
1 We have to Share Data - Now What?

2 The move from need to know to need to share
- Within Organizations
- Across Organizations
- Across Civilian and Military
- 5I's
- Across Govt. and Commercial

3 Interest – the wrong type
- Florida Dept. of Labor: 4,624 files
- Bureau of the Census: 1,138 laptops
- City of Savannah, Georgia: 8,800 files
- USDA data breach: 26,000 files
- US Navy data breach: 28,00 files
- TJX sued for loss of consumer data
- U.S. Department of Veterans Affairs: 25.5 million veterans and military personnel
- Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP

4 Risk Management

5 Technology Framework for Data Governance
- Secure Infrastructure: protection against malware, unauthorized access and evolving threats
- Identity & Access Control: managed identities and protected personal information from unauthorized access
- Data Encryption: protected sensitive data from prying eyes (BitLocker Drive Encryption, Encrypting File System)
- Document Management: protected document security throughout its lifecycle (Windows Server Rights Management Services (RMS), Office Information Management Services (IRM))
- Auditing & Reporting: monitoring systems and measuring compliance

6 Government and Industry Compliance
- Many governmental compliance rules (HIPAA, Sarbanes-Oxley, FDA 21 CFR 11, etc.) require that measures are put into place to safeguard digital information
- Expiration of content is required for many other industry and governmental regulations

7 Today's Policy Expression
- Today, most communication policies only exist on paper
- It's easy to unintentionally forward e-mails and documents
- It's easy to intentionally share/sell plans with competitors, the press, or the Internet

8 Boundary-Based Technologies


10 Today's Information Protection (diagram): a perimeter plus an Access Control List giving a yes/no answer

11 Windows RMS provides organizations with the tools they need to safeguard confidential and sensitive data
- Information Protection: data protected at rest and during collaboration
- Policy Enforcement: specify not only who has initial access to information but also what they can do with it
- Out-of-box scenarios: integrated with SharePoint, Office, XPS, Exchange, Windows Mobile
- Customizable Solution: RMS SDK, partner ecosystem

12 RMS Gives Authors Control
Document authors can define who can do the following:
- View document
- Edit document
- Print document
- Copy/Paste

13 How RMS Works
1. On first use, authors receive a client licensor certificate from the RMS server
2. Author creates content and assigns rights
3. File is distributed to recipient(s)
4. Recipient opens the file, and their RMS client contacts the server for user validation and to obtain a license
5. Application opens the file and enforces the restrictions

14 Windows RMS Usage Scenarios
- Protect Sensitive Files
  - Control access to sensitive plans
  - Set level of access: view, change, print, etc.
  - Determine length of access
- Do-Not-Forward Email (Keep Internal Information Internal)
  - Keep executive e-mail off the Internet
  - Reduce internal forwarding of confidential information
  - Templates to centrally manage policies
- Safeguard Intranet Content
  - Safeguard financial, legal, HR content
  - Set level of access: view, print, export
  - View Office 2003 rights-protected info

15 RMS Will NOT …
- …provide unbreakable, hacker-proof security
- …protect against analog attacks

16 Comparing S/MIME and RMS: When Should I Use Which Technology?
Comparing implementation of S/MIME signing, S/MIME encryption, and IRM.

| Feature | S/MIME Signing | S/MIME Encryption | IRM |
|---|---|---|---|
| Authenticates the sender | Yes | No | No |
| Authenticates the recipient | No | Yes | Yes |
| Uses two-factor authentication * | Yes | Yes | No |
| Can encrypt content | No | Yes | Yes |
| Prevents content tampering | Yes | Yes | Yes |
| Offers content expiration | No | No | Yes |
| Controls content viewing, forwarding, saving, modifying, or printing by recipient | No | No | Yes |
| Differentiates permissions by recipient | No | No | Yes |

17 IRM and SharePoint
- With IRM turned on in SharePoint Central Admin, define policies for specific document libraries, such as 'Project X, Confidential', 'Restricted', FOUO, etc.
- Define when policies expire, whether users can print, how often credentials must be validated, etc.
- Automates and forces the RMS encryption of the files in the specific document library
- Users can still create their own policies and upload encrypted documents to other document libraries


19 DoD 5015.2 certification
- Certified May 24, 2007. It is now listed on the JITC product register
- Applies to: Microsoft Office SharePoint Server 2007

20 Titus Labs Suite
- Message Classification: Microsoft Outlook, OWA and Windows Mobile to force the classification of e-mails
- Document Classification: Microsoft Office to force the classification of Office documents (Word, PowerPoint & Excel)

21 Classification diagram: User A sends to User B through a 3rd-party gateway; classifications (Internal Use, Confidential, Restricted, Public) are carried visually (labels) and non-visually (metadata in an x-header), and the gateway applies handling such as encryption. Caption: enforcing policy… proper handling… prevent disclosure…

22 RMS at Microsoft: Example of RMS Templates
Corporate RMS templates are available from the Permission menu of Outlook, Word, PowerPoint, and Excel:
- Microsoft Confidential: only Microsoft employees can access the message. Allows View, Reply, Reply All, Save, Edit, and Forward
- Microsoft Confidential Read Only: only Microsoft employees can access the message. Allows View, Reply, Reply All
- Microsoft FTE Confidential: only Microsoft full-time employees can access the message. Allows View, Reply, Reply All, Save, Edit, and Forward
- Microsoft FTE Confidential Read Only: only Microsoft full-time employees can access the message. Allows View, Reply, and Reply All

23 Windows RMS Solution Components
- Server
  - Windows Rights Management Services (RMS)
  - A Windows Server 2003 information protection service
- Desktop
  - Updates to Windows client
  - Rights Management APIs for Windows 98SE+
  - "Rights Management Add-on for Internet Explorer"
  - RMS-enabled applications: any application which has utilized the RMS SDK
  - Office 2003 is the first enterprise app to implement RMS
- Software Development Kit
  - For both client-based and server-based development

24 Sharing Options for Outsiders

25 Method 1: RMS Trust (diagram: DoD and MOD, each with its own AD and RMS; Jason is the DoD user)
- Trusted User Domains – allows one RMS instance to trust another
- Content authored by users is protected to their domain's RMS server
- Works best: both orgs have RMS
- Attributes: RMS Trust
  - Authenticates to: DoD AD
  - Authentication type: Windows Auth
  - RMS certificate issued by: DoD RMS
  - RMS license issued by: MOD RMS

26 Method 2: Create Temp Accounts (diagram: MOD with AD and RMS; Jason is the external user)
- Jason authenticates to MOD RMS using Windows credentials
- Works best: strong IT staff (and processes) and a small number of external users
- Attributes: Temp Accounts in AD
  - Authenticates to: MOD AD
  - Authentication type: Windows Auth
  - RMS certificate issued by: MOD RMS
  - RMS license issued by: MOD RMS

27 Method 3: AD in the DMZ (diagram: MOD internal AD and RMS, extranet AD and RMS joined by an RMS–RMS trust; Jason is the external user)
- Jason authenticates to the extranet RMS
- RMS–RMS trust between the internal and extranet RMS
- Works best: keep internal and external users separate
- Attributes: Extranet AD
  - Authenticates to: MOD Extranet AD
  - Authentication type: Windows Auth
  - RMS certificate issued by: MOD RMS
  - RMS license issued by: MOD RMS

28 Federated access between MOD and DoD (diagram: MOD and DoD, each with AD and RMS; federation servers FS-A and FS-R; WebSSO agent; certificates RAC/CLC, UL, PL; Debra in MOD, Jason in DoD)
1. Assume Debra is already bootstrapped
2. Debra sends protected mail to Jason in DoD
3. Jason's machine contacts the RMS server to get bootstrapped
4. Federation agent intercepts the request
5. RMS client is redirected to FS-R for home realm discovery
6. RMS client is redirected to FS-A for authentication
7. RMS client is redirected back to FS-R for authentication
8. RMS client makes the request to the RMS server for bootstrapping
9. WebSSO agent intercepts the request, checks authentication, and sends the request to the RMS server
10. RMS server returns bootstrapping certificates to Jason
11. RMS server returns a use license to Jason
12. Jason accesses the protected content


30 Resource End (Adatum)
- RMS and all its dependencies
- AD Federation server (running on Win2k3 R2 or LH Server)
- SSL enabled on new RMS vroots and federation server
Account End (Contoso)
- AD Federation server (running on Win2k3 R2 or LH Server)
- SSL enabled on federation server

31 Configure ADFS
- Install ADFS on Windows Server 2003 R2/LH Server using Role Manager
- Configure ADFS trust with the Account domain
- Create 2 claims-aware applications using the ADFS admin tool
  - RMS Certification: https://RMS/_wmcs/certificationexternal/
  - RMS Licensing: https://RMS/_wmcs/licensingexternal/
  - For both apps, select UPN and email address


33 Create New Claims-Aware Applications for RMS

34 Enable UPN and E-mail Claims

35 Configure AD RMS
- Install RMS using LH Server Manager
  - Configure Extranet URLs
  - Install RMS-ADFS subrole (automatically installs the ADFS SSO agent)
  - Provide URL of ADFS server
- Open MMC and add the AD RMS snap-in
- Under Trust Policies, enable Federated Identity Support
  - Configure certificate validity time for external users

36 Set Extranet URL Location in RMS Admin UI

37 Install RMS-ADFS Sub-role

38 Set Properties for Federated Identity Support

39 Validate by Browsing to RMS Certification URL

40 Configure ADFS (A)
- Push down the ADFS Home Realm information as a registry key (String): HKLM/Software/Microsoft/MSDRM/Federation/FederationHomeRealm

41 Important Notices
- ADFS and RMS external vroots require SSL
- Use Internet CA certs for SSL; otherwise the root cert has to be trusted on all external client machines
- ADFS is case sensitive! Note this while configuring DNS and the firewall
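An added example, not from the deck: a PowerShell script that performs the client-side step from slide 40 (set the FederationHomeRealm String value) and then applies the two checks slide 41 warns about (SSL on the external vroots, case-sensitive realm value). The registry path and the two vroot URLs are the ones the slides give; the realm URI and the host name RMS are placeholders to replace with the account partner's real values.

```powershell
# Added example (not part of the presentation). Run on the external (account-side)
# client; in production the registry value would be pushed via Group Policy.
param(
    # Hypothetical realm URI of the account partner's federation service (placeholder)
    [string]$HomeRealm = 'urn:federation:contoso-placeholder',
    # Extranet RMS vroots from slide 31; the host 'RMS' is a placeholder
    [string[]]$RmsUrls = @(
        'https://RMS/_wmcs/certificationexternal/',
        'https://RMS/_wmcs/licensingexternal/'
    )
)

# Slide 40: the home realm is a String value under HKLM\Software\Microsoft\MSDRM\Federation
$keyPath = 'HKLM:\Software\Microsoft\MSDRM\Federation'
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
New-ItemProperty -Path $keyPath -Name 'FederationHomeRealm' -Value $HomeRealm `
    -PropertyType String -Force | Out-Null

# Slide 41: ADFS is case sensitive. Read the value back and compare with -cne
# (case-sensitive) so a realm that differs only in letter case is caught here
# rather than as a failed home realm discovery later.
$stored = (Get-ItemProperty -Path $keyPath -Name 'FederationHomeRealm').FederationHomeRealm
if ($stored -cne $HomeRealm) {
    throw "FederationHomeRealm mismatch (case-sensitive): stored '$stored', expected '$HomeRealm'"
}

# Slide 41: external vroots require SSL. Reject any non-https URL, then confirm each
# vroot answers over TLS. An HTTP error (e.g. 401 from the WebSSO agent) still proves
# the TLS handshake worked; a trust failure means the root CA is not trusted on this
# client, which is exactly the case slide 41 says to avoid by using an Internet CA.
foreach ($url in $RmsUrls) {
    if (([Uri]$url).Scheme -ne 'https') { throw "Not SSL: $url" }
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        $code = [int]$resp.StatusCode
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            $code = [int]$_.Exception.Response.StatusCode   # reached the server over TLS
        } else {
            throw "TLS/connection failure for $url : $($_.Exception.Message)"
        }
    }
    Write-Host ("OK   {0} -> HTTP {1}" -f $url, $code)
}
```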

42 Step-by-Step Guide
http://www.microsoft.com/downloads/details.aspx?FamilyID=518D870C-FA3E-4F6A-97F5-ACAF31DE6DCE&displaylang=en

43 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

