Archive for the ‘Windows Server FCI’ Category

Email Data Loss Prevention and the Windows Server 2008 R2 File Classification Infrastructure

Tuesday, March 2nd, 2010

This is a copy of a blog I wrote jointly with Microsoft. It can be viewed on the Microsoft Windows Server WebLog at

There has been a lot of talk lately about data breaches costing organizations millions of dollars in fines or lawsuits, not to mention the bad publicity and other intangible losses. Data Loss Prevention products are being deployed to help organizations minimize these types of incidents. Information classification can be used to prevent data breaches and help organizations with compliance requirements such as PCI, HIPAA, ISO 27001, the Massachusetts Data Protection Law 201 and other similar legislation.

The new File Classification Infrastructure (FCI) in Microsoft Windows 2008 R2 enables organizations to protect data by automatically classifying files and applying policy. FCI includes the ability to define classification properties, automatically classify files based on location and content, and invoke file management tasks such as file expiration and custom commands based on classification. Once the files have been classified, appropriate security can be applied based on the business value of the information. For example, in a PCI environment, FCI-based classification can be used to identify files that contain sensitive credit card information, and in a health care environment, FCI-based classification can identify files with private health information. Once the files have been classified, file management tasks can be used to segment sensitive files onto more secure storage devices, to protect files with encryption, and to assign more restrictive permissions to the files. This helps ensure that information stored on file servers is well secured.

Another concern is email. Email messages or email attachments are a security risk as email cannot easily be controlled. At Titus Labs we’ve extended classification and information protection to the Microsoft Outlook environment. Titus Labs Message Classification can recognize file attachments that have been classified using FCI.

The Titus Labs solution can examine the FCI classifications of Microsoft Office attachments, and can apply policy that can restrict the distribution of sensitive information. Titus Labs’ Safe Recipient policies can be used to:

1. Protect the distribution of email within an organization. By examining all the recipients of an email, the Titus Labs policy can verify via Active Directory whether the recipient is allowed to receive attachments of a given classification. This prevents inadvertent data loss by warning the user that one of the recipients should be removed. For example, in an internal scenario, a financial organization may want to ensure that an employee in corporate finance is restricted from sending files classified as MERGER / ACQUISITION to another employee working as a broker or trader.

2. Protect the distribution of email outside the organization. By examining the domain of each of the recipients, the Titus Labs policy can verify that the domain is listed as trusted in the policy, and can warn the user of a possible data breach or force them to change the recipient list. In the following example, the sender has mistakenly selected the wrong Anne Hollingsworth at an external address. The sender receives a warning because the email contains an attachment that has been classified as CONFIDENTIAL / INTERNAL USE.

[Screenshot: Invalid recipient is detected based on classification]

This is an example of the power of classification to protect your sensitive information.
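The two Safe Recipient checks described above can be sketched as follows. This is an added example, not Titus Labs code: the policy tables, the `corp.example` domain, the addresses and the function names are all constructed for illustration, and the `DIRECTORY` dictionary stands in for the Active Directory lookup.

```python
# Added illustration of a classification-driven recipient check (constructed data).
INTERNAL_DOMAIN = "corp.example"

# Classification -> external domains trusted to receive it; None = any domain.
TRUSTED_DOMAINS = {
    "CONFIDENTIAL / INTERNAL USE": set(),
    "MERGER / ACQUISITION": {"lawfirm.example"},
    "PUBLIC": None,
}

# Stand-in for Active Directory: internal user -> classifications they may receive.
DIRECTORY = {
    "finance1@corp.example": {"MERGER / ACQUISITION", "CONFIDENTIAL / INTERNAL USE", "PUBLIC"},
    "trader1@corp.example": {"CONFIDENTIAL / INTERNAL USE", "PUBLIC"},
    "anne.hollingsworth@corp.example": {"CONFIDENTIAL / INTERNAL USE", "PUBLIC"},
}


def domain_of(address):
    # Everything after the last "@", so the comparison is on the domain only.
    return address.rpartition("@")[2]


def check_recipients(recipients, attachment_labels):
    """Return (recipient, label, reason) for each pair the policy disallows.
    An empty list means the message may be sent as addressed."""
    violations = []
    for rcpt in recipients:
        addr = rcpt.strip().lower()          # normalise before any comparison
        for label in attachment_labels:
            if domain_of(addr) == INTERNAL_DOMAIN:
                allowed = DIRECTORY.get(addr, set())   # unknown user: nothing allowed
                if label not in allowed:
                    violations.append((addr, label, "internal recipient not cleared"))
            else:
                trusted = TRUSTED_DOMAINS.get(label, set())  # unknown label: fail closed
                if trusted is not None and domain_of(addr) not in trusted:
                    violations.append((addr, label, "external domain not trusted"))
    return violations


if __name__ == "__main__":
    # The wrong "Anne Hollingsworth" at an external address, as in the post's scenario.
    for v in check_recipients(["Anne.Hollingsworth@partner.example"],
                              ["CONFIDENTIAL / INTERNAL USE"]):
        print(v)
```

Unknown users and unknown labels are treated as not allowed, so a gap in the policy produces a warning rather than a silent send.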

Microsoft Windows Server 2008 R2 File Classification Infrastructure (FCI)

Tuesday, August 11th, 2009

Recently Microsoft has announced the File Classification Infrastructure (FCI) that will be part of Windows 2008 R2.  Windows Server 2008 R2 just RTMed a few weeks ago. FCI includes the ability to define classification properties, automatically classify files based on location and content, invoke file management tasks such as file expiration and custom commands based on classification, and produce reports that show the distribution of a classification property on the file server.  The best thing about FCI is that it’s free, as it is included when you purchase Windows Server.

Bringing file classification into the server operating system is definitely an interesting development. But this is a SharePoint blog, so what does FCI have to do with SharePoint and metadata? Well, it could potentially be a way to help organizations get more valuable metadata into SharePoint. But more on that later; first, let’s have a closer look at what FCI can do.

FCI is basically a process that can be scheduled on the file system. It can be used to automatically classify files. This classification doesn’t usually happen as soon as you save a file, but rather sometime during the day when the process is scheduled. Microsoft has delivered a number of classification functions with the server, such as the ability to apply classification by file folder or based on the content of the file. Microsoft has also published the APIs which allow third parties to extend the classification capabilities, or to provide other file functions such as storage management based on the classifications. FCI allows organizations to define rules to manage their data more effectively and to decide what should be retained and where it should be stored. This can potentially reduce the cost of storage and mitigate risks for data loss or retention purposes. For example, the organization might have a policy to expire files that are 10 years old and are not critical to the business. This policy can be translated to use the new file management tasks to expire files across file servers.

Microsoft says that FCI can be used to identify files that:

  • Contain sensitive information and are located on servers with lower security and move the files to servers with higher security.
  • Require different backup schedules and back up the files accordingly.
  • Require different backup solutions based on the sensitivity of the information in the files.

Classification on the file server can be very useful. But what if a user wants to change a classification that was set by FCI on the server? For example, based on finding PII in the content, FCI may classify a file as INTERNAL. When a user opens this file in an Office application, they remove the PII and want to re-classify the file. Microsoft does not provide this type of classification on the desktop. Perhaps this is something that will come in a post-Windows 7 operating system? The desktop classification products offered by TITUS provide this desktop functionality today.

But let’s get back to SharePoint. What value could FCI bring to SharePoint? FCI could be used as a means to populate metadata into Office documents before they are saved into SharePoint.  This could be true for new files, or could be used to add metadata to older files.  Using one of the available classification methods (by folder, by content etc.) a number of files could be classified.  The screenshot below shows an example of a classification rule in FCI.  In this case all documents in the folder will get the same classification.

[Screenshot: Classification Rule Definitions]

The classification metadata is inserted into the custom properties of the Office document when it is classified.  So this metadata will travel with the document.  The following screenshot shows the metadata of a document called “Test from Alice” in that folder after the rule has been applied. Notice the property name called Classification and its value RESTRICTED.

[Screenshot: Test From Alice]
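To check that the label really travels with the file, the custom properties can be read straight out of the document package. The following is an added example, not part of the original post or of FCI: it assumes an Office Open XML file (.docx/.xlsx/.pptx), where custom properties live in the `docProps/custom.xml` part, and it builds a constructed sample package in memory; the function names are this example's own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CUSTOM_PART = "docProps/custom.xml"    # OOXML part that holds custom properties
MAX_PART_BYTES = 1_000_000             # refuse oversized parts before parsing
NS = {"cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"}


def read_custom_properties(fileobj):
    """Return {name: value} for the custom properties of an OOXML document."""
    with zipfile.ZipFile(fileobj) as z:
        try:
            info = z.getinfo(CUSTOM_PART)
        except KeyError:
            return {}                  # package carries no custom properties
        if info.file_size > MAX_PART_BYTES:
            raise ValueError("custom.xml is larger than expected")
        root = ET.fromstring(z.read(info))
    props = {}
    for prop in root.findall("cp:property", NS):
        # The first child element is the typed value, e.g. <vt:lpwstr>.
        props[prop.get("name")] = prop[0].text if len(prop) else None
    return props


def make_sample_docx(label):
    """Constructed sample: a package holding only the custom-properties part."""
    xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties" '
        'xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">'
        '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="Classification">'
        f"<vt:lpwstr>{label}</vt:lpwstr></property></Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(CUSTOM_PART, xml)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(read_custom_properties(make_sample_docx("RESTRICTED")))
```

Custom properties can be edited by anyone who can edit the document, so a label read this way reflects the file's current contents rather than a server-verified decision.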

When the document(s) is saved to SharePoint all of the metadata is available.  The metadata can be displayed in SharePoint by defining a custom column with the same name as the classification property that was created in FCI. The screenshot shows the document after being uploaded to SharePoint.  Notice a custom column called Classification was added to the SharePoint document library.

When your organization makes the move to Windows Server 2008 R2, have a look at FCI; it’s an easy way to get started in the world of classification.