Introduction to Windows Server 2012 Dynamic Access Control

We constantly strive to reduce the steps required for you to get your job done.  One of the reasons Windows Server 2012 is a such great release is that we spent so much time listening to our customers and understanding their scenarios and concerns.  When development teams start from a technology/feature mindset, it can be hard to work across groups because helping another team usually means that you have to give up something you wanted to do.  We were able to achieve a very high level of technology integration and cross-group cooperation because we all shared a common understanding of our customers and their scenarios.  Teams were eager to help each other succeed in delivering those scenarios.  When you have lots of teams working together towards a common goal, you can really change the game and tackle some really hard problems.  Today’s blog is a good illustration of that.

Anyone that has been involved in securing data or accessing data security knows that the traditional security models and mechanisms are not always flexible enough to address today’s concerns and scenarios.  Whether it’s compliance requirements, increased business impact of disclosed data, or management of the sheer scale of data – it is clear that the capabilities provided by the current access control mechanism can be improved so that it is easier for administrators and users to address these challenges.  A number of teams worked together to deliver Windows Server 2012’s Dynamic Access Control.  I think you’ll find that it, like so many other things in Windows Server 2012, is just what you were asking for.

If you haven’t downloaded the beta yet, take some time to read this blog and watch some of the videos it points to and then schedule some time on your calendar to download the beta and try it out.

I’m very excited to introduce to you the new Dynamic Access Control feature set.

I’ll start with a brief introduction and insight into the planning process, discuss the new Central Access Policy model and describe the end-to-end File Server solution that we built into Windows Server 2012. I will also touch on how we enable an incremental deployment model so that you do not need to move your entire environment to Windows Server 2012 in order to use the feature set. I will touch on work with partners in this area, too.

You can find a Dynamic Access Control overview demo here.

Introduction

In today’s complex IT environments data is being created on distributed systems at a staggering rate and accessed through a plethora of devices. Compliance with regulatory standards and the need to secure leakage of business critical and personal data present major challenges for businesses and corporate IT. The key pillars for data compliance and leakage prevention are controlling who has access to information and having the ability to report who actually accessed specific information.

Not surprisingly, this was the exact situation that we observed when we started planning for Windows Server 2012 a few years ago. A few of the points that we repeatedly heard from customers during the planning period included:

• Centrally manage access to information based on business and compliance needs
• Access to information needs to be audited for compliance and analysis purpose
• Sensitive information should be protected wherever it goes
• Content owners should be responsible for their information – IT admins are not librarians
• Maintaining information worker productivity is key

We then looked at the different personas within an organization and how they participate in meeting the regulatory and business requirements for data compliance, in order to provide the right set of technologies and solutions that help address the data compliance challenge.

The range of personas involved starts with the CSO/CIO office that identifies the business and regulatory compliance needs. It continues with the IT administrators that manage the systems and the business owners that control the actual information. Last, the organization would like to keep the impact on the information worker to a minimum (ideally with no impact at all).

To help organizations reach their data compliance, we eventually focused on the following areas:

• Identify the information that needs to be managed to meet business and compliance requirements
• Apply appropriate access policies  to information
• Audit access to information
• Encrypt information

These focus areas were then translated to a set of Windows capabilities that enable data compliance in partner and Windows-based solutions.

• Add the ability to configure Central Access and Audit Policies in Active Directory. These policies are based on conditional expressions that take into account the following so that organizations can translate business requirements to efficient policy enforcement and considerably reduce the number of security groups needed for access control:

• Who the user is
• What device they are using, and
• What data is being accessed

• Integrate claims into Windows authentication (Kerberos) so that users and devices can be described not only by the security groups they belong to, but also by claims such as: “User is from the Finance department” and “User’s security clearance is High”
• Enhance the File Classification Infrastructure to allow business owners and users to identify (tag) their data so that IT administrators are able to target policies based on this tagging. This ability works in parallel with the ability of the File Classification Infrastructure to automatically classify files based on content or any other characteristics
• Integrate Rights Management Services to automatically protect (encrypt) sensitive information on servers so that even when the information leaves the server, it is still protected.

Central Access Policies

One can look at Central Access Policies as a safety net that an organization applies across its servers. These safety net policies enhance (but do not replace) the local access policy (e.g. Discretionary ACL) that is applied to the information. For example, if a local DACL on a file allows access to a specific user but a Central Policy restricts access to the same user, the user will not be able to get access to the file (and vice versa.)

The initiative to deploy and enforce a Central Access Policy may come for different reasons and from multiple levels of the organization:

• Compliance policy: This policy relates to compliance and business requirements and is targeted at protecting the right access to information that is being managed. For example: Allow only a specific group of people access to information that falls under the “US-EU Safe Harbor” regulation.
• Departmental authorization policy: Each department in an organization has some special data handling requirements that they would like to enforce. This is very common in distributed organization. For example: The finance department  wants to limit all access to finance information only to the finance employees.
• Need to know policy: This is a policy that ensures that access is allowed on a need-to-know basis. Examples include:

• Vendors should be able to access and edit only files that pertain to the project that they are working on.
• In financial institutions, information walls are important so that analysts do not access brokerage information and brokers do not access analysis information.

Central Audit Policies

Central Audit Policy is a powerful tool to help maintain the security of an enterprise. One of the key goals of security audits is regulatory compliance. Industry standards such as SOX, HIPPA, PCI, etc. require organizations to follow a strict set of rules related to information security and privacy.  Security audits help establish the presence (or absence) of such policies and thereby prove compliance (or non-compliance) with these standards. Additionally, security audits help detect anomalous behavior, identify and mitigate gaps in security policy and deter irresponsible behavior by creating a trail of user activity that you can use for forensic analysis.

Windows Server 2012 enables administrators to author audit policies using expressions that take into account what information users are accessing and who the user is so that an organization can target audit to specific information wherever it resides. This opens the doors to richer, more targeted and easy-to-manage audit policies. It enables scenarios that until now were either impossible or too difficult to enable. For example you can now easily author audit policies such as the ones listed below:

• Audit everyone who does not have a high security clearance and yet tries to access “high impact” information.
• Audit all vendors when they try to access documents related to projects that they are not working on.

This helps regulate the volume of audit events and limit them to only the most relevant information/users so that you can monitor access to information across multiple servers without generating an unmanageable volume of audit events.

In addition, the information tagging is recorded in the audit events so that event collection mechanism can provide contextual reports such as: Who accessed all the “high impact” information in the last three months.

The File Server solution

Based on this infrastructure we built a full end-to-end Windows-based solution for Windows Server 2012 Active Directory, Windows Server 2012 File Server and Windows 8 client. This solution allows you to:

• Identify data using automatic and manual classification of files.
• Control access to files across file servers by applying safety net Central Access Policies. For example, you can control who can access health information within the organization.
• Audit access to files on file servers by using Central Audit Policies for compliance reporting and forensic analysis. For example, you could identify who accessed highly sensitive information during the last three months.
• Encrypt data by automatically applying Rights Management Services (RMS) encryption for sensitive Microsoft Office documents. For example: you could configure RMS to encrypt all documents that contain Health Insurance Portability and Accountability Act (HIPAA) information.

In order to support deployment across multiple file servers in the organization, we are also providing the Data Classification Toolkit that enables configuration and reporting across multiple servers.
The current Beta for the Data Classification Toolkit is available for download here.

The concept of incremental deployment

One of the core design principles of Dynamic Access Control is incremental deployments. You can start using the feature set as soon as possible to solve targeted business problems for information access and audit.

You can use most of the Dynamic Access Control capabilities with the Windows Server 2012 File Server and an upgraded Active Directory domain schema. Adding a minimal number of Windows Server 2012 domain controllers will enable user claims and so on. Each part of the system that you upgrade provides you with more capabilities but it is up to you to set the pace.

Partner solutions

Partner solutions and line of business applications can further use the Windows infrastructure investments for Dynamic Access Control, providing great value for organizations that use Active Directory. A few examples of partner solutions that we have already demoed at the //build/ conference last year include:

• Data Leakage Prevention (DLP) integration for automatic content classification
• Central audit analysis
• Rights Management Services (RMS) authorization using Central Access Policies
• Many others…

We plan to show many additional partner integrated solutions in the upcoming TechEd US conference (Jun. 11-14, 2012) Twitter hashtag #MSTechEd

A few additional resources that you might find useful:

TechNet manual (Beta): http://technet.microsoft.com/en-us/library/hh831717.aspx

Data Classification Toolkit (Beta): https://connect.microsoft.com/site715

Hands on lab: http://technet.microsoft.com/en-us/windowsserver/hh968267.aspx (Using Dynamic Access Control to automatically and centrally secure data)

Dynamic Access Control at MMS 2012: https://channel9.msdn.com/posts/Dynamic-Access-Control-Demo-and-Interview