
Nathan Winters Exchange 2010 protection and compliance


Nathan Winters


  2. Nathan Winters, MVP Exchange Server, MMMUG: Exchange 2010 Protection and Compliance
  3. Exchange 2010 IPC
     - Introduction to Information Protection and Compliance (IPC)
     - The arsenal of technical tools: Archiving, Multi-Mailbox Search, Legal Hold, IRM, Moderation, Enhanced Transport Rule Capabilities, MailTips
     - Demonstration scenarios
  4. Why is IPC important?
     - Large UK retailer leaks payment information via email
     - The Information Commissioner's Office will be able to issue fines of up to £500,000 for serious data security breaches.
     - Nearly 40% of workers have received confidential information that was not meant for them!
     - Appeal win lets FSA grab evidence for SEC
  5. Some of the legal factors
     - Public sector: Freedom of Information
     - All: Data Protection Act
     - Finance: Financial Services Authority, SEC, Basel II
     - RIPA: Regulation of Investigatory Powers Act 2000
     - Human rights: lawful business protection
     - Electronic Communications Act: adding disclaimers
     - US: SOX, HIPAA, etc.
  6. What does IPC mean to you?
     - It's a policy built around the relevant laws for your industry.
     - Based on a set of technical tools which we try to automate
     - Monitor email: content, recipients, where it is going
     - Know what is happening based on email attributes
     - Retain and provide: archiving, retention and discovery
     - Control and protection (allow or prevent): granular policies, soft to hard control
  7. Retain and provide mail where required with archiving, retention and discovery
     - Protection and control: soft to hard
     - Ensure that you target the correct data with the correct policy to maximise usability
  8. Archiving, Retention & Discovery
     - Personal Archive
     - Retention Policy
     - Legal Hold
     - Multi-Mailbox Search
 12. Exchange 2010 Archiving, Retention & Discovery: better mailbox management
 13. World Today: Email Repositories
     - Organization Archive (PBs): keeps all e-mail; allows org control; optimized for search
     - PSTs (GBs): circumvents quota; highly portable
     - Mailbox, i.e. Exchange (MBs): highly available; rich client access
     - Personal Archive (TBs): circumvents quota; allows org control; end-user access
     - Backup characteristics listed on the slide (backup, backup, replicated backups, replicated backups): backups uncommon and difficult; users do manual backups; IT does unsupported backups; replication only choice; datasets require replication; replication common; backups less common; tape/disk backups common; item-level backups common
 26. PSTs present a problem
     - IT Pro: storage of old email on expensive SAN is inefficient; hard to discover content for a legal request; hard to prevent changes to content for legal hold; management for backup and recovery is expensive
     - End User: only stored on one machine; corruption increases when stored on a network share; no access through a browser; requires management by the end user; stability/responsiveness is an issue with large PST files
 33. Why Archive? A vicious cycle of volume vs. control
     - PSTs are difficult to discover centrally
     - Regulatory retention schedules contribute to further volume/storage issues
     - Increasing storage and backup costs
     - Users forced to manage quota
     - Quota management often results in growing PSTs (Outlook auto-archive)
 35. Breaking the cycle with large mailbox architecture and archiving
     - Large mailbox architecture maintains performance and provides the option of DAS-SATA storage to reduce costs
     - Archiving simplifies discovery, retention and legal hold
     - Archiving enables simple migration of PSTs back to the server
 37. Large mailbox: lower costs, better performance
 38. Personal Archive
     - Overview: what is it and where does it live?
     - User goals and assumptions: simple to use (OWA & Outlook)
     - IT Pro goals and assumptions: get rid of PSTs! Easy to enable.
 39. Message Retention: overview
     - Move policy: automatically moves messages to the archive. Options: 6 months, 1 year, 2 years (default), 5 years, Never. User impact: helps keep the mailbox under quota; works like Outlook Auto-Archive, without PSTs!
     - Delete policy: automatically deletes messages. User impact: removes unwanted items and helps keep the mailbox under quota.
     - Delete policies are global (they travel to the archive).
     - Per-item policies take priority over per-folder policies.
 40. Legal Hold: overview
     - Hold policy captures all edits/deletes irrespective of user or admin access.
     - User workflow is unchanged; items are captured in hidden folders in Dumpster 2.0.
     - Multi-mailbox search can retrieve items indexed in Dumpster 2.0.
     - ISSUE: consider that the whole mailbox is put on hold, not just the granular information that you need on hold!
 41. Demo: Personal Archive, Retention Policy, Legal Hold, Multi-Mailbox Search
 45. Archive Management: add, remove, view archive
     - Adding the archive requires a simple checkbox in the new-mailbox wizard
     - Archive can be disabled together with or separately from the mailbox
     - Archive auto-discover requires no Outlook restart to activate the archive
 46. Archive Management: set quota
     - Select archive quota to change default settings
     - The default quota warning for the archive is 10 GB
 47. Personal Archive: user experience
     - User can view, read, navigate, flag and reply to archived mail the same as live mail
     - Folder hierarchy from the primary mailbox is maintained
     - Replying to a message in the archive puts the reply in live-mail Sent Items (same as PSTs)
     - User gets a conversation view scoped to the archive (same as PSTs)
 48. Personal Archive: search
     - Option to search the archive only or both live and archived mail
     - Advanced search options work across live and archived mail
 49. Retention Policies at the folder or item level
     - Policies can be applied directly within an email
     - Policies can be applied to all email within a folder
     - Delete policies and archive policies; expiration date stamped directly on the e-mail
 50. Preserve: Message Retention, archive and delete policies
     - Policies can be applied directly within an email
     - Policies can be applied to an entire folder
     - Delete policies and archive policies; expiration date stamped directly on the e-mail
 51. Set explicit move policy on a folder (Outlook and OWA): user selects 5 Years from the set of policies
 52. Set move policy on an item, no delete policy (Outlook and OWA): user selects 5 Years from the set of policies
 53. Set move policy on a folder, with delete policy (Outlook and OWA): user selects 5 Years from the set of move policies and 10 Years from the set of delete policies
 54. Set move policy on an item, with delete policy (Outlook and OWA): user selects 5 Years from the set of move policies and 10 Years from the set of delete policies
 55. Multi-Mailbox Search: simple, role-based GUI
     - Delegate access to search to HR, compliance or legal managers
     - Search all mail items (email, IM, contacts, calendar) across primary mailboxes and archives
     - Filtering includes: sender, receiver, expiry policy, message size, sent/received date, cc/bcc, regular expressions, IRM-protected items
 56. Multi-Mailbox Search: additional e-discovery features
     - Search specific mailboxes or DLs
     - Export search results to a mailbox or SMTP address
     - Search results organized per the original hierarchy
     - Request an email alert when the search is complete
     - API enables third-party tool integration with query results for processing
 57. Legal Hold
     - Show the user
     - Issue: the whole mailbox is placed on hold, not just the relevant information
 58. Preserve: Hold Policy, IW experience
     - IW is told how to comply (no action needed for e-mail)
     - URL links to additional info
 59. Preserve: Hold Policy, IT Pro experience
     - Comment and URL tell the IW how to comply
     - Specify how long items are kept
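As an added example that is not part of this deck, the Exchange 2010 Management Shell commands below wire up the features of slides 38 to 59 in the order an administrator would: personal archive, move and delete retention tags with the durations the slides name, a whole-mailbox litigation hold carrying the comment and URL shown to the information worker, and a delegated multi-mailbox search that includes Dumpster 2.0. Mailbox addresses, tag and policy names, the case name, the query, the dates and the URL are constructed placeholders; the cmdlets and parameters are Exchange 2010's own.

```powershell
# Added example, not from the deck. Run in the Exchange 2010 Management Shell.
# All identities, names, dates and URLs below are constructed placeholders.

# 1. Personal Archive: the "simple checkbox" of slide 45, done from the shell.
Enable-Mailbox -Identity "alice@contoso.example" -Archive

# 2. Retention (slide 39): a default 2-year move-to-archive tag applied to the
#    whole mailbox, plus the 5-year move and 10-year delete tags that users
#    pick on a folder or item in Outlook/OWA (slides 51-54).
New-RetentionPolicyTag -Name "Default-MoveToArchive-2y" -Type All `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive
New-RetentionPolicyTag -Name "Personal-MoveToArchive-5y" -Type Personal `
    -AgeLimitForRetention 1825 -RetentionAction MoveToArchive
New-RetentionPolicyTag -Name "Personal-Delete-10y" -Type Personal `
    -AgeLimitForRetention 3650 -RetentionAction DeleteAndAllowRecovery
# Delete tags are global: once stamped, the item keeps its expiry in the archive.
New-RetentionPolicy -Name "IPC-Standard" -RetentionPolicyTagLinks `
    "Default-MoveToArchive-2y","Personal-MoveToArchive-5y","Personal-Delete-10y"
Set-Mailbox -Identity "alice@contoso.example" -RetentionPolicy "IPC-Standard"
# Stamp the tags now rather than waiting for the next scheduled assistant run.
Start-ManagedFolderAssistant -Identity "alice@contoso.example"

# 3. Legal Hold (slides 40, 57-59): the hold covers the entire mailbox, so keep
#    the scope of mailboxes you hold as narrow as the matter allows. The comment
#    and URL are what Outlook shows the information worker.
Set-Mailbox -Identity "alice@contoso.example" -LitigationHoldEnabled $true `
    -RetentionComment "Your mailbox is on hold. No action is needed for e-mail." `
    -RetentionUrl "https://intranet.contoso.example/legal-hold"   # placeholder URL

# 4. Multi-Mailbox Search (slides 55-56): delegate via the Discovery Management
#    role group, then search primary mailboxes and archives, including the
#    dumpster, copying hits to the discovery mailbox with an alert on completion.
Add-RoleGroupMember -Identity "Discovery Management" -Member "legal@contoso.example"
New-MailboxSearch -Name "Case-0001-PaymentData" `
    -SourceMailboxes "alice@contoso.example","bob@contoso.example" `
    -SearchQuery 'Subject:"payment" AND "card number"' `
    -StartDate "01/01/2009" -EndDate "12/31/2009" `
    -TargetMailbox "Discovery Search Mailbox" `
    -StatusMailRecipient "legal@contoso.example" `
    -SearchDumpster $true
Start-MailboxSearch -Identity "Case-0001-PaymentData"
# Check progress and hit count while the search runs.
Get-MailboxSearch -Identity "Case-0001-PaymentData" | Format-List Name,Status,ResultNumber
```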
 60. Protection and Control: Information Rights Management, MailTips, Moderation, Enhanced Transport Rules
 64. Exchange 2010 Protection and Control
 65. Information leakage can be costly on multiple fronts
     - Legal, regulatory and financial impacts: non-compliance with regulations or loss of data can lead to significant legal fees, fines, and more
     - Damage to public image and credibility with customers; financial impact on the company
     - Loss of competitive advantage: disclosure of strategic plans; loss of research, analytical data, and other intellectual capital
 66. Message confidentiality? Enforcement tools are required; content protection should be automated.
 67. Automatic Content-Based Privacy
     - Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages.
     - Transport rule action to apply an RMS template to an e-mail message
     - Transport rules support regex scanning of attachments in Exchange 2010 (including content)
     - Internet Confidential and Do Not Forward policies available out of the box
 70. What is Rights Management Services?
     - Windows platform information protection technology
     - Better safeguard sensitive information: protect against unauthorized viewing, editing, copying, printing, or forwarding of information; limit file access to only authorized users; audit trail tracks usage of protected files
     - Persistent protection: protects your sensitive information no matter where it goes
     - Uses technology to enforce organizational policies: authors define how recipients can use their information
 71. Protection via Transport Rules
     - New transport rule action to "RMS protect"
     - Transport rules support regular expression scanning of attachments in Exchange Server 2010
     - "Do Not Forward" policy available out of the box
     - Office 2003, Office 2007, Office 2010, and XPS documents are supported for attachment protection
 72. Outlook Protection Rules
     - Allows an Exchange administrator to define client-side rules that will protect sensitive content in Outlook automatically
     - Rules can be mandatory or optional depending on requirements
     - Rules look at the following predicates: sender's department (HR, R&D, etc.); recipient's identity (specific user or distribution list); recipient's scope (all within the organization, outside, etc.)
     - Rules are automatically retrieved from Exchange using Autodiscover and Exchange Web Services
 73. Transport Pipeline Decryption
     - Enables Hub Transport agents to scan/modify RMS-protected messages; required for antivirus scanning, transport rules or third-party agents
     - Decryption agent: decrypts message and attachments using RMS super-user privileges; only decrypts once per forest, on the first Hub, to improve performance; option to non-deliver (NDR) messages that can't be decrypted
     - Encryption agent: re-encrypts messages, message forks and NDRs with the original publishing license
 74. How does it work? Transport decryption (components: AD RMS, Active Directory, Hub Transport)
     1. Mail marked for protection, or an already protected mail item.
     2. On first use, Exchange does an SCP lookup for the RMS server.
     3. Exchange requests a RAC and CLC for the "shared identity" account. These are saved and re-used. The RAC is a super-user RAC.
     4. Incoming IRM mail is decrypted so all agents have access to the decrypted content.
     5. At the end of the agent pipeline the message is re-encrypted, including any changes made by agents.
     6. The processed message is sent to the next hop or delivered to the recipient.
     Agent pipeline shown on the slide: Decryption, Transport Rules, Journaling, Forefront Security for Exchange, third-party agents, Encryption.
 75. How does it work? Outlook Protection Rules (components: AD RMS, Client Access (OWA))
     1. Administrator defines a set of Outlook Protection Rules. These are exposed via a web service to clients.
     2. When the user connects to Exchange via CAS, the rules are automatically downloaded. They are then frequently updated on the client based on administrator changes.
     3. The first time a rule triggers, the user is asked to get a RAC and CLC from RMS.
     4. The message is protected before the user sends. The user can override (if the rule allows).
 76. Streamlined end-user experience: prevent RMS protection from getting in the user's way
     - Pre-licensing enables offline and mobile access to RMS-protected messages
     - IRM feature parity between Outlook and Outlook Web App
     - Conduct full-text search on RMS-protected messages in Outlook Web Access
     - Built-in ability to create/consume RMS-protected messages with Windows Mobile 6.x
 77. Demo: Information Rights Management, MailTips, Moderation, Enhanced Transport Rules
 81. Protected content in Outlook
     - RMS protection is applied both to the message itself and to the attachments.
     - Saved attachments retain the relevant protection (e.g. rights to view, print or copy content).
 82. Protection via Transport Rules
 83. Outlook Protection Rules
     - Allows an Exchange administrator to define client-side rules that will protect sensitive content in Outlook automatically
     - Rules can be mandatory or optional depending on requirements
     - Rules look at the following predicates: sender's department (HR, R&D, etc.); recipient's identity (specific user or distribution list); recipient's scope (all within the organization, outside, etc.)
     - Rules are automatically retrieved from Exchange using Autodiscover and Exchange Web Services
 84. Outlook Protection Rules
     - Step 1: User creates a new message in Outlook 2010.
     - Step 2: User adds a distribution list to the To line.
     - Step 3: Outlook detects a sensitive distribution list (DL) and automatically protects the message as MS Confidential.
     - Template text shown: "Company Confidential - This content is confidential and proprietary information intended for company employees only and provides the following user rights: View, Reply, Reply All, Save, Edit, Print and Forward. Permission granted by:"
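As an added example that is not part of this deck, the Exchange 2010 Management Shell commands below set up the three server-side pieces of slides 67 to 84: transport pipeline decryption with the NDR option for messages the Hub cannot decrypt, a transport rule that regex-scans subject, body and attachment content and applies the built-in "Do Not Forward" template, and Outlook Protection Rules using the department, recipient and scope predicates the slides list. It assumes AD RMS is already deployed with its SCP published in Active Directory; account and DL addresses, rule names and the regular expression are constructed placeholders, while the cmdlets and parameters are Exchange 2010's own.

```powershell
# Added example, not from the deck. Run in the Exchange 2010 Management Shell.
# Assumes AD RMS is deployed and its SCP is published; all addresses, rule
# names and the pattern are constructed placeholders.

# Confirm what Exchange sees first: SCP lookup, RAC/CLC for the shared identity
# (slide 74, steps 2-3) and the templates transport rules may apply.
Test-IRMConfiguration -Sender "alice@contoso.example"
Get-RMSTemplate | Format-Table Name,Description

# Transport pipeline decryption (slides 73-74). Mandatory means a protected
# message the Hub cannot decrypt is NDRed instead of passing the agents
# unscanned; journal report decryption, OWA IRM and indexed search are also on.
Set-IRMConfiguration -InternalLicensingEnabled $true `
    -TransportDecryptionSetting Mandatory `
    -JournalReportDecryptionEnabled $true `
    -SearchEnabled $true `
    -ClientAccessServerEnabled $true

# Automatic content-based privacy (slides 67, 71): one rule for the message
# text and one for attachment content, both applying "Do Not Forward".
# Constructed pattern: a 16-digit card-like number with optional separators.
$cardPattern = '\b(?:\d[ -]?){15}\d\b'
New-TransportRule -Name "Protect payment data in message" `
    -SubjectOrBodyMatchesPatterns $cardPattern `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Priority 0
New-TransportRule -Name "Protect payment data in attachments" `
    -AttachmentMatchesPatterns $cardPattern `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Priority 1

# Outlook Protection Rules (slides 72, 75, 84): pushed to Outlook 2010 through
# Autodiscover/EWS and applied before the message leaves the client.
# Mandatory rule: HR mail to anyone inside the organization is protected.
New-OutlookProtectionRule -Name "HR internal mail" `
    -FromDepartment "HR" `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -UserCanOverride $false
# Optional rule: mail to a sensitive DL is protected, but the user may override.
New-OutlookProtectionRule -Name "Sensitive DL" `
    -SentTo "RD-Confidential@contoso.example" `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -UserCanOverride $true

# Verify what is now enforced server-side and what clients will download.
Get-IRMConfiguration | Format-List InternalLicensingEnabled,TransportDecryptionSetting
Get-TransportRule | Format-Table Name,Priority,State
Get-OutlookProtectionRule | Format-Table Name,FromDepartment,SentToScope,UserCanOverride
```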
 85. Rights Management Services integration in Outlook Web Access
 86. Manage inbox overload: help reduce unnecessary and undeliverable e-mail through new sender MailTips
     - Remove extra steps and e-mail
     - Limit accidental e-mail
     - Reduce non-delivery reports
 87. Journal
 88. Journal Report Decryption
 89. Rights Management Services integration in Unified Messaging
     - Unified Messaging administrators can allow incoming voice mail messages to be marked as "private"
     - Private voice mail can be protected using "Do Not Forward", preventing forwarding or copying of content
     - Private voice mail is supported in Outlook 2010 and Outlook Web App (OWA)
 90. Rights Management Services integration in Unified Messaging
 91. Business-to-business RMS: securely communicate with partners
     - Today customers can communicate using RMS between organizations by deploying ADFS and setting up trusts; ADFS requires a separate trust between each partner, and ADFS isn't supported by Exchange
     - In Exchange Server 2010, customers can federate with the Microsoft Federation Gateway instead of each partner: a single federation point replaces individual trusts and allows Exchange to act on behalf of users for decryption
     - Senders can control how their data is accessed by third parties: by using federation, RMS can allow organizations and applications to access data on behalf of individuals; specifically, senders can specify whether recipient organizations can archive e-mails in the clear
     - The RMS administrator can control which third parties can access data using federated authentication (allow/block list)
 92. Demo: AD RMS setup, MailTips, Enhanced Transport Rules
 95. Features summary: Exchange 2010 Protection and Compliance
 96. Key takeaways
     - Personal Archive gives a seamless user experience and removes the need for PSTs
     - Deep support for IRM
     - Automation enables ease of use and administration
     - Wide range of granular controls from soft to hard
 97. Questions? Text Microsoft to 60300, or tweet #uktechdays
 98. For resources, decks and video: or my blog
 99. Related content: Web link -; Web link -; Breakout sessions
100. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.