Info Security: Microsoft Dynamic Access Control

Dynamic Access Control. Presented by: Jason Kittrell, Regional Instructor (MCT, MCSE, CEH, MCITP), New Horizons CLC. January 30, 2014


Security: Microsoft Dynamic Access Control Webinar from 1.30.2014

Transcript of Info Security: Microsoft Dynamic Access Control

Page 1: Info Security: Microsoft Dynamic Access Control

Dynamic Access Control
Presented by: Jason Kittrell, Regional Instructor (MCT, MCSE, CEH, MCITP), New Horizons CLC

January 30, 2014

Page 2: Info Security: Microsoft Dynamic Access Control

Welcome

• Intended audience
• Understanding of what D.A.C. offers
• Next steps

Page 3: Info Security: Microsoft Dynamic Access Control

Agenda

• Who is New Horizons?
• Presentation: Dynamic Access Control
• Demo
• Q & A

Page 4: Info Security: Microsoft Dynamic Access Control

Who is New Horizons?

New Horizons is a proven, worldwide training provider with flexible learning solutions covering a broad spectrum of topics taught by industry-leading instructors.

Page 5: Info Security: Microsoft Dynamic Access Control

Facts to Consider

Largest International Network
• 2,100 Classrooms
• 2,400 Instructors in 56 Countries
• 3 Million Student Days of Training per Year

Flexible, Integrated Learning Methods
• ILT – Instructor Led Training
• OLL – Online Live Virtual Delivery
• Private Group Training customized for your organization

Page 6: Info Security: Microsoft Dynamic Access Control

Strong Vendor Partnerships

Page 7: Info Security: Microsoft Dynamic Access Control

Introduction

• Data Compliance Challenges
• Understanding the new Dynamic Access Control built into Windows Server 2012
• Next Steps
• Q & A

Page 8: Info Security: Microsoft Dynamic Access Control

Data Compliance Challenges

Page 9: Info Security: Microsoft Dynamic Access Control

Compliance

• Compliance is generally an effect of some form of regulation; governmental or industry driven

• HIPAA

• Sarbanes-Oxley

• European Union Data Protection Directive

• State Laws

Page 10: Info Security: Microsoft Dynamic Access Control

Microsoft Case Study

Storage growth
• 45%: file-based storage CAGR
• MSIT cost: $1.60 per GB per month for managed servers
• >70% of stored data is stale
• Cloud cost would be approximately 25 cents per GB per month

Distributed Information
• Corporate information is everywhere: desktops, branch offices, data centers, cloud…
• MSIT: 1,500 file servers with 110 different groups managing them
• Very hard to consistently manage the information

Regulatory compliance
• New and changing regulations (SOX, HIPAA, GLBA…)
• International and local regulations
• More oversight and tighter enforcement
• $15M: settlement for an investment bank with the SEC over record retention

Data leakage
• 246,091,423: total number of records containing sensitive personal information involved in security breaches in the US since January 2005
• $90 to $305 per record (Forrester: "Calculating the Cost of a Security Breach")

Page 11: Info Security: Microsoft Dynamic Access Control

Dynamic Access Control
• "Safety Net" for all file server based resources
• Provides Data Classification
• Gives IDM a central management point for access
• Audits access attempts
• Integrates with AD RMS

Reasons for Implementing D.A.C.
• An inability to achieve the desired security & compliance results with NTFS alone
• Requirement to have access controls based on attributes rather than on individual ACEs (access control entries)

Page 12: Info Security: Microsoft Dynamic Access Control

The 4 Pillars of Dynamic Access Control

Page 13: Info Security: Microsoft Dynamic Access Control

Dynamic Access Control in a Nutshell

Data Classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.

Expression-based access conditions
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.

Expression-based auditing
• Targeted access auditing based on document classification and user identity.
• Centralized deployment of audit policies using Global Audit Policies.

Encryption
• Automatic RMS encryption based on document classification.

Page 14: Info Security: Microsoft Dynamic Access Control

Pre-2012: NTFS Permissions

• Decisions made only on the user's security principal (SID) or group membership
• Users had to log off and back on before changes to security group membership appeared in their security token
• "Shadow Groups" were often created to mimic attributes
• Security group scope rules restrict which groups can be members of which other groups
• No way to cross AD trust boundaries
• No way to make access decisions based on the user's device

Page 15: Info Security: Microsoft Dynamic Access Control

Windows Server 2012: Expression Based Access

• Selected AD attributes are included in security tokens as claims
• Claims can be used directly in file server permissions
• Claims can be consistently issued to all users in the forest
• Claims can be "transformed" across trust boundaries
• Enables new policy types NTFS alone cannot express:
  – Example: Allow WRITE if User.MemberOf(Finance) and User.EmployeeType=FTE and Device.Managed=TRUE
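The rule on this slide, worked through as an added example (it is not part of the webinar and not Microsoft's own sample): the PowerShell below defines the two claim types the rule needs, a Department resource property, and the conditional ACE itself, first as a central access rule and policy managed in AD and then set directly on a folder together with an expression-based audit entry. The group name Finance, the share path D:\Finance, the rule and policy names, and the use of the computer object's extensionAttribute1 to hold the managed state are assumptions, not from the slide.

```powershell
# Added example, not from the webinar: implement the slide's rule
#   Allow WRITE if User.MemberOf(Finance) and User.EmployeeType=FTE and Device.Managed=TRUE
# Assumptions (not on the slide): a group named Finance, a share at D:\Finance,
# and management tooling that stamps the computer object's extensionAttribute1
# (present with the Exchange schema extension) with "TRUE" for managed devices.
# Prerequisites: Windows Server 2012+ DCs and file server, with these GPOs enabled:
#   "KDC support for claims, compound authentication and Kerberos armoring"
#   "Kerberos client support for claims, compound authentication and Kerberos armoring"
# Device claims in particular only reach the file server through compound authentication.
Import-Module ActiveDirectory

# 1. Claim types: which AD attributes the DC copies into the Kerberos token.
New-ADClaimType -DisplayName 'EmployeeType' -SourceAttribute 'employeeType' `
    -AppliesToClasses @('user')
New-ADClaimType -DisplayName 'Managed' -SourceAttribute 'extensionAttribute1' `
    -AppliesToClasses @('computer')

# 2. Resource property used to tag Finance folders, published to the
#    Global Resource Property List so file servers download it.
New-ADResourceProperty -DisplayName 'Department' -ResourcePropertyValueType 'MS-DS-Text' -IsSecured $true
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Department'

# 3. The condition in SDDL conditional-ACE syntax. Group membership is still
#    usable (Member_of) but is now combined with a user claim and a device claim.
$financeSid = (Get-ADGroup -Identity 'Finance').SID.Value
$condition  = '(Member_of {SID(' + $financeSid + ')} && ' +
              '@User.EmployeeType == "FTE" && @Device.Managed == "TRUE")'

# 4a. Central access rule + policy: managed in AD, pushed to file servers through
#     Group Policy (Security Settings > File System > Central Access Policy),
#     then attached to folders on the Central Policy tab of the folder's ACL.
#     XA = conditional allow ACE; 0x1301bf = Modify.
New-ADCentralAccessRule -Name 'Finance Write Rule' `
    -ResourceCondition '(@Resource.Department == "Finance")' `
    -CurrentAcl ('O:SYG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(XA;;0x1301bf;;;AU;' + $condition + ')') `
    -ProtectedFromAccidentalDeletion $true
New-ADCentralAccessPolicy -Name 'Finance Policy'
Add-ADCentralAccessPolicyMember -Identity 'Finance Policy' -Members 'Finance Write Rule'

# 4b. Or set the conditional ACE directly on the folder (run on the file server).
#     0x1200a9 = Read & Execute for everyone authenticated; write needs the claims.
#     The SACL entry (XU = conditional audit ACE) is expression-based auditing:
#     log successful and failed writes by anyone whose EmployeeType claim is not FTE.
$path = 'D:\Finance'
$dacl = 'D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)' +
        '(XA;OICI;0x1301bf;;;AU;' + $condition + ')'
$sacl = 'S:(XU;OICISAFA;0x1301bf;;;AU;(@User.EmployeeType != "FTE"))'
$acl  = Get-Acl -Path $path -Audit
$acl.SetSecurityDescriptorSddlForm($dacl + $sacl)
Set-Acl -Path $path -AclObject $acl
# The audit ACE only produces events once the File System subcategory is on.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 5. Check: the folder's SDDL should now contain the XA and XU entries.
(Get-Acl -Path $path -Audit).Sddl
```

Run the AD cmdlets on a Windows Server 2012 level domain controller or an RSAT host as a domain administrator, and step 4b on the file server itself. The failure mode to test before rollout is a token with no claims: if the client or KDC policy is not enabled, the token carries neither EmployeeType nor Managed, the condition cannot be evaluated, the XA entry does not apply, and Finance users lose write access even though they are in the group. `whoami /claims` on a claims-enabled client shows exactly which claims the KDC issued.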

Page 16: Info Security: Microsoft Dynamic Access Control

Data Classification

File Classification Infrastructure provides insight into your data by automating classification processes.

File Classification Infrastructure uses classification rules to automatically scan files and classify them according to the contents of the file.

Some examples of classification rules include:
• Classify any file that contains the string "SBC12 Confidential" as having high business impact.
• Classify any file that contains at least 10 social security numbers as having personally identifiable information.

Page 17: Info Security: Microsoft Dynamic Access Control

Data Encryption Challenges

How do I protect sensitive information after it leaves my protected environment?

I cannot get the users to encrypt their sensitive data.

Page 18: Info Security: Microsoft Dynamic Access Control

Process to encrypt a file based on classification

Classification-based encryption process (diagram: User, File server, Classification engine, RMS server, Active Directory Domain Services)

1. Claim definitions, file property definitions, and access policies are established in Active Directory Domain Services.
2. A user creates a file with the word "confidential" in the text and saves it. The classification engine classifies the file as high-impact according to the rules configured.
3. On the file server, a rule automatically applies RMS protection to any file classified as high-impact.
4. The RMS template and encryption are applied to the file on the file server and the file is encrypted.
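The two classification rules from the Data Classification slide and the classification-to-RMS process above, as one added example (not from the webinar and not Microsoft's own sample): File Server Resource Manager cmdlets create the properties, the content rules that set them, and a continuous file management task that applies an RMS template to any file classified as high impact. The property and rule names, the share path D:\Shares, and the RMS template name "Contoso - High Impact" are assumptions; the properties are defined locally here, whereas in a DAC deployment they would come from the AD resource properties.

```powershell
# Added example, not from the webinar: FSRM classification rules for the two
# slide examples plus a file management task that applies an RMS template to
# every file classified as high impact. Assumptions (not on the slide): the FSRM
# role service is installed on the file server, data lives under D:\Shares, and
# an AD RMS template named "Contoso - High Impact" already exists.
Import-Module FileServerResourceManager

# 1. Classification properties (local definitions; with DAC these are the AD
#    resource properties downloaded from the Global Resource Property List).
New-FsrmClassificationPropertyDefinition -Name 'BusinessImpact' -Type OrderedList `
    -PossibleValue @(
        (New-FsrmClassificationPropertyValue -Name 'Low'),
        (New-FsrmClassificationPropertyValue -Name 'Moderate'),
        (New-FsrmClassificationPropertyValue -Name 'High'))
New-FsrmClassificationPropertyDefinition -Name 'PII' -Type YesNo

# 2. Content rules. "SBC12 Confidential" anywhere in the text -> High impact.
#    Overwrite means a later scan can lower the value again if the text is removed.
New-FsrmClassificationRule -Name 'SBC12 Confidential -> High' `
    -Property 'BusinessImpact' -PropertyValue 'High' `
    -Namespace @('D:\Shares') `
    -ClassificationMechanism 'Content Classifier' `
    -ContentString @('SBC12 Confidential') `
    -ReevaluateProperty Overwrite

#    US SSN pattern -> PII. The slide's "at least 10 occurrences" threshold is an
#    occurrence option of the content classifier that is left at its default
#    here, so a single match is enough to set the property.
New-FsrmClassificationRule -Name 'SSN pattern -> PII' `
    -Property 'PII' -PropertyValue 'Yes' `
    -Namespace @('D:\Shares') `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegex @('\b\d{3}-\d{2}-\d{4}\b') `
    -ReevaluateProperty Overwrite

# 3. File management task: as soon as a file is classified High, protect it with
#    the RMS template. Encryption follows the classification, so the user never
#    has to remember to encrypt (the "I cannot get the users to encrypt" problem).
$rmsAction = New-FsrmFmjAction -Type Rms -RmsTemplate 'Contoso - High Impact'
$isHigh    = New-FsrmFmjCondition -Property 'BusinessImpact' -Condition Equal -Value 'High'
$schedule  = New-FsrmScheduledTask -Time (Get-Date '22:00') -Weekly @('Saturday')
New-FsrmFileManagementJob -Name 'Protect high-impact files' `
    -Namespace @('D:\Shares') -Action $rmsAction -Condition @($isHigh) `
    -Schedule $schedule -Continuous

# 4. Run a full classification pass now instead of waiting for the schedule,
#    then list the rules that are in force.
Start-FsrmClassification -Confirm:$false
Wait-FsrmClassification
Get-FsrmClassificationRule | Select-Object Name, Property, PropertyValue
```

Two checks worth doing on a test share before trusting this in production: drop in a file that contains the marker string and confirm after the pass that it opens only for identities the RMS template allows, and drop in one without the string to confirm it stays untouched. Remember that the content classifier reads file contents, so the account running the classification needs read access to every file in the namespace, and files an RMS task has already encrypted can no longer be content-classified by a later scan.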

Page 19: Info Security: Microsoft Dynamic Access Control

Want to know more?

• Microsoft Class 20412: Configuring Advanced Windows Server 2012 Services
• Contact your New Horizons Education Consultant
• Feedback

Page 20: Info Security: Microsoft Dynamic Access Control

Q & A

Page 21: Info Security: Microsoft Dynamic Access Control

THANK YOU FOR YOUR TIME