Protecting Sensitive Data Using Encryption Technologies

Protect Sensitive Data Using Encryption Technologies
Ravi Sankar
Technology Evangelist
Microsoft Corporation
http://ravisankar.spaces.live.com/blog

Where is the User Data Stored?
Q: Where is the biggest data exposure risk?
SQL

Clients
Documents – Where do users keep their documents?
User Profile – Outlook, Sharepoint, Desktop, Temp, IE
Per-machine Data – Search index, offline file cache, pagefile
Non-standard Locations – ISV & in-house apps

What are the data protection options?
BitLocker Drive Encryption
Encrypting File System
Rights Management Service
But don't forget
– Data backup
– Data minimizing
– Data classification

Each year, hundreds of thousands of computers without appropriate safeguards are lost, stolen, or improperly decommissioned around the world

BitLocker™ / EFS in Vista

Disk Layout & Key Storage
Where's the Encryption Key?
1. SRK (Storage Root Key) contained in TPM
2. SRK encrypts the VMK (Volume Master Key).
3. VMK encrypts FVEK (Full Volume Encryption Key) – used for the actual data encryption.
4. FVEK and VMK are stored encrypted on the Operating System Volume.
Operating System Volume
Contains: Encrypted OS, Encrypted Page File, Encrypted Temp Files, Encrypted Data, Encrypted Hibernation File
System Volume (1.5GB)
Contains: MBR, Boot Manager, Boot Utilities
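The SRK, VMK and FVEK chain on the slide above, as an added Python example that is not from the original deck and is not BitLocker code. It assumes a constructed Volume model, hypothetical seal/unseal helpers built on an HMAC-SHA256 stand-in cipher instead of AES, and an SRK passed in as bytes (a real TPM never releases it). It goes one step beyond the slide by re-wrapping the VMK under a new outer key, which leaves the encrypted data untouched.

```python
import hashlib, hmac, secrets

def _prf(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a stdlib stand-in cipher (NOT BitLocker's AES)
    blocks = (_prf(key, nonce + i.to_bytes(8, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key, plaintext):
    """Encrypt-then-MAC plaintext under key; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    """Reverse seal(); raises ValueError on a wrong key or a modified blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or tampered blob")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class Volume:
    """Constructed model of the slide's OS volume: wrapped keys plus encrypted data."""
    def __init__(self, srk, data):
        vmk, fvek = secrets.token_bytes(32), secrets.token_bytes(32)
        self.wrapped_vmk = seal(srk, vmk)      # step 2: SRK encrypts the VMK
        self.wrapped_fvek = seal(vmk, fvek)    # step 3: VMK encrypts the FVEK
        self.data = seal(fvek, data)           # FVEK does the actual data encryption
        # step 4: only the wrapped VMK and FVEK are kept on the volume

    def read(self, srk):
        # Unlock in slide order: SRK -> VMK -> FVEK -> data
        vmk = unseal(srk, self.wrapped_vmk)
        fvek = unseal(vmk, self.wrapped_fvek)
        return unseal(fvek, self.data)

    def rewrap(self, old_srk, new_srk):
        """Change the outer key: only the small VMK blob is rewritten, not the data."""
        self.wrapped_vmk = seal(new_srk, unseal(old_srk, self.wrapped_vmk))

if __name__ == "__main__":
    srk = secrets.token_bytes(32)              # stands in for the key held by the TPM
    vol = Volume(srk, b"constructed sample data")
    print(vol.read(srk))
```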

BDE Protection Methods
Factors: BDE Function and Remarks
TPM
  Transparently validates early boot components on OS startup
  Best ease of use
  Protects against HW-only attacks
  Vulnerable to some HW attacks
TPM PIN
  User must enter 4-20 digit PIN on OS startup
  BDE validates PIN and early boot components
  Protects against software-only and many hardware attacks
  Vulnerable to TPM breaking attacks
TPM Startup Key
  Looks for USB flash drive with Startup Key
  BDE validates saved key and early boot components
  Protects against many HW attacks
  Protects against TPM attacks
Startup Key
  Looks for USB with Startup Key
  BDE validates saved key
  Protects against many HW attacks
  Vulnerable to lost token and pre-OS attacks

BitLocker Scenario 1

BitLocker Scenario 2

BitLocker Scenario 3
Normal vs. BitLocker Decommission
Nothing
Reformat drive
Admin wipes drive
Delete keys

Encrypting File System
Encrypts each file
Requires NTFS
Smart card support for user/recovery key

Confidential information is leaked out by accidental forwarding of e-mails and other documents

Does your policy support enforcement?

End User Scenarios
Safeguard Sensitive Information with RMS
Protect e-mail, documents, and Web content
Secure Emails (Outlook 2003, Windows RMS)
  Keep corporate e-mail off the Internet
  Prevent forwarding of confidential information
  Templates to centrally manage policies
Secure Documents (Word 2003, PowerPoint 2003, Excel 2003, Windows RMS)
  Control access to sensitive info
  Set access level - view, change, print.
  Determine length of access
  Log and audit who has accessed rights-protected information
Secure Intranets (IE w/RMA, Windows RMS)
  Users without Office 2003 can view rights protected files
  Enforces assigned rights: view, print, export, copy/paste & time-based expiration

Federated Rights ration Trust
Resource Federation Server
Web SSO
Together AD FS and AD RMS enable users from different domains to securely share documents based on federated identities
AD RMS is fully claims aware and can interpret AD FS claims
Office SharePoint Server 2007 can be configured to accept federated identity claims

RMS does not protect against analog attacks

Windows Vista/Server 2008 Information Protection
Columns: Scenarios, BitLocker, EFS, RMS
Scenarios:
  Laptops
  Branch office server
  Local single-user file & folder protection
  Local multi-user file & folder protection
  Remote file & folder protection
  Untrusted network admin
  Remote document policy enforcement
Some cases can result in overlap. (e.g. Multi-user roaming laptops with untrusted network admins)
