it can be found here - TITUS

Enabling Claims for Authorization 

in SharePoint, MS Outlook, Windows 8 

and the Cloud 

Antonio Maio 

Senior Product Manager 

Blog: www.titus.com/blog 

Twitter: @AntonioMaio2

Agenda 

• Introduction 

• Claims and Why they are Important 

• Authorization 

• Secure Information Sharing Considerations 

• Authorization with Claims 

• Microsoft SharePoint 2010 

• Microsoft Outlook 

• Windows 8 Server 

• Considerations for the Cloud 

• Benefits and Conclusion 

WWW.TITUS.COM | © TITUS. ALL RIGHTS RESERVED |

What is a Claim 

• Metadata about a user 

• User Attributes (AD or LDAP attributes) 

• Trusted User Attributes 

• Claims are Trusted Assertions That I Make 

• Retrieved from a trusted identity provider 

• Packaged/Signed in a standards-based way (ex. SAML) 

• Take my identity across network boundaries in a trusted 

and secure way 


Authorization 

• What is Authorization 

• Determining what users are allowed to access and do 

• Accomplished through policy enforcement 

• Using Claims… 

• Authorization can be specific to the user 

• Authorization can be dynamic – ex. changes in a user’s 

security clearance 

• Authorization can include environmental attributes (device, 

current time, GEO location, connection type, etc.) 

• Alternative to security groups – Groups do Not Scale 


Secure Information Sharing Considerations 

• User Identity or Trusted Claims 

• Who am I, What’s my clearance level, etc… 

• Privacy is important – only check required claims 

• Leverage Metadata 

• What’s the classification on this Document/Email/Communication 

• Tells you what data to protect 

• Automation is Critical 

• Ensures access control policies are consistently applied 

• Environmental Data 

• Device, Time of day, Geo-location, Connection type 


Authorization with Claims 

Microsoft SharePoint 2010 with ADFS 2.0 

• Assigning Permissions to Content – Enforces Access Control 

• Can assign Users or Groups (with a permission level) 

• Can assign Claims (with a permission level) – New to SharePoint 2010 

• Applies to any items or containers (library, list, site, etc…) 

• This means: if user logs in with specific claims and content has the 

identical claim assigned 

• User gets access to the content (at the assigned permission level) 

• SharePoint 2010 checks that claims match assigned permissions 

• What does this look like 




Bob 

Name 

Citizenship 

Place of Birth 

Department 

Clearance 

Bob 

USA 

Washington DC 

Research 

Confidential 

Policy: 

User.clearance = Confidential AND 

Doc.classification = Confidential (or lower) 




Alice 

Name 

Citizenship 

Place of Birth 

Department 

Clearance 

Alice 

USA 

San Diego, CA 

Finance 

Internal 

Policy: 

User.clearance = Internal AND 

Doc.classification = Internal (or lower) 

Automatic Access Control policies 

enforced through… 

TITUS Metadata Security 

for Microsoft SharePoint 




Format: SAML or 

WS-Fed 

Token with 

Claims 

Claims Rule 

Claims Rule 

… 

SharePoint 

2010 

Custom Claims Provider 

Custom Claims Provider 

… 

Secure Token Server 

(STS) 

EX. Active Directory 

Federation Services 

(ADFS version 2.0) 

Trusted Identity Provider 

(could we within corporate network or 

over internet) 

Database or 

Directory 

Ex. Active Directory 

Client System 

Ex. web browser 



Microsoft Outlook 

• Retrieve Claims for the Sender 

of an Email 

• Allows us to enforce policies on 

emails 

• User Claims to Determine if User 

is Permitted to Send that Email 

• Evaluated upon clicking Send 

• Permits us to present 

remediation options 

Stop that Data Leak Before it Happens 



Microsoft Outlook 

• Policies relate to: 

• Classification of the Email 

• Body/Subject Content 

• Attachments – Classification, Metadata or Content 

• Recipients 

• Encryption (RMS, S/MIME), etc… 

• Ex. Sending a classified email is only be permitted by a user with 

‘Secret’ clearance or above, and doing so requires S/MIME 

encryption 

• Not configurable through Microsoft Outlook 

• Requires custom add-in… 

TITUS Message Classification 



Microsoft Windows 8 Server 

• Dynamic Access Control 

New Centralized Access Control in Windows 8 File Server 

• Goal: New Ways to Control Access to Data and Achieve Regulatory 

Compliance 

• Windows Authentication, Authorization & Auditing - Built in Support for Claims 

• Flexibility in Enforcing Business Policies within Windows 

• Apply Access Control Policies to Sensitive Content on File Servers 

• Classification is a key element in applying fine grained policies to files 

in Windows 8 

• Access Control Policies and Audit Policies 




• Dynamic Access Control Policies 

• Based on classification or metadata (resources) assigned to files 

• Based on claims in the user’s token (Kerberos) 

• Result: Security Trimmed View of File Server Data Specific to the User 

• Policies are defined/stored in AD 

• Defined using AD Administrative Center (ADAC) 

• Policies are pushed through GPO to file servers 

• Policies Applies To 

• Files and Folders on the Windows 8 File Server 

• Windows 8 client is not required 

• Ex. Financial doc’s can only be accessed by people in Finance Dept 




Build 8102 




Build 8102 




Build 8102 




Build 8102 



Microsoft Windows 8 Servers 

• New Auditing Capabilities 

• Define Centralized Audit Policies that apply across file servers 

• Helps reduce voluminous data found by current auditing capabilities 

• Simplify data mining by only auditing what you care about 

• Ex. Show me all the documents classified as ‘confidential’ that were 

accessed by my Finance dept 

• Policy Change Simulation/Staging 

• Test policy changes and view effects before deploying 

• Zero impact to current operations while viewing the effect of policies 

• Device Claims 

• Ex. “IT Managed” claim can delineate between personal and corp devices 


Claims and Authorization 

Considerations for the Cloud 

• Claims and Classification are a key part of policies – allow policies to 

be fine grained, specific and dynamic 

• Fine grained policies applied to information are necessary to secure 

Cloud applications 

• Federation becoming more prevalent 

• External users access my cloud app’s with their own identities 

• Becoming more prevalent - B2B still early, but it is coming 

• Need: Fine grained policies enforced on data within Cloud 

applications 

• Ex. SharePoint Online, Outlook with Exchange Online, etc. 


Benefits and Conclusion 

• Claims and Classification Enable Enterprise-Grade Authorization 

• Policies are Specific to the User and the Information… and to the device 

• Policies are applied Dynamically 

• Automation allows policies to be applied Consistently 

• Consider all Aspects of the Enterprise 

• Enterprise Content Management – SharePoint 

• Messaging – MS Outlook 

• File Servers – Windows 8 Server 

• Cloud – along with Federation across organizations 

• Infrastructure and Planning Required 

• Plan your policies with business stakeholders… Keep Simple to Start! 

• Connect with TITUS to bring Claims Based Authorization 

to Your Environment 


Thank You 

See TITUS at Booth #1847 at RSA2012 

Antonio Maio 

Senior Product Manager 

Blog: www.titus.com/blog 

Twitter: @AntonioMaio2

it can be found here - TITUS

Create successful ePaper yourself

Delete template?

Save as template?