
Microsoft IT Strengthens Security with Data Loss Prevention
Published: November 2009; Updated March 2011
With information residing in a multitude of places, enterprises face growing risks of inadvertent or malicious leaks. The integration of Active Directory Rights Management Services into RSA Data Loss Prevention products provides a very effective solution for Microsoft IT to locate and protect sensitive data.
Introduction
Over the years, the Microsoft IT Security team has implemented various technologies to safeguard data stored in hundreds of thousands of personal computers, servers, file shares, Storage Area Networks (SANs), and Microsoft® Office SharePoint® Server sites. This article discusses how the Security team moved from a solution that used the Active Directory® service with early versions of RSA® Data Loss Prevention (DLP) products to a solution that takes advantage of the integration of Active Directory Rights Management Services (AD RMS) into RSA DLP Datacenter. The original solution required IT staff to create and maintain custom classification systems, and then manually notify content owners to update their file-access and classification rules. With the current solution, Microsoft IT can automatically apply targeted and persistent protection according to industry best practices. This improves regulatory compliance, frees up IT time, and lowers the risk of a security breach.
Situation
The Microsoft IT Security team is part of the greater Information Security organization at Microsoft Corporation. This group is responsible for testing and deploying security solutions to protect data throughout the company. This data includes sensitive and regulated information such as financial, personnel, and marketing information, and is stored on and transferred between a variety of locations including personal computers, cell phones, portable-storage devices, servers, file shares, SANs, and Microsoft Office SharePoint Server sites.
The Data-Protection Challenge
Loss of sensitive data is an operational risk for Microsoft. Today, information resides in more places than ever before, including mobile and personal-storage devices. With employees, partners, customers, and vendors working from home, the office, and the field, enterprises face growing risks of inadvertent or malicious data leaks. For example, an employee might send sensitive information as an attachment to an e-mail message or transmit sensitive information outside the firewall via File Transfer Protocol, possibly allowing the information to be intercepted or to fall into the wrong hands. Furthermore, simply transmitting sensitive data outside the organization can breach regulatory compliance guidelines.
Intended Audience
IT managers, IT professionals, CIOs, and business decision makers with information security responsibility
Products & Technologies
- Windows Server 2008 and Windows Server 2008 R2
- Microsoft Office SharePoint Server
- Active Directory Rights Management Services
- RSA DLP Datacenter 7.0.2
- RSA DLP Network 7.0.2
Due to a range of legislative, corporate, and industry regulations that govern the protection of sensitive data, the classification of that data can be a complex process. When defining sensitive data classifications and policies, Microsoft takes these regulations, internal corporate policies, and legal requirements into account. Once the policies and data classifications have been defined, the data must be physically located, placed into the proper classification levels (low, medium, or high business impact), and have the appropriate security settings applied to it.
For example, data classified as Low Business Impact (LBI) may only require limiting user access permissions, while High Business Impact (HBI) data frequently requires encryption in order to meet regulatory standards. One challenge facing security departments is how to apply encryption efficiently to selected content, taking into consideration how the data will be accessed and by whom. Applying encryption too broadly can be prohibitively expensive in terms of dollars, IT time, and lost productivity due to access issues as well as identity and key management requirements.
The Original Solution
For the original solution, the Security team addressed information security challenges by using DLP products from RSA, the security division of EMC® Corporation. The Security team used:
- RSA DLP Datacenter (formerly Tablus® Content Sentinel) to find and safeguard sensitive data when it was at rest residing in data repositories
- RSA DLP Network to monitor and enforce information-security and regulatory-requirement classification policies on data in motion as it was leaving the Microsoft network
The Security team also used the Windows Server® 2003 Active Directory service to manage user-identity and data-access rights. With Active Directory object user authorization, the type of access granted to objects (such as servers and shared volumes) is determined by the rights assigned to the user and the permissions attached to the objects. An object is a set of attributes that can include shared resources, such as printers, computer accounts, domains, applications, and services.
For the original solution, the Security team had to build and maintain classification systems for file shares and SharePoint sites around the company. Content owners then classified their shares and sites based on the types of documents stored in them. Depending on the classification level that the owners chose, the Security team applied safeguards to those locations and used Active Directory to validate user access and access rules. The Security team scanned for sensitive data using the RSA DLP products and then manually notified the content owners if they needed to update the Active Directory access control lists (ACLs) or other classification rules that controlled users' data-access rights. In other cases, the Security team notified users and then handled the updates themselves.
The New Solution
To increase efficiency and compliance with information-security policies, the Security team wanted to further automate the solution, especially by automatically and selectively encrypting specific types of data, such as HBI data, instead of relying on content owners to adjust their ACLs and classification rules to restrict access.
The Security team also wanted to do a better job of protecting unencrypted documents. For example, users who had general file-access rights to open and read a Microsoft Office Word document saved on their own storage device could forward that document outside of Microsoft, where Microsoft no longer had control over it. If these users left Microsoft, they would continue to have access to that document. To improve the solution, the Security team needed to implement more advanced technologies.
In December 2008, the technology needed to solve these problems became available when RSA integrated its DLP Datacenter product, version 7.0.2, with AD RMS, which is part of the Windows Server 2008 operating system. With the addition of AD RMS, the Security team can automatically protect sensitive information and allow access based on a predefined set of rights or permissions, such as the ability to view, edit, copy, save, or print documents.
AD RMS helps safeguard digital information from unauthorized use, both online and offline as well as inside and outside the firewall. It accomplishes this by identifying which files should have persistent usage policies and rights management applied to them, and which ones should be encrypted. With persistent protection, these safeguards are part of the data itself. This means that no matter where the data resides, it carries the permissions and restrictions with it.
The process for locating and protecting data with the new solution is as follows:
1. The Security team creates AD RMS templates to protect particular types of sensitive data. The templates specify which users, such as Microsoft FTEs (full-time employees), should have access to the data and the level of access (view, edit, copy, save, or print) to grant.
2. The Security team designs RSA DLP policies to find and protect data of that type using AD RMS.
3. RSA DLP Datacenter discovers and classifies sensitive files, and then automatically applies the AD RMS templates to the data at rest wherever it resides in the enterprise.
4. When users request files, AD RMS provides policy-based access to the files.
Figure 1 illustrates the process for applying the AD RMS templates and RSA DLP policies.
Figure 1. Protecting HBI data with AD RMS and RSA DLP Datacenter
To ensure that encryption is not applied too broadly, the Security team chose a template that allows users within Microsoft to collaborate on and copy protected content. If the content travels outside of the organization, however, AD RMS safeguards the information by restricting access to current Microsoft employees.
Benefits
In just six months, the Security team implemented an end-to-end information-security solution and scanned one third of the company's file environment. The solution automatically applies persistent safeguards according to data-sensitivity level for easier and less-costly compliance.
Automated Process, Persistent Protection
With the AD RMS Bulk Protection Tool and the new File Classification Infrastructure (FCI) capabilities in Windows Server 2008 R2, content owners no longer have to classify their file shares or manually encrypt their HBI documents. The solution automatically applies targeted and persistent rights, access policies, and safeguards to data based on sensitivity level, and notifies the owner that no further action is necessary. Sensitive data across the corporation is protected both at rest and as it leaves the corporate network. Automation also reduces the risk that content owners will not properly apply required security policies.
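The four-step flow in "The New Solution" (template, discovery policy, automatic protection of data at rest, policy-based access) and the FCI-driven automation described above, as an added example that is not code from the case study, from Microsoft IT, or from RSA. It uses the FileServerResourceManager PowerShell module that ships with Windows Server 2012 and later; the Windows Server 2008 R2 FCI described in the text was configured through the FSRM console and COM API instead, so this is a later-tooling rendering of the same pattern. The share path, property name, content pattern, and AD RMS template name are constructed placeholders; the template itself (which grants collaboration rights to current employees, as the text describes) must already exist on the AD RMS cluster.

```powershell
# Added example (not the case study's own code). Assumes Windows Server 2012+ with the
# File Server Resource Manager role and an AD RMS template already published.
Import-Module FileServerResourceManager

$share       = 'D:\Shares\Finance'               # constructed share path
$rmsTemplate = 'Contoso HBI - Employees Only'    # constructed AD RMS template name

# Step 1 (classification side): a single-choice property holding the business-impact level.
$levels = 'LBI', 'MBI', 'HBI' | ForEach-Object { New-FsrmClassificationPropertyValue -Name $_ }
New-FsrmClassificationPropertyDefinition -Name 'BusinessImpact' -Type SingleChoice `
    -PossibleValue $levels -Description 'Data sensitivity level (low/medium/high business impact)'

# Step 2: a discovery rule. Files under the share whose content matches the constructed
# pattern are tagged BusinessImpact=HBI; Overwrite lets a re-scan correct earlier tags.
New-FsrmClassificationRule -Name 'Detect HBI content' -Namespace @($share) `
    -Property 'BusinessImpact' -PropertyValue 'HBI' `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('(?i)\bMicrosoft Confidential\b') `
    -ReevaluateProperty Overwrite

# Step 3: run classification now (it can also be scheduled), then protect only HBI files.
# Scoping the RMS action to BusinessImpact=HBI is what keeps encryption from being applied
# too broadly, which the text calls out as the main cost risk.
Start-FsrmClassification -Confirm:$false

$isHbi  = New-FsrmFmjCondition -Property 'BusinessImpact' -Condition Equal -Value 'HBI'
$apply  = New-FsrmFmjAction -Type Rms -RmsTemplate $rmsTemplate
New-FsrmFileManagementJob -Name 'Protect HBI with AD RMS' -Namespace @($share) `
    -Condition $isHbi -Action $apply -Continuous

# One immediate pass over existing data at rest; -Continuous then covers new and changed files.
Start-FsrmFileManagementJob -Name 'Protect HBI with AD RMS'

# Sanity checks before trusting the automation: the rule and the job exist with the intended scope.
Get-FsrmClassificationRule -Name 'Detect HBI content' | Select-Object Name, Namespace, PropertyValue
Get-FsrmFileManagementJob -Name 'Protect HBI with AD RMS' | Select-Object Name, Namespace, Continuous
```

Step 4 needs no scripting: once the job has applied the template, the rights travel with the file, and AD RMS evaluates them at open time wherever the file ends up. Run the file management job in a reporting-only configuration against a test share first so that a too-broad content pattern does not encrypt LBI data.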
Easier, Less Costly Compliance
DLP solutions coupled with automatic RMS protection enable an enterprise to scan, classify, and protect enormous volumes of information in a timely and regularly scheduled manner. Microsoft employees can stay compliant automatically with data-handling standards that call for encryption of HBI documents, without the expense of applying encryption too broadly.
This is important because Microsoft has many terabytes of data stored at various locations, and the costs of encrypting all of that data would far outweigh the benefits. With the RSA DLP Suite and AD RMS, Microsoft knows where the sensitive information is, and the Security team can automatically apply specific safeguards to the sensitive files.
Broader Coverage
The Security team has scanned millions of documents using the new solution and has encrypted thousands of them. The team expects to encrypt tens of thousands of additional documents by the time they have finished running the AD RMS Bulk Protection Tool.
Freed IT Time
With automation, Microsoft IT has been able to free up one-half of one developer's time. Rather than creating and maintaining classification systems for file shares, this developer is free to work on other projects. Microsoft IT expects to receive similar time savings when they deploy the next version of Office SharePoint Server.
Conclusion
By implementing a solution that integrates RSA DLP technology and AD RMS, Microsoft has been able to automate the process of locating sensitive data and applying the appropriate protections to that data. This automation provides greater efficiency and frees up personnel resources. It also provides a greater level of protection for sensitive data.
For More Information
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information through the World Wide Web, go to:
http://www.microsoft.com
http://www.microsoft.com/technet/itshowcase
© 2009 Microsoft Corporation. All rights reserved.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, SharePoint, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.