SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Security Bootcamp 2012 - 28,29,30/12/2012


Transcript of SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Page 1: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Security Bootcamp 2012 - 28,29,30/12/2012

Page 2: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Microsoft SharePoint Most Valuable Professional (2011,2012)

Author, Writer, Trainer & Public Speaker

Founder & Editor in Chief of SharePointVNPublisher

Focus on Microsoft Security & Federation Identity, Infrastructure, Methodologies and Architecture.

Page 3: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Data Compliance

Understand the new Dynamic Access Control capabilities built into Windows Server 2012

Demonstration

Page 4: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Compliance is generally a response to governmental regulation, but it can also be a response to industry or internal requirements.

• The U.S. Health Insurance Portability and Accountability Act (HIPAA) for health providers
• Sarbanes-Oxley Act (SOX)
• The European Union Data Protection Directive
• U.S. state data breach laws

I'm not talking about in-depth data compliance and privacy.

Page 5: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Can you make sure that only authorized individuals can access confidential data?
Do you have granular control over auditing access?
How do you reduce the number of security groups your organization has?
How do you deal with regulatory standards?
Many questions come up when it comes to data access control.

CSO/CIO department: "I need to have the right compliance controls to keep me out of jail"
Infrastructure Support: "I don't know what data is in my repositories and how to control it"
Content Owner: "Is my important data appropriately protected and compliant with regulations – how do I audit this?"
Information Worker: "I don't know if I am complying with my organization's policies"

Page 6: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Storage growth
• 45%: file-based storage CAGR.
• MSIT cost: $1.6 per GB/month for managed servers.
• >70% of stored data is stale.
• Cloud cost would be approximately 25 cents per GB/month.

Distributed information
• Corporate information is everywhere: desktops, branch offices, data centers, cloud…
• MSIT: 1500 file servers with 110 different groups managing them.
• Very hard to consistently manage the information.

Regulatory compliance
• New and changing regulations (SOX, HIPAA, GLBA…).
• International and local regulations.
• More oversight and tighter enforcement.
• $15M: settlement for an investment bank with the SEC over record retention.

Data leakage
• 246,091,423: total number of records containing sensitive personal information involved in security breaches in the US since January 2005.
• $90 to $305 per record (Forrester, "Calculating the Cost of a Security Breach").

Page 7: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Encryption: Automatic RMS encryption based on document classification.

Data Classification: Classify your documents using resource properties stored in Active Directory. Automatically classify documents based on document content.

Expression-based auditing: Targeted access auditing based on document classification and user identity. Centralized deployment of audit policies using Global Audit Policies.

Expression-based access conditions: Flexible access control lists based on document classification and multiple identities (security groups). Centralized access control lists using Central Access Policies.

Page 8: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)
Page 9: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Data Classification

File Classification Infrastructure provides insight into your data by automating classification processes.

File Classification Infrastructure uses classification rules to automatically scan files and classify them according to the contents of the file.

Some examples of classification rules include:
• Classify any file that contains the string "SBC12 Confidential" as having high business impact.
• Classify any file that contains at least 10 social security numbers as having personally identifiable information.


Page 10: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

A content classification rule that searches a set of files for the string "SBC12 Confidential". If the string is found in a file, the Impact resource property is set to High on the file.

A content classification rule that searches a set of files for a regular expression that matches a social security number at least 10 times in one file. If the pattern is found, the file is classified as having personally identifiable information and the Personally Identifiable Information resource property is set to High.
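An added example, not part of the presentation or of File Classification Infrastructure itself: a Python model of the two content classification rules just described, run over constructed sample files. The SSN regular expression, the case-sensitive string match and the property names are assumptions of this model.

```python
import re

# Constructed sample files (name -> contents) standing in for files on a share.
# payroll.txt carries 12 SSN-shaped values, memo.txt only one.
SAMPLE_FILES = {
    "budget.txt": "Q4 forecast. SBC12 Confidential - do not forward outside Finance.",
    "payroll.txt": "\n".join(f"Employee {i}: SSN 123-45-67{i:02d}" for i in range(12)),
    "memo.txt": "Lunch is at noon. Reference 555-12-3456 is a single hit, under threshold.",
}

CONFIDENTIAL_MARKER = "SBC12 Confidential"   # rule 1: exact string, case-sensitive here
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # assumed SSN pattern: NNN-NN-NNNN
SSN_THRESHOLD = 10                             # rule 2: at least 10 matches in one file


def classify(text: str) -> dict:
    """Return the resource properties the two slide rules would set on a file."""
    props = {}
    if CONFIDENTIAL_MARKER in text:
        props["Impact"] = "High"
    if len(SSN_RE.findall(text)) >= SSN_THRESHOLD:
        props["Personally Identifiable Information"] = "High"
    return props


def classify_share(files: dict) -> dict:
    """Run both rules over every file; files that match nothing get {}."""
    return {name: classify(text) for name, text in files.items()}


if __name__ == "__main__":
    for name, props in classify_share(SAMPLE_FILES).items():
        print(f"{name}: {props or 'no classification'}")
```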


Page 11: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)
Page 12: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Manage fewer security groups by using conditional expressions


• Country x 30
• Department x 20
• Sensitive/Confidential documents

Security groups would otherwise be needed for each combination of country, department and document sensitivity; a single expression-based access condition covers them all.

Page 13: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

What is Central Access Policy?

You can think of Central Access Policies as a safety net that your organization applies across its servers to enhance the local access policy.

Page 14: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High

Access policy
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)

Diagram labels: Active Directory Domain Services, Expression-based access rules, File server.

Page 15: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Active Directory Domain Services

Characteristics
• Composed of central access rules
• Applied to file servers through Group Policy objects
• Supplement (not replace) native file and folder access control lists from New Technology File System (NTFS)

Central access policies
• Organizational policies: High business impact; Personally identifiable information
• Finance department policies: High business impact; Personally identifiable information; Finance

Corporate file servers
• User folders
• Finance folders

Policies shown in the diagram: Personally identifiable information policy, Finance policy, High business impact policy.

Page 16: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Central access policy workflow

1. Active Directory Domain Services: create claim definitions, create file property definitions, create central access policy.
2. Group Policy: send central access policies to file servers.
3. File Server: identify information; apply access policy to the shared folder.
4. User's computer: user tries to access information; the file server allows or denies.

Diagram labels: Active Directory Domain Services (claim definitions, audit policy, file property definitions), User, File server, Allow or deny.

Page 17: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Central access policy examples
• Organization-wide authorization
• Departmental authorization
• Specific data management
• Need-to-know

Page 18: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Expression-based Auditing
• Limit auditing to data that meets specific classification criteria.
• Limit auditing by action and by identity.
• Add contextual information into the audit events.


Page 19: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Security auditing

1. Active Directory Domain Services: create claim types, create resource properties.
2. Group Policy: create global audit policy.
3. File Server: select and apply resource properties to the shared folders.
4. User's computer: user tries to access information.

Diagram labels: Active Directory Domain Services (claim definitions, audit policy, file property definitions), User, File server, Allow or deny.

Page 20: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Audit policy examples

Audit everyone who does not have a high security clearance and who tries to access a document that has a high impact on business:
Audit | Everyone | All-Access | Resource.BusinessImpact=HBI AND User.SecurityClearance!=High

Audit all vendors when they try to access documents related to projects that they are not working on:
Audit | Everyone | All-Access | User.EmploymentStatus=Vendor AND User.Project Not_AnyOf Resource.Project
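As an added model, not Windows code or the presenter's, this Python evaluator shows the access rule from the "User claims / Device claims / Resource properties" slide and the two audit expressions above being evaluated against claims, and why a central access policy is a safety net: effective access is the NTFS ACL result intersected with the policy result. Claim and property names follow the slides; the behaviour when no rule's target matches is an assumption of the model.

```python
from dataclasses import dataclass

# Claims and resource properties are plain dicts; every condition is a callable
# taking (user_claims, device_claims, resource_properties) and returning bool.

@dataclass
class CentralAccessRule:
    name: str
    applies_to: object   # the rule's "Applies to:" target condition
    allows: list         # [(rights tuple, condition), ...]

def rule_rights(rule, user, device, resource):
    """Rights one central access rule grants for this access attempt."""
    return {right for rights, cond in rule.allows
            if cond(user, device, resource) for right in rights}

def effective_access(ntfs_rights, policy, user, device, resource):
    """Safety net: NTFS ACL result intersected with the central access policy."""
    applicable = [r for r in policy if r.applies_to(user, device, resource)]
    if not applicable:   # model assumption: no matching rule means no extra restriction
        return set(ntfs_rights)
    cap_rights = set().union(*(rule_rights(r, user, device, resource) for r in applicable))
    return set(ntfs_rights) & cap_rights

def not_any_of(values, others):
    """Not_AnyOf: true when two multi-valued claims share no value."""
    return not (set(values) & set(others))

def audit_events(rules, user, device, resource):
    """Names of the expression-based audit rules that fire for this access."""
    return [name for name, cond in rules if cond(user, device, resource)]

# The access policy slide's rule: applies to Impact = High; Read/Write only when the
# user's department matches the file's and the device is managed.
FINANCE_HBI_RULE = CentralAccessRule(
    name="Finance HBI",
    applies_to=lambda u, d, r: r.get("Impact") == "High",
    allows=[(("Read", "Write"), lambda u, d, r:
             u.get("Department") == r.get("Department") and d.get("Managed") is True)],
)

# The two audit expressions from the audit policy examples slide.
AUDIT_RULES = [
    ("Non-cleared user on HBI document", lambda u, d, r:
        r.get("BusinessImpact") == "HBI" and u.get("SecurityClearance") != "High"),
    ("Vendor outside own projects", lambda u, d, r:
        u.get("EmploymentStatus") == "Vendor"
        and not_any_of(u.get("Project", []), r.get("Project", []))),
]
```

Note that a right the NTFS ACL never granted stays denied however permissive the policy is, and an unmanaged device loses Read/Write on high-impact files even when the NTFS ACL allows them.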

Page 21: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Data Encryption Challenges

How do I protect sensitive information after it leaves my protected environment?

I cannot get the users to encrypt their sensitive data.

Page 22: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Process to encrypt a file based on classification

1. Claim definitions, file property definitions, and access policies are established on the Active Directory Domain Controller.
2. A user creates a file with the word "confidential" in the text and saves it. The classification engine classifies the file as high-impact according to the rules configured.
3. On the file server, a rule automatically applies RMS protection to any file classified as high-impact.
4. The RMS template and encryption are applied to the file on the file server and the file is encrypted.

Classification-based encryption process diagram labels: User, File server, Classification engine, RMS server, Active Directory Domain Services.

Page 23: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)


Page 24: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Demonstration Lab

There are two virtual machines involved in the demonstration lab:
• AD-Srv (Active Directory Domain Controller)
• File-Srv (File Server)

There are two security groups:
• Finance
• System Integration

There are two domain users:
• [email protected] (Finance)
• [email protected] (System Integration)

Page 25: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Steps

1. Create a new claim: Department
2. Create a resource property and add it to the resource property list: Finance Department
3. Create a new central access rule / central access policy with the conditions:
   Resource Finance Department Exists
   Resource Finance Department Equals Value Finance
4. Publish the central access policy
5. Configure Group Policy and enable KDC
6. Install File Server Resource Manager on the file server
7. Run Update-FSRMClassificationPropertyDefinition
8. Add the Central Access Policy to the shared folder
9. Validate

Page 26: SBC 2012 - Dynamic Access Control in Windows Server 2012 (Nguyễn Ngọc Thuận)

Thanks for joining us