6/26/2018 5:24 AM THR1083 Enabling Advanced Security Capabilities: Drive consistent authorization across multiple applications Bryan Bolling Solution Architect, Microsoft Steve Lewis Senior Consultant, Microsoft © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

6/26/2018 5:24 AM Business Case Application data access is tightly coupled to application platforms Business needs must drive access across platforms in a consistent manner Application data access requirements must drive granular controls for data protection in business terms It is time for the business needs to drive the way content is protected with terms business users and systems understand. © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Approach Provide a centralized authorization model 6/26/2018 5:24 AM Approach Provide a centralized authorization model Accessible via enterprise applications Accessible via an API © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Policy Management Components 6/26/2018 5:24 AM Policy Management Components Data Classification Management Tool User Users with attributes Rules Policies defining access privileges and obligations Resources Securable items User Attributes Employee Type Office Citizenship Resource Tags Document Type Creation Office Releasability Controls Rule 1: User.EmployeeType = Resource.Document Type Rule 2: User.Office Contained In Resource.Creation Office Rule 3: User.Citizenship Contained In Resource. ReleasabilityControls OR Resource.ReleaseabilityControls = UNKNOWN © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Successful User Access 6/26/2018 5:24 AM Successful User Access Resource Tags Document Type = Engineer Creation Office = Flight Controls Releaseability Controls = UNKNOWN User Attributes Employee Type = Engineer Office = Aerospace, Flight Controls Citizenship = USA Rule 1: User.EmployeeType = Resource.Document Type Rule 2: User.Office Contained In Resource.Creation Office Rule 3: User.Citizenship Contained In Resource. ReleasabilityControls OR Resource.ReleaseabilityControls = UNKNOWN © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Failed User Access User Attributes Resource Tags 6/26/2018 5:24 AM Failed User Access User Attributes EmployeeType = Engineer, FTE Office = Aerospace, Flight Controls Citizenship = USA Resource Tags Document Type = Engineer Creation Office = Avionics ReleasabilityControls = UNKNOWN Rule 1: User.EmployeeType = Resource.Document Type Rule 2: User.Office Contained In Resource.Creation Office Rule 3: User.Citizenship Contained In Resource. ReleasabilityControls OR Resource.ReleaseabilityControls = UNKNOWN © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

High Level Solution Overview Authorization Policy Enforcement for: Access Control Data Filtering Redaction Masking Encryption Dynamic SoD Controls Data Segregation Data Residency Data Classification Data Loss Prevention Rights Protection Document Quarantine Document Control User Activity 1 Authorized Access 8 2 Intercept Event 7 Enforce Decision AuthZ Request 3 Decision 6 Attribute Sources LDAP Get Attributes 5 4 Evaluate Policies Services

Key Takeaways Consistent Data Categorization and Classification 6/26/2018 5:24 AM Key Takeaways Consistent Data Categorization and Classification Aligning data tagging with user attributes Defined processes to manage attribute life cycle User Attributes must be kept up to date Leverage user attributes from HR or other systems of record Service accounts have identities and need to be managed just like people Provide attributes for service accounts Or Exclude service accounts from policies © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Please evaluate this session Tech Ready 15 6/26/2018 Please evaluate this session From your Please expand notes window at bottom of slide and read. Then Delete this text box. PC or tablet: visit MyIgnite https://myignite.microsoft.com/evaluations Phone: download and use the Microsoft Ignite mobile app https://aka.ms/ignite.mobileapp Your input is important! © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

6/26/2018 5:24 AM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.