Kimmo Bergius Tietoturvajohtaja

Transcription

1 Kimmo Bergius Tietoturvajohtaja

2 Number of Digital IDs Trendejä Exponential Growth of IDs Identity and access management challenging Increasingly Sophisticated Malware Anti-malware alone is not sufficient B2E mobility B2C B2B Number of variants from over 7,000 malware families (1H07) Internet mainframe client/server Pre-1980s 1980s 1990s 2000s Crime On The Rise Source: Microsoft Security Intelligence Report (January June 2007) Attacks Getting More Sophisticated Traditional defenses are inadequate National Interest Personal Gain Personal Fame Curiosity Largest segment by $ spent on defense Largest area by $ lost Vandal Largest area by volume Thief Trespasser Author Spy Fastest growing segment User GUI Applications Drivers O/S Hardware Physical Examples Spyware Rootkits Application attacks Phishing/Social engineering Script-Kiddy Amateur Expert Specialist

3 Muutosta Tietojenkäsittely ja verkot kaikkialla Kaikki yhteydessä kaikkeen Useita identiteettejä Joustavuus kaikki kaikkialta Resurssien niukkuus Best of Need vs. Best of Breed Tehdäänkö itse vai ulkoistetaanko Compliance miten valvotaan? Uhat muuttuvat Motiivi cool to cash!

4 Viisi kehityskohdetta! Verkon resurssien suojaaminen Liikkuvan käyttäjän yhteydet Identiteetin hallinta Datan suojaaminen Varmenteet

5 Tuoteportfolio Secure the Platform Windows 7/Mobile/Server 2008 R2 Secure the Identity AD ja siihen liittyvät palvelut Secure the Data RMS, EFS, BitLocker Secure the Network NAP Secure the Wireless Server 2008 Secure the Edge ISA/IAG Secure the Communications Forefront Server, OCS, Exchange Secure the Desktops and Servers Forefront Client Security

6 Miksi tarvitaan identiteetin hallintaa? Monia eri paikkoja tallentaa käyttäjään liittyvää tietoa Hakemistot, HR-järjestelmät, tietokannat, jne Monia eri autentikointimenetelmiä Käyttäjätunnus-salasana, älykortit, tokenit, kerberos, jne Single-sign-on-tavoite toteutuuko? Monia eri tapoja käyttää tietoa Tietoturva Tietosuoja

7 Single-Sign-On AD:n käyttö myös muissa ympäristöissä Linux/Unix/Mac OSX Autentikointi Kokoonpanotietojen välitys Vaatii kolmannen osapuolen lisäkomponentteja Näennäinen SSO Hakemistojen integraatio esim. MIISin välityksellä Federaatio Aiemmin ADFS, tulevaisuudessa Geneva

8 Ratkaisuja Hakemistointegraatio Yksi (???) tunnistushakemisto, monia tietohakemistoja Prosessien ja tiedonsiirron parannus Organisaation sisäinen Hakemistofederaatio Sovitaan, sen jälkeen luotetaan Organisaation sisällä tai organisaatioiden välillä Myös Internet-palveluissa

9 Edelleen ongelmaksi jää Useiden autentikointimenetelmien toteuttaminen Sovelluskohtainen toteutus, monia menetelmiä, vaivalloista Autentikointi, sen jälkeen tietojen haku Jälleen sovelluskohtaista Onko tähän ratkaisua?

10 Tokens and Claims Representing identity on the wire A token is a set of bytes that expresses information about an identity This information consists of one or more claims Each claim contains some information about the entity to which this token applies Indicates who created this token and guards against changes Token Claim 1 Claim 2 Claim 3... Claim n Signature Example Claims Name Group Age

11 Acquiring and Using a Token 4) Use claims in token Identity Provider STS Application Identity Library 3) Verify token s signature and check whether this STS is trusted Token 2) Submit token List of Trusted STSs 1) Get token Token Browser or Client User

12 The "Geneva" Technologies Identity Providers ADFS 5) Use claims in token Application STS STS Token STS 1) Access application and learn token requirements Windows Identity Foundation 4) Submit token 3) Get token for selected identity Browser or Client Windows CardSpace Token 2) Select an identity that matches those requirements User

13 Using "Geneva" in an Enterprise Active Directory Domain Services 5) Find claims required by application and create token ADFS STS 6) Receive token 8) Use claims in token 7) Submit token Application Windows Identity Foundation 1) Login to domain and get Kerberos ticket 4) Present Kerberos ticket and request token for selected identity Token Token 2) Access application and learn token requirements Browser or Client 3) Select an identity that matches those requirements Windows CardSpace User

14 Identity Federation Organization X Active Directory Domain Services ADFS STS Organization Y STS Token 5) Use claims in token 3) Get token for selected identity 2) Select an identity that matches those requirements Browser or Client Windows CardSpace User 4) Submit token Token 1) Access application and learn token requirements Application Windows Identity Foundation Trusted STSs: -Organization Y -Organization X

15 Identity Federation (2) 3) Select an identity that matches those requirements Organization X Active Directory Domain Services Token for STS Y 4) Get token for Organization Y STS Windows CardSpace User ADFS STS Browser or Client 2) Access Organization Y STS and learn token requirements 5) Request token for application 6) Issue token for application 7) Submit token 1) Access application and learn token requirements Token for STS Y Token Token Organization Y STS Trusted STSs: -Organization X 8) Use claims in token Application Windows Identity Foundation Trusted STSs: -Organization Y

16 Home USB Drive Independent Consultant Mobile Devices The flow of information has no boundaries Information is shared, stored and accessed outside the control of its owner Host and network security controls aren t sufficient to solve this problem Partner Organization 16

17 Rights Management Services Persistent Protection Encryption + Policy: Access Permissions Use Right Permissions Provides identity-based protection for sensitive data Controls access to information across the information lifecycle Allows only authorized access based on trusted identity Secures transmission and storage of sensitive information wherever it goes policies embedded into the content; documents encrypted with 128 bit encryption Embeds digital usage policies (print, view, edit, expiration etc. ) in to the content to help prevent misuse after delivery

18 End User Scenarios Safeguard Sensitive Information with RMS Protect , documents, and Web content Secure s Outlook 2003/2007, Windows RMS Keep corporate off the Internet Prevent forwarding of confidential information Templates to centrally manage policies Secure Documents Office 2003/2007 (Word, PPT, Excel, & InfoPath) SharePoint Server 2007, Windows RMS Control access to sensitive info Set access level - view, change, print... Determine length of access Automatically apply usage policies to documents libraries Log and audit who has accessed docs Secure Intranets IE w/rma, Windows RMS Users without Office 2003 or later can view rights-protected files Enforces assigned rights: view, print, export, copy/paste & time-based expiration

19 How does RMS work? SQL Server Active Directory 1. Author receives a client licensor certificate the first time they rights-protect information RMS Server 2. Author defines a set of usage rights and rules for their file; Application creates a publishing license and encrypts the file 3. Author distributes file 2 Information Author The Recipient 4. Recipient clicks file to open, the application calls to the RMS server which validates the user and issues a use license 5. Application renders file and enforces rights

20 RMS Solution Components RMS Server Server Runs on Windows Server 2003 (Standard, Enterprise, Web or Datacenter Editions) or later Provides certification and licensing Active Directory directory service Windows Server 2000 or later Provides a well-known unique identifier for each user address property for each user must be populated Database Server Such as Microsoft SQL Server or MSDE Stores configuration data and use license requests RMS client software Client Windows Vista out-of-box Download for Windows XP An RMS-enabled application Required for creating or viewing rights-protected content Microsoft Office 2003 and 2007 Editions includes RMS-enabled applications Word, Excel, PowerPoint, Outlook and Infopath (2007) Office Professional 2003 or 2007 is required for creating or viewing rights-protected content Other Office 2003 or 2007 Editions allows users to view but not create rights-protected content. Rights Management Add-on (RMA) for Internet Explorer 6.0 or later Allows users to view rights-protected content in a browser Enables down-level viewing support for content protected by Office 2003 or 2007

21 What Microsoft and RSA Announced on December 4, 2008 Microsoft and RSA partnering with a Built-In systems approach to protect sensitive information throughout the infrastructure based on content, context, and identity Microsoft building RSA Data Loss Prevention (DLP) classification technology directly into the Microsoft platform and future information protection products RSA integrating Active Directory Rights Management Services (AD RMS) with RSA's DLP Suite Automate the application of AD RMS policies based on data sensitivity Leverage Active Directory (AD) Groups for identity or group aware data loss prevention Microsoft and RSA collaboration enables organizations to: Centrally define information security policy Automatically identify and classify sensitive data anywhere in the infrastructure Use a range of controls to protect data throughout the infrastructure

22 First Step - RSA DLP Suite integrating with Microsoft AD RMS in DLP 6.5 Release (Dec 2008) 1. RMS admin creates RMS templates for data protection Microsoft AD RMS Legal Department View, Edit, Print Outside law firm View Others No Access Legal Contracts RMS 2. RSA DLP admin designs policies to find sensitive data and protect it using RMS RSA DLP Find Legal Contracts Apply Legal Contracts RMS Contracts DLP Policy 3. RSA DLP discovers and classifies sensitive files 4. RSA DLP applies RMS controls based on policy Laptops/desktops Legal department 5. Users request files - RMS provides policy Outside law firm based access File shares SharePoint Others Automate the application of AD RMS protection based on sensitive information identified by RSA DLP Leverage AD Groups for identity or group aware data loss prevention

23 Long term Microsoft and RSA Building Information Protection into Infrastructure Add-on Policies RSA DLP Enterprise Manager Microsoft Information Protection Management RSA Microsoft Endpoint /UC Network Apps FS/CMS Storage Built-in DLP Classification and RMS Controls Microsoft Environment and Applications Complementary Platforms and functionality RSA DLP Endpoint RSA DLP Network RSA DLP Datacenter Common policies throughout infrastructure Built-in approach to protect data based on content, context, identity Future ready: Seamless upgrade path for current DLP customers

24