Microsoft IT Strengthens Security with Data Loss Prevention
Published: November 2009
The following content may no longer reflect Microsoft's current position or infrastructure. This content should be viewed as reference documentation only, to inform IT business decisions within your own company or organization.
The following item provides a more current perspective from Microsoft IT on this topic: Protecting Client Data at Microsoft with System Center Data Protection Manager 2010.
With information residing in a multitude of places, enterprises face growing risks of inadvertent or malicious leaks. The integration of Active Directory Rights Management Services into RSA Data Loss Prevention products provides a very effective solution for Microsoft IT to locate and protect sensitive data.
Intended Audience: IT managers, IT professionals, CIOs, and business decision makers with information security responsibility
Download: Article, 325 KB Microsoft Word file
Over the years, the Microsoft IT Security team has implemented various technologies to safeguard data stored in hundreds of thousands of personal computers, servers, file shares, Storage Area Networks (SANs), and Microsoft® Office SharePoint® Server sites. This article discusses how the Security team moved from a solution that used the Active Directory® service with early versions of RSA® Data Loss Prevention (DLP) products to a solution that takes advantage of the integration of Active Directory Rights Management Services (AD RMS) into RSA DLP Datacenter. The original solution required IT staff to create and maintain custom classification systems, and then manually notify content owners to update their file-access and classification rules. With the current solution, Microsoft IT can automatically apply targeted and persistent protection according to industry best practices. This improves regulatory compliance, frees up IT time, and lowers the risk of a security breach.
The Microsoft IT Security team is part of the greater Information Security organization at Microsoft Corporation. This group is responsible for testing and deploying security solutions to protect data throughout the company. This data includes sensitive and regulated information such as financial, personnel, and marketing information, and is stored on and transferred between a variety of locations including personal computers, cell phones, portable-storage devices, servers, file shares, SANs, and Microsoft Office SharePoint Server sites.
The Data-Protection Challenge
Loss of sensitive data is an operational risk for Microsoft. Today, information resides in more places than ever before, including mobile and personal-storage devices. With employees, partners, customers, and vendors working from home, the office, and the field, enterprises face growing risks of inadvertent or malicious data leaks. For example, an employee might send sensitive information as an attachment to an e-mail message or transmit sensitive information outside the firewall via File Transfer Protocol, possibly allowing the information to be intercepted or to fall into the wrong hands. Furthermore, simply transmitting sensitive data outside the organization can breach regulatory compliance guidelines.
Due to a range of legislative, corporate, and industry regulations that govern the protection of sensitive data, the classification of that data can be a complex process. When defining sensitive data classifications and policies, Microsoft takes these regulations, internal corporate policies, and legal requirements into account. Once the policies and data classifications have been defined, the data must be physically located, placed into the proper classification level (low, medium, or high business impact), and given the security settings appropriate to that level.
For example, data classified as Low Business Impact (LBI) may only require limiting user access permissions, while High Business Impact (HBI) data frequently requires encryption in order to meet regulatory standards. One challenge facing security departments is how to apply encryption efficiently to selected content, taking into consideration how the data will be accessed and by whom. Applying encryption too broadly can be prohibitively expensive in terms of dollars, IT time, and lost productivity due to access issues as well as identity and key management requirements.
The Original Solution
For the original solution, the Security team addressed information security challenges by using DLP products from RSA, the security division of EMC® Corporation. The Security team used:
- RSA DLP Datacenter (formerly Tablus® Content Sentinel) to find and safeguard sensitive data when it was at rest residing in data repositories
- RSA DLP Network to monitor and enforce information-security and regulatory-requirement classification policies on data in motion as it was leaving the Microsoft network
The Security team also used the Windows Server® 2003 Active Directory service to manage user-identity and data-access rights. With Active Directory object user authorization, the type of access granted to objects (such as servers and shared volumes) is determined by the rights assigned to the user and the permissions attached to the objects. An object is a set of attributes that can include shared resources, such as printers, computer accounts, domains, applications, and services.
For the original solution, the Security team had to build and maintain classification systems for file shares and SharePoint sites around the company. Content owners then classified their shares and sites based on the types of documents stored in them. Depending on the classification level that the owners chose, the Security team applied safeguards to those locations and used Active Directory to validate user access and access rules. The Security team scanned for sensitive data using the RSA DLP products and then manually notified the content owners if they needed to update the Active Directory access control lists (ACLs) or other classification rules that controlled users' data-access rights. In other cases, the Security team notified users and then handled the updates themselves.
The New Solution
To increase efficiency and compliance with information-security policies, the Security team wanted to further automate the solution—especially by automatically and selectively encrypting specific types of data, such as HBI data, instead of relying on content owners to adjust their ACLs and classification rules to restrict access.
The Security team also wanted to do a better job of protecting unencrypted documents. For example, users who had general file-access rights to open and read a Microsoft Office Word document saved on their own storage device could forward that document outside of Microsoft, where Microsoft no longer had control over it. If these users left Microsoft, they would continue to have access to that document. To improve the solution, the Security team needed to implement more advanced technologies.
In December 2008, the technology needed to solve these problems became available when RSA integrated its DLP Datacenter product, version 7.0.2, with AD RMS, which is part of the Windows Server 2008 operating system. With the addition of AD RMS, the Security team can automatically protect sensitive information and allow access based on a predefined set of rights or permissions, such as the ability to view, edit, copy, save, or print documents.
AD RMS helps safeguard digital information from unauthorized use, both online and offline as well as inside and outside the firewall. It accomplishes this by identifying which files should have persistent usage policies and rights management applied to them, and which ones should be encrypted. With persistent protection, these safeguards are part of the data itself. This means that no matter where the data resides, it carries the permissions and restrictions with it.
The process for locating and protecting data with the new solution is as follows:
- The Security team creates AD RMS templates to protect particular types of sensitive data. The templates specify which users (for example, Microsoft full-time employees, or FTEs) should have access to the data and the level of access (view, edit, copy, save, or print) to grant.
- The Security team designs RSA DLP policies to find and protect data of that type using AD RMS.
- RSA DLP Datacenter discovers and classifies sensitive files, and then automatically applies the AD RMS templates to the data at rest wherever it resides in the enterprise.
- When users request files, AD RMS provides policy-based access to the files.
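The four-step loop above, together with the LBI/MBI/HBI levels described under "The Data-Protection Challenge", as an added Python example that is not part of the original article and is not RSA's or Microsoft's code. The detection rules, the level-to-action mapping, the AD RMS template name and the sample files are all constructed for illustration; the only HBI action is a stub print, because in the article that step is performed by the AD RMS Bulk Protection Tool, not by a script.

```python
"""Scan-classify-protect loop: find sensitive data at rest, rank it by
business impact, and choose the protection step for each file.
Constructed example; the rules, templates and sample files are illustrative."""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Business-impact levels from the article, lowest to highest.
LEVELS = ["LBI", "MBI", "HBI"]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Detection rules (hypothetical, not RSA DLP policy syntax):
# (name, pattern, level assigned on a hit, optional validator for the match text).
RULES = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "HBI", None),
    ("card", re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), "HBI",
     lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    ("confidential", re.compile(r"\bconfidential\b", re.IGNORECASE), "MBI", None),
]

# Level-to-action mapping (assumed for this example): only HBI gets persistent
# RMS protection, which keeps encryption from being applied too broadly.
ACTIONS = {
    "HBI": ("rms_protect", "HBI - Current FTE only (view, edit, copy, save, print)"),
    "MBI": ("restrict_acl", None),
    "LBI": ("none", None),
}


@dataclass
class Finding:
    name: str
    level: str
    hits: dict  # rule name -> match count


def classify(text: str) -> tuple:
    """Return (highest level triggered, per-rule hit counts) for one document."""
    level, hits = "LBI", {}
    for name, pattern, rule_level, validate in RULES:
        matches = [m for m in pattern.findall(text) if validate is None or validate(m)]
        if matches:
            hits[name] = len(matches)
            if LEVELS.index(rule_level) > LEVELS.index(level):
                level = rule_level
    return level, hits


def scan(root: Path) -> list:
    """Step 3: discover and classify files at rest under root (text files only here)."""
    findings = []
    for path in sorted(root.rglob("*.txt")):
        level, hits = classify(path.read_text(encoding="utf-8", errors="replace"))
        findings.append(Finding(path.name, level, hits))
    return findings


def protect(finding: Finding) -> str:
    """Steps 3 and 4: pick the protection for a finding. The RMS call is a stub;
    in the article it is performed by the AD RMS Bulk Protection Tool."""
    action, template = ACTIONS[finding.level]
    if action == "rms_protect":
        print(f"[rms] {finding.name}: apply template '{template}' ({finding.hits})")
    elif action == "restrict_acl":
        print(f"[acl] {finding.name}: tighten share permissions ({finding.hits})")
    return action


# Constructed sample files; none of this is real data.
SAMPLE_FILES = {
    "payroll.txt": "Employee 7741 SSN 123-45-6789, salary review attached.",
    "expenses.txt": "Corporate card 4111 1111 1111 1111 used for travel.",
    "roadmap.txt": "CONFIDENTIAL - draft roadmap for next fiscal year.",
    "lunch.txt": "Team lunch Friday at noon; bring your own mug.",
    "typo.txt": "Card 4111 1111 1111 1112 fails the Luhn check and is not flagged.",
}


def demo() -> dict:
    """Write the samples to a temp share, run the loop, return name -> (level, action)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, text in SAMPLE_FILES.items():
            (root / name).write_text(text, encoding="utf-8")
        return {f.name: (f.level, protect(f)) for f in scan(root)}


if __name__ == "__main__":
    for name, (level, action) in demo().items():
        print(f"{name:14} {level:4} {action}")
```

The point of the Luhn validator is the cost argument the article makes: every false positive at the HBI level is a file that gets encrypted and then generates access-support work, so a discovery rule should validate its matches before it escalates a file's level. The highest-level-wins rule in `classify` mirrors the article's approach of assigning one sensitivity level per file and deriving the protection from that level rather than from the individual hits.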
Figure 1 illustrates the process for applying the AD RMS templates and RSA DLP policies.
Figure 1. Protecting HBI data with AD RMS and RSA DLP Datacenter
To ensure that encryption is not applied too broadly, the Security team chose a template that allows users within Microsoft to collaborate on and copy protected content. If the content travels outside of the organization, however, AD RMS safeguards the information by restricting access to current Microsoft employees.
In just six months, the Security team implemented an end-to-end information-security solution and scanned one third of the company's file environment. The solution automatically applies persistent safeguards according to data-sensitivity level for easier and less-costly compliance.
Automated Process, Persistent Protection
With the AD RMS Bulk Protection Tool and the new File Classification Infrastructure (FCI) capabilities in Windows Server 2008 R2, content owners no longer have to classify their file shares or manually encrypt their HBI documents. The solution automatically applies targeted and persistent rights, access policies, and safeguards to data based on sensitivity level, and notifies the owner that no further action is necessary. Sensitive data across the corporation is protected both at rest and as it leaves the corporate network. Automation also reduces the risk that content owners will not properly apply required security policies.
Easier, Less Costly Compliance
DLP solutions coupled with automatic RMS protection enable an enterprise to scan, classify, and protect enormous volumes of information in a timely and regularly scheduled manner. Microsoft employees can stay compliant automatically with data-handling standards that call for encryption of HBI documents—without the expense of applying encryption too broadly.
This is important because Microsoft has many terabytes of data stored at various locations, and the cost of encrypting all of that data would far outweigh the benefits. With the RSA DLP Suite and AD RMS, Microsoft knows where the sensitive information is, and the Security team can automatically apply specific safeguards to the sensitive files.
The Security team has scanned millions of documents using the new solution and has encrypted thousands of them. The team expects to encrypt tens of thousands of additional documents by the time they have finished running the AD RMS Bulk Protection Tool.
Freed IT Time
With automation, Microsoft IT has been able to free up one-half of one developer's time. Rather than creating and maintaining classification systems for file shares, this developer is free to work on other projects. Microsoft IT expects to receive similar time savings when they deploy the next version of Office SharePoint Server.
By implementing a solution that integrates RSA DLP technology and AD RMS, Microsoft has been able to automate the process of locating sensitive data and applying the appropriate protections to that data. This automation provides greater efficiency and frees up personnel resources. It also provides a greater level of protection for sensitive data.
For More Information
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information through the World Wide Web, go to:
© 2009 Microsoft Corporation. All rights reserved.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, SharePoint, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.