Chapter 7. Data access and protection

At this point you have already implemented the identity solution that will be used for your mobile workforce. You also implemented device management giving you control of user-owned devices as well as company-owned devices. While these are critical components of Enterprise Mobility Suite (EMS), there is still one more pillar that must be addressed: data access and protection. Since data is at the center of your solution, and ultimately companies that are embracing mobility want to keep their data secure, it is vital to understand the ramifications of this last pillar before implementing it.

This chapter discusses how to leverage some built-in capabilities available in Windows Server 2012 R2 in combination with the last component of EMS, called Azure Rights Management Services (RMS), to build the proper data access and protection solution to embrace mobility.

The Windows operating system includes multiple capabilities that can and should be used for data protection. As is described in Chapter 2, you must apply a defense-in-depth strategy for data protection and part of this strategy is to leverage capabilities that are natively available in Windows Server and Windows client devices. Throughout this section of the book, you will learn about these key capabilities that are natively available in Windows that should also be leveraged as part of your enterprise mobility strategy for data protection.

After you finish identifying these capabilities, you will learn how Azure RMS should be used to enhance data access and protection for your enterprise mobility adoption.

Dynamic Access Control (DAC) enables IT administrators to perform data governance across file servers to control who can access information and it enables administrators to audit who has accessed information. To perform this task, DAC uses a Windows authorization and audit engine that can process conditional expressions and central policies. It also leverages Kerberos authentication support for user claims and device claims. While this feature was first introduced in Windows Server 2012, it leverages capabilities that were first introduced in Windows Server 2008 R2, such as File Classification Infrastructure (FCI) and conditional access permission entry. The key factor in Windows Server 2012 R2 is that FCI is claims-aware; this allows FCI to present resource properties as classification properties.

IT administrators use central access policies to create access policies that apply to Windows Server 2012 file servers that are using Group Policy. Each central access policy object can contain one or more central access rules. These rules are used to translate the policies you require into expressions. All rules created in the Central Access Policy page are stored in Windows Server Active Directory, which enables the organization to have a centralized approach to manage authorization on Windows Server 2012 file servers. To plan central access policy deployment, refer to http://technet.microsoft.com/en-us/library/hh831366.aspx#BKMK_1_2.

Starting in Windows Server 2012 and Windows 8, another layer of decision was introduced to evaluate conditional expressions. Considering that there are multiple conditional expressions, the results of all conditional expressions must evaluate to true for Windows to consider the entry for this permission and apply the proper authorization. Table 7-1 shows how this looks when compared to the traditional access-control entries.

TABLE 7-1 Additional security with Conditional Access Control

In Windows Server 2012, a featured called Web Application Proxy was introduced to enable IT Administrators to securely publish applications that are located on-premises. Ideally, you should always deploy Web Application Proxy in conjunction with Active Directory Federation Services (AD FS) to enable conditional access and also Single Sign-On (SSO) capabilities. In Chapter 3 and Chapter 4, you installed Web Application Proxy as part of the Azure AD Connect Wizard configuration, but this role can be installed separately using Server Manager.

FIGURE 7-1 Typical topology for publishing on-premises apps using Web Application Proxy

By using the Windows Server 2012 R2 featured called Work Folders, IT administrators enforce users to securely store and access work files on personal computers and devices in addition to corporate PCs. IT administrators will be able to maintain control over corporate data by storing the files on centrally managed file servers; they also can specify security policies to instruct user PCs and devices to encrypt Work Folders and use a lock screen password. By leveraging this built-in feature, you can protect data at rest at the user’s device location. If the user is setting up Work Folders using Windows 8, he will be notified about these policies, as shown in Figure 7-2.

FIGURE 7-2 The notification that appears when a user is setting up work folders using Windows 8

The infrastructure to support this functionality is shown in Figure 7-3. It enables both mobile users coming from outside of the corporate network and users who are using domain-joined computers located on-premises.

FIGURE 7-3 Infrastructure to support work folders for internal and external users

You can integrate the DAC feature that was previously described in this chapter with AD RMS to enhance your security by applying data classification for mobile users while they are accessing resources located on-premises. By using content scanning and classification policies, the AD RMS Server is able to verify if the content that is being accessed has rights management policies that must be applied to it and if there are it will execute these policies. You can also perform this task in a folder located in the file server, which can also be the location where the users that are storing their Work Folders data to access from their devices. The infrastructure for this solution is presented in the diagram shown in Figure 7-4.

FIGURE 7-4 Infrastructure to support the integration between DAC, Work Folders and AD RMS

Mobile devices using the Windows Phone 8.1 operating system will natively have device encryption enabled based on BitLocker technology. This technology is used to encrypt the internal storage using Advanced Encryption Standard (AES) 128-bit encryption. By leveraging this capability, IT administrators can certify that the data is always protected from unauthorized users, even when unauthorized users have physical control of the phones. Companies that are using Exchange ActiveSync Mailbox Policies can enable the Require Device Encryption policy to prevent users from disabling device encryption on their devices.

Azure RMS is the closest protection of the data because, when you apply an Azure RMS template to the data, the rights stay with the file itself, regardless of where the file is located. This guarantees that the data is protected in place and in flight, in other words: it is protected all the time. IT administrators will remain in control of company data even when the data is shared with those outside of the organization. Although there are many flavors of RMS, the intent of this section is to focus on Azure RMS because this is the one that comes with EMS. (The available subscriptions for RMS are described at http://technet.microsoft.com/en-us/library/dn655136.aspx#BKMK_SupportedSubscriptions.)

The Azure RMS service requires storage for the high-value tenant keys at the core of RMS. The Microsoft Key Management Service (KMS) used by Azure RMS stores these RMS tenant keys in a highly secure manner by using industry-proven, Federal Information Processing Standards (FIPS)-compliant Hardware Security Modules (HSMs)¹. However, for companies that want to keep control of their keys, they can also use the Bring Your Own Key (BYOK) capability available in Azure RMS. (This functionality will be described in more detail later in this chapter.) Figure 7-5 shows a diagram the components that will be consuming the data protection capability provided by Azure RMS.

¹ Azure RMS uses Thales HSMs to protect tenant keys. For more information, visit https://www.thales-esecurity.com/msrms/cloud.

FIGURE 7-5 Azure RMS can be leveraged by on-premises services and also SaaS applications

With Azure RMS, you can protect not only Microsoft Office files but also other types of files, which are called generic files. When a generic file is protected using Azure RMS, an encapsulation is added to the file using pfile (protected file). This means that if the file has the TXT extension, the protected version will have the PTXT extension². Another layer of security is also provided by including the authentication, which is used to verify whether a user is authorized to open the file.

² To see a list of supported files, visit http://technet.microsoft.com/en-US/library/d9992e30-f3d1-48d5-aedc-4e721f7d7c25(v=ws.10)#BKMK_SupportFileTypes.

While the key focus of Azure RMS is to protect data handled by the end user, you can also integrate Azure RMS with servers located on on-premises servers. For example, if you have an Exchange Server 2013 on-premises server and you want to protect email messages by using Azure RMS, you need to use the Azure RMS connector to act as a communication relay between Exchange Server 2013 on-premises and Azure RMS.

The data that will be protected by Azure RMS is encrypted at the application level and, once it is protected, it includes in the file’s header the policy that defines the authorized use for that data. When a protected document is used by a legitimate user or is processed by an authorized service, the data in the document is decrypted and the rights that are defined in the policy are enforced. Figure 7-6 shows how this process occurs for a user who wants to protect a document located in the on-premises file server by leveraging Azure RMS.

FIGURE 7-6 Azure RMS can be used to protect files located on-premises

In the particular scenario shown in Figure 7-6, the protection of the file could be simply done by applying one Azure RMS policy that was previously created by the IT administrator and published for the users. Figure 7-7 shows an example of a custom policy called “BYOD Policy” that is available using Microsoft Word after this application retrieves the templates from Azure RMS.

FIGURE 7-7 Document created using Microsoft Word with Azure RMS policy available to protect the data

When another user tries to open this file, she will see that this particular BYOD Policy was applied and this BYOD Policy was previously created with custom settings. When she verifies the permissions by clicking the View Permission button, she will be able to see what privileges she has on this file, as shown in Figure 7-8.

FIGURE 7-8 The user will be able to see what privileges she has to the file once the policies are applied

---

Real World: Anatomy of a rights-protected document

Azure RMS service works along with the client software to encrypt each document. This allows the protection and rights to travel with the document itself. The following diagram represents an RMS-aware document.

The following is a step-by-step example of how the file is built/encrypted using Azure RMS:

1. The client creates a random symmetric key (content key).

2. The client takes the body of the document it wants to protect and encrypts it with the content key. It ends up with an encrypted version of the original document, and it still has the content key used to encrypt it.

3. The client has a local copy of the Server Licensor Certificate (SLC) with its public key. It uses this public key to encrypt the content key, which means that this encrypted content key will be readable only by the service whose SLC was used.

4. The client then creates a list of rights expressing who can do what on the document.

5. After creating a list of rights, the client takes the encrypted content key (encrypted with the SLC), the public part of its own CLC, and the list of rights created before, encrypts them with the SLC’s public key along with some other information (such as the URL of the Licensing URL that should be used to acquire a license to consume the document), and builds what we call the Publishing License (PL) with them. This PL is then encrypted with the SLC’s public key so only the service will be able to decrypt it. The client also takes the private key from the user’s Client Licensor Certificate (CLC) and signs the encrypted object.

6. This is embedded into the original content encrypted with the content key to create a protected document. The content key is also stored encrypted with the CLC’s public key so the author can also decrypt the content without having to acquire a license.

To work around this, there are two hybrid document formats that are essentially the same as the format above, but the content is a generic container for the encrypted document (much like a .zip file). This format is known as the PFILE format. In this scenario, the Rights Management Sharing App (available on iOS and Android as well as a Windows Phone) acts as the Rights Management (RM) Aware application and decrypts the file for another application on the mobile device to open. For this to work, the user protecting the document must encrypt it in the PFILE format.

The downside to this format is that once the document is decrypted, the user has a fully decrypted document. If everything was kept in a native format of an RM Aware application, you can, for example, give the user view rights without rights to modify the file. Also, at the time of this writing, the Rights Management Sharing Application for Windows must be installed on the sending/encrypting machine to protect in this format. Another variation on the PFILE format is the PPDF format. The Rights Management Sharing Application can use this format to include not only the original protected document but also a PDF rendering of the document. This allows further flexibility in that you don’t need the corresponding application to read the document (you will if you actually want to modify it).

Eddie Bowers
Senior Support Escalation Engineer, CSS Azure RMS Support Team

---

Centralized in the cloud topology (Microsoft manages the master key)

Hybrid topology (company manages the master key)

When you activate an EMS subscription and start using Azure RMS, the default tenant key topology used is fully cloud based. In this topology, Azure RMS generates the tenant key and manages most aspects of the tenant key lifecycle. The advantage of this option is the simplicity of configuration and the low administrative overhead of maintenance. The entire process is transparent for the company; the IT administrator doesn’t even know that there is a tenant key in place. In this topology, you simply sign up for Azure RMS and the rest of the entire key-management process is automatically handled by Microsoft. Figure 7-9 shows this topology.

FIGURE 7-9 Tenant key management centralized in the cloud with no administrative overhead on-premises

This centralized topology is the default topology; it is appropriate for companies that don’t want to have an extra layer of administrative tasks to perform on-premises. However, some companies with more restrictive security policies or compliance requirements, or companies that are more skeptical about allowing the cloud provider to manage their protection key, might want to evaluate the hybrid topology. In the hybrid topology, the company is responsible for generating the master key on-premises, securing the key, and performing the appropriate level of backup for this key. (These are administrative tasks that you don’t have to deal with when you adopt the centralized topology.) After the key is generated on-premises, it needs to be securely transferred to the Microsoft HSM used by Azure RMS. The key can be transferred either in person by contacting Microsoft Customer Service and Support (CSS) or it can be transferred over the Internet. After this transference is performed, Azure RMS will use this key to protect company data. Figure 7-10 shows this topology.

FIGURE 7-10 In the hybrid topology, the company is responsible for generating and maintaining the key

The adoption of this hybrid topology means that the company will bring its own key to be used by Azure RMS; this process is also known as Bring Your Own Key (BYOK). One key requirement to adopting BYOK is that the company must have access to a Thales HSM and have a local personal with enough knowledge to operate the Thales HSM³. Another factor that will impact the decision on which topology the company should use to adopt Azure RMS is the available operations for key lifecycle. Table 7-1 compares these two options.

³ For more information about how to use an on-premises (local) Thales nShield® HSM to generate cryptographic key for Azure RMS, visit http://aka.ms/AzureRMSHSM.

TABLE 7-2 Comparison of key options

For fault-tolerance purposes, the Azure RMS connector should be installed in at least two computers located on-premises. Although it is not required to have a dedicated computer to install the Azure RMS connector, you should not install the Azure RMS connector in your resource servers, such as Exchange Server, SharePoint Server, or a File Server with FCI. You should also plan to use HTTPS to secure the communication from on-premises servers using the Azure RMS connector with Azure RMS in the cloud. Ensure that each server that has the connector installed has a valid server authentication certificate and that they trust the root Certificate Authority (CA) that issued the certificate. In this setup, each server that has the RMS connector insta lled will have a certificate that contains the name that you will use for the connector (for example, rmsconnector.blueyonderairlines.com) and this name should be defined in the DNS. Figure 7-11 shows this topology.

FIGURE 7-11 Components that are involved in an infrastructure that supports the Azure RMS connector

In the example shown in Figure 7-11, the Web Application Proxy has an HTTPS publishing rule for AD FS federation connectivity with Azure AD. The use of Web Application Proxy in this scenario is not a requirement as long as you have another solution to securely publish your on-premises applications. The diagram also shows two servers with Azure RMS connector for fault-tolerant and load-balancing purposes. It is important to mention that once you have both servers configured, you can use any IP-based load balancer to enable the Azure RMS connector clients (Exchange Server, SharePoint, and File Server) to see this Azure RMS connector as a single entity. If you choose to use the Network Load Balancing (NLB) feature available in Windows Server, you need to configure the Affinity to None and the Distribution Method to Equal.

To use Azure RMS logging, you need to create an Azure Storage account using your Azure subscription and use Windows PowerShell for Azure RMS to configure this storage. (For information on installing Windows PowerShell for Azure RMS, go to http://technet.microsoft.com/en-us/library/jj585012.aspx.) Azure RMS will write the logs in this Azure Storage account that you created by using a series of blobs. Each blob will contain one or more log records that will be using W3C extended log format. You can use the Azure Administrative Portal to see these logs or you can download these logs using Windows PowerShell for your on-premises servers. Figure 7-12 shows a diagram of this distribution.

FIGURE 7-12 Key components for enabling and reviewing Azure RMS logs

Figure 7-13 shows an example of how this log format appears in the management portal.

FIGURE 7-13 Example of the Azure RMS log format

If you decide to download the log files form Azure Storage to your on-premises server, ensure that the destination server is in a secure location, the storage that these logs will be saved is encrypted, and that only authorized users will have access to it. Logging can reveal many of the user’s behaviors and therefore should not be open to everyone in the organization. If necessary, you can delegate access to your RMS logs by sharing your storage account name and access key. There are many scenarios in which the IT administrator might want to share access to these logs with other administrative users or with a developer who is using this storage as part of his app development. Although it might sound risky to share your account name and access key, this is a safe procedure because this storage is dedicated to your RMS logs, which means that even though other users will have access to the key, they can’t use this key to access any other storage in the management portal.