SIA323: Business Ready Security: Securely Collaborate with ...
SESSION CODE: SIA-323 Business Ready Security: Securely Collaborate with Partners and Employees Using SharePoint, Microsoft Forefront, and Active Directory Brjann Brekkan Sr. Technical Product Manager Microsoft Corporation Agenda Business Ready Security Collaboration Scenarios Information Protection Anywhere Access Cross organizational collaboration Summary Business Needs and IT Challenges Simplify user experience for collaboration Provide secure access to applications Difficulty in extending business resources Multiple locations and devices from anywhere Prevent sensitive information from leaking Protect from threats
BUSINESS Needs Agility and Flexibility Increasing volume of sensitive information Financially motivated evolving threats IT Needs Control Business Ready Security Identity Management Pro Protect everywhere, access anywhere s ces Ac tec tio n Help securely enable business by managing risk and empowering people
Integrate and extend security across the enterprise Highly Secure & Interoperable Platform Simplify the security experience, manage compliance Across on-premises & cloud from: Block Cost Siloed to: Enable Value Seamless Business Ready Security Solutions Secure Messaging Secure Collaboration Information Protection Identity and Access Management Secure Endpoint
Current Situation Limited collaboration impacts user productivity Sensitive information is sent via email since partners do not have access to collaboration site ON PREMISES Limited to no access Limited to no access Malware on non-trusted machines Collaboration Scenarios Protecting information Anywhere Access to collaboration services External Collaboration ON PREMISES Enable more secure business collaboration from virtually anywhere and across devices, while preventing unauthorized use of confidential information Protect Information Automatically Automatically secure secure sensitive sensitive
R N A L (t ru (n on -t ru st ed ) organizations organizations Integrated Integrated malware malware protection protection EX TE st ed )
N A L Works Works online online and and offline, offline, across across ON-PREMISES EX TE R documents documents with with AD AD RMS RMS Ensure Ensure only only authorized authorized usage usage through persistent
policies through persistent policies We We store store lots lots of of sensitive sensitive information information in in SharePoint SharePoint libraries, libraries, which which can can be be selectively selectively configured configured to to apply apply rights rights protection protection to to documents documents when when theyre theyre downloaded downloaded Setting Setting everything everything up up only only took
took about about five five minutes. minutes. Christian Arpino, IT Administrator Christian Arpino, IT Administrator Source: Food Distributor Deploys Enterprise Rights Management to Help Protect Sensitive Data. Microsoft case study, February 2008. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000001482 Overview of AD RMS Components Active Directory Authentication Service Discovery Group Membership SQL Server RMS Server Certification Configuration data Logging Cache Licensing Templates MOSS 2007 Workstaton
Document Libraries with IRM RMS Lockbox Client API Exchange Server 2007/2010 Templates Pre-licensing Fetching Content filtering Keyword filtering Clients and Servers compatible with RMS SharePoint IRM Workflow 1. Author publishes content into SharePoint Server AD RMS Server 3 1 2 3. SharePoint requests credentials (the first time), then protects the file according to the permissions on the document library
4 5 Author using Office 2010/2007/2003 2. Recipient requests document from SharePoint. The Recipient 4. SharePoint sends protected file to recipient 5. The RMS-enabled application renders file and enforces rights Protect Sensitive Information Protect Documents from Malware Competitors Solutions Microsoft Solution Defense in Depth Single Engine Multiple Engines 38times timesfaster fasterresponse response
38 An AV-Test of consumer antivirus products revealed: On average, Forefront engine sets provided a response in Automatic EngineUpdates Updates 3.1 hours or less. Automatic Engine Single-engine vendors provided responses in 5 days, 4 days, and 6 days respectively. Eliminatessingle singlepoint pointofoffailure failure Eliminates Forefront Forefront Security Security for for SharePointgives SharePointgives us us an an extra extra layer layer of of protection protection for
for our our SharePoint SharePoint environment in ways that no other product can match. environment in ways that no other product can match. -- Tom Tom Booth, Booth, Sr. Sr. Collaboration Collaboration Engineer Engineer Source: SAS Gains Extranet Benefits with Confidence Security Solution Makes it Easy. Microsoft case study, March 2007. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=201164 Forefront Protection for SharePoint 2010 SharePoint is a great place to store information but when it is on the Extranet you might want to keep a tighter control. Normal malware filtering is turned on of course but in addition, Woodgrove wants to block all docs that contain budget details Examining Antimalware Engine configurations Configure keyword filtering DEMO
Provide More Secure, Anywhere Access ED T S UD TR IREC (n on -t ru s SharePoint SharePoint R L N SS N A L VP (t ru st ed ) L SS N VP
Restricted, Restricted, policy-based policy-based access access to to EX TE TE R N A L Simplified, Simplified, always-on always-on access access Consolidated Consolidated secure secure portal portal to to simplify remote access simplify remote access C ES
S EX A C te d) T Using Using Intelligent Intelligent Application Application Gateway, Gateway, employees employees can can connect connect easily, easily, which which means means that that our our important important customer information is
accessible for them wherever they are. customer information is accessible for them wherever they are. -- Raymond Raymond Provily, Provily, Manager Manager of of Facilities Facilities Source: Easy, Integrated Solution Gives Workers Remote Access, Improved Productivity. Microsoft case study, July 2007 http://www.microsoft.com/emea/partnersolutionmarketplace/CaseStudyDetail.aspx?casestudyid=4000000405 Addressing Access Security Single point of control for access policies Access control based on user identity, role & endpoint device Built-in security policies to choose from for endpoint security enforcement Inactivity timeouts and re-authentication Filter inbound requests (App Firewall) Overlay granular access control to specific sites and features Pre-defined control over uploads, downloads, edits, etc. Clean up cache and temp files when session terminated
Forefront UAG Providing Secure Access Employee at Woodgrove Bank is travelling and needs to check on project data and later also upload new information to project site. Differentiated Secure Access to SharePoint Configuring end point scanning in UAG Controlling access based on Employee Type (FTE gets access to Remote Desktop) DEMO External Collaboration applications applications using using a a single single identity identity Collaboration Collaboration across across organizations organizations O NPR EM Ability Ability to to move move seamlessly seamlessly between
between IS ES Empower Empower Business Business ORY ACTIVE DIRECT ICES RV SE N TIO RA and SAML 2.0 FEDE WS-* No No need need to to manage manage external external accounts accounts Simplified Simplified and and flexible flexible claims-based claims-based
federation federation EX TE R N AL Common Common authentication authentication controls controls for for building building custom custom applications applications /C U ST O M ER PA RT
N ER Empower Empower IT IT S Access Access claims claims are are arbitrated arbitrated by by digital digital tokens, tokens, which which mean mean that that users users won't won't necessarily necessarily need need to to supply supply Web Web sites
sites with with personal personal information information to to conduct conduct transactions. transactions. Information Information Weekly, Weekly, April April 2009 2009 Source: RSA: Microsoft Pushes 'Geneva' In War On Passwords. Information Week, April 2009. http://www.informationweek.com/news/security/app-security/showArticle.jhtml?articleID=216600105&pgno=2&queryText= Extended Collaboration with Single Sign On Single user access model with single sign on (SSO) and easy to setup federation to on-premise and cloud services Helps provide consistent security with user access model externalized from applications Based on industry standard protocols for interoperability Security Token (e.g., Kerberos Ticket) Corporate User SharePoin t
Exchange Web App AD DS ClaimsAware app AD FS Shared identity with partners and cloud services Boost cross-organizational Partner efficiency Share rights-protected messages Improved support for SharePoint as a claims-aware application ClaimsAware Application CLOUD SERVIC
ES AD RMS and AD FS Collaboration Scenarios Trey Engineering Woodgrove AD 1. 2. AD 3. AD FS Relying Party AD FS Identity Provider 5. WebSS 9 O 4 6. 7. 6
UL 11 Assume author is already bootstrapped Author sends protected email to recipient at Trey Engineering post to Extranet Sharepoint Recipient contacts Published Woodgrove RMS server to get bootstrapped WebSSO agent intercepts request RMS client is redirected to FS-RP for home realm discovery through TMG or UAG RMS client is redirected to FS-IP for authentication RMS client is redirected back to FS-RP for authentication RMS client makes request to RMS server for bootstrapping WebSSO agent intercepts request, checks authentication, and sends request to RMS server RMS server returns bootstrapping certificates to recipient RMS server returns use license to recipient Recipient accesses protected content Extending Collaboration to Partners Charlie at Trey Engineering needs to access Woodgrove Bank Extranet Configure Trey Engineering AD Federation Services 2.0 Examine how group membership in Trey Engineering becomes access right on Woodgrove Bank Extranet Rights Management integrated with SharePoint Malware protection Updating access to SharePoint sites
Role changes on Trey Engineering DEMO Collaboration Scenarios Protecting information Anywhere Access to collaboration services External Collaboration ON PREMISES Track Resources Business Ready Security www.microsoft.com/brs Test it your self virtual environment Bing: BRS Demo Environment http://www.microsoft.com/downloads/details.aspx?FamilyID=726f943e-d107-4b4d-a86e-dfb605e30ce5&displaylang=en http://www.microsoft.com/downloads/details.aspx?FamilyID=726f943e-d107-4b4d-a86e-dfb605e30ce5&displaylang=en Secure Collaboration: www.microsoft.com/forefront/en/us/secure-collaboration.aspx Track Resources Learn more about our solutions: http://www.microsoft.com/forefront Try our products: http://www.microsoft.com/forefront/trial Resources Sessions On-Demand & Community
Learnin g Microsoft Certification & Training Resources www.microsoft.com/teched www.microsoft.com/learning Resources for IT Professionals Resources for Developers http://microsoft.com/technet http://microsoft.com/msdn Complete an evaluation on CommNet and enter to win! Sign up for TechEd 2011 and save $500 starting June 8 June 31st http://northamerica.msteched.com/registration You can also register at the North America 2011 kiosk located at registration Join us in Atlanta next year 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. JUNE 7-10, 2010 | NEW ORLEANS, LA
Motif Example. The central idea of the co-existence of good and evil in Harper Lee's To Kill a Mockingbird is supported by several motifs. Lee strengthens the atmosphere by a motif of Gothic details i.e. recurrent images of gloomy and...
The Problem of Evil in M. E. Dyson's Come Hell or High Water In his final chapter, "Supernatural Disasters? Theodicy and Prophetic Religion," Dyson asks how "…one can maintain that God has all the power and goodness in the world...
Housing/shelter. assistance. 100. Most frequently reported unmet needs for ancillary services* *Percentages calculated from entire 2013 study population (n=210); ... Adhere to the NHAS and increase the proportion of persons linked to care.
Natives originally settled in Canada when they crossed the land bridge from Asia to North America thousands of years ago. The people of Canada today originally immigrated there for many reasons. Most trace their roots back to English and French...
Cellular and asexual reproduction from mitosis. Sexual reproduction from meiosis. Mitosis: the process of cell division. that results in growth and/or cell replacement of all cells of the body, * with the exception of egg cells and sperm cells
Groundwater Substitution. Farmers sell (transfer) their surface water. Pump groundwater to offset loss of surface water. Controversial because pumping can affect other users. ... DEVELOPMENT OF LOCAL GRID REFINEMENT METHODS FOR INVERSE GROUNDWATER MODELING
Newtonian Mechanics 20 September 2006 Course Outline Naked-eye astronomy Crash course in physics Our solar system The stars Structure and history of the universe Course Outline Naked-eye astronomy Crash course in physics Our solar system The stars Structure and history...
Earning Management: examine total accruals, working capital accruals and abnormal accruals, as well as special items and share repurchases Future Operating Performance: long-term earnings growth forecasts, realized future return on assets and the frequency of firms that continue to have...
Ready to download the document? Go ahead and hit continue!