info security: microsoft dynamic access control
Post on 02-Jun-2015
Dynamic Access Control
Presented by: Jason Kittrell, Regional Instructor (MCT, MCSE, CEH, MCITP), New Horizons CLC
January 30, 2014
Welcome
• Intended audience
• Understanding of what D.A.C. offers
• Next steps
Agenda
• Who is New Horizons?
• Presentation: Dynamic Access Control
• Demo
• Q & A
Who is New Horizons?
New Horizons is a proven, worldwide training provider with flexible learning solutions covering a broad spectrum of topics taught by industry-leading instructors.
Facts to Consider
Largest International Network
• 2,100 Classrooms
• 2,400 Instructors in 56 Countries
• 3 Million Student Days of Training per Year
Flexible, Integrated Learning Methods
• ILT – Instructor Led Training
• OLL – Online Live Virtual Delivery
• Private Group Training customized for your organization
Strong Vendor Partnerships
Introduction
• Data Compliance Challenges
• Understanding the new Dynamic Access Control built into Windows Server 2012
• Next Steps
• Q & A
Data Compliance Challenges
Compliance
• Compliance is generally an effect of some form of regulation, governmental or industry driven:
• HIPAA
• Sarbanes-Oxley
• European Union Data Protection Directive
• State laws
Microsoft Case Study
Storage growth
• 45%: file-based storage CAGR.
• MSIT cost: $1.6 per GB per month for managed servers.
• >70% of stored data is stale.
• Cloud cost would be approximately 25 cents per GB per month.
Distributed information
• Corporate information is everywhere: desktops, branch offices, data centers, cloud…
• MSIT: 1,500 file servers with 110 different groups managing them.
• Very hard to manage the information consistently.
Regulatory compliance
• New and changing regulations (SOX, HIPAA, GLBA…).
• International and local regulations.
• More oversight and tighter enforcement.
Data leakage
• $15M: settlement for an investment bank with the SEC over record retention.
• 246,091,423: total number of records containing sensitive personal information involved in security breaches in the US since January 2005.
• $90 to $305 per record (Forrester: "Calculating the Cost of a Security Breach").
Dynamic Access Control
• "Safety net" for all file server based resources
• Provides data classification
• Gives IDM a central management point for access
• Audits access attempts
• Integrates with AD RMS
Reasons for Implementing D.A.C.
• An inability to achieve the desired security & compliance results with NTFS alone
• Requirement to have access controls based on attributes rather than ACE entries
Dynamic Access Control in a Nutshell
The 4 Pillars of Dynamic Access Control
• Encryption: automatic RMS encryption based on document classification.
• Data Classification: classify your documents using resource properties stored in Active Directory. Automatically classify documents based on document content.
• Expression-based auditing: targeted access auditing based on document classification and user identity. Centralized deployment of audit policies using Global Audit Policies.
• Expression-based access conditions: flexible access control lists based on document classification and multiple identities (security groups). Centralized access control lists using Central Access Policies.
Pre-2012: NTFS Permissions
• Decisions made only on user security principals or group membership
• Users had to log off and back on before changes to security group membership appeared in their security token
• "Shadow groups" were often created to mimic attributes
• Security groups have rules on who can be members of which types of groups
• No way to cross AD trust boundaries
• No way to make access decisions based on the user's device
Windows Server 2012: Expression Based Access
• Selected AD attributes are included in security tokens as claims
• Claims can be included directly in file server permissions
• Claims can be consistently issued to all users in the forest
• Claims can be "transformed" across trust boundaries
• Enables new policy types that NTFS alone cannot grant:
– Example: Allow WRITE if User.MemberOf(Finance) and User.EmployeeType=FTE and Device.Managed=TRUE
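As an added example (not part of the presentation), the slide's WRITE rule built with the ActiveDirectory PowerShell module as claim types, a central access rule and a central access policy. The claim IDs, the "Finance" group name, the computer attribute behind the Managed device claim and the string value "TRUE" are assumptions; the SDDL conditional ACE references the claims by the IDs set here.

```powershell
# Added example: express the slide's rule with the ActiveDirectory module on a
# Windows Server 2012+ domain controller. Claims also require the GPO setting
# "KDC support for claims, compound authentication and Kerberos armoring" on DCs
# and the matching Kerberos client setting on workstations (needed for device claims).
Import-Module ActiveDirectory

# 1. User claim sourced from the standard employeeType attribute (e.g. FTE / Contractor).
#    The ID is chosen explicitly so the SDDL below can reference it predictably.
New-ADClaimType -DisplayName "EmployeeType" -SourceAttribute "employeeType" `
    -ID "ad://ext/EmployeeType" -AppliesToClasses @("user") -Enabled $true

# 2. Device claim. The source attribute is a placeholder (assumption): use whichever
#    computer attribute your management tooling populates with TRUE/FALSE.
New-ADClaimType -DisplayName "Managed" -SourceAttribute "extensionAttribute1" `
    -ID "ad://ext/Managed" -AppliesToClasses @("computer") -Enabled $true

# 3. Conditional ACE: WRITE (FW = FILE_GENERIC_WRITE) only when the trustee is the
#    Finance group AND the user claim is FTE AND the device claim is TRUE.
$financeSid = (Get-ADGroup -Identity "Finance").SID.Value
$acl = "D:(XA;;FW;;;$financeSid;" +
       '((@USER.ad://ext/EmployeeType == "FTE") && (@DEVICE.ad://ext/Managed == "TRUE")))'

New-ADCentralAccessRule -Name "Finance write: FTE on managed device" -CurrentAcl $acl

# 4. Wrap the rule in a policy. The policy is then published to file servers through
#    Group Policy (Security Settings > File System > Central Access Policy) and applied
#    on a folder's Security tab; NTFS ACLs and the central policy are both evaluated,
#    so the central rule can only further restrict, never widen, NTFS access.
New-ADCentralAccessPolicy -Name "Finance Documents Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Documents Policy" `
    -Members "Finance write: FTE on managed device"
```

Before enforcing, stage the same SDDL in -ProposedAcl instead of -CurrentAcl and review the resulting audit events, which shows who would be denied without blocking anyone.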
Data Classification
File Classification Infrastructure provides insight into your data by automating classification processes.
File Classification Infrastructure uses classification rules to automatically scan files and classify them according to the contents of the file.
Some examples of classification rules include:
• Classify any file that contains the string "SBC12 Confidential" as having high business impact.
• Classify any file that contains at least 10 social security numbers as having personally identifiable information.
Data Encryption Challenges
How do I protect sensitive information after it leaves my protected environment?
I cannot get the users to encrypt their sensitive data.
Process to encrypt a file based on classification
1. Claim definitions, file property definitions, and access policies are established in Active Directory Domain Services.
2. A user creates a file with the word "confidential" in the text and saves it. The classification engine classifies the file as high-impact according to the configured rules.
3. On the file server, a rule automatically applies RMS protection to any file classified as high-impact.
4. The RMS template and encryption are applied to the file on the file server, and the file is encrypted.
[Figure: Classification-based encryption process. Components: User, File server, Classification engine, RMS server, Active Directory Domain Services; steps 1 through 4 as listed above.]
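As an added example covering both the classification-rule slide and the four-step encryption process (not code from the presentation), the file-server side of steps 2 and 3 with the FileServerResourceManager module. The share path, the RMS template name and the use of the built-in Impact_MS resource property are assumptions; step 1 (enabling the resource property in AD DS) is shown with Set-ADResourceProperty.

```powershell
# Added example: classification-driven RMS protection on a Windows Server 2012+ file
# server with the FSRM role and the AD RMS client. Assumptions: share D:\Shares\Finance,
# an RMS template named "Confidential - High Impact", and the built-in Impact_MS property.

# Step 1 (on a domain controller): enable the resource property so file servers can use it.
Import-Module ActiveDirectory
Set-ADResourceProperty -Identity "Impact_MS" -Enabled $true

# Step 2 (on the file server): any file containing "confidential" is tagged Impact_MS = High.
# ReevaluateProperty Overwrite re-classifies a file if its content changes later.
Import-Module FileServerResourceManager
New-FsrmClassificationRule -Name "Confidential marker" `
    -Property "Impact_MS" -PropertyValue "High" `
    -Namespace @("D:\Shares\Finance") `
    -ClassificationMechanism "Content Classifier" `
    -ContentString @("confidential") `
    -ReevaluateProperty Overwrite

# Step 3: a continuous file management job applies the RMS template to every file whose
# Impact_MS property equals High, so newly classified files are protected without waiting
# for the scheduled run.
$cond = New-FsrmFmjCondition -Property "Impact_MS" -Condition Equal -Value "High"
$act  = New-FsrmFmjAction -Type Rms -RmsTemplate "Confidential - High Impact"
New-FsrmFileManagementJob -Name "RMS-protect high impact files" `
    -Namespace @("D:\Shares\Finance") -Condition $cond -Action $act -Continuous

# Kick off classification now; step 4 (RMS encryption of the file) follows from the job.
Start-FsrmClassification
```

Verify the outcome with Get-FsrmClassification on a test file (Impact_MS should read High) and by confirming the file opens only for identities listed in the RMS template.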
Want to know more?
• Microsoft Class 20412: Configuring Advanced Windows Server 2012 Services
• Contact your New Horizons Education Consultant
• Feedback
Q & A
THANK YOU FOR YOUR TIME