Learning Microsoft Windows Server 2012 Dynamic Access Control

Business needs, purpose, and benefits

In today's complex IT environments, file servers play an increasingly vital role. We store tonnes of data and information on them, which is distributed to many individuals in an organization. Additionally, all of this data needs to be secure, accessible across varied networks, devices, and applications, and must fit in with strategies such as Bring Your Own Device (BYOD), Direct Access, and different cloud solutions.


To hold the costs down while meeting the security requirements is always a challenge for those responsible.

The main challenges for data owners or file server administrators are as follows:

  • The number of security groups, and the effort of managing them, needs to be reduced, as illustrated by the simple example of the Account—Global Groups—Domain Local Groups—Permissions principle shown in the following diagram:

    Note

    A new acronym from Microsoft can also be used:

    IGDPA: Identities, global groups, domain local groups, access


The idea of the following list is to show a part of the current challenges with respect to managing, securing, and maintaining information. Feel free to extend the list infinitely for your notes:

  • Central access and audit management of business and compliance needs
  • Building enhanced authentication and authorization scenarios (for example, BYOD)
  • Sensitive information needs to be protected wherever it goes
  • The productivity of information workers should not be affected
  • The content owners should be responsible for their information
  • To provide access-denied assistance messages to provide a managed end-to-end scenario

So the million-dollar question is, "How can Dynamic Access Control help you to address and solve these requirements?".

Dynamic Access Control provides you with the following enhanced ways to control and manage access in your distributed file server environment:

  • Classification: Identify and classify your information based on its content. There are four ways to tag information: by location, manually, automatically, and through application APIs.
  • Control access: Build precise definitions of the right person, with the right permission, at the right time, from the defined device. Using a Central Access Policy (CAP) helps you to address common security policies, compliance requirements (general, organization-wide, departmental, specific-data), and the need-to-know principle.
  • Compliance: This is a response to governmental regulations, but it can also be a response to industrial or organizational requirements:
    • U.S. Health Insurance Portability and Accountability Act (HIPAA)
    • Sarbanes-Oxley Act (SOX)
    • U.S. data breach laws
    • Basel I/II/III, U.S.-EU Safe Harbor Framework, EU Data Protection Directive
    • PCI, NIST SP 800-53/122
    • Japanese Personal Information Protection Act
  • Policy staging: This allows you to control changes to CAPs by comparing the current settings against the new settings and writing event log entries to the system log. The information can be analyzed using Event Viewer or by connecting to System Center Operations Manager.
  • Access denied remediation: In current environments, you get just a very simple access-denied message, which is not very helpful for the helpdesk or the user. DAC provides additional information and the opportunity to send more useful information to the data owner.
  • Audit: Defining policies based on information security, organizational and departmental requirements for reporting, analysis, and forensic investigation. Central Audit Policies form the key answer provided by Dynamic Access Control for those requirements.
  • Protection: Dynamic Access Control integrates with Active Directory Rights Management Services (AD RMS) for classification-based automatic encryption of sensitive tagged information. This option helps in any transmission aspect to protect the content against any unauthorized person.
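As an added example that is not from the book, the following Python model sketches two of the ideas listed above: central access rules evaluated against user, device and resource claims, and policy staging that compares a proposed CAP with the current one and reports every access decision that would change. All policy names, claims and paths are constructed, and the rule-combination logic is a simplification of the Windows behaviour.

```python
# Added example (not from the book): a toy Python model of two DAC ideas above,
# claims-based central access rules and policy staging. All names, claims and
# paths are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List

Claims = Dict[str, object]

@dataclass
class AccessRequest:
    user: Claims      # user claims (name, department)
    device: Claims    # device claims (managed or not)
    resource: Claims  # resource properties set by classification (tags)

@dataclass
class CentralAccessRule:
    name: str
    targets: Callable[[Claims], bool]         # which classified resources the rule covers
    permits: Callable[[AccessRequest], bool]  # who may access them, under which conditions

@dataclass
class CentralAccessPolicy:
    name: str
    rules: List[CentralAccessRule]

    def allows(self, req: AccessRequest) -> bool:
        # In this simplified model every rule that targets the resource must permit the request.
        return all(r.permits(req) for r in self.rules if r.targets(req.resource))

def stage_policy(current: CentralAccessPolicy, proposed: CentralAccessPolicy,
                 requests: List[AccessRequest]) -> List[str]:
    """Policy staging: evaluate both CAPs and return one audit line per request whose decision changes."""
    events = []
    for req in requests:
        cur, new = current.allows(req), proposed.allows(req)
        if cur != new:
            events.append(f"{proposed.name}: user={req.user['name']} resource={req.resource['path']} "
                          f"current={'allow' if cur else 'deny'} proposed={'allow' if new else 'deny'}")
    return events

# Constructed sample: a finance share tagged department=finance, sensitivity=high.
FINANCE = lambda res: res.get("department") == "finance"
RULE_DEPT = CentralAccessRule("Finance staff only", FINANCE, lambda r: r.user.get("department") == "finance")
RULE_DEVICE = CentralAccessRule("Managed devices for high sensitivity",
                                lambda res: FINANCE(res) and res.get("sensitivity") == "high",
                                lambda r: r.device.get("managed") is True)
CURRENT_CAP = CentralAccessPolicy("Finance CAP v1", [RULE_DEPT])
PROPOSED_CAP = CentralAccessPolicy("Finance CAP v2", [RULE_DEPT, RULE_DEVICE])  # adds the device condition
BUDGET = {"path": r"\\fs1\finance\budget.xlsx", "department": "finance", "sensitivity": "high"}
REQUESTS = [AccessRequest({"name": "alice", "department": "finance"}, {"managed": True}, BUDGET),
            AccessRequest({"name": "bob", "department": "finance"}, {"managed": False}, BUDGET),
            AccessRequest({"name": "carol", "department": "sales"}, {"managed": True}, BUDGET)]
STAGING_EVENTS = stage_policy(CURRENT_CAP, PROPOSED_CAP, REQUESTS)  # only bob's decision changes
```

Reviewing the staging output before switching a CAP from proposed to enforced is exactly what keeps a tightened device condition from locking out users unexpectedly.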

Now that you have had a little recap about the business needs, the purpose, and the benefits of Windows 2012 Dynamic Access Control, we can dive into the technical details.