Abhijat Kanade Senior Program Manager Microsoft Corporation Session Code: SIA304 Agenda Information Leakage Problem AD RMS History What’s New in CY09 With Demos AD RMS Server Role in Windows.

Abhijat Kanade
Senior Program Manager
Microsoft Corporation
Session Code: SIA304
Agenda
Information Leakage Problem
AD RMS History
What’s New in CY09 (with demos)
AD RMS Server Role in Windows Server 2008 R2
Exchange 2010 integration
AD RMS Bulk Protection Tool
RSA DLP 6.5+ integration
Q&A
Business Ready Security
Help securely enable business by managing risk and empowering people
Identity
Highly Secure & Interoperable Platform
from: Block, Cost, Siloed
to: Enable, Value, Seamless
The Information Workplace (diagram): Home, USB Drive, Independent Consultant, Mobile Devices, Partner Organization
Companies face growing risks of data leaks
Information Leakage
Is Costly On Multiple Fronts
Legal, Regulatory, and Financial impacts
Cost of digital leakage per year is measured in $Billions
Increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386
Non-compliance with regulations or loss of data can lead to significant legal fees
Damage to Image and Credibility
Damage to public image and credibility with customers
Financial impact on company
Leaked e-mails or memos can be embarrassing
Loss of Competitive Advantage
Disclosure of strategic plans or M&A information can lead to loss of revenue or market capitalization
Loss of research, analytical data, and other intellectual capital
Data must be protected, but must remain accessible
Location Based Solutions
Protect Initial Access… But Do Not Protect Usage
Diagram: authorized users sit inside a Firewall Perimeter and an Access Control List Perimeter; unauthorized users sit outside. Once an authorized user has a copy of the data, neither perimeter governs what is done with it.
AD RMS Is A Content-Based Solution
Protects the Information Itself – No Matter How It Is Shared And Where It Goes (diagram: the policy travels with every copy of the content)
Active Directory Rights Management Services = Persistent Encryption + Policy
• Access Permissions (Who)
• Use Right Permissions (What)
AD RMS Workflow
Publishing and Consumption
Components in the diagram: AD RMS server, SQL (configuration and logging database), AD DS
1. Assume author and recipient are already bootstrapped with a RAC (Rights Account Certificate, which binds the user to a key pair) and a CLC (Client Licensor Certificate, which lets the user publish without contacting the server)
2. Author creates mail
3. Author protects mail using RAC and CLC; this produces a PL (Publishing License) carrying the policy and the content key encrypted to the cluster
4. Author sends mail to recipient
5. Recipient presents the PL and RAC to AD RMS and gets a UL (Use License); the server evaluates the recipient against the policy before issuing it
6. Recipient can access content with the rights the UL grants
AD RMS History (each consecutive release includes features from the prior release)
Windows Server 2003
Server: Out-of-band installer for RMS Server (v1, v1 SP1, v1 SP2); AD RMS Trust: TUD (Trusted User Domain), WLID (Windows Live ID)
Client: Out-of-band installer for RMS Client (v1, v1 SP1, v1 SP2) on Windows XP and WS2003
Microsoft Solutions: Office 2003 (Outlook, Word, Excel, PowerPoint); Internet Explorer Add-On (RMA)
Windows Server 2008
Server: AD RMS server role (v2); AD RMS Trust: AD FS federation support; Improved installation and mgmt; AD RMS template distribution (Vista SP1 and above); Admin reports; Different admin roles
Client: AD RMS client integrated in Windows Vista and WS2008
Microsoft Solutions: Windows Mobile 6 integration; Office 2007 (+InfoPath); XPS Viewer; SharePoint 2007 (Doc libraries); Exchange 2007 SP1 (Prelicensing)
Windows Server 2008 R2
Server: AD RMS server role (v3); AD RMS Trust: publishing org (internal) group support for federated users; Improved installation and mgmt through PowerShell; Additional admin reports
Client: AD RMS client integrated in Windows 7 and WS2008 R2
Microsoft Solutions: Exchange 2010; AD RMS Bulk Protection Tool; WS2008 R2 FCI integration
Partner Solutions (WS2008 and later): PDF and other file formats & Blackberry support – Gigatrust, Liquid Machines; CAD file format – Dassault Systems; Classification – Titus Labs; Secure Content Mgmt – Workshare; RSA DLP; PDF solution – Foxit; Secure Content Mgmt – OpenText
AD RMS Server Role in WS2008 R2
Customer Ask #1: Deployment and Administration
Consistency: ensure identical deployments; automate common tasks
Flexibility: for managing the server; local and remote access
AD RMS Server Role in WS2008 R2
Deployment and Administration
PowerShell support for deployment and admin
Deployment cmdlets available out of the box
Admin cmdlets available after the AD RMS server role has been deployed
Additional admin reports (system health)
AD RMS Administration
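The deployment-and-administration flow described above, as an added PowerShell example. This is not code from the session or from Microsoft; it is written here to show what a scripted first-node install followed by day-one administration looks like with the Windows Server 2008 R2 ADRMS and ADRMSAdmin modules. It assumes a cluster URL of https://rms.contoso.com and a super users group reachable as adrms-superusers@contoso.com; the provider paths and item property names (RC:\ClusterDatabase, RC:\ClusterKey, RC:\ClusterUrl, RC:\SCP, AdminDrive:\SecurityPolicy\SuperUser, AdminDrive:\RightsPolicyTemplate) are given from memory of the R2 documentation and are assumptions to confirm with Get-ChildItem and Get-ItemProperty on the target build before the script is trusted.

```powershell
# Added example: install the first AD RMS root-cluster node and run day-one
# administration with the WS2008 R2 cmdlets. Provider paths and property names
# are assumptions (see lead-in); verify them with Get-ChildItem RC:\ and
# Get-ChildItem AdminDrive:\ before running.

# --- 1. Deployment: cmdlets are available before the role is installed ---
Import-Module ADRMS
New-PSDrive -PSProvider ADRMSInstall -Name RC -Root RootCluster

# Windows Internal Database is fine for a lab; use a dedicated SQL Server in production
Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true

# Service account: a dedicated, low-privilege domain account, never a domain admin
$svcAccount = Get-Credential -Message 'AD RMS service account (assumed: CONTOSO\svc-adrms)'
Set-ItemProperty -Path RC:\ -Name ServiceAccount -Value $svcAccount

# Cluster key: centrally managed (software) key protected by a password. Every protected
# document in the enterprise chains to this key, so escrow the password offline; a
# CSP/HSM-held key is the stronger option where one is available.
$keyPassword = Read-Host 'Cluster key password' -AsSecureString
Set-ItemProperty -Path RC:\ClusterKey -Name UseCentrallyManaged -Value $true
Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value $keyPassword

# Cluster URL: clients bootstrap their RAC/CLC over this channel, so require SSL
Set-ItemProperty -Path RC:\ClusterWebSite -Name WebSiteName -Value 'Default Web Site'
Set-ItemProperty -Path RC:\ClusterUrl -Name Path -Value 'rms.contoso.com'
Set-ItemProperty -Path RC:\ClusterUrl -Name UseSSL -Value $true
Set-ItemProperty -Path RC:\SLCCertificate -Name FriendlyName -Value 'Contoso AD RMS Root Cluster'

# Register the Service Connection Point so domain clients find the cluster through AD DS
Set-ItemProperty -Path RC:\SCP -Name Register -Value $true

Install-ADRMS -Path RC:\ -Force

# --- 2. Administration: the ADRMSAdmin module appears once the role is installed ---
Import-Module ADRMSAdmin
New-PSDrive -PSProvider ADRMSAdmin -Name AdminDrive -Root https://rms.contoso.com -Scope Global -Force

# Super users can obtain a use license for any content this cluster has licensed; the
# Exchange journal/transport decryption features depend on it. Keep the group limited
# to the service identities that need it and review its membership regularly.
Set-ItemProperty -Path AdminDrive:\SecurityPolicy\SuperUser -Name IsEnabled -Value $true
Set-ItemProperty -Path AdminDrive:\SecurityPolicy\SuperUser -Name SuperUserGroup -Value 'adrms-superusers@contoso.com'

# Rights policy templates: the names Exchange transport rules and FCI tasks refer to
Get-ChildItem AdminDrive:\RightsPolicyTemplate | Format-Table DisplayName, Id -AutoSize

# System health report for the last 24 hours (one of the R2 "additional admin reports")
Get-RmsSystemHealthReport -Path AdminDrive:\ -StartTime (Get-Date).AddDays(-1) -EndTime (Get-Date)
```

The two secrets this script creates, the cluster key password and the super users group, are the ones an attacker would go after: the first lets someone rebuild the cluster elsewhere, the second lets any member decrypt everything the cluster has ever protected. Both belong in the threat model for the rest of this deck.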
AD RMS Server Role in WS2008 R2
Customer Ask #2
Simplify collaboration: enable secure external collaboration; consistent end user experience when working with internal and external users
Control access: publishing organization maintains full control of content; groups defined by publishing organization
AD RMS Server Role in WS2008 R2
Secure External Collaboration
WS2008 introduced federation support via AD FS – but the author still had to individually identify external users when protecting information
WS2008 R2 supports protecting to publishing org (internal) groups that include external users – no need to individually identify external users
External Collaboration via ADFS
Actors in the diagram: Alice (author, Contoso), Bob (recipient, Fabrikam), the projectX group in Contoso AD, Contoso’s AD FS resource federation server (FS-R), Fabrikam’s AD FS account federation server (FS-A), a WebSSO agent in front of the Contoso RMS server
1. Assume author is already bootstrapped (RAC and CLC)
2. Alice sends protected mail to [email protected] (the projectX group), of which Bob at Fabrikam is a member
3. Recipient contacts RMS Server to get bootstrapped
4. WebSSO agent intercepts request
5. RMS Client is redirected to FS-R for home realm discovery
6. RMS Client is redirected to FS-A for authentication
7. RMS Client is redirected back to FS-R for authentication
8. RMS Client makes request to RMS Server for bootstrapping
9. RMS Server returns certificates (RAC, CLC) to recipient
10. RMS Client makes request to RMS Server for use license
11. RMS Server retrieves Bob’s group membership from Contoso AD and compares to PL
12. RMS Server returns use license (UL) to recipient
13. Recipient accesses protected content
The authorization decision in step 11 is made against the publishing organization’s directory: Fabrikam’s AD FS only authenticates Bob, and Contoso decides what he can open by controlling projectX membership.
Exchange 2010 RMS Integration
Themes
Streamline end-user experience
Enable automatic protection
Integrate seamlessly with IT infrastructure
Exchange 2010 RMS Integration
Customer Ask #1
Seamless protection: ensure identical end user experience for unprotected and RMS-protected e-mails
OWA support: view and reply to RMS-protected e-mails in OWA without an additional add-on
Exchange 2010 RMS Integration
Streamline End-user Experience
Prelicensing support enables offline and mobile access to RMS-protected e-mails – introduced in Exchange 2007 SP1
Consume and publish RMS-protected e-mails in OWA – Internet Explorer, Firefox, Safari
Conduct full-text search on RMS-protected e-mails in OWA
RMS-Protected E-mails in OWA
Exchange 2010 RMS Integration
Streamline End-user Experience: RMS Integration In OWA: Details
Client Access Server (CAS) uses superuser privileges to decrypt the message on the user’s behalf
Prelicensed use license (UL) used to determine the rights to enforce
Rights enforcement in the browser is weaker than in the Office client (the content has already been decrypted server-side), so the feature is enabled only for a specific set of users at the OWA mailbox policy level
Exchange 2010 RMS Integration
Customer Ask #2
Enable automatic protection: based on content and context analysis
Exchange 2010 RMS Integration
Automatic Protection
Automatically protect e-mails in transit via Exchange transport rules
Automatically protect e-mails in Outlook 2010 (through an add-in)
Automatically protect private voicemails through Exchange Unified Messaging (UM)
Exchange 2010 RMS Integration
Automatic Protection: Through Transport Rules
Transport Rule action to apply an AD RMS template to an e-mail message
Based on content and context analysis
• Content analysis: keywords and RegEx scanning of e-mails and attachments
• Context examples: From, To
Exchange Transport Rules Based
Automatic RMS-Protection
Exchange 2010 RMS Integration
Automatic Protection: Through Transport Rules: Details
Rules agent stamps an x-org header in the e-mail with the RMS template GUID
Encryption agent applies the RMS template to the e-mail and attachments on the onRouted transport agent event
Office 2003 and above file formats (Word, Excel, PowerPoint) and XPS attachments also get automatically protected
Extensible to other file formats through the IRM Protector implementation
Exchange 2010 RMS Integration
Automatic Protection: Through Outlook Protection Rules
Outlook 2010 add-in (small-scale rules engine)
Mitigates concerns about the Exchange admin or host accessing sensitive mail: the message is protected in the client before it reaches the server
Rules
Context only: sender’s department, recipient’s identity, recipient’s scope (internal/external)
Retrieved by the add-in from the CAS through the Exchange Web Services (EWS) API
Ability to allow/disallow the user to override automatic protection
Outlook 2010 Add-In Protection Rules
Exchange 2010 RMS Integration
Automatic Protection: Through Unified Messaging
UM admin can allow incoming voicemails to be marked as “private”
Private voicemails can be protected using the “Do Not Forward” RMS template, preventing forwarding and copying of voicemail content
Private voicemails supported in OWA and Outlook 2010
Uses the Encryption/Decryption XSO API to RMS-protect
Exchange Unified Messaging Protected Voicemails
• RMS-protected based on the sender marking the voicemail as ‘private’ or through administrative policy
Exchange 2010 RMS Integration
Customer Ask #3
Enable e-discovery: support in-the-clear archival of RMS-protected e-mails
Allow scanning of protected e-mails: ability to scan RMS-protected e-mails in transport; ability to modify RMS-protected e-mails in transport
Exchange 2010 RMS Integration
Seamless IT Infrastructure Integration
Enables e-discovery via journal decryption
Enables anti-malware and other scenarios (such as adding a disclaimer) at hub transport via transport decryption and re-encryption
Exchange 2010 RMS Integration
Seamless IT Infrastructure Integration: Journal Decryption
Journal Report Decryption Agent
• Attaches clear-text copies of RMS-protected e-mails and attachments to the journal report in the journal mailbox
• Requires superuser privileges
• Feature is off by default
Exchange Journal Decryption
Exchange 2010 RMS Integration
Seamless IT Infrastructure Integration: Transport Pipeline Decryption
Enables Hub Transport Agents to scan/modify RMS-protected e-mails
Pipeline Decryption Agent
Uses superuser privileges to decrypt e-mails
Decrypts e-mail and attachments
Encryption Agent re-encrypts messages
Option to NDR messages that cannot be decrypted
All AD RMS integration agents are implemented as internal agents
Exchange Transport Decryption and Re-Encryption
Exchange 2010 RMS Integration
Streamline end-user experience
• Consume and publish RMS-protected e-mails in OWA
• Search RMS-protected e-mails in OWA
Enable automatic protection
• Through Transport rules
• Through Outlook protection rules
• Through Unified messaging (voicemails)
Integrate seamlessly with IT infrastructure
• In-the-clear archival of RMS-protected e-mails
• Ability to scan and modify RMS-protected e-mails in transport
Exchange RMS integration features require AD RMS Server Role in WS2008 R2 or WS2008 SP2 + KB973247 hotfix
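The three Exchange 2010 integration themes summarized above, as an added PowerShell example run from the Exchange Management Shell. This is not code from the session or from Microsoft; it is written here to show which configuration object each theme maps to and where the super-user decryption features widen the blast radius. The rule names, the “Do Not Forward” template, the “Legal” department, the finance-all@contoso.com group, the OWA and UM policy names and alice@contoso.com are assumptions for illustration; the cmdlets and parameters are the Exchange 2010 ones.

```powershell
# Added example (not from the session): wire Exchange 2010 to AD RMS for the three
# themes above. Names, addresses and policy identities are assumptions for illustration.
# Prerequisite on the AD RMS side: the Exchange federated delivery mailbox must be a
# member of the AD RMS super users group, or OWA, journal and transport decryption fail.

# --- 0. Enable internal licensing and verify the plumbing before enabling anything else
Set-IRMConfiguration -InternalLicensingEnabled $true
Test-IRMConfiguration -Sender alice@contoso.com          # RAC/CLC acquisition, template fetch, decrypt test
Get-RMSTemplate | Format-Table Name, Description -AutoSize # templates the rules below reference by name

# --- Theme 1: streamlined end-user experience
# The CAS decrypts with super-user rights and the browser enforces less than Office does,
# so scope IRM-in-OWA to a dedicated mailbox policy rather than enabling it for everyone.
New-OwaMailboxPolicy -Name 'IRM-OWA-Users'
Set-OwaMailboxPolicy -Identity 'IRM-OWA-Users' -IRMEnabled $true
Set-CASMailbox -Identity alice@contoso.com -OwaMailboxPolicy 'IRM-OWA-Users'
# Full-text search of protected mail: Exchange indexes the decrypted content, so the
# content index is now as sensitive as the mailboxes it covers.
Set-IRMConfiguration -SearchEnabled $true

# --- Theme 2: automatic protection
# (a) Transport rule, content analysis: RegEx over subject and body (US SSN pattern)
New-TransportRule -Name 'Protect SSNs in transit' `
    -SubjectOrBodyMatchesPatterns '\b\d{3}-\d{2}-\d{4}\b' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'
# (b) Transport rule, context analysis: Finance mail that leaves the organization
New-TransportRule -Name 'Protect Finance mail leaving the org' `
    -FromMemberOf 'finance-all@contoso.com' -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate 'Do Not Forward'
# (c) Outlook protection rule: context only, applied in Outlook 2010 before the message
#     reaches a hub transport server, which is what keeps the Exchange admin out of the loop
New-OutlookProtectionRule -Name 'Legal department mail' `
    -FromDepartment 'Legal' -ApplyRightsProtectionTemplate 'Do Not Forward' -UserCanOverride $false
# (d) Unified Messaging: protect voicemails the caller marks private (Private) or every voicemail (All)
Set-UMMailboxPolicy -Identity 'Default Policy' `
    -ProtectAuthenticatedVoiceMail Private -ProtectUnauthenticatedVoiceMail Private `
    -RequireProtectedPlayOnPhone $true

# --- Theme 3: IT infrastructure integration (both are off by default for a reason)
# Journal report decryption attaches clear-text copies to the journal report, so the journal
# mailbox becomes a plaintext archive of everything RMS protected. Restrict and audit it.
Set-IRMConfiguration -JournalReportDecryptionEnabled $true
# Transport decryption lets hub agents (anti-malware, disclaimers) see the body. Mandatory
# NDRs anything the hub cannot decrypt instead of letting unscanned mail through.
Set-IRMConfiguration -TransportDecryptionSetting Mandatory

# Review the resulting state
Get-IRMConfiguration | Format-List InternalLicensingEnabled, SearchEnabled, `
    JournalReportDecryptionEnabled, TransportDecryptionSetting
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } | Format-Table Name, ApplyRightsProtectionTemplate
```

Note the trade-off the Outlook protection rule makes against the transport rule: the transport rule sees the content (and can match on it) only because the hub transport already has a clear copy, whereas the Outlook rule protects before the server is involved and is therefore limited to context such as department and recipient scope.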
AD RMS Bulk Protection Tool
Customer Ask
Bulk decryption tool: recover RMS-protected documents; help in e-discovery efforts
AD RMS Bulk Protection Tool
Details
Command line tool
Bulk decryption: e-discovery of content for litigation/audit purposes
Bulk encryption: safeguard existing sensitive information
Can be integrated with WS2008 R2 File Classification Infrastructure (FCI) to classify and automatically RMS-protect files on the file server
AD RMS Bulk Protection Tool
Details
Supported file formats: Office 2003 and above (Word, Excel, PowerPoint), XPS; extensible to other file formats via an IRM protector implementation
Bulk decryption also available for items within Outlook PSTs (requires Outlook 2007)
Supported on XP/WS2003 and above
Requires RMS Client v1 SP2 and .NET Framework 2.0 on XP and WS2003
AD RMS Bulk Protection Tool
With WS2008 R2 FCI
1. User creates a file “marketing.docx” on a Windows Server 2008 R2 file server
2. File Classification Infrastructure (FCI) classifies the file as sensitive based on content analysis (keyword/RegEx) and/or folder location (e.g., Business Impact = High)
3. An Automated File Management Task invokes the AD RMS Bulk Protection Tool to automatically RMS-protect the file (restrict access to Full-Time Employees only)
4. A Full Time Employee can access “marketing.docx”
5. A malicious user getting access to the file through an unintentional leak is not able to access the file content
AD RMS Bulk Protection Tool
with WS2008 R2 FCI
Partner Solution: RSA DLP
Automatic Protection For Datacenters and Endpoints
Integrated solution to discover and automatically RMS-protect sensitive data on endpoints and in the datacenter
Requirements
RSA DLP 6.5 and above (RSA DLP Datacenter and RSA DLP Endpoint Discover products)
AD RMS Server Role in WS2008 and above
Partner Solution: RSA DLP
How The Integration Works
1. AD RMS admin creates AD RMS templates for data protection, e.g. an “Intellectual Property (IP)” template: R&D department – View, Edit, Print; Marketing department – View; Others – No Access
2. RSA DLP admin selects/creates policies to find sensitive data and protect it using AD RMS, e.g. an “IP Policy”: find ‘IP’ documents, apply the ‘IP’ AD RMS template
3. RSA DLP discovers and classifies sensitive files on endpoints (laptops/desktops), file shares, SharePoint and other repositories, and applies AD RMS protection based on policy
4. Users request files; AD RMS provides identity-based access
More Information
AD RMS TechNet TechCenter [Link] and Documentation Roadmap [Link]
Exchange 2010 and AD RMS Integration [Link]
AD RMS Bulk Protection Tool Download [Link]
WS2008 R2 FCI Website [Link]
RSA DLP Website [Link]
MSIT Deployment
AD RMS Deployment [Link]
FCI and AD RMS Bulk Protection Tool Deployment [Link]
RSA DLP and AD RMS Deployment [Link]
Blogs
AD RMS Product Team Blog [Link]
Jason Tyler Blog [Link]
(Jason is a Senior Support Escalation Engineer for AD RMS)
Resources
www.microsoft.com/teched
www.microsoft.com/learning
Sessions On-Demand & Community
Microsoft Certification & Training Resources
http://microsoft.com/technet
http://microsoft.com/msdn
Resources for IT Professionals
Resources for Developers
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.