Archive for the ‘Windows Server FCI’ Category

RSA 2012 Wrap Up and Observations – Identity is Critical for Authorization

Thursday, March 8th, 2012

Reflecting on the incredible conference that was RSA 2012 last week, you can easily see how Identity has become critical to implementing real-world authorization scenarios in many businesses and government/military departments. There were many hot topics at RSA this year including: Cloud, Mobile and of course APTs (advanced persistent threats). With 22,000 attendees it was easy to get overwhelmed with the myriad of sessions and solution providers. However, Identity or using aspects of a user’s identity specifically for authorizing access to information or resources was everywhere. I gave session at RSA this year entitled Using Claims for Authorization in SharePoint, MS Outlook, Windows 8 and the Cloud. Thanks to everyone that attended. Keep reading to access my presentation deck from that session.
(more…)

Posted in SharePoint, SharePoint 2010 News, SharePoint and Claims, SharePoint metadata, SharePoint security, Windows Server FCI | No Comments »

RSA 2012 – Authorizing BYOD with Claims?

Saturday, February 25th, 2012

The RSA 2012 Conference is upon us and, being the world’s premiere computer security conference, there will be lots of talk about cyber threats, malware, hacking, new APTs (advanced persistent threats) as well as security strategies. We expect that this year we’ll hear about how protecting our sensitive information and systems is impacted by mobile devices and the cloud. In the days of “BYOD” (bring your own device) this becomes especially important. On Thursday March 1 at 11:30am, I’ll be giving a briefing session on Using Claims for Authorization in SharePoint 2010, MS Outlook, Windows 8 and the Cloud. The session will be located in the Briefing Center located in the front of the 2100 aisle of the exhibition floor.
(more…)

Posted in Document Classification, Message Classification, SharePoint, SharePoint 2010 News, SharePoint and Claims, SharePoint labeling, SharePoint metadata, SharePoint security, Windows Server FCI | No Comments »

Using File Classifications to Set SharePoint Security

Friday, June 11th, 2010

Many organizations have security initiatives underway to classify their information. This can include information like Microsoft Office documents, PDFs and other file types. Once the infromation has been classified, the enterprise can use the classification metadata to make sure that the information is properly protected. Government and military organizations have been classifying information for decades, but classification of information is now being adopted in commercial organizations. Finance is a vertical where classification of information is quickly taking hold. Financial organizations typically deal with a lot of customer / privacy infromation that must be protected. There are also a myriad of regulatory compliance issues which apply to financial instritutions mandating them to protect (e.g. insider information) certain information.

Many organizations use a very simple set of classifications such as PUBLIC, INTERNAL, CONFIDENTIAL. Information can be classified in a number of different ways. Getting the user to classify infromation on creation (enabled by products like our Titus Labs Document Classification) is one way. Using an automated approach to classification such as the one offered by the Microsoft File Classification Infrastructure is another way. Both approaches have advantages and disadvantages. Automated approachs will never be as accurate, but they are useful for older already existing files.

Now we get to the SharePoint part. Wouldn’t it be great to be able to automatically have SharePoint permissions assigned to documents based on their assigned classification? This is exacatly what some of our customers have asked us for. Once the infromation has been classified, the application (in this case SharePoint) should be able to leverage the classification metadata to protect the information automatically. You shouldn’t have to set the permissions manually once the information has already been classified. The classification metadata created by both the Titus Labs Document Classification application and Microsoft FCI can easily be transferred into SharePoint. All you have to do is create a custom SharePoint column called Classification, or whatever the classification property is called, and when a document that has been classified is uploaded into SharePoint, the classification metadata will appear. Once the classification metadata is in SharePoint your library might look something like this:

Now that the classification metadata is in SharePoint all we need to do is set the permissions automatically based on the classification. This can be done using the Titus Labs Metadata Security for SharePoint product. Using the product we can build metadata security rules. For example we can build a rule that will assign read permissions to only the R&D team when the document is classified as CONFIDENTIAL. Here is what the rule would look like in the Metadata Security product:

Metadata Security Rule for Classification CONFIDENTIAL

Once the rule is applied all current documents and all new documents saved to this SharePoint library that have a classification of CONFIDENTIAL will have the, R&D group Read permission, automatically assigned.

We can also assign metadata rules for the other classifications like PUBLIC and INTERNAL. Once this is done, all documents dropped into SharePoint will have security permissions automatically assigned.

Posted in Document Classification, SharePoint, SharePoint metadata, Windows Server FCI | No Comments »

Email Data Loss Prevention and the Windows Server 2008 R2 File Classification Infrastructure

Tuesday, March 2nd, 2010

This is a copy of a blog I wrote jointly with Microsoft. It can be viewed on the Microsoft Windows Server WebLog at

http://blogs.technet.com/windowsserver/archive/2010/02/25/prevent-loss-of-sensitive-information-using-the-windows-server-2008-r2-file-classification-infrastructure.aspx

There has been a lot of talk lately about data breaches costing organizations millions of dollars in fines or lawsuits not to mention the bad publicity and other intangible losses. Data Loss Prevention products are being deployed to try to help organizations minimize these types of incidents. Information classification can be used to prevent data breaches and help organizations with compliance requirements such as PCI, HIIPA, ISO 27001, the Massachusetts Data Protection Law 201 and other similar legislation.

The new File Classification Infrastructure (FCI) in Microsoft Windows 2008 R2 enables organizations to protect data by automatically classifying files and applying policy. FCI includes the ability to define classification properties, automatically classify files based on location and content, and invoke file management tasks such as file expiration and custom commands based on classification. Once the files have been classified, appropriate security can be applied based on the business value of the information. For example, in a PCI environment, FCI based classification can be used to identify files that contain sensitive credit card information, and in a health care environment, FCI based classification can identify files with private health information. Once the files have been classified file management tasks can be used to segment sensitive files onto more secure storage devices, to protect files with encryption, and to assign more restrictive permissions to the files. This helps ensure that information stored on file servers is well secured.

Another concern is email. Email messages or email attachments are a security risk as email cannot easily be controlled. At Titus Labs we’ve extended classification and information protection to the Microsoft Outlook environment. Titus Labs Message Classification can recognize file attachments that have been classified using FCI.

The Titus Labs solution can examine the FCI classifications of Microsoft Office attachments, and can apply policy that can restrict the distribution of sensitive information. Titus Labs’ Safe Recipient policies can be used to:

1. Protect the distribution of email within an organization. By examining all the recipients of an email, the Titus Labs policy can verify via Active Directory whether the recipient is allowed to receive attachments of a given classification. This prevents inadvertent data loss by warning the user that one of the recipients should be removed. For example, in an internal scenario, a financial organization may want to ensure that an employee in corporate finance is restricted from sending files classified as MERGER / ACQUISITION to another employee working as a broker or trader.

2. Protect the distribution of email outside the organization. By examining the domain of each of the recipients, the Titus Labs policy can verify that the domain is listed as trusted in the policy and can warn the user of a possible data breach and warn them or force them to change the recipient list. In the following example, the sender has mistakenly selected the wrong Anne Hollingsworth at an external address. The sender receives a warning because the email contains an attachment that has been classified as CONFIDENTIAL / INTERNAL USE.

Fci_email
Invalid recipient is detected based on classification

This is an example of the power of classification to protect your sensitive information.

Tags: , , , ,
Posted in Windows Server FCI | No Comments »

New File Share to SharePoint Migration Utility from Microsoft

Tuesday, December 15th, 2009

Microsoft is releasing a new Powershell script to allow customers to upload files directly from a file share to a SharePoint document library. In addition, the script will allow files that have metadata to carry that metadata into SharePoint. The script was developed by the group responsible for the Windows Server 2008 R2 File Classification Infrastructure and supports both SharePoint 2007 and SharePoint 2010. If you are not familiar with the File Classification infrastructure, it allows organizations to assign classification metadata to files on a Windows Server 2008 R2 file server. For more on File Classification infrastructure see one of my earlier posts on this topic.

The business reason behind the script is that a lot of organizations still have thousands of documents on server file shares. At some point these organizations will want to migrate those files into SharePoint to make them more available for collaboration, and to facilitate management of the files. FCI allows organizations to assign metadata to all the files on a file server, and this new script will enable transfer of the files and the associated metadata into SharePoint.

The combination of FCI and SharePoint overcomes a major hurdle in using the full power of SharePoint -populating files with metadata. Metadata allows users to filter and search information in SharePoint in a much more powerful way, especially with SharePoint 2010 features such as navigation hierarchies and key filters. Many customers say they can get their files into SharePoint, but they have no idea how to assign metadata to all these files. FCI along with this new script allows organizations to overcome this hurdle.

Getting metadata into SharePoint provides benefits for user search and file disposition and can also be used to strengthen security via products like our Metadata Security for SharePoint.

The new script is called FciSharePointUpload.ps1 and is available from Microsoft at this download site.

The script provides two options:

Option 1: Upload a file to a SharePoint Library – SharePoint 2007, SharePoint 2010.

FciSharePointUpload.ps1 –file <file path> -url <target site> -libPath <relative library path> [-name <target name>] [-sourceAction {keep|delete|url}] [-targetAction {overwrite|skip|fail}] [-propertyAction {copy|ignore}] [-user <user name> -password <password>]

Option 2: Upload a file to SharePoint using the official file web service that is coupled with a content organizer (e.g.: Record center) – SharePoint 2010 only.

FciSharePointUpload.ps1 –useOfficialFileWebService –file <file path> -url <target site> [-name <target name>] [-contentType <content type name>] [-sourceAction {keep|delete|url}] [-propertyAction {copy|ignore}] [-user <user name> -password <password>] [-additionalProperties] <property list>

The parameters are as follows:

  • file: path to the file to upload (required)
  • url: URL to the SharePoint site (required). Example: -url “http://sharepoint/sites/mariant”
  • libPath: relative path to the document library within the site (required), Example: -path “Shared Documents”
  • name: name of the target file (optional). If not specified, it defaults to the source file name as specified by the “file” argument. Example: -name Test.docx
  • contentType: name of the content type to use for the document (optional). If not specified, defaults to “Document”
  • sourceAction: indicates how to handle the source file after a successful upload (optional) – 1) keep – leave the file in place (default) 2) delete: delete the file;3)url: replace the file with a shortcut to the uploaded document’s URL
  • targetAction: specifies how to handle existing destination documents (optional) – 1) overwrite, replace (default) , 2) skip: leave existing version and continue , 3) fail: return error
  • ropertyAction: specifies FCI property transfer mode (optional) – 1) copy: transfer properties (default) , 2) ignore: do not transfer properties, let SharePoint choose defaults
  • user: user name to use for authentication (optional). The argument is ignored if “password” is not specified.
  • password: password to use for authentication (optional). The argument is ignored if “user” is not specified.
  • additionalProperties: list of extra properties to use for the document (optinal). The argument is followed by a space-separated list of strings. Each group of three strings is interpreted as the name, type and value of the property to add, in this order. The list size must be a multiple of three. These additional properties are always used, regardless of the propertyAction argument value. Example: -additionalProperties PII Boolean True BusinessImpact Choice High

Here is an example I created. I created a file share called "Merger". I then tagged all the files in this share with metadata property called CorpClassification, and a value of "CONFIDENTIAL" using FCI (you can't actually see the metadata in the file system).

FCIScript1

I then created a column called CorpClassification in a SharePoint library called Merger, and using the script I copied these three files into the SharePoint library. As you can see the metadata has been transferred with the files.

FCIScript2

Be careful when creating the property and column type in FCI and SharePoint. These have to match up as per the script requirements, or the script will not work. In my case, the FCI property was of type "Choice", this means I had to create a column of type Choice – Checkboxes in SharePoint. If I tried to define any other column type (e.g Choice – Dropdown) the script will not work.

Tags: , , , , , , , , ,
Posted in SharePoint 2010 News, Windows Server FCI | No Comments »

Owner Based Classification

Wednesday, December 9th, 2009

We just released our new Windows Server 2008 R2 File Classification Infrastructure (FCI) solutions earlier this week. These solutions enhance FCI capabilities to classify and add metadata to files stored on Windows Server 2008 R2 file shares. This is a great way to get metadata on files before transferring them into SharePoint.

One of our new offerings, Owner Based Classification for FCI, allows organizations to assign metadata to files based on the role of the person that created the file. File classification is the critical first step in managing the sheer volume of unstructured data on file servers. To simplify the classification process, it is useful to start with an intelligent default based on file attributes such as the document’s owner’s role within the organization.

FCI provides out-of-the-box functionality to classify files based on location and content. Organizations can extend FCI’s capabilities by using Titus Labs Owner-based Classification to classify files based on user role. For example, organizations can automatically classify Executive users’ files as “High Sensitivity”, or HR staff files as “HR Restricted”.

Some of the Benefits of Owner Based Classification

  • Enables automatic file classification based on the document owner’s role. This ensures that all documents start with an intelligent default.
  • Applies classifications to thousands of documents at once. If the classification labels change, there is no need for users to manually re-classify the files because the updates occur automatically.
  • Once assigned to files, the file and metadata can be transferred to SharePoint.
  • Interoperates with Titus Labs Document Classification to enable users to change classifications applied by FCI.
  • Generates classification metadata that can be used by other solutions to prevent data leakage. For example, the metadata can be used by Titus Labs Message Classification to prevent internal documents from slipping out in external emails.

To view a short 5 minute demonstration of Owner Based Classification have a look at our new video. Here

Tags: , , ,
Posted in SharePoint metadata, Windows Server FCI | No Comments »

Extensions to Windows Server 2000 R2 File Classification Infrastructure

Wednesday, December 2nd, 2009

We are just about to release the final versions of some new products for Windows Server 2008 R2 File Classification Infrastructure (FCI). We covered these briefly in an earlier post when they were beta.

One of the products, Document Marking for FCI is very similar to our Document Marking for SharePoint product. The former can insert headers footers and watermarks into Word 2007 documents based on classification metadata inserted by FCI, and the latter can insert headers footers and watermarks into Office documents based on classification metadata in SharePoint custom columns. In my last post I talked about how document marking can be very important for certain government and military applications that require document marking for sensitive or classified information.

Here is a quick scenario on how this could be used with FCI:

  1. An organization has a number of files stored on a Windows File Server. The organization would like to insert classification based headers and footers into these documents for compliance or government regulation requirements.
  2. The organization can use FCI to classify and insert classification metadata into all the files. The classification can be based on the folder location, the file’s content, or on who created the file.
  3. Once the classification metadata has been created, the Titus Labs Document Marking for FCI product can be used to automatically insert classification based headers and footers on the documents. for example, if a document has been classified as CONFIDENTIAL by FCI, the Document Marking will insert CONFIDENTIAL into the header and footer of all of the pages in the document.

Have a look at our new video to learn more about how this works:

http://www.youtube.com/watch?v=nf1G1dR8QvQ

Tags: , , , ,
Posted in SharePoint Document marking, SharePoint metadata, Windows Server FCI | No Comments »