To safeguard data stored in and transmitted from Microsoft® offices and portable devices around the world, the Microsoft IT Security team used the Active Directory® service to manage data-access rights and early versions of RSA® Data Loss Prevention (DLP) products to locate sensitive data. This solution required IT staff to create and maintain custom classification systems and then manually notify content owners to update their file-access and classification rules. Microsoft IT Security upgraded to Active Directory Rights Management Services in the Windows Server® 2008 operating system, as well as version 7 of DLP Datacenter. Now, Microsoft can automatically apply targeted and persistent protection according to industry best practices for improved regulatory compliance, freeing up IT time and lowering the risk of a security breach.
Microsoft India - Security and Data Loss Protection Case Study
Microsoft IT
Customer Solution Case Study

Microsoft IT Strengthens Security with Data Loss Prevention Solution

Overview
Country or Region: United States
Industry: IT services

Customer Profile
The Microsoft® IT division supports the daily computing operations of Microsoft Corporation, which is headquartered in Redmond, Washington.

Business Situation
Microsoft relied on content owners to adjust access and classification settings for sensitive data in file shares and on SharePoint® sites; data on users' computers was vulnerable to security breaches.

Solution
Microsoft used its Active Directory® Rights Management Services and the RSA® Data Loss Prevention Suite from EMC Corporation to automatically apply persistent access rights to data according to its sensitivity level.

Benefits
• Automated process
• Persistent protection
• Easier, less costly compliance
• Tighter information security
• Freed IT time

"With the RSA DLP Suite and Active Directory Rights Management Services, we know where the sensitive information is, and we can automatically apply specific safeguards just to the files that need them."
Olav Opedal, Senior Program Manager, Microsoft IT Security
Situation
Microsoft® IT Operations is part of the greater Information Security organization at Microsoft Corporation. Its Microsoft IT Security team is responsible for testing and deploying security solutions that protect the entire company's data. The data to be safeguarded includes financial, personnel, and marketing information, which is stored on and transferred among hundreds of thousands of personal computers, servers, file shares, Storage Area Networks, and Microsoft Office SharePoint® Server sites.

The Data-Protection Challenge
The challenge is huge. With information residing in more places, such as mobile devices, and with employees, partners, customers, and vendors working from home, the office, and the field, enterprises face growing risks of inadvertent or malicious data leaks. For example, whether intentionally or accidentally, sensitive information might be sent as an attachment to an e-mail message or transmitted outside the firewall via File Transfer Protocol and could be intercepted. Furthermore, simply transmitting sensitive data outside the organization can breach regulatory compliance guidelines. "Loss of sensitive data is an operational risk for Microsoft," says Olav Opedal, Senior Program Manager for Microsoft IT Security.

Classifying sensitive data is complex, as a range of corporate and industry regulations govern its protection, such as Personally Identifiable Information (PII) and Intellectual Property (IP). Microsoft takes these into account, along with internal corporate policies and legal requirements. Once at-risk data has been identified, it must be physically located, and content owners must help classify its sensitivity as being low, medium, or high business impact (HBI) to help ensure the proper level of protection.

Whereas less-sensitive data can be adequately protected by limiting users' access, HBI data often requires encryption in order to best meet regulatory standards. The challenge is finding a way to efficiently apply encryption just to selected content, keeping in mind how it will be used and who will need to access it; applying encryption too broadly can be prohibitively expensive in terms of dollars, IT time, and lost productivity due to access issues and identity and key management.

The Original Solution
In 2006, Microsoft IT Security addressed information security by using two Data Loss Prevention (DLP) products from RSA, the security division of EMC Corporation. With RSA® DLP Datacenter Enterprise 3.2, Microsoft IT Security could discover and apply safeguards to sensitive data at rest—that is, information residing in data repositories. In 2008, using DLP Network 6.0, the team could monitor and enforce information-security and regulatory-requirement classification policies on data in motion—that is, information leaving the Microsoft network.

"If we have an external or internal threat, our information is protected with Active Directory Rights Management Services."
Olav Opedal, Senior Program Manager, Microsoft IT Security

To manage user-identity and data-access rights, Microsoft IT Security also used the Active Directory® directory service, part of the Windows Server® 2003 operating system. With Active Directory object user authorization, the type of access granted to objects (such as servers and shared volumes) is determined by the rights that are assigned to the user and which permissions are attached to the objects. An object is a set of attributes that can include shared resources, such as printers; network user and computer accounts; and domains, applications, and services.

This solution required Microsoft IT Security to build and maintain classification systems for file shares and SharePoint sites around the company. Content owners then classified their shares and sites based on the types of documents stored in them. Depending on the classification the owners chose, Microsoft IT Security applied safeguards to those locations and used Active Directory to validate user access and access rules. Microsoft IT Security scanned for sensitive data using the RSA DLP products and then manually notified the content owners in cases when they should update the Active Directory access control lists (ACLs) or other classification rules that controlled users' data-access rights. Or, Microsoft IT Security sent notifications to the end users and, in some cases, handled the updates itself.

To increase efficiency and compliance with information-security policies, Microsoft IT Security wanted to further automate the solution—especially by automatically and selectively encrypting specific types of data, such as HBI documents, instead of relying on content owners to adjust their ACLs and classification rules to restrict access.

Microsoft IT Security also wanted to better protect unencrypted documents. For example, users who had general file-access rights to open and read a Microsoft Office Word document saved on their own storage device could forward that document outside of Microsoft, where they no longer had control over it. If these users left Microsoft, they would continue to have access to that document. To improve the solution, Microsoft IT Security needed more advanced technology.

Solution
In December 2008, the technology needed to solve these problems became available when RSA integrated its DLP products with Active Directory Rights Management Services. With the addition of Rights Management Services, Microsoft IT Security can restrict sensitive information to specific users according to a predefined set of rights—such as the rights to view, edit, or print documents—that are applied automatically. Rights Management Services is part of the Windows Server 2008 operating system, which Microsoft upgraded to in early 2008.

Rights Management Services helps safeguard digital information from unauthorized use, both online and offline, inside and outside the firewall, by identifying which files should have persistent usage policies and rights management applied to them, and which ones should also be encrypted. With persistent protection from Rights Management Services, these safeguards are part of the data itself. This means that no matter where the data resides, it carries the permissions and restrictions with it.

The Microsoft IT team that manages Active Directory Rights Management Services simply creates Rights Management Services templates that should be used to protect particular types of sensitive data (Figure 1). The templates specify which users should have access to the data and the level of access through rights, such as view, edit, and print. Then Microsoft IT Security designs RSA DLP policies for finding sensitive data of that type, and the new solution automatically applies the Rights Management Services template to the data at rest wherever it resides in the enterprise. The solution also sends notifications to content owners, who no longer need to update their ACLs or classifications manually. To ensure that encryption is not applied too broadly, Microsoft IT Security chose a Rights Management Services template that allows users to collaborate on and copy protected content. But if the content extends outside of the organization, it is safeguarded with Rights Management Services protection and cannot be opened, viewed, edited, or copied, as the content can only be opened by current Microsoft employees.
Figure 1. The five-step process for protecting HBI documents on files with joint DLP and Active Directory Rights Management Services

For Windows Server 2008 R2, Microsoft IT Security uses the File Classification Infrastructure (FCI) to classify HBI files residing on a file server. When used in conjunction with the File Server Resource Manager feature in Windows Server 2008 R2, IT staff can get insight into the distribution of HBI data, automate the enforcement of document retention policies, and apply user rights and encryption according to classification—all as part of the operating system. With the addition of the Active Directory Rights Management Services Bulk Protection Tool, which will be released in late 2009, Microsoft IT Security can fully automate the identification, monitoring, and remediation of HBI data on file servers on a per-file basis—instead of requiring content owners to classify entire file shares.

The Microsoft IT Security team worked with stakeholders across the company to shape the new solution. The stakeholders include teams from File Share Operations, Active Directory Rights Management Services, and other Collaboration Services groups; various technical-support tiers; and Microsoft Legal and business-review groups. Stakeholder participation was important because applying Rights Management Services to documents would affect production server service levels and other aspects of the IT infrastructure. Says Opedal, "We wanted to ensure that infrastructure, operations, and technical support teams would be ready, so service levels would stay high. And, without feedback and buy-in from stakeholders who are willing to classify data, the technology cannot discover the data as effectively."

"By building these technologies into the infrastructure, we're creating a solution with fewer tools to buy, deploy, and manage. That's comprehensive security that's built-in, not added on."
Olav Opedal, Senior Program Manager, Microsoft IT Security

Microsoft IT Security is also taking steps to help safeguard data that falls outside the existing rules and definitions it has programmed into RSA DLP products. "Due to the complex nature of information—for example, intellectual property—there's more sensitive data than we have written rules for identifying," says Opedal. "But, we can assume that if data is stored in a highly sensitive site that that data is also highly sensitive." The team is starting to use the new solution, including the Bulk Protection Tool, to address this situation. With the addition of this tool, the team can fully automate identification, monitoring, and remediation of HBI data on file servers on a per-file basis, for targeted encryption and rights management.

Benefits
In just six months, Microsoft IT Security implemented an end-to-end information-security solution and has scanned one-third of the company's file environment. The solution applies persistent safeguards according to data sensitivity level for easier and less-costly compliance. The team can also apply targeted encryption and other safeguards automatically. This automation has freed up IT resources, and Microsoft reports fewer data leaks.

Automated Process, Persistent Protection
The integration of Rights Management Services and RSA DLP reduces cost and increases efficiency. Microsoft IT Security can use the solution to centrally apply targeted and persistent rights, access policies, and safeguards to data based on sensitivity level, without the need to manually notify content owners or end users. Wherever sensitive data at rest resides—on personal computers, servers, databases, applications, and more—and wherever it goes, those permissions stay with it.

Opedal says, "We get automatic, persistent, and targeted protection of sensitive information as the solution scans for it. If we have an external or internal threat, our information is protected with Active Directory Rights Management Services. Now, we can automatically detect sensitive information and apply safeguards, and the system notifies the owner that no further action is necessary. Thanks to the Active Directory Rights Management Services Bulk Protection Tool and the new FCI capabilities in Windows Server 2008 R2, content owners no longer have to classify their file shares or manually encrypt their HBI documents." Automation also reduces the risk of content owners not applying policies properly.
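The pipeline described under Solution above (a DLP policy finds data of a given type, an RMS template is applied only to what the policy flags, and the owner is told no action is needed), together with Opedal's rule that data stored in a highly sensitive site can be treated as highly sensitive, modeled as an added Python example. This is not Microsoft IT, RSA DLP, FCI or Bulk Protection Tool code. The UNC paths, owners, template name and sample documents are constructed for the example, and the Luhn validator and per-rule hit thresholds are the example's own choices for keeping encryption from being applied too broadly; the case study does not state them.

```python
"""Added example (not Microsoft IT, RSA DLP or Windows FCI code): a model of
discover -> classify -> protect, as the case study describes it.

  * content rules with a hit threshold and an optional validator (the Luhn
    check keeps random 16-digit strings from counting as card numbers),
  * the location rule Opedal describes: files under a site already rated
    HBI inherit HBI even when no content rule fires,
  * a per-sensitivity map to an RMS template, so only HBI files receive
    persistent protection; LBI/MBI stay on ACLs alone,
  * the owner notification that replaces manual ACL updates.
Paths, owners, template names and documents below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

SENSITIVITY = ("LBI", "MBI", "HBI")     # low / medium / high business impact


def rank(level: str) -> int:
    return SENSITIVITY.index(level)


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits of candidate; separators are ignored."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, n in enumerate(reversed(digits)):
        if i % 2 == 1:                   # every second digit from the right
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return len(digits) >= 13 and total % 10 == 0


@dataclass(frozen=True)
class ContentRule:
    name: str
    pattern: re.Pattern
    level: str                           # sensitivity granted when the rule fires
    min_matches: int = 1                 # validated hits needed before it fires
    validate: Optional[Callable[[str], bool]] = None


RULES = (
    ContentRule("pan", re.compile(r"\b(?:\d[ -]?){15}\d\b"), "HBI", 1, luhn_ok),
    ContentRule("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "HBI", 2),
    ContentRule("marking", re.compile(r"\bMicrosoft Confidential\b", re.I), "MBI"),
)

# Hypothetical RMS template names; None means "existing ACLs are enough".
TEMPLATE_FOR = {"HBI": "HBI - Current Employees Only", "MBI": None, "LBI": None}

# Constructed sites whose contents are assumed HBI (Opedal's location rule).
HBI_SITES = (r"\\files\legal\m-and-a",)


@dataclass
class Finding:
    path: str
    owner: str
    level: str = "LBI"
    reasons: list = field(default_factory=list)
    template: Optional[str] = None
    owner_notice: str = ""


def in_hbi_site(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(p.startswith(site.lower() + "\\") for site in HBI_SITES)


def classify(path: str, owner: str, text: str) -> Finding:
    """Run every content rule, then the location rule, then pick a template."""
    f = Finding(path, owner)
    for rule in RULES:
        hits = [m.group(0) for m in rule.pattern.finditer(text)]
        if rule.validate is not None:
            hits = [h for h in hits if rule.validate(h)]
        if len(hits) >= rule.min_matches:
            f.reasons.append(f"{rule.name}:{len(hits)}")
            if rank(rule.level) > rank(f.level):
                f.level = rule.level     # the highest firing rule wins
    if in_hbi_site(path):
        f.reasons.append("location")
        f.level = "HBI"
    f.template = TEMPLATE_FOR[f.level]
    if f.template:
        f.owner_notice = (f"{owner}: {path} was protected with template "
                          f"'{f.template}'; no further action is necessary.")
    return f


def scan(corpus: dict) -> dict:
    """corpus maps path -> (owner, text); returns path -> Finding."""
    return {p: classify(p, owner, text) for p, (owner, text) in corpus.items()}


def protected_paths(findings: dict) -> list:
    """Only these files get a template, i.e. only these are encrypted."""
    return sorted(p for p, f in findings.items() if f.template)


# Constructed sample corpus standing in for a scan of a few file shares.
SAMPLE_CORPUS = {
    r"\\files\finance\q3\expenses.xlsx":
        ("finance-owner", "Corporate card 4111 1111 1111 1111 charged 212.50"),
    r"\\files\marketing\launch-draft.docx":
        ("mkt-owner", "Microsoft Confidential. Sample SKU 1234 5678 9012 3456"),
    r"\\files\support\ticket-notes.txt":
        ("support-owner", "escalated, see case 123-45-6789"),
    r"\\files\hr\payroll.csv":
        ("hr-owner", "jdoe,123-45-6789\nasmith,987-65-4321"),
    r"\\files\legal\m-and-a\term-sheet.docx":
        ("legal-owner", "Draft term sheet, no numbers in this copy"),
}

if __name__ == "__main__":
    for path, f in scan(SAMPLE_CORPUS).items():
        print(f"{f.level} {path} [{','.join(f.reasons) or '-'}] -> {f.template or 'ACLs only'}")
```

Running the block prints one line per file. Three of the five constructed files end up with the template: the expense sheet (a Luhn-valid card number), the payroll export (two SSNs, meeting the threshold) and the term sheet (no pattern at all, but it lives under a site rated HBI). The marketing draft carries a 16-digit string that fails Luhn and is left at MBI on ACLs alone, and a single SSN-shaped case number in the support notes stays LBI; those two choices are what keeps the encryption targeted rather than broad, which is the cost concern the case study raises.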
Easier, Less Costly Compliance
Microsoft can help safeguard its important information by applying controls based on data sensitivity, for targeted protection. Microsoft employees can stay compliant automatically with data handling standards that call for encryption of HBI documents—without the expense of applying encryption too broadly. This is important, as Microsoft has many terabytes of stored data. Says Opedal, "If we were to encrypt all that data, the cost would outweigh the benefits. With the RSA DLP Suite and Active Directory Rights Management Services, we know where the sensitive information is, and we can automatically apply specific safeguards just to the files that need them."

Tighter, More Efficient Information Security
Microsoft IT Security has scanned millions of documents using the new solution and has encrypted thousands of them. Opedal expects to encrypt tens of thousands of additional documents by the time Microsoft IT Security has finished running the Active Directory Rights Management Services Bulk Protection Tool.
Freed IT Time
With automation, Microsoft IT Security has freed up one half of one developer's time from creating and maintaining classification systems for file shares. "That is developer time that we can use for other projects," says Opedal. "We expect to get the same time savings from our SharePoint sites too, once we deploy the next version of Office SharePoint Server."

Future Plans
In the long term, Microsoft will build the RSA Data Loss Prevention classification technology into the Microsoft platform and future information protection products. The resulting collaboration is designed to enable organizations to centrally define information security policy, automatically identify and classify sensitive data virtually anywhere in the infrastructure, and use a range of controls to protect data at the endpoints, network, and data center. "By building these technologies into the Microsoft platform," says Opedal, "we're creating a solution with fewer tools to buy, deploy, and manage. That's comprehensive security that's built-in, not added on."

For More Information
For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers in the United States and Canada who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to: www.microsoft.com

For more information about Microsoft IT products and services, call (800) 426-9400 or visit the Web site at: www.microsoft.com

Microsoft Server Product Portfolio
For more information about the Microsoft server product portfolio, go to: www.microsoft.com/servers/default.mspx

Software and Services
• Microsoft Server Product Portfolio
• Windows Server 2008 R2

Technologies
• Active Directory Rights Management Services

This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Document published September 2009