
Windows Server 8 Gets Serious About Centralized Security

By Edward J. Correia, CRN
September 19, 2011    3:16 PM ET

Trying to control file security on enterprise servers is like herding extremely fertile cats; without clamping down on breeding, they're soon too numerous to control. Microsoft addresses this problem with Dynamic Access Control, a feature in the forthcoming Windows Server 8 that introduces centralized, domain-level security for file and folder access that layers atop any existing file system permissions.

According to Microsoft, upwards of 80 percent of corporate data is found on company servers, often with little or no content documentation, custody auditing or departmental ownership metadata. "IT administrators don't actually know what data is on their servers," even though they might have set up the systems and allocated the storage, said Nir Ben-Zvi, a senior program manager at Microsoft, at a press event last week.

Delivered via a new version of Active Directory, Dynamic Access Control works by layering Kerberos security and an enhanced file-level auditing and authentication system that can automatically tag sensitive data based on content and creator.

"Credit card numbers, for instance, can be identified and tagged as high-impact," Ben-Zvi said. Dynamic Access Control introduces claims into the Windows Server security lexicon. Claims are a concept long present in the broader realm of federated Internet security; in Microsoft parlance they refer to assertions about objects issued by Active Directory.

Active Directory 8 defines claims for files, folders and shares, all of which can be sent and applied to other Windows Server 8 servers across an organization along with file property definitions and access policies.

The four-pillar Dynamic Access Control system begins with identification of high-impact data through manual, automatic or application-based tagging. For instance, administrators might choose to tag all Excel documents as sensitive, and search Word docs for certain words such as "confidential" for additional tagging.

Central access policies are then created based on these file tags using a new expression-based tool in Active Directory Administrative Center, which sets up access conditions based on user claims, device claims and file tags, and handles access-denied remediation.

By applying centralized policies automatically (or manually), access to such files can be restricted by multiple criteria, including user, device and department. "I can apply this all across my organization, across borders and repositories," said Ben-Zvi, provided the files are hosted by a Windows Server 8 server. If not, the access control tags remain, but access policies are no longer enforced.
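The tagging, claims and policy steps described above, written out as an added example that is not part of the CRN article and not Microsoft's own sample code. It uses cmdlets from the ActiveDirectory PowerShell module as it shipped in Windows Server 2012 (the released name of "Windows Server 8"); the article names no cmdlets, so their availability in the pre-release build the article covers is an assumption, as are the claim type "Department", the rule and policy names, and the Finance/High tag values chosen for illustration.

```powershell
# Added example (not from the article). Assumes an elevated session on a
# domain controller or an RSAT host, run as a Domain Admin, against a forest
# whose schema already contains the Windows Server 2012 DAC objects.
Import-Module ActiveDirectory

# 1. Publish a user/device claim sourced from the existing "department"
#    attribute. The -ID is fixed so the SDDL below can reference it.
New-ADClaimType -DisplayName "Department" `
    -ID "ad://ext/Department" `
    -SourceAttribute "department" `
    -AppliesToClasses @("user", "computer")

# 2. Enable the built-in resource properties files will be tagged with
#    (Department_MS and Impact_MS ship with the schema) and publish them to
#    file servers through the Global Resource Property List.
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true
Set-ADResourceProperty -Identity "Impact_MS"     -Enabled $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" `
    -Members "Department_MS", "Impact_MS"

# 3. One central access rule. -ResourceCondition selects the files it applies
#    to (tagged Department=Finance AND Impact=High). -CurrentAcl holds the
#    permissions: Owner, Administrators and SYSTEM keep full control, and
#    Authenticated Users get read/execute (0x1200a9) only when their
#    Department claim is also Finance. Conditional ACEs use the XA ACE type.
$rule = New-ADCentralAccessRule -Name "Finance High Impact Rule" `
    -ResourceCondition '(@RESOURCE.Department_MS Any_of {"Finance"}) && (@RESOURCE.Impact_MS Any_of {"High"})' `
    -CurrentAcl 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department Any_of {"Finance"}))' `
    -PassThru

# 4. Bundle the rule into a policy that Group Policy can deliver to file servers.
New-ADCentralAccessPolicy -Name "Finance Documents Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Documents Policy" -Members $rule
```

Two caveats a practitioner would want. First, the policy does nothing until it is delivered to the file server through Group Policy (Computer Configuration, Security Settings, File System, Central Access Policy) and selected on a folder's Central Policy tab, and until files actually carry the tags, whether set by hand, by an application, or by File Server Resource Manager classification rules. Second, the central policy is evaluated in addition to the share and NTFS permissions, never instead of them: a caller needs to pass both, which is what the article means by "layers atop any existing file system permissions". Because of that, a rule that is too broad cannot widen access beyond the NTFS ACL, but a rule that is too narrow can lock out users the NTFS ACL would have admitted, so the proposed-permissions staging mode mentioned later in the article is worth using before enforcing a policy.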

Part three of DAC is auditing, for which Microsoft provides centralized policies applicable across multiple servers using the same expression-based tool and claim support, plus a staging area that permits policy-change simulations.

The final pillar of Windows Server 8's access security platform is data protection, which automatically applies Microsoft's RMS security model to Office documents with near-real-time protection immediately after documents are tagged, and is extensible to non-Office documents.
