3-662
Enterprise Data Protection: Building Universal Windows Apps That Keep Work and Personal Data Separate and Secure
Derek Adam, Program Manager
This talk is about making them ready for the workplace
Our apps are our babies
Respect the stewardship you (might) have
Don’t reveal company secrets
Respect boundaries of access and use terms
Wants things locked up in his domain
Makes rules to try to keep it that way
Understanding the Enterprise customer: IT Administrator
Source: Stroz Friedberg, “On The Pulse: Information Security In American Business,” 2013
Willy Wonka
Want access from personal devices
Prefer as little management as possible
We all make mistakes
Understanding the Enterprise customer: Information Worker
People Like You and Me
Information protection journey
DEVICE PROTECTION
BitLocker enhancements in Windows 8.1
InstantGo
3rd party adoption
Protect data when device is lost or stolen
DATA PROTECTION
Rights Management Services (RMS)
Office Information Rights Management (IRM)
Azure AD, Azure Rights Management in 2013
Protect data when …..
THE GAP
Accidental data leakage
Enterprise Data Protection
OTHER ATTEMPTS TO FILL THE GAP: PAIN POINTS
Switching modes and between containers
Users change apps to work securely
Experience between mobile and desktop inconsistent
Solutions are an add on to the platform == expensive
OUR VISION
Integrate data protection at the platform level to protect corporate data against inadvertent disclosure to unauthorized users and public services through email, social media and public cloud
Windows 10 Enterprise Data Protection
Better approach to data management
Mobile & Desktop
Corp data identifiable from personal
Protects data at rest, and when roaming
Platform integrated, no mode switching
Only IT-Allowed apps see business data
IT controls keys, can remote wipe
Common experience, x-plat support
Windows 10 Enterprise Data Protection
Extra Security with
Data Protection Under Lock
Blocks read when screen is locked
Optional screen lock security policy
System tosses decryption key on lock
Can encrypt new files and data
Logon, unlock restores keys and access
Helps mitigate system level attacks
See session 639 “Microsoft Passport and Windows Hello: Moving beyond passwords and credential theft”
Business/Personal: One experience
Data is isolated
Data is encrypted at rest
Block/audit data exchange
Organization holds keys
Office and OneDrive
APIs for ISVs
MDM managed
Business Apps & Data (Managed): Lync, OneDrive for Business, PowerPoint, PDF Reader
Apps spanning both business and personal: eMail, Contacts, Calendar, Photos
Personal Apps & Data (Unmanaged): Facebook, OneDrive, Weather
Data exchange is blocked or audited
Enterprise Data Protection
PROVISIONING: KEYS AND POLICIES
1. User enrolls with enterprise MDM or domain join
2. MDM or ConfigMgr provisions policy and encryption keys
Policies:
1. Enterprise allowed apps
2. Network policies
3. App restriction policy
See: “Managing Mobile Devices and Applications in an Enterprise” (Session 654)
DATA INGRESS
Data from enterprise network is encrypted
E.g. OneDrive For Business, Corporate Exchange mail, etc.
DATA EGRESS (from app to disk)
Enlightened apps protect corporate data
Saving to enterprise folder: encryption auto-applied
User option to save as corporate
IT can configure unenlightened apps to automatically protect data
DATA EGRESS (inter-app, or over network)
Enlightened apps can maintain protection
App restriction policy: can block egress to other apps
Network policy: can block egress to non-corporate sites
CROSS PLATFORM DATA SHARING
Readers available for cross-platform editing
Public API for secure sharing
Common MDM support across Windows, iOS & Android with Microsoft Intune
Common developer experience across platforms
iOS & Android enabled via Intune App Wrapping Tool for IT Pros
iOS & Android apps enabled via Intune App SDK (Microsoft Intune SDK for iOS & Android)
REVOKE (on unenroll)
Unenroll removes keys, and wipes the inaccessible enterprise data
Enterprise Data Protection - Demo
Enlightening your app for Enterprise Data Protection
Recognize enterprise data sources
Protect data at rest, in use, in flight
Follow policy
Enterprise Enlightened Apps
Recognize personal data sources
Let personal data be personal
No policy for personal apps & data
Enterprise Enlightened Apps
Something IT and IW can agree on
Competitive advantage: satisfy both
Enterprise Enlightened Apps
Declare your app enlightened (WinRT): Add the enterpriseDataPolicy capability to the app manifest

    xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"

    <Capabilities>
      <rescap:Capability Name="enterpriseDataPolicy"/>
    </Capabilities>

Declare your app enlightened (Win32): Add entry to resources.rc

    MICROSOFTEDPENLIGHTENEDAPPINFO EDPENLIGHTENEDAPPINFOID
    BEGIN
        0x0001
    END
Enlightening Apps for Enterprise Data Protection

                    Local (productivity apps)            Network capable (channel apps)
    Data Ingress    Check for enterprise tag on data     Check if host belongs to the enterprise
    Data In Use     Set mode: Enterprise / Personal      Turn VPN On / Off
    Data Egress     Protect enterprise data              Block sending to non-enterprise hosts
    Event handling  Revoke: Close & cleanup              Revoke: Stop enterprise sync completely
                    Screen lock: Close content           Screen lock: Stop uploads
                    Screen unlock: Reopen content        Screen unlock: Resume uploads
                    AND Unwrap files (if necessary)      OR Wrap files for transport
Data Ingress – Recognize enterprise files
Namespace: Windows.Security.EnterpriseData
Class: FileProtectionManager
Method: GetProtectionInfoAsync
Takes an IStorageItem
Returns protection status and identity string

Data Ingress – Recognize enterprise files (Pt.2)
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: IsIdentityManaged
Identity is an email address or domain
Data managed only when identity managed

Check file:

    FileProtectionInfo protectionInfo = await FileProtectionManager.GetProtectionInfoAsync(fileHandle);

    if (protectionInfo.Status == FileProtectionStatus.Protected &&
        ProtectionPolicyManager.IsIdentityManaged(protectionInfo.Identity))
    {
        // Enterprise case, so do things like set enterprise mode
    }
    else if (protectionInfo.Status == FileProtectionStatus.Unprotected)
    {
        // Data is personal
    }
    else if (protectionInfo.Status == FileProtectionStatus.Revoked)
    {
        // Call your revocation handling code
    }
    // A file that is Protected but whose identity is not managed on this device
    // is not this app's enterprise data; do not open it in enterprise mode.
Data Ingress – Enterprise data packages
Namespace: Windows.ApplicationModel.DataTransfer
Class: DataPackagePropertySetView
Property: EnterpriseId
Managed clipboard / share data is tagged
Property is empty string when not managed

Check data package view properties (clipboard / share):

    // shareOperation is the ShareOperation handed to a Share target;
    // for the clipboard, use Clipboard.GetContent().Properties.EnterpriseId instead.
    string enterpriseId = shareOperation.Data.Properties.EnterpriseId;
    if (string.IsNullOrEmpty(enterpriseId))
    {
        // Personal
    }
    else
    {
        // Enterprise managed
    }
Data Ingress – Check if host is enterprise
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: GetPrimaryManagedIdentityForNetworkEndpointAsync
Takes a host name object
Returns enterprise identity string
Empty string means personal, not enterprise

Check network host:

    var resourceUri = new Uri(serverNameString);
    // Check if URI is an enterprise managed endpoint. (HostName is in Windows.Networking.)
    string enterpriseId = await ProtectionPolicyManager.GetPrimaryManagedIdentityForNetworkEndpointAsync(
        new HostName(resourceUri.Host));
    if (!string.IsNullOrEmpty(enterpriseId))
    {
        // If the enterprise ID is non-empty, it’s managed.
        // Make VPN claim, protect download data, etc.
        // ...
    }
Data Ingress – Unwrap enterprise container files
Namespace: Windows.Security.EnterpriseData
Class: FileProtectionManager
Method: LoadFileFromContainerAsync
Takes a containerized file
Makes a new file with local encryption

Load encrypted container into the file system:

    var tempFolder = ApplicationData.Current.TemporaryFolder;
    var appDataFolder = ApplicationData.Current.LocalFolder;
    // Get a handle to the downloaded containerized file.
    var containerFile = await tempFolder.GetFileAsync("myAppDataFile.dat");
    // Import container to encrypted file system
    ProtectedContainerImportResult result =
        await FileProtectionManager.LoadFileFromContainerAsync(containerFile, appDataFolder);
    StorageFile protectedFile = result.File;
Data In Use – Set app view to enterprise
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: GetForCurrentView
Property: Identity
Puts AppView (i.e. window) into enterprise mode
Windows enforces clipboard & share policy

Set AppView to enterprise:

    private void TagCurrentViewWithEnterpriseId(string enterpriseId)
    {
        // Note: Empty enterpriseId sets mode to personal
        ProtectionPolicyManager protectionPolicyManager = ProtectionPolicyManager.GetForCurrentView();
        protectionPolicyManager.Identity = enterpriseId;
    }
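The ingress checks for files and data packages and the AppView identity setting only pay off when they are applied together, before any content is rendered. The following is an added example, not code from the deck: a local "productivity app" open path that classifies a StorageFile or a DataPackageView, refuses revoked and foreign-identity content, and switches the view into enterprise or personal mode accordingly. EnterpriseContext, IngressResult, IngressClassifier and OpenDocumentAsync are names invented here; the Windows.Security.EnterpriseData and Windows.ApplicationModel.DataTransfer calls are the APIs the slides name.

```csharp
// Added example (not the deck's code): classify incoming data and set the AppView mode.
using System;
using System.Threading.Tasks;
using Windows.ApplicationModel.DataTransfer;
using Windows.Security.EnterpriseData;
using Windows.Storage;

enum EnterpriseContext { Personal, Enterprise, Revoked, Foreign }

// Invented result type: context plus the identity the data is protected to (empty if personal).
sealed class IngressResult
{
    public EnterpriseContext Context;
    public string Identity = string.Empty;
}

static class IngressClassifier
{
    // Classify a file the app has been handed (picker, file activation, drag and drop).
    public static async Task<IngressResult> ClassifyFileAsync(IStorageItem item)
    {
        FileProtectionInfo info = await FileProtectionManager.GetProtectionInfoAsync(item);
        var result = new IngressResult { Identity = info.Identity ?? string.Empty };

        if (info.Status == FileProtectionStatus.Unprotected)
            result.Context = EnterpriseContext.Personal;
        else if (info.Status == FileProtectionStatus.Revoked)
            result.Context = EnterpriseContext.Revoked;
        else if (info.Status == FileProtectionStatus.Protected &&
                 ProtectionPolicyManager.IsIdentityManaged(result.Identity))
            result.Context = EnterpriseContext.Enterprise;
        else
            // Protected to an identity this device is not managed by, or any other
            // status: not this app's enterprise data, so never show it in enterprise mode.
            result.Context = EnterpriseContext.Foreign;
        return result;
    }

    // Classify clipboard or Share content. An empty EnterpriseId means personal.
    public static IngressResult ClassifyDataPackage(DataPackageView view)
    {
        string id = view.Properties.EnterpriseId ?? string.Empty;
        var result = new IngressResult { Identity = id };
        if (id.Length == 0)
            result.Context = EnterpriseContext.Personal;
        else if (ProtectionPolicyManager.IsIdentityManaged(id))
            result.Context = EnterpriseContext.Enterprise;
        else
            result.Context = EnterpriseContext.Foreign;
        return result;
    }

    // Set the AppView identity before content is rendered so Windows enforces clipboard
    // and share policy from the first paste onward. An empty identity means personal mode.
    public static void ApplyToCurrentView(IngressResult r)
    {
        ProtectionPolicyManager mgr = ProtectionPolicyManager.GetForCurrentView();
        mgr.Identity = r.Context == EnterpriseContext.Enterprise ? r.Identity : string.Empty;
    }

    // Typical open path: classify, decide, then switch the view mode.
    // Returns false when the document must not be shown.
    public static async Task<bool> OpenDocumentAsync(StorageFile file)
    {
        IngressResult r = await ClassifyFileAsync(file);
        switch (r.Context)
        {
            case EnterpriseContext.Revoked:
                // Keys are gone: run the same cleanup as the ProtectedContentRevoked handler.
                return false;
            case EnterpriseContext.Foreign:
                return false;
            default:
                ApplyToCurrentView(r);
                // ... read the file with the normal StorageFile / FileIO APIs ...
                return true;
        }
    }
}
```

The order matters: the view identity is set before the first byte of enterprise content reaches a control, otherwise a copy made in the window between open and tag is untagged personal data as far as Windows is concerned.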
Data In Use – Set network context on thread
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: CreateCurrentThreadNetworkContext
Marks thread for enterprise network access
Sockets created on the thread get VPN

Set / Clear enterprise network thread context:

    // Set enterprise context to access enterprise network resources
    // Create protected network context on current thread
    ThreadNetworkContext context = ProtectionPolicyManager.CreateCurrentThreadNetworkContext(enterpriseId);
    try
    {
        var client = new HttpClient(); // Connections opened here get the VPN for enterpriseId
        // ... make requests ...
    }
    finally
    {
        // Clear context before leaving scope
        if (context != null) context.Dispose();
    }
    // New connections don’t get ‘enterpriseId’ VPN now...
Data Egress – Protect enterprise data: Files
Namespace: Windows.Security.EnterpriseData
Class: FileProtectionManager
Method: ProtectAsync
Takes IStorageItem and enterprise ID string
Encrypts file with key tagged to enterprise ID

Protect file:

    // Protect file to ‘identity’ (Managed email address or domain)
    FileProtectionInfo protectionInfo = await FileProtectionManager.ProtectAsync(file, identity);
    // Check protectionInfo.Status before writing enterprise content.
    // Use standard APIs to read or write from the file.
Data Egress – Protect enterprise data: Buffers
Namespace: Windows.Security.EnterpriseData
Class: DataProtectionManager
Method: ProtectAsync
Takes IBuffer and enterprise ID string
Returns new IBuffer encrypted to enterprise

Protect buffer:

    IBuffer inputBuffer = CryptographicBuffer.ConvertStringToBinary(protectedMessage, BinaryStringEncoding.Utf8);
    BufferProtectUnprotectResult result = await DataProtectionManager.ProtectAsync(inputBuffer, EnterpriseIdentity);
    IBuffer protectedBuffer = result.Buffer;

    // Best practice: check return status
    if (result.ProtectionInfo.Status == DataProtectionStatus.Unprotected)
    {
        // Protection can fail if app not allowed for EnterpriseIdentity
    }
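For a network "channel app" the host check, the thread network context and the file or buffer protection form one sequence: decide whether the endpoint is enterprise, fetch inside the VPN context, then protect the bytes to that identity before they reach disk or a cache. The following is an added example, not code from the deck, tying those slides together and failing closed when protection does not take. EnterpriseDownloader, IdentityForHostAsync, DownloadToAppDataAsync and ProtectForCacheAsync are names invented here; the Windows.Security.EnterpriseData, Windows.Networking and Windows.Web.Http calls are real UWP APIs.

```csharp
// Added example (not the deck's code): enterprise-aware download for a channel app.
using System;
using System.Threading.Tasks;
using Windows.Networking;
using Windows.Security.Cryptography;
using Windows.Security.EnterpriseData;
using Windows.Storage;
using Windows.Storage.Streams;
using Windows.Web.Http;

static class EnterpriseDownloader
{
    // Returns the managed identity for the host, or an empty string for a personal endpoint.
    public static async Task<string> IdentityForHostAsync(Uri resourceUri)
    {
        string id = await ProtectionPolicyManager
            .GetPrimaryManagedIdentityForNetworkEndpointAsync(new HostName(resourceUri.Host));
        return id ?? string.Empty;
    }

    // Download resourceUri into LocalFolder/fileName. Enterprise hosts are fetched inside the
    // enterprise VPN context and the file is encrypted to the identity before any content is
    // written; personal hosts are fetched and stored as-is.
    public static async Task<StorageFile> DownloadToAppDataAsync(Uri resourceUri, string fileName)
    {
        string enterpriseId = await IdentityForHostAsync(resourceUri);
        bool isEnterprise = enterpriseId.Length > 0;

        IBuffer body;
        ThreadNetworkContext context = null;
        try
        {
            // The context is per-thread: connections made from this thread while it is alive
            // get the VPN for enterpriseId. Create it, issue the request, then drop it.
            if (isEnterprise)
                context = ProtectionPolicyManager.CreateCurrentThreadNetworkContext(enterpriseId);

            using (var client = new HttpClient())
            {
                body = await client.GetBufferAsync(resourceUri);
            }
        }
        finally
        {
            // Never leave the context live: later personal traffic on this thread would
            // otherwise ride the enterprise VPN.
            if (context != null) context.Dispose();
        }

        StorageFile file = await ApplicationData.Current.LocalFolder
            .CreateFileAsync(fileName, CreationCollisionOption.ReplaceExisting);

        if (isEnterprise)
        {
            FileProtectionInfo info = await FileProtectionManager.ProtectAsync(file, enterpriseId);
            if (info.Status != FileProtectionStatus.Protected)
            {
                // Policy may not allow this app for that identity. Fail closed: do not fall
                // back to writing enterprise bytes into an unprotected file.
                await file.DeleteAsync();
                throw new UnauthorizedAccessException(
                    "Cannot protect " + fileName + " to " + enterpriseId + ": " + info.Status);
            }
        }

        await FileIO.WriteBufferAsync(file, body);
        return file;
    }

    // Same rule for an in-memory cache entry: protect the buffer to the identity and refuse
    // to cache anything if protection did not take.
    public static async Task<IBuffer> ProtectForCacheAsync(string text, string enterpriseId)
    {
        IBuffer plain = CryptographicBuffer.ConvertStringToBinary(text, BinaryStringEncoding.Utf8);
        BufferProtectUnprotectResult r = await DataProtectionManager.ProtectAsync(plain, enterpriseId);
        if (r.ProtectionInfo.Status != DataProtectionStatus.Protected)
            throw new UnauthorizedAccessException("Buffer protection failed: " + r.ProtectionInfo.Status);
        return r.Buffer;
    }
}
```

The file is protected before it is written, so there is never a window in which enterprise bytes sit unencrypted in LocalFolder; the buffer variant applies the same rule to anything the app keeps in memory across a screen lock.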
Data Egress – Protect enterprise data: Save UX
Namespace: Windows.Storage.Pickers
Class: FileSavePicker
Method: FileSavePicker (constructor)
Property: EnterpriseId
Takes enterprise identity string
Sets encryption dropdown to match (if managed)

Set enterprise context for FilePicker:

    private async void SaveFile_Click(object sender, RoutedEventArgs e)
    {
        var savePicker = new FileSavePicker();
        savePicker.EnterpriseId = GetCurrentEnterpriseId();
        var file = await savePicker.PickSaveFileAsync();
        if (file != null)
        {
            // Best practice:
            // Check status with GetProtectionInfoAsync(file)
        }
    }
Event Handling – Revoke
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Event: ProtectedContentRevoked
Register your event handler for revoke

Handle revoke events:

    // Register handler for revoke event
    ProtectionPolicyManager.ProtectedContentRevoked += HandleProtectedContentRevoked;

    void HandleProtectedContentRevoked(object sender, ProtectedContentRevokedEventArgs args)
    {
        MyRevokeCleanupRoutine();
        // Clean up files, settings, accounts, creds, etc.
        // Sync engines should break enterprise sync relationship.
    }
Event Handling – Screen lock / unlock
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Event: ProtectedAccessSuspending (screen locking)
Event: ProtectedAccessResumed (screen unlocked)
Register event handlers for both events
Tip: Close as much enterprise data as possible
Tip: Can’t read enterprise data under lock, but can create new files, buffers, streams

Handle suspend / resume events:

    // Register for device lock and unlock
    ProtectionPolicyManager.ProtectedAccessSuspending += HandleProtectedAccessSuspending;
    ProtectionPolicyManager.ProtectedAccessResumed += HandleProtectedAccessResumed;

    void HandleProtectedAccessSuspending(object sender, ProtectedAccessSuspendingEventArgs args)
    {
        // Stop enterprise upload, close enterprise files, etc.
    }

    void HandleProtectedAccessResumed(object sender, ProtectedAccessResumedEventArgs args)
    {
        // Resume enterprise upload, reopen enterprise content, etc.
    }
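The three handlers only do their job if the app knows what enterprise content it currently has open. The following is an added example, not code from the deck: one class that registers the revoke and lock/unlock handlers and keeps the per-identity list of open files needed to close them at lock, reopen them at unlock, and dispose of them at revoke. It assumes the event args expose an Identities list and that ProtectedAccessSuspendingEventArgs offers GetDeferral(), as in the released Windows 10 SDK; EnterpriseSessionManager and its members are names invented here.

```csharp
// Added example (not the deck's code): track open enterprise content for lock / unlock / revoke.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Windows.Security.EnterpriseData;
using Windows.Storage;
using Windows.Storage.Streams;

sealed class EnterpriseSessionManager
{
    // Open enterprise files, keyed by the identity they are protected to.
    private readonly Dictionary<string, List<StorageFile>> filesByIdentity =
        new Dictionary<string, List<StorageFile>>(StringComparer.OrdinalIgnoreCase);
    private readonly Dictionary<StorageFile, IRandomAccessStream> streams =
        new Dictionary<StorageFile, IRandomAccessStream>();

    public bool UploadsPaused { get; private set; }

    public void Register()
    {
        ProtectionPolicyManager.ProtectedContentRevoked += OnRevoked;
        ProtectionPolicyManager.ProtectedAccessSuspending += OnSuspending;
        ProtectionPolicyManager.ProtectedAccessResumed += OnResumed;
    }

    // Open and track a file; refuses anything that is not currently readable enterprise data.
    public async Task<IRandomAccessStream> OpenAsync(StorageFile file)
    {
        FileProtectionInfo info = await FileProtectionManager.GetProtectionInfoAsync(file);
        if (info.Status != FileProtectionStatus.Protected ||
            !ProtectionPolicyManager.IsIdentityManaged(info.Identity))
            throw new UnauthorizedAccessException("Not readable enterprise data: " + info.Status);

        IRandomAccessStream s = await file.OpenAsync(FileAccessMode.ReadWrite);
        List<StorageFile> list;
        if (!filesByIdentity.TryGetValue(info.Identity, out list))
            filesByIdentity[info.Identity] = list = new List<StorageFile>();
        list.Add(file);
        streams[file] = s;
        return s;
    }

    // Close streams for one identity but keep the file list so content can be reopened later.
    private void CloseStreams(string identity)
    {
        List<StorageFile> list;
        if (!filesByIdentity.TryGetValue(identity, out list)) return;
        foreach (StorageFile f in list)
        {
            IRandomAccessStream s;
            if (streams.TryGetValue(f, out s)) { s.Dispose(); streams.Remove(f); }
        }
    }

    // Screen lock: the OS is about to drop the decryption keys, so close everything now.
    // The deferral holds the suspension until this cleanup has finished.
    private void OnSuspending(object sender, ProtectedAccessSuspendingEventArgs args)
    {
        var deferral = args.GetDeferral();
        try
        {
            foreach (string id in args.Identities) CloseStreams(id);
            UploadsPaused = true;
        }
        finally { deferral.Complete(); }
    }

    // Screen unlock: keys are back; reopen what was closed and resume uploads.
    private async void OnResumed(object sender, ProtectedAccessResumedEventArgs args)
    {
        foreach (string id in args.Identities)
        {
            List<StorageFile> list;
            if (!filesByIdentity.TryGetValue(id, out list)) continue;
            foreach (StorageFile f in list)
                streams[f] = await f.OpenAsync(FileAccessMode.ReadWrite);
        }
        UploadsPaused = false;
    }

    // Revoke (unenroll): the files are already unreadable; drop handles, delete what we
    // tracked, and forget the identity. Sync relationships and cached credentials for the
    // identity should be torn down at the same point.
    private async void OnRevoked(object sender, ProtectedContentRevokedEventArgs args)
    {
        foreach (string id in args.Identities)
        {
            CloseStreams(id);
            List<StorageFile> list;
            if (!filesByIdentity.TryGetValue(id, out list)) continue;
            foreach (StorageFile f in list)
            {
                try { await f.DeleteAsync(StorageDeleteOption.PermanentDelete); }
                catch (Exception) { /* already gone or inaccessible after revoke */ }
            }
            filesByIdentity.Remove(id);
        }
    }
}
```

Keying the bookkeeping by identity is what makes the handlers correct on a device enrolled with more than one enterprise: a revoke for one identity must not close or delete the other's files, and the event args tell the app exactly which identities are affected.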
OS Settings and App Data Roaming…in the Enterprise!
• Windows 10 supports roaming based on AAD as well as MSA accounts
  • Feature parity to Win 8/8.1 with additional security and management capabilities
  • Premium administrative features as part of Enterprise Mobility Suite (EMS)
• Data is automatically sync’d with the correct storage cloud (OneDrive / Azure AD tenant)
  • OS settings roam based on the identity used to sign into Windows
  • Windows App state roams on the identity used to acquire the app
• Supported on Windows Phone and Desktop
Enterprise Roaming in Windows 10
See session 709 “Single Sign-On with Secure Authentication” by Karanbir Singh
• Security
  • All enterprise data is encrypted both in transit (TLS) and at rest in the cloud (RMS)
  • Support for both “default” and “premium” key management capabilities
    • Default: Keys managed in the cloud by Microsoft (free)
    • Premium: Keys managed in the cloud by the customer
• Management
  • Admin UX is available from the Azure Active Directory portal
    • Default: On/off switch; data deletion (free)
    • Premium: Security group “allowed list”; user reports
  • MDM provides admins the ability to turn on/off per device
Enterprise Roaming in Windows 10
• General
  • Guidelines for roaming app data
  • Quickstart: Roaming app data
  • How to roam data between a Windows Store app and a Windows Phone Store app
  • Blog: Roaming your app data
• APIs
  • ApplicationData.RoamingFolder | roamingFolder property
  • ApplicationData.RoamingSettings | roamingSettings property
  • ApplicationData.SignalDataChanged | signalDataChanged method
MSDN Roaming References
Windows 10 MDM documentation ONLINE http://aka.ms/kw2vwj
MDM related sessions @ Ignite
• Vladimir Holostov | Provisioning Windows 10 Devices with New Tools [Link]
• Jason Githens | Managing Windows 10 with Microsoft Intune and SCCM [Link]
• Chris Green & Dilip Radhakrishnan | Securing Access to Microsoft Exchange and SPO with Intune [Link]
• John Vintzel | Windows 10 Universal App Deployment for Enterprises [Link]
• Tejas Patel | Using the Business Store Portal with Windows 10 Devices [Link]
• Yogesh Mehta | Protecting your data with containers without boxing yourself in [Link]
• Aman Arneja | Secure Enterprise Network Access and VPN platform enhancements [Link]
• Nelly Porter | Secure authentication with Windows Hello [Link]
• Deepak Manohar | Next Generation Malware detection with Windows Defender [Link]
MDM Resources
• Join the Windows Insider Program …… and give us feedback!
• Explore the Enterprise Data Protection samples
• Check the Roaming App Data resources
• Get your app ready for management!
Call to Action
Raise apps that help users respect enterprise data, and you will be rewarded
Trustworthy apps will be chosen
© 2015 Microsoft Corporation. All rights reserved.