Dan GriffinWelcome to the 17th edition of the JW Secure Informer, our bi-monthly newsletter. This is an opportunity to share what’s on our radar, specifically with respect to enterprise network security, but also regarding IT and business more generally.

The Informer is intended to be useful content and good for a quick read. So if it’s just clutter in your inbox, we’ve failed, and I hope you’ll let us know.

Better Protection Against Data Loss in Windows 8

The Challenge

JW Secure Informer - article calloutFor a typical business IT department, data access control requirements are a fast-moving target. New line of business scenarios, budget pressure, compliance requirements, cloud computing, and mobile workforce: all of these factors have made it increasingly difficult for IT personnel to support business needs while protecting sensitive data from unauthorized access. And while for some businesses, IT security expenditure is driven simply by a desire to avoid a front page exposé in the Wall Street Journal, the most competitive companies are constantly seeking opportunities to reap new value from their existing data. Additional business value can be realized with existing data in scenarios such as CRM and ERP, for example, and using tools such as cloud storage and mobile devices.

A well-functioning business operation cannot tolerate any security restriction that makes it difficult to meet legitimate business objectives. In an age of smart phones and tablets, all users have become accustomed to data access anywhere and at any time. This puts IT professionals between a rock and a hard place. So, how can we implement nuanced compliance rules, provide data loss prevention, and at the same time allow quick and easy data access anytime, anywhere, to authorized users? That is the goal of Dynamic Access Control in Windows 8.

In short, Dynamic Access Control is designed to make existing authorization tools more expressive. The most common form of access control management today is the security group. In a role-based access control model using security groups, a group will be created for a collection of data. When a user assumes a role that requires access to the data, the user is made a member of the security group for as long as access is needed. This first level of authorization abstraction interposes the role (or group identity) in between the user and the data. But with ever increasing complexity of compliance mandates, the number of security groups has proliferated to the point where a large enterprise user may need to belong to tens to hundreds of groups to accommodate fine-grained control.

An additional complication is the growing number of geographical compliance mandates designed to keep sensitive personal data inside a country’s borders. These mandates are intended to ensure that data transit does not result in relaxation of compliance rules, and are a well-known compliance implementation hurdle in the European Union.

The Solution

The only place where data access can be effectively controlled is at the server where the data resides. But the tradeoff is loss of centralized control of policy. In response to this dichotomy, Dynamic Access Control has been designed to provide solid access control at this most appropriate location while maintaining a central control store for authorization information.

From a business perspective, two primary reasons for centralized control are proof of compliance and ease of management. To meet the first requirement, use a strategy of creating labels to enable the compliance rules to determine if the data needs to be controlled. To meet the second, create central policy based on the compliance category.

With current technologies such as the discretionary access control list (DACL, or just ACL) feature in file systems like NTFS, IT security engineers have long recognized that some compliance rules do not fit the usual user/group attributes. Regulations tell us to prevent data from leaving a political or geographic region, or to attest that the devices that access the data will not inadvertently leak it from the control boundary. These attributes become accessible with Dynamic Access Control—the location and health of the device can be included in the claims delivered to the server that performs the access check together with the policies that need to be enforced.

Let’s explore a scenario. First, suppose that specific data types – personally identifiable information (PII), for example – are determined to impose a compliance requirement: the data can’t leave the European Union, and the data can only be downloaded if the client computer is using hardware disk encryption.

To identify the sensitive data, automation is used to scan existing files and label those that contain PII (see also the Automatic File Classification feature in Windows Server 2012). The IT group then works with an architect to write a policy to ensure that only employees with a privacy-aware attribute are permitted to access the data, and that they may only access it from a secure machine physically located in the European Union and with an encrypted hard drive.

The real magic of Dynamic Access Control happens when it’s used as an enabler for BYOD (Bring Your Own Device). Continuing the scenario above, a corporate user can buy a Windows 8 laptop from any store, anywhere in the world. The user can then download and install an onboarding software agent to join the computer to the company Active Directory domain, to enable the hardware security protection available on the embedded TPM chip, and to finally setup disk encryption.

From that point forward, whenever the computer is booted, it generates a set of test signatures that can be verified by an attestation server. An authorization claim set is created on the new laptop that includes the computer health attestation, a geolocation code, and the user’s identity and attributes. When the user attempts to access Dynamic Access Control-protected data, the claim set is sent to the file server and is validated against the policy. If the claim set meets the policy – the client computer is currently in the European Union, the user is authorized, and disk encryption is enabled – the user is granted data access on the machine. Otherwise, the user is directed to potential remediation steps.

JW Secure has built and deployed onboarding tools for a variety of BYOD compliance scenarios. To learn more, please drop us a line.

The following sites describe more about the new capabilities of Dynamic Access Control in Windows 8 and how you can benefit from it.

Dynamic Access Control: Scenario Overview
How to use central access policies for dynamic access control