Agenda
• Information leakage problem demos
• AD RMS history
• What's new in CY09
• AD RMS server role in Windows Server 2008 R2
• Exchange 2010 integration
• AD RMS Bulk Protection Tool
• RSA DLP 6.5+ integration
• Q&A
Business Ready Security
Help securely enable business by managing risk and empowering people (identity).
From Block to Enable; from Cost to Value; from Siloed to Seamless.
The Information Workplace
Information leaves the organization: home, USB drives, mobile devices, independent consultants, partners.

Location-Based Solutions Protect Initial Access… But Do Not Protect Usage
(Diagram: a firewall perimeter and an access-control-list perimeter separate authorized users from unauthorized users. Once an authorized user has a copy of the content, nothing in either perimeter stops information leakage to unauthorized users outside them.)
AD RMS Is a Content-Based Solution
Protects the information itself, no matter how it is shared and where it goes: the policy travels with the content.

Active Directory Rights Management Services = Persistent Encryption + Policy
• Access Permissions (Who)
• Use Right Permissions (What)
AD RMS Workflow: Publishing and Consumption
(Diagram, steps 1–6: the author's RMS client, holding a Rights Account Certificate (RAC) and Client Licensor Certificate (CLC), produces a Publishing License (PL) bound to the content; the recipient's client, holding its own RAC and CLC, presents the PL to the AD RMS server and receives a Use License (UL).)
Windows Server 2003
• Out-of-band installer for RMS Server (v1, v1 SP1, v1 SP2)
• RMS trust: TUD (trusted user domains), WLID (Windows Live ID)

Windows Server 2008
• AD RMS server role (v2)
• AD RMS Trust
• AD FS federation support
• Improved installation and management
• AD RMS template distribution (Vista SP1 and above)
• Admin reports
• Different admin roles

Windows Server 2008 R2
• AD RMS server role (v3)
• AD RMS Trust
• Publishing org (internal) group support for federated users
• Improved installation and management through PowerShell
• Additional admin reports
* Each consecutive release on this slide includes features from the prior release
AD RMS Server Role in WS2008 R2
Customer Ask #1: Deployment and Administration
PowerShell support for deployment and administration
• Deployment cmdlets available out of the box
• Admin cmdlets available after the AD RMS server role has been deployed
• Additional admin reports (system health)
AD RMS Administration
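As an added example (not from the deck), the following script shows the two halves the slide describes: an unattended root-cluster deployment with the ADRMS module, then post-deployment administration with the ADRMSAdmin module, including the super-user setting that the Exchange integration later depends on. The host name adrms.contoso.com, the group address and the OU paths are placeholders; the item paths and property names follow the ADRMSInstall and ADRMSAdmin providers as documented for Windows Server 2008 R2, and the two lines flagged as assumptions should be checked against the provider before use.

```powershell
# Added example, not the deck's own content. Placeholders: adrms.contoso.com,
# adrms-superusers@contoso.com, the service account prompted for below.

# --- Deployment (cmdlets available out of the box) ---
Import-Module ADRMS
New-PSDrive -PSProvider ADRMSInstall -Name RC -Root RootCluster

# Configuration database: Windows Internal Database is fine for a lab; use SQL Server in production.
Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true

# Cluster key: centrally managed and protected by a password. Assumption: the
# ClusterKey item exposes UseCentrallyManaged and CentrallyManagedPassword.
$clusterKeyPassword = Read-Host -AsSecureString 'Cluster key password'
Set-ItemProperty -Path RC:\ClusterKey -Name UseCentrallyManaged -Value $true
Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value $clusterKeyPassword

# Service account the AD RMS application pool runs as. Assumption: it is set as
# the ServiceAccount property of the root item.
$serviceAccount = Get-Credential -Message 'AD RMS service account (CONTOSO\svc-adrms)'
Set-ItemProperty -Path RC:\ -Name ServiceAccount -Value $serviceAccount

# Web site and cluster URL. Use HTTPS: licensing traffic carries RACs and use licenses.
Set-ItemProperty -Path RC:\ClusterWebSite -Name WebSiteName -Value 'Default Web Site'
Set-ItemProperty -Path RC:\ClusterURL -Name InternalUrl -Value 'https://adrms.contoso.com'

# Register the Service Connection Point so clients find the cluster through AD.
Set-ItemProperty -Path RC:\SCP -Name RegisterSCP -Value $true

Install-ADRMS -Path RC:\ -Force

# --- Administration (cmdlets available once the role is deployed) ---
Import-Module ADRMSAdmin
New-PSDrive -PSProvider ADRMSAdmin -Name RmsAdmin -Root 'https://adrms.contoso.com' -Force

# Super users can obtain a use license for anything this cluster protected.
# Exchange transport, journal and OWA decryption rely on this group, so keep it
# small, mail-enabled, and audited.
Set-ItemProperty -Path RmsAdmin:\SecurityPolicy\SuperUser -Name SuperUserGroup -Value 'adrms-superusers@contoso.com'
Set-ItemProperty -Path RmsAdmin:\SecurityPolicy\SuperUser -Name IsEnabled -Value $true

# Review what is now in effect: super-user setting and the rights policy templates.
Get-ItemProperty -Path RmsAdmin:\SecurityPolicy\SuperUser
Get-ChildItem -Path RmsAdmin:\RightsPolicyTemplate
```

Run the deployment half on the server that will host the root cluster as a local administrator; the administration half works from any machine with the module once the cluster answers on the URL given to New-PSDrive.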
AD RMS Server Role in WS2008 R2
Customer Ask #2: Secure Collaboration
• WS2008 introduced external federation support via AD FS, but external users had to be identified individually when protecting information.
• WS2008 R2 supports protecting to publishing org (internal) groups that include external users, so there is no need to identify external users individually.
External Collaboration via ADFS
(Diagram: Alice in Contoso AD with her RAC and CLC; Bob in Fabrikam AD; the AD FS resource partner (FS-R) with its WebSSO agent at Contoso, the account partner (FS-A) at Fabrikam; the RMS server issuing Bob's RAC, CLC and UL against the PL.)
1. Assume the author is already bootstrapped.
2. Alice sends protected mail to projectX@contoso.com, of which Bob at Fabrikam is a member.
3. The recipient contacts the RMS server to get bootstrapped.
4. The WebSSO agent intercepts the request.
5. The RMS client is redirected to FS-R for home realm discovery.
6. The RMS client is redirected to FS-A for authentication.
7. The RMS client is redirected back to FS-R for authentication.
8. The RMS client makes a request to the RMS server for bootstrapping.
9. The RMS server returns certificates to the recipient.
10. The RMS client makes a request to the RMS server for a use license.
11. The RMS server retrieves Bob's group membership from AD and compares it to the PL.
12. The RMS server returns the use license to the recipient.
13. The recipient accesses the protected content.
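Step 11 only works if the federated user is a member of the internal group the content was protected to. As an added example (not from the deck), this script builds that publishing-org group in Contoso's AD: a mail-enabled group projectX@contoso.com with a contact object standing in for Bob, whose mail attribute must equal the address FS-A asserts for him. Group, OU and address names are placeholders; the cmdlets are from the ActiveDirectory module shipped with Windows Server 2008 R2.

```powershell
# Added example, not the deck's own content. Placeholders: OU paths, projectX,
# bob@fabrikam.com.
Import-Module ActiveDirectory

$groupOU   = 'OU=Groups,DC=contoso,DC=com'
$contactOU = 'OU=External Contacts,DC=contoso,DC=com'

# AD RMS matches the address in the publishing license against the group's mail
# attribute, so the group must be mail-enabled.
New-ADGroup -Name 'projectX' -SamAccountName 'projectX' -GroupCategory Distribution `
    -GroupScope Universal -Path $groupOU -OtherAttributes @{ mail = 'projectX@contoso.com' }

# Bob has no account in contoso.com; a contact carrying his federated e-mail
# address represents him. That address must match the claim FS-A issues for him.
New-ADObject -Name 'Bob (Fabrikam)' -Type contact -Path $contactOU `
    -OtherAttributes @{ mail = 'bob@fabrikam.com' }

# Add-ADGroupMember only accepts security principals (users, groups, computers),
# so a contact is added by writing the group's member attribute directly.
$bob = Get-ADObject -Filter "objectClass -eq 'contact' -and mail -eq 'bob@fabrikam.com'"
Set-ADGroup -Identity 'projectX' -Add @{ member = $bob.DistinguishedName }

# Verify what the RMS server will see in step 11: members and the addresses it
# compares with the PL. Anything without a mail attribute will never be licensed.
function Get-ProjectXMembers {
    Get-ADGroup -Identity 'projectX' -Properties member, mail |
        Select-Object -ExpandProperty member |
        ForEach-Object { Get-ADObject -Identity $_ -Properties mail | Select-Object Name, mail }
}
Get-ProjectXMembers
```

Because membership is what grants the use license, treat the group's member attribute and the contacts' mail attributes as security-relevant: restrict who can write them and log changes.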
Exchange 2010 RMS Integration: Themes
Customer Ask #1: Streamline End-user Experience
• Prelicensing support enables offline and mobile access to RMS-protected e-mails (introduced in Exchange 2007 SP1)
• Consume and publish RMS-protected e-mails in OWA (Internet Explorer, Firefox, Safari)
• Conduct full-text search on RMS-protected e-mails in OWA
RMS-Protected E-mails in OWA
Streamline End-user Experience: RMS Integration in OWA: Details
• The Client Access Server (CAS) uses super-user privileges to decrypt the message.
• The prelicensed use license (UL) is used to determine which rights to enforce.
• Rights enforcement in a browser is best-effort once the CAS has decrypted the content, so this concern is mitigated by enabling the feature only for a specific set of users (at the OWA mailbox policy level).
Exchange 2010 RMS Integration
Customer Ask #2: Automatic Protection
• Automatically protect e-mails in transit via Exchange transport rules
• Automatically protect e-mails in Outlook 2010 (through an add-in)
• Automatically protect private voicemails through Exchange Unified Messaging (UM)
Automatic Protection: Through Transport Rules
Archive/Journal: Exchange Journal Decryption
Seamless IT Infrastructure Integration: Transport Pipeline Decryption
• Enables Hub Transport agents to scan/modify RMS-protected e-mails
• The Pipeline Decryption Agent uses super-user privileges to decrypt e-mails, including attachments
• The Encryption Agent re-encrypts messages
• Option to NDR messages that cannot be decrypted
• All AD RMS integration agents are implemented as internal agents
Exchange Transport Decryption and Re-Encryption
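As an added example (not from the deck), the Exchange Management Shell commands below turn on each integration point the slides list: internal licensing, OWA enabled per mailbox policy rather than for everyone, mandatory transport decryption with NDR for undecryptable mail, journal report decryption, and a transport rule plus an Outlook 2010 protection rule that apply a template automatically. Mailbox addresses and policy names are placeholders; "Do Not Forward" is the built-in template.

```powershell
# Added example, not the deck's own content. Placeholders: alice@contoso.com,
# projectX@contoso.com, the policy and rule names.

# License against the internal AD RMS cluster (found through its SCP).
Set-IRMConfiguration -InternalLicensingEnabled $true

# OWA: the CAS decrypts with super-user rights and the browser receives plaintext,
# so enable IRM only for a pilot policy and assign that policy deliberately.
Set-IRMConfiguration -ClientAccessServerEnabled $true
New-OwaMailboxPolicy -Name 'OWA-IRM-Pilot'
Set-OwaMailboxPolicy -Identity 'OWA-IRM-Pilot' -IRMEnabled $true
Set-CASMailbox -Identity 'alice@contoso.com' -OwaMailboxPolicy 'OWA-IRM-Pilot'

# Transport pipeline decryption. Mandatory NDRs any message the agent cannot
# decrypt; Optional would let it through unscanned. Journal report decryption
# gives the archive a clear-text copy alongside the protected original.
Set-IRMConfiguration -TransportDecryptionSetting Mandatory
Set-IRMConfiguration -JournalReportDecryptionEnabled $true

# Automatic protection in transit: a transport rule applying an RMS template.
New-TransportRule -Name 'Protect ProjectX mail' -SentTo 'projectX@contoso.com' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# Automatic protection at the client: an Outlook 2010 protection rule, pushed to
# users, that the user is not allowed to remove.
New-OutlookProtectionRule -Name 'ProjectX in Outlook' -SentTo 'projectX@contoso.com' `
    -ApplyRightsProtectionTemplate 'Do Not Forward' -UserCanOverride $false

# Prerequisite: the Federation mailbox is the identity Exchange uses for
# super-user decryption, so it must be a member of the AD RMS super users group.
Get-Mailbox -Arbitration | Where-Object { $_.Name -like 'FederatedEmail*' } |
    Select-Object Name, UserPrincipalName

# End-to-end check of licensing from this server for a given sender.
Test-IRMConfiguration -Sender 'alice@contoso.com'
```

Test-IRMConfiguration reports each step (RAC acquisition, prelicensing, super-user decryption) separately, which is the quickest way to tell a missing super-user membership from a broken SCP or certificate problem.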
AD RMS Bulk Protection Tool with WS2008 R2 FCI
1. A user creates a file "marketing.docx" on a Windows Server 2008 R2 file server.
2. File Classification Infrastructure (FCI) classifies the file as sensitive based on content analysis (keyword/RegEx) and/or folder location (e.g., Business Impact = High).
3. An automated File Management Task invokes the AD RMS Bulk Protection Tool to RMS-protect the file automatically (restricting access to Full-Time Employees only).
Result: a malicious user who gets access to the file through an unintentional leak is not able to access the file content.
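As an added example (not from the deck, and not FCI's own code), this script reproduces the decision in step 2 so the rules can be tested on sample files before they are trusted in production, and then makes the call a File Management Task would make in step 3. The share path, keyword patterns, template GUID and the bulk tool's location and command-line switches are placeholders and assumptions; check the tool's documentation for its real syntax. FCI reads Office files through IFilters, which this script does not do: it matches patterns against the raw bytes, so it is accurate for plain-text formats only.

```powershell
# Added example, not the deck's own content. Written for PowerShell 2.0 on WS2008 R2.
param(
    [string]$Root       = 'D:\Shares\Marketing',                              # placeholder share
    [string]$TemplateId = '{00000000-0000-0000-0000-000000000000}',           # placeholder "FTE only" template
    [string]$BulkTool   = 'C:\Program Files\RMS Bulk Protection Tool\RMSBulk.exe',  # assumed path
    [switch]$WhatIf
)

# Content rules (keyword/RegEx) and folder rules, the two FCI inputs the slide names.
$contentPatterns   = @('(?i)\bconfidential\b', '(?i)internal\s+use\s+only', '\b\d{3}-\d{2}-\d{4}\b')
$highImpactFolders = @('D:\Shares\Marketing\Launch')

function Get-BusinessImpact {
    param([System.IO.FileInfo]$File)
    foreach ($folder in $highImpactFolders) {
        if ($File.FullName.StartsWith($folder, [System.StringComparison]::OrdinalIgnoreCase)) { return 'High' }
    }
    # Raw-byte scan only; FCI would use the format's IFilter here.
    $text = [System.IO.File]::ReadAllText($File.FullName)
    foreach ($pattern in $contentPatterns) {
        if ($text -match $pattern) { return 'High' }
    }
    return 'Low'
}

function Protect-File {
    param([string]$Path)
    # Assumed syntax; the real switches come from the tool's documentation.
    & $BulkTool /encrypt $Path /template $TemplateId
    if ($LASTEXITCODE -ne 0) { Write-Warning "Bulk protection failed for $Path (exit $LASTEXITCODE)" }
}

# Walk the share (PowerShell 2.0 has no -File switch on Get-ChildItem).
Get-ChildItem -Path $Root -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    $impact = Get-BusinessImpact -File $_
    if ($impact -eq 'High') {
        if ($WhatIf) { Write-Host "Would protect: $($_.FullName)" }
        else         { Protect-File -Path $_.FullName }
    }
}
```

Run it with -WhatIf first: a regex that is too broad will protect files the template's audience cannot open, and unprotecting in bulk is a super-user operation you would rather not need.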
Partner Solution: RSA DLP
Automatic Protection for Datacenters and Endpoints
Integrated solution to discover and automatically RMS-protect sensitive data on endpoints and in the datacenter.
Requirements
• RSA DLP 6.5 and above (RSA DLP Datacenter and RSA DLP Endpoint Discover products)
• AD RMS Server Role in WS2008 and above
How the Integration Works
1. The AD RMS admin creates AD RMS templates for data protection, e.g. an Intellectual Property (IP) template:
   R&D Department: View, Edit, Print
   Marketing Department: View
   Others: No Access
3. RSA DLP discovers and classifies sensitive files in the datacenter and on endpoints (laptops/desktops), and applies AD RMS protection based on policy.