Chris Louloudakis
Technology Specialist – Identity and Access Management
Microsoft Australia
chris.louloudakis@microsoft.com

Agenda

The Business Problem

Windows Rights Management Services

How RMS addresses the problem

Usage Scenarios

Demo

RMS components

Q&A


What is IDA?

A system of procedures and policies to manage the lifecycle and entitlements of electronic credentials.

IDA disciplines: Directory, Federation, Smart-cards, SSO, User Provisioning, Web SSO, Meta-Directory, Virtual Directory, OTP, P/W Mgmt, Audit, RBAC, Biometric AuthN, PKI, ESSO, Rights Mgmt.


Information Loss and Liability are a Growing Concern among Financial Services organizations…

“Organizations that manage patient health information, social security numbers, and credit card numbers are being forced by government and industry regulations to implement minimal levels of security to address leakage of personal information.” – IDC (1)

“Enterprises report forwarding of e-mails among their top three security breaches” – Jupiter Research (2)

(1) Source: Worldwide Secure Content Management 2005-2009 Forecast: The Emergence of Outbound Content Compliance, March 2005
(2) Source: JupiterMedia, DRM in the Enterprise, May 2004


Horizontal Scenarios

Information Protection: sensitive e-mails, board communications, financial data, price lists, HR & Legal information
Corporate Governance: Sarbanes Oxley (US)

Financial Services: Equity Research, M&A; GLB, NASD 2711
Healthcare & Life Sciences: Research, Clinical Trials; HIPAA
Manufacturing & High Technology: Collaborative Design, Data Protection in Outsourcing
Government: RFP Process, Classified Information; HIPAA

…Information Leakage is Broadly Reaching


…And Is Costly On Multiple Fronts

Legal, Regulatory & Financial impacts
- Cost of digital leakage per year is measured in $ billions
- Increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386
- Non-compliance with regulations or loss of data can lead to significant legal fees, fines and/or jail time

Damage to Image & Credibility
- Damage to public image and credibility with customers and citizens
- Financial impact on organisations
- Leaked e-mails or memos can be embarrassing

Loss of Competitive Advantage
- Disclosure of strategic plans, M&A info potentially lead to loss of revenue, market capitalization
- Loss of research, analytical data, and other intellectual capital


Traditional solutions protect initial access …

[Diagram: a Firewall Perimeter and an Access Control List Perimeter. Unauthorized Users are stopped at the perimeter (No); Authorized Users are admitted (Yes). Information Leakage from Authorized Users to Unauthorized Users happens inside the perimeter, where neither control applies.]

…but not usage


Today’s policy expression…

…lacks enforcement tools


The Premier's Leaked memo

Courtesy of the Herald Sun, Feb 13th @ 8:48 pm
http://www.news.com.au/heraldsun/story/0,21985,21221914-5005961,00.html


How does RMS address this?

Provides persistent protection for sensitive data
- Controls access to sensitive information no matter where it lives
- Secures transmission and storage of sensitive information wherever it goes – policies embedded into the content; documents encrypted with 128 bit encryption
- Embeds digital usage policies (print, view, edit, expiration etc.) into the content to help prevent misuse after delivery

Helps reduce risks and enables compliance
- Helps organizations comply with access control, audit, and privacy policies
- Allows only authorized access based on Active Directory users/groups
- Provides attestation via strong authentication methods
- Includes auditing and tracking capabilities

Reduces operational costs
- Enables secure sharing of files and posting to shared locations, reducing paper and delivery time
- Digital files eliminate need to follow document destruction protocols, saving time and expense
- Helps automate and streamline information protection across the enterprise

Provides a platform for comprehensive information protection
- Out-of-the-box support in Office 2003
- Flexible and customizable technology
- Third parties can integrate RMS with client and server-based solutions

Windows RMS provides organizations with the tools they need to safeguard confidential & sensitive data


Safeguard Sensitive Information with RMS: Protect e-mail, documents, and Web content

End User Scenarios

Secure Emails (Outlook 2003, Windows RMS)
- Keep corporate e-mail off the Internet
- Prevent forwarding of confidential information
- Templates to centrally manage policies

Secure Documents (Word 2003, PowerPoint 2003, Excel 2003, Windows RMS)
- Control access to sensitive info
- Set access level - view, change, print...
- Determine length of access
- Log and audit who has accessed rights-protected information

Secure Intranets (IE w/RMA, Windows RMS)
- Users without Office 2003 can view rights-protected files
- Enforces assigned rights: view, print, export, copy/paste & time-based expiration


How does RMS work?

Participants: Information Author, The Recipient, RMS Server, SQL Server, Active Directory

1. Author receives a client licensor certificate the first time they rights-protect information
2. Author defines a set of usage rights and rules for their file; the application creates a “publishing license” and encrypts the file
3. Author distributes file
4. Recipient clicks file to open; the application calls to the RMS server, which validates the user and issues a “use license”
5. Application renders file and enforces rights
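The five steps above, walked through in code as an added example. This is not the presentation's or Microsoft's code and not the RMS protocol itself: the names RmsServer, seal/unseal, protect, use and demo, the contoso.example users and groups, and the use of HMAC-SHA256 keys in place of the product's RSA key pairs, AES and XrML licenses are all assumptions of this model. What it keeps from the slide is the structure: the content key travels only inside licenses, the server checks the author's signature (the client licensor certificate) and the recipient's directory membership before releasing it, and the application, not the file, enforces the rights named in the use license.

```python
"""Structural model of the five steps on the slide (client licensor certificate, publishing license,
distribution, use license, enforcement). Constructed for illustration: real RMS uses RSA key pairs, AES,
XrML licenses and Active Directory; here HMAC-SHA256 keys and plain dicts stand in so it runs offline."""
import hashlib
import hmac
import json
import os
import time

def _prf_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher with HMAC-SHA256 as the PRF (stands in for AES)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC: a tampered license or payload is rejected before decryption."""
    nonce = os.urandom(16)
    ct = _prf_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def unseal(key: bytes, box: dict) -> bytes:
    nonce, ct = bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"])
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, bytes.fromhex(box["tag"])):
        raise ValueError("license or content has been tampered with")
    return _prf_xor(key, nonce, ct)

def _sign(key: bytes, body: dict) -> str:
    """Author's signature over the publishing license: HMAC of canonical JSON under the CLC key."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class RmsServer:
    """Certification and licensing service. 'directory' models AD: e-mail address -> group names."""
    def __init__(self, directory: dict):
        self.directory = directory
        self.clc_keys = {}   # author -> client licensor key, issued in step 1
        self.user_keys = {}  # recipient -> key bound to the user's account (activation)
        self.audit = []      # use license requests; the product keeps these in SQL Server

    def issue_clc(self, author: str) -> bytes:
        if author not in self.directory:
            raise PermissionError(f"{author} is not in the directory")
        self.clc_keys[author] = os.urandom(32)
        return self.clc_keys[author]

    def activate(self, user: str) -> bytes:
        self.user_keys[user] = os.urandom(32)
        return self.user_keys[user]

    def request_use_license(self, user: str, pub_license: dict) -> dict:
        """Step 4: validate the user against the directory and the license; issue a use license."""
        body = pub_license["body"]
        self.audit.append({"user": user, "doc": body["doc_id"], "at": time.time()})
        clc_key = self.clc_keys.get(body["issuer"])
        if clc_key is None or not hmac.compare_digest(_sign(clc_key, body), pub_license["sig"]):
            raise PermissionError("publishing license was not issued by a certified author")
        if user not in self.directory or user not in self.user_keys:
            raise PermissionError(f"{user} cannot be validated")
        if body["expires"] and time.time() > body["expires"]:
            raise PermissionError("content has expired")
        principals = [user] + list(self.directory[user])
        granted = sorted({r for p in principals for r in body["rights"].get(p, [])})
        if not granted:
            raise PermissionError(f"{user} has no rights to this content")
        content_key = unseal(clc_key, body["content_key"])  # only the server can unwrap it
        return {"user": user, "rights": granted, "expires": body["expires"],
                "content_key": seal(self.user_keys[user], content_key)}

def protect(author: str, clc_key: bytes, text: str, rights: dict, expires: float = 0) -> dict:
    """Step 2: create a signed publishing license and encrypt the file.
    'rights' maps a user e-mail address or group name to the rights it is granted."""
    content_key = os.urandom(32)
    body = {"doc_id": os.urandom(8).hex(), "issuer": author, "rights": rights,
            "expires": expires, "content_key": seal(clc_key, content_key)}
    return {"pub_license": {"body": body, "sig": _sign(clc_key, body)},
            "payload": seal(content_key, text.encode())}

def use(protected: dict, use_license: dict, user_key: bytes, right: str = "view") -> str:
    """Step 5: enforce the use license (right and expiry), then decrypt with the key inside it."""
    expired = use_license["expires"] and time.time() > use_license["expires"]
    if expired or right not in use_license["rights"]:
        raise PermissionError(f"{right} is not permitted")
    content_key = unseal(user_key, use_license["content_key"])
    return unseal(content_key, protected["payload"]).decode()

def demo() -> dict:
    """Constructed directory: finance may view, bob may also print, sales has no rights at all."""
    server = RmsServer({"alice@contoso.example": ["finance"], "bob@contoso.example": ["finance"],
                        "mallory@contoso.example": ["sales"]})
    clc = server.issue_clc("alice@contoso.example")                                   # step 1
    doc = protect("alice@contoso.example", clc, "Q3 forecast: confidential",
                  {"finance": ["view"], "bob@contoso.example": ["print"]})             # step 2
    def open_as(user):                                                                # steps 3-5
        key = server.activate(user)
        try:
            ul = server.request_use_license(user, doc["pub_license"])
            return use(doc, ul, key, "print"), ul["rights"]
        except PermissionError as err:
            return str(err)
    return {u: open_as(u) for u in ("bob@contoso.example", "mallory@contoso.example")}
```

demo() returns the decrypted text and granted rights for bob and a refusal for mallory. Two details carry over to the real product: a recipient who edits the rights inside the publishing license is caught by the author's signature before any key is released, and a use license that has expired is refused by the application even though the recipient still holds the encrypted file.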


Authoring and Consuming Rights-Protected Information with Office 2003 Professional IRM


RMS Solution Components

Client
- RMS client software: required for creating or viewing rights-protected content
- An RMS-enabled application: Microsoft Office 2003 Editions include RMS-enabled applications – Word, Excel, PowerPoint, Outlook. Office Professional 2003 is required for creating or viewing rights-protected content; other Office 2003 Editions allow users to view—but not create—rights-protected content.
- Rights Management Add-on (RMA) for Internet Explorer 6.0: allows users to view rights-protected content in a browser; enables down-level viewing support for content protected by Office 2003

Server
- RMS Server: runs on Windows Server 2003 (Standard, Enterprise, Web or Datacenter Editions); provides certification and licensing
- Active Directory® directory service: Windows Server 2000 or later; provides a well-known unique identifier for each user; the e-mail address property for each user must be populated
- Database Server, such as Microsoft SQL Server™ or MSDE: stores configuration data and use license requests


RMS does not protect against analog attacks…


RMS Roadmap Highlights 2006/7

Windows Mobile (H1 2007)
- Enables consumption and creation of protected Outlook email on Windows Mobile devices
- Enables consumption of protected attachments

Office 2007
- Microsoft Office SharePoint Server 2007 allows rights policy to be enforced consistently across the contents of a document library, while contents remain searchable
- InfoPath 2007 supports RMS protection
- Outlook RMS improvements

Windows Vista
- A wide variety of documents, including Office 2007 documents, can be saved to the new XPS “XML Paper Specification” document format, which can be RMS-protected
- Built-in XPS viewer supports RMS protection and consumption of RMS protected XPS documents

Exchange “2007” (H1 2007)
- “Pre-licensing” of protected content enables mobility scenarios and performance improvements
- Enables RMS protection of e-mail based on policies configured at the Exchange server

Longhorn Server (2007)
- RMS integration with Active Directory Federation Services (ADFS)


Microsoft Office SharePoint Server 2007: Protected Intranet Portal


RMS in Windows Vista

For the IT Professional
- RMS Client included in Vista OS
- No separate download/deployment required

For the Developer
- New RMS APIs in Windows Presentation Foundation
- Makes RMS-enabling applications easier

For the Information Worker
- RMS support for new XML Paper Specification (XPS) file format, a fixed-layout format similar to “Electronic Paper”
- Enables new scenarios


RMS in Windows Mobile

[Diagram: content authored using Office 2003 is consumed by a Mobile User.]


RMS in Exchange 2007

Pre-licensing
- Easier consumption of rights protected messages on mobile devices and better end-user perceived performance
- Email and RMS use license delivered at the same time to the recipient’s inbox
- No extra “loop backs” to RMS server when opening mail means mail opens instantly
- Fewer authentication prompts for remote users

Automatic, policy-based RMS protection
- Conditional RMS protection of messages at the Exchange server, based on administrator-configured rules
- No need to “trust” end users to remember to protect messages
- Ability to journal in clear text or in protected state, to meet privacy, archiving, and discovery requirements
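The policy-based protection described on this slide, modelled as an added Python example. It is not Exchange 2007's transport rule engine and uses none of its configuration syntax; Rule, Message, evaluate, the template names, the contoso.example domain and the group membership table are constructed for the illustration. It shows the two decisions the slide names, whether to protect (and with which rights policy template) and whether the journal copy stays in clear text, taken server-side from an ordered rule list so that nothing depends on the sender remembering to protect the message.

```python
"""Model of administrator-configured rules that decide, at the mail server, whether a message is
RMS-protected in transit, with which rights policy template, and whether the journal copy is kept
in clear text. Constructed illustration; not Exchange 2007's rule engine or configuration syntax."""
from dataclasses import dataclass

ORG_DOMAIN = "contoso.example"  # assumed organisation domain (constructed)


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


@dataclass
class Rule:
    name: str
    template: str                            # rights policy template applied when the rule fires
    keywords: tuple = ()                     # fire only if any keyword appears in subject or body
    sender_groups: tuple = ()                # fire only if the sender is in one of these AD groups
    external_recipients_only: bool = False   # fire only if a recipient is outside ORG_DOMAIN
    journal_clear_text: bool = False         # keep the journal (archive) copy unprotected for discovery


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + ORG_DOMAIN)


def rule_matches(rule: Rule, msg: Message, groups_of: dict) -> bool:
    """Every condition configured on the rule must hold; unset conditions are ignored."""
    text = (msg.subject + " " + msg.body).lower()
    if rule.keywords and not any(k.lower() in text for k in rule.keywords):
        return False
    if rule.sender_groups and not set(groups_of.get(msg.sender, ())) & set(rule.sender_groups):
        return False
    if rule.external_recipients_only and not any(is_external(r) for r in msg.recipients):
        return False
    return True


def evaluate(rules: list, msg: Message, groups_of: dict) -> dict:
    """First matching rule wins, as in an ordered rule list; no match means the message passes."""
    for rule in rules:
        if rule_matches(rule, msg, groups_of):
            return {"action": "protect", "rule": rule.name, "template": rule.template,
                    "journal": "clear" if rule.journal_clear_text else "protected"}
    return {"action": "none"}


# Constructed rule set; order matters, so the most specific rule comes first.
RULES = [
    Rule("board-papers", template="Board Confidential", sender_groups=("board-office",),
         keywords=("board paper", "board pack")),
    Rule("finance-external", template="Do Not Forward", sender_groups=("finance",),
         external_recipients_only=True, journal_clear_text=True),
    Rule("pii-keywords", template="Company Confidential",
         keywords=("patient", "credit card", "social security")),
]

# Constructed AD group membership, keyed by e-mail address.
GROUPS = {
    "cfo@contoso.example": ["finance"],
    "clerk@contoso.example": ["finance"],
    "secretary@contoso.example": ["board-office"],
}


def demo() -> dict:
    """Runs four constructed messages through the rule set; returns the decision per subject."""
    samples = [
        Message("cfo@contoso.example", ["auditor@partner.example"], "Q3 draft numbers", "see attached"),
        Message("clerk@contoso.example", ["cfo@contoso.example"], "Q3 numbers (internal)", "internal copy"),
        Message("secretary@contoso.example", ["director@contoso.example"], "Board pack for Monday", "enclosed"),
        Message("nurse@contoso.example", ["friend@webmail.example"], "hi", "the patient list is attached"),
    ]
    return {m.subject: evaluate(RULES, m, GROUPS) for m in samples}
```

In demo(), the finance message leaving the organisation is protected with the Do Not Forward template and journaled in clear text, the same figures sent internally pass untouched, the board pack is caught by the more specific first rule even though it never leaves the organisation, and the message from a user in no group is still caught by the keyword rule.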


Infrastructure Optimization Model

Basic (Cost Center): Uncoordinated, manual infrastructure; knowledge not captured
Standardized (More Efficient Cost Center): Managed IT infrastructure with limited automation and knowledge capture
Rationalized (Business Enabler): Managed and consolidated IT infrastructure with extensive automation
Dynamic (Strategic Asset): Fully automated management; knowledge capture automated and use automated

Maturity runs from Cost (Basic) to Value (Dynamic).


IDA Optimization Model

Basic (Cost Center)
- No NOS Directory
- No Formal Lifecycle Processes
- Physical Protection
- User IDs and Passwords
- No Single Sign-On

Standardized (More Efficient Cost Center)
- NOS Directory Deployed
- Directory Data & Workflow Process Standardization
- Encryption-Protected Content
- Strong Password Policy enforcement
- Windows SSO for applications

Rationalized (Business Enabler)
- Directory-Based Management of Desktops, Servers & Security Settings
- Metadirectory-Based User, Group & Password Management
- Enterprise Rights Management
- PKI/Certificate Infrastructure with Two-Factor Authentication

Dynamic (Strategic Asset)
- NOS Directory Integration with Enterprise & Metadirectory
- Broadly Integrated Lifecycle Management
- Policy-Based Enterprise Rights Management
- Claims-Based Federated Single Sign-On & Access Control

Step 1: “Get your directory house in order”


For More Information…

General RMS: www.microsoft.com/rms
Microsoft IT Deployment: http://www.microsoft.com/technet/itsolutions/msit/infowork/deprmswp.mspx
RMS SDK on MSDN: http://msdn.microsoft.com/library/en-us/dnanchor/html/rm_sdks_overview.asp


© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.