Business Ready Security Solutions
Cristian Mora, Technical Product Manager, Microsoft Corporation
Abhijat Kanade, Senior Program Manager, Microsoft Corporation
Session Code: SIA 312
Agenda
• Business and IT Challenges
• Business Ready Security
• Information Protection
• Customer Testimonial: Microsoft IT
• The Road Ahead
• Getting Started

Customer Problem and Pains
"Information Privacy is the most important security concern in the enterprise, outranking malware in 2007 for the first time"
Examples (sources: Sci-tech today 06/21/07; Sci-tech today 06/15/07; www.privacyrights.org, August 2008):
• Personal Information Loss: Ohio state government loses the confidential information of 269,000 taxpayers and employees.
• IP, National Security: A consultant from Los Alamos sent an e-mail containing highly classified, non-encrypted nuclear weapons information to several board members, who forwarded it to other members.
• Personal Information Loss: A flash drive with Social Security numbers and other personal information was removed from the unattended laptop of a state employee.
Source: Ohio Data Loss Scope Broadens. Sci-Tech Today.com, June 2007. http://www.sci-techtoday.com/story.xhtml?story_id=53225
Other high-profile incidents:
1. T.J.Maxx, 45 million PCI records stolen. Financial loss: $75M
2. Veterans Affairs, 26.5M PII records. Financial loss: $500M
3. Boeing, 382,000 PII records stolen. Financial loss: undetermined
Significant financial, business, and reputation loss due to regulatory compliance violations and intellectual property leaks.

Business Needs and IT Challenges
Business needs agility and flexibility:
• Discover and classify information based on business importance
• Secure sensitive information while in use, in motion, and at rest
• Enable simplified access to information from anywhere
• Demonstrate compliance with information control policies
IT needs control:
• Sensitive information stored in multiple locations
• Difficulty in discovering and securing information
• Multiple locations and devices
• Easy access to sensitive information on multiple devices

Current Situation
• Discovery, classification, and protection of sensitive information is expensive
• Sensitive information is sent via e-mail because partners do not have access to the collaboration site
• Limited to no access

Business Ready Security
Help securely enable business by managing risk and empowering people
• Protect everywhere, access anywhere
• Simplify the security experience, manage compliance
• Integrate and extend security across the enterprise
Foundation: Identity; Highly Secure & Interoperable Platform
From: Block, Cost, Siloed. To: Enable, Value, Seamless.

Business Ready Security Solutions
• Secure Messaging
• Secure Collaboration
• Information Protection
• Identity and Access Management
• Secure Endpoint

Information Protection
Discover, protect, and manage confidential data throughout your business with a comprehensive solution integrated with the computing platform and applications
PROTECT everywhere, ACCESS anywhere
• Protect critical data wherever it goes
• Protect data wherever it resides
• Secure endpoints to reduce risk
INTEGRATE and EXTEND security
• Extend confidential communication to partners
• Built into the Windows platform and applications
SIMPLIFY security, MANAGE compliance
• Simplify deployment and ongoing management
• Enable compliance with information policy

Protect Critical Information Wherever It Goes (Protect everywhere, access anywhere)
• Automatically protect sensitive e-mail with Active Directory Rights Management Services
• Filter message body and subject based on content criteria
• Policy-based restricted usage of e-mail attachments
Source: Food Distributor Deploys Enterprise Rights Management to Help Protect Sensitive Data. Microsoft case study, February 2008. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000001482
Document Protection and Consumption (Cristian Mora, Sr. Solution Product Manager, Microsoft)

Protect Information Wherever It Resides (Protect everywhere, access anywhere)
• Automatically discover and classify sensitive information
• Protect information based on content, context, and identity
• Ensure only authorized usage through persistent policies
• Restrict users from sharing inappropriate content
Source: Microsoft, RSA Partner to Develop Next-Gen Data Loss Prevention. Channel Insider, December 2008. http://www.channelinsider.com/c/a/Security/Microsoft-RSA-Partner-to-Develop-NextGen-Data-Loss-Prevention/
MOSS IRM (Cristian Mora, Sr. Solution Product Manager, Microsoft)

Secure Endpoints to Reduce Risk (Protect everywhere, access anywhere)
• Device Control: access policy for removable media
• BitLocker: reduce information loss risk through integrated disk encryption
• Classify and protect information with built-in AD RMS
Source: Customs Service Improves Reporting with Simplified, Integrated Antivirus Solution. Microsoft case study, April 2007. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=201402

Enable Secure, Seamless Access to Information (Integrate and extend security)
• Ability to move seamlessly between applications
• Eliminate the need to manage external accounts
• Simplified and flexible claims-based federation
• Simplified partner on-boarding through administrative tools and wizards
Source: Malicious insider attacks to rise. BBC News, February 2009. http://news.bbc.co.uk/2/low/technology/7875904.stm
Demo: Federated AD RMS (Cristian Mora, Sr. Solution Product Manager, Microsoft)

Simplify Management (Simplify security, manage compliance)
• Automatically apply information policies from within Microsoft Office SharePoint® Server and Microsoft Exchange Server
• Demonstrate compliance with logging and auditing tools
• Simplify management by centrally applying information protection templates
Source: Food Distributor Deploys Enterprise Rights Management to Help Protect Sensitive Data. Microsoft case study, February 2008. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000001482
Rights Policy Template Management (Cristian Mora, Sr. Solution Product Manager, Microsoft)

Information Protection Solution
• Enterprise-wide classification, discovery, and protection
• Classification and protection built into the platform

Microsoft IT Environment
• ≈600K+ PCs and devices
• ≈2,300 line-of-business applications
• Largest private wireless network
• Largest private cable & satellite network
• 6M+ internal e-mail messages per day
• 20M+ e-mails from the Internet per day, 97% rejected as spam
• 120,000 SharePoint sites, 15 TB of data
• 2,000 high-level shares, 120 TB of data
• 140K+ end users, 98 countries, 550 buildings
• 1/3 Internet-only connections
• 9.5M+ VPN connections/month
• 85K Outlook / IM over the Internet users

Microsoft Business Needs
• Microsoft must protect the following information: financial information, customer data, intellectual property, personnel data
• Microsoft must follow national and international laws and regulations such as: GLBA, SOX, HIPAA, SB 1386, EU directives, Japan's privacy laws

Microsoft IT Requirements
• Large amounts of data (at rest and in motion). Policy must be enforced.
• Identifying High Business Impact (HBI) information.
• Protecting HBI information.
• Remediation must be efficient and effective.
• Manual processes do not keep up with the information growth and are taxing on the support team and the business.
• Information protection must be automatic and must facilitate business needs.

Microsoft IT Approach
FY06: Established an Operations Team
• Defined the problem starting with risk analysis
• Created the plan to protect HBI information
FY07, FY08: Started Deploying and Developing Solutions
• RSA DLP 3.2 + custom business workflow engines (incl. a custom RMS solution) for managed file servers, SharePoint sites, non-FTE machines
FY09, FY10: Improved the Plan and Solutions
• RSA DLP 7.0.2 + AD RMS
• WS2008 R2 FCI + AD RMS Bulk Protection Tool
• Exchange 2010 + AD RMS

RSA DLP + AD RMS: Solution #1
• File server scanning with automatic RMS protection of sensitive files (RSA DLP Datacenter; AD RMS server role in WS2008 and WS2008 R2)
• Non-FTE machine scanning
• SQL server scanning

RSA DLP + AD RMS: How The Integration Works
1. AD RMS admin creates AD RMS templates for data protection
2. RSA DLP admin selects/creates policies to find sensitive data and protect it using AD RMS
3. RSA DLP discovers and classifies sensitive files, and applies AD RMS protection based on policy
4. Users request files. AD RMS protection provides identity-based access
Diagram: the Intellectual Property (IP) policy finds 'IP' documents on endpoints (laptops/desktops), file shares, SharePoint and other locations, and applies the 'IP' AD RMS template. Resulting rights: R&D department: View, Edit, Print; Marketing department: View; Others: No Access.

WS2008 R2 FCI + AD RMS Bulk Protection Tool: Solution #2
• FCI classifies (tags) files on the file share through folder and content classifiers
• Classified files are automatically RMS-protected through the AD RMS Bulk Protection Tool
• FCI is also able to enforce retention policies based on classification

WS2008 R2 FCI + AD RMS Bulk Protection Tool: How The Integration Works
1. A user creates a file "marketing.docx" on a Windows Server 2008 R2 file server
2. File Classification Infrastructure (FCI) classifies the file as sensitive based on content analysis (keyword/RegEx) and/or folder location (e.g., Business Impact = High)
3. An automated File Management Task invokes the AD RMS Bulk Protection Tool to automatically RMS-protect the file (restrict access to full-time employees only)
4. A full-time employee can access "marketing.docx"
5. A malicious user getting access to the file through an unintentional leak is not able to access the file content

Exchange 2010 + AD RMS: Solution #3
• Automatically RMS-protect e-mails in transit via Exchange transport rules
• Context rule: automatically RMS-protect e-mails sent to HR Benefits
• Content rule: automatically RMS-protect e-mails with Payment Card Industry (PCI) information, using keyword and RegEx detection rules created by Microsoft IT
• Automatic journaling of RMS-protected e-mails in the clear

Exchange 2010 + AD RMS: How The Integration Works: Transport Rule
• Transport rule action applies an AD RMS template to the e-mail message
• Based on content and context analysis
• Content analysis: keyword and RegEx scanning of e-mails and attachments
• Context examples: From, To
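The Solution #3 configuration (context rule, content rule, journal report decryption), as an added example written for this page; it is not the deck's or Microsoft IT's own configuration. It assumes the Exchange 2010 SP1 Management Shell, and the HR Benefits address, the sender address and the two AD RMS template names are placeholders.

```powershell
# Added example for this page; not the deck's or Microsoft IT's configuration.
# Assumes the Exchange 2010 SP1 Management Shell; the group address and the two
# AD RMS template names below are placeholders, not values from the deck.

# Content pattern: a 16-digit card number written as four groups of four digits.
$PanPattern = '\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}'

# Luhn check, used here only to see which regex hits are plausible card numbers.
function Test-Luhn {
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

# Constructed sample messages: the first carries a well-known test PAN (Luhn-valid),
# the second a ticket number that matches the pattern but fails Luhn.
$samples = @(
    'Hotel paid with 4111 1111 1111 1111, receipt attached.',
    'Ticket 1234-5678-9012-3456 opened for the printer outage.'
)
foreach ($s in $samples) {
    foreach ($m in [regex]::Matches($s, $PanPattern)) {
        $digits = $m.Value -replace '[ -]', ''
        '{0}: Luhn valid = {1}' -f $m.Value, (Test-Luhn $digits)
    }
}

# Context rule: mail addressed to the HR Benefits group is RMS-protected.
New-TransportRule -Name 'RMS-protect mail to HR Benefits' `
    -SentTo 'hrbenefits@contoso.example' `
    -ApplyRightsProtectionTemplate 'HBI - HR Benefits Only'

# Content rule: subject or body matching the PAN pattern gets the PCI template.
# Exchange applies only the regex; Luhn-invalid hits are still protected (fail safe).
New-TransportRule -Name 'RMS-protect mail with card numbers' `
    -SubjectOrBodyMatchesPatterns $PanPattern `
    -ApplyRightsProtectionTemplate 'PCI - Finance Only'

# Journal report decryption: clear-text copies go to the journal mailbox. Requires the
# Exchange federation (Federated Delivery) mailbox in the AD RMS super users group.
Set-IRMConfiguration -JournalReportDecryptionEnabled $true

# Verify the IRM settings and that a sender can obtain licenses from AD RMS.
Get-IRMConfiguration | Format-List InternalLicensingEnabled, JournalReportDecryptionEnabled
Test-IRMConfiguration -Sender 'user@contoso.example'
```

The dry run before the rules shows why a regex-only content rule over-matches: the ticket number is flagged as well, which for a protect action is the safe direction but should be tuned with the deck's keyword conditions if it proves noisy.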
Exchange 2010 + AD RMS: How The Integration Works: Journal Decryption
• Journal Report Decryption Agent attaches clear-text copies of RMS-protected e-mails and attachments to the journal mailbox (Archive/Journal)

AD RMS Usage at Microsoft

AD RMS and RSA DLP (Cristian Mora, Sr. Solution Product Manager, Microsoft)

Information Protection: discover, protect, and manage confidential data throughout your business with a comprehensive solution integrated with the computing platform and applications. Learn more at: www.microsoft.com/forefront

More Information
• Documentation: AD RMS TechNet TechCenter; AD RMS TechNet Documentation Roadmap; Exchange 2010 and AD RMS Integration; File Classification Infrastructure Web Site
• Evidence: How MSIT Deploys AD RMS (updated); How MSIT deploys AD RMS and RSA DLP (new); How MSIT deploys FCI and AD RMS Bulk Protection Tool (new)
• Blogs: AD RMS Product Team Blog; Jason Tyler Blog

Related Content
• Breakout Sessions: SIA304 | Thu, Nov 12 | 1700-1815 hrs | Windows Server 2008 R2 Active Directory Rights Management Services Deep Dive
• Interactive Theater Sessions: SIA05-IS | Wed, Nov 11 | 1330-1445 hrs | Secure Messaging using Active Directory Rights Management Services (AD RMS) and Microsoft Exchange Server 2010
• Hands-on Labs
Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.