Dynamic access control sbc12 - thuan nguyen

Dynamic Access Control Thuan Nguyen Senior Infrastructure Architect Bellamys IT International Security Bootcamp 2012 - 28,29,30/12/2012


Transcript of Dynamic access control sbc12 - thuan nguyen

Page 1: Dynamic access control sbc12 - thuan nguyen

Dynamic Access Control

Thuan Nguyen, Senior Infrastructure Architect, Bellamys IT International

Security Bootcamp 2012 - 28,29,30/12/2012

Page 2: Dynamic access control sbc12 - thuan nguyen

About Me

[email protected] / @nnthuan

Microsoft SharePoint Most Valuable Professional (2011,2012)

Author, Writer, Trainer & Public Speaker

Founder & Editor in Chief of SharePointVN Publisher

Focus on Microsoft security and federated identity, infrastructure, methodologies and architecture.

Page 3: Dynamic access control sbc12 - thuan nguyen

This presentation explores how Dynamic Access Control in Windows Server 2012 helps organizations address data compliance challenges.

Session objectives:

Data compliance

Understand the new Dynamic Access Control capabilities built into Windows Server 2012

Demonstration

Agenda:

Windows File Server Solution

Data Compliance Challenges

Windows Platform Investments

Putting it Together

Page 4: Dynamic access control sbc12 - thuan nguyen

Compliance and Data Protection

Compliance is generally a response to governmental regulation, but it can also be a response to industry or internal requirements. Examples:

The U.S. Health Insurance Portability and Accountability Act (HIPAA) for health providers

Sarbanes-Oxley Act (SOX)

The European Union Data Protection Directive

U.S. state data breach laws

I’m not going to talk about data compliance and privacy in depth.

Page 5: Dynamic access control sbc12 - thuan nguyen

Data Compliance Challenges

Can you make sure that only authorized individuals can access confidential data?

Do you have granular control over access auditing? How do you reduce the number of security groups your organization has? How do you deal with regulatory standards? Many questions come up when it comes to data access control.

CSO/CIO department: “I need to have the right compliance controls to keep me out of jail”

Infrastructure Support: “I don’t know what data is in my repositories and how to control it”

Content Owner: “Is my important data appropriately protected and compliant with regulations – how do I audit this?”

Information Worker: “I don’t know if I am complying with my organization’s policies”

Page 6: Dynamic access control sbc12 - thuan nguyen

Microsoft Case Study

Storage growth | Distributed information | Regulatory compliance | Data leakage

45%: File based storage CAGR.

MSIT cost: $1.6 per GB per month for managed servers.

>70%: of stored data is stale

Cloud cost would be approximately 25 cents per GB per month.

Corporate information is everywhere: Desktops, Branch Offices, Data Centers, Cloud…

MSIT 1500 file servers with 110 different groups managing them

Very hard to consistently manage the information.

New and changing regulations (SOX, HIPAA, GLBA…)

International and local regulations.

More oversight and tighter enforcement.

$15M: Settlement for investment bank with SEC over record retention.

246,091,423: Total number of records containing sensitive personal information involved in security breaches in the US since January 2005

$90 to $305 per record (Forrester: in “Calculating the Cost of a Security Breach”)

Page 7: Dynamic access control sbc12 - thuan nguyen

Dynamic Access Control: In a nutshell

Encryption

Automatic RMS encryption based on document classification.

Data Classification

Classify your documents using resource properties stored in Active Directory.

Automatically classify documents based on document content.

Expression-based auditing

Targeted access auditing based on document classification and user identity.

Centralized deployment of audit policies using Global Audit Policies.

Expression-based access conditions

Flexible access control lists based on document classification and multiple identities (security groups).

Centralized access control lists using Central Access Policies.

Page 8: Dynamic access control sbc12 - thuan nguyen

Data Classification

Page 9: Dynamic access control sbc12 - thuan nguyen

Data Classification

File Classification Infrastructure provides insight into your data by automating classification processes. File Classification Infrastructure uses classification rules to automatically scan files and classify them according to the contents of the file.

Some examples of classification rules include:

Classify any file that contains the string “SBC12 Confidential” as having high business impact.

Classify any file that contains at least 10 social security numbers as having personally identifiable information.

Data Classification Toolkit


Page 10: Dynamic access control sbc12 - thuan nguyen

Example

A content classification rule that searches a set of files for the string “SBC12 Confidential”. If the string is found in a file, the Impact resource property is set to High on the file.

A content classification rule that searches a set of files for a regular expression that matches a social security number at least 10 times in one file. If the pattern is found, the file is classified as having personally identifiable information and the Personally Identifiable Information resource property is set to High.
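The two content rules above, modelled as an added example (this is not FSRM's code or the deck's own material): each rule couples a pattern and a minimum-occurrence threshold to the resource property it sets, and the sample files and the SSN regex are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed SSN pattern (123-45-6789 form); FSRM's own built-in pattern is not reproduced here.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class ContentRule:
    """A content classification rule: set one resource property when the content matches often enough."""
    name: str
    property_name: str
    property_value: str
    pattern: re.Pattern
    min_matches: int = 1

    def matches(self, text: str) -> bool:
        # Count every occurrence so a minimum-occurrence threshold (e.g. 10 SSNs) can be enforced.
        return len(self.pattern.findall(text)) >= self.min_matches


# The two rules described on pages 9 and 10 of the deck.
RULES = [
    ContentRule("SBC12 Confidential marker", "Impact", "High",
                re.compile(re.escape("SBC12 Confidential")), min_matches=1),
    ContentRule("Ten or more social security numbers",
                "Personally Identifiable Information", "High", SSN_PATTERN, min_matches=10),
]


def classify(text: str, rules=RULES) -> dict:
    """Return the resource properties a file's content earns; an empty dict means 'unclassified'."""
    return {r.property_name: r.property_value for r in rules if r.matches(text)}


# Constructed sample files: a marked draft, a list of 9 SSNs (below threshold) and a list of 12.
SAMPLE_FILES = {
    "budget-draft.docx": "Q4 budget draft. SBC12 Confidential. Do not forward.",
    "nine-ids.txt": " ".join(f"{100 + i:03d}-45-6789" for i in range(9)),
    "payroll-export.csv": "\n".join(f"emp{i},{100 + i:03d}-45-6789" for i in range(12)),
}


def classify_all(files=SAMPLE_FILES) -> dict:
    """Classify every sample file and return the per-file resource properties."""
    return {name: classify(text) for name, text in files.items()}
```

The nine-SSN file stays unclassified, which is the point of the threshold: a single stray number should not mark a whole file as PII.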


Page 11: Dynamic access control sbc12 - thuan nguyen

Expression-based Access Control

Page 12: Dynamic access control sbc12 - thuan nguyen

Manage fewer security groups by using conditional expressions


[Figure: 30 countries x 20 departments x sensitive/confidential documents would otherwise require one security group per combination; a single expression-based access condition replaces them.]

Page 13: Dynamic access control sbc12 - thuan nguyen

What is a Central Access Policy?

You can think of Central Access Policies as a safety net that your organization applies across its servers to enhance the local access policy.

Page 14: Dynamic access control sbc12 - thuan nguyen

User claims: User.Department = Finance; User.Clearance = High

Device claims: Device.Department = Finance; Device.Managed = True

Resource properties: Resource.Department = Finance; Resource.Impact = High

Access policy: Applies to: @File.Impact = High

Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)

[Figure: Active Directory Domain Services supplies the claims and resource properties; the file server evaluates the expression-based access rules.]

Page 15: Dynamic access control sbc12 - thuan nguyen

Active Directory Domain Services

Characteristics:

• Composed of central access rules

• Applied to file servers through Group Policy objects

• Supplement (not replace) native file and folder access control lists from New Technology File System (NTFS)

[Figure: central access policies on corporate file servers. Policies: Personally identifiable information policy, High business impact policy, Finance policy. Organizational policies: High business impact; Personally identifiable information. Finance department policies: High business impact; Personally identifiable information; Finance. Targets: User folders; Finance folders.]

Page 16: Dynamic access control sbc12 - thuan nguyen

Active Directory Domain Services

Central access policy workflow

1. Active Directory Domain Services: create claim definitions, create file property definitions, create central access policy.

2. Group Policy: send central access policies to file servers.

3. File server: apply access policy to the shared folder; identify information.

4. User’s computer: user tries to access information; the file server allows or denies.

[Figure: the user, the file server and Active Directory Domain Services, which holds the claim definitions, audit policy and file property definitions.]

Page 17: Dynamic access control sbc12 - thuan nguyen

Central access policy examples

Organization-wide authorization

Departmental authorization

Specific data management

Need-to-know

Page 18: Dynamic access control sbc12 - thuan nguyen

Expression-based Auditing

Limit auditing to data that meets specific classification criteria.

Limit auditing by action and by identity.

Add contextual information into the audit events.

Page 19: Dynamic access control sbc12 - thuan nguyen

Security auditing

Active Directory Domain Services

1. Active Directory Domain Services: create claim types; create resource properties.

2. Group Policy: create global audit policy.

3. File server: select and apply resource properties to the shared folders.

4. User’s computer: user tries to access information; the file server allows or denies.

[Figure: the user, the file server and Active Directory Domain Services, which holds the claim definitions, audit policy and file property definitions.]

Page 20: Dynamic access control sbc12 - thuan nguyen

Audit policy examples

Audit everyone who does not have a high security clearance and who tries to access a document that has a high impact on business.

Audit all vendors when they try to access documents related to projects that they are not working on.

Audit | Everyone | All-Access | Resource.BusinessImpact=HBI AND User.SecurityClearance!=High

Audit | Everyone | All-Access | User.EmploymentStatus=Vendor AND User.Project Not_AnyOf Resource.Project.
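The page 14 central access rule and the two page 20 audit entries, evaluated in one small model as an added example (not Windows code and not from the deck): the central access policy is intersected with the NTFS rights, a rule whose target does not match is modelled as placing no restriction, and Not_AnyOf is an empty intersection of the user's and resource's Project claims. Claim names and sample values are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class CentralAccessRule:
    """Target condition ('applies to') plus an allow condition over user, device and resource claims."""
    name: str
    applies_to: Callable[[dict], bool]
    allow_if: Callable[[dict, dict, dict], bool]
    rights: frozenset


@dataclass
class AuditRule:
    """Expression-based audit entry: Everyone, All-Access, fires when the condition holds."""
    name: str
    audit_if: Callable[[dict, dict], bool]


# Page 14: Applies to @File.Impact = High;
# Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
HBI_DEPARTMENT_RULE = CentralAccessRule(
    "High-impact departmental access",
    applies_to=lambda res: res.get("Impact") == "High",
    allow_if=lambda u, d, res: u.get("Department") == res.get("Department") and d.get("Managed") is True,
    rights=frozenset({"Read", "Write"}),
)

# Page 20: the two audit policy examples. Not_AnyOf is modelled as an empty intersection.
AUDIT_RULES = [
    AuditRule("Uncleared user on HBI data",
              lambda u, res: res.get("BusinessImpact") == "HBI" and u.get("SecurityClearance") != "High"),
    AuditRule("Vendor on a project they are not assigned to",
              lambda u, res: u.get("EmploymentStatus") == "Vendor"
              and not set(u.get("Project", ())) & set(res.get("Project", ()))),
]


def effective_access(ntfs_rights, user, device, resource, rules=(HBI_DEPARTMENT_RULE,)):
    """Central access rules supplement NTFS: a right is effective only if both grant it.
    A rule whose target does not match the resource is modelled as placing no restriction."""
    applicable = [r for r in rules if r.applies_to(resource)]
    if not applicable:
        return frozenset(ntfs_rights)
    granted = frozenset().union(*(r.rights for r in applicable if r.allow_if(user, device, resource)))
    return frozenset(ntfs_rights) & granted


def audit_events(user, resource, rules=AUDIT_RULES):
    """Names of the audit entries that fire for this access attempt (what would land in the log)."""
    return [r.name for r in rules if r.audit_if(user, resource)]
```

Note that the Finance user on an unmanaged device loses even the rights NTFS grants, which is exactly the "safety net" behaviour described for Central Access Policies.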

Page 21: Dynamic access control sbc12 - thuan nguyen

Data Encryption Challenges

How do I protect sensitive information after it leaves my protected environment?

I cannot get the users to encrypt their sensitive data.

Page 22: Dynamic access control sbc12 - thuan nguyen

Process to encrypt a file based on classification

1. Claim definitions, file property definitions, and access policies are established in Active Directory Domain Controller.

2. A user creates a file with the word “confidential” in the text and saves it. The classification engine classifies the file as high-impact according to the rules configured.

3. On the file server, a rule automatically applies RMS protection to any file classified as high-impact.

4. The RMS template and encryption are applied to the file on the file server and the file is encrypted.

[Figure: classification-based encryption process, numbered 1 to 4 across the user, the file server with its classification engine, the RMS server and Active Directory Domain Services.]

Page 23: Dynamic access control sbc12 - thuan nguyen

Demo: Dynamic Access Control

Page 24: Dynamic access control sbc12 - thuan nguyen

Demonstration Lab

There are two virtual machines involved in the demonstration lab:

AD-Srv (Active Directory Domain Controller)

File-Srv (File Server)

There are two security groups: Finance, System Integration

There are two domain users: [email protected] (Finance), [email protected] (System Integration)

Page 25: Dynamic access control sbc12 - thuan nguyen

Steps

1. Create a new claim: Department

2. Create resource properties and add them to the resource property list: Finance Department

3. Create a new central access rule and central access policy: Resource Finance Department Exists; Resource Finance Department Equals Value Finance

4. Publish the central access policy

5. Configure Group Policy and enable KDC

6. Install File Server Resource Manager on the file server and run Update-FSRMClassificationPropertyDefinition

7. Add the central access policy to the shared folder

8. Validate

Page 26: Dynamic access control sbc12 - thuan nguyen

Thanks for joining us.