Windows Server 2012 Dynamic Access Control – The power of “And…”

In this blog post, we would like to highlight the work we have done with Independent Software Vendor partners who are adopting key new features we’re delivering in Windows Server 2012. Robert Paige is a program manager in the Windows Server Partner and Customer Ecosystem Team who worked extensively with Independent Software Vendor Partners during the development of Windows Server 2012. He helped to facilitate engagements with many software vendors throughout our development cycle; companies delivering on security, anti-malware, management, virtualization, backup and storage solutions, and everything in between. Their solutions showcased our new technologies and the flexibility to extend and enhance complete end-to-end solutions for our mutual customers. In his series of blogs, he will highlight one of the many new features in this release, Dynamic Access Control.

--Natalia Mackevicius,

Principal Group Program Manager, STB Partner and Customer Ecosystem Team

TechEd North America 2012 had its 20th anniversary June 11-14 in Orlando, Florida. Those who arrived the day before were treated to an impressive thunderstorm to kick things off, estimated to have had 4000 lightning strikes in a period of 30 minutes. It wasn’t hard to simply point a camera into the sky and capture the electricity in the air as over 11,000 customers, partners, speakers, and staff arrived. The days ahead proved to be a very successful display of all the hard work we’ve done over the past few years on Windows Server 2012, SQL Server, System Center, Windows Azure and SQL Azure.







This is the first of the Partner Ecosystem Team series of blogs focused on a very exciting feature in Windows Server 2012, Dynamic Access Control. In it, we will showcase some partners who are doing innovative work in this scenario, adding to a robust ecosystem of products ready to support it. Dynamic Access Control is a set of Windows capabilities that enable data compliance in partner and Windows-based solutions:


  • Add the ability to configure Central Access and Audit Policies in Active Directory. These policies are based on conditional expressions that take into account who the user is, what device they are using, and what data is being accessed, so that organizations can translate business requirements into efficient policy enforcement and considerably reduce the number of security groups needed for access control. Siddharth Bhai, Program Manager in Active Directory, summed up the power of authoring security policies in Windows Server 2012 in his Deep Dive session on Day 2. He stressed the power of a simple word, “And”: policies that weren’t possible before are now enabled through ACE conditions that combine multiple groups with Boolean logic. This can effectively reduce security groups from thousands down to single digits, even in very large organizations. Prior to this innovation in Windows Server 2012, using only “or” groups contributed to group bloat and policies that were very difficult to manage.

  • Integrate claims into Windows authentication (Kerberos) so that users and devices can be described not only by the security groups they belong to, but also by claims such as “User is from the Finance department” and “User’s security clearance is High”.

  • Enhance the File Classification Infrastructure to allow business owners and users to identify (tag) their data so that IT administrators are able to target policies based on this tagging. This ability works in parallel with the ability of the File Classification Infrastructure to automatically classify files based on content or any other characteristics.

  • Integrate Rights Management Services to automatically protect (encrypt) sensitive information on servers so that even when the information leaves the server, it is still protected. In addition, we’ve simplified access auditing to a subset of information that contains more robust, contextual information and flexible reporting.

  • There is also a new feature that helps at runtime when a user is denied access to a resource: it makes it much easier for them to request permissions from the share owner, and gives the administrator a much simpler way to determine exactly why that user did not have the access permissions.
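The following script is an added example, not code from the original post or from Microsoft; it builds the “And” policy from the Finance scenario above with the Windows Server 2012 ActiveDirectory and FileServerResourceManager PowerShell modules. It assumes a domain whose domain controllers and file servers are claims-enabled through Group Policy, a hypothetical use of the `employeeType` user attribute to hold a clearance value, and made-up names such as “Sensitivity” and “Finance Data Policy”. It also assumes that the claim and resource property `ID` values returned by the cmdlets are the attribute references to use inside the SDDL conditional ACE, which is how the management console writes them.

```powershell
# Added example (not from the original post): one Central Access Policy whose
# single rule grants read access only when ALL of the following hold:
#   User.Department == "Finance"  AND  User.Clearance == "High"
#   AND the file carries the resource property Sensitivity == "High".
# Run on a domain controller (or a machine with RSAT) as a domain admin.
Import-Module ActiveDirectory

# 1. User claims sourced from AD attributes. They are issued inside the Kerberos
#    ticket once "KDC support for claims" is enabled by Group Policy.
#    ASSUMPTION: 'employeeType' is (hypothetically) repurposed to hold clearance.
$dept = New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -Enabled $true -PassThru
$clrHigh = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("High", "High", "High clearance")
$clrLow  = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Low",  "Low",  "Low clearance")
$clr = New-ADClaimType -DisplayName "Clearance" -SourceAttribute "employeeType" `
    -SuggestedValues $clrHigh, $clrLow -Enabled $true -PassThru

# 2. A secured resource property (made-up name "Sensitivity") that the File
#    Classification Infrastructure, or a data owner, stamps onto files.
$senHigh = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("High", "High", "High-impact data")
$senLow  = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Low",  "Low",  "Low-impact data")
$sens = New-ADResourceProperty -DisplayName "Sensitivity" -IsSecured $true `
    -ResourcePropertyValueType MS-DS-SinglevaluedChoice `
    -SuggestedValues $senHigh, $senLow -PassThru
# Make it visible to file servers via the default resource property list.
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members $sens

# 3. The "And" condition. Conditional ACEs (SDDL type XA) reference claims by
#    their ID, so the expression is built from the objects created above.
$userCondition = '(@USER.{0} == "Finance") && (@USER.{1} == "High")' -f $dept.ID, $clr.ID

# Owner, SYSTEM and Administrators keep Full Control; Authenticated Users (AU)
# get Read & Execute (0x1200a9) only when both claim conditions are true.
# Before DAC this needed a separate "Finance-AND-HighClearance" group per combination.
$currentAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(XA;;0x1200a9;;;AU;($userCondition))"

# The rule targets only files tagged Sensitivity == "High"; every other file
# keeps its ordinary NTFS permissions untouched.
$resourceCondition = '(@RESOURCE.{0} == "High")' -f $sens.ID
$rule = New-ADCentralAccessRule -Name "Finance High-Impact Data" `
    -ResourceCondition $resourceCondition `
    -CurrentAcl $currentAcl -ProposedAcl $null -PassThru

# 4. Bundle the rule into a policy. Group Policy (Computer Configuration >
#    Windows Settings > Security Settings > File System > Central Access Policy)
#    then publishes the policy to file servers, where it is applied to a folder
#    from the Central Policy tab of Advanced Security Settings.
New-ADCentralAccessPolicy -Name "Finance Data Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Data Policy" -Members $rule

# 5. On a file server: pull the new resource property into FSRM so it can be
#    used as a classification property, and confirm the policy definition.
Import-Module FileServerResourceManager
Update-FsrmClassificationPropertyDefinition
Get-ADCentralAccessPolicy -Identity "Finance Data Policy" | Select-Object Name, Members
```

The value of the example is the `&&` in `$userCondition`: a single ACE expresses the intersection of two attributes, so adding a third dimension (for instance a device claim via `@DEVICE.`) extends the expression rather than multiplying the number of groups. Because the rule is scoped by `-ResourceCondition`, a mis-tagged file fails safe to its existing NTFS ACL rather than being opened up, which is worth checking with Effective Access before the policy is pushed by GPO.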


Day 1, Dynamic Access Control Session Highlights (SIA207)

On Day One of the conference, Gunjan Jain joined Nir Ben-Zvi to show attendees the Data Classification Toolkit, which is designed to help reduce the cost and complexity of data compliance, and to help organizations consistently identify, classify, and protect data across multiple file servers. Nir Ben-Zvi gave an overview of Dynamic Access Control and showed five demonstrations of partner solutions by Websense, STEALTHbits Technologies, NextLabs, GigaTrust and RSA Security. The in-box capabilities of Windows Server 2012 do not require these solutions, but the partners were able to extend our technology into their products: ensuring automatic RMS encryption of non-Microsoft document formats, applying central policy to SharePoint servers, easing migration, and assisting in policy lifecycle management.

The first partner solution we demonstrated was Websense Data Loss Protection, a DLP solution built on the foundation of Websense data classification expertise, which allows organizations to accurately monitor, identify, classify, and ensure protection and proper use of sensitive information as it is being authored, without the need for manual intervention. It has hundreds of built-in classifiers, which extend FCI to also include proximity analysis and statistical analysis to assess the accuracy of the classification it provides, all helping to tag and enforce policies that are consistent with Dynamic Access Control. Our technology can then use the tags in conjunction with Central Access Policy to control file access.

The next partner solution was from STEALTHbits Technologies, which showed how integrating Dynamic Access Control’s expression-based conditional permissions into the StealthAudit Management Platform can help assess and plan a migration to the new capabilities, showing the impact of reducing the number of security groups, which solves a common problem in today’s enterprises. The solution provides simple analysis of a customer’s existing access permission model to help determine the most effective way to transform access control to use Windows Server 2012’s new condition-based permissions.

The third partner demonstration was provided by NextLabs, which highlighted their management interface for Dynamic Access Control’s Central Access Policy lifecycle management, compliance policy accelerators, and, most important, the ability to apply Dynamic Access Control to protect data on Microsoft SharePoint based on users’ classification of their documents with the Windows Server 2012 File Classification Infrastructure prior to putting them into SharePoint. On a Windows Server 2012 machine, access is governed by Central Access Policy. When the data is uploaded to SharePoint, the classification properties can be automatically maintained to retain the Dynamic Access Control policy. In this scenario, the document will not even be visible to a user who doesn’t have the correct permissions as established by the Windows Server 2012 central access policy. It is a very frequent customer ask to be able to apply the same central access policy on the Windows server and extend it automatically and consistently into Microsoft SharePoint; NextLabs makes the lifecycle management for this easy using the NextLabs Control Center Policy Manager, as they showed in their demonstration video.

Another demo by GigaTrust followed, which demonstrated extending Windows Server 2012’s ability to automatically encrypt sensitive information with Windows Rights Management based on document classification. They enhanced this technology in GigaTrust Protector for SharePoint by extending the ability to encrypt the information and apply central access policies to RMS. The encryption can be applied to a variety of additional document formats beyond Microsoft formats. The protection is persistent, both on the file server and in transit beyond the secure environment, ensuring that compliance policy established in Windows Server 2012 can be retained throughout the document lifecycle.

The last demonstration in the session was provided by RSA, The Security Division of EMC, which integrated the Windows Server 2012 expression-based auditing event enhancements into their RSA NetWitness product. This demonstration showed how RSA leveraged the improved audit events to give customers even more flexibility in forensic analysis of the richer metadata and contextual information in Windows Server 2012 audit logs. Analysis of a very large set of events by NetWitness helps administrators more easily extract only the data that is relevant to an investigation, speeding up the consumption of a large volume of events that are now more easily isolated thanks to the improvements in Windows Server 2012.

As you can see, Windows Server 2012 has made tremendous advancements in file classification, policy management, compliance enforcement, and simplicity for both the user and the administrator, for customers in small business environments as well as the largest of companies. Our Partner and Customer Ecosystem team ensured that the needs of customers were met by working with Independent Software Vendors to develop solutions that showcase and augment the exciting new capabilities of Windows Server 2012 Dynamic Access Control. In the coming weeks, we will go into deeper detail about the Dynamic Access Control improvements and highlight even more partners who provided demonstrations on Day 2 of TechEd 2012 (SIA341), including Titus, JiJi Technologies, CA and Axiomatics; additionally, we will highlight Dataglobal at TechEd Europe 2012, June 26-29 in Amsterdam.


The TechEd Sessions

· An Overview of Dynamic Access Control (Nir Ben-Zvi, Gunjan Jain)

· Dynamic Access Control Deep Dive (Siddharth Bhai, Matthias Wollnik)

· Dynamic Access Control Best Practices and Microsoft IT Case Studies

· Keeping your Data Safe, and Introduction to Information Protection Technology


Additional Resources

· TechNet manual (Beta):

· Data Classification Toolkit (Beta):

· Hands on lab: (Using Dynamic Access Control to automatically and centrally secure data)

· Dynamic Access Control at MMS 2012:

· Nir Ben-Zvi’s Introduction to Windows Server 2012 Dynamic Access Control blog

Thank you!

Robert Paige

Senior Program Manager, Partner and Customer Ecosystem Team

Windows Server and Cloud Division