We have to Share Data - Now What?
Jon R. Wall, Security / IA, Microsoft
The Move from Need to Know to Need to Share
• Within Organizations
• Across Organizations
• Across Civilian and Military
• 5I’s
• Across Govt. and Commercial
Interest – the Wrong Type
• Florida Dept. of Labor: 4,624 files
• Bureau of the Census: 1,138 laptops
• City of Savannah, Georgia: 8,800 files
• USDA data breach: 26,000 files
• US Navy data breach: 28,00 files
• TJX sued for loss of consumer data
• U.S. Department of Veterans Affairs: 25.5 million veterans and military personnel
Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP
What do you think of when someone says "Information Security"?
Risk Management
Microsoft Confidential
Secure Infrastructure
• Protection against malware, unauthorized access and evolving threats
• Managed identities, and personal information protected from unauthorized access
• Sensitive data protected from prying eyes
• Document security protected throughout its lifecycle
• Monitoring systems and measuring compliance
Technologies:
• BitLocker Drive Encryption
• Encrypting File System
• Windows Server Rights Management Services (RMS)
• Office Information Management Services (IRM)
Technology Framework for Data Governance
• Identity & Access Control
• Data Encryption
• Document Management
• Auditing & Reporting

Government and Industry Compliance
• Many governmental compliance rules (HIPAA, Sarbanes-Oxley, FDA 21 CFR 11, etc.) require that measures be put into place to safeguard digital information
• Expiration of content is required by many other industry and governmental regulations
Today’s Policy Expression
• Today, most communication policies only exist on paper
• It’s easy to unintentionally forward e-mails & documents
• It’s easy to intentionally share/sell plans with competitors, the press, or the Internet
Boundary-Based Technologies
• Encryption
• Digital Signatures
• Access Control Lists
• Firewalls
• Secure Channels (SSL)

The Limitations of Boundary-Based Technologies
[Figure: perimeter diagram; an Access Control List at the boundary answers Yes or No]
Today’s Information Protection
Windows RMS provides organizations with the tools they need to safeguard confidential & sensitive data
• Information Protection: data protected at rest and during collaboration
• Policy Enforcement: specify not only who has initial access to information but also what they can do with it
• Out-of-box scenarios: integrated with SharePoint, Office, XPS, Exchange, Windows Mobile
• Customizable Solution: RMS SDK, partner ecosystem
RMS Gives Authors Control
The document author can define who can do the following:
• View document
• Edit document
• Print document
• Copy/Paste
How RMS Works
1. On first use, authors receive a client licensor certificate from the RMS server
2. Author creates content and assigns rights
3. File is distributed to recipient(s)
4. Recipient opens file, and their RMS client contacts the server for user validation and to obtain a license
5. Application opens the file and enforces the restrictions
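The five steps above, as an added example that is not part of the original deck and not Microsoft's code: a small Python model of an RMS-style flow. The server, the users alice/bob/carol/dave, the keys, the document and the license layout are all constructed for illustration; the real RMS protocol and its XrML licenses are not reproduced, and the SHA-256 keystream stands in for a proper cipher. What the model shows is why the flow works: the content key never travels in the clear, the server hands out a use license only to a validated user who was actually granted rights, the application refuses any action outside that license, and an edited policy is caught because the author's seal no longer verifies.

```python
# Added example, not Microsoft code and not the real RMS/XrML format: a toy model of the
# five steps above. Users, keys and the document are constructed sample data.
import hashlib
import hmac
import json
import secrets

def _xor_stream(key, nonce, data):  # toy SHA-256 counter-mode keystream, NOT a secure cipher
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def _wrap(key, secret):  # encrypt one key under another, fresh nonce prepended
    nonce = secrets.token_bytes(16)
    return nonce + _xor_stream(key, nonce, secret)

def _unwrap(key, blob):
    return _xor_stream(key, blob[:16], blob[16:])

def _seal(key, payload):  # HMAC the license body so any edit to it is detected
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), "sha256").hexdigest()}

def _open_sealed(key, sealed):
    mac = hmac.new(key, sealed["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(mac, sealed["mac"]):
        raise PermissionError("license has been tampered with")
    return json.loads(sealed["body"])

class RmsServer:
    """Issues client licensor certificates (step 1) and use licenses (step 4)."""
    def __init__(self):
        # Constructed directory: each known user shares a key with the server (stands in for the real client certificates)
        self.users = {u: secrets.token_bytes(32) for u in
                      ("alice@example.com", "bob@example.com", "carol@example.com")}
        self.clc_keys = {}

    def issue_clc(self, author):
        self.clc_keys[author] = secrets.token_bytes(32)
        return {"author": author}, self.clc_keys[author]

    def issue_use_license(self, recipient, protected):
        if recipient not in self.users:  # user validation
            raise PermissionError(f"{recipient} could not be validated")
        clc_key = self.clc_keys[protected["author"]]
        policy = _open_sealed(clc_key, protected["policy"])  # verify the author's seal
        rights = policy["rights"].get(recipient, [])
        if not rights:
            raise PermissionError(f"{recipient} was granted no rights")
        content_key = _unwrap(clc_key, bytes.fromhex(policy["wrapped_key"]))
        use = {"rights": rights, "wrapped_key": _wrap(self.users[recipient], content_key).hex()}
        return _seal(self.users[recipient], use)

def author_protect(clc, clc_key, plaintext, rights):
    """Steps 2 and 3: encrypt content, bind per-recipient rights, hand out the file."""
    content_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    policy = {"rights": {r: sorted(rs) for r, rs in rights.items()},
              "wrapped_key": _wrap(clc_key, content_key).hex()}
    return {"author": clc["author"], "policy": _seal(clc_key, policy), "nonce": nonce.hex(),
            "ciphertext": _xor_stream(content_key, nonce, plaintext).hex()}

class RmsApplication:
    """Steps 4 and 5: fetch a use license, decrypt, then enforce the granted rights."""
    def __init__(self, user, user_key, server):
        self.user, self.user_key, self.server, self.rights = user, user_key, server, set()

    def open(self, protected):
        use = _open_sealed(self.user_key, self.server.issue_use_license(self.user, protected))
        key = _unwrap(self.user_key, bytes.fromhex(use["wrapped_key"]))
        self.rights = set(use["rights"])
        return _xor_stream(key, bytes.fromhex(protected["nonce"]), bytes.fromhex(protected["ciphertext"]))

    def allowed(self, action):  # "view", "edit", "print", "copy": the rights on the slide
        return action in self.rights

def _try_open(app, protected):
    try:
        return app.open(protected) is not None
    except PermissionError:
        return False

def demo():
    server = RmsServer()
    clc, clc_key = server.issue_clc("alice@example.com")
    doc = author_protect(clc, clc_key, b"Project X plan",
                         {"bob@example.com": {"view", "print"}, "carol@example.com": {"view"}})
    bob = RmsApplication("bob@example.com", server.users["bob@example.com"], server)
    carol = RmsApplication("carol@example.com", server.users["carol@example.com"], server)
    out = {"bob_text": bob.open(doc), "bob_print": bob.allowed("print"), "bob_edit": bob.allowed("edit")}
    carol.open(doc)
    out["carol_print"] = carol.allowed("print")
    # Carol rewrites the policy to grant herself "print": the author's seal no longer verifies.
    forged = dict(doc, policy=dict(doc["policy"], body=doc["policy"]["body"].replace('["view"]', '["print", "view"]')))
    out["forged_opens"] = _try_open(carol, forged)
    dave = RmsApplication("dave@example.com", secrets.token_bytes(32), server)  # not in the directory
    out["stranger_opens"] = _try_open(dave, doc)
    return out
```

Running `demo()` shows bob (view and print) reading the file but denied edit, carol (view only) denied print, carol's forged policy rejected by the server, and dave, who is unknown to the server, getting no license at all. The contrast with the boundary-based ACL on the earlier slide is that the decision is not made once at the perimeter; every open goes back to the server and the rights travel with the file.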
Windows RMS Usage Scenarios
Protect Sensitive Files
• Control access to sensitive plans
• Set level of access: view, change, print, etc.
• Determine length of access
Do-Not-Forward Email
• Keep executive e-mail off the Internet
• Reduce internal forwarding of confidential information
• Templates to centrally manage policies
Safeguard Intranet Content
• Safeguard financial, legal, HR content
• Set level of access: view, print, export
• View Office 2003 rights-protected info
Keep Internal Information Internal
RMS Will NOT …
• … provide unbreakable, hacker-proof security
• … protect against analog attacks
Comparing S/MIME and RMS
When Should I Use Which Technology?
Comparing implementation of S/MIME signing, S/MIME encryption, and IRM.

Feature                                         S/MIME Signing   S/MIME Encryption   IRM
Authenticates the sender                        Yes              No                  No
Authenticates the recipient                     No               Yes                 Yes
Uses two-factor authentication *                Yes              Yes                 No
Can encrypt content                             No               Yes                 Yes
Prevents content tampering                      Yes              Yes                 Yes
Offers content expiration                       No               No                  Yes
Controls content viewing, forwarding, saving,
  modifying, or printing by recipient           No               No                  Yes
Differentiates permissions by recipient         No               No                  Yes
IRM and SharePoint
• With IRM turned on in SharePoint Central Admin, define policies for specific document libraries, such as ‘Project X, Confidential’, ‘Restricted’, ‘FOUO’, etc.
• Define when policies expire, whether users can print, how often credentials must be validated, etc.
• Automates and forces the RMS encryption of the files in the specific document library
• Users can still create their own policies and upload encrypted documents to other document libraries
DoD 5015.2 Certification
• Certified May 24, 2007. It is now listed on the JITC product register
• Applies to: Microsoft Office SharePoint Server 2007
Titus Labs Suite:
• Message Classification: for Microsoft Outlook, OWA and Windows Mobile, to force the classification of e-mails
• Document Classification: for Microsoft Office, to force the classification of Office documents (Word, PowerPoint & Excel)
RMS at Microsoft: Example of RMS Templates
Corporate RMS templates available from the Permission menu of Outlook, Word, PowerPoint, and Excel
• Microsoft Confidential: only Microsoft employees can access the message. Allows View, Reply, Reply All, Save, Edit, and Forward
• Microsoft Confidential Read Only: only Microsoft employees can access the message. Allows View, Reply, and Reply All
• Microsoft FTE Confidential: only Microsoft full-time employees can access the message. Allows View, Reply, Reply All, Save, Edit, and Forward
• Microsoft FTE Confidential Read Only: only Microsoft full-time employees can access the message. Allows View, Reply, and Reply All
Summary
RMS enables organizations to keep internal information internal. Key benefits:
• Safeguards sensitive internal information
• Augments existing perimeter security technologies
• Digitally enforces organization policies
• Persistent file protection
• Easy to use
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.