
Mandeep Singh, MCTS

MC ID: 8119907
Agenda (with demos)
• Information Leakage Problem
• AD RMS History
• What’s New in CY09
  • AD RMS Server Role in Windows Server 2008 R2
  • Exchange 2010 integration
  • AD RMS Bulk Protection Tool
  • RSA DLP 6.5+ integration
• Q&A
Business Ready Security
Help securely enable business by managing risk and empowering people
Identity
Highly Secure & Interoperable Platform
From → To: Block → Enable; Cost → Value; Siloed → Seamless

The Information Workplace
(Diagram: information flows between Home, USB Drive, Mobile Devices, Independent Consultant, and Partner Organization.)
Companies face growing risks of data


Information Leakage Is Costly On Multiple Fronts

Legal, Regulatory, and Financial impacts
• Cost of digital leakage per year is measured in $Billions
• Increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386
• Non-compliance with regulations or loss of data can lead to significant legal fees

Damage to Image and Credibility
• Damage to public image and credibility with customers
• Financial impact on company
• Leaked e-mails or memos can be embarrassing

Loss of Competitive Advantage
• Disclosure of strategic plans or M&A info can potentially lead to loss of revenue and market capitalization
• Loss of research, analytical data, and other intellectual capital

Data must be protected, but must remain accessible


Location Based Solutions
Protect Initial Access… But Do Not Protect Usage
(Diagram: a Firewall Perimeter and an Access Control List Perimeter enclose Authorized Users; Unauthorized Users sit outside both. Information Leakage is shown crossing both perimeters: the perimeters control initial access, not what happens to the information afterwards.)
AD RMS Is A Content-Based Solution
Protects the Information Itself – No Matter How It Is Shared And Where It Goes
(Diagram: the policy travels with the content wherever it goes.)

Active Directory Rights Management Services
Persistent Encryption + Policy
• Access Permissions (Who)
• Use Right Permissions (What)
AD RMS Workflow
Publishing and Consumption
1. Assume author and recipient are already bootstrapped with a RAC and CLC
2. Author creates mail
3. Author protects mail using RAC and CLC
4. Author sends mail to recipient
5. Recipient gets use license from RMS
6. Recipient can access content
(Diagram: AD DS, SQL and the AD RMS server; the Author, holding a RAC and CLC, produces a PL; the Recipient, holding a RAC and CLC, obtains a UL.)
Windows Server 2003
  Server: Out-of-band installer for RMS Server (v1, v1 SP1, v1 SP2); AD RMS Trust; TUD, WLID
  Client: Out-of-band installer for RMS Client (v1, v1 SP1, v1 SP2) on Windows XP and WS2003
  Microsoft Solutions: Office 2003 (Outlook, Word, Excel, PowerPoint); Internet Explorer Add-On (RMA)
  Partner Solutions: PDF and other file formats & Blackberry support – Gigatrust, Liquid Machines; CAD file format - Dassault Systems; Classification - Titus Labs; Secure Content Mgmt - Workshare

Windows Server 2008
  Server: AD RMS server role (v2); AD RMS Trust; AD FS federation support; AD RMS template distribution (Vista SP1 and above); Improved installation and mgmt; Admin reports; Different admin roles
  Client: AD RMS client integrated in Windows on Vista and WS2008
  Microsoft Solutions: Windows Mobile 6 integration; Office 2007 (+InfoPath); XPS Viewer; SharePoint 2007 (Doc libraries); Exchange 2007 SP1 (Prelicensing)
  Partner Solutions: PDF solution - Foxit; Secure Content Mgmt – OpenText

Windows Server 2008 R2
  Server: AD RMS server role (v3); AD RMS Trust; Publishing org (internal) group support for federated users; Improved installation and mgmt through PowerShell; Additional admin reports
  Client: AD RMS client integrated in Windows 7 and WS2008 R2
  Microsoft Solutions: Exchange 2010; AD RMS Bulk Protection Tool; WS2008 R2 FCI integration
  Partner Solutions: RSA DLP

* Each consecutive release on this slide includes features from the prior release
AD RMS Server Role in WS2008 R2
Customer Ask #1: Deployment and Administration
• PowerShell support for deployment and admin
  • Deployment cmdlets available out-of-the box
  • Admin cmdlets available after the AD RMS server role has been deployed
• Additional admin reports (system health)
AD RMS Administration

AD RMS Server Role in WS2008 R2
Customer Ask #2: Secure Collaboration
• WS2008 introduced external federation support via AD FS – need to individually identify external users when protecting information
• WS2008 R2 supports protecting to publishing org (internal) groups that include external users – no need to individually identify external users
External Collaboration via ADFS
(Diagram: Contoso AD with Alice, the projectX group, the RMS server, ADFS FS-R and a WebSSO agent; Fabrikam AD with Bob and ADFS FS-A.)
1. Assume author is already bootstrapped
2. Alice sends protected mail to projectX@contoso.com, of which Bob at Fabrikam is a member
3. Recipient contacts RMS Server to get bootstrapped
4. WebSSO agent intercepts request
5. RMS Client is redirected to FS-R for home realm discovery
6. RMS Client is redirected to FS-A for authentication
7. RMS Client is redirected back to FS-R for authentication
8. RMS Client makes request to RMS Server for bootstrapping
9. RMS Server returns certificates to recipient
10. RMS Client makes request to RMS Server for use license
11. RMS Server retrieves Bob’s group membership from AD and compares to PL
12. RMS Server returns use license to recipient
13. Recipient accesses protected content
Exchange 2010 RMS Integration
Themes

Exchange 2010 RMS Integration
Customer Ask #1: Streamline End-user Experience
• Prelicensing support enables offline and mobile access to RMS-protected e-mails – introduced in Exchange 2007 SP1
• Consume and publish RMS-protected e-mails in OWA – Internet Explorer, Firefox, Safari
• Conduct full-text search on RMS-protected e-mails in OWA
RMS-Protected E-mails in OWA

Exchange 2010 RMS Integration
Streamline End-user Experience: RMS Integration In OWA: Details
• Client Access Server (CAS) uses Superuser privileges to decrypt
• Prelicensed use license (UL) used to determine rights to enforce
• Rights enforcement concerns in the browser mitigated by enabling the feature for a specific set of users (at mailbox policy level)
Exchange 2010 RMS Integration
Customer Ask #2: Automatic Protection
• Automatically protect e-mails in transit via Exchange transport rules
• Automatically protect e-mails in Outlook 2010 (through an add-in)
• Automatically protect private voicemails through Exchange Unified Messaging (UM)
Exchange 2010 RMS Integration
Automatic Protection: Through Transport Rules
• Transport Rule action to apply AD RMS template to e-mail message
• Based on content and context analysis
  • Content analysis: Keywords and RegEx scanning of e-mails and attachments
  • Context examples: From, To
Exchange Transport Rules Based Automatic RMS-Protection

Exchange 2010 RMS Integration
Automatic Protection: Through Transport Rules: Details
• Rules agent stamps x-org header in e-mail with RMS template GUID
• Encryption agent applies RMS template to e-mail and attachments on onRouted Transport Agent event
• Office 2003 and above file formats (Word, Excel, PowerPoint) and XPS attachments also get automatically protected
• Extensible to other file formats through the IRM Protector implementation
Exchange 2010 RMS Integration
Automatic Protection: Through Outlook Protection Rules
• Outlook 2010 add-in (small-scale rules engine)
• Mitigates concerns of Exchange admin or host accessing sensitive mail
• Rules
  • Context only: Sender’s department, recipient’s identity, recipient’s scope (internal/external)
  • Retrieved by add-in from CAS through Exchange Web Services (EWS) API
• Ability to allow/disallow user to override automatic protection
Outlook 2010 Add-In Protection Rules
Exchange 2010 RMS Integration
Automatic Protection: Through Unified Messaging
• UM admin can allow incoming voicemails to be marked as “private”
• Private voicemails can be protected using the “Do Not Forward” RMS template, preventing forwarding and copying of voicemail content
• Private voicemails supported in OWA and Outlook 2010
• Uses the Encryption/Decryption XSO API to RMS-protect
Exchange Unified Messaging Protected Voicemails
• RMS-protected based on sender marking voicemail as ‘private’ or through administrative policy
Exchange 2010 RMS Integration
Customer Ask #3: Seamless IT Infrastructure Integration
• Enables e-discovery via journal decryption
• Enables anti-malware and other scenarios (such as adding a disclaimer) at hub transport via transport decryption and re-encryption
Exchange 2010 RMS Integration
Seamless IT Infrastructure Integration: Journal Decryption
Journal Report Decryption Agent
• Attaches clear-text copies of RMS-protected e-mails and attachments to journal mailbox
• Requires superuser privileges
• Feature is off by default
(Diagram: Archive/Journal)
Exchange Journal Decryption
Exchange 2010 RMS Integration
Seamless IT Infrastructure Integration: Transport Pipeline Decryption
• Enables Hub Transport Agents to scan/modify RMS-protected e-mails
• Pipeline Decryption Agent
  • Uses superuser privileges to decrypt e-mails
  • Decrypts e-mail and attachments
• Encryption Agent re-encrypts messages
• Option to NDR messages that cannot be decrypted
• All AD RMS integration agents are implemented as internal agents
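As an added example (not part of the deck or Microsoft's documentation), the Exchange Management Shell commands that wire up the transport-rule protection described earlier and the transport/journal decryption settings in this section. The contoso.com identities, the distribution group, the RegEx pattern and the OWA policy name are assumptions; it also assumes the Exchange Federated Delivery mailbox is already a member of the AD RMS super users group.

```powershell
# Added example, not from the deck: Exchange 2010 Management Shell configuration for
# the RMS integration points described above. Assumes the AD RMS cluster is in the
# same forest and Exchange's Federated Delivery mailbox is already in the AD RMS
# super users group (required for CAS, pipeline and journal decryption).

# --- Server-side IRM features (transport rule protection, pipeline decryption,
#     journal report decryption, OWA) ---
$irm = @{
    InternalLicensingEnabled       = $true        # transport-rule protection and prelicensing
    TransportDecryptionSetting     = 'Mandatory'  # pipeline decryption; undecryptable mail is NDR'd
    JournalReportDecryptionEnabled = $true        # clear-text copies on journal reports (off by default)
    OWAEnabled                     = $true        # RMS-protected mail in OWA
}
Set-IRMConfiguration @irm

# --- Automatic protection: content (RegEx) plus context (sender group) ---
# The group name and pattern are placeholders; 'Do Not Forward' is the built-in template.
Get-RMSTemplate                                   # confirm templates are reachable from Exchange
New-TransportRule -Name 'Protect R&D design notes' `
    -FromMemberOf 'RnD-Department@contoso.com' `
    -SubjectOrBodyMatchesPatterns 'DESIGN-\d{4}' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# --- OWA: scope the in-browser feature to a pilot set of users at mailbox policy level ---
Set-OwaMailboxPolicy -Identity 'IRM-Pilot' -IRMEnabled $true   # 'IRM-Pilot' is an assumed policy name
Set-CASMailbox -Identity 'alice@contoso.com' -OwaMailboxPolicy 'IRM-Pilot'

# --- Verify end to end (certificate bootstrap, licensing, template retrieval) ---
Test-IRMConfiguration -Sender 'alice@contoso.com'
Get-TransportRule 'Protect R&D design notes' | Format-List Conditions, Actions
```

Leaving TransportDecryptionSetting at Optional instead of Mandatory lets messages the agent cannot decrypt through unscanned, which defeats the anti-malware scenario in this section.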
Exchange Transport Decryption and Re-Encryption

Exchange 2010 RMS Integration
Exchange RMS integration features require AD RMS Server Role in WS2008 R2 or WS2008 SP2 + KB973247 hotfix
AD RMS Bulk Protection Tool
Customer Ask

AD RMS Bulk Protection Tool
Details
• Command line tool
• Bulk decryption: E-Discovery of content for litigation/audit purposes
• Bulk encryption: Safeguard existing sensitive information
• Can be integrated with WS2008 R2 File Classification Infrastructure (FCI) to classify and automatically RMS-protect files on the file server

AD RMS Bulk Protection Tool
Details
• Supported file formats
  • Office 2003 and above (Word, Excel, PowerPoint)
  • XPS
  • Extensible to other file formats via IRM protector implementation
• Bulk decryption also available for items within Outlook PSTs (requires Outlook 2007)
• Supported on XP/WS2003 and above
• Requires RMS Client v1 SP2 and .NET Framework 2.0 on XP and WS2003
AD RMS Bulk Protection Tool With WS2008 R2 FCI
(Diagram: a Windows Server 2008 R2 file server running FCI (Classify) and the AD RMS Bulk Protection Tool (Protect); management task: Full Time Employee can access “marketing.docx”.)
1. User creates a file “marketing.docx” on a Windows Server 2008 R2 file server
2. File Classification Infrastructure (FCI) classifies the file as sensitive based on content analysis (keyword/RegEx) and/or folder location (e.g., Business Impact = High)
3. Automated File Management Task invokes the AD RMS Bulk Protection Tool to automatically RMS-protect the file (restrict access to Full-Time Employees only)
4. A Full Time Employee can access “marketing.docx”
5. A malicious user getting access to the file through an unintentional leak is not able to access file content
AD RMS Bulk Protection Tool with WS2008 R2 FCI
Partner Solution: RSA DLP
Automatic Protection For Datacenters and Endpoints
• Integrated solution to discover and automatically RMS-protect sensitive data on endpoints and in the datacenter
• Requirements
  • RSA DLP 6.5 and above (RSA DLP Datacenter and RSA DLP Endpoint Discover products)
  • AD RMS Server Role in WS2008 and above

Partner Solution: RSA DLP
How The Integration Works
1. AD RMS admin creates AD RMS templates for data protection (example “Intellectual Property (IP)” template: R&D Department – View, Edit, Print; Marketing Department – View; Others – No Access)
2. RSA DLP admin selects/creates policies to find sensitive data and protect it using AD RMS (example policy: Find ‘IP’ documents, Apply ‘IP’ AD RMS template)
3. RSA DLP discovers and classifies sensitive files, and applies AD RMS protection based on policy (Endpoints: Laptops/Desktops; File Shares; SharePoint; Others)
4. Users request files. AD RMS provides identity-based access (R&D department, Marketing department, Others)