TRANSCRIPT
Protect Against Information Leaks with Microsoft Active Directory Rights Management Services and RSA Data Loss Prevention Solutions
Mohan Atreya, Sr. Product Manager, RSA Corporation (SIA311)
Marcio Mello, Sr. Program Manager Lead, Microsoft Corporation
Agenda
The Microsoft and RSA Partnership
AD RMS Overview
RSA DLP / AD RMS Integration Overview
RSA DLP Architecture
Demonstration
Q & A
The Business Challenge
Data breaches have reached record levels: 245M exposed records due to breaches since 2005
Cost of compliance is a significant burden and continues to grow
Companies face growing risks of data leaks and an increase in compliance requirements
Data must be protected, but also be accessible
Balance required between security and accessibility
Increasingly need to enable use of information across company boundaries (partners, vendors, customers)
Current Point Solutions not Solving the End to End Data Security Problem
(Diagram: data flows across the Endpoint, Network/E-mail, Apps/DB, FS/CMS and Storage layers: VPN, WAN and LAN; partners, remote employees and internal employees; business analytics, outsourced development and enterprise applications; production database, replica and staging; file servers and collaboration & content management systems; disk arrays, backup disk, backup tape and backup system.)
Current solutions are not content aware across infrastructure so controls often applied without context
Current solutions are not identity aware across infrastructure making it difficult to share sensitive data
Separate management and policy tools must be stitched together
What Microsoft and RSA Announced on December 4, 2008
Microsoft and RSA partnering with a Built-In “systems” approach to protect sensitive information throughout the infrastructure based on content, context, and identity
Microsoft building RSA Data Loss Prevention (DLP) classification technology directly into the Microsoft platform and future information protection products
RSA integrating Active Directory Rights Management Services (AD RMS) with RSA's DLP Suite
Automate the application of AD RMS policies based on data sensitivity
Microsoft and RSA collaboration enables organizations to:
Centrally define information security policy
Automatically identify and classify sensitive data anywhere in the infrastructure
Use a range of controls to protect data throughout the infrastructure
AD Rights Management Services
Provides identity-based protection for sensitive data
Controls access to information across the information lifecycle
Allows only authorized access based on trusted identity
Secures transmission and storage of sensitive information wherever it goes: policies embedded into the content; documents encrypted with 128 bit encryption
Embeds digital usage policies (print, view, edit, expiration etc.) into the content to help prevent misuse after delivery
(Diagram: persistent protection + encryption policy, made up of access permissions and use right permissions.)
RMS Provides Persistent Information Protection
Location-based solutions protect initial access... but not usage
(Diagram: the firewall perimeter and the access control list perimeter each admit authorized users and block unauthorized users; the "YES" path shows that once an authorized user has the content, nothing stops information leakage.)
Information Workflow
1. Author and recipient are already bootstrapped with RMS certificates
2. Author creates e-mail
3. Author protects e-mail by defining RMS permissions and targeted recipients (Publish License)
4. Author sends e-mail to recipient
5. Recipient gets Use License from RMS Server
6. Recipient can access RMS protected e-mail
(Diagram: Author, Recipient and AD RMS Server backed by AD and SQL; certificates and licenses shown: RAC, CLC, PL, UL.)
Rights Protected Document
Contents of the file (text, pictures, and so on): encrypted with the content key
Publishing License: created when the file is protected; signed with the AD RMS server's private key. It carries:
  Content Key: encrypted with the AD RMS server's public key
  Usage Rights: [email protected]: Read, [email protected]: Read
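The publishing license structure above and the six-step workflow before it, modelled in Go as an added example (not code from the presentation or from AD RMS): the content is encrypted with a fresh 128-bit key, that key is wrapped with the server's public key, the license is signed with the server's private key, and a recipient gets the content only if the signature verifies and the rights list names them. All simplifications are assumptions of this example: a plain string rights list stands in for XrML, RSA-OAEP/PSS and AES-GCM stand in for the real algorithms, the e-mail addresses are placeholders, and the server decrypts on the recipient's behalf instead of issuing a use license bound to the recipient's RAC.

```go
package main
import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"slices"
	"strings"
)

// PublishingLicense follows the slide's layout of a rights-protected document.
type PublishingLicense struct {
	WrappedKey, Signature []byte   // key wrapped with the server's public key; signature by its private key
	Rights                []string // constructed entries such as "reader@example.com: Read"
}
func digest(wrapped []byte, rights []string) []byte { // what the server signs and later verifies
	h := sha256.Sum256(append(slices.Clone(wrapped), strings.Join(rights, "\n")...))
	return h[:]
}
func aead(key []byte) cipher.AEAD { // AES-128-GCM: the 128-bit content encryption named on the slide
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Protect plays author and server: fresh content key, key wrapped for the server, license signed.
func Protect(server *rsa.PrivateKey, body []byte, rights []string) ([]byte, PublishingLicense, error) {
	kn := make([]byte, 16+12) // content key followed by the GCM nonce
	rand.Read(kn)             // crypto/rand.Read does not return an error on current Go releases
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &server.PublicKey, kn[:16], nil)
	sig, err2 := rsa.SignPSS(rand.Reader, server, crypto.SHA256, digest(wrapped, rights), nil)
	ct := aead(kn[:16]).Seal(kn[16:], kn[16:], body, nil) // nonce is prepended to the ciphertext
	return ct, PublishingLicense{WrappedKey: wrapped, Signature: sig, Rights: rights}, errors.Join(err, err2)
}

// Consume plays the server deciding on a use license: verify the license, check the right, unwrap, decrypt.
func Consume(server *rsa.PrivateKey, recipient string, ct []byte, pl PublishingLicense) ([]byte, error) {
	if rsa.VerifyPSS(&server.PublicKey, crypto.SHA256, digest(pl.WrappedKey, pl.Rights), pl.Signature, nil) != nil ||
		!slices.ContainsFunc(pl.Rights, func(r string) bool { return strings.HasPrefix(r, recipient+": ") }) {
		return nil, errors.New("use license denied: invalid publishing license or " + recipient + " holds no right")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, server, pl.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return aead(key).Open(nil, ct[:12], ct[12:], nil) // real RMS returns the key to the client inside a use license
}
```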
Products (diagram): AD RMS Client, AD RMS Server, SQL, XML Paper Specification, 2007, SP1
Demo: RMS protecting a Word 2007 document
What is Data Loss Prevention (DLP)?
The DLP Process:
Define information security policy centrally
Push policies across corporate infrastructure
Discover and classify sensitive data
Apply controls to protect sensitive data
Report and audit to verify policy enforcement
RSA DLP Product Suite
Enterprise Manager
DLP Datacenter: Discover and remediate data at rest in the Datacenter
DLP Network: Monitor sensitive data in motion as it leaves the Network; Enforce sensitive data in motion as it leaves the Network
DLP Endpoint: Discover sensitive data at rest on corporate endpoints including laptops; Enforce sensitive data in use on corporate endpoints including laptops
RSA Data Loss Prevention Architecture
How Does Datacenter Scan Work?
1. Enterprise Manager sends a request to the Enterprise Coordinator
2. Enterprise Coordinator passes the command to the appropriate Site Coordinator on a local or remote network.
3. The Site Coordinator installs or connects to the grid workers in the grid machines
4. The Site Coordinator divides up the scanning work among them until the entire repository has been scanned
5. With either a dedicated server or making use of an existing server within an enterprise's infrastructure, the deployed grid software retrieves content from the assigned job and analyzes the content based on policy configuration
6. The Site Coordinator harvests the results from the grid machines (results are always harvested upstream)
7. The Enterprise Coordinator harvests the results from the Site Coordinator
8. The Enterprise Manager harvests the results from the Enterprise Coordinator and processes the results into the database for display to the user.
Scanning File Servers in Remote Offices
1. Enterprise Manager within Corporate Headquarters sends a request to the Enterprise Coordinator
2. Enterprise Coordinator passes the command to the appropriate Site Coordinator on a local or remote network
3. The Site Coordinator connects to the Remote File Server and installs either a permanent or temporary agent on the File Server
4. The agent performs the scan locally on the File Server using the system resources that have been determined by the Agent Throttling Settings: if the agent is installed in temporary mode, once the scan has completed the agent will automatically uninstall itself from the Remote File Server
5. The Site Coordinator harvests the results from the Remote File Server (results are always harvested upstream)
6. The Enterprise Coordinator harvests the results from the Site Coordinator
7. The Enterprise Manager harvests the results from the Enterprise Coordinator and processes the results into the database for display to the user
Scanning Data on Endpoints
1. Enterprise Manager sends a request to the Enterprise Coordinator
2. Enterprise Coordinator passes the command to the appropriate Site Coordinator on a local or remote network.
3. The Site Coordinator connects to the Remote File Server and installs either a permanent or temporary agent on the target Endpoint.
4. The agent performs the scan locally on the Endpoint using the system resources that have been determined by the Agent Throttling Settings. If the agent is installed in temporary mode, once the scan has completed the agent will automatically uninstall itself from the Endpoint.
5. The Site Coordinator harvests the results from the Endpoint (results are always harvested upstream)
6. The Enterprise Coordinator harvests the results from the Site Coordinator
7. The Enterprise Manager harvests the results from the Enterprise Coordinator and processes the results into the database for display to the user.
RMS Integration with DLP 6.5
Components: Microsoft AD Rights Management Services (AD RMS), Enterprise Manager, Enterprise Coordinator, Site Coordinator/Agents
1. Active Directory Administrator configures Rights Policy Templates
2. Gets Rights Policy Templates (sync)
3. EM Administrator associates Rights Policy Template with Datacenter Policy Violation Rules
4. Sends Policies, associated Templates
5. Processes Files
6. Creates Publishing License using Template
7. Returns Events, error messages
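Step 5 of the datacenter scan (grid software analyzing content against the policy configuration) and steps 3, 5 and 6 above (a violation rule carrying its associated template, a processed file raising the event that protection is built from), as an added Go example that is not RSA's or Microsoft's code: a constructed policy, a constructed repository, a Luhn check so that a bare run of sixteen digits does not count as a card number, and a classifier that returns the template the file should be protected with. Rule names, template names, paths and file contents are all made up for the example.

```go
package main

import "regexp"

// Rule: one Datacenter policy violation rule plus the AD RMS template associated with it in step 3.
type Rule struct {
	Name, Template string
	Pattern        *regexp.Regexp
	Checksum       bool // require a Luhn-valid hit, so a bare run of digits does not trigger
}
// Event is what an agent returns upstream in step 7: file, violated rule, template used in step 6.
type Event struct{ Path, Rule, Template string }
// SamplePolicy is constructed for this example (template names are placeholders, not real templates).
var SamplePolicy = []Rule{
	{"PCI card number", "Company Confidential - Read Only", regexp.MustCompile(`\b\d{16}\b`), true},
	{"US SSN", "HR Restricted - No Forward", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`), false},
}
// SampleFiles is a constructed repository: a Luhn-valid card number, a random 16-digit tag, an SSN, a clean file.
var SampleFiles = map[string]string{
	`\\fs01\finance\refunds.txt`: "refund to card 4111111111111111 approved",
	`\\fs01\ops\ticket.txt`:      "asset tag 1234567890123456 replaced",
	`\\fs01\hr\onboarding.txt`:   "SSN 078-05-1120 verified",
	`\\fs01\pub\readme.txt`:      "nothing sensitive here",
}

// luhn separates real payment card numbers from arbitrary strings of 16 digits.
func luhn(s string) bool {
	sum := 0
	for i, c := range s {
		d := int(c - '0')
		if (len(s)-i)%2 == 0 { // every second digit from the right is doubled,
			d = d*2%10 + d*2/10 // then the digits of the product are summed
		}
		sum += d
	}
	return sum%10 == 0
}

// Classify is a grid worker processing one file in step 5: the first validated hit per rule raises one event.
func Classify(path, content string, rules []Rule) (events []Event) {
	for _, r := range rules {
		for _, hit := range r.Pattern.FindAllString(content, -1) {
			if !r.Checksum || luhn(hit) {
				events = append(events, Event{path, r.Name, r.Template})
				break
			}
		}
	}
	return events
}
```

Running Classify over every entry of SampleFiles yields one event for the refunds file (card template) and one for the onboarding file (SSN template); the ticket and readme files produce none.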
Demo: RSA DLP RMS integration
Long term: Microsoft and RSA Building Information Protection into Infrastructure
(Diagram: RSA DLP Enterprise Manager with add-on policies on top of Microsoft Information Protection Management; built-in DLP classification and RMS controls in the Microsoft environment and applications across E-mail/UC, Endpoint, Network, Apps, FS/CMS and Storage; RSA DLP Endpoint, RSA DLP Network and RSA DLP Datacenter as complementary platforms and functionality.)
Common policies throughout infrastructure
Built-in approach to protect data based on content, context, identity
Future ready: Seamless upgrade path for current DLP customers
Summary
Microsoft and RSA partnering to secure sensitive data with a Built-In "systems" approach to build protection into the infrastructure
Common policies and classification throughout the entire system
Microsoft building RSA Data Loss Prevention (DLP) classification technology directly into the Microsoft platform and future information protection products
Microsoft selected RSA due to its strength in the areas of correlation, policies, scalability
First step is the RSA DLP Suite's integration with AD RMS
Automate the application of AD RMS policies based on data sensitivity
Additional RMS Resources
Website http://www.microsoft.com/rms
Blog http://blogs.msdn.com/rms
TechNet virtual lab http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
MSIT deployment http://www.microsoft.com/technet/itsolutions/msit/infowork/deprmswp.mspx
Resources
www.microsoft.com/teched Sessions On-Demand & Community
http://microsoft.com/technet Resources for IT Professionals
http://microsoft.com/msdn Resources for Developers
www.microsoft.com/learning Microsoft Certification & Training Resources
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
AD RMS Template Acquisition
AD RMS Template Selection
AD RMS Template in a DLP Policy
DLP Incidents Involving AD RMS