Microsoft India - Security and Data Loss Protection Case Study


To safeguard data stored in and transmitted from Microsoft® offices and portable devices around the world, the Microsoft IT Security team used the Active Directory® service to manage data-access rights and early versions of RSA® Data Loss Prevention (DLP) products to locate sensitive data. This solution required IT staff to create and maintain custom classification systems and then manually notify content owners to update their file-access and classification rules. Microsoft IT Security upgraded to Active Directory Rights Management Services in the Windows Server® 2008 operating system, as well as version 7 of DLP Datacenter. Now, Microsoft can automatically apply targeted and persistent protection according to industry best practices for improved regulatory compliance, freeing up IT time and lowering the risk of a security breach.


Microsoft IT Customer Solution Case Study
Microsoft IT Strengthens Security with Data Loss Prevention Solution

Overview
Country or Region: United States
Industry: IT services

Customer Profile
The Microsoft® IT division supports the daily computing operations of Microsoft Corporation, which is headquartered in Redmond, Washington.

Business Situation
Microsoft relied on content owners to adjust access and classification settings for sensitive data in file shares and on SharePoint® sites; data on users’ computers was vulnerable to security breaches.

Solution
Microsoft used its Active Directory® Rights Management Services and the RSA® Data Loss Prevention Suite from EMC Corporation to automatically apply persistent access rights to data according to its sensitivity level.

Benefits
• Automated process
• Persistent protection
• Easier, less costly compliance
• Tighter information security
• Freed IT time

“With the RSA DLP Suite and Active Directory Rights Management Services, we know where the sensitive information is, and we can automatically apply specific safeguards just to the files that need them.”
Situation
Microsoft® IT Operations is part of the greater Information Security organization at Microsoft Corporation. Its Microsoft IT Security team is responsible for testing and deploying security solutions that protect the entire company’s data. The data to be safeguarded includes financial, personnel, and marketing information, which is stored on and transferred among hundreds of thousands of personal computers, servers, file shares, Storage Area Networks, and Microsoft Office SharePoint® Server sites.

The Data-Protection Challenge
The challenge is huge. With information residing in more places, such as mobile devices, and with employees, partners, customers, and vendors working from home, the office, and the field, enterprises face growing risks of inadvertent or malicious data leaks. For example, whether intentionally or accidentally, sensitive information might be sent as an attachment to an e-mail message or transmitted outside the firewall via File Transfer Protocol and could be intercepted. Furthermore, simply transmitting sensitive data outside the organization can breach regulatory compliance guidelines. “Loss of sensitive data is an operational risk for Microsoft,” says Olav Opedal, Senior Program Manager for Microsoft IT Security.

Classifying sensitive data is complex, as a range of corporate and industry regulations govern its protection, such as Personally Identifiable Information (PII) and Intellectual Property (IP). Microsoft takes these into account, along with internal corporate policies and legal requirements. Once at-risk data has been identified, it must be physically located, and content owners must help classify its sensitivity as being low, medium, or high business impact (HBI) to help ensure the proper level of protection.

Whereas less-sensitive data can be adequately protected by limiting users’ access, HBI data often requires encryption in order to best meet regulatory standards. The challenge is finding a way to efficiently apply encryption just to selected content, keeping in mind how it will be used and who will need to access it; applying encryption too broadly can be prohibitively expensive in terms of dollars, IT time, and lost productivity due to access issues and identity and key management.

The Original Solution
In 2006, Microsoft IT Security addressed information security by using two Data Loss Prevention (DLP) products from RSA, the security division of EMC Corporation. With RSA® DLP Datacenter Enterprise 3.2, Microsoft IT Security could discover and apply safeguards to sensitive data at rest—that is, information residing in data repositories. In 2008, using DLP Network 6.0, the team could monitor and enforce information-security and regulatory-requirement classification policies on data in motion—that is, information leaving the Microsoft network.

“If we have an external or internal threat, our information is protected with Active Directory Rights Management Services.”
Olav Opedal, Senior Program Manager, Microsoft IT Security

To manage user-identity and data-access rights, Microsoft IT Security also used the Active Directory® directory service, part of the Windows Server® 2003 operating system. With Active Directory object user authorization, the type of access granted to objects (such as servers and shared volumes) is determined by the rights that are assigned to the user and which permissions are attached to the objects. An object is a set of attributes that can include shared resources, such as printers; network user and computer accounts; and domains, applications, and services.

This solution required Microsoft IT Security to build and maintain classification systems for file shares and SharePoint sites around the company. Content owners then classified their shares and sites based on the types of documents stored in them. Depending on the classification the owners chose, Microsoft IT Security applied safeguards to those locations and used Active Directory to validate user access and access rules. Microsoft IT Security scanned for sensitive data using the RSA DLP products and then manually notified the content owners in cases when they should update the Active Directory access control lists (ACLs) or other classification rules that controlled users’ data-access rights. Or, Microsoft IT Security sent notifications to the end users and, in some cases, handled the updates itself.

To increase efficiency and compliance with information-security policies, Microsoft IT Security wanted to further automate the solution—especially by automatically and selectively encrypting specific types of data, such as HBI documents, instead of relying on content owners to adjust their ACLs and classification rules to restrict access.

Microsoft IT Security also wanted to better protect unencrypted documents. For example, users who had general file-access rights to open and read a Microsoft Office Word document saved on their own storage device could forward that document outside of Microsoft, where they no longer had control over it. If these users left Microsoft, they would continue to have access to that document. To improve the solution, Microsoft IT Security needed more advanced technology.

Solution
In December 2008, the technology needed to solve these problems became available when RSA integrated its DLP products with Active Directory Rights Management Services. With the addition of Rights Management Services, Microsoft IT Security can protect sensitive information to specific users according to a predefined set of rights—such as the rights to view, edit, or print documents—that are applied automatically. Rights Management Services is part of the Windows Server 2008 operating system, which Microsoft upgraded to in early 2008.

Rights Management Services helps safeguard digital information from unauthorized use, both online and offline, inside and outside the firewall, by identifying which files should have persistent usage policies and rights management applied to them, and which ones should also be encrypted. With persistent protection from Rights Management Services, these safeguards are part of the data itself. This means that no matter where the data resides, it carries the permissions and restrictions with it.

The Microsoft IT team that manages Active Directory Rights Management Services simply creates Rights Management Services templates that should be used to protect particular types of sensitive data (Figure 1). The templates specify which users should have access to the data and the level of access through rights, such as view, edit, and print. Then Microsoft IT Security designs RSA DLP policies for finding sensitive data of that type, and the new solution automatically applies the Rights Management Services template to the data at rest wherever it resides in the enterprise. The solution also sends notifications to content owners, who no longer need to update their ACLs or classifications manually. To ensure that encryption is not applied too broadly, Microsoft IT Security chose a Rights Management Services template that allows users to collaborate on and copy protected content. But if the content extends outside of the organization, it is safeguarded with Rights Management Services protection and cannot be opened, viewed, edited, or copied, as the content can only be opened by current Microsoft employees.
Figure 1. The five-step process for protecting HBI documents on files with joint DLP and Active Directory Rights Management Services

For Windows Server 2008 R2, Microsoft IT Security uses the File Classification Infrastructure (FCI) to classify HBI files residing on a file server. When used in conjunction with the File Server Resource Manager feature in Windows Server 2008 R2, IT staff can get insight into the distribution of HBI data, automate the enforcement of document retention policies, and apply user rights and encryption according to classification—all as part of the operating system. With the addition of the Active Directory Rights Management Services Bulk Protection Tool, which will be released in late 2009, Microsoft IT Security can fully automate the identification, monitoring, and remediation of HBI data on file servers on a per-file basis—instead of requiring content owners to classify entire file shares.

The Microsoft IT Security team worked with stakeholders across the company to shape the new solution. The stakeholders include teams from File Share Operations, Active Directory Rights Management Services, and other Collaboration Services groups; various technical-support tiers; and Microsoft Legal and business-review groups. Stakeholder participation was important because applying Rights Management Services to documents would affect production server service levels and other aspects of the IT infrastructure. Says Opedal, “We wanted to ensure that infrastructure, operations, and technical support teams would be ready, so service levels would stay high. And, without feedback and buy-in from stakeholders who are willing to classify data, the technology cannot discover the data as effectively.”

“By building these technologies into the infrastructure, we’re creating a solution with fewer tools to buy, deploy, and manage. That’s comprehensive security that’s built-in, not added on.”

Microsoft IT Security is also taking steps to help safeguard data that falls outside the existing rules and definitions it has programmed into RSA DLP products. “Due to the complex nature of information—for example, intellectual property—there’s more sensitive data than we have written rules for identifying,” says Opedal. “But, we can assume that if data is stored in a highly sensitive site that that data is also highly sensitive.” The team is starting to use the new solution, including the Bulk Protection Tool, to address this situation. With the addition of this tool, the team can fully automate identification, monitoring, and remediation of HBI data on file servers on a per-file basis, for targeted encryption and rights management.

Benefits
In just six months, Microsoft IT Security implemented an end-to-end information-security solution and has scanned one-third of the company’s file environment. The solution applies persistent safeguards according to data sensitivity level for easier and less-costly compliance. The team can also apply targeted encryption and other safeguards automatically. This automation has freed up IT resources, and Microsoft reports fewer data leaks.

Automated Process, Persistent Protection
The integration of Rights Management Services and RSA DLP reduces cost and increases efficiency. Microsoft IT Security can use the solution to centrally apply targeted and persistent rights, access policies, and safeguards to data based on sensitivity level, without the need to manually notify content owners or end users. Wherever sensitive data at rest resides—on personal computers, servers, databases, applications, and more—and wherever it goes, those permissions stay with it.

Opedal says, “We get automatic, persistent, and targeted protection of sensitive information as the solution scans for it. If we have an external or internal threat, our information is protected with Active Directory Rights Management Services. Now, we can automatically detect sensitive information and apply safeguards, and the system notifies the owner that no further action is necessary. Thanks to the Active Directory Rights Management Services Bulk Protection Tool and the new FCI capabilities in Windows Server 2008 R2, content owners no longer have to classify their file shares or manually encrypt their HBI documents.” Automation also reduces the risk of content owners not applying policies properly.

Easier, Less Costly Compliance
Microsoft can help safeguard its important information by applying controls based on data sensitivity, for targeted protection. Microsoft employees can stay compliant automatically with data handling standards that call for encryption of HBI documents—without the expense of applying encryption too broadly. This is important, as Microsoft has many terabytes of stored data. Says Opedal, “If we were to encrypt all that data, the cost would outweigh the benefits. With the RSA DLP Suite and Active Directory Rights Management Services, we know where the sensitive information is, and we can automatically apply specific safeguards just to the files that need them.”

Tighter, More Efficient Information Security
Microsoft IT Security has scanned millions of documents using the new solution and has encrypted thousands of them. Opedal expects to encrypt tens of thousands of additional documents by the time Microsoft IT Security has finished running the Active Directory Rights Management Services Bulk Protection Tool.
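The Solution section describes the workflow of DLP policies finding sensitive content, a Rights Management Services template being applied only to the matching files, and the owner being notified; the Benefits section adds Opedal's assumption that files stored in a highly sensitive site are themselves highly sensitive. The following model is an added example, not code from Microsoft IT, RSA or this case study: the content patterns, HBI locations, template names and the sample files are all constructed placeholders, and the rules stand in for real DLP policies and RMS templates rather than using their syntax.

```python
import re
from dataclasses import dataclass, field

# Sensitivity levels from the case study: low, medium, high business impact.
LBI, MBI, HBI = "LBI", "MBI", "HBI"
ORDER = {LBI: 0, MBI: 1, HBI: 2}
# Constructed stand-ins for RSA DLP content policies (placeholder patterns, not RSA syntax).
CONTENT_RULES = [
    ("PII: US SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), HBI),
    ("IP: confidentiality marker", re.compile(r"Microsoft Confidential", re.I), HBI),
    ("Internal memo marker", re.compile(r"\bInternal Only\b", re.I), MBI),
]
# Constructed location rule: files under a site already rated HBI inherit HBI.
HBI_LOCATIONS = (r"\\fs01\finance", r"\\fs01\legal")
# Constructed stand-ins for RMS templates: name, group, rights. Outside the group, nothing opens.
TEMPLATES = {
    HBI: ("HBI - Employees Only", "All Employees", {"view", "edit", "copy"}),
    MBI: ("MBI - Internal", "All Employees", {"view", "edit", "print"}),
}
# Constructed scan input: UNC path -> file content.
SAMPLE_FILES = {
    r"\\fs01\finance\q3-payroll.docx": "Employee 123-45-6789 salary review",
    r"\\fs01\legal\notes.txt": "nothing sensitive in the text itself",
    r"\\fs01\public\memo.txt": "Internal Only: cafeteria hours",
    r"\\fs01\public\readme.txt": "welcome",
}

@dataclass
class Decision:
    path: str
    level: str = LBI
    reasons: list = field(default_factory=list)
    template: str = ""  # empty: ACLs only, no RMS protection applied
    notify_owner: bool = False

def classify(path: str, content: str) -> Decision:
    """Combine content matches and location inheritance; the highest level wins."""
    d = Decision(path)
    for name, pattern, level in CONTENT_RULES:
        if pattern.search(content):
            d.reasons.append(name)
            d.level = max(d.level, level, key=ORDER.get)
    if path.lower().startswith(tuple(loc.lower() for loc in HBI_LOCATIONS)):
        d.reasons.append("stored in HBI location")
        d.level = HBI
    return d

def protect(d: Decision) -> Decision:
    """Apply a template only where the level has one, so encryption stays targeted."""
    if d.level in TEMPLATES:
        d.template = TEMPLATES[d.level][0]
        d.notify_owner = True  # owner is told protection was applied; no further action needed
    return d

def process_share(files: dict) -> list:
    return [protect(classify(path, content)) for path, content in files.items()]
```

Running `process_share(SAMPLE_FILES)` protects three of the four files and leaves the low-impact file to ACLs alone, which is the targeted-encryption outcome the case study describes.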
Freed IT Time
With automation, Microsoft IT Security has freed up one half of one developer’s time from creating and maintaining classification systems for file shares. “That is developer time that we can use for other projects,” says Opedal. “We expect to get the same time savings from our SharePoint sites too, once we deploy the next version of Office SharePoint Server.”

Future Plans
In the long term, Microsoft will build the RSA Data Loss Prevention classification technology into the Microsoft platform and future information protection products. The resulting collaboration is designed to enable organizations to centrally define information security policy, automatically identify and classify sensitive data virtually anywhere in the infrastructure, and use a range of controls to protect data at the endpoints, network, and data center. “By building these technologies into the Microsoft platform,” says Opedal, “we’re creating a solution with fewer tools to buy, deploy, and manage. That’s comprehensive security that’s built-in, not added on.”

For More Information
For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers in the United States and Canada who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to:

For more information about Microsoft IT products and services, call (800) 426-9400 or visit the Web site at:

Microsoft Server Product Portfolio
For more information about the Microsoft server product portfolio, go to: ult.mspx

Software and Services
• Microsoft Server Product Portfolio
• Windows Server 2008 R2

Technologies
• Active Directory Rights Management Services

This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Document published September 2009