Dynamic Access Control
Thuan Nguyen, Senior Infrastructure Architect, Bellamys IT International
Security Bootcamp 2012 - 28,29,30/12/2012
About Me
[email protected] | @nnthuan
Microsoft SharePoint Most Valuable Professional (2011,2012)
Author, Writer, Trainer & Public Speaker
Founder & Editor in Chief of SharePointVN Publisher
Focus on Microsoft Security & Federated Identity, Infrastructure, Methodologies and Architecture.
This presentation explores how Dynamic Access Control in Windows Server 2012 helps organizations address data compliance challenges.
Session objectives
• Data compliance
• Understand the new Dynamic Access Control capabilities built into Windows Server 2012
• Demonstration
Windows File Server Solution
• Data Compliance Challenges
• Windows Platform Investments
• Putting it Together
Compliance and Data protection
Compliance is generally a response to governmental regulation, but it can also be a response to industry or internal requirements. Examples:
• The U.S. Health Insurance Portability and Accountability Act (HIPAA) for health providers
• Sarbanes-Oxley Act (SOX)
• The European Union Data Protection Directive
• U.S. state data breach laws
I’m not going to cover data compliance and privacy in depth.
Data Compliance Challenges
Can you make sure that only authorized individuals can access confidential data? Do you have granular control over auditing access? How do you reduce the number of security groups your organization has? How do you deal with regulatory standards? Many questions come up when it comes to data access control.
CSO/CIO department: “I need to have the right compliance controls to keep me out of jail”
Infrastructure Support: “I don’t know what data is in my repositories and how to control it”
Content Owner: “Is my important data appropriately protected and compliant with regulations – how do I audit this?”
Information Worker: “I don’t know if I am complying with my organization’s policies”
Microsoft Case Study
Storage growth
• 45%: file-based storage CAGR.
• MSIT cost: $1.6 per GB per month for managed servers.
• >70% of stored data is stale.
• Cloud cost would be approximately 25 cents per GB per month.
Distributed information
• Corporate information is everywhere: desktops, branch offices, data centers, cloud…
• MSIT: 1500 file servers with 110 different groups managing them.
• Very hard to consistently manage the information.
Regulatory compliance
• New and changing regulations (SOX, HIPAA, GLBA…).
• International and local regulations.
• More oversight and tighter enforcement.
Data leakage
• $15M: settlement for an investment bank with the SEC over record retention.
• 246,091,423: total number of records containing sensitive personal information involved in security breaches in the US since January 2005.
• $90 to $305 per record (Forrester, “Calculating the Cost of a Security Breach”).
Dynamic Access Control: In a nutshell
Encryption
• Automatic RMS encryption based on document classification.
Data Classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.
Expression-based auditing
• Targeted access auditing based on document classification and user identity.
• Centralized deployment of audit policies using Global Audit Policies.
Expression-based access conditions
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.
Data Classification
File Classification Infrastructure provides insight into your data by automating classification processes. File Classification Infrastructure uses classification rules to automatically scan files and classify them according to the contents of the file. Some examples of classification rules include:
• Classify any file that contains the string “SBC12 Confidential” as having high business impact.
• Classify any file that contains at least 10 social security numbers as having personally identifiable information.
Data Classification Toolkit
Data Classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.
Examples
• A content classification rule that searches a set of files for the string “SBC12 Confidential”. If the string is found in a file, the Impact resource property is set to High on the file.
• A content classification rule that searches a set of files for a regular expression that matches a social security number at least 10 times in one file. If the pattern is found, the file is classified as having personally identifiable information and the Personally Identifiable Information resource property is set to High.
Expression-based Access Control
Manage fewer security groups by using conditional expressions.
Expression-based access conditions
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.
Without conditional expressions, every combination below needs its own security group:
• Country x 30
• Department x 20
• Sensitive/Confidential documents
Expression-based access condition: one conditional access rule instead of a group per combination.
What is Central Access Policy?
You can think of Central Access Policies as a safety net that your organization applies across its servers to enhance the local access policy.
Example (the pieces evaluated for one access request):
• User claims (from Active Directory Domain Services): User.Department = Finance; User.Clearance = High
• Device claims (from Active Directory Domain Services): Device.Department = Finance; Device.Managed = True
• Resource properties (on the file server): Resource.Department = Finance; Resource.Impact = High
• Access policy, applies to: @File.Impact = High
  Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
The claim and property definitions live in Active Directory Domain Services; the expression-based access rules are evaluated on the file server.
Characteristics
• Composed of central access rules
• Applied to file servers through Group Policy objects
• Supplement (not replace) native file and folder access control lists from New Technology File System (NTFS)
Example: central access policies on corporate file servers
• Policies defined: Personally identifiable information policy, High business impact policy, Finance policy
• User folders get the organizational policies: High business impact, Personally identifiable information
• Finance folders get the Finance department policies: High business impact, Personally identifiable information, Finance
Central access policy workflow
1. Active Directory Domain Services: create claim definitions, create file property definitions, create the central access policy.
2. Group Policy: send central access policies to the file servers.
3. File server: apply the access policy to the shared folder and identify (classify) the information.
4. User’s computer: the user tries to access the information; the file server checks the claim definitions, audit policy and file property definitions and allows or denies access.
Central access policy examples
• Organization-wide authorization
• Departmental authorization
• Specific data management
• Need-to-know
Expression-based Auditing
• Targeted access auditing based on document classification and user identity.
• Centralized deployment of audit policies using Global Audit Policies.
• Limit auditing to data that meets specific classification criteria.
• Limit auditing by action and by identity.
• Add contextual information into the audit events.
Security auditing workflow
1. Active Directory Domain Services: create claim types, create resource properties.
2. Group Policy: create the global audit policy.
3. File server: select and apply resource properties to the shared folders.
4. User’s computer: the user tries to access the information; the file server evaluates the claim definitions, audit policy and file property definitions, allows or denies access, and records the access according to the audit policy.
Audit policy examples
• Audit everyone who does not have a high security clearance and who tries to access a document that has a high impact on business:
  Audit | Everyone | All-Access | Resource.BusinessImpact=HBI AND User.SecurityClearance!=High
• Audit all vendors when they try to access documents related to projects that they are not working on:
  Audit | Everyone | All-Access | User.EmploymentStatus=Vendor AND User.Project Not_AnyOf Resource.Project
Data Encryption Challenges
• How do I protect sensitive information after it leaves my protected environment?
• I cannot get the users to encrypt their sensitive data.
Classification-based encryption process
Process to encrypt a file based on classification:
1. Claim definitions, file property definitions, and access policies are established in the Active Directory domain controller.
2. A user creates a file with the word “confidential” in the text and saves it. The classification engine classifies the file as high-impact according to the configured rules.
3. On the file server, a rule automatically applies RMS protection to any file classified as high-impact.
4. The RMS template and encryption are applied to the file on the file server and the file is encrypted.
(Diagram: user, file server with its classification engine, RMS server, Active Directory Domain Services.)
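The “SBC12 Confidential” classification rule from the Data Classification slides and the classification-driven RMS step above, written as FSRM cmdlets for File-Srv. This is an added example, not the deck’s own material; the share path, rule and job names, the RMS template name and the “3000” value id for High are assumptions.

```powershell
# Added example (not from the deck): content rule + continuous RMS job on File-Srv.
# Assumed: FSRM role service installed, the AD "Impact" resource property already
# published; D:\Shares\Finance and the RMS template name are placeholders.
Import-Module FileServerResourceManager

$Share = 'D:\Shares\Finance'   # assumed share path

# Pull the AD-defined resource property definitions (Impact among them) into FSRM,
# which is what the demo step Update-FSRMClassificationPropertyDefinition does.
Update-FsrmClassificationPropertyDefinition

# Rule: a file containing the string gets Impact = High. "3000" is assumed to be the
# value id FSRM shows for High in the default Impact property (Low=1000, Moderate=2000).
New-FsrmClassificationRule -Name 'SBC12 Confidential -> High impact' `
    -Namespace @($Share) `
    -ClassificationMechanism 'Content Classifier' `
    -ContentString @('SBC12 Confidential') `
    -Property 'Impact' -PropertyValue '3000' `
    -ReevaluateProperty Overwrite

# File management job: whenever a file in the share carries Impact = High, apply the
# RMS template, so encryption follows classification with no action by the user.
$isHigh  = New-FsrmFmjCondition -Property 'Impact' -Condition Equal -Value '3000'
$protect = New-FsrmFmjAction -Type Rms -RmsTemplate 'Company Confidential'   # assumed template
New-FsrmFileManagementJob -Name 'Encrypt high-impact files' `
    -Namespace @($Share) -Condition @($isHigh) -Action $protect -Continuous

# Run classification now instead of waiting for the scheduled pass.
Start-FsrmClassification
```

The “at least 10 social security numbers” rule is built the same way with -ContentRegularExpression; its occurrence threshold is set in the rule’s properties in the FSRM console and is not shown here.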
Demo: Dynamic Access Control
Demonstration Lab
There are two virtual machines involved in the demonstration lab:
• AD-Srv (Active Directory domain controller)
• File-Srv (file server)
There are two security groups: Finance, System Integration.
There are two domain users: [email protected] (Finance), [email protected] (System Integration).
Steps
1. Create a new claim type: Department.
2. Create resource properties and add them to the resource property list: Finance Department.
3. Create a new central access rule and central access policy with the conditions:
   Resource Finance Department Exists
   Resource Finance Department Equals Value Finance
4. Publish the central access policy.
5. Configure Group Policy and enable KDC support for claims.
6. Install File Server Resource Manager on the file server and run Update-FSRMClassificationPropertyDefinition.
7. Add the central access policy to the shared folder.
8. Validate.
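The lab steps above scripted end to end, as an added example rather than the deck’s own demo. Assumptions: AD-Srv has the ActiveDirectory and GroupPolicy modules, the domain is contoso.local, the share is D:\Shares\Finance, the resource property is named Department (the lab calls it “Finance Department”), and the KDC registry value is the setting behind the “KDC support for claims” policy.

```powershell
# Added example, not the deck's demo script: the lab steps as PowerShell.
# Assumed: AD-Srv has the ActiveDirectory and GroupPolicy modules, domain contoso.local,
# share D:\Shares\Finance on File-Srv, resource property named "Department".
Import-Module ActiveDirectory

# Step 1: user claim type fed from the 'department' attribute of the user object.
$fin = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Finance', 'Finance', 'Finance group')
$si  = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('System Integration', 'System Integration', 'SI group')
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' -SuggestedValues @($fin, $si)

# Step 2: resource property with the same value list, added to the global list so FSRM can see it.
New-ADResourceProperty -DisplayName 'Department' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SharesValuesWith 'Department'
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Department'

# Step 3: central access rule. Targeting = "Department exists AND equals Finance";
# permission = Read/Write (0x12019f = FILE_GENERIC_READ | FILE_GENERIC_WRITE) for
# authenticated users whose Department claim matches the file's Department property.
$ct = Get-ADClaimType -Identity 'Department'
$rp = Get-ADResourceProperty -Identity 'Department'
$target = '((Exists @RESOURCE.{0}) && (@RESOURCE.{0} == "Finance"))' -f $rp.ID
$acl    = 'O:SYG:SYD:AR(A;;FA;;;BA)(A;;FA;;;SY)(XA;;0x12019f;;;AU;(@USER.{0} == @RESOURCE.{1}))' -f $ct.ID, $rp.ID
New-ADCentralAccessRule -Name 'Finance Department' -ResourceCondition $target -CurrentAcl $acl

# Step 4: wrap the rule in a policy so Group Policy can publish it.
New-ADCentralAccessPolicy -Name 'Finance Department Policy'
Add-ADCentralAccessPolicyMember -Identity 'Finance Department Policy' -Members 'Finance Department'

# Step 5: GPO on the Domain Controllers OU turning on KDC support for claims (registry
# value behind the policy setting; assumed). The policy itself is published to file
# servers from GPMC under Security Settings > File System > Central Access Policy.
Import-Module GroupPolicy
$gpo = New-GPO -Name 'DAC - KDC claims support'
Set-GPRegistryValue -Name $gpo.DisplayName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\Kdc\Parameters' `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $gpo.DisplayName -Target 'OU=Domain Controllers,DC=contoso,DC=local' | Out-Null

# Steps 6-8, run on File-Srv: install FSRM, sync the AD property definitions, refresh
# policy, bind the policy to the share, then validate as the Finance user.
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
Update-FsrmClassificationPropertyDefinition
gpupdate /force
$share = 'D:\Shares\Finance'
Set-Acl -Path $share -AclObject (Get-Acl -Path $share) -CentralAccessPolicy 'Finance Department Policy'
whoami /claims    # as the Finance user: the Department claim must be listed, else the KDC step did not take
```

If whoami /claims shows no claims, the user’s ticket was issued before the KDC change; log off and on again before retesting the share.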
Thanks for joining us