Data Leakage Prevention

1. Data Leakage Prevention in your Microsoft Infrastructure Paul Loonen IAM Architect, Verizon Enterprise Solutions

2. About me • Co-founder WinTalks.be • MVP: Microsoft Forefront Identity Manager • MCM Directory • Job Role: IAM Architect @ Verizon Enterprise Solutions • paul.loonen@be.verizon.com • Blog @ http://be-id.blogspot.com • @ploonen (@wintalksbe)

3. Disclaimer • Focus is on using what you already (may) have … • Everything I say won’t help against this:

4. Agenda • The Data Leakage Problem • How to approach DLP • Data classification • Protecting Your Data

5. What is Data Leakage

6. Information Leakage Is Costly On Multiple Fronts • Cost of digital leakage per year is measured in $ billions • Increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386 • Non-compliance with regulations or loss of data can lead to significant legal fees, fines and/or jail time Legal, Regulatory & Financial impacts • Damage to public image and credibility with customers • Financial impact on company • Leaked e-mails or memos can be embarrassing Damage to Image & Credibility • Disclosure of strategic plans, M&A info potentially lead to loss of revenue, market capitalization • Loss of research, analytical data, and other intellectual capital Loss of Competitive Advantage

7. Risk Areas PII • Birth Date • Employee Numbers • Social Security / National Numbers • Credit card Information (PCI) • Personal Health Information IP • Source Code • Product Design Documents • Research Information • Patent Applications • Customer Lists NPI • Financial Information • Mergers & Acquisitions activities and information • Executive communication • Legal and Regulatory Matters • Corporate Policies

8. Do you want to be this people?

9. How does this happen, by who? • Ex-employees, partners, customers • Over 1/3 due to negligence • Nearly 30% of loss on portable devices • Increasing loss from external collaboration Percentage cause of data breach Cost of Data Breach report Ponemon Institute 2010 Estimated sources of data breach Verizon Data Breach Investigation Report 2013

10. Variety of Misuse Actions Source: Verizon Data Breach Investigation Report 2013

11. So, what is DLP? • DLP means different things to different people • Data Loss Prevention • Data Leakage Prevention • Data Loss Protection • DLP is always about protecting information that is sensitive to an organization • DLP technology is content aware • referred to as deep packet inspection, analyzes the payload contained within a file or session. • DLP references data in one of three states • Data in motion • Data at rest • Data in use

12. How to approach DLP

13. Approach Strategy Assessment Data Discovery & Classification Encryption / Key Management Data-Leak Prevention Post-Leak Management Business case validation, plan for solution deployment, define and enhance process and policies Locate and classify sensitive data on file systems, emails, applications, endpoints, etc. Render sensitive information unreadable to unauthorized sources Enforce controls and policies to reduce leakage of sensitive information from secured networks and systems Enforce controls to protect sensitive data post leak

14. Data Classification

15. Managing data on file servers Looking at the problem space for a data repository • One of the largest repositories of data in the organization • Regulatory compliance periodic audits are expensive and labor intensive • Data leakage of sensitive information • Exposure of information due to complexity of granting access on a need to know basis

16. File Classification Infrastructure Tagging Information Location based Manual Automatic classification Application In-box content classifier 3rd party classification plugin // instantiate new classification manager FsrmClassificationManager cls = new FsrmClassificationManager(); //get defined properties ICollection c = cls.EnumPropertyDefinitions (_FsrmEnumOptions.FsrmEnumOptions_None); // inspect each property definition foreach (IFsrmPropertyDefinition p in c) { /*...*/ }

17. File Classification Infrastructure Applying policy based on classification Match file to policy Classify file Access control Audit control RMS Encryption Retention Other actions

18. How do I get “FCI”? File Server Resource Manager Overview of FSRM: http://technet.microsoft.com/en-us/library/hh831701(v=ws.11)

19. Where do I get FSRM? PS C:> Install-WindowsFeature –Name FS-Resource-Manager –IncludeManagementTools

20. Configuring Classification with FSRM (the manual way)

21. Configuring Classification with FSRM

22. Data Classification Toolkit for Windows Server 2012 • Free download: http://technet.microsoft.com/en- us/library/hh204743.aspx • Assists you in configuring FCI in your environment • Allows managing Central Access Policy across file servers • Integrates with Dynamic Access Control and AD RMS • Scenario-based • Classification configuration package examples provided

23. Process

24. Sample Package

25. Example: NIST

26. //sidenote • Enable FCI tab in explorer on Windows 8 clients:

27. Typical Infrastructure • Win8 or Win7SP1 Client with toolkit installed • SQL Server when reporting is required • Reporting DB • DB of file servers running FCI • Limited reporting without SQL Server • Win2k12 DC • Domain functional level must be Win2k12 – this enables Central Access Policy • Otherwise local file server properties … • File servers running FCI • Win2k8 R2 or Win2k12

28. Protecting Your Data Dynamic Access Control

29. Dynamic Access Control • Brings existing identity claims model into the Windows platform • WIF, ADFS • Introduce a model to target access and audit policies based on tagging to drive efficient policy enforcement and implement this model for files • Bridge the gap between IT & Information Owners using information tagging for files

30. Expression-based access control policy User claims User.Department = Finance User.Clearance = High ACCESS POLICY Applies to: @Resource.Impact == “High” Allow | Read, Write | if (@User.Clearance == “High”) AND (@Device.Managed == True) Device claims Device.Department = Finance Device.Managed = True Resource properties Resource.Department = Finance Resource.Impact = High

31. Authorization – Updated ACL Model Support for Expression with ‘AND’/’OR ’ primitives User.memberOf (USA-Employees) AND User.memberOf (Finance-Division) AND User.memberOf (Authorization-Project) Support for User Claims from AD User.Division = ‘Finance’ AND User.CostCenter = 20000 Support for Static Device Claims from AD User.Division = ‘Finance’ AND Device.ITManaged = True Target Policy based on Resource Type IF (Resource.Impact = ‘HBI’) ALLOW AU Read User.EmployeeType = ‘FTE’ • No expressions in ACL • Led to group bloat • ACLs only based on groups • Led to group bloat • No ability to control access based on device state • No way to target policy based on Resource Type • Claims support in ACEs managed as SDDL strings • Added / removed from SDDL strings via standard string manipulation functions Legacy Windows New in Win2k12 Example

32. Claim Definitions Resource Property Definitions Access policy DC File Server Allow/ Deny End User Control access to information

33. Protecting Your Data Active Directory Rights Management Services (AD RMS)

34. What is AD RMS? • Information Protection technology • Aimed at reducing information leakage • Server and client components • Integrated with Windows, Office, Exchange, SharePoint and more • Based on Symmetric and Public Key Cryptography • Protects data at rest, in transit and in use • Helps enforce corporate data policies • Installed as a server role

35. How AD RMS Works • Client and user are “activated” • Client creates rights-protected content (offline) • User distributes rights-protected content • Recipient acquires licenses from server to decrypt protected information • Client enforces usage policies

36. Using IRM to avoid data leakage • Encryption provides protection from unauthorized access • Most effective if it is identity-based • How you manage encryption is essential • Needs to be independent from content management • Must be integrated with ID management • Must be simple to use • Must be strong, reliable and recoverable • Encryption is not enough • Users will misuse information if they can • Even trusted users make mistakes • But if policy is clear and not easily circumvented, legitimate users will follow the policies

37. AD RMS Highlights • Robust protection • AES 128 bits, RSA 1024 bits, HSM support • Extensive client-side enforcement • Very easy to use • UI integrated with Office products • Authors just select the appropriate option • No action required on consumers of protected information • No significant need for user technical training • Transparent operation • Automated certificate and license management • Small traffic and volume overhead • Low infrastructure cost

38. Protecting information with AD RMS • Users can manually assign rights over a document • Who can read, print, edit, copy… • Can assign rights to users or groups • Document expiration, programmatic access, other advanced options • Some applications have pre-defined options • E.g. Outlooks “Do Not Forward” • Users can use a pre-built template • Templates reflect the organization’s security policies • Company Confidential • Managers only • Contains private information • Etc. • Templates enforce a pre-defined set of rights • Templates are enforced at time of consumption • Some applications can automatically apply protection

39. What documents can I protect using AD RMS? • Anything really • AD RMS SDK 2.0 (http://www.microsoft.com/en- us/download/details.aspx?id=29893) • Microsoft Office file formats (Word, Excel, PowerPoint) • Many other formats using 3rd party (foxit, Titus, …) • Rights Protected Folder Explorer (“RPFe”) • Controls access to files contained in RPF • Caveat: when file is “extracted” it is no longer protected

40. Certification & Licensing Client Machines RMS Components Detail RMS “Root” Certification Cluster IIS, ASP.NET Active Directory • Identity list • Service Connection point RMS Licensing Cluster RMS Web Services: • Publishing • Licensing IIS, ASP.NET Logging Database NLB Administration: • Service connection point • Policy Templates • Logging Settings RMS Web Services: • Certification • Publishing • Licensing SQL Server • Configuration • Logging • Directory RMS Client + “Lockbox” RMS-enabled applications User Certificate + key pair Machine Certificate + key pair Licensing NLB SQL

41. Windows RMS Key Flow Standard Publish-and-Consume Scenario Information Author Recipie nt RMS Server Database Server Active Directory 2 3 4 5 2. Author applies an RMS policy to their file. The application works with the RMS client to create a “publishing license”, encrypts the file, and appends the publishing license to it. 3. Author distributes file. 4. Recipient clicks file to open. The application sends the recipient’s credentials and the publish license to the RMS server, which validates the user and issues a “use license.” 5. Application renders file and enforces rights. 1. Author automatically receives RMS credentials (“rights account certificate” and “client licensor certificate”) the first time they rights-protect information. 1

42. AD RMS and SharePoint • When content is downloaded from a library… • RMS protection automatically applied • Information still searchable in SharePoint library • SharePoint rights  IRM permissions Recipient AD RMS SharePoint

43. AD RMS & Exchange • When users are sending emails unprotected… • Exchange transport rules apply RMS automatically • Based on content (what it says) and context (who its going to) analysis • Consume protected email in IE, Firefox and Safari Recipient Information Author AD RMS Exchange

44. AD RMS and file shares • When content is saved to a network file share... • Bulk Protection Tool secures all content in certain folders • File Classification Infrastructure (FCI) can automate classification, RMS and move into SharePoint AD RMS File Server Information Author SharePoint

45. Protecting Your Data Bitlocker To Go

46. BitLocker vs BitLocker to Go BitLocker • TPM • Operating System • Data Partitions (Fixed) • TPM, Dongle, Pin • Requires System Partition BitLocker to Go • Data Partition (Removable) • Password, Auto-Unlock, Smartcards • Supports FAT • XP / Vista (Read Only)

47. BitLocker Group Policy Settings • BitLocker Group Policy settings can • Turn on BitLocker backup to Active Directory • Enable, enforce or disable password or smartcard protectors • Enforce a minimum password length • Enforce password complexity • Deny write access to drives not encrypted with BitLocker • Do not allow write access to devices from other organizations

48. Data Drive Key Password Auto-Unlock Smartcards EaseofUse BitLocker offers a spectrum of protection allowing to balance ease-of-use against the threats you are most concerned with Security Pros: Ease of use backward compatibility BitLocker to go reader Cons: Less secure vulnerable to brute force and dictionary attacks Pros: Uses a stronger key Cons: Specific to a single machine Pros: Uses much stronger keys Cons: Requires hardware not backward compatible XXXXX

49. Active Directory Based Recovery Requirements • Schema needs to be extended • Windows Server 2008 R2 or later • All DC’s must be Windows Server 2003 SP1 or later

50. Data Recovery Agent New Recovery Mechanism • Certificate-based key protector • A certificate containing a public key is distributed through Group Policy and is applied to any drive that mounts • The corresponding private key is held by a data recovery agent in the IT department • Allows IT department to have a way to unlock all protected drives in an enterprise • Saves space in AD – same Key Protector on all drives

51. Enforcement • Requiring BitLocker for data drives • When this policy is enforced, all data drives will require BitLocker protection in order to have write access • As soon as a drive is plugged into a machine, a dialog is displayed to the user to either enable BitLocker on the device or only have read- only access • The user gets full RW access only after encryption is completed • Users can alternatively enable BitLocker at a later time

52. Cross-Organization • This policy will help enterprises manage compliance when a requirement exists to not allow devices to roam outside of the enterprise • When the "Deny write access to devices configured in another organization" policy is enabled • Only drives with identification fields matching the computer's identification fields will be given write access • When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields • These fields are defined by the "Provide the unique identifiers for your organization" policy setting • For existing drives: manage-bde -SetIdentifier <drive letter>

53. Recommendations • Identification fields • Should be set before your deployment if you are planning to use DRAs or the cross-organization policy • Are automatically set during encryption • Can be set after encryption using Manage-BDE or WMI but this requires Administrator rights • Certificates • Deploy the required certificates before enabling BitLocker on data drives • BitLocker To Go Reader • Installed per default but can be managed through group policies • Requires the use of a password • Can be deployed separately using a software distribution tool

54. More policies that help prevent leakage via removable drives

55. Protecting Your Data Encrypting File System

56. Encrypting File System (EFS) Features • Transparent encryption done at the file-system level • If a folder is marked, every file created or moved into it will be encrypted • File encryption keys can be archived (USB Flash Drive, File server) • There is no “back door” • Keys are protected with the users password on the computer • Data Recovery Agent to allow for recovery of files if user’s key is lost page 56

57. What It Doesn’t Protect or Prevent • It does NOT provide encryption to files that are: • Sent via email • Kept on a separate flash drive/thumb drive/USB drive/floppy disk • Moved over the network via shared folders (CIFS/AFS) • System and page file • It does not prevent • Files moved into folder set to encrypt all files • Files form being deleted • When you are about to move an encrypted file, Windows will warn you that you will lose your EFS encryption. • Keep in mind that whenever you move a file off of your computer, it is probably no longer protected by EFS.

58. Protecting Your Data What encryption?

59. Scenario RMS EFS BitLocker Protect my information outside my direct control Set fine-grained usage policy on my information Collaborate with others on protected information Protect my information to my smartcard Untrusted admin of a file share Protect information from other users on shared machine Lost or stolen laptop Physically insecure branch office server Local single-user file & folder protection RMS vs EFS vs BitLocker Secure Collaboration Protect Yourself Protect Against Theft

60. Summary • Think strategy when starting a DLP project • Data classification • Let’s you know what data you have and where it sits • Allows implementing controls on metadata • Protection comes in many shapes • Dynamic Access Control • AD RMS • Bitlocker To Go • Encrypting File System (EFS) • Protection doesn’t stop with one implemented control • Combination of multiple controls will be your ticket • Think about reporting • 3rd party solutions complement Microsoft building blocks

61. Some References • Verizon Data Breach Investigations Report 2013 • http://www.verizonenterprise.com/DBIR/2013/ • Classification • FCI - http://technet.microsoft.com/en-us/library/hh831660.aspx • WSRM - http://technet.microsoft.com/en-us/library/cc732553.aspx • DCT - http://technet.microsoft.com/en-us/library/hh204743.aspx • DAC • http://technet.microsoft.com/en-us/library/hh831717.aspx • AD RMS • AD RMS Team Blog: http://blogs.technet.com/b/rms/ • http://technet.microsoft.com/en-us/library/cc771234(v=ws.10).aspx • RPFe - http://technet.microsoft.com/library/Hh538204.aspx • Bitlocker to Go • http://technet.microsoft.com/en-us/library/dd875547(v=ws.10).aspx

Data Leakage Prevention

Data Leakage Prevention

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados(20)

Destaque

Destaque(20)

Similar a Data Leakage Prevention

Similar a Data Leakage Prevention(20)

Mais de Microsoft TechNet - Belgium and Luxembourg

Mais de Microsoft TechNet - Belgium and Luxembourg(20)

Último

Último(20)

Data Leakage Prevention

Notas do Editor