Securing files on corporate servers is like controlling cats during the breeding season: if you do not sterilize them in time, you will soon have a whole herd of cats. Microsoft is tackling this problem with Dynamic Access Control, a service that will ship with the upcoming Windows Server 8 and is designed to provide centralized, domain-level security for files and folders on top of existing file permissions.
According to Microsoft, more than 80% of enterprise data is located on company servers. In most cases, documentation of the content is either completely absent or poor, and no one can keep control of the databases and metadata that belong to individual departments. “System administrators, in fact, have no idea what kind of information is stored on their servers,” despite the fact that they set up the systems and storage, said Nir Ben-Zvi, project manager at Microsoft, at a press conference last week.
In the updated version of Active Directory, the Dynamic Access Control service combines Kerberos security, improved file-level security and an authentication system that automatically marks sensitive data based on its content and author.
“Non-credit card accounts, for example, can be identified and labeled as particularly important,” says Ben-Zvi. Dynamic Access Control introduces the concept of “claims” into the Windows Server security vocabulary. The concept has long been used in the field of integrated Internet security, but Microsoft applies it to objects published by Active Directory.
Active Directory 8 defines claims for files, folders and shared resources, each of which can be sent to other Windows Server 8 servers inside the organization, along with a request to determine the file's properties and access policies.
Dynamic Access Control is based on “four pillars”, beginning with the identification of critical data through manual, automatic or application-based tagging. For example, an administrator can mark all Excel documents as confidential and search the content of Word documents for the word “confidential” for additional tagging.
The central access policy builds on these tagged files. A new tool in Active Directory Administrative Center works with expressions that set conditions on user and device “claims” and on file tags, and manages the denial of access.
Using a centralized policy, automatically or manually, you can restrict access to files based on various criteria, including user and device division. “I can use this function with respect to the entire organization, across all departments and repositories,” says Ben-Zvi, provided that the files are on a Windows Server 8 server. If they are not, the access control tags are preserved, but the access policy no longer applies.
The third pillar of DAC is auditing, performed by applying a centralized policy across different servers with the same tools and “claims” support, complemented by a trial mechanism that lets you simulate changes in access policies.
Finally, the last pillar of Windows Server 8 security is data protection, which automatically applies Microsoft's RMS security model to Office documents almost immediately after they are tagged, and extends to other, non-Office documents.
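The tagging and central-policy pillars described above can be modelled in a few lines. This is an added illustration, not Microsoft's code or API: the claim names (`department`, `managed`), the file names and the Finance rule are hypothetical, and it assumes that existing file permissions still apply when the central policy is not enforced.

```python
from dataclasses import dataclass, field

@dataclass
class File:
    name: str
    text: str
    acl_allows: set                      # users the existing file permissions allow
    tags: set = field(default_factory=set)

def classify(f):
    """Pillar 1: automatic tagging, using the two rules from the article."""
    lower = f.name.lower()
    if lower.endswith((".xls", ".xlsx")):
        f.tags.add("confidential")       # every Excel document
    if lower.endswith((".doc", ".docx")) and "confidential" in f.text.lower():
        f.tags.add("confidential")       # Word document whose content matches
    return f.tags

def central_policy(user_claims, device_claims, tags):
    """Pillar 2: one expression over user claims, device claims and file tags.
    Claim names and the Finance condition are hypothetical."""
    if "confidential" not in tags:
        return True                      # the rule does not target this file
    return (user_claims.get("department") == "Finance"
            and device_claims.get("managed") is True)

def can_access(user, user_claims, device_claims, f, server_enforces_policy=True):
    """Effective access: existing permissions AND the central policy."""
    if user not in f.acl_allows:
        return False                     # policy sits on top of the ACL, never widens it
    if not server_enforces_policy:
        return True                      # tags survive, but the policy is not applied
    return central_policy(user_claims, device_claims, f.tags)

# Constructed sample data
budget = File("budget.xlsx", "Q3 numbers", {"alice", "bob"})
memo = File("memo.docx", "CONFIDENTIAL: draft", {"alice", "bob"})
notes = File("notes.docx", "lunch menu", {"alice", "bob"})
for _f in (budget, memo, notes):
    classify(_f)
ALICE, BOB = {"department": "Finance"}, {"department": "Sales"}
MANAGED, UNMANAGED = {"managed": True}, {"managed": False}

if __name__ == "__main__":
    for _f in (budget, memo, notes):
        print(_f.name, sorted(_f.tags), can_access("bob", BOB, MANAGED, _f))
```

The last argument of `can_access` models the caveat above: on a server that does not enforce the policy, a tagged file is readable by anyone the file permissions allow.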