Info Security: Microsoft Dynamic Access Control
Description: Security: Microsoft Dynamic Access Control Webinar from 1.30.2014
Transcript
Dynamic Access Control
Presented by: Jason Kittrell, Regional Instructor (MCT, MCSE, CEH, MCITP), New Horizons CLC
January 30, 2014
Welcome
• Intended audience
• Understanding of what D.A.C. offers
• Next steps
Agenda
• Who is New Horizons?
• Presentation: Dynamic Access Control
• Demo
• Q & A
Who is New Horizons?
New Horizons is a proven, worldwide training provider with flexible learning solutions covering a broad spectrum of topics taught by industry-leading instructors.
Facts to Consider
Largest International Network
• 2,100 Classrooms
• 2,400 Instructors in 56 Countries
• 3 Million Student Days of Training per Year
Flexible, Integrated Learning Methods
• ILT – Instructor Led Training
• OLL – Online Live Virtual Delivery
• Private Group Training customized for your organization
Strong Vendor Partnerships
Introduction
• Data compliance challenges
• Understanding the new Dynamic Access Control built into Windows Server 2012
• Next steps
• Q & A
Data Compliance Challenges
Compliance
• Compliance is generally an effect of some form of regulation, governmental or industry driven:
  • HIPAA
  • Sarbanes-Oxley
  • European Union Data Protection Directive
  • State Laws
Microsoft Case Study
Storage growth
• 45%: file-based storage CAGR
• MSIT cost: $1.6 per GB per month for managed servers
• >70% of stored data is stale
• Cloud cost would be approximately 25 cents per GB per month
Distributed information
• Corporate information is everywhere: desktops, branch offices, data centers, cloud…
• MSIT: 1500 file servers with 110 different groups managing them
• Very hard to consistently manage the information
Regulatory compliance
• New and changing regulations (SOX, HIPAA, GLBA…)
• International and local regulations
• More oversight and tighter enforcement
Data leakage
• $15M: settlement for an investment bank with the SEC over record retention
• 246,091,423: total number of records containing sensitive personal information involved in security breaches in the US since January 2005
• $90 to $305 per record (Forrester, “Calculating the Cost of a Security Breach”)
Dynamic Access Control
• “Safety Net” for all file-server-based resources
• Provides data classification
• Gives IDM a central management point for access
• Audits access attempts
• Integrates with AD RMS
Reasons for implementing D.A.C.
• An inability to achieve the desired security and compliance results with NTFS alone
• A requirement to have access controls based on attributes rather than ACE entries
The 4 Pillars of Dynamic Access Control
Dynamic Access Control in a Nutshell
• Encryption: automatic RMS encryption based on document classification.
• Data classification: classify your documents using resource properties stored in Active Directory. Automatically classify documents based on document content.
• Expression-based auditing: targeted access auditing based on document classification and user identity. Centralized deployment of audit policies using Global Audit Policies.
• Expression-based access conditions: flexible access control lists based on document classification and multiple identities (security groups). Centralized access control lists using Central Access Policies.
Pre-2012: NTFS Permissions
• Decisions made only by user security principals or group membership
• Users had to log out before changes to security group membership were reflected in their security token
• “Shadow Groups” were often created to mimic attributes
• Security groups have rules on who can be members of which types of groups
• No way to cross AD trust boundaries
• No way to make access decisions based on the user’s device
Windows Server 2012: Expression-Based Access
• Selected AD attributes are included in security tokens (as claims)
• Claims can be included directly in file server permissions
• Claims can be consistently issued to all users in the forest
• Claims can be “transformed” across trust boundaries
• Enables new policy types that NTFS alone cannot grant:
  – Example: Allow WRITE if User.MemberOf(Finance) and User.EmployeeType=FTE and Device.Managed=TRUE
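As an added example (not part of the webinar), a small Python model of how the slide's conditional ACE is evaluated against a token that carries group memberships plus user and device claims, including the three-valued TRUE/FALSE/UNKNOWN evaluation that Windows conditional ACEs apply when a referenced claim is missing from the token. The Token class, the term tuples and the claim names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

UNKNOWN = None  # third truth value: a referenced claim is absent from the token

# Constructed model of a Windows Server 2012 access token: group memberships
# plus user and device claims sourced from AD attributes at logon.
# Assumption: simplified (no SIDs, claim values are plain Python values).
@dataclass
class Token:
    groups: frozenset
    user: dict = field(default_factory=dict)    # user claims
    device: dict = field(default_factory=dict)  # device claims

def eval_term(token, term):
    """Evaluate one term of a conditional ACE; a missing claim yields UNKNOWN."""
    kind, *args = term
    if kind == "MemberOf":
        return args[0] in token.groups
    claims = token.user if kind == "User" else token.device
    name, expected = args
    if name not in claims:
        return UNKNOWN
    return claims[name] == expected

def eval_and(token, terms):
    """Three-valued AND: any FALSE gives FALSE, otherwise any UNKNOWN gives UNKNOWN."""
    results = [eval_term(token, t) for t in terms]
    if any(r is False for r in results):
        return False
    if any(r is UNKNOWN for r in results):
        return UNKNOWN
    return True

# The slide's example condition:
# Allow WRITE if User.MemberOf(Finance) and User.EmployeeType=FTE and Device.Managed=TRUE
WRITE_CONDITION = [
    ("MemberOf", "Finance"),
    ("User", "EmployeeType", "FTE"),
    ("Device", "Managed", True),
]

def write_allowed(token):
    """An allow ACE grants only when its condition is TRUE; UNKNOWN does not grant."""
    return eval_and(token, WRITE_CONDITION) is True

def legacy_write_allowed(token):
    """Pre-2012 NTFS ACE: group membership alone decides."""
    return "Finance" in token.groups
```

A contractor in the Finance group, or a user whose employeeType attribute was never populated, is granted by the group-only ACE but not by the expression, which is exactly the gap shadow groups used to paper over.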
Data Classification
File Classification Infrastructure provides insight into your data by automating classification processes.
File Classification Infrastructure uses classification rules to automatically scan files and classify them according to the contents of the file.
Some examples of classification rules include:
• Classify any file that contains the string “SBC12 Confidential” as having high business impact.
• Classify any file that contains at least 10 social security numbers as having personally identifiable information.
Data Encryption Challenges
How do I protect sensitive information after it leaves my protected environment?
I cannot get the users to encrypt their sensitive data.
Process to encrypt a file based on classification
1. Claim definitions, file property definitions, and access policies are established on an Active Directory domain controller.
2. A user creates a file with the word “confidential” in the text and saves it. The classification engine classifies the file as high-impact according to the rules configured.
3. On the file server, a rule automatically applies RMS protection to any file classified as high-impact.
4. The RMS template and encryption are applied to the file on the file server, and the file is encrypted.
[Diagram: classification-based encryption process, steps 1 to 4 across the user, the file server, the classification engine, the RMS server and Active Directory Domain Services]
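As an added example (not from the webinar), a Python model of the two classification rules from the Data Classification slide feeding the protection step above: content is scanned, resource properties are assigned, and only a high-impact result selects an RMS template. The property names, the template name and the sample files are constructed for the illustration.

```python
import re

# Constructed rule set mirroring the two classification rules on the slide.
# Assumption: resource properties are modelled as a dict of name -> value,
# and the rules scan the file's text as FCI content classifiers do.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CONFIDENTIAL_MARKER = "SBC12 Confidential"
MIN_SSN_COUNT = 10

def classify(content):
    """Return the resource properties the rules assign to a file's text."""
    props = {}
    if CONFIDENTIAL_MARKER in content:
        props["Impact"] = "High"
    if len(SSN_PATTERN.findall(content)) >= MIN_SSN_COUNT:
        props["PII"] = "High"
    return props

# Step 3 of the process: on the file server, a rule applies RMS protection
# to any file classified as high-impact. The template name is hypothetical.
HIGH_IMPACT_TEMPLATE = "Confidential - Internal Only"

def protection_template(props):
    """RMS template a high-impact file should receive, or None to leave it alone."""
    return HIGH_IMPACT_TEMPLATE if props.get("Impact") == "High" else None

def process(content):
    """Classify, then decide on protection: the file server's two-stage pipeline."""
    props = classify(content)
    return props, protection_template(props)

# Constructed sample files.
SAMPLE_MEMO = "Project SBC12 Confidential: Q1 roadmap draft."
SAMPLE_PAYROLL = "\n".join(f"emp{i} 123-45-{6000 + i:04d}" for i in range(10))
SAMPLE_NOTE = "Ticket 123-45-6789 was closed yesterday."
```

Note that a file tripping only the PII rule is tagged but not protected, because the rule in step 3 keys on the impact property alone; that is the kind of gap to look for when reviewing a classification-driven protection policy.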
Want to know more?
• Microsoft Class 20412: Configuring Advanced Windows Server 2012 Services
• Contact your New Horizons Education Consultant
• Feedback
Q & A
THANK YOU FOR YOUR TIME