Data Leakage Prevention

Presented by Paul Loonen.

Published in: Technology

Speaker notes:
  • PII – Personally Identifiable Information; IP – Intellectual Property; NPI – Non-public Personal Information
  • All of this started with the introduction of claims with WIF and ADFS. This is great because you don’t need to think about authN and authZ. This model was pushed into the core of Windows so that we can give developers the right level of flexibility and granularity to drive applications. Additionally, there is the challenge of applying policy. In Win8 we use classification and tagging as a key pivot to apply access control to data.
  • Today, ACLs have ACEs that list the SIDs that have access to the resource. Expressions reduce the need for groups because you can combine anything. Before Win8, ACLs could only be based on groups; now we can base them on claims, which come from AD.
  • Rights Protected Folder Explorer allows you to work with Rights Protected Folders. A Rights Protected Folder is similar to a file folder in that it contains files and folders. However, a Rights Protected Folder controls access to the files that it contains, no matter where the Rights Protected Folder is located. By using Rights Protected Folder Explorer, you can securely store or send files to authorized users and control which users will be able to access those files while they are in the Rights Protected Folder.
  • The drive must be formatted by using either the exFAT, FAT16, FAT32, or NTFS file system. The drive must have at least 64 MB of available disk space. The operating system drive must be protected by BitLocker if you want the drive to be unlocked automatically. BitLocker To Go Reader (bitlockertogo.exe) may be used to unlock FAT-formatted removable drives accessed using a computer running Windows Vista or Windows XP. Once unlocked by the BitLocker To Go Reader you will have read-only access to the files stored on the removable drive. This means you will not be able to modify the drive by adding new files to it or changing the contents of the existing files on the drive. If you plan on using the BitLocker To Go Reader you must use a password as one of your BitLocker key protectors. The BitLocker To Go Reader cannot use credentials from a smart card or from a TPM.
  • Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will manage and update certificate-based data recovery agents only when the identification field is present on a drive and is identical to the value configured on the computer. The identification field can be any value of 260 characters or fewer.
  • Encryption is done at the file-system level – Not at the application level and normal usage is transparent to the user
    1. Data Leakage Prevention in your Microsoft Infrastructure
       Paul Loonen, IAM Architect, Verizon Enterprise Solutions
    2. About me
       • Co-founder
       • MVP: Microsoft Forefront Identity Manager
       • MCM Directory
       • Job Role: IAM Architect @ Verizon Enterprise Solutions
       • Blog @
       • @ploonen (@wintalksbe)
    3. Disclaimer
       • Focus is on using what you already (may) have …
       • Everything I say won’t help against this:
    4. Agenda
       • The Data Leakage Problem
       • How to approach DLP
       • Data classification
       • Protecting Your Data
    5. What is Data Leakage
    6. Information Leakage Is Costly On Multiple Fronts
       Legal, Regulatory & Financial impacts
       • Cost of digital leakage per year is measured in $ billions
       • Increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386
       • Non-compliance with regulations or loss of data can lead to significant legal fees, fines and/or jail time
       Damage to Image & Credibility
       • Damage to public image and credibility with customers
       • Financial impact on company
       • Leaked e-mails or memos can be embarrassing
       Loss of Competitive Advantage
       • Disclosure of strategic plans, M&A info potentially lead to loss of revenue, market capitalization
       • Loss of research, analytical data, and other intellectual capital
    7. Risk Areas
       PII
       • Birth Date
       • Employee Numbers
       • Social Security / National Numbers
       • Credit card Information (PCI)
       • Personal Health Information
       IP
       • Source Code
       • Product Design Documents
       • Research Information
       • Patent Applications
       • Customer Lists
       NPI
       • Financial Information
       • Mergers & Acquisitions activities and information
       • Executive communication
       • Legal and Regulatory Matters
       • Corporate Policies
    8. Do you want to be these people?
    9. How does this happen, and by whom?
       • Ex-employees, partners, customers
       • Over 1/3 due to negligence
       • Nearly 30% of loss on portable devices
       • Increasing loss from external collaboration
       [Chart: Percentage cause of data breach. Source: Cost of Data Breach report, Ponemon Institute 2010]
       [Chart: Estimated sources of data breach. Source: Verizon Data Breach Investigation Report 2013]
    10. Variety of Misuse Actions (Source: Verizon Data Breach Investigation Report 2013)
    11. So, what is DLP?
       • DLP means different things to different people
         • Data Loss Prevention
         • Data Leakage Prevention
         • Data Loss Protection
       • DLP is always about protecting information that is sensitive to an organization
       • DLP technology is content aware
         • Referred to as deep packet inspection; analyzes the payload contained within a file or session
       • DLP references data in one of three states
         • Data in motion
         • Data at rest
         • Data in use
    12. How to approach DLP
    13. Approach
       • Strategy Assessment: business case validation, plan for solution deployment, define and enhance process and policies
       • Data Discovery & Classification: locate and classify sensitive data on file systems, emails, applications, endpoints, etc.
       • Encryption / Key Management: render sensitive information unreadable to unauthorized sources
       • Data-Leak Prevention: enforce controls and policies to reduce leakage of sensitive information from secured networks and systems
       • Post-Leak Management: enforce controls to protect sensitive data post leak
    14. Data Classification
    15. Managing data on file servers
       Looking at the problem space for a data repository
       • One of the largest repositories of data in the organization
       • Regulatory compliance periodic audits are expensive and labor intensive
       • Data leakage of sensitive information
       • Exposure of information due to complexity of granting access on a need-to-know basis
    16. File Classification Infrastructure: tagging information
       • Location based
       • Manual
       • Automatic classification
         • Application
         • In-box content classifier
         • 3rd party classification plugin
       Code sample from the slide (C#, against the FSRM COM interop; the using directive and the IFsrmCollection return type are filled in here):

       using Microsoft.Storage;   // FSRM interop namespace (add a reference to srmlib)

       // instantiate new classification manager
       FsrmClassificationManager cls = new FsrmClassificationManager();
       // get defined properties (EnumPropertyDefinitions returns an IFsrmCollection)
       IFsrmCollection c = cls.EnumPropertyDefinitions(_FsrmEnumOptions.FsrmEnumOptions_None);
       // inspect each property definition
       foreach (IFsrmPropertyDefinition p in c)
       {
           /* ... */
       }
    17. File Classification Infrastructure: applying policy based on classification
       Classify file → Match file to policy → Actions:
       • Access control
       • Audit control
       • RMS Encryption
       • Retention
       • Other actions
    18. How do I get “FCI”? File Server Resource Manager. Overview of FSRM:
    19. Where do I get FSRM?
       PS C:\> Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
    20. Configuring Classification with FSRM (the manual way)
    21. Configuring Classification with FSRM
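The scripted counterpart to the manual FSRM configuration on slides 16 to 21, as an added example that is not part of the deck: it defines the classification property, a content rule that tags files automatically, runs classification, and adds the "RMS Encryption" action from slide 17 as a file management job. It uses the FileServerResourceManager module that ships with Windows Server 2012; the share path `D:\Shares\Finance`, the property name `Impact`, the card-number regex and the RMS template name `Company Confidential` are all constructed assumptions.

```powershell
# Added example, not code from the deck. Run elevated on a Windows Server 2012 file server
# that has the FS-Resource-Manager feature installed (slide 19).
Import-Module FileServerResourceManager

$share = 'D:\Shares\Finance'   # constructed sample location

# 1. Secured property "Impact" with an ordered value set. This is the tag FCI stores with
#    the file and that DAC/RMS policy later pivots on.
$values = @(
    New-FsrmClassificationPropertyValue -Name 'High' -Description 'High business impact'
    New-FsrmClassificationPropertyValue -Name 'Low'  -Description 'Low business impact'
)
New-FsrmClassificationPropertyDefinition -Name 'Impact' -Type OrderedList -PossibleValue $values

# 2. Automatic rule using the in-box content classifier: tag Impact=High when the file
#    body matches a card-number-like pattern (constructed, deliberately coarse: 16 digits
#    in groups of four). Overwrite re-evaluates on every run so stale tags do not survive.
New-FsrmClassificationRule -Name 'PCI in Finance share' `
    -Property 'Impact' -PropertyValue 'High' `
    -Namespace @($share) `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b') `
    -ReevaluateProperty Overwrite

# 3. Run classification now instead of waiting for the schedule.
Start-FsrmClassification -Confirm:$false

# 4. Policy step (slide 17, "RMS Encryption"): a continuous file management job that
#    protects every file tagged Impact=High with the assumed AD RMS template.
$condition = New-FsrmFmjCondition -Property 'Impact' -Condition Equal -Value 'High'
$action    = New-FsrmFmjAction -Type Rms -RmsTemplate 'Company Confidential'
New-FsrmFileManagementJob -Name 'Protect High Impact' -Namespace @($share) `
    -Condition $condition -Action $action -Continuous

# 5. Read a file's tag back through the same COM interface the C# sample on slide 16 uses.
function Get-FileImpact {
    param([string]$Path)
    $cm = New-Object -ComObject 'Fsrm.FsrmClassificationManager'
    try   { return $cm.GetFileProperty($Path, 'Impact', 0).Value }
    catch { return $null }   # no property set on this file
}
Get-ChildItem -Path $share -Recurse -File |
    Select-Object FullName, @{ n = 'Impact'; e = { Get-FileImpact $_.FullName } }
```

The regex is the part to treat with care: the content classifier runs it over every file in the namespace, so a loose pattern produces false positives that then get RMS-protected and become unreadable to people who never needed a license. Pilot the rule with the `-ReevaluateProperty` default and a report before turning on the file management job.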
    22. Data Classification Toolkit for Windows Server 2012
       • Free download:
       • Assists you in configuring FCI in your environment
       • Allows managing Central Access Policy across file servers
       • Integrates with Dynamic Access Control and AD RMS
       • Scenario-based
       • Classification configuration package examples provided
    23. Process
    24. Sample Package
    25. Example: NIST
    26. //sidenote
       • Enable FCI tab in explorer on Windows 8 clients:
    27. Typical Infrastructure
       • Win8 or Win7 SP1 Client with toolkit installed
       • SQL Server when reporting is required
         • Reporting DB
         • DB of file servers running FCI
         • Limited reporting without SQL Server
       • Win2k12 DC
         • Domain functional level must be Win2k12 – this enables Central Access Policy
         • Otherwise local file server properties …
       • File servers running FCI
         • Win2k8 R2 or Win2k12
    28. Protecting Your Data: Dynamic Access Control
    29. Dynamic Access Control
       • Brings existing identity claims model into the Windows platform
         • WIF, ADFS
       • Introduce a model to target access and audit policies based on tagging to drive efficient policy enforcement and implement this model for files
       • Bridge the gap between IT & Information Owners using information tagging for files
    30. Expression-based access control policy
       User claims: User.Department = Finance; User.Clearance = High
       Device claims: Device.Department = Finance; Device.Managed = True
       Resource properties: Resource.Department = Finance; Resource.Impact = High
       ACCESS POLICY
       Applies to: @Resource.Impact == “High”
       Allow | Read, Write | if (@User.Clearance == “High”) AND (@Device.Managed == True)
    31. Authorization – Updated ACL Model (Legacy Windows / New in Win2k12 / Example)
       • Legacy: no expressions in ACL, which led to group bloat. New: support for expressions with ‘AND’/‘OR’ primitives. Example: User.memberOf (USA-Employees) AND User.memberOf (Finance-Division) AND User.memberOf (Authorization-Project)
       • Legacy: ACLs only based on groups, which led to group bloat. New: support for User Claims from AD. Example: User.Division = ‘Finance’ AND User.CostCenter = 20000
       • Legacy: no ability to control access based on device state. New: support for Static Device Claims from AD. Example: User.Division = ‘Finance’ AND Device.ITManaged = True
       • Legacy: no way to target policy based on Resource Type. New: target policy based on Resource Type. Example: IF (Resource.Impact = ‘HBI’) ALLOW AU Read User.EmployeeType = ‘FTE’
       • Claims support in ACEs is managed as SDDL strings; added / removed from SDDL strings via standard string manipulation functions
    32. Control access to information
       Claim Definitions and Resource Property Definitions → Access policy on the DC → File Server → Allow/Deny → End User
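The slide-30 policy expressed with the ActiveDirectory module on a Windows Server 2012 domain controller, as an added example (not the deck's own material). It assumes a custom single-valued string attribute `clearance` on user objects exists in your schema, that computers carry their department in the standard `department` attribute (the computer class inherits it from user), and that the claim IDs `ad://ext/Clearance` and `ad://ext/Department` are free; the rule and policy names are constructed. The device condition uses Department rather than the slide's boolean `Managed` claim so the SDDL stays a plain string comparison.

```powershell
# Added example, not code from the deck. Run as a Domain Admin on a Win2k12 DC
# (domain functional level Win2k12, slide 27).
Import-Module ActiveDirectory

# 1. Claim types: attributes the KDC copies into the Kerberos ticket for users and devices.
New-ADClaimType -DisplayName 'Clearance' -SourceAttribute 'clearance' `
    -AppliesToClasses @('user') -ID 'ad://ext/Clearance' -Enabled $true      # assumed schema attribute
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -AppliesToClasses @('user', 'computer') -ID 'ad://ext/Department' -Enabled $true

# 2. Resource property "Impact" (the FCI tag). The cmdlet derives the ID "Impact_MS"
#    from the display name; the rule below refers to it by that ID.
$entry = 'Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry'
$high  = New-Object $entry ('High', 'High', 'High business impact')
$low   = New-Object $entry ('Low',  'Low',  'Low business impact')
New-ADResourceProperty -DisplayName 'Impact' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SuggestedValues @($high, $low)
Add-ADResourcePropertyListMember 'Global Resource Property List' -Members 'Impact'

# 3. Central access rule = targeting condition + conditional (XA) ACE.
#    0x1301bf is the Modify mask (read + write), AU is Authenticated Users; owner,
#    Administrators and SYSTEM keep full access so the rule cannot lock IT out.
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
       '(XA;;0x1301bf;;;AU;((@USER.ad://ext/Clearance == "High") && ' +
       '(@DEVICE.ad://ext/Department == "Finance")))'
New-ADCentralAccessRule -Name 'High Impact Finance Rule' `
    -ResourceCondition '(@RESOURCE.Impact_MS == "High")' `
    -CurrentAcl $acl

# 4. Policy container; the file server applies it after the policy is linked under
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    File System > Central Access Policy and the share's security tab selects it.
New-ADCentralAccessPolicy -Name 'High Impact Policy'
Add-ADCentralAccessPolicyMember -Identity 'High Impact Policy' -Members 'High Impact Finance Rule'

# 5. Read back what was created.
Get-ADCentralAccessRule -Filter "Name -eq 'High Impact Finance Rule'" |
    Format-List Name, ResourceCondition, CurrentAcl
```

Two prerequisites are easy to miss when this does nothing: the DCs need the "KDC support for claims, compound authentication and Kerberos armoring" policy and the clients need the matching "Kerberos client support" policy, otherwise tickets carry no claims and the conditional ACE silently evaluates to deny. Use `-ProposedAcl` instead of `-CurrentAcl` first so the change shows up as audit events rather than as access denials.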
    33. Protecting Your Data: Active Directory Rights Management Services (AD RMS)
    34. What is AD RMS?
       • Information Protection technology
       • Aimed at reducing information leakage
       • Server and client components
       • Integrated with Windows, Office, Exchange, SharePoint and more
       • Based on Symmetric and Public Key Cryptography
       • Protects data at rest, in transit and in use
       • Helps enforce corporate data policies
       • Installed as a server role
    35. How AD RMS Works
       • Client and user are “activated”
       • Client creates rights-protected content (offline)
       • User distributes rights-protected content
       • Recipient acquires licenses from server to decrypt protected information
       • Client enforces usage policies
    36. Using IRM to avoid data leakage
       • Encryption provides protection from unauthorized access
         • Most effective if it is identity-based
       • How you manage encryption is essential
         • Needs to be independent from content management
         • Must be integrated with ID management
         • Must be simple to use
         • Must be strong, reliable and recoverable
       • Encryption is not enough
         • Users will misuse information if they can
         • Even trusted users make mistakes
         • But if policy is clear and not easily circumvented, legitimate users will follow the policies
    37. AD RMS Highlights
       • Robust protection
         • AES 128 bits, RSA 1024 bits, HSM support
         • Extensive client-side enforcement
       • Very easy to use
         • UI integrated with Office products
         • Authors just select the appropriate option
         • No action required on consumers of protected information
         • No significant need for user technical training
       • Transparent operation
         • Automated certificate and license management
         • Small traffic and volume overhead
       • Low infrastructure cost
    38. Protecting information with AD RMS
       • Users can manually assign rights over a document
         • Who can read, print, edit, copy…
         • Can assign rights to users or groups
         • Document expiration, programmatic access, other advanced options
       • Some applications have pre-defined options
         • E.g. Outlook’s “Do Not Forward”
       • Users can use a pre-built template
         • Templates reflect the organization’s security policies
           • Company Confidential
           • Managers only
           • Contains private information
           • Etc.
         • Templates enforce a pre-defined set of rights
         • Templates are enforced at time of consumption
       • Some applications can automatically apply protection
    39. What documents can I protect using AD RMS?
       • Anything really
       • AD RMS SDK 2.0
       • Microsoft Office file formats (Word, Excel, PowerPoint)
       • Many other formats using 3rd party (Foxit, Titus, …)
       • Rights Protected Folder Explorer (“RPFe”)
         • Controls access to files contained in RPF
         • Caveat: when file is “extracted” it is no longer protected
    40. Certification & Licensing: RMS Components Detail
       • RMS “Root” Certification Cluster (IIS, ASP.NET; NLB)
         • RMS Web Services: Certification, Publishing, Licensing
         • Administration: Service connection point, Policy Templates, Logging Settings
       • RMS Licensing Cluster (IIS, ASP.NET; NLB)
         • RMS Web Services: Publishing, Licensing
       • Active Directory: Identity list, Service Connection point
       • SQL Server: Configuration, Logging, Directory; Logging Database
       • Client Machines: RMS Client + “Lockbox”, RMS-enabled applications, User Certificate + key pair, Machine Certificate + key pair
    41. Windows RMS Key Flow: Standard Publish-and-Consume Scenario
       Actors: Information Author, Recipient, RMS Server, Database Server, Active Directory
       1. Author automatically receives RMS credentials (“rights account certificate” and “client licensor certificate”) the first time they rights-protect information.
       2. Author applies an RMS policy to their file. The application works with the RMS client to create a “publishing license”, encrypts the file, and appends the publishing license to it.
       3. Author distributes file.
       4. Recipient clicks file to open. The application sends the recipient’s credentials and the publishing license to the RMS server, which validates the user and issues a “use license.”
       5. Application renders file and enforces rights.
    42. AD RMS and SharePoint
       • When content is downloaded from a library…
         • RMS protection automatically applied
         • Information still searchable in SharePoint library
         • SharePoint rights map to IRM permissions
       Actors: Recipient, AD RMS, SharePoint
    43. AD RMS & Exchange
       • When users are sending emails unprotected…
         • Exchange transport rules apply RMS automatically
         • Based on content (what it says) and context (who it’s going to) analysis
         • Consume protected email in IE, Firefox and Safari
       Actors: Recipient, Information Author, AD RMS, Exchange
    44. AD RMS and file shares
       • When content is saved to a network file share...
         • Bulk Protection Tool secures all content in certain folders
         • File Classification Infrastructure (FCI) can automate classification, RMS and move into SharePoint
       Actors: AD RMS, File Server, Information Author, SharePoint
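The slide-43 transport rule in concrete form, as an added example that is not from the deck: content analysis (a regex over subject and body) combined with context (who the mail goes to) selects the RMS template Exchange applies. It is Exchange Management Shell syntax for Exchange 2010 SP1 or later with IRM enabled against AD RMS; the rule name and the national-number pattern are constructed, and "Do Not Forward" is the template Outlook exposes out of the box.

```powershell
# Added example, not code from the deck. Run in the Exchange Management Shell as an
# Organization Management member after IRM has been enabled (Set-IRMConfiguration).

# Constructed: US SSN-style pattern; replace with the identifier format your regulators care about.
$piiPattern = '\b\d{3}-\d{2}-\d{4}\b'

# Content + context: PII-looking text AND an internal recipient set. "Do Not Forward" keeps
# the mail readable inside the org but blocks forward/print/copy. For external recipients
# you would pick a template they can consume, which requires RMS trust with their org.
New-TransportRule -Name 'RMS-protect PII inside the org' `
    -SubjectOrBodyMatchesPatterns @($piiPattern) `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -Comments 'Automatic IRM: content (PII pattern) and context (internal recipients); DLP deck slide 43'

# Second context variant: anything from the Finance DL carrying the pattern gets a
# stricter, organization-defined template (assumed to exist as "Company Confidential").
New-TransportRule -Name 'RMS-protect Finance PII' `
    -FromMemberOf 'Finance Team' `
    -SubjectOrBodyMatchesPatterns @($piiPattern) `
    -ApplyRightsProtectionTemplate 'Company Confidential' `
    -Priority 0

# Review what will fire, in priority order.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, SentToScope, ApplyRightsProtectionTemplate -AutoSize
```

Test with `Test-IRMConfiguration -Sender <mailbox>` before relying on the rule: if Exchange cannot reach the RMS cluster the action fails and, depending on configuration, the message is deferred rather than delivered, which users experience as mail silently queueing.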
    45. Protecting Your Data: BitLocker To Go
    46. BitLocker vs BitLocker To Go
       BitLocker
       • TPM
       • Operating System
       • Data Partitions (Fixed)
       • TPM, Dongle, PIN
       • Requires System Partition
       BitLocker To Go
       • Data Partition (Removable)
       • Password, Auto-Unlock, Smartcards
       • Supports FAT
       • XP / Vista (Read Only)
    47. BitLocker Group Policy Settings
       • BitLocker Group Policy settings can
         • Turn on BitLocker backup to Active Directory
         • Enable, enforce or disable password or smartcard protectors
         • Enforce a minimum password length
         • Enforce password complexity
         • Deny write access to drives not encrypted with BitLocker
         • Do not allow write access to devices from other organizations
    48. Data Drive Key Protectors
       BitLocker offers a spectrum of protection allowing you to balance ease of use against the threats you are most concerned with.
       • Password. Pros: ease of use, backward compatibility, BitLocker To Go Reader. Cons: less secure, vulnerable to brute force and dictionary attacks
       • Auto-Unlock. Pros: uses a stronger key. Cons: specific to a single machine
       • Smartcards. Pros: uses much stronger keys. Cons: requires hardware, not backward compatible
    49. Active Directory Based Recovery
       Requirements
       • Schema needs to be extended
       • Windows Server 2008 R2 or later
       • All DCs must be Windows Server 2003 SP1 or later
    50. Data Recovery Agent
       New Recovery Mechanism
       • Certificate-based key protector
       • A certificate containing a public key is distributed through Group Policy and is applied to any drive that mounts
       • The corresponding private key is held by a data recovery agent in the IT department
       • Allows IT department to have a way to unlock all protected drives in an enterprise
       • Saves space in AD – same Key Protector on all drives
    51. Enforcement
       • Requiring BitLocker for data drives
         • When this policy is enforced, all data drives will require BitLocker protection in order to have write access
         • As soon as a drive is plugged into a machine, a dialog is displayed to the user to either enable BitLocker on the device or only have read-only access
         • The user gets full RW access only after encryption is completed
         • Users can alternatively enable BitLocker at a later time
    52. Cross-Organization
       • This policy will help enterprises manage compliance when a requirement exists to not allow devices to roam outside of the enterprise
       • When the "Deny write access to devices configured in another organization" policy is enabled
         • Only drives with identification fields matching the computer’s identification fields will be given write access
         • When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields
         • These fields are defined by the "Provide the unique identifiers for your organization" policy setting
       • For existing drives: manage-bde -SetIdentifier <drive letter>
    53. Recommendations
       • Identification fields
         • Should be set before your deployment if you are planning to use DRAs or the cross-organization policy
         • Are automatically set during encryption
         • Can be set after encryption using Manage-BDE or WMI but this requires Administrator rights
       • Certificates
         • Deploy the required certificates before enabling BitLocker on data drives
       • BitLocker To Go Reader
         • Installed per default but can be managed through group policies
         • Requires the use of a password
         • Can be deployed separately using a software distribution tool
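Slides 47 to 53 as one provisioning script, added here as an example rather than taken from the deck: a removable drive gets a password protector (the one the BitLocker To Go Reader can use), a recovery password escrowed to AD DS, the organization identification field from slide 52, and a compliance check for the attributes the "deny write access" policies examine. It uses the BitLocker module from Windows 8 / Server 2012 and the `manage-bde` command the slide shows; the drive letter `E:` is a constructed assumption, and reading the identifier policy from `HKLM\SOFTWARE\Policies\Microsoft\FVE` is an assumption about where the Group Policy setting lands.

```powershell
# Added example, not code from the deck. Run elevated on a domain-joined Windows 8 client
# whose domain already has the BitLocker recovery schema extension (slide 49).
Import-Module BitLocker

$drive = 'E:'   # constructed: the removable data drive

# 1. Password protector; used-space-only keeps first encryption short on a fresh stick.
$pw = Read-Host -AsSecureString -Prompt "BitLocker password for $drive"
Enable-BitLocker -MountPoint $drive -PasswordProtector -Password $pw -UsedSpaceOnly

# 2. Recovery password protector, escrowed to AD DS so the help desk can recover the
#    drive without the user's password.
Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $rp.KeyProtectorId

# 3. Identification field for a drive that was encrypted before the org-ID policy existed
#    (slide 52); new drives pick it up automatically during encryption (slide 53).
manage-bde -SetIdentifier $drive

# 4. Compliance view: the state the "deny write access" policies evaluate.
function Test-BitLockerToGoCompliance {
    param([string]$MountPoint)
    $v     = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($v.KeyProtector | ForEach-Object KeyProtectorType)
    # Assumption: the "Provide the unique identifiers for your organization" setting is
    # written to this policy key by Group Policy.
    $orgId = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                -Name IdentificationField -ErrorAction SilentlyContinue).IdentificationField
    [pscustomobject]@{
        Drive           = $MountPoint
        FullyEncrypted  = ($v.VolumeStatus -eq 'FullyEncrypted')   # RW only after this (slide 51)
        ProtectionOn    = ($v.ProtectionStatus -eq 'On')
        HasPassword     = ($types -contains 'Password')            # needed for To Go Reader
        HasRecoveryPwd  = ($types -contains 'RecoveryPassword')
        HasDRA          = ($types -contains 'ExternalKey' -or $types -contains 'Certificate')
        OrgIdPolicySet  = -not [string]::IsNullOrEmpty($orgId)
    }
}
Test-BitLockerToGoCompliance -MountPoint $drive
```

`manage-bde -status E:` prints the identification field itself, which the module object does not expose; compare it with the policy value when a drive from another business unit is refused write access, because a mismatch there is the usual cause.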
    54. More policies that help prevent leakage via removable drives
    55. Protecting Your Data: Encrypting File System
    56. Encrypting File System (EFS)
       Features
       • Transparent encryption done at the file-system level
       • If a folder is marked, every file created or moved into it will be encrypted
       • File encryption keys can be archived (USB Flash Drive, File server)
       • There is no “back door”
       • Keys are protected with the user’s password on the computer
       • Data Recovery Agent to allow for recovery of files if user’s key is lost
    57. What It Doesn’t Protect or Prevent
       • It does NOT provide encryption to files that are:
         • Sent via email
         • Kept on a separate flash drive/thumb drive/USB drive/floppy disk
         • Moved over the network via shared folders (CIFS/AFS)
         • System and page file
       • It does not prevent
         • Files moved into folder set to encrypt all files
         • Files from being deleted
       • When you are about to move an encrypted file, Windows will warn you that you will lose your EFS encryption.
       • Keep in mind that whenever you move a file off of your computer, it is probably no longer protected by EFS.
    58. Protecting Your Data: What encryption?
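An added example for slides 56 and 57 (not from the deck): mark a folder for EFS with the in-box `cipher.exe`, inventory which files actually carry the Encrypted attribute, check whether a planned destination can hold an EFS file at all, and back up the user's EFS certificate and key as slide 56 recommends. The folder and file names are constructed; the destination test treats any UNC path as losing EFS, which is the common case unless the file server is trusted for delegation and has EFS enabled.

```powershell
# Added example, not code from the deck. Runs as the interactive user on Windows 7/8.
$folder = Join-Path $env:USERPROFILE 'Sensitive'     # constructed location
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Mark the folder: from now on every file created in or moved into it is encrypted
# (slide 56). /S applies to the folder tree.
cipher.exe /E /S:"$folder" | Out-Null

'constructed sample content' | Set-Content (Join-Path $folder 'plan.txt')

# Inventory: Encrypted is a FileAttributes flag on NTFS; nothing else marks the file.
function Get-EfsState {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            File      = $_.FullName
            Encrypted = [bool]($_.Attributes -band [IO.FileAttributes]::Encrypted)
        }
    }
}

# Will EFS survive a copy or move to this destination? Slide 57: mail, removable
# FAT media and network shares do not carry it. Only NTFS volumes can store EFS files.
function Test-EfsPreserved {
    param([string]$Destination)
    if ($Destination -like '\\*') { return $false }            # share: assume lost
    $letter = [IO.Path]::GetPathRoot($Destination).Substring(0, 1)
    $vol    = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
    return ($null -ne $vol -and $vol.FileSystem -eq 'NTFS')
}

Get-EfsState -Path $folder | Format-Table -AutoSize
Test-EfsPreserved -Destination 'E:\handover\plan.txt'         # FAT stick -> False
Test-EfsPreserved -Destination '\\fileserver\share\plan.txt'  # share    -> False
Test-EfsPreserved -Destination 'C:\Users\Public\plan.txt'     # NTFS     -> True

# Archive the EFS certificate and private key (slide 56): cipher /X prompts for a
# password and writes a .pfx; move it off the machine, e.g. to a USB drive.
cipher.exe /X "$env:USERPROFILE\efs-key-backup"
```

The inventory is worth running periodically because `Get-EfsState` reports exactly the gap slide 57 warns about: a file that was dragged out of the folder to a FAT-formatted stick comes back with `Encrypted = False`, with no error anywhere other than the one dialog the user clicked through.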
    59. RMS vs EFS vs BitLocker: scenarios (columns RMS, EFS, BitLocker)
       Secure Collaboration
       • Protect my information outside my direct control
       • Set fine-grained usage policy on my information
       • Collaborate with others on protected information
       Protect Yourself
       • Protect my information to my smartcard
       • Untrusted admin of a file share
       • Protect information from other users on shared machine
       Protect Against Theft
       • Lost or stolen laptop
       • Physically insecure branch office server
       • Local single-user file & folder protection
    60. Summary
       • Think strategy when starting a DLP project
       • Data classification
         • Lets you know what data you have and where it sits
         • Allows implementing controls on metadata
       • Protection comes in many shapes
         • Dynamic Access Control
         • AD RMS
         • BitLocker To Go
         • Encrypting File System (EFS)
       • Protection doesn’t stop with one implemented control
         • Combination of multiple controls will be your ticket
       • Think about reporting
       • 3rd party solutions complement Microsoft building blocks
    61. Some References
       • Verizon Data Breach Investigations Report 2013
       • Classification
         • FCI -
         • WSRM -
         • DCT -
       • DAC
       • AD RMS
         • AD RMS Team Blog:
         • RPFe -
       • BitLocker To Go