Enabling Claims for Authorization
in SharePoint, MS Outlook, Windows 8
and the Cloud
Antonio Maio
Senior Product Manager
Blog: www.titus.com/blog
Twitter: @AntonioMaio2
Agenda
• Introduction
• Claims and Why they are Important
• Authorization
• Secure Information Sharing Considerations
• Authorization with Claims
  • Microsoft SharePoint 2010
  • Microsoft Outlook
  • Windows 8 Server
• Considerations for the Cloud
• Benefits and Conclusion
WWW.TITUS.COM | © TITUS. ALL RIGHTS RESERVED |
What is a Claim
• Metadata about a user
  • User Attributes (AD or LDAP attributes)
  • Trusted User Attributes
• Claims are Trusted Assertions That I Make
  • Retrieved from a trusted identity provider
  • Packaged/Signed in a standards-based way (ex. SAML)
  • Take my identity across network boundaries in a trusted and secure way
Authorization
• What is Authorization
  • Determining what users are allowed to access and do
  • Accomplished through policy enforcement
• Using Claims…
  • Authorization can be specific to the user
  • Authorization can be dynamic – ex. changes in a user’s security clearance
  • Authorization can include environmental attributes (device, current time, GEO location, connection type, etc.)
  • Alternative to security groups – Groups do Not Scale
Secure Information Sharing Considerations
• User Identity or Trusted Claims
  • Who am I, What’s my clearance level, etc…
  • Privacy is important – only check required claims
• Leverage Metadata
  • What’s the classification on this Document/Email/Communication
  • Tells you what data to protect
• Automation is Critical
  • Ensures access control policies are consistently applied
• Environmental Data
  • Device, Time of day, Geo-location, Connection type
Authorization with Claims
Microsoft SharePoint 2010 with ADFS 2.0
• Assigning Permissions to Content – Enforces Access Control
  • Can assign Users or Groups (with a permission level)
  • Can assign Claims (with a permission level) – New to SharePoint 2010
  • Applies to any items or containers (library, list, site, etc…)
• This means: if a user logs in with specific claims and content has the identical claim assigned
  • User gets access to the content (at the assigned permission level)
  • SharePoint 2010 checks that claims match assigned permissions
• What does this look like?
Authorization with Claims
Microsoft SharePoint 2010 with ADFS 2.0
Bob’s claims:
  Name: Bob
  Citizenship: USA
  Place of Birth: Washington DC
  Department: Research
  Clearance: Confidential
Policy:
  User.clearance = Confidential AND
  Doc.classification = Confidential (or lower)
Authorization with Claims
Microsoft SharePoint 2010 with ADFS 2.0
Alice’s claims:
  Name: Alice
  Citizenship: USA
  Place of Birth: San Diego, CA
  Department: Finance
  Clearance: Internal
Policy:
  User.clearance = Internal AND
  Doc.classification = Internal (or lower)
Automatic Access Control policies enforced through…
TITUS Metadata Security for Microsoft SharePoint
Authorization with Claims
Microsoft SharePoint 2010 with ADFS 2.0
[Diagram: the claims flow between the following components]
• Client System (ex. web browser)
• Secure Token Server (STS), ex. Active Directory Federation Services (ADFS version 2.0), with one or more Claims Rules; issues a Token with Claims (Format: SAML or WS-Fed)
• Trusted Identity Provider (could be within the corporate network or over the internet)
• Database or Directory (ex. Active Directory)
• SharePoint 2010, with one or more Custom Claims Providers
Authorization with Claims
Microsoft Outlook
• Retrieve Claims for the Sender of an Email
  • Allows us to enforce policies on emails
• Use Claims to Determine if the User is Permitted to Send that Email
  • Evaluated upon clicking Send
  • Permits us to present remediation options
Stop that Data Leak Before it Happens
Authorization with Claims
Microsoft Outlook
• Policies relate to:
  • Classification of the Email
  • Body/Subject Content
  • Attachments – Classification, Metadata or Content
  • Recipients
  • Encryption (RMS, S/MIME), etc…
• Ex. Sending a classified email is only permitted by a user with ‘Secret’ clearance or above, and doing so requires S/MIME encryption
• Not configurable through Microsoft Outlook
  • Requires custom add-in…
TITUS Message Classification
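One way to evaluate the policies from the Bob/Alice SharePoint slides and the Outlook send-time example above against a claims token, as an added example that is not TITUS or Microsoft code; the issuer URL, claim names, the clearance ordering, the meaning of "classified" and the email fields are assumptions:

```python
# Added example (not TITUS or Microsoft code): evaluates the two policies from
# the slides over a constructed claims token. The issuer URL, claim names,
# the clearance ordering and the email fields are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ordered classification levels assumed for the "X (or lower)" comparisons.
LEVELS = {"Public": 0, "Internal": 1, "Confidential": 2, "Secret": 3}
TRUSTED_ISSUERS = {"https://adfs.example.com/"}   # constructed ADFS 2.0 issuer

@dataclass
class ClaimsToken:
    issuer: str                          # who signed the SAML/WS-Fed token
    claims: Dict[str, str] = field(default_factory=dict)

def clearance(token: ClaimsToken) -> int:
    """Reads only the clearance claim (privacy: check required claims only).
    Claims from an untrusted issuer are not assertions we can rely on."""
    if token.issuer not in TRUSTED_ISSUERS:
        return -1
    return LEVELS.get(token.claims.get("clearance", ""), -1)

def can_read(token: ClaimsToken, doc_classification: str) -> bool:
    """SharePoint slide: User.clearance = X AND Doc.classification = X (or lower)."""
    return clearance(token) >= LEVELS[doc_classification]

def send_decision(token: ClaimsToken, email: dict) -> Tuple[bool, List[str]]:
    """Outlook slide: a classified email may only be sent by a user with
    'Secret' clearance or above, and only with S/MIME encryption. Evaluated at
    Send time; returns (permitted, remediation options to offer the user).
    'Classified' is assumed to mean Confidential or higher."""
    remediation: List[str] = []
    if LEVELS[email["classification"]] < LEVELS["Confidential"]:
        return True, remediation
    if clearance(token) < LEVELS["Secret"]:
        remediation.append("lower the email classification or remove classified content")
    if not email.get("smime", False):
        remediation.append("apply S/MIME encryption before sending")
    return not remediation, remediation

# Constructed tokens matching the Bob and Alice slides.
BOB = ClaimsToken("https://adfs.example.com/",
                  {"name": "Bob", "department": "Research", "clearance": "Confidential"})
ALICE = ClaimsToken("https://adfs.example.com/",
                    {"name": "Alice", "department": "Finance", "clearance": "Internal"})
```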
Authorization with Claims
Microsoft Windows 8 Server
• Dynamic Access Control
  New Centralized Access Control in Windows 8 File Server
  • Goal: New Ways to Control Access to Data and Achieve Regulatory Compliance
  • Windows Authentication, Authorization & Auditing – Built-in Support for Claims
  • Flexibility in Enforcing Business Policies within Windows
• Apply Access Control Policies to Sensitive Content on File Servers
  • Classification is a key element in applying fine-grained policies to files in Windows 8
  • Access Control Policies and Audit Policies
Authorization with Claims
Microsoft Windows 8 Server
• Dynamic Access Control Policies
  • Based on classification or metadata (resources) assigned to files
  • Based on claims in the user’s token (Kerberos)
  • Result: Security Trimmed View of File Server Data Specific to the User
• Policies are defined/stored in AD
  • Defined using AD Administrative Center (ADAC)
  • Policies are pushed through GPO to file servers
• Policies Apply To
  • Files and Folders on the Windows 8 File Server
  • Windows 8 client is not required
  • Ex. Financial docs can only be accessed by people in Finance Dept
Authorization with Claims
Microsoft Windows 8 Server
Build 8102 (screenshot slides)
Authorization with Claims
Microsoft Windows 8 Server
• New Auditing Capabilities
  • Define Centralized Audit Policies that apply across file servers
  • Helps reduce the voluminous data produced by current auditing capabilities
  • Simplify data mining by only auditing what you care about
  • Ex. Show me all the documents classified as ‘confidential’ that were accessed by my Finance dept
• Policy Change Simulation/Staging
  • Test policy changes and view effects before deploying
  • Zero impact to current operations while viewing the effect of policies
• Device Claims
  • Ex. “IT Managed” claim can delineate between personal and corp devices
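As an added example (not Microsoft’s Dynamic Access Control implementation), the Windows 8 Server slides’ Finance-department rule, the staged policy simulation and the audit query above, modelled in Python; the rule names, resource property names, claim names and audit event fields are assumptions:

```python
# Added example (not Microsoft's Dynamic Access Control code): simulates the
# central access rules, policy staging and audit query described on the slides.
# Resource property names, claim names and the event fields are assumptions.
from dataclasses import dataclass, field

@dataclass
class CentralAccessRule:
    name: str
    targets: object   # resource properties -> bool: which resources the rule covers
    permits: object   # (user claims, device claims, resource) -> bool
    staged: bool = False   # a staged rule is reported but never enforced

# Slide example: financial documents are only accessible to the Finance dept.
FINANCE_RULE = CentralAccessRule(
    name="Finance documents",
    targets=lambda res: res.get("Department") == "Finance",
    permits=lambda user, dev, res: user.get("department") == "Finance")

# Slide example: the "IT Managed" device claim separates corporate from personal
# devices; staged here so its effect can be viewed before deployment.
MANAGED_DEVICE_RULE = CentralAccessRule(
    name="Confidential only from managed devices",
    targets=lambda res: res.get("Classification") == "Confidential",
    permits=lambda user, dev, res: dev.get("IT Managed") == "true",
    staged=True)

@dataclass
class AuditTrail:
    events: list = field(default_factory=list)   # constructed central audit log

    def check_and_record(self, rules, user, device, resource):
        """Evaluate every rule that targets the resource; staged denials are
        logged as 'would deny' without affecting the real decision."""
        allowed, would_deny = True, []
        for rule in rules:
            if not rule.targets(resource) or rule.permits(user, device, resource):
                continue
            if rule.staged:
                would_deny.append(rule.name)
            else:
                allowed = False
        self.events.append({"user": user.get("name"), "department": user.get("department"),
                            "classification": resource.get("Classification"),
                            "allowed": allowed, "would_deny": would_deny})
        return allowed, would_deny

    def query(self, classification, department):
        """Slide example: confidential documents accessed by the Finance dept."""
        return [e for e in self.events if e["allowed"] and
                e["classification"] == classification and e["department"] == department]
```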
Claims and Authorization
Considerations for the Cloud
• Claims and Classification are a key part of policies – allow policies to be fine-grained, specific and dynamic
• Fine-grained policies applied to information are necessary to secure Cloud applications
• Federation becoming more prevalent
  • External users access my cloud apps with their own identities
  • Becoming more prevalent – B2B still early, but it is coming
• Need: Fine-grained policies enforced on data within Cloud applications
  • Ex. SharePoint Online, Outlook with Exchange Online, etc.
Benefits and Conclusion
• Claims and Classification Enable Enterprise-Grade Authorization
  • Policies are Specific to the User and the Information… and to the device
  • Policies are applied Dynamically
  • Automation allows policies to be applied Consistently
• Consider all Aspects of the Enterprise
  • Enterprise Content Management – SharePoint
  • Messaging – MS Outlook
  • File Servers – Windows 8 Server
  • Cloud – along with Federation across organizations
• Infrastructure and Planning Required
  • Plan your policies with business stakeholders… Keep it Simple to Start!
• Connect with TITUS to bring Claims Based Authorization to Your Environment
Thank You
See TITUS at Booth #1847 at RSA2012
Antonio Maio
Senior Product Manager
Blog: www.titus.com/blog
Twitter: @AntonioMaio2