Exchange Server 2010 Information Protection and Control

Ilse Van Criekinge
Technology Advisor, Microsoft BeLux
Session Code: UNC306

Content

• Introduction
• MailTips
• Transport Rules
• Moderation
• Information Rights Management
• Ethical Wall
• Search, Transport and Journal Report Decryption
• Session Takeaways

The High Cost of Data Leakage

“HR executive accidentally e-mails lay-off plan to entire organization.”

“A Wyoming bank sent an e-mail containing sensitive customer data to the wrong mail account, and now wants mail provider to reveal the identity of the account holder who received the data.”

“Public-relations firm faces PR nightmare after unintentionally e-mailing journalists about one of its clients.”

“Secret Service agent sends unencrypted e-mail revealing details of vice presidential tour.”

Information Protection and Control (IPC)

Exchange Server 2010 helps prevent the unauthorized transmission of sensitive information with tools that can automatically:

• MONITOR e-mail for specific content, recipients and other attributes
• CONTROL distribution with automated, granular policies
• PROTECT access to data wherever it travels using rights management

PREVENT
• Violations of corporate policy and best practices
• Non-compliance with government and industry regulations
• Loss of intellectual property and proprietary information
• High-profile leaks of private information and customer records
• Damage to corporate brand image and reputation

Benefits of Automated Controls

Reduce User Error
• Majority of data loss incidents are accidental
• Users forget policies or apply incorrect policy

Enable More Consistent Policy
• Automation facilitates rapid policy changes across the organization
• Critical for internal/external governance and compliance

Improve Efficiency
• Offload complex data policies from users
• Enable centralized policy creation, execution and management

Controls range from less restrictive to more restrictive:
• Apply the right level of control based on the sensitivity of the data
• Maximize control and minimize unnecessary user disruptions

Benefits of Granular Controls

• Alert: “Allow delivery but add a warning.”
• Append: “Allow delivery but add a disclaimer.”
• Protect: “Allow delivery but prevent forwarding.”
• Redirect: “Block delivery and redirect.”
• Review: “Block delivery until reviewed.”
• Block: “Do not deliver.”
• Modify: “Allow delivery but modify message.”
• Classify: “Allow delivery but apply classification.”


MailTips (control: Alert)
Alert users about potential risks

• Apply multiple alerts
• Create custom MailTips to prompt policy reminders
• Protect sensitive data from accidental distribution

MailTips - Architecture (control: Alert)

• Web service in Exchange 2010
• Supported by Outlook Web App and Microsoft Outlook 2010
• Triggered when the user:
  • Adds a recipient
  • Adds an attachment
  • Replies or replies to all
  • Opens a message, already addressed to recipients, from the Drafts folder

MailTips - Evaluation (control: Alert)

[Diagram: MailTips evaluation flow; only the step labels 1, 2, 3a, 3b, 3c and 4 survive in the transcript.]

MailTips - Offline Support (control: Alert)

Offline Address Book structure expanded to carry:
• Message delivery restrictions
• Custom MailTips
• Maximum receive size
• Moderation enabled
• Distribution Group - Total member count
• Distribution Group - External member count

Not available offline:
• Invalid internal recipient
• Mailbox full
• Automatic replies

MailTips - Limits (control: Alert)

Individual mailbox MailTips are not evaluated when:
• The message is sent to a distribution group (except the external recipient MailTip)
• The message is sent to more than 200 recipients

• Custom MailTips limited to 250 characters
• Time out = 10 seconds

MailTips – Group Metrics (control: Alert)

Used to support the MailTips:
• Large Audience
• External Recipients

• Generated on the same Mailbox server as the OAB
• Full Group Metrics data generation on Sunday
• Associated files:
  GroupMetrics-<date>T<time>.bin
  GroupMetrics-<servername>.xml
  ChangedGroups.txt

MailTips – Organizational Settings

Set-OrganizationConfig
    -MailTipsAllTipsEnabled
    -MailTipsLargeAudienceThreshold
    -MailTipsExternalRecipientsTipsEnabled
    -MailTipsMailboxSourcedTipsEnabled
    -MailTipsGroupMetricsEnabled

MailTips Demo
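The organizational settings slide only lists parameter names. The following is an added example, not part of the session deck, showing how those settings are applied from the Exchange 2010 Management Shell together with a custom MailTip on a distribution group. The group name "Legal-All", the MailTip text and the threshold value of 50 are assumptions for illustration; the cmdlets and parameters are the ones the slide names.

```powershell
# Added example (not from the session deck): organization-wide MailTips plus a
# custom policy-reminder MailTip. "Legal-All", the threshold 50 and the text are
# illustrative values.

# Organization-wide switches. The large-audience threshold (Exchange default 25)
# decides when the "large audience" tip fires; group metrics feed that tip and
# the external-recipient tip, so both must stay enabled for those alerts to work.
Set-OrganizationConfig `
    -MailTipsAllTipsEnabled $true `
    -MailTipsLargeAudienceThreshold 50 `
    -MailTipsExternalRecipientsTipsEnabled $true `
    -MailTipsMailboxSourcedTipsEnabled $true `
    -MailTipsGroupMetricsEnabled $true

# Custom MailTip (250-character limit, see the Limits slide) on a sensitive
# distribution group; Outlook 2010 and OWA show it before the user clicks Send.
Set-DistributionGroup -Identity "Legal-All" `
    -MailTip "This group reaches external counsel. Do not include client data unless the message is IRM protected."

# Verify what the organization and the group will advertise to clients.
Get-OrganizationConfig | Format-List MailTips*
Get-DistributionGroup -Identity "Legal-All" | Format-List Name, MailTip, MailTipTranslations
```

Custom MailTips and the organization settings are distributed through the Offline Address Book, so a change made here reaches cached-mode Outlook clients only after the next OAB generation and download.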


Transport Rules

Conditions, Exceptions and Actions

If the message...
  Is from a member of the group ‘Executives’
  And is sent to recipients that are 'Outside the organization'
  And contains the keyword ‘Merger’

Do the following...
  Redirect message to: [email protected]

Except if the message...
  Is sent to ‘[email protected]’

• Executed on the Hub Transport Server
• Structured like Inbox rules
• Apply to all messages sent inside and outside the organization
• Configured with simple GUI in Exchange Management Console

Easily enforce granular policies

Conditions: When the message contains…

• Specific Users: Detects mail between people, distribution lists
• Specific Content: Inspects subject, header and body for keywords, regular expressions
• Message Properties: Inspects message headers and properties or type
• Classifications: Scans for classifications such as Attorney-Client Privileged; can now also act on No Classifications
• Attachments: Scans size, name and content (Office documents)
• Message Types: IRM protected, auto-replies, calendaring, voice mail
• Supervision Lists: Allows/Blocks based on listed recipients
• Management Properties: Identifies manager and applies policy
• User Properties: Scans for user attributes (such as department, country)

Fine tune rules with detailed criteria

Actions: …do the following…

• Block: Blocks and deletes message and can send non-delivery report
• Classify: Applies classification such as attorney-client privilege
• Modify: Adds disclaimer to body or text to subject line
• Reroute: Adds additional recipients to Cc or Bcc line or redirects
• Append: Applies disclaimer per each user’s specific attributes
• Review: Enables review and approval of e-mail before delivery
• Protect: Applies rights protection to messages, attachments

Apply the appropriate level of control
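The Transport Rules slides show the Executives/Merger rule as it is built in the Exchange Management Console. The block below is an added example, not part of the deck, that creates the same rule (conditions, exception and redirect action) from the Exchange 2010 Management Shell and then lists the predicates and actions the Conditions and Actions slides describe by their friendly names. The group, mailbox and domain names (contoso.example, partner.example) are placeholders standing in for the addresses the deck redacts.

```powershell
# Added example (not from the session deck): the slide's redirect rule created
# from the Exchange 2010 Management Shell. Group, mailbox and domain names are
# placeholders for the addresses the deck redacts.

# Conditions are ANDed: sender is a member of Executives, at least one recipient
# is outside the organization, and "Merger" appears in subject or body.
# The exception exempts one trusted external address, as on the slide.
New-TransportRule -Name "Executives - merger mail leaving the organization" `
    -FromMemberOf "Executives@contoso.example" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "Merger" `
    -ExceptIfSentTo "counsel@partner.example" `
    -RedirectMessageTo "compliance-review@contoso.example" `
    -Priority 0 `
    -Enabled $true `
    -Comments "Redirect rather than block: the reviewer decides whether to release the message."

# The predicates (conditions/exceptions) and actions available to rules on this
# Hub Transport server; the two slides list them by friendly name, these are
# the shell names you use in New-TransportRule / Set-TransportRule.
Get-TransportRulePredicate | Format-Table Name
Get-TransportRuleAction | Format-Table Name

# Rules are evaluated in priority order on every message the Hub handles;
# confirm where the new rule landed relative to existing ones.
Get-TransportRule | Format-Table Priority, Name, State
```

Because the rule runs on the Hub Transport server it applies regardless of the sending client, which is what makes it a control rather than a reminder: the MailTips described earlier warn the sender, this rule enforces the outcome.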

Dynamic Signatures (control: Append)

• Signatures integrated with Active Directory attributes
• Option of basic text or HTML
• Automatically apply signatures per user attributes

Dynamic Signatures Demo
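The Dynamic Signatures slide states that signatures are driven by Active Directory attributes but does not show how. As an added example, not from the deck, the block below implements one as a Transport Rule disclaimer: Exchange 2010 substitutes %%Attribute%% tokens in the disclaimer text with the sending user's AD attributes when the rule fires. The rule name, the "Sales-Staff" group and the HTML layout are illustrative choices.

```powershell
# Added example (not from the session deck): a dynamic signature implemented as
# a Transport Rule HTML disclaimer. %%DisplayName%%, %%Title%% etc. are replaced
# per sender from Active Directory at delivery time. Group name and layout are
# illustrative.

$signature = @"
<br/><hr/>
<div style="font-family:Arial;font-size:10pt">
<b>%%DisplayName%%</b><br/>
%%Title%%, %%Department%%<br/>
%%Company%% | Tel. %%PhoneNumber%%<br/>
</div>
"@

# Append the signature to mail that members of Sales send outside the organization.
New-TransportRule -Name "Signature - Sales (external mail)" `
    -FromMemberOf "Sales-Staff@contoso.example" `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText $signature `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Enabled $true

# The fallback action decides what happens when the body cannot be modified
# (for example an S/MIME-signed message): Wrap places the original message
# inside a new one that carries the disclaimer, Ignore delivers it unchanged,
# Reject returns an NDR to the sender.
Get-TransportRule -Identity "Signature - Sales (external mail)" |
    Format-List ApplyHtmlDisclaimerLocation, ApplyHtmlDisclaimerFallbackAction
```

A sender whose AD record lacks one of the referenced attributes gets an empty substitution, so keeping the directory attributes populated is part of the configuration, not an afterthought.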


Moderation (control: Review)

• Moderate based on sender, DL, content
• Approve or Reject with option to send response
• Moderator can be a specific user or sender’s manager

Enable review and approval of e-mail before delivery

Moderated Transport Message Flow

[Diagram: moderated transport message flow; only the step labels 1, 2, 3, 4, 5, 6a and 6b survive in the transcript.]

Moderated Transport (control: Review)

• Relies on the Exchange 2010 Approval Framework
• Handles multiple moderated recipients
• Bypassing moderation:
  • Moderators bypass moderation
  • Owners of distribution groups and dynamic distribution groups do not bypass by default
• Previous versions of Exchange don’t support moderated recipients: designate an Exchange 2010 Hub Transport server as expansion server

Moderated Transport Demo
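The moderation slides describe three things: moderation by recipient (a moderated distribution group with bypass), moderation by content with the sender's manager as moderator, and pinning group expansion to an Exchange 2010 Hub Transport server for coexistence with earlier versions. The block below is an added example, not from the deck, that configures all three from the Management Shell. The group, address and server names are placeholders.

```powershell
# Added example (not from the session deck): the three moderation patterns from
# the slides. Group, user and server names are placeholders.

# 1. Moderated distribution group: every message to the group is held for the
#    moderators. Members listed in BypassModerationFromSendersOrMembers post
#    without review; moderators themselves bypass implicitly, group owners do not.
Set-DistributionGroup -Identity "All-Employees@contoso.example" `
    -ModerationEnabled $true `
    -ModeratedBy "hr-comms@contoso.example", "legal-comms@contoso.example" `
    -BypassModerationFromSendersOrMembers "Security-Team@contoso.example" `
    -SendModerationNotifications Always

# 2. Content-based moderation through a Transport Rule: external mail that
#    mentions the merger is held for the sender's manager (read from AD).
New-TransportRule -Name "Moderate - merger keyword, external recipients" `
    -SubjectOrBodyContainsWords "Merger" `
    -SentToScope NotInOrganization `
    -ModerateMessageByManager $true `
    -Enabled $true

# 3. Coexistence: Hub Transport servers from earlier Exchange versions cannot
#    expand a moderated group, so force expansion onto a 2010 Hub.
Set-DistributionGroup -Identity "All-Employees@contoso.example" `
    -ExpansionServer "EX2010HUB01"   # placeholder server name

# Check the resulting configuration.
Get-DistributionGroup -Identity "All-Employees@contoso.example" |
    Format-List ModerationEnabled, ModeratedBy, BypassModerationFromSendersOrMembers,
                SendModerationNotifications, ExpansionServer
```

A rule that moderates by manager silently delivers nothing useful for senders without a manager attribute in AD; check that attribute for the population the rule targets before enabling it.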


Information Rights Management (control: Protect)

Persistent protection
• Protects your sensitive information no matter where it is sent
• Usage rights locked within the document itself
• Protects online and offline, inside and outside of the firewall

Granular control
• Users apply IRM protection directly within an e-mail
• Organizations can create custom usage policy templates such as "Confidential—Read Only"
• Limit file access to only authorized users

Information Rights Management (IRM) provides persistent protection to control who can access, forward, print, or copy sensitive data within an e-mail.

Granular protection that travels with the data

IRM – S/MIME Signing/Encryption

Feature                                                                        RMS   S/MIME Signing   S/MIME Encryption
Verifies identity of publisher                                                 No    Yes              No
Differentiates permissions by user                                             Yes   No               No
Prevents unauthorized viewing                                                  Yes   No               Yes
Encrypts protected content                                                     Yes   No               Yes
Offers content expiration                                                      Yes   No               Yes
Controls content reading, forwarding, saving, modifying, or printing by user   Yes   No               No
Extends protection beyond initial publication location                         Yes   Yes              Yes

Transport Protection Rules (control: Protect)

• IRM protection can be triggered based on sender, recipient, content and other conditions
• Office 2003, 2007, and 2010 attachments also protected

Apply RMS policies automatically using Transport Rules
Apply “Do Not Forward” or custom RMS templates
Automatically apply IRM

Outlook Protection Rules (control: Protect)
Provide users more IRM protection options

• IRM protection can still be applied manually
• User can be granted option to turn off rule for non-sensitive e-mail
• Adding recipient or distribution list can trigger IRM protection automatically before sending

Protection Rules Demo
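The two protection-rule slides describe a server-side rule (applied on the Hub Transport server) and a client-side rule (pushed to Outlook 2010, with an optional user override). As an added example, not part of the deck, the block below creates one of each from the Exchange 2010 Management Shell using the built-in "Do Not Forward" template the slide names. The group addresses and rule names are placeholders; the example assumes AD RMS is already reachable and internal licensing is enabled.

```powershell
# Added example (not from the session deck): a Transport Protection Rule and an
# Outlook Protection Rule. Group/domain names are placeholders; "Do Not Forward"
# is the built-in AD RMS template named on the slide.

# Templates visible to Exchange (needs the AD RMS cluster reachable and
# InternalLicensingEnabled on the IRM configuration).
Get-RMSTemplate | Format-Table Name, Description

# Transport Protection Rule: IRM is applied on the Hub, so it also covers mail
# from clients that cannot apply IRM themselves. Office attachments
# (2003/2007/2010 formats) are protected together with the message.
New-TransportRule -Name "IRM - board mail stays internal" `
    -FromMemberOf "Board@contoso.example" `
    -SubjectOrBodyContainsWords "Board pack", "Merger" `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Enabled $true

# Outlook Protection Rule: Outlook 2010 downloads it and protects the message
# before it leaves the client, as soon as the matching recipient is added.
# UserCanOverride lets the sender switch the rule off for non-sensitive mail.
New-OutlookProtectionRule -Name "IRM - mail to HR Confidential" `
    -SentTo "HR-Confidential@contoso.example" `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -UserCanOverride $true `
    -Enabled $true

# Review both kinds of rule.
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, ApplyRightsProtectionTemplate
Get-OutlookProtectionRule | Format-Table Name, SentTo, UserCanOverride, Enabled
```

The two rule types complement each other: the Outlook rule protects the message on the client, so it is already encrypted in the sender's Sent Items and in transit to the Hub, while the transport rule catches whatever the client did not protect.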

IRM in Outlook Web App (control: Protect)

• Native support for IRM in OWA eliminates need for Internet Explorer Rights Management add-on
• Access to standard and custom RMS templates
• Read and reply to protected messages
• Cross-browser support enables Firefox and Safari users to create and consume IRM-protected messages
• Office documents also protected

Protected Voice Mail (control: Protect)
Prevent forwarding of voice mail

• Integration with AD RMS and Exchange Unified Messaging
• Permissions designated by sender (by marking the message as private) or by administrative policy


Ethical Wall (control: Control)

Zone of non-communication between distinct departments of a business or organization to prevent conflicts of interest that might result in the inappropriate release of sensitive information

Configurable using EMC or EMS

Ethical Wall Demo
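The Ethical Wall slide defines the concept and says it is configurable from the EMC or EMS, but shows no configuration. The block below is an added example, not part of the deck, that builds a wall between two departments as a single Transport Rule using the "between members of" predicate, which is symmetric and so blocks both directions. The group names, the compliance exception address and the rejection text are placeholders.

```powershell
# Added example (not from the session deck): an ethical wall between two
# departments as one Transport Rule. Group names, the exception address and the
# reject text are placeholders.

# BetweenMemberOf1/2 matches mail in either direction between the two groups,
# so one rule covers both. The rejection NDR tells the sender why, and the
# 5.7.1 enhanced status code marks it as a policy rejection.
New-TransportRule -Name "Ethical wall - Brokerage / Research" `
    -BetweenMemberOf1 "Brokers@contoso.example" `
    -BetweenMemberOf2 "Research-Analysts@contoso.example" `
    -ExceptIfFrom "compliance@contoso.example" `
    -RejectMessageReasonText "Direct e-mail between Brokerage and Research is not permitted. Contact Compliance." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Enabled $true

# Because the rule runs on the Hub Transport server it applies to every client
# (Outlook, OWA, mobile) and to messages sent to distribution groups that
# expand to members on the other side of the wall.
Get-TransportRule -Identity "Ethical wall - Brokerage / Research" |
    Format-List BetweenMemberOf1, BetweenMemberOf2, ExceptIfFrom, RejectMessageReasonText
```

Group membership is the wall's only boundary, so the groups used here need the same change control as the rule itself: adding a user to the wrong group opens the wall for that user without any change to the rule.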


IRM Search (control: Protect)

• Multi-mailbox search includes option to search IRM-protected items
• Conduct full-text search of IRM-protected mail and attachments in Outlook (online) and OWA

Index and search protected items

Journal Report Decryption (Archive/Journal)

Journal Report Decryption Agent
• Attaches clear-text copies of RMS protected messages and attachments to journal mailbox
• Requires super-user privileges, off by default
• Requires Premium Journaling

Transport Pipeline Decryption (control: Protect)

Enables Hub Transport agents to scan/modify:
• messages IRM-protected by the user in OWA
• messages IRM-protected by the user in Outlook 2010
• messages IRM-protected automatically by Outlook Protection Rules in Outlook 2010

Messages protected in-transit using Transport Protection Rules are not required to be decrypted by the Decryption agent

Transport Pipeline Decryption

• Pipeline Decryption Agent uses Super-User privileges to decrypt; decrypts message and attachments protected with the same Publishing License
• Option to NDR messages that can’t be decrypted
• Low performance impact: message decrypted at the 1st Hub of each forest
• Agents not prevented from copying decrypted content

Configuring IRM - Exchange

To enable Transport Decryption, Journal Report Decryption, IRM in OWA and IRM for Search: add the Federated Delivery Mailbox (system mailbox created by Exchange 2010 setup) to the SuperUsers group on the AD RMS cluster

IRM Decryption - Journaling Demo
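The configuration slide names the one prerequisite (the Federated Delivery Mailbox in the AD RMS super-users group) but not the Exchange-side switches for the four features it lists. The block below is an added example, not part of the deck, that locates that mailbox, enables transport decryption, journal report decryption, IRM in OWA and IRM search from the Exchange 2010 Management Shell, adds a journal rule for the decrypted copies, and runs the built-in end-to-end test. The super-users group membership itself is set on the AD RMS cluster and is not shown. Group, journal and user addresses are placeholders.

```powershell
# Added example (not from the session deck): enabling the IRM features listed on
# the "Configuring IRM - Exchange" slide. Group, journal and user addresses are
# placeholders. Adding the mailbox to the AD RMS super-users group is done on
# the AD RMS cluster and is not part of this script.

# 1. Find the Federated Delivery Mailbox that must be a member of the AD RMS
#    super-users group. It is an arbitration (system) mailbox created by setup.
Get-Mailbox -Arbitration | Where-Object { $_.Name -like "FederatedEmail*" } |
    Format-List Name, PrimarySmtpAddress

# 2. Exchange-side switches. TransportDecryptionSetting drives the pipeline
#    decryption agent: Optional decrypts when it can and delivers anyway,
#    Mandatory NDRs messages that cannot be decrypted (the option on the slide).
#    Journal report decryption requires premium journaling.
Set-IRMConfiguration `
    -InternalLicensingEnabled $true `
    -ClientAccessServerEnabled $true `
    -SearchEnabled $true `
    -JournalReportDecryptionEnabled $true `
    -TransportDecryptionSetting Mandatory

# 3. A premium (per-recipient) journal rule, so the clear-text copies the
#    Journal Report Decryption Agent attaches have a journal mailbox to land in.
New-JournalRule -Name "Journal - Board (decrypted copies)" `
    -Recipient "Board@contoso.example" `
    -JournalEmailAddress "journal@contoso.example" `
    -Scope Global `
    -Enabled $true

# 4. End-to-end check: Test-IRMConfiguration acquires licenses, then protects
#    and decrypts a test message as the given sender and reports each step,
#    which catches a missing super-users membership before users do.
Test-IRMConfiguration -Sender "alice@contoso.example"
Get-IRMConfiguration | Format-List *Enabled, TransportDecryptionSetting
```

The super-user grant is the sensitive part of this setup: it lets the Hub decrypt any content published against that AD RMS cluster, which is exactly what the "agents not prevented from copying decrypted content" bullet warns about. Keep the set of transport agents on those servers to what you have reviewed, and treat the journal mailbox that receives clear-text copies as holding the most sensitive data in the organization.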


Session Takeaways

Automatically monitor and control the distribution of sensitive information
• MailTips guide users with automatic alerts before sending
• Transport Rules automatically enforce granular policies
• Expanded Transport Rule conditions enable more specific policies
• New actions: Dynamic Signatures, Moderation, IRM Protection

Better protect access to data with persistent Information Rights Management
• Apply by policy with Transport Protection Rules, Outlook Protection Rules
• Extend user access with IRM in OWA, Outlook, Windows Mobile
• Enable search, AV/AS scanning, filtering, journaling of protected mail

Ensure the right level of control is applied to the right messages

Related Content

• UNC316 Microsoft Exchange Server 2010 Management and Operations (Ilse Van Criekinge, 11/12/2009, 17:00 - 18:15)
• SIA05-IS Secure Messaging Using Active Directory Rights Management Services (AD RMS) and Microsoft Exchange Server 2010 (Cristian Mora, 11/11/2009, 13:30 - 14:45)
• SIA304 Windows Server 2008 R2 Active Directory Rights Management Services Deep Dive (11/12/2009, 17:00 - 18:15)
• UNC16-HOL Microsoft Exchange Server 2010 Compliance: Information Leakage Protection and Control

UNC Track Call to Action!

Learn More!
• Related Content at TechEd: see the “Related Content” slide; attend in person or consume post-event at TechEd Online
• Check out learning/training resources at Microsoft TechNet: Exchange Server and Office Communications Server
• Check out Exchange Server 2010 at the Virtual Launch Experience (VLE) at thenewefficiency.com

Try It Out!
• Download the Exchange Server 2010 Trial
• Take a simple Web-based test drive of UC solutions through the 60-Day Virtual Experience

Resources
• www.microsoft.com/teched: Sessions On-Demand & Community
• http://microsoft.com/technet: Resources for IT Professionals
• http://microsoft.com/msdn: Resources for Developers
• www.microsoft.com/learning: Microsoft Certification & Training Resources
• Unified Communications Resources

Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

Question & Answer

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.