True Information Security only a click away for anyone"

“True Information Security only

a click away… for anyone"

Agenda

 Where the industry is going vis-à-vis information security (10m)

 By Tim Davies, Principal Program Manager Lead, Microsoft

 Best-practices for information classification and protection (10m)

 By Joe Stocker, Principal Consultant, Catapult Systems

 RightsWATCH for Individuals. Classification & Protection only a click away (15m)

 By Rui Melo Biscaia, Director of Product Management, Watchful Software

Some Quick Guidelines for the Webinar

 You are muted centrally. You don’t need to mute/unmute yourself

 This webinar is being recorded. The recording will be available tomorrow at

www.watchfulsoftware.com

 The Q&A session will be at the end

 You are welcomed to enter questions anytime, using the Questions feature in the

“Where the industry is going

vis-à-vis information security”

Industry trends

The traditional perimeter is rapidly eroding

IT needs continuous data protection that work across ‘classic ‘boundaries’

Consumerization of IT

Users need access, from any device

Externalization of IT

Applications are on-premises and in the cloud

More Data, Stored in More Places

Dispersed enterprise data needs protection

Social Enterprise

Our approach

Protect any file type

Delight with Office docs, PDF, Text, and Images.

Important applications and services are enlightened

Delight with Office docs, PDF, Text, and Images.

CSOs and Services can ‘reason over data’

Delegated access to data with bring-your-own-key

Protect in place, and in flight

Data is protected all the time

Share with anyone

B2B sharing is most important with

B2C on the rise

Meet the varied organizational needs

Protection enforced in the cloud, or on-premises; with

Information Protection – Microsoft Directions

 Strongly rooted in identity management using AD | Azure AD as the basis

 All about borderless networks and collaboration

 Recognized importance of customer choice of deployment topology  Renewed

investment for on-premises RMS

 Information protection integrated further across the Microsoft ecosystem:

 More O365 workload scenarios (OneDrive 4 Business, DLP with RMS, auditing and policy management)

 Enterprise mobile device management with RMS integration

 Broad end user reach in devices/applications (Office/iPad, Window v.Next, 3rd parties with CAD/CAM formats, Adobe, ....)

 Consistent policy and encryption key use extended into core Azure scenarios (customer provided keys used in datacenters as well as docs)

Peeking ahead…..

Q3 ‘14

• Mobile Device Extension for ADRMS 2012 GA • AD RMS migration to Azure RMS toolkit

• Simplified AD to Azure AD Directory Sync (Required properties 113 ~11) • (fun feature for end users….)

Q4 ‘14

• Document tracking + revocation Preview • Departmental Policy Templates

• RMG-NG Preview 1

Q1 ‘15

• Document tracking + revocation GA

• Policies extension ([email protected], *.* authenticated users) • Admin BI/reporting portal (Preview)

• RMG-NG Preview 2 (Azure AD collaboration)

Q2 ‘15

• Multi-factor authentication per document/policy

• Conditional access policies and claims (Workplace Joined, ….)

• Dynamic Policies (Confidential<MyWorkgroup>, Cross-org universal groups) • RMS-NG GA

“Best Practices for an

Information Control Policy”

Access Control Policy Overview

 Should answer the “who” and “how” is authorization for access granted to

systems and business applications.  User Access

 How will users be authenticated: Passwords, biometrics, or Multi-Factor?

 How is access and use monitored?

 Who is responsible for monitoring and reviewing access rights?

 Who is responsible for creating and removing accounts?

User Responsibilities

 How are users educated and made aware of the organization’s information

control policies overall?

 How are users to be educated and made aware of access responsibilities?

 What are users’ responsibilities for access and passwords?

 How will users comply with information control policies?

Best Practice: Separation of Duties

 The same person who creates accounts or assigns privileges should not be the same

person who monitors access to data.

 Privileged accounts should not have the ability to clear access logs.

 The person or system that monitors an event occurred should not be the same

person who is responsible for responding – they should notify only. Otherwise a conflict of interest can occur where over time they take less action.

 Classic Application Specific example: An accountant who creates a vendor in the system should not be the same person who can cut a check to the vendor (they or a friend could pose as that vendor).

 Classic IT example: Software developers accessing production systems

 Consider Role-Based Access Control (RBAC) to sensitive information – ensuring that

Best Practice: Principle of Least Privilege (POLP)

 An end-user should not have ‘full control’ to an entire file share. Instead:

 Information should be categorized,

 Custodians should be identified,

 Access and usage rights should only be granted with those who have a “need to know”

 An end-user should not have local administrator rights to their computer.

 Outsourced maintenance personnel should be restricted to the systems they are

working on.

 Email Administrators should have a helpdesk ticket documenting when they need

to grant themselves access to full access to a mailbox, and access should be removed when the ticket is closed.

 Many modern applications implement POLP through Role Based Access Control

Other Information Control Policy Considerations

 Industry specific

 Gov’t regulations

 Industry specific compliance, ex: EU Safe Harbor, PCI-DSS, ISO, HIPPA, etc

 Markings/disclaimers can help with liability, auditability & compliance

“RightsWATCH for Individuals.

Classification & Protection

only a click away ”

Presenter: Rui Melo Biscaia, Director of Product Management, Watchful Software

The RightsWATCH for Individuals promise

 Data Governance, Classification, Loss

Prevention and Protection in one single package;

 “Plug&Play” installation;

 Immediately begin classifying, tagging

and marking information;

 Encrypt and Protect information

to enhance compliance

to apply policies to decrease liability

to uphold policies

GOVERNANCE

CLASSIFICATION _PREVENTIONLOSS

RightsWATCH for Individuals User Experience

 Simple Standard Interface…

 for Zero learning curve & best-in-class User Experience;

 Industry Standard Information Security

Policy…

 To bring a world-class security model to anyone;

 Content & Context Aware rules built-in…

 For dynamic & policy driven classification;

 Azure RMS- ready

 for controlled access and usage rights over the information;

 Watermarking, Tagging & Marking

Industry Standard Information Security Policy

AZURE RMS CLASSIFICATION

DO NOT FORWARD

Prevents “Copy”, “Print”, “Export” from, and “Forward” an email message

PUBLIC

Default

No restrictions or markings

CONFIDENTIAL

Prevents “Copy”, “Print”, “Export”

Restricted to approved parties

INTERNAL

Triggered by keywords and PII

Footer applied. Metadata tagged

RW4I Information Security Policy

CLASSIFICATION

Default rule

Keywords: “Internal Use Only”; “Internal Information”; “Internal Data”

Metadata: “Category = Internal Use Only”; “Category = Internal Information”; “Category = Internal Information”

Email Subject line: “Internal”

File Size > 10MB

Keywords: "Restricted Access“; "Restricted Information“; "Restricted Data“; "Restricted Use Only“; "Do Not Disclose“

Metadata: “Category = Restricted Use Only; “Category = Restricted Information“; “Category = Restricted Data“

Regular Expressions: (1) US Social Security ; (1) Credit Card

Email Subject Line: "Restricted“; "Sensitive“; "Do Not

No Header, Footer nor Watermarks. Adds Metadata

Email Subject Line: [Classification: Internal]

Email Header: Yes

Office File Header: Internal Use Only

Alert: User is presented with an explanation

Email Subject Line: [Classification: Restricted]

Email Header: Yes

Office File Watermark: “Restricted Information”

Alert: User is presented with an explanation

Awareness: User allowed to change level

Disclaimer: User is asked to acknowledge changing

RULES MARKINGS

PUBLIC

INTERNAL

RW4I Information Security Policy

AZURE

Keywords: "Do Not Forward“

Keywords: "Company Confidential"

Keywords: "Company Confidential View Only"

Email Subject Line: [Protection: Do Not Forward]

Email Header: Yes

Metadata: Yes

Alert: User is presented with an explanation

Email Subject Line: [Protection: Confidential]

Email Header: Yes

Metadata: Yes

Office File Header: Confidential Use Only

Alert: User is presented with an explanation

Email Subject Line: [Protection: View Only]

Email Header: Yes

RULES MARKINGS

DO NOT FORWARD

CONFIDENTIAL

Pick the best #RightsWATCH for you

 Define a Multi-level Security Model

 Role-Based Access Control

 Watermarking & Fingerprinting

 Easy User Experience

 Content & Context Aware Policy Rules

 Apply RMS Access and Usage Rights

 PDF & “other” file types

 Smartphones & Tablets

 Exchange & SharePoint

 Centralized Admin Interface

3 minutes to World-Class Info Security!

Download

RightsWATCH for

Individuals

Enroll in Azure RMS

(for Individuals)

Have your sensitive

data tagged and

protected!

“Questions & Answers”

The recording of this webinar will be available tomorrow at www.watchfulsoftware.com