Kimmo Bergius ([email protected]), Information Security Director

Kimmo Bergius ([email protected]), Information Security Director · download.microsoft.com/documents/UK/Finland/post/... · First Step - RSA DLP Suite integrating with Microsoft AD RMS in


Page 1

Page 2

Trends…

[Figure: Attacks Getting More Sophisticated: Traditional defenses are inadequate. Attack surface layers: Physical, Hardware, O/S, Drivers, Applications, GUI, User. Examples: Rootkits, Spyware, Application attacks, Phishing/Social engineering.]

[Figure: Crime On The Rise. Attacker motivation (Curiosity, Personal Fame, Personal Gain, National Interest) plotted against skill level (Amateur, Expert, Specialist). Attacker types: Script-Kiddy, Vandal, Author, Trespasser, Thief, Spy. Annotations: largest area by volume, largest area by $ lost, largest segment by $ spent on defense, fastest growing segment.]

[Figure: Exponential Growth of IDs: Identity and access management challenging. Number of Digital IDs (0 to 160 000) across the mainframe, client/server, Internet and mobility eras (Pre-1980s, 1980s, 1990s, 2000s), with B2E, B2C and B2B.]

[Figure: Increasingly Sophisticated Malware: Anti-malware alone is not sufficient. Number of variants from over 7,000 malware families (1H07). Source: Microsoft Security Intelligence Report (January – June 2007).]

Page 3

Change…

• Computing and networks everywhere

• Everything connected to everything

• Multiple identities

• Flexibility: everything from everywhere

• Scarcity of resources

• "Best of Need vs. Best of Breed"

• Build in-house or outsource?

• Compliance: how is it monitored?

• Threats are changing

• Motive: "cool to cash!"

Page 4

Five areas to develop!

• Protecting network resources

• Connectivity for the mobile user

• Identity management

• Data protection

• Certificates

Page 5

Product portfolio

• Secure the Platform—Windows 7/Mobile/Server 2008 R2

• Secure the Identity—AD and related services

• Secure the Data—RMS, EFS, BitLocker

• Secure the Network—NAP

• Secure the Wireless—Server 2008

• Secure the Edge—ISA/IAG

• Secure the Communications— Forefront Server, OCS, Exchange

• Secure the Desktops and Servers— Forefront Client Security

Page 6

Why is identity management needed?

• Many different places to store user-related information

− Directories, HR systems, databases, etc.

• Many different authentication methods

− Username and password, smart cards, tokens, Kerberos, etc.

− Single sign-on as a goal: is it achieved?

• Many different ways to use the information

• Information security

• Data privacy

Page 7

Single Sign-On

• Using AD in other environments as well

− Linux/Unix/Mac OS X

− Authentication

− Delivery of configuration data

− Requires third-party add-on components

• "Apparent" SSO

− Directory integration, e.g. via MIIS

• Federation

− Previously ADFS, in the future "Geneva"

Page 8

Solutions

• Directory integration

− One (???) authentication directory, many data directories

− Improved processes and data transfer

− Within the organization

• Directory federation

− Agree first, then trust

− Within an organization or between organizations

− Also in Internet services

Page 9

What remains a problem…

• Implementing multiple authentication methods

− Application-specific implementations, many methods, laborious

• Authentication, then data retrieval

− Again application-specific

• Is there a solution to this?

Page 10

Tokens and Claims: Representing identity on the wire

[Figure: Example token made up of claims (Name, Group, Age, shown as Claim 1, Claim 2, Claim 3, …, Claim n) plus a Signature, which indicates who created this token and guards against changes.]

• A token is a set of bytes that expresses information about an identity

− This information consists of one or more claims

− Each claim contains some information about the entity to which this token applies

Page 11

Acquiring and Using a Token

[Figure: User with a Browser or Client, an Identity Provider running an STS, and an Application with an Identity Library holding a List of Trusted STSs.]

1) Get token (the Browser or Client obtains a token from the Identity Provider's STS)

2) Submit token (to the Application)

3) Verify token's signature and check whether this STS is trusted (the Identity Library checks against the List of Trusted STSs)

4) Use claims in token

Page 12

The "Geneva" Technologies

[Figure: User, Browser or Client with Windows CardSpace, Identity Providers each running an STS (one of them ADFS), and an Application built on Windows Identity Foundation.]

1) Access application and learn token requirements

2) Select an identity that matches those requirements

3) Get token for selected identity

4) Submit token

5) Use claims in token

Page 13

Using "Geneva" in an Enterprise

[Figure: User, Browser or Client with Windows CardSpace, ADFS (STS) backed by Active Directory Domain Services, and an Application built on Windows Identity Foundation.]

1) Login to domain and get Kerberos ticket

2) Access application and learn token requirements

3) Select an identity that matches those requirements

4) Present Kerberos ticket and request token for selected identity

5) Find claims required by application and create token

6) Receive token

7) Submit token

8) Use claims in token

Page 14

Identity Federation

[Figure: Organization X: User, Browser or Client with Windows CardSpace, ADFS (STS) backed by Active Directory Domain Services. Organization Y: Application built on Windows Identity Foundation. Trusted STSs: Organization Y, Organization X.]

1) Access application and learn token requirements

2) Select an identity that matches those requirements

3) Get token for selected identity

4) Submit token

5) Use claims in token

Page 15

Identity Federation (2)

[Figure: Organization X: User, Browser or Client with Windows CardSpace, ADFS (STS) backed by Active Directory Domain Services. Organization Y: STS and Application built on Windows Identity Foundation. Trust lists shown: "Trusted STSs: Organization X" and "Trusted STSs: Organization Y".]

1) Access application and learn token requirements

2) Access Organization Y STS and learn token requirements

3) Select an identity that matches those requirements

4) Get token for Organization Y STS (Token for STS Y)

5) Request token for application (presenting Token for STS Y)

6) Issue token for application

7) Submit token

8) Use claims in token
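The token checks of the "Acquiring and Using a Token" slide and the two-STS exchange of this slide, as an added example that is not from the original deck or from Microsoft: an STS signs issuer, audience and claims, and each relying party releases the claims only after checking the issuer against its own trusted-STS list, the signature and the audience. The STS names, the demo keys and the HMAC-SHA256 stand-in for a real STS signature are assumptions.

```python
import base64, hashlib, hmac, json
# Constructed demo secrets standing in for each STS's signing key. Assumption:
# an HMAC-SHA256 tag replaces the X.509 signature a real STS would apply.
STS_KEYS = {"sts-x": b"org-x-demo-secret", "sts-y": b"org-y-demo-secret"}
def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(issuer: str, audience: str, claims: dict) -> str:
    """STS side: serialize issuer, audience and claims, then sign them."""
    body = json.dumps({"iss": issuer, "aud": audience, "claims": claims},
                      sort_keys=True).encode()
    tag = hmac.new(STS_KEYS[issuer], body, hashlib.sha256).digest()
    return b64(body) + "." + b64(tag)

def verify_token(token: str, audience: str, trusted_stss: set) -> dict:
    """Relying-party side (step 3): is the issuer on our list of trusted STSs,
    does the signature verify, and was the token meant for us? Only then are
    the claims released to the application (step 4)."""
    body_b64, tag_b64 = token.split(".")
    body = unb64(body_b64)
    payload = json.loads(body)
    issuer = payload["iss"]
    if issuer not in trusted_stss:
        raise PermissionError(f"issuer {issuer!r} is not a trusted STS")
    expected = hmac.new(STS_KEYS[issuer], body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64(tag_b64)):
        raise PermissionError("token signature does not verify")
    if payload["aud"] != audience:
        raise PermissionError("token was issued for a different audience")
    return payload["claims"]

def rejection_reason(token: str, audience: str, trusted_stss: set) -> str:
    """Empty string if the token is accepted, otherwise why it was rejected."""
    try:
        verify_token(token, audience, trusted_stss)
        return ""
    except PermissionError as err:
        return str(err)

def federated_access(user_claims: dict) -> dict:
    """Identity Federation (2): Org X's STS issues a token for Org Y's STS, Y's STS
    (trusting only sts-x) swaps it for an application token, and the application
    (trusting only sts-y) verifies that token and uses its claims."""
    token_for_sts_y = issue_token("sts-x", "sts-y", user_claims)
    claims_at_y = verify_token(token_for_sts_y, "sts-y", {"sts-x"})
    app_token = issue_token("sts-y", "app", claims_at_y)
    return verify_token(app_token, "app", {"sts-y"})
```

The application never has to trust Organization X directly: a token from sts-x presented straight to the application, or a token meant for STS Y, is rejected before any claim is read.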

Page 16

The Information Workplace

[Figure: information flowing between Independent Consultant, Partner, Organization, Home, Mobile Devices and USB Drive.]

The flow of information has no boundaries

Information is shared, stored and accessed outside the control of its owner

Host and network security controls aren't sufficient to solve this problem

Page 17

Rights Management Services

Persistent Protection: Encryption + Policy (Access Permissions, Use Right Permissions)

Provides identity-based protection for sensitive data

Controls access to information across the information lifecycle

Allows only authorized access based on trusted identity

Secures transmission and storage of sensitive information wherever it goes: policies are embedded into the content, and documents are encrypted with 128-bit encryption

Embeds digital usage policies (print, view, edit, expiration, etc.) into the content to help prevent misuse after delivery

Page 18

Safeguard Sensitive Information with RMS: Protect e-mail, documents, and Web content

End User Scenarios

Secure Documents (Office 2003/2007: Word, PPT, Excel & InfoPath; SharePoint Server 2007; Windows RMS)

• Control access to sensitive info

• Set access level: view, change, print...

• Determine length of access

• Automatically apply usage policies to document libraries

• Log and audit who has accessed docs

Secure Emails (Outlook 2003/2007, Windows RMS)

• Keep corporate e-mail off the Internet

• Prevent forwarding of confidential information

• Templates to centrally manage policies

Secure Intranets (IE w/RMA, Windows RMS)

• Users without Office 2003 or later can view rights-protected files

• Enforces assigned rights: view, print, export, copy/paste & time-based expiration

Page 19

How does RMS work?

[Figure: Information Author, The Recipient, and the RMS Server with SQL Server and Active Directory; steps numbered 1 to 5.]

1. Author receives a client licensor certificate the first time they rights-protect information

2. Author defines a set of usage rights and rules for their file; the application creates a "publishing license" and encrypts the file

3. Author distributes file

4. Recipient clicks file to open; the application calls the RMS server, which validates the user and issues a "use license"

5. Application renders file and enforces rights

Page 20

RMS Solution Components

Client

RMS client software

• Windows Vista: out-of-box

• Download for Windows XP

An RMS-enabled application

• Required for creating or viewing rights-protected content

• Microsoft Office 2003 and 2007 Editions include RMS-enabled applications: Word, Excel, PowerPoint, Outlook and InfoPath (2007)

• Office Professional 2003 or 2007 is required for creating or viewing rights-protected content

• Other Office 2003 or 2007 Editions allow users to view, but not create, rights-protected content

Rights Management Add-on (RMA) for Internet Explorer 6.0 or later

• Allows users to view rights-protected content in a browser

• Enables down-level viewing support for content protected by Office 2003 or 2007

Server

RMS Server

• Runs on Windows Server 2003 (Standard, Enterprise, Web or Datacenter Editions) or later

• Provides certification and licensing

Active Directory® directory service

• Windows Server 2000 or later

• Provides a well-known unique identifier for each user

• E-mail address property for each user must be populated

Database Server

• Such as Microsoft SQL Server™ or MSDE

• Stores configuration data and use license requests

Page 21

What Microsoft and RSA Announced on December 4, 2008

• Microsoft and RSA partnering with a built-in "systems" approach to protect sensitive information throughout the infrastructure based on content, context, and identity

• Microsoft building RSA Data Loss Prevention (DLP) classification technology directly into the Microsoft platform and future information protection products

• RSA integrating Active Directory Rights Management Services (AD RMS) with RSA's DLP Suite

− Automate the application of AD RMS policies based on data sensitivity

− Leverage Active Directory (AD) Groups for identity- or group-aware data loss prevention

• Microsoft and RSA collaboration enables organizations to:

− Centrally define information security policy

− Automatically identify and classify sensitive data anywhere in the infrastructure

− Use a range of controls to protect data throughout the infrastructure

Page 22

First Step - RSA DLP Suite integrating with Microsoft AD RMS in DLP 6.5 Release (Dec 2008)

1. RMS admin creates RMS templates for data protection

2. RSA DLP admin designs policies to find sensitive data and protect it using RMS

3. RSA DLP discovers and classifies sensitive files

4. RSA DLP applies RMS controls based on policy

5. Users request files; RMS provides policy-based access

• Automate the application of AD RMS protection based on sensitive information identified by RSA DLP

• Leverage AD Groups for identity- or group-aware data loss prevention

[Figure: Microsoft AD RMS "Legal Contracts" template granting Legal Department: View, Edit, Print; Outside law firm: View; Others: No Access. RSA DLP "Contracts" DLP policy: Find Legal Contracts, Apply Legal Contracts RMS. Scanned locations: laptops/desktops, file shares, SharePoint. Requesting users: Legal department, Outside law firm, Others.]

Page 23

Long term: Microsoft and RSA Building Information Protection into Infrastructure

[Figure: RSA DLP Enterprise Manager (Policies, RSA Add-on) alongside Microsoft Information Protection Management; Microsoft Environment and Applications (E-mail/UC, Endpoint, Network, Apps, FS/CMS, Storage) with Built-in DLP Classification and RMS Controls; RSA DLP Endpoint, RSA DLP Network and RSA DLP Datacenter as complementary platforms and functionality.]

• Common policies throughout infrastructure

• Built-in approach to protect data based on content, context, identity

• Future ready: Seamless upgrade path for current DLP customers
