Exch2010 compliance ngm final



A deck covering Exchange 2010 Information Protection and Compliance that runs to about 25-30 minutes

Published in: Technology
  • Data losses
    http://news.bbc.co.uk/1/hi/technology/8455123.stm
    The new rule is expected to come into force in the UK on 6 April 2010. It has been approved by Jack Straw MP, Secretary of State for Justice. The size of the fine will be determined after an investigation to assess the gravity of the breach. Other factors will include the size and finances of the organisation at fault.
    Large UK Retailer Leaks Payment Information via Email: plain text credit card data embedded in order confirmation messages.
    http://news.softpedia.com/news/Large-UK-Retailer-Leaks-Payment-Information-via-Email-136724.shtml
    SurfControl survey
    http://news.bbc.co.uk/1/hi/technology/3809025.stm
    Nearly 40% of workers have received confidential information that was not meant for them, according to a poll conducted by e-mail filtering firm SurfControl. Another 15% admit sending confidential information by mistake, and 17% of those are unable to retrieve the data.
    Appeal Win Lets FSA Grab Evidence for SEC
    http://www.complianceweek.com/blog/glimpses/2010/03/05/appeal-win-lets-fsa-grab-evidence-for-sec/
    Britain’s Financial Services Authority says it is committed to helping the Securities and Exchange Commission with overseas investigations, after winning an appellate court battle that aimed to block its efforts to obtain confidential evidence for its U.S. friends.
  • Data Protection
    Three stage test:
    1. Check the relevant business purpose and laws (HR, Finance) for the legal retention period.
    2. Business purposes not covered by law: how long do you need the data for operations?
    3. Secondary purposes, such as defending legal rights in court: keep only on a risk basis, and assess that risk per issue to decide how long to keep this type of data.
    Examples: HR, pensionable age + 10 years; Finance, 6 years + 1 year before getting rid of the data.
    Human Rights - Lawful business protection: you must have a policy about monitoring and get sign-off, and only look at email that is relevant.
    Health Insurance Portability and Accountability Act (HIPAA).
  • Personal Archive
    A secondary mailbox that is configured by the administrator. It appears alongside a user’s primary mailbox in Outlook or Outlook Web Access.
    PSTs can be dragged and dropped to the Personal Archive.
    Mail in the primary mailbox can be moved automatically using Retention Policies.
    The archive quota can be set separately from the primary mailbox.
    Preserve or improve the PST experience for the user.
    Preserve or improve workflow for the user irrespective of regulatory or storage constraints.
    Users will only have one Archive in E2010.
    The archive is online only.
    Mail folders are automatically moved to the archive by default.
    Delete policies are global (they travel with messages as they move to the Archive).
    Explicitly-set policies are evaluated on a most-specific-wins basis.
    Preserve the mailbox management experience across primary and archive for the IT Pro.
    The archive is associated with a primary mailbox; archive and primary share the same user account.
    The IT Pro can provision only one archive per user.
    Outlook and OWA should work against the archive exactly the same as the primary.
  • Instructor Notes: We need an automated way to move data from primary to archive and make auto-archive better. Let’s talk about records management first. In Exchange Server 2007, we essentially had two policies: the move policy and the delete policy. The move policy simply defines where items will live after a set amount of time. The delete policy defines how long a message will live wherever it is. Exchange Server 2010 ships with a default set of move policies that define when data will be moved from primary to online archive: 6 months, 1 year, 2 years, or 5 years. Additionally, in Exchange Server 2010 you can choose to apply this policy either at the folder level or at an individual message level.
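The move and delete policies described above, expressed as Exchange 2010 retention tags from the Exchange Management Shell. This is an added example, not code from the deck; the mailbox, tag and policy names are assumptions.

```powershell
# Added example: retention tags and a personal archive for one user. The mailbox,
# tag and policy names are assumptions, not values from the deck.
$user = "ed@northwindtraders.example"

# 1. Provision the personal archive next to the primary mailbox, with its own quota
Enable-Mailbox -Identity $user -Archive
Set-Mailbox -Identity $user -ArchiveQuota 20GB -ArchiveWarningQuota 18GB

# 2. Default policy tag (Type All): untagged items move to the archive after 2 years
New-RetentionPolicyTag -Name "Default: move to archive after 2 years" -Type All `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive

# 3. Personal tags the user can put on a folder or on a single message; the most
#    specific explicitly set tag wins, so an item tag beats a folder tag
New-RetentionPolicyTag -Name "Move to archive after 6 months" -Type Personal `
    -AgeLimitForRetention 180 -RetentionAction MoveToArchive
New-RetentionPolicyTag -Name "Move to archive after 5 years" -Type Personal `
    -AgeLimitForRetention 1825 -RetentionAction MoveToArchive
New-RetentionPolicyTag -Name "Never move to archive" -Type Personal `
    -RetentionEnabled $false -RetentionAction MoveToArchive

# 4. Delete policy on Deleted Items. Delete tags are global: the tag travels with the
#    item, so it still expires after it has been moved into the archive
New-RetentionPolicyTag -Name "Purge Deleted Items after 30 days" -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery

# 5. Link the tags into one policy and assign it to the mailbox
New-RetentionPolicy -Name "Northwind archive policy" -RetentionPolicyTagLinks `
    "Default: move to archive after 2 years", "Move to archive after 6 months", `
    "Move to archive after 5 years", "Never move to archive", `
    "Purge Deleted Items after 30 days"
Set-Mailbox -Identity $user -RetentionPolicy "Northwind archive policy"

# 6. Process the mailbox now instead of waiting for the Managed Folder Assistant
#    schedule, then confirm what is attached to the mailbox
Start-ManagedFolderAssistant -Identity $user
Get-Mailbox -Identity $user | Format-List ArchiveName, ArchiveQuota, RetentionPolicy
```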
  • Instructor Notes: When a reasonable expectation of litigation exists, organizations are required to preserve e-mail relevant to the case as part of discovery. This expectation can occur well before one knows the specifics of the case, and preservation is often broad. Frequently, organizations will preserve all e-mail relating to a specific topic (or all e-mail, period) for certain individuals. In some cases, end users are instructed to carry out the preservation themselves by not deleting certain e-mail. This can lead to insufficient preservation. In other instances, e-mail is copied or moved to an archive. This can increase costs by requiring manual effort to copy items and/or third party products to collect and store e-mail.
    Exchange Server 2007 scenario: Retention Hold is executed through PowerShell, placing the workload on IT rather than the legal team. It stops automatic deletion but does not stop the user from moving or deleting items. Also, users must be informed of the hold manually, through email. This places the burden on the end user to remember what to do and can lead to insufficient preservation if the user forgets. The search capabilities are limited and the process is slow because export-mailbox copies the entire mailbox (regular mail and dumpster) to the destination and then searches it. There is no way to search the dumpster directly.
    Exchange Server 2010 scenario: Retention Hold can now be carried out on a per-mailbox basis through the Exchange Control Panel (ECP) and delegated to non-IT staff using Role-Based Access Control (RBAC). For Exchange Server 2010, as in Exchange Server 2007, PowerShell is the mechanism for handling these operations in bulk. This feature keeps a copy of both deleted and edited items. It also enables setting an Outlook litigation hold comment for each mailbox to inform the user of the hold. The user continues to read e-mail and soft-delete it when it is no longer needed. Each time an item is soft-deleted or modified (certain message properties only, detail below), a copy is placed in the dumpster. Since the user hardly ever goes to the dumpster, he does not realize that items are no longer purged from it or that he can no longer manually empty it. When the two litigating organizations have agreed on what must be produced, the legal team performs a discovery search that includes the dumpster. If the mailbox is moved, items that are on hold are moved with it (today, dumpster data is lost during move mailbox).
    So if you have content in the primary mailbox and you have legal retention hold enabled, that content will go into the Recoverable Items folder. In Exchange Server 2010, the Recoverable Items folder replaces the dumpster and is available in both locations. Architecturally, the old dumpster was a query that showed a view of deleted data, and it had a lot of problems: it was not indexable and it was not portable (move mailbox). So you can imagine a scenario where you do not have an archive and turn on legal hold: content will go into your Recoverable Items folder. If you do have an archive and enable legal hold, then content will go into the Recoverable Items folder of the archive. Essentially, that makes your archive the repository.
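The Exchange Server 2010 hold and discovery flow described above, from the Exchange Management Shell. This is an added example, not code from the deck; the custodian mailbox, matter name, URL, dates and keywords are assumptions.

```powershell
# Added example: put one custodian on Litigation Hold, tell them through Outlook's hold
# comment, then run a discovery search that reaches Recoverable Items (the dumpster).
# Mailbox, matter name, URL, dates and keywords are assumptions.
$custodian = "ed@northwindtraders.example"
$matter    = "Matter NW-2010-01"

# 1. Hold. From now on soft-deleted and edited items are kept in Recoverable Items
#    instead of being purged; the user's own workflow does not change.
Set-Mailbox -Identity $custodian -LitigationHoldEnabled $true `
    -RetentionComment "${matter}: your mailbox is on legal hold. Keep working as normal; you do not need to stop deleting mail." `
    -RetentionUrl "https://intranet.northwindtraders.example/legal-hold"

# 2. Verify before relying on it for preservation. The hold can take up to an hour to
#    become effective on the mailbox store, so do not collect from it immediately.
Get-Mailbox -Identity $custodian | Format-List LitigationHoldEnabled, RetentionComment, RetentionUrl

# 3. Discovery search, run by a member of the Discovery Management role group rather than
#    by IT. -SearchDumpster is what makes the search include the held items.
New-MailboxSearch -Name "$matter blood test results" `
    -SourceMailboxes $custodian `
    -Senders $custodian `
    -SearchQuery '"blood test" OR "lab results"' `
    -StartDate "2010-01-01" -EndDate "2010-03-31" `
    -MessageTypes Email `
    -SearchDumpster $true `
    -TargetMailbox "Discovery Search Mailbox" `
    -StatusMailRecipient "legal@northwindtraders.example" `
    -LogLevel Full

# 4. The search starts on creation and mails legal@ when it finishes; results are copied
#    into a folder named after the search inside the target mailbox, hierarchy preserved.
#    Use Stop-MailboxSearch / Start-MailboxSearch to pause or re-run it.
Get-MailboxSearch -Identity "$matter blood test results" | Format-List Status, ResultNumber, ResultSize
```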
  • Most data leaks are not malicious
    MailTips: Reply to All; sending to the wrong person with the same name (internal and external).
    There are both horizontal examples (executive or sensitive e-mails, board communications, financial data, proprietary operations information, sales data such as price lists, and HR and legal information, in addition to corporate governance that goes across many organizations, such as Sarbanes-Oxley in the U.S.) as well as examples across multiple verticals.
    Information Protection
    Financial Services: In the case of Mergers & Acquisitions, banks have to ensure that the internal M&A deal teams keep their workpapers and related information separate and distinct from each other. These ethical boundaries are required because the deal teams are selected from people who have no conflicts of interest in the deal they are working on, to ensure fair treatment of the deal. However, there is no easy way to enforce these walls from a technology perspective. If the information is leaked at the wrong time, there is tremendous financial impact on how the deals get priced: for example, typically the markets lower the price of the acquirer but run up the price of the company being acquired. This can cause a loss of leverage in the deal.
    Clinical Trials: The drug business is a very complicated process. Pharmaceutical firms spend hundreds of millions and decades developing a drug. This is their lifeblood. They cannot have their drug formulae and testing information leak, resulting in loss of their competitive advantage as well as a financial beating in the markets. An additional challenge in the healthcare business is privacy. Regulations like HIPAA mandate that information shared between the pharma and the doctors during clinical trials be protected to ensure privacy of the patients in the trials. Penalties for violation include both financial and legal penalties. Thus, these firms need to manage risk but also collaborate freely. There is a need for secure collaboration in this industry.
    Manufacturing/High Tech: Collaborative product design.
    Government: RFP process. Governments put a lot of their work out to bid via RFPs. The process is sensitive and requires that bids received be protected carefully and not shared with other participants either overtly or by accident. They require solutions to support these ethical boundaries.
    Regulatory Compliance
    GLB: The Gramm-Leach-Bliley Act Safeguards Rule requires companies to prevent unauthorized access to personal information. The California Security Breach Information Act (SB 1386) states that companies must alert customers whenever “unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
    NASD 2711: Best practices and regulations such as NASD 2711 stipulate that investment banking be run separately from research and trading to ensure trust in the public markets. New technologies that improve communications, such as email, can serve as a conduit of improper communication. This is often referred to as the “Chinese or Ethical Wall” scenario.
    HIPAA: requires companies to prevent unauthorized access to personal health information (PHI). For example, it is important that information shared between pharmaceutical companies and contract research organizations remain secure. Employers need to ensure that all PHI data exchanged between plan members and plan providers remains secure and confidential.
    Sarbanes-Oxley: The Sarbanes-Oxley Act makes corporate executives explicitly responsible for establishing, evaluating and monitoring the effectiveness of internal controls over financial reporting. Spreadsheets are the most broadly used financial application; however, password protection and file-level access controls do not satisfy these requirements. The act requires user authorization, protection of sensitive information from unauthorized access or modification during transmission or storage, and monitoring of user actions.
  • Slide Objective: You need tools to enforce confidentiality where it is required.
    Instructor Notes: Many of you may receive e-mails similar to this one, in which the author is essentially begging and pleading with the recipient to “do the right thing” with the information; prior to RMS we saw a lot of these inside Microsoft as well. In this case, while the organization may have a “policy” for what should and should not be done with the information, there are no mechanisms in place to digitally enforce that policy. You cannot rely on all end-users applying confidentiality measures where required, even with training.
  • Today an employee may accidentally include sensitive information that belongs to a consumer in an e-mail which is sent in cleartext over the internet. If that data is accidentally emailed, the organization may face considerable reputation damage, legal exposure and a reduction in the company’s market value. To address this, the Exchange Server can be configured to encrypt messages that contain personal information or critical business information.
    Sensitive e-mail can be detected using Transport Rules, by filtering the content of a message (including the content of supported attachments). Regular expressions are supported.
    Internet Confidential and Do Not Forward policies are available out of the box. An RMS infrastructure is required.
    For example: Ed is a nurse at Northwind Traders, a large hospital. Ed is sending Chris the results of his recent blood test. When Ed’s email reaches the Exchange Server, the server is able to examine the message and determine that personal information is included in the mail. Because personal information is included in the message, the Exchange Server encrypts the message before it leaves the organization. The message that gets to Chris is an encrypted copy of the message.
    Protect messages in transit via a Transport Rules action.
    Protect messages by default at the Outlook client.
    Private voice messages are automatically protected by Unified Messaging (UM).
  • Exchange Server 2010 is supported on Windows Server® 2008, with planned support for Windows Server 2008 R2. RMS integration features require RMS on Windows Server 2008 SP2 or Windows Server 2008 R2.
    Information Rights Management addresses the following essential elements:
    • Trusted entities: individuals, groups of users, computers, and applications that are trusted participants in an Active Directory RMS system. Helps protect information by enabling access only to properly trusted participants.
    • Usage rights and conditions: usage rights and conditions define how a specific trusted entity can use content. Examples of usage rights are permission to read, copy, print, save, forward, and edit. Usage rights can be accompanied by conditions, such as when those rights expire.
    • Encryption: Active Directory RMS encrypts information. Only trusted entities that were granted usage rights can unlock or decrypt the information in an Active Directory RMS-enabled application or browser.
    Some benefits of RMS:
    No need to manage a Public Key Infrastructure (PKI): RMS is easier to manage and deploy, with no requirement for X.509 certificates.
    Protection travels with the content and persists even outside of the mailbox.
    Users cannot change policy by mistake: policies are defined centrally by an administrator.
  • Slide Objective: Introduce Transport Rule protection.
    Instructor Notes: Through Transport Rules we can scan messages in transit and classify them as confidential. RMS protection is just another action within Transport Rules. It can be combined with any other Transport Rules predicates and actions. It lets you choose which RMS template to use. The RMS template can be either an official Rights Policy template created using the Active Directory Rights Management Administrative Console, or the built-in policy available out of the box, Do Not Forward. Do Not Forward provides recipients with REPLY, REPLYALL, VIEWRIGHTSDATA, DOCEDIT, VIEW and EDIT rights. RMS protection is applied to supported attachments along with the message (a single Publishing License is created for all). We adopted SharePoint’s RMS protector implementation for Office 2003, Office 2007, Office 14 and XPS documents. There is currently no support for 3rd party protectors (for other file formats such as PDF or EML). If the message cannot be protected due to errors, it is returned to the sender with a non-delivery report (NDR).
  • Protecting a message with RMS is done through a Transport Rule action, working just like any other Transport Rule action. Multiple actions can be selected. The Transport Rules Agent stamps an X-Org header (X-MS-Exchange-Organization-RightsProtectMessage) on the message. The header value is set to the RMS template globally unique identifier (GUID). The message does not get encrypted until it is processed by the Encryption Agent later in the pipeline (OnRouted).
    New Transport Rule action to “RMS protect”.
    Transport Rules support regular expression scanning of attachments in Exchange Server 2010 (Beta).
    “Internet Confidential” and “Do Not Forward” policies are available out of the box.
    Office 2003, Office 2007, Office 14, and XPS documents are supported for attachment protection.
  • In this example, we see a user applying RMS protection when composing a new e-mail. Notice the “Permissions” button (the envelope with a red sign) in the Outlook Web Access interface.
    Create/consume RMS protected messages natively, just like Outlook.
    No client download or installation required.
    Supports: Firefox, Safari, Macintosh and Windows; Conversation View and Preview pane.
    Full-text search on RMS protected messages.
  • Slide Objective: Example of RMS protection in Outlook.
    Instructor Notes: We see what an RMS protected message looks like to the end-user using Outlook 2007, as already supported using Exchange Server 2007. In this example, the user has received a confidential e-mail that cannot be forwarded to other recipients. The user may nevertheless reply to the sender. Notice the “Do Not Forward” banner in the message, which informs the user about the rights he has been granted on the content. The message, as well as RMS compatible attachments, will be protected.
  • Slide Objective: Introduce RMS protection with the Exchange Server 2010 Unified Messaging role.
    Instructor Notes: Using Exchange Server 2010 Unified Messaging, users can mark Voice Mail as “Private” when leaving a message. This option is available through a prompt over the phone. Unified Messaging policies can be created to automatically apply RMS protection to: all Voice Mail, Private Voice Mail only, or none. The RMS template that will be applied is “Do Not Forward”; this is not configurable. Using this feature, you can give people leaving Voice Mail the assurance that the audio content cannot be forwarded to third parties, and will only be accessible to the intended recipient.
  • In this example, you can see a Voice Mail that has been received by an individual and automatically protected by the Unified Messaging server. The message cannot be forwarded by the recipient.
    Unified Messaging administrators can allow incoming voice mail messages to be marked as “private”.
    Private voice mail can be protected using “Do Not Forward”, preventing forwarding or copying content.
    Private voice mail is supported in Outlook 14 and Outlook Web Access (OWA).
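Server-side automatic protection as described in the Transport Rule notes (the Ed and Chris example) and in the Unified Messaging notes above, from the Exchange Management Shell. This is an added example, not code from the deck; the regular expression, rule names, addresses and UM policy name are assumptions, while "Do Not Forward" is the built-in template the deck names.

```powershell
# Added example: server-side automatic RMS protection for the "Ed the nurse" scenario.
# The regular expression, names and addresses are assumptions; "Do Not Forward" is the
# built-in RMS template named in the deck.

# 0. Exchange must be able to reach the AD RMS cluster and license on behalf of users.
#    Test-IRMConfiguration exercises that end to end (SCP lookup, certification, licensing).
Set-IRMConfiguration -InternalLicensingEnabled $true
Test-IRMConfiguration -Sender "ed@northwindtraders.example"

# 1. Constructed sample pattern for a patient identifier (three groups of digits).
#    Keep patterns tight: a loose one protects unrelated mail, which external recipients
#    then cannot read, and every protection failure comes back to the sender as an NDR.
$patientId = '\b\d{3}[ -]?\d{3}[ -]?\d{4}\b'

# 2. Outbound mail whose subject or body matches is RMS protected in transit. The Transport
#    Rules agent only stamps X-MS-Exchange-Organization-RightsProtectMessage with the
#    template GUID; the Encryption agent encrypts the message later in the pipeline.
New-TransportRule -Name "Protect patient data leaving the organization" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $patientId `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Priority 0

# 3. Predicates on one rule are ANDed, so attachments get their own rule. Office 2003/2007/2010
#    and XPS attachments are scanned and protected; other formats (PDF, EML) are not.
New-TransportRule -Name "Protect patient data in attachments" `
    -SentToScope NotInOrganization `
    -AttachmentMatchesPatterns $patientId `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Priority 1

# 4. Let journaling and later transport rules see the content of protected messages.
#    Requires the Federated Delivery mailbox to be in the AD RMS super users group.
Set-IRMConfiguration -JournalReportDecryptionEnabled $true -TransportDecryptionSetting Optional

# 5. Unified Messaging: voice mail the caller marks private gets "Do Not Forward" as well.
#    The policy name is an assumption; the template is fixed and cannot be changed.
Set-UMMailboxPolicy -Identity "Northwind UM policy" `
    -ProtectAuthenticatedVoiceMail Private `
    -ProtectUnauthenticatedVoiceMail Private `
    -RequireProtectedPlayOnPhone $true

# 6. Check what is now in force
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } | Format-Table Name, Priority, State
Get-IRMConfiguration | Format-List InternalLicensingEnabled, JournalReportDecryptionEnabled, TransportDecryptionSetting
```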
  • Slide Objective: Introduce Business-to-Business RMS.
    Instructor Notes: Today, setting up RMS between two organizations is an involved process. To enable secure messaging using RMS between two separate organizations, both must deploy Active Directory Federation Services (ADFS) and create special trusts between the two organizations. This is an individual process for each partnership, and it isn’t supported by Exchange for any of the features discussed today. In Exchange Server 2010, customers can create a single federation using the Microsoft Federation Gateway. This gateway is used by other services, such as the Microsoft Services Connector, as a trust broker between organizations. Exchange includes a built-in wizard to enable federation with the Federation Gateway. Once this wizard is run, Exchange can begin requesting delegation tokens for users within their organization. These tokens, which are SAML based, allow Exchange to give them to partners to authenticate on behalf of the users within the enterprise. The next slides show how Exchange uses these to license content on behalf of users for OWA.
    Slide Objective: Provide additional information on supported features for Business to Business scenarios.
    Instructor Notes: Now that we’ve seen how federation can allow Exchange to access content on behalf of a user, it is important to understand what controls we provide to ensure that remote organizations aren’t misusing your sensitive content. For example, as the content owner, Northwind Traders may not want Fabrikam archiving the protected mail in the clear using journal decryption. To mitigate this concern, Northwind Traders can specify on a per-template basis whether 3rd parties can archive that mail content in the clear. This means you can specify that all “Northwind Traders Confidential” data must always be stored in a protected format and cannot be decrypted and stored in a separate archive. Additionally, the web services in RMS that support SAML authentication can be disabled, and/or specific partners can be blocked from using them. This limits the exposure an organization can have to 3rd parties that want to use federation for authentication purposes. Lastly, all of the RMS features we’ve talked about today work with SAML authentication, meaning they will work whether the messages are protected against your internal RMS server or a 3rd party RMS server.
  • Slide Objective: Introduce Outlook Protection Rules.
    Instructor Notes: We’ve seen how a message can automatically be protected at the Transport Rule level. Alternatively, it is possible to have RMS encryption automatically applied from the Outlook client. The administrator can define a client-side rule that will be imported by the Outlook client via Autodiscover (i.e. every 24 hours). Filtering can be done on the sender’s department, the recipient’s identity or the recipient’s scope. Rules are defined using PowerShell. Using this method, you can ensure that RMS protection is already applied when the message reaches the Exchange infrastructure. This supports scenarios where an organization does not necessarily “trust” the Exchange organization, for example when the Exchange infrastructure is hosted/managed by a 3rd party. Outlook 14 is required for this feature.
  • Slide Objective: Example of Outlook Protection Rules.
    Instructor Notes: Here is an example where a user sends an e-mail that will trigger an Outlook Protection Rule.
    Step 1: the user creates a new message in Outlook 14.
    Step 2: the user adds a distribution list to the To line. Nothing happens at this stage.
    Step 3: the user clicks outside of the “To:” line, and Outlook then evaluates the client-side rules. As it turns out in this example, there is an Outlook Protection Rule that has been configured to apply a “Microsoft Confidential” RMS template to this message. A banner is therefore displayed in the Outlook client, warning the user that RMS protection is going to be automatically applied.
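The client-side rules behind the two Outlook Protection Rules notes above, defined from the Exchange Management Shell as the notes say they must be. This is an added example, not code from the deck; the department value, distribution list, template name and mailbox are assumptions.

```powershell
# Added example: Outlook Protection Rules. Department value, DL address, template name and
# mailbox are assumptions. Outlook 2010 fetches these rules via Autodiscover/EWS and applies
# the template before the message ever reaches Exchange.

# Optional rule: mail from the HR department to anyone gets "Do Not Forward"; the sender may
# remove the protection for an individual message
New-OutlookProtectionRule -Name "HR department default protection" `
    -FromDepartment "Human Resources" `
    -SentToScope All `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -UserCanOverride $true

# Mandatory rule: anything addressed to the executive DL is always protected with the company
# template, and the sender cannot switch it off
New-OutlookProtectionRule -Name "Executive distribution list" `
    -SentTo "executives@northwindtraders.example" `
    -ApplyRightsProtectionTemplate "Northwind Traders Confidential" `
    -UserCanOverride $false `
    -Priority 0

# The department predicate reads the sender's Active Directory 'department' attribute, so the
# rule silently does nothing for users where that attribute is empty: check it
Get-User -Identity "ed@northwindtraders.example" | Format-List Department

# Review what Outlook clients will download
Get-OutlookProtectionRule | Format-Table Name, Priority, Enabled, UserCanOverride, ApplyRightsProtectionTemplate
```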
  • Situation: People send embarrassing e-mails (or worse) to the wrong recipients (think of the MS email of a reporter’s dossier to that reporter, RNC lobbying efforts through White House accounts, or a pharmaceutical email sent out with all recipients’ names visible). MailTips is designed to make sure your communications are right the first time and to avoid such embarrassing mistakes.
    Talking Points:
    Know someone is OOF before you send a message (look at the OOF and send to the right person from the start).
    Be alerted to important issues like external recipients or large lists of people this will be sent to.
    Know things like booking a room too small for the number of people you’re inviting.
    Know internal rules that will block your message from being sent before you send it (too many attachments, too big an attachment, recipient can’t receive the message, and other custom rules defined by the system administrator).
    Slide Objective: The audience should walk away from this slide seeing that Exchange helps users send more effective messages the first time. It helps them schedule the right size rooms, not send messages to which they will get an OOF response, and avoid sending mail to external recipients or large lists of people that might create an embarrassing mistake.
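The organization-wide MailTips settings and custom tips behind the talking points above. This is an added example, not code from the deck; the threshold, addresses and tip text are assumptions.

```powershell
# Added example: MailTips configuration. Threshold, addresses and tip text are assumptions.

# Org-wide: turn MailTips on, warn on external recipients, and treat 25 or more recipients
# as a large audience. Group metrics must be on for the size of a distribution list to be
# known, and mailbox-sourced tips must be on for the custom tips below to appear.
Set-OrganizationConfig -MailTipsAllTipsEnabled $true `
    -MailTipsExternalRecipientsTipsEnabled $true `
    -MailTipsLargeAudienceThreshold 25 `
    -MailTipsGroupMetricsEnabled $true `
    -MailTipsMailboxSourcedTipsEnabled $true

# Custom tips, shown in the compose window as soon as the recipient is resolved
Set-DistributionGroup -Identity "all-staff@northwindtraders.example" `
    -MailTip "Reaches every employee and contractor. Do not send client or patient data to this list."
Set-Mailbox -Identity "press@northwindtraders.example" `
    -MailTip "Mail to this address is read by the external PR agency."

# Recipient size limits also surface as a MailTip before sending, instead of as an NDR afterwards
Set-Mailbox -Identity "ed@northwindtraders.example" -MaxReceiveSize 10MB

Get-OrganizationConfig | Format-List MailTips*
```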
  • Key takeaways
    The integrated e-mail archiving, retention, and discovery capabilities being delivered in Exchange 2010 offer a seamless user experience, leverage existing Exchange infrastructure investments and administrative skills, and help reduce the need to implement potentially complex and expensive third-party archiving products.
    The personal archive can help centralize PSTs for more efficient discovery while offering a fully integrated user experience directly from a user’s primary mailbox.
    New retention policies enable users to apply pre-defined policies to both items and folders and work across both the primary mailbox and personal archive.
    Multi-mailbox search and legal hold functions can be delegated to non-IT staff such as compliance officers.
    New actions such as moderation, dynamic signatures and MailTips, and automated IRM protection, provide a wider range of data control, enabling administrators to better match the right level of control to a scenario.
    Using the enhanced transport rule functionality in Exchange 2010, administrators can now effectively identify sensitive content both within an e-mail and in any Office file attachments.
    Exchange 2010 features deeper support for Information Rights Management, including the ability to apply IRM with transport rules, decrypt IRM-protected messages for journaling, filtering, search and transport rule application, and read and reply to IRM-protected mail in OWA.
    1. Exchange 2010 Protection and Compliance
       Nathan Winters – Exchange MVP
    2. Exchange 2010 IPC
       Introduction to Information Protection and Compliance (IPC)
       The arsenal of Technical Tools!
       Archiving
       Multi-Mailbox Search
       Legal Hold
       IRM
       Moderation
       Enhanced Transport Rule Capabilities
       MailTips
    3. Why is IPC important?
       Large UK Retailer Leaks Payment Information via Email
       The Information Commissioner’s Office will be able to issue fines of up to £500,000 for serious data security breaches.
       Nearly 40% of workers have received confidential information that was not meant for them!
       Appeal Win Lets FSA Grab Evidence for SEC
    4. Some of the legal factors
       Public Sector - Freedom of Information
       All - Data Protection Act
       Finance – Financial Services Authority, SEC, BASEL2
       RIPA - Regulation of Investigatory Powers Act 2000
       Human Rights - Lawful business protection
       Electronic Communications Act – Adding Disclaimers
       US – SOX, HIPAA etc
    5. What does IPC mean to you?
       It’s a policy built around the relevant laws for your industry.
       Based on a bunch of technical tools which we try to automate
       Monitor email – content, recipients, where is it going
       Know what is happening based on email attributes
       Retain and Provide
       Archiving, Retention and Discovery
       Control and Protection – allow or prevent
       Granular policies
       Soft to Hard control
    6. Protection & Control: Soft to Hard
       Ensure that you target the correct data with the correct policy to maximise usability
       Retain and Provide mail where required with Archiving, Retention and Discovery
    7. Exchange 2010 Archiving, Retention & Discovery: Better mailbox management
    8. Why Archive? A Vicious Cycle of Volume vs. Control
       PSTs difficult to discover centrally
       Regulatory retention schedules contribute to further volume/storage issues
       Increasing storage and back-up costs
       Users forced to manage quota
       Quota management often results in growing PSTs (Outlook auto-archive)
    9. Breaking the Cycle: With large mailbox architecture and archiving
       Large Mailbox Architecture: maintains performance; provides option for DAS-SATA storage to reduce costs
       Archiving: simplifies discovery, retention and legal hold
       Archiving: enables simple migration of PSTs back to server
    10. Personal Archive
       Overview – What is it and where does it live?
       User goals and assumptions
       Simple to use – OWA & Outlook
       IT Pro goals and assumptions
       Get rid of PSTs!
       Easy to enable.
    11. Personal Archive: User experience
       User can view, read, navigate, flag and reply to archived mail same as live mail
       Folder hierarchy from primary mailbox maintained
       Reply to message in archive puts message in live mail sent items (same as PSTs)
       User gets conversation view scoped to Archive (same as PSTs)
    12. Personal Archive Search
       Option to search archive only or both live and archived mail
       Advanced search options work across live and archived mail
    13. Message Retention
       Move Policy: automatically moves messages to the archive
       Options: 6 months, 1 year, 2 years (default), 5 years, Never
       User Impact: Helps keep mailbox under quota
       Works like Outlook Auto-Archive – without PSTs!
       Delete Policy: automatically deletes messages
       User Impact: removes unwanted items
       Helps keep mailbox under quota
       Delete policies are Global (they travel to the Archive)
       Per-item policies take priority over per-folder policies
    14. Retention Policies: At the folder or item level
       Policies can be applied directly within an email
       Policies can be applied to all email within a folder
       Delete policies
       Archive policies
       Expiration date stamped directly on e-mail
    15. Legal Hold
       Hold Policy captures all edits/deletes irrespective of user or admin access.
       User workflow is unchanged, items captured in hidden folders in Dumpster 2.0.
       Multi-mailbox search can retrieve items indexed in Dumpster 2.0.
       ISSUE – Consider that the whole mailbox is put on hold, not just the granular info that you need on hold!
    16. Hold Policy
       IW is told how to comply (no action needed for e-mail)
       URL links to additional info
    17. Multi-Mailbox Search: Simple, role based GUI
       Delegate access to search to HR, compliance, legal manager
       Search all mail items (email, IM, contacts, calendar) across primary mailbox, archives
       Filtering includes: sender, receiver, expiry policy, message size, sent/receive date, cc/bcc, regular expressions, IRM protected items
    18. Multi-Mailbox Search: Additional e-discovery features
       Search specific mailboxes or DLs
       Export search results to a mailbox or SMTP address
       Search results organized per original hierarchy
       Request email alert when search is complete
       API enables 3rd party tool integration with query results for processing
    19. Exchange 2010 Protection and Control
    20. Information Leakage: Can be costly on multiple fronts
       Legal, Regulatory and Financial impacts
       Non-compliance with regulations or loss of data can lead to significant legal fees, fines, and more
       Damage to public image and credibility with customers
       Financial impact on company
       Loss of Competitive Advantage
       Disclosure of strategic plans
       Loss of research, analytical data, and other intellectual capital
    21. Message Confidentiality?
       Enforcement tools are required—content protection should be automated.
    22. Automatic Content-Based Privacy
       Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages.
       Automatic Content-based Privacy:
       Transport Rule action to apply RMS template to e-mail message
       Transport Rules support Regex scanning of attachments in Exchange 2010 (including content)
       Internet Confidential and Do Not Forward Policies available out of box
    23. What is Rights Management Services?
       Windows Platform Information Protection Technology
       Better safeguard sensitive information
       Protect against unauthorized viewing, editing, copying, printing, or forwarding of information
       Limit file access to only authorized users
       Audit trail tracks usage of protected files
       Persistent protection
       Protects your sensitive information no matter where it goes
       Uses technology to enforce organizational policies
       Authors define how recipients can use their information
    24. Protection via Transport Rules
       New Transport rule action to “RMS protect”
       Transport Rules support regular expression scanning of attachments in Exchange Server 2010
       “Do Not Forward” policy available out of the box
       Office 2003, Office 2007, Office 2010, and XPS documents are supported for attachment protection
       Ability to route email for Moderation
    25. Protection via Transport Rules
    26. Rights Management Services Integration in Outlook Web Access
    27. Protected Content in Outlook
       RMS Protection is applied both to the message itself and to the attachments.
       Saved attachments retain the relevant protection (e.g. rights to view, print or copy content).
    28. Rights Management Services Integration in Unified Messaging
       Unified Messaging administrators can allow incoming voice mail messages to be marked as “private”
       Private voice mail can be protected using “Do Not Forward”, preventing forwarding or copying content
       Private voice mail is supported in Outlook 2010 and Outlook Web Application (OWA)
    29. Rights Management Services Integration in Unified Messaging
    30. Business to Business RMS: Securely Communicate with Partners
       Today customers can communicate using RMS between organizations by deploying ADFS and setting up trusts
       ADFS requires a separate trust between each partner
       ADFS isn’t supported by Exchange
       In Exchange Server 2010, customers can federate with the Microsoft Federation Gateway instead of each partner
       A single federation point replaces individual trusts
       Allows Exchange to act on-behalf-of users for decryption
       Senders can control how their data is accessed by 3rd parties
       By using federation, RMS can allow organizations and applications to access data on-behalf-of individuals
       Specifically they can specify whether recipient organizations can archive e-mails in the clear
       RMS administrator can control which 3rd parties can access data using federated authentication (allow/block list)
    31. Outlook Protection Rules
       Allows an Exchange administrator to define client-side rules that will protect sensitive content in Outlook automatically
       Rules can be mandatory or optional depending on requirements
       Rules look at the following predicates:
       Sender’s department (HR, R&D, etc.)
       Recipient’s identity (specific user or distribution list)
       Recipient’s scope (all within the organization, outside, etc.)
       Rules are automatically retrieved from Exchange using Autodiscover and Exchange Web Services
    32. Outlook Protection Rules
       Step 1: User creates a new message in Outlook 2010.
       Step 2: User adds a distribution list to the To line.
       Step 3: Outlook detects a sensitive distribution list (DL) and automatically protects as MS Confidential.
       Company Confidential - This content is confidential and proprietary information intended for company employees only and provides the following user rights: View, Reply, Reply All, Save, Edit, Print and Forward. Permission granted by: nwinters@gaots.co.uk
    33. Manage Inbox Overload
       Help Reduce Unnecessary and Undeliverable E-Mail Through New Sender MailTips
       Remove Extra Steps and E-Mail
       Limit Accidental E-Mail
       Reduce Non-Delivery Reports
    34. Key takeaways
       Personal Archive gives seamless user experience and removes need for PSTs
       Deep support for IRM
       Automation enables ease of use and administration
       Wide range of granular controls from Soft to Hard