PowerPoint Presentation (download.microsoft.com/documents/hk/technet...)

Slide 8

Chart: Percentage cause of data breach (Cost of Data Breach report, Ponemon Institute 2010)

Chart: Estimated sources of data breach (Global State of Information Security Survey, PriceWaterhouseCoopers 2010)

Slide 10

Diagram with nodes: Independent, Consultant, Partner, Organization, Home, Mobile Devices, USB Drive

Slide 12

Diagram with nodes: Information Author, Recipient, External Users, Mobile Devices, USB Drive

Slide 21

Scenarios compared for RMS, EFS and BitLocker:

• Protect my information outside my direct control
• Set fine-grained usage policy on my information
• Collaborate with others on protected information
• Protect my information to my smartcard
• Untrusted admin of a file share
• Protect information from other users on shared machine
• Lost or stolen laptop
• Physically insecure branch office server
• Local single-user file & folder protection

Slides 26 to 31

Rights Management Service Workflow

Actors: Information Author, The Recipient, AD RMS Server, Database Server, Active Directory

1. Author receives a Client Licensor Certificate the “first time” they rights-protect information
2. Author defines a set of usage rights and rules for their file; the application creates a “Publishing License” and encrypts the file
3. Author distributes the file
4. Recipient clicks the file to open it; the application calls the RMS server, which validates the user and issues a “Use License.”
5. Application renders the file and enforces the rights

Slide 39

http://support.microsoft.com/kb/2605692

Slide 42

MSIPC: A New RMS SDK

Slide 43

MSIPC: Motivation

Slide 46

/* Do nothing */

Slide 47

MSDRM (old) vs MSIPC (new): developer cost

Programming
• API surface: 84 functions (MSDRM) vs 20 functions (MSIPC)
• RMS bootstrapping (acquire RAC, CLC): 1000 lines of code vs automatic
• Decrypting protected content: 900 lines of code vs 3 function calls (IpcGetKey, IpcQueryLicense, IpcDecrypt)
• Identity selection: must build a custom certificate picker vs automatic
• Threading model: asynchronous only (developers must understand multi-threading concepts to use the API) vs synchronous only

Building
• Generating RMS application binaries: must enter into an RMLA legal agreement with Microsoft, generate .MCF files, securely store the production key, and no tools exist to help debug errors in the app certification process (which are common!) vs (planned) standard code signing

Testing
• Test environment: must install and test in all supported topologies/environments vs platform abstracts topology and environment

Slide 51

Container-based generic file protection

Fall-back solution for protecting data at rest through RMS crypto and access policies:

• Apply RMS protection to a folder containing any file type (*.jpg, *.pdf, *.anything)
• Strong identity-based protection on the container, at rest or in motion
• No enforcement of usage restrictions while files are in use

Explorer application for RPF (no application integration required):

• Create RPF container files
• Edit folders and files
• Extract files from the container

Prerequisites: Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2 operating system; Microsoft .NET Framework 4.0

It is based on MSIPC!

Slide 52

Protection process:

1. Create a new protected file (in essence a ZIP file with another extension)
2. Drag and drop unprotected files into it
3. Assign a policy
4. Share it

Consumption process:

1. Double click on the protected package
2. Double click on the files inside it
3. If the user has rights, files open in their native applications (without usage restrictions!)

Experience similar to sharing files through a .ZIP file
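The following Python is an added example, not Microsoft's code and not the MSIPC or GFP Explorer implementation. It models the five steps of the Rights Management Service Workflow slides (CLC issuance, Publishing License and encryption, distribution, Use License issuance, application-side enforcement) and applies them to a GFP-style container built the way the protection process above describes, a ZIP holding files of any type. HMAC-SHA256 stands in for the RSA signatures and key wrapping RMS really uses and a SHA-256 counter-mode keystream stands in for AES; the RmsServer class, the protect, consume, build_container and open_container functions, the contoso.com identities, the rights strings and the sample files are all constructed for illustration.

```python
"""Toy model of the five-step RMS workflow applied to a GFP-style container.
Added example, not Microsoft, MSIPC or GFP Explorer code. HMAC-SHA256 stands in
for the RSA signatures and key wrapping RMS uses and a SHA-256 counter-mode
keystream for AES; identities, rights strings and sample files are constructed."""
import copy
import hashlib
import hmac
import io
import json
import os
import zipfile

def _xor(key, data):
    # SHA-256 counter-mode keystream XORed over data: stand-in for AES, not a real cipher
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def _mac(key, obj):
    # stand-in for the signature made with the Client Licensor Certificate key
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), "sha256").hexdigest()

class RmsServer:
    def __init__(self, directory):
        self.directory = set(directory)        # identities the server can validate (Active Directory)
        self.server_wrap_key = os.urandom(32)  # stand-in for the server key pair
        self.clc_keys = {}                     # every CLC key the server has issued (its database)

    def issue_clc(self, author):               # step 1: first time the author protects
        if author not in self.directory:
            raise PermissionError(f"{author} cannot be validated")
        self.clc_keys[author] = os.urandom(32)
        # a real CLC also carries the server public key so the author can encrypt to it
        return {"author": author, "clc_key": self.clc_keys[author],
                "server_wrap_key": self.server_wrap_key}

    def user_key(self, user):                  # stand-in for the user's RAC key pair
        return hmac.new(self.server_wrap_key, user.encode(), "sha256").digest()

    def issue_use_license(self, user, pub_license):   # step 4
        if user not in self.directory:
            raise PermissionError(f"{user} cannot be validated")
        body = pub_license["body"]
        clc_key = self.clc_keys.get(body["author"])
        if clc_key is None or not hmac.compare_digest(_mac(clc_key, body), pub_license["sig"]):
            raise ValueError("publishing license signature invalid")
        rights = body["rights"].get(user)
        if not rights:
            raise PermissionError(f"{user} has no rights on this content")
        content_key = _xor(self.server_wrap_key, bytes.fromhex(body["wrapped_key"]))
        return {"user": user, "rights": rights,
                "wrapped_key": _xor(self.user_key(user), content_key).hex()}

def protect(clc, plaintext, rights):           # step 2: Publishing License + encryption
    content_key = os.urandom(32)
    body = {"author": clc["author"], "rights": rights,
            "wrapped_key": _xor(clc["server_wrap_key"], content_key).hex()}
    return {"license": {"body": body, "sig": _mac(clc["clc_key"], body)},
            "ciphertext": _xor(content_key, plaintext)}   # step 3: distribute this

def consume(server, user, protected, action):  # steps 4 and 5
    ul = server.issue_use_license(user, protected["license"])
    if action not in ul["rights"]:             # the application enforces the rights
        raise PermissionError(f"{user} may not {action}")
    content_key = _xor(server.user_key(user), bytes.fromhex(ul["wrapped_key"]))
    return _xor(content_key, protected["ciphertext"])

def build_container(files):
    # GFP container: an ordinary ZIP with another extension, any file types inside
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def open_container(blob):
    # the recipient gets plain native files back; nothing enforces the policy from here on
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return {name: z.read(name) for name in z.namelist()}

def demo():
    server = RmsServer(["alice@contoso.com", "bob@contoso.com", "mallory@contoso.com"])
    clc = server.issue_clc("alice@contoso.com")
    files = {"forecast.pdf": b"%PDF-1.4 constructed sample", "chart.jpg": b"\xff\xd8 constructed"}
    protected = protect(clc, build_container(files), {"bob@contoso.com": ["extract"]})
    results = {"bob_files": open_container(consume(server, "bob@contoso.com", protected, "extract"))}
    for who, action in [("bob@contoso.com", "print"), ("mallory@contoso.com", "extract")]:
        try:
            consume(server, who, protected, action)
        except PermissionError as err:
            results[who.split("@")[0] + "_" + action] = str(err)
    tampered = copy.deepcopy(protected)        # editing the rights breaks the CLC signature
    tampered["license"]["body"]["rights"]["mallory@contoso.com"] = ["extract"]
    try:
        consume(server, "mallory@contoso.com", tampered, "extract")
    except ValueError as err:
        results["tampered"] = str(err)
    return results
```

demo() shows where policy is enforced in this model: the server refuses a Use License to a user the Publishing License does not name and to any license whose rights were edited after the CLC key signed it, and the application refuses an action the Use License does not grant. Once the container is opened, however, open_container returns ordinary bytes that carry no policy, which is the "no enforcement of usage restrictions while files are in use" limitation of container-based protection.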

Slide 53

GFP Explorer

Beta available from Microsoft Connect: http://connect.microsoft.com/directory/security/

Slide 62

Limitations:

• No application-level policy enforcement: once the application gets the data, no restrictions are applied
• No single-click opening of documents: the user has to open the file, then open the documents
• No ability to apply policy from within an application
• No integration with Exchange Transport Protection, Prelicensing, OWA, or protection inheritance from email
• No FCI integration
• No support on mobile devices
• Only available for Windows 7 and Windows Vista

Native protection support is always preferable!

Slide 63

RMS Platform: support for cloud
• Cloud hosted RMS integration with RMS enabled client applications, Office 365 Messaging and other workloads
• Support for B2B and B2C DLP scenarios
• Enhanced external collaboration scenarios
• Cross premise support for RMS on-premises and Exchange Online

RMS Platform
• Crypto: 2048-bit key support
• New RMS Client SDK (MSIPC)
• Container level generic file protection
• Deployment and Manageability enhancements in Windows 8
• Windows Client
• Windows Server

Applications
• Office 2003-2010
• Mac Office 2011
• FCI (WS08 R2)
• Windows Mobile 6.5
• Windows Phone 7

Secure email / messaging
• Exchange 2007+

Secure collaboration
• SharePoint 2007+
• UAG 2010 SP1