Kimmo Bergius ([email protected]), Chief Information Security Officer
Trends…
[Figure: attack surface by layer (Physical, Hardware, O/S, Drivers, Applications, GUI, User) with examples: spyware, rootkits, application attacks, phishing/social engineering]
Attacks are getting more sophisticated: traditional defenses are inadequate
Crime on the rise
[Figure: attackers plotted by motive (Curiosity, Personal Fame, Personal Gain, National Interest) against skill (Amateur, Expert, Specialist): Script-Kiddy, Author, Vandal, Trespasser, Thief, Spy. Annotations: largest area by volume, largest area by $ lost, largest segment by $ spent on defense, fastest growing segment]
Exponential growth of IDs: identity and access management is challenging
[Figure: number of digital IDs over time, from Pre-1980s through the 1980s, 1990s and 2000s, across the mainframe, client/server, Internet and mobility eras (B2E, B2C, B2B)]
Increasingly sophisticated malware: anti-malware alone is not sufficient
[Figure: number of variants from over 7,000 malware families (1H07); y-axis 0 to 160,000]
Source: Microsoft Security Intelligence Report (January – June 2007)
Change…
• Computing and networks everywhere
• Everything connected to everything
• Multiple identities
• Flexibility: everything from everywhere
• Scarce resources
• "Best of Need vs. Best of Breed"
• Build in-house or outsource?
• Compliance: how is it monitored?
• Threats are changing
• Motive: "cool to cash!"
Five development areas!
• Protecting network resources
• Connectivity for mobile users
• Identity management
• Data protection
• Certificates
Product portfolio
• Secure the Platform: Windows 7/Mobile/Server 2008 R2
• Secure the Identity: AD and the services built on it
• Secure the Data: RMS, EFS, BitLocker
• Secure the Network: NAP
• Secure the Wireless: Server 2008
• Secure the Edge: ISA/IAG
• Secure the Communications: Forefront Server, OCS, Exchange
• Secure the Desktops and Servers: Forefront Client Security
Why is identity management needed?
• Many different places to store user-related data
− Directories, HR systems, databases, etc.
• Many different authentication methods
− Username and password, smart cards, tokens, Kerberos, etc.
− Single sign-on is the goal: is it achieved?
• Many different ways to use the data
• Information security
• Privacy
Single sign-on
• Using AD in other environments too
− Linux/Unix/Mac OS X
− Authentication
− Distribution of configuration data
− Requires third-party add-on components
• "Apparent" SSO
− Directory integration, e.g. through MIIS
• Federation
− ADFS today, "Geneva" in the future
Solutions
• Directory integration
− One (???) authentication directory, many data directories
− Improved processes and data transfer
− Within the organization
• Directory federation
− Agree first, then trust
− Within an organization or between organizations
− Also for Internet services
What still remains a problem…
• Implementing multiple authentication methods
− Application-specific implementation, many methods, laborious
• Authentication, then retrieving the user's data
− Again application-specific
• Is there a solution?
Tokens and claims: representing identity on the wire
• A token is a set of bytes that expresses information about an identity
− This information consists of one or more claims
− Each claim contains some information about the entity to which this token applies
• The token's signature indicates who created the token and guards against changes
[Figure: a token containing Claim 1 … Claim n (for example Name, Group, Age) plus a signature]
Acquiring and using a token
1) Browser or client gets a token from the identity provider's STS
2) Client submits the token to the application
3) The application's identity library verifies the token's signature and checks whether this STS is on its list of trusted STSs
4) The application uses the claims in the token
The "Geneva" technologies
1) Browser or client accesses the application (built on Windows Identity Foundation) and learns its token requirements
2) Windows CardSpace lets the user select an identity that matches those requirements
3) Client gets a token for the selected identity from that identity provider's STS (for example ADFS)
4) Client submits the token to the application
5) The application uses the claims in the token
Using "Geneva" in an enterprise
1) User logs in to the domain and gets a Kerberos ticket
2) Browser or client accesses the application (Windows Identity Foundation) and learns its token requirements
3) Windows CardSpace lets the user select an identity that matches those requirements
4) Client presents the Kerberos ticket to the ADFS STS and requests a token for the selected identity
5) The STS finds the claims the application requires in Active Directory Domain Services and creates the token
6) Client receives the token
7) Client submits the token to the application
8) The application uses the claims in the token
Identity federation
Organization X: user, Active Directory Domain Services, ADFS STS. Organization Y: application (Windows Identity Foundation) whose trusted STSs are Organization Y and Organization X.
1) Browser or client accesses the application and learns its token requirements
2) Windows CardSpace lets the user select an identity that matches those requirements
3) Client gets a token for the selected identity from Organization X's STS
4) Client submits the token to the application
5) The application uses the claims in the token
Identity federation (2)
Organization X: user, Active Directory Domain Services, ADFS STS. Organization Y: an STS whose trusted STSs are Organization X, and an application (Windows Identity Foundation) whose trusted STSs are Organization Y only.
1) Browser or client accesses the application and learns its token requirements
2) Client accesses Organization Y's STS and learns its token requirements
3) Windows CardSpace lets the user select an identity that matches those requirements
4) Client gets a token for Organization Y's STS from Organization X's STS
5) Client presents that token to Organization Y's STS and requests a token for the application
6) Organization Y's STS issues a token for the application
7) Client submits the token to the application
8) The application uses the claims in the token
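The token flows on the slides above (acquiring and using a token, the enterprise flow where a domain user gets a token from the STS, and the chained trust of Identity federation (2)), as an added Python example; this is not code from the presentation, ADFS or Windows Identity Foundation. It assumes HMAC-SHA256 as a stand-in for the X.509 signature on a real SAML/WS-Federation token, a JSON payload instead of SAML XML, and constructed STS names, signing keys and claims for a user "alice". The point it shows is the relying-party check order: look the issuer up in the trust list first, then verify the signature with that issuer's key, then check audience and expiry, so a token from a partner STS, a token meant for another application, an expired token and a token with edited claims are all rejected.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecurityTokenService:
    """An STS: authenticates a caller (or a partner STS's token) and issues a signed claims token.
    HMAC-SHA256 stands in for the X.509 signature a real ADFS token carries (assumption)."""

    def __init__(self, name, signing_key, trusted_stss=None, directory=None):
        self.name = name
        self.signing_key = signing_key
        self.trusted_stss = trusted_stss or {}   # issuer name -> verification key
        self.directory = directory or {}         # user -> claims (stand-in for the AD DS lookup)

    def issue(self, claims, audience, ttl_seconds=300):
        body = {"iss": self.name, "aud": audience,
                "exp": int(time.time()) + ttl_seconds, "claims": claims}
        payload = _b64(json.dumps(body, sort_keys=True).encode())
        signature = _b64(hmac.new(self.signing_key, payload.encode(), hashlib.sha256).digest())
        return payload + "." + signature

    def issue_for_domain_user(self, user, audience):
        # Enterprise flow: the user already authenticated to the domain (Kerberos ticket),
        # so the STS only looks up the claims the application needs and signs them.
        return self.issue(self.directory[user], audience)

    def issue_for_partner_token(self, token, audience):
        # Federation (2): Organization Y's STS accepts a token from Organization X's STS
        # (audience = this STS) and re-issues the claims in a token the application trusts.
        claims = verify_token(token, self.trusted_stss, expected_audience=self.name)
        return self.issue(claims, audience)


def verify_token(token, trusted_stss, expected_audience, now=None):
    """Relying-party check: trusted issuer, valid signature, right audience, not expired."""
    payload, signature = token.split(".")
    body = json.loads(_unb64(payload))
    issuer = body["iss"]
    if issuer not in trusted_stss:                 # never verify with a key the sender chose
        raise ValueError(f"untrusted STS: {issuer}")
    expected = hmac.new(trusted_stss[issuer], payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(signature)):
        raise ValueError("signature mismatch")
    if body["aud"] != expected_audience:
        raise ValueError(f"token for {body['aud']}, not {expected_audience}")
    if (now or time.time()) > body["exp"]:
        raise ValueError("token expired")
    return body["claims"]


def run_federation():
    key_x, key_y = b"org-x-sts-signing-key", b"org-y-sts-signing-key"   # constructed keys
    sts_x = SecurityTokenService("sts.orgx.example", key_x,
                                 directory={"alice": {"name": "Alice", "group": "Legal", "age": 34}})
    sts_y = SecurityTokenService("sts.orgy.example", key_y, trusted_stss={"sts.orgx.example": key_x})
    app_trust = {"sts.orgy.example": key_y}        # the application's own list of trusted STSs

    token_for_sts_y = sts_x.issue_for_domain_user("alice", audience="sts.orgy.example")   # step 4
    app_token = sts_y.issue_for_partner_token(token_for_sts_y, audience="app.orgy.example")  # steps 5-6
    results = {"claims": verify_token(app_token, app_trust, "app.orgy.example")}            # step 8

    # Failure modes the application's identity library must reject.
    failures = {
        "direct_partner_token": (token_for_sts_y, "app.orgy.example", None),
        "wrong_audience": (app_token, "other-app.orgy.example", None),
        "expired": (app_token, "app.orgy.example", time.time() + 3600),
    }
    payload, signature = app_token.split(".")
    body = json.loads(_unb64(payload))
    body["claims"]["group"] = "Domain Admins"      # edit a claim, keep the original signature
    forged = _b64(json.dumps(body, sort_keys=True).encode()) + "." + signature
    failures["tampered_claims"] = (forged, "app.orgy.example", None)
    for name, (tok, aud, now) in failures.items():
        try:
            verify_token(tok, app_trust, aud, now=now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    print(json.dumps(run_federation(), indent=2))
```

The application never holds Organization X's key: it trusts only its own organization's STS, which is what lets Organization Y revoke or change the partner relationship in one place. Looking the key up by the issuer name inside the token is safe only because the lookup is restricted to the trust list; verifying with a key or certificate carried in the token itself would let anyone mint tokens.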
The information workplace
[Figure: information flows between the organization, a partner organization, an independent consultant, home, mobile devices and USB drives]
The flow of information has no boundaries
Information is shared, stored and accessed outside the control of its owner
Host and network security controls aren't sufficient to solve this problem
Rights Management Services: persistent protection = encryption + policy (access permissions, use right permissions)
Provides identity-based protection for sensitive data
Controls access to information across the information lifecycle
Allows only authorized access based on trusted identity
Secures transmission and storage of sensitive information wherever it goes: policies are embedded in the content and documents are encrypted with 128-bit encryption
Embeds digital usage policies (print, view, edit, expiration etc.) into the content to help prevent misuse after delivery
Users without Office 2003 or later can view rights-protected files
Enforces assigned rights: view, print, export, copy/paste and time-based expiration
Safeguard sensitive information with RMS: protect e-mail, documents, and Web content
End user scenarios
Secure intranets: IE with RMA, Windows RMS
Secure documents: Office 2003/2007 (Word, PowerPoint, Excel and InfoPath), SharePoint Server 2007, Windows RMS
− Control access to sensitive info
− Set access level: view, change, print...
− Determine length of access
− Automatically apply usage policies to document libraries
− Log and audit who has accessed docs
Secure e-mails: Outlook 2003/2007, Windows RMS
− Keep corporate e-mail off the Internet
− Prevent forwarding of confidential information
− Templates to centrally manage policies
How does RMS work?
Participants: information author, recipient, RMS server (with SQL Server and Active Directory)
1. Author receives a client licensor certificate the first time they rights-protect information
2. Author defines a set of usage rights and rules for their file; the application creates a "publishing license" and encrypts the file
3. Author distributes the file
4. Recipient clicks the file to open it; the application calls the RMS server, which validates the user and issues a "use license"
5. Application renders the file and enforces the rights
RMS solution components
Client
RMS client software
Windows Vista: included out of the box
Windows XP: available as a download
An RMS-enabled application
Required for creating or viewing rights-protected content
Microsoft Office 2003 and 2007 Editions include RMS-enabled applications: Word, Excel, PowerPoint, Outlook and InfoPath (2007)
Office Professional 2003 or 2007 is required for creating rights-protected content
Other Office 2003 or 2007 editions allow users to view, but not create, rights-protected content
Rights Management Add-on (RMA) for Internet Explorer 6.0 or later
Allows users to view rights-protected content in a browser
Enables down-level viewing support for content protected by Office 2003 or 2007
Server
RMS Server
Runs on Windows Server 2003 (Standard, Enterprise, Web or Datacenter Editions) or later
Provides certification and licensing
Active Directory directory service
Windows 2000 Server or later
Provides a well-known unique identifier for each user
The e-mail address property for each user must be populated
Database server
Such as Microsoft SQL Server or MSDE
Stores configuration data and use license requests
What Microsoft and RSA announced on December 4, 2008
• Microsoft and RSA partnering with a built-in "systems" approach to protect sensitive information throughout the infrastructure based on content, context, and identity
• Microsoft building RSA Data Loss Prevention (DLP) classification technology directly into the Microsoft platform and future information protection products
• RSA integrating Active Directory Rights Management Services (AD RMS) with RSA's DLP Suite
− Automate the application of AD RMS policies based on data sensitivity
− Leverage Active Directory (AD) groups for identity- or group-aware data loss prevention
• Microsoft and RSA collaboration enables organizations to:
− Centrally define information security policy
− Automatically identify and classify sensitive data anywhere in the infrastructure
− Use a range of controls to protect data throughout the infrastructure
First step: RSA DLP Suite integrating with Microsoft AD RMS in the DLP 6.5 release (Dec 2008)
1. RMS admin creates RMS templates for data protection (example template "Legal Contracts": Legal Department: view, edit, print; outside law firm: view; others: no access)
2. RSA DLP admin designs policies to find sensitive data and protect it using RMS (example "Contracts DLP policy": find legal contracts, apply the Legal Contracts RMS template)
3. RSA DLP discovers and classifies sensitive files on laptops/desktops, file shares and SharePoint
4. RSA DLP applies RMS controls based on policy
5. Users (legal department, outside law firm, others) request files; RMS provides policy-based access
• Automate the application of AD RMS protection based on sensitive information identified by RSA DLP
• Leverage AD groups for identity- or group-aware data loss prevention
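The five RMS steps from "How does RMS work?" (client licensor certificate, publishing license and encryption, distribution, use license, enforcement) together with the DLP steps above (template, classification policy, sweep, group-based access), as an added Python example; this is not code from the presentation, AD RMS or the RSA DLP Suite. It assumes an HMAC-SHA256 counter-mode keystream as a stand-in for the AES-128 content encryption RMS uses, HMAC keys as stand-ins for the client licensor certificate and the server's key pair, a constructed directory of three users with their AD groups, a constructed regular expression as the "find legal contracts" rule, and constructed file contents. It also shows the failure mode the signed publishing license exists for: a recipient who edits the embedded rights to grant themselves access gets no use license at all.

```python
import base64
import hashlib
import hmac
import json
import os
import re


def _b64(raw):
    return base64.b64encode(raw).decode()


def _unb64(text):
    return base64.b64decode(text)


def _ctr_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in for the AES-128 content cipher)."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def _mac(key, obj):
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()


# Rights template as the RMS admin creates it (DLP step 1); groups not listed get no access.
TEMPLATES = {"Legal Contracts": {"Legal Department": ["edit", "print", "view"], "Outside law firm": ["view"]}}
# "Contracts" DLP policy (DLP step 2): a constructed classification rule, not RSA's.
CONTRACT_RE = re.compile(r"\b(agreement|contract)\b.*\bparties\b", re.I | re.S)


class RmsServer:
    """Certification and licensing: enrols authors, wraps content keys, issues use licenses, logs requests."""

    def __init__(self, directory):
        self.server_key = os.urandom(32)   # stand-in for the server's key pair
        self.directory = directory         # e-mail address -> AD group (stand-in for the AD DS lookup)
        self.clc_keys = {}                 # author -> client licensor key (stand-in for the CLC)
        self.use_license_requests = []     # what the RMS database stores

    def client_licensor_certificate(self, author):   # RMS step 1: issued on first use
        return self.clc_keys.setdefault(author, os.urandom(32))

    def wrap_content_key(self, nonce, content_key):  # in RMS: encryption to the server's public key
        return _ctr_xor(self.server_key, nonce, content_key)

    def request_use_license(self, user, pl):         # RMS step 4: validate user, enforce the license
        self.use_license_requests.append((user, pl["template"]))
        unsigned = {k: v for k, v in pl.items() if k != "sig"}
        if not hmac.compare_digest(_mac(self.clc_keys[pl["author"]], unsigned), pl["sig"]):
            raise ValueError("publishing license tampered")
        rights = pl["rights"].get(self.directory.get(user))
        if not rights:
            return None                               # "Others": no access, nothing is issued
        content_key = self.wrap_content_key(_unb64(pl["nonce"]), _unb64(pl["wrapped_key"]))  # XOR unwraps
        return {"rights": rights, "content_key": _b64(content_key)}  # real RMS encrypts it to the user's RAC


def protect(server, author, text, template):        # RMS step 2: publishing license + encrypted file
    clc_key = server.client_licensor_certificate(author)
    content_key, nonce = os.urandom(32), os.urandom(16)
    pl = {"author": author, "template": template, "rights": dict(TEMPLATES[template]), "nonce": _b64(nonce),
          "wrapped_key": _b64(server.wrap_content_key(nonce, content_key))}
    pl["sig"] = _mac(clc_key, pl)                    # the author's CLC signs the publishing license
    return {"pl": pl, "ciphertext": _b64(_ctr_xor(content_key, nonce, text.encode()))}


def open_protected(server, user, protected):        # RMS steps 4-5: use license, decrypt, report rights
    use_license = server.request_use_license(user, protected["pl"])
    if use_license is None:
        return None
    nonce = _unb64(protected["pl"]["nonce"])
    text = _ctr_xor(_unb64(use_license["content_key"]), nonce, _unb64(protected["ciphertext"])).decode()
    return {"rights": use_license["rights"], "text": text}


def dlp_sweep(server, files, author="dlp-service@contoso.example"):
    """DLP steps 3-4: classify each file and apply the matching RMS template; other files are left as they are."""
    return {name: protect(server, author, text, "Legal Contracts") if CONTRACT_RE.search(text) else text
            for name, text in files.items()}


def demo():
    server = RmsServer({"alice@contoso.example": "Legal Department",   # constructed directory
                        "bob@lawfirm.example": "Outside law firm",
                        "carol@other.example": "Marketing"})
    files = {"contract.txt": "MASTER SERVICES AGREEMENT between the parties Contoso and Fabrikam ...",
             "lunch.txt": "Friday lunch menu: soup and bread"}         # constructed content
    swept = dlp_sweep(server, files)
    out = {"lunch_untouched": swept["lunch.txt"] == files["lunch.txt"]}
    for user in server.directory:                                      # DLP step 5: access per group
        out[user] = open_protected(server, user, swept["contract.txt"])
    forged = json.loads(json.dumps(swept["contract.txt"]))             # recipient edits the embedded rights
    forged["pl"]["rights"]["Marketing"] = ["view"]
    try:
        open_protected(server, "carol@other.example", forged)
        out["forged_license"] = "accepted"
    except ValueError as err:
        out["forged_license"] = str(err)
    out["use_license_requests"] = len(server.use_license_requests)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to the real product: the rights travel inside the signed publishing license, so the server can enforce them without a copy of the file, and the content key is never released to a user whose group has no rights, so "no access" means the ciphertext is useless rather than merely hidden by the application. The server log of use license requests is what the "log and audit who has accessed docs" capability on the earlier slide is built from.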
Long term: Microsoft and RSA building information protection into the infrastructure
[Figure: RSA DLP Enterprise Manager policies driving RSA DLP Endpoint, Network and Datacenter, alongside built-in DLP classification and RMS controls under Microsoft information protection management across the Microsoft environment and applications (e-mail/UC, endpoint, network, apps, FS/CMS, storage); complementary platforms and functionality]
• Common policies throughout the infrastructure
• Built-in approach to protect data based on content, context, identity
• Future ready: seamless upgrade path for current DLP customers