Module 2: Managing Data Protection
Enterprise Device Infrastructure Camp
Dan Stolts, Chief Technology Strategist, Microsoft
[email protected] Twitter: @ITProGuru

Where data needs protecting: Data at Rest, Data in Use, Data in Motion
Technologies covered in this module:
• AppLocker
• BitLocker
• User Profiles
• AD FS
• Work Folders
• Rights Management Services
• Active Directory
• Dynamic Access Control
• Web Application Proxy
• Encrypting File System
• Microsoft Azure AD
• Exchange DLP
• Microsoft Azure RMS
• Windows Server FCI
• IPv6
• SSL
• BitLocker To Go
• Microsoft Azure MFA
• Remote Business Data Removal
Success Is…
• Users can work from anywhere on their device with access to their corporate resources.
• Users can enroll devices for access to the Company Portal for easy access to corporate applications.
• IT can publish Desktop Virtualization (VDI) for access to centralized resources.
• IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity.
• Users can register devices for single sign-on and access to corporate data with Workplace Join.
• IT can provide seamless corporate access with DirectAccess and automatic VPN connections.
BitLocker enhancements
Full Disk Encryption Going Mainstream
• Changing landscape
  • Traditionally only on business editions of Windows
  • Critical for business; increasing demand from consumers
  • BYOD putting consumer devices in business scenarios
  • Being used to protect the system itself, not just the data
• Challenges in making it pervasive
  • TPM will soon become standard equipment, but is not there yet
  • Performance on low-end devices not sufficient
• Microsoft's direction
  • Device Encryption now available on all editions of Windows
  • Requires InstantGo (Connected Standby) certified devices
Device Encryption vs. BitLocker
Device Encryption
• Encryption of the OS volume is automatic and configured out of the box
• Protection is enabled once an administrator uses a Microsoft Account to sign in
• If unmanaged, the Recovery Key Password is stored in SkyDrive
• Can quickly be configured to use BitLocker features (Pro and Enterprise only)
BitLocker and BitLocker To Go – Windows Pro and Enterprise
• Enables encryption of fixed disks (BitLocker) and removable disks (BitLocker To Go)
• Protection is enabled through imaging, management solutions (e.g. MBAM), or the end user
• Recovery Keys can be stored in AD or management solutions (e.g. MBAM)
• FIPS support
Unified Extensible Firmware Interface
• A modern replacement for traditional BIOS
• A Windows Certification Requirement (UEFI 2.3.1)
• Architecture-independent solution
• Initializes the device and enables operation (e.g. mouse, apps)
• Secure Boot – supported by Windows 8, Linux, …
• Eliminates the bootkit threat by securing the boot process
• Encrypted Drive support for Windows
• Network Unlock support for BitLocker
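The BitLocker and UEFI slides above describe the pieces (TPM, Secure Boot, a recovery key escrowed in AD) without showing how an administrator actually wires them together. The following PowerShell is an added example, not code from the deck or from Microsoft; it checks the TPM and Secure Boot prerequisites, enables BitLocker on the OS volume with a TPM protector, adds a numeric recovery password and backs it up to Active Directory. It assumes Windows 8.1 / Server 2012 R2 or later with the BitLocker PowerShell module, a domain-joined machine, and the "Store BitLocker recovery information in Active Directory Domain Services" policy already enabled; the drive letter is taken from the environment.

```powershell
# Added example (not from the slide deck): enable BitLocker with a TPM protector and escrow
# the recovery password in AD DS. Assumes a domain-joined Windows 8.1+/2012 R2+ machine with the
# AD DS recovery-information policy enabled; run from an elevated session.
#Requires -RunAsAdministrator

$osDrive = $env:SystemDrive   # e.g. "C:"

# 1. Pre-flight checks: TPM present and ready, and Secure Boot state from UEFI.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw "TPM is not present or not ready; a TPM protector cannot be used on this device."
}
try {
    $secureBoot = Confirm-SecureBootUEFI   # throws on legacy BIOS systems
} catch {
    $secureBoot = $false
}
Write-Host "Secure Boot enabled: $secureBoot"

# 2. Encrypt the OS volume with a TPM protector. Used-space-only keeps initial encryption short
#    on a freshly imaged machine; SkipHardwareTest avoids the extra reboot of the hardware test.
$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.ProtectionStatus -eq 'Off' -and $vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $osDrive -TpmProtector -EncryptionMethod Aes256 `
        -UsedSpaceOnly -SkipHardwareTest | Out-Null
}

# 3. Add a 48-digit recovery password (if none exists) and back it up to Active Directory,
#    which is the "Recovery Keys can be stored in AD" path from the slide.
$vol = Get-BitLockerVolume -MountPoint $osDrive
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $osDrive
}
foreach ($rp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp.KeyProtectorId | Out-Null
}

# 4. Report the resulting state so the operator can confirm protection is on.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
```

Backup-BitLockerKeyProtector only escrows the recovery password; it does not change which protectors unlock the drive. If the AD DS policy is not enabled the cmdlet fails, which is the desired behaviour: a drive should not end up encrypted with a recovery password that exists only on the device.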
Trusted and Measured Boot
Trusted Boot
• End-to-end boot process protection (bootloader to Windows sign-in)
• ELAM-compliant antimalware driver is protected and is the first third-party code to start
• Automatic remediation/self-healing if compromised
Measured Boot and Remote Attestation
• Creates a comprehensive set of measurements based on Trusted Boot execution
• Can offer measurements to a Remote Attestation Service for analysis
Introducing Remote Business Data Removal (RBDR)
• RBDR is a platform feature that:
  • enables services to request that corporate data be secured
  • lets the server request that the client use EFS to protect data sent from the server to the client
  • offers more control to organizations that are unable to invest in full DLP
  • offers a platform capability that can simplify DLP solution implementations
• How it works
  • The server app implements an API that can be used to set software policy
  • Client apps implement the API; the client receives the policy and protects the data (EFS)
  • EAS and OMA-DM can be used to trigger the RBDR revoke-access command
  • The revoke command destroys the encryption key, making the data inaccessible
  • A client app may be implemented to delete the data as well
RBDR in 8.1 and Beyond
• Ship the following end-to-end scenarios:
  • Wipe Mail app data via EAS
  • Wipe Mail attachments saved locally via EAS or OMA-DM
  • Wipe Work Folders data via EAS or OMA-DM
• Secure adoption commitments with MSFT apps
• Drive adoption with 3rd-party apps and DLP products
Remote Business Data Removal requires that apps and management systems take advantage of the RBDR API.
• Server components (e.g. Exchange) use the EAS or OMA-DM protocol to communicate policy to the client, indicating that the data they send to the client must be encrypted via RBDR. Once the client acknowledges RBDR capability, data transfer can begin.
• Applications (e.g. Mail) use the RBDR API to encrypt the data as it is received from the server.
• Management systems (e.g. Intune/AirWatch) use EAS or OMA-DM to provision a wipe command to the client when needed.
Work Folders
Simple access to corporate data
• Enable offline access to files and folders stored on a Windows Server 2012 R2 file server
• Simple Group Policy configuration for domain-joined computers, with easy discoverability for BYOD systems as well
• Leverages Web protocols (HTTP) for easy synchronization through firewalls
• A complement to OneDrive and OneDrive Pro
• IT can selectively wipe the corporate data from Windows 8.1 clients
Devices
• Users can sync their work data to their devices.
• Users can register their devices to be able to sync data when IT enforces conditional access.
• IT can configure a file server to provide Work Folders sync shares for each user to store data that syncs to their devices, including integration with rights management.
• Active Directory discoverability provides users with the Work Folders location.
Apps and data
• IT can publish access directly through a reverse proxy, or conditional access can be enforced via device registration through the Web Application Proxy.
Windows 7 support: http://support.microsoft.com/kb/2891638
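The Work Folders slides say IT configures a sync share per user and can later selectively wipe the corporate data; the wipe only works if the share required the client to encrypt what it synced. The PowerShell below is an added example, not code from the deck or from Microsoft, that stands up such a share on a Windows Server 2012 R2 file server with encryption and password auto-lock enforced, then verifies the settings. The share name, path and the AD group CONTOSO\WorkFoldersUsers are placeholder values; the script assumes the path and group already exist and that it runs elevated on the file server.

```powershell
# Added example (not from the slide deck): create a Work Folders sync share that requires
# client-side encryption and a lock-screen password. Placeholder names; run elevated on the
# Windows Server 2012 R2 file server that will host the share.
#Requires -RunAsAdministrator

$shareName = 'WorkFolders'               # placeholder
$sharePath = 'D:\WorkFolders'            # placeholder; must already exist
$userGroup = 'CONTOSO\WorkFoldersUsers'  # placeholder AD group allowed to sync

# 1. Install the Work Folders role service (FS-SyncShareService) if it is missing.
if (-not (Get-WindowsFeature -Name FS-SyncShareService).Installed) {
    Install-WindowsFeature -Name FS-SyncShareService | Out-Null
}

# 2. Create the sync share. RequireEncryption makes the client encrypt the synced files with the
#    enterprise (EFS) key, which is what a later selective wipe revokes; RequirePasswordAutoLock
#    requires a lock-screen password and auto-lock on the device before it may sync.
if (-not (Get-SyncShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SyncShare -Name $shareName -Path $sharePath -User $userGroup `
        -RequireEncryption $true -RequirePasswordAutoLock $true | Out-Null
}

# 3. Verify the protection settings actually took effect; fail loudly if they did not, so an
#    unprotected share is never silently left in service.
$share = Get-SyncShare -Name $shareName
if (-not $share.RequireEncryption -or -not $share.RequirePasswordAutoLock) {
    throw "Sync share '$shareName' is not enforcing encryption and password auto-lock."
}
$share | Format-List Name, Path, User, RequireEncryption, RequirePasswordAutoLock
```

Clients still need the server's sync URL, either from the "Specify Work Folders settings" Group Policy on domain-joined machines or from Active Directory discoverability for BYOD devices, and the HTTPS endpoint should sit behind a valid certificate (or the Web Application Proxy, as the slide notes) before any BYOD device is pointed at it.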
Lab
Work Folders in Windows 8.1
Users with even the best intentions will use devices and break policy to get their jobs done. Controlling which peripherals can and can't be used on their devices may be required to protect organizations and their data.
Device Installation Restriction policies can put IT back in control of which peripherals can and cannot be used, using policy-based white and black lists.
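The slide names the Device Installation Restriction policies but not what a whitelist built from them looks like. The PowerShell below is an added example, not code from the deck or from Microsoft: it collects the hardware IDs of the peripherals currently present, writes them as the allow list the "Allow installation of devices that match any of these device IDs" policy uses, and then turns on "Prevent installation of devices not described by other policy settings" so anything else is blocked. It writes the local-policy registry values directly (a domain GPO for the same settings would overwrite them) and assumes Windows 8 or later for the PnpDevice module and an elevated session; review the generated list before applying it outside a test machine.

```powershell
# Added example (not from the slide deck): build a Device Installation Restriction allow list
# from the devices currently present, then block installation of anything not on it.
# Writes the local equivalents of the Group Policy settings under
# Computer Configuration > Administrative Templates > System > Device Installation >
# Device Installation Restrictions. Assumes Windows 8+ and an elevated session.
#Requires -RunAsAdministrator

$base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$allow = Join-Path $base 'AllowDeviceIDs'

# 1. Collect the hardware IDs of every device that is present right now. Each device may report
#    several IDs (most specific first); all of them are kept so the device keeps matching.
$hardwareIds = Get-PnpDevice -PresentOnly |
    ForEach-Object {
        (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
    } |
    Where-Object { $_ } |
    Sort-Object -Unique

if ($hardwareIds.Count -eq 0) {
    throw "No hardware IDs collected; refusing to enable DenyUnspecified with an empty allow list."
}

# 2. Rewrite the allow list. The policy expects string values named 1..N under AllowDeviceIDs.
New-Item -Path $base -Force | Out-Null
Remove-Item -Path $allow -Recurse -Force -ErrorAction SilentlyContinue
New-Item -Path $allow -Force | Out-Null
$i = 1
foreach ($id in $hardwareIds) {
    New-ItemProperty -Path $allow -Name $i -Value $id -PropertyType String -Force | Out-Null
    $i++
}

# 3. Deny everything not described by an allow rule, but let administrators override so a
#    forgotten device does not lock IT out (AllowAdminInstall).
Set-ItemProperty -Path $base -Name 'DenyUnspecified'   -Value 1 -Type DWord
Set-ItemProperty -Path $base -Name 'AllowAdminInstall' -Value 1 -Type DWord

"Allow-listed $($hardwareIds.Count) hardware IDs; installation of unlisted devices is now blocked."
```

By default these policies affect new installations only; devices already installed keep working unless the "also apply to matching devices that are already installed" option of the corresponding policy is set. A blacklist is the mirror image: values under DenyDeviceIDs (or DenyDeviceClasses for whole setup classes such as removable storage) with DenyUnspecified left off.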
Unify your environment
Comprehensive application and device management
Single admin console
Mobile Data Protection – Managed Productivity
(Diagram: user device with LoB, Protected Browser, Native E-mail and LoB apps)
Layer 1 – Mobile device lockdown via MDM
Protects corporate data by…
• Restricting device behaviors: PIN, encryption, wipe, disabling screen capture and cloud backup, tracking compliance, etc.
• Provisioning credentials that enable corporate resource access control
Gaps it leaves open
• Apps may share corporate data with other apps outside IT control
• Apps may save corporate data to consumer cloud services
Mobile Data Protection – Managed Productivity
Layer 2 – Application and data containers (aka "managed mobile productivity")
Protects corporate data by…
• Preventing apps from sharing data with other apps outside of IT control
• Preventing apps from saving data to stores outside of IT control
• Encrypting app data to supplement device encryption
Gaps it leaves open
• Only protects corporate data that resides on devices; cannot protect data beyond a device
• Applies the same protection to all data that an app touches; does not allow for specific protection per document
Mobile Data Protection – Managed Productivity
Layer 3 – Data wrapping
Protects corporate data by…
• Protecting data wherever it resides
• Providing granular, content-specific protection – e.g. time-bombed vision docs
Gaps it leaves open
• Requires enlightened applications
• Requires all data to be protected if not complemented by Layers 1 and 2
Mobile Data Protection – Managed Productivity
1. Susan tries to set up her new unmanaged tablet to connect to Exchange and is blocked.
2. She enrolls the tablet into Microsoft Intune and is then granted access to Exchange.
3. Susan tries to save an attachment to OneDrive, and is blocked since OneDrive is not managed by IT.
4. She saves the attachment to OneDrive for Business, which is allowed since it is managed by IT.
5. She then tries to copy/paste content to a PowerPoint slide, and is successful.
6. Susan tries to copy text from her attachment and paste it into another, unmanaged app.
7. Susan later leaves the company, and a selective wipe is done on her tablet, removing corporate apps and data and leaving her personal content on the device.
Protect data with rights management
• Take advantage of hybrid options across Windows Server and the Azure Rights Management service
• Integrate Microsoft SharePoint and Microsoft Exchange Server
• Automatically identify and classify data based on content, with automatic encryption
• More securely share documents with colleagues and business partners
• Improve ease of use through integration with Office 2010/13, Windows Shell extensions, and cross-platform clients
Connectors and Connections
• RMS SDKs (apps coming) on popular mobile platforms including Windows, iOS, Android, Windows Phone and Mac OS
• Azure RMS provides the Rights Management capabilities for Office 365, providing easy enablement and enforcement of information protection policies
• Connect to Windows Server File Services for FCI and DAC integration
• Leverage a common identity across Active Directory and Azure Active Directory
• Connect to on-premises Exchange and SharePoint for the simplest way to get Rights Management running in your organization
• Automatically identify and classify data based on content. Classification applies as files are created or modified.
• File classification, access policies and automated Rights Management work against client-distributed data through Work Folders.
• Centrally manage access control and audit policies from Windows Server Active Directory.
• Integration with Active Directory Rights Management Services provides automated encryption of documents.
• Central access and audit policies can be applied across multiple file servers, with near real-time classification and processing of new and modified documents.
Example Workload: Single sign-on to 2000+ SaaS Apps
• Directory Sync: when an Active Directory user logs on, their synchronized credentials are used to authenticate against Azure Active Directory.
• Cloud Identity: a user with a cloud-only identity can sign in to the SaaS app using their Azure Active Directory credentials.
• Federated Identity: when an Active Directory user logs on, the authentication is passed back to and validated against Windows Server Active Directory.
For the most up-to-date content of the application gallery see:
http://www.windowsazure.com/en-us/gallery/active-directory
Putting it all together
(Diagram: BYO, Cloud or Partner)
Next steps
Download evaluation software
Download free Microsoft software trials today at the TechNet Evaluation Center.
http://aka.ms/CampEval
Learn more
Boost your technical skills with free expert-led technical training on Windows 8 from Microsoft Virtual Academy.
http://aka.ms/CampMVAWin
Get certified
Get hired, get recognized, and get ahead with the MCSA Windows 8 certifications from Microsoft.
http://aka.ms/CampCertWin
Evaluate online
Test Microsoft’s newest products and technologies in a virtual environment for free at the Microsoft Virtual Labs.
http://aka.ms/CampVlabs