consume rights-protected content
- Client Licensor Certificate: Server Public Key. Credentials to publish rights-protected content offline
- RMS-enabled Applications

24 Example: Rights-Protected Doc
- PL (Publish License): created when the content (file) is protected. Holds the Rights Info (w/ email addresses) and the Content Key (random AES-128), encrypted with the server public key
- File content (text, pictures, metadata, etc.): encrypted with the content key
- UL (Use License): only added to the file after the server licenses a user to open it. Holds the Content Key and the Rights (for a particular user), encrypted with the user public key
NOTE: Outlook E-mail EULs are stored in the local user profile directory

25 External Collaboration
- Trusted User Domains
- Special AD Accounts
- Trust Windows Live ID
- Hosted Service
- Identity Federation

26 External Collaboration via AD FS: Scenario
- Fabrikam is a supplier to Contoso
- They have set up a federated trust relationship using AD FS (access to SharePoint libraries, Intranet sites, etc.)
- Contoso deploys RMS
- Contoso is able to protect content it shares with Fabrikam
- Contoso RMS server issues use licenses to Fabrikam employees

27 External Collaboration via AD FS
1. Assume author is already bootstrapped
2. Author sends protected mail to recipient at Fabrikam
3. Recipient contacts RMS server to get bootstrapped
4. WebSSO agent intercepts request
5. RMS client is redirected to FS-R for home realm discovery
6. RMS client is redirected to FS-A for authentication
7. RMS client is redirected back to FS-R for authentication
8. RMS client makes request to RMS server for bootstrapping
9. WebSSO agent intercepts request, checks authentication, and sends request to RMS server
10. RMS server returns bootstrapping certificates to recipient
11. RMS server returns use license to recipient
12. Recipient accesses protected content
Diagram: Contoso hosts AD, RMS, the WebSSO agent and FS-R (resource federation server); Fabrikam hosts FS-A (account federation server); the author's RAC/CLC and PL and the recipient's RAC/CLC and UL are shown along the numbered steps.

28 Vista/WS2008 Investments
- Easy deployment
- External collaboration (through AD FS federation)
- Policy distribution (Vista SP1 + WS2008)
- Native 64-bit client
- XPS integration

29 Win 7/WS2008 R2 Investments
- External collaboration: support extended to include 3rd-party identity providers; internal group support (i.e., groups on the federation side that include external users)
- Deployment through PowerShell
- Administration through PowerShell
- New reports

30 Session Objectives
- Email as the primary leak vector
- Understand AD RMS
- Understand Exchange 2010 – RMS integration features
- Understand how to deploy them together
- Demos

31 Exchange 2010 Investments
- Manage Inbox Overload
- Enhance Unified Messaging
- Anywhere Access and Collaboration
- Deployment Flexibility
- High Availability
- Simplified Administration
- Protect Communications
- Compliance and Archiving
- Reporting and Alerts

32 RMS Integration Overview
- Automatic Content Based Privacy: Transport Rules, Protected Unified Messaging, Outlook Protection Rules
- Streamline End User Experience: IRM in OWA, Search IRM mails in OWA
- Enable IT Infrastructure: Journal Decryption, Transport Pipeline Decryption

33 Automatic Content-Based Privacy: Eliminate reliance on the end user
Enforcement tools are required. Content protection should be automated.

34 Automatic Content-Based Privacy: Eliminate reliance on the end user
- Protect messages in transit via a Transport Rules action
- Protect messages by default at the Outlook client
- Private voice messages automatically protected by Unified Messaging (UM)
- Delegate policy determination to the Compliance Officer role via RBAC

35 Transport Rule Protection

36 Automatic Content-Based Privacy: Transport Rule Protection
Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages
- Transport Rule action to apply an RMS template to an e-mail message
- Transport Rules support regex scanning of attachments in Exchange 2010
- Internet Confidential and Do Not Forward policies available out of the box

37 Transport Rule Protection
- Rules Agent stamps an X-Org header on the message with its value set to the RMS template GUID
- Encryption Agent applies RMS protection to the message and attachments on the OnRouted transport agent event
- Office 2003, 2007, 14 and XPS docs supported as attachments
- All encryption/decryption APIs located in the XSO layer

38 Transport Rule Protection
Diagram (Exchange 2010 Enterprise, Active Directory, AD RMS): 1) Service Lookup 2) Bootstrap (RAC, CLC) 3) Acquire Template Information 4) Publish 5) Encrypt

39 RMS Integration in UM

40
- UM Administrator can allow incoming voice mail messages to be marked as “private”
- Private voice mail is protected using “Do Not Forward”, preventing forwarding or copying content
- Uses the Encryption/Decryption XSO API to rights-protect
- Private voice mail supported by Unified Messaging in Outlook 14 and OWA

41 Outlook Protection Rules
- Small-scale rules engine delivered in the Outlook 2010 add-in
- Prevents host/Admin from accessing sensitive mail
- Rule predicates: sender’s department, recipient’s identity, recipient’s scope; retrieved by the add-in from CAS through EWS
- Optional/mandatory; applied offline/online

42 Step 1: User creates a new message in Outlook

43 Step 2: User adds the R&D distribution list to the To line

44 Step 3: Outlook detects a sensitive DL and automatically protects as confidential

45 Step 4: Administrator can define a policy as required, disabling the Permission button

46 RMS Integration Overview
- Automatic Content Based Privacy: Transport Rules, Protected Unified Messaging, Outlook Protection Rules
- Streamline End User Experience: IRM in OWA, Search IRM mails in OWA
- Enable IT Infrastructure: Journal Decryption, Transport Pipeline Decryption

47 Streamline End User Experience: Prevent RMS protection from getting in the IW's way
- Prelicensing enables offline and mobile access to RMS protected messages
- Create and compose RMS protected messages in OLK and OWA
- Conduct full-text search on RMS protected messages in OWA

48 RMS Integration in OWA


50
- Create/consume RMS protected messages natively, just like Outlook
- No client download or installation required
- Supports Firefox, Safari, Macintosh and Windows
- Conversation view, Preview pane
- Full-text search on RMS protected messages

51 RMS Integration in OWA
- CAS uses Super User privileges to decrypt the End User License (EUL) to determine which rights to enforce
- A single EUL is shared across all CAS servers to give multiple machines a common RMS identity
- Rights enforcement concerns in the browser are mitigated by disabling the feature at the mailbox policy level

52 RMS Integration Overview
- Automatic Content Based Privacy: Transport Rules, Protected Unified Messaging, Outlook Protection Rules
- Streamline End User Experience: IRM in OWA, Search IRM mails in OWA
- Enable IT Infrastructure: Journal Decryption, Transport Pipeline Decryption

53 Enable IT Infrastructure: RMS protection should not break IT infrastructure
- Simplified Exchange-RMS integration via installation scripts and a health check task
- Enable e-discovery via Journal Report Decryption
- Virus and spam filtering of RMS protected messages enabled at Hub Transport

54 Journal Report Decryption
Journal Report Decryption Agent
- Attaches clear-text copies of RMS protected messages and attachments to the journal mailbox
- Requires super-user privileges; off by default
- Stamps an X-Org header to prevent future decrypt attempts
Diagram: Archive/Journal

55 Journal Report Decryption

56 Transport Pipeline Decryption
- Enables Hub Transport agents to scan/modify RMS protected messages
- Pipeline Decryption Agent uses Super-User privileges to decrypt the message and attachments protected with the same Publishing License
- Encryption Agent re-encrypts messages, forks and NDRs with the original PL

57 Transport Pipeline Decryption
- Option to NDR messages that can’t be decrypted
- Low performance impact: the message is decrypted at the first Hub of each forest
- Message property to determine whether a clear-text message was decrypted by pipeline decryption
- Agents are not prevented from copying decrypted content

58 RMS Integration Agents
All RMS Integration Agents are implemented as Transport agents on the Hub Transport role:
- SMTP End of Data: Pipeline Decryption Agent (decrypts RMS messages arriving from SMTP)
- On Submitted: Pipeline RMS Decryption Agent (decrypts AD RMS messages arriving from the pipeline)
- On Routed: Transport Rules Agent, Journal Report Decryption Agent, Encryption Agent, PreLicense Agent, Journal Agent

59 Session Objectives
- Email as the primary leak vector
- Understand AD RMS
- Understand Exchange 2010 – RMS integration features
- Understand how to deploy them together
- Demos

60 Deployment Pre-requisites
- Exchange 2010
- Windows Server 2008 R2
- Configure the AD RMS server role on WS08R2
- MBX and CAS servers must have Exchange 2010

61 Exchange Configuration
- Exchange Server must be part of the RMS “Super-user” group
- Enable the corresponding Transport Agents; e.g. to enable the Transport Rules agent, use the Exchange Management Shell: Set-IRMConfiguration -EncryptionEnabled $true

62 RMS Configuration
1. Register a Service Connection Point in AD
2. Add permissions for Exchange to access AD RMS
3. Set up an RMS Super User Group
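The Exchange side of slides 36 to 41 and 60 to 62 as one Exchange Management Shell walk-through, added here as an example and not part of the deck or of Microsoft's own scripts. It assumes the released Exchange 2010 SP1 cmdlet and parameter names (the slide's -EncryptionEnabled switch is assumed to correspond to -InternalLicensingEnabled), and contoso.com, alice, rnd@ and the policy names are constructed placeholders.

```powershell
# Added example, not from the deck. Assumes Exchange 2010 SP1 cmdlet/parameter names;
# contoso.com, alice, rnd@, and the policy names below are constructed placeholders.

# --- AD RMS side (slide 62; done in the AD RMS console and IIS, not in this shell) ---
# 1) Register the Service Connection Point (SCP) in AD so Exchange can find the cluster.
# 2) Grant the Exchange Servers group read/execute on ServerCertification.asmx.
# 3) Add Exchange to the AD RMS Super Users group (needed for journal and pipeline decryption).

# --- Exchange side (slide 61): prove the SCP lookup worked before enabling any feature ---
$irm = Get-IRMConfiguration
if (-not $irm.ServiceLocation) {
    throw "No AD RMS service location found via SCP; fix the AD RMS registration first"
}

# One switch per integration feature from slides 32-58. The slide's
# "Set-IRMConfiguration -EncryptionEnabled $true" is assumed to map to InternalLicensingEnabled.
$features = @{
    InternalLicensingEnabled       = $true       # transport rule protection (Encryption Agent)
    ClientAccessServerEnabled      = $true       # IRM in OWA
    SearchEnabled                  = $true       # full-text search of IRM mail in OWA
    JournalReportDecryptionEnabled = $true       # journal report decryption (super-user; off by default)
    TransportDecryptionSetting     = 'Optional'  # pipeline decryption; 'Mandatory' NDRs undecryptable mail
}
Set-IRMConfiguration @features

# End-to-end check: walks the bootstrap, publish and licensing steps as this sender and
# reports which step failed, e.g. a missing super-user or ServerCertification.asmx grant.
Test-IRMConfiguration -Sender alice@contoso.com

# Transport rule (slides 36-38): subject/body matching a card-number-like pattern is
# rights-protected on the Hub with the out-of-box "Do Not Forward" template.
$dnf = Get-RMSTemplate -Identity "Do Not Forward"
New-TransportRule -Name "DNF card-number-like content" `
    -SubjectOrBodyMatchesPatterns '\b\d{4}-\d{4}-\d{4}-\d{4}\b' `
    -ApplyRightsProtectionTemplate $dnf

# Outlook protection rule (slides 41-45): protected in the client, so Hub and Admin never see clear text.
New-OutlookProtectionRule -Name "R&D list is confidential" `
    -SentTo "rnd@contoso.com" `
    -ApplyRightsProtectionTemplate $dnf `
    -UserCanOverride $false              # disables the Permission button, as in step 4 of the demo

# Protected UM (slide 40) and IRM in OWA (slide 51), both controlled per policy.
Set-UMMailboxPolicy -Identity "Contoso UM Policy" -ProtectAuthenticatedVoiceMail Private
Set-OwaMailboxPolicy -Identity "Default" -IRMEnabled $true

# Confirm the RMS-related transport agents (slide 58) are registered and enabled on this Hub.
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize
```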

63 Transport Rules, IRM in OWA, Journal Decryption

64 Key Takeaway Exchange 2010 and AD RMS can help your organization safeguard sensitive email communication

65 Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers
- www.microsoft.com/learning: Microsoft Certification & Training Resources

66 Complete an evaluation on CommNet and enter to win!

67 © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

