
Page 1: Mohan Atreya Sr. Product Manager RSA Corporation SIA311 Marcio Mello Sr. Program Manager Lead Microsoft Corporation

Protect Against Information Leaks with Microsoft Active Directory Rights Management Services and RSA Data Loss Prevention Solutions

Mohan Atreya, Sr. Product Manager, RSA Corporation (SIA311)

Marcio Mello, Sr. Program Manager Lead, Microsoft Corporation


Agenda

The Microsoft and RSA Partnership

AD RMS Overview

RSA DLP / AD RMS Integration Overview

RSA DLP Architecture

Demonstration

Q & A


The Business Challenge

Data breaches have reached record levels – 245M exposed records due to breaches since 2005

Cost of compliance is a significant burden and continues to grow

Companies face growing risks of data leaks & increase in compliance requirements

Data must be protected, but also be accessible

Balance required between security and accessibility

Increasingly need to enable use of information across company boundaries (partners, vendors, customers)


Current Point Solutions not Solving the End to End Data Security Problem

[Figure: enterprise infrastructure diagram with columns Endpoint, Network/E-mail, Apps/DB, FS/CMS and Storage. Labels: VPN, WAN, LAN; Partners, Remote Employees, Internal Employees; Business Analytics, Outsourced Dev., Enterprise Applications, Production Database, Replica, Staging; File Servers, Collaboration & Content Mgmt Systems; Disk Arrays, Backup Disk, Backup Tape, Backup System.]

Current solutions are not content aware across infrastructure so controls often applied without context

Current solutions are not identity aware across infrastructure making it difficult to share sensitive data

Separate management and policy tools must be stitched together


What Microsoft and RSA Announced on December 4, 2008

Microsoft and RSA partnering with a Built-In “systems” approach to protect sensitive information throughout the infrastructure based on content, context, and identity

Microsoft building RSA Data Loss Prevention (DLP) classification technology directly into the Microsoft platform and future information protection products


What Microsoft and RSA Announced on December 4, 2008

RSA integrating Active Directory Rights Management Services (AD RMS) with RSA's DLP Suite

Automate the application of AD RMS policies based on data sensitivity

Microsoft and RSA collaboration enables organizations to:

Centrally define information security policy

Automatically identify and classify sensitive data anywhere in the infrastructure

Use a range of controls to protect data throughout the infrastructure


AD Rights Management Services

Provides identity-based protection for sensitive data

Controls access to information across the information lifecycle

Allows only authorized access based on trusted identity

Secures transmission and storage of sensitive information wherever it goes – policies embedded into the content; documents encrypted with 128 bit encryption

Embeds digital usage policies (print, view, edit, expiration etc.) into the content to help prevent misuse after delivery

Persistent Protection = Encryption + Policy:

• Access Permissions

• Use Right Permissions


RMS Provides Persistent Information Protection

Location-based solutions protect initial access… but not usage

[Figure: a Firewall Perimeter and an Access Control List Perimeter, each with Authorized Users inside and Unauthorized Users outside; the labels YES and Information Leakage mark that access is granted at the perimeter but information can still leak beyond it.]


Information Workflow

1. Author and recipient are already bootstrapped with RMS certificates

2. Author creates e-mail

3. Author protects e-mail by defining RMS permissions and targeted recipients (Publish License)

4. Author sends e-mail to recipient

5. Recipient gets Use License from RMS Server

6. Recipient can access RMS protected e-mail

[Figure: Author, Recipient and AD RMS Server (backed by AD and SQL). Author and Recipient each hold a RAC and CLC (rights account certificate, client licensor certificate); the author obtains a PL (publish license) and the recipient a UL (use license); steps 1 to 6 are marked on the arrows.]


Rights Protected Document

[Figure: AD RMS Client and AD RMS Server (backed by SQL), with the structure of a rights-protected document:]

Publishing License: created when the file is protected; signed with the AD RMS server’s private key. It carries:

Usage policy: [email protected]: Read, [email protected]: Read

Content Key: encrypted with the AD RMS server’s public key

Contents of the file (text, pictures, and so on): encrypted with the content key


Products

[Figure: logos of RMS-enabled products; recoverable labels: 2007, XML Paper Specification, SP1, SQL.]


Demo: RMS protecting a Word 2007 document


What is Data Loss Prevention (DLP)?

The DLP Process:

Define information security policy centrally

Push policies across corporate infrastructure

Discover and classify sensitive data

Apply controls to protect sensitive data

Report and audit to verify policy enforcement


RSA DLP Product Suite

[Figure: Enterprise Manager at the centre of three products: DLP Datacenter (Discover and Remediate), DLP Network (Monitor, Enforce), DLP Endpoint (Discover, Enforce).]

DLP Datacenter: Discover and remediate data at rest in the Datacenter

DLP Network: Monitor sensitive data in motion as it leaves the Network; Enforce sensitive data in motion as it leaves the Network

DLP Endpoint: Discover sensitive data at rest on corporate endpoints including laptops; Enforce sensitive data in use on corporate endpoints including laptops


RSA Data Loss Prevention Architecture


How Does Datacenter Scan Work?

1. Enterprise Manager sends a request to the Enterprise Coordinator

2. Enterprise Coordinator passes the command to the appropriate Site Coordinator on a local or remote network.

3. The Site Coordinator installs or connects to the grid workers in the grid machines

4. The Site Coordinator divides up the scanning work among them until the entire repository has been scanned

5. With either a dedicated server or making use of an existing server within an enterprise's infrastructure, the deployed grid software retrieves content from the assigned job and analyzes the content based on policy configuration

6. The Site Coordinator harvests the results from the grid machines (results are always harvested upstream)

7. The Enterprise Coordinator harvests the results from the Site Coordinator

8. The Enterprise Manager harvests the results from the Enterprise Coordinator and processes the results into the database for display to the user.

[Figure: Enterprise Manager, Enterprise Coordinator, Site Coordinator and grid machines, with steps 1 to 8 marked on the arrows.]


Scanning File Servers in Remote Offices

1. Enterprise Manager within Corporate Headquarters sends a request to the Enterprise Coordinator

2. Enterprise Coordinator passes the command to the appropriate Site Coordinator on a local or remote network

3. The Site Coordinator connects to the Remote File Server and installs either a permanent or temporary agent on the File Server

4. The agent performs the scan locally on the File Server using the system resources that have been determined by the Agent Throttling Settings: if the agent is installed in temporary mode, once the scan has completed the agent will automatically uninstall itself from the Remote File Server

5. The Site Coordinator harvests the results from the Remote File Server (results are always harvested upstream)

6. The Enterprise Coordinator harvests the results from the Site Coordinator

7. The Enterprise Manager harvests the results from the Enterprise Coordinator and processes the results into the database for display to the user

[Figure: Enterprise Manager, Enterprise Coordinator, Site Coordinator and a Remote File Server running a Temporary or Permanent Agent, with steps 1 to 7 marked on the arrows.]


Scanning Data on Endpoints

1. Enterprise Manager sends a request to the Enterprise Coordinator

2. Enterprise Coordinator passes the command to the appropriate Site Coordinator on a local or remote network.

3. The Site Coordinator connects to the Remote File Server and installs either a permanent or temporary agent on the target Endpoint.

4. The agent performs the scan locally on the Endpoint using the system resources that have been determined by the Agent Throttling Settings. If the agent is installed in temporary mode, once the scan has completed the agent will automatically uninstall itself from the Endpoint.

5. The Site Coordinator harvests the results from the Endpoint (results are always harvested upstream)

6. The Enterprise Coordinator harvests the results from the Site Coordinator

7. The Enterprise Manager harvests the results from the Enterprise Coordinator and processes the results into the database for display to the user.

[Figure: Enterprise Manager, Enterprise Coordinator, Site Coordinator and an Endpoint running a Temporary or Permanent Agent, with steps 1 to 7 marked on the arrows.]


RMS Integration with DLP 6.5

[Figure: Microsoft AD Rights Management Services (AD RMS), Enterprise Manager, Enterprise Coordinator, and Site Coordinator/Agents, with the steps below marked on the arrows.]

1. Active Directory Administrator configures Rights Policy Templates

2. Gets Rights Policy Templates (sync)

3. EM Administrator associates Rights Policy Template with Datacenter Policy Violation Rules

4. Sends Policies, associated Templates

5. Processes Files

6. Creates Publishing License using Template

7. Returns Events, error messages
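The datacenter scan pipeline from the "How Does Datacenter Scan Work?" slide and the RMS hook on this slide, modelled end to end in Python as an added example; this is not RSA's or Microsoft's code. Everything in it is an assumption made for illustration: the rule names, the rights policy template names, the sample files, the round-robin split of files across grid workers, and the dict that stands in for a publishing license. Real AD RMS encrypts the content with a content key and issues a signed license; the stub here only records which template the DLP rule applied so the decision can be audited.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Step 1: rights policy templates as the Active Directory administrator would
# define them in AD RMS (names and rights constructed for this example).
RIGHTS_POLICY_TEMPLATES: Dict[str, dict] = {
    "Finance - Confidential": {"rights": ["VIEW"], "expires_days": 30},
    "HR - Restricted": {"rights": ["VIEW", "EDIT"], "expires_days": 90},
}


def luhn_ok(digits: str) -> bool:
    """Luhn check so that card-like numbers that are just typos do not fire."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Rule:
    """A datacenter policy violation rule plus the template the EM
    administrator associated with it (step 3 on the slide)."""
    name: str
    pattern: re.Pattern
    template: str
    validate: Callable[[str], bool] = lambda m: True
    threshold: int = 1          # matches needed before the rule fires


# Hypothetical rules; real DLP policies are far richer than two regexes.
RULES: List[Rule] = [
    Rule("payment-card", re.compile(r"\b(?:\d[ -]?){15}\d\b"),
         "Finance - Confidential",
         validate=lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    Rule("us-ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "HR - Restricted"),
]


def classify(text: str, rules: List[Rule]) -> Dict[str, int]:
    """Count validated matches per rule: what a grid worker runs on each
    piece of content it is assigned (step 5)."""
    hits: Dict[str, int] = {}
    for rule in rules:
        n = sum(1 for m in rule.pattern.findall(text) if rule.validate(m))
        if n >= rule.threshold:
            hits[rule.name] = n
    return hits


def create_publishing_license(path: str, content: str, template: str) -> dict:
    """Stand-in for step 6. Real AD RMS wraps a content key for the server and
    signs the license; this stub only records the policy decision."""
    t = RIGHTS_POLICY_TEMPLATES[template]
    return {
        "path": path,
        "content_sha256": hashlib.sha256(content.encode()).hexdigest(),
        "template": template,
        "rights": list(t["rights"]),
        "expires_days": t["expires_days"],
    }


def grid_worker(batch: List[Tuple[str, str]], rules: List[Rule]) -> List[dict]:
    """One grid worker: analyses its share of the repository and applies the
    associated template for every rule that fires."""
    events = []
    for path, content in batch:
        for rule_name, count in classify(content, rules).items():
            rule = next(r for r in rules if r.name == rule_name)
            events.append({
                "path": path, "rule": rule_name, "matches": count,
                "license": create_publishing_license(path, content, rule.template),
            })
    return events


def site_coordinator(repo: Dict[str, str], rules: List[Rule], workers: int = 2) -> List[dict]:
    """Divides the repository among grid workers and harvests their results
    upstream (scan steps 4 and 6); round-robin split is an assumption."""
    items = sorted(repo.items())
    harvested: List[dict] = []
    for i in range(workers):
        harvested.extend(grid_worker(items[i::workers], rules))
    return harvested


def enterprise_manager_scan(repo: Dict[str, str], rules: List[Rule] = RULES,
                            workers: int = 2) -> Dict[str, List[dict]]:
    """Scan steps 1-2 and 7-8: the request goes down through the Enterprise
    Coordinator (a plain relay here) and results come back up, processed
    into a per-file view for display."""
    results: Dict[str, List[dict]] = {}
    for ev in site_coordinator(repo, rules, workers):
        results.setdefault(ev["path"], []).append(ev)
    return results


# Constructed sample repository; every value is made up for this example.
SAMPLE_REPO = {
    "finance/q3-refunds.txt": "Refund to card 4111 1111 1111 1111 and 5500 0000 0000 0004.",
    "finance/typo.txt": "Card 4111 1111 1111 1112 was entered by mistake.",
    "hr/new-hires.txt": "Onboarding: SSN 123-45-6789 received for badge issue.",
    "eng/readme.txt": "Build notes for version 2.0.1; nothing sensitive here.",
}

if __name__ == "__main__":
    for path, events in enterprise_manager_scan(SAMPLE_REPO).items():
        for ev in events:
            print(f"{path}: {ev['rule']} x{ev['matches']} -> {ev['license']['template']}")
```

The Luhn validator is the part worth copying: without it the typo file would be rights-protected on the strength of a regex match alone, and in a deployment that protects files in place that false positive locks a document its owner can still need.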


Demo: RSA DLP RMS


Long term – Microsoft and RSA Building Information Protection into Infrastructure

[Figure: RSA DLP Enterprise Manager with Add-on Policies on top of Microsoft Information Protection Management; the Microsoft Environment and Applications (E-mail/UC, Endpoint, Network, Apps, FS/CMS, Storage) carry Built-in DLP Classification and RMS Controls; RSA DLP Endpoint, RSA DLP Network and RSA DLP Datacenter cover Complementary Platforms and functionality.]

Common policies throughout infrastructure

Built-in approach to protect data based on content, context, identity

Future ready: Seamless upgrade path for current DLP customers


Summary

Microsoft and RSA partnering to secure sensitive data with a Built-In “systems” approach to build protection into the infrastructure

Common policies and classification throughout the entire system

Microsoft building RSA Data Loss Prevention (DLP) classification technology directly into the Microsoft platform and future information protection products

Microsoft selected RSA due to its strength in the areas of correlation, policies, scalability

First step is the RSA DLP Suite’s integration with AD RMS

Automate the application of AD RMS policies based on data sensitivity


Additional RMS Resources

Website http://www.microsoft.com/rms

Blog http://blogs.msdn.com/rms

TechNet virtual lab http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx

MSIT deployment http://www.microsoft.com/technet/itsolutions/msit/infowork/deprmswp.mspx


Resources

www.microsoft.com/teched Sessions On-Demand & Community

http://microsoft.com/technet Resources for IT Professionals

http://microsoft.com/msdn Resources for Developers

www.microsoft.com/learning Microsoft Certification & Training Resources


Complete an evaluation on CommNet and enter to win!


© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


AD RMS Template Acquisition


AD RMS Template Selection


AD RMS Template in a DLP Policy


DLP Incidents Involving AD RMS