Exchange Server 2010 Information Protection and Control

NameTitleMicrosoft Corporation

The High Cost of Data Leakage

“HR executive accidentallye-mails lay-off plan to entire organization.”

“College staff member accidentally e-mails attachment containing personal information of 15,794 graduates.”

“Public-relations firm faces PR nightmare after unintentionally e-mailing journalists about one of its clients.”

“Secret Service agent sends unencrypted e-mail revealing details of vice presidential tour.”

Information Protection and Control (IPC)

Exchange Server 2010 helps prevent the unauthorized transmission of sensitive information with tools that can automatically:

MONITOR e-mail for specific content, recipients and other attributes

CONTROL distribution with automated, granular polices

PROTECT access to data wherever it travels using rights management

PREVENT• Violations of corporate policy and best practices • Non-compliance with government and industry regulations• Loss of intellectual property and proprietary information • High-profile leaks of private information and customer

records • Damage to corporate brand image and reputation

Benefits of Automated Controls

Reduce User Error• Majority of data loss incidents are accidental• Users forget policies or apply incorrect policy

Enable More Consistent Policy• Automation facilitates rapid policy changes across the

organization• Critical for internal/external governance and compliance

Improve Efficiency • Offload complex data polices from users • Enable centralized policy creation, execution and

management

LESS RESTRICTIVE MORE RESTRICTIVE

• Apply the right level of control based on the sensitivity of the data

• Maximize control and minimize unnecessary user disruptions

Benefits of Granular Controls

Alert “Allow

delivery but add a

warning.”

Append “Allow

delivery but add a

disclaimer.”

Protect“Allow

delivery but prevent

forwarding.”

Redirect“Block

delivery and

redirect.”

Review “Block

delivery until

reviewed.”

Block“Do not deliver.”

Modify “Allow

delivery but modify message.”

Classify “Allow

delivery but apply

classification.”

MailTipsAlert users about potential risks

Apply multiple alerts

Create custom MailTips to prompt policy reminders

Protect sensitive data from accidental distribution

Alert

Transport Rules

Conditions

Exceptions

Actions

If the message...Is from a member of the group ‘Executives’And is sent to recipients that are 'Outside the organization' And contains the keyword ‘Merger’

Do the following...Redirect message to: arleneh@contoso.com

Except if the message...Is sent to ‘shanek@contoso.com

• Executed on the Hub Transport Server

• Structured like Inbox rules

• Apply to all messages sent inside and outside the organization

• Configured with simple GUI in Exchange Management Console

Easily enforce granular policies

<< >>

Conditions

Specific Users Detects mail between people, distribution lists

Specific Content Inspects subject, header and body for keywords, regular expressions

Message Properties Inspect message headers and properties or type

Classifications Scans for classifications such as Attorney-Client Privileged

Attachments Scans size, name and content (Office documents)

Classifications Can now also act on No Classifications

Message Types IRM protected, auto-replies, calendaring, voice mail

Supervision Lists Allows/Blocks based on listed recipients

Management Properties

Identifies manager and applies policy

User Properties Scans for user attributes (such as department, country)

Conditions When the message contains…

Fine tune rules with detailed criteria

<< >>

Actions

Block Blocks and deletes message and can send non-delivery report

Classify Applies classification such as attorney-client privilege

Modify Adds disclaimer to body or text to subject line

Reroute Adds additional recipients to cc or Bcc line or re-directs

Append Applies disclaimer per each user’s specific attributes

Review Enables review and approval of e-mail before delivery

Protect Applies rights protection to messages, attachments

Actions …do the following…

Apply the appropriate level of control

<< >>

Dynamic Signatures

Signatures integrated with Active Directory attributes

Option of basic text or HTML

Automatically apply signatures per user attributes

Append

Moderation Review

Moderate based on sender, DL, content

Approve or Reject with option to send response

Moderator can be a specific user or sender’s manager

Enable review and approval of e-mail before delivery

ProtectInformation Rights Management

• Persistent protection − Protects your sensitive information no matter where it is

sent− Usage rights locked within the document itself− Protects online and offline, inside and outside of the firewall

• Granular control − Users apply IRM protection directly within an e-mail− Organizations can create custom usage policy templates

such as "Confidential—Read Only"− Limit file access to only authorized users

Information Rights Management (IRM) provides persistent protection to control who can access, forward, print, or copy sensitive data within an e-mail.

Granular protection that travels with the data

Transport Protection Rules

• IRM protection can be triggered based on sender, recipient, content and other conditions

• Office 2003, 2007, and 2010 attachments also protected

Apply RMS policies automatically using Transport Rules

Apply “Do Not Forward” or custom RMS templates

Automatically apply IRMProtect

Outlook Protection RulesProvide users more IRM protection options

IRM protection can still be applied manually

User can be granted option to turn off rule for non-sensitive e-mail

Adding recipient or distribution list can trigger IRM protection automatically before sending

Protect

IRM in Outlook Web App

Native support for IRM in OWA eliminates need for Internet Explorer Rights Management add-on

Office documents also protected

Access to standard and custom RMS templates

Read and reply to protected messages

• Cross-browser support enables Firefox and Safari users to create and consume IRM-protected messages

Protect

Protected Voice Mail

“Do Not Forward” template

Prevent forwarding of voice mail

• Integration with AD RMS and Exchange Unified Messaging

• Permissions designated by sender (by marking the message as private) or by administrative policy

Protect

IRM Search

Multi-mailbox search includes option to search IRM-protected items

Conduct full-text search of IRM-protected mail and attachments in Outlook (online) and OWA

Index and search protected items

Protect

Protected messages sent to transport server

Messages and attachments decrypted to enable content filtering, transport rules

Infected messages and spam can be filtered

Messages are re-encrypted and delivered

IRM DecryptionEnable scanning, filtering, journaling

Journaled messages include decrypted clear-text copy

Protect

Protection and Control ScenariosScenarios Examples Supporting Exchange 2010 Features

Ethical WallRestrict e-mail between analysts and brokers

• Transport rules to block mail between specific users or groups

Supervision Manager required to sign-off on mail to sensitive partner

• Send to manager for approval• MailTips for moderated recipients

HR PolicyInappropriate content • Filter for keywords and block, redirect,

modify

Privacy

HIPAA (health data) GLBA (financial data) PIPEDA (Canada) PCI (Worldwide)

• Apply MailTips to alerts for external recipients

• Apply IRM protection to control access• Monitor for credit card numbers and

other personally identifiable information (PII)

Signatures EUPD 2003/58/EC• Append disclaimer that includes name,

title, department, etc.

Automatically monitor and control the distribution of sensitive information

Better protect access to data with persistent Information Rights Management

MailTips guide users with automatic alerts before sending

Transport Rules automatically enforce granular polices

Expanded Transport Rule conditions enable more specific policies

New actions: Dynamic Signatures, Moderation, IRM Protection

Apply by policy with Transport Protection Rules, Outlook Protection Rules

Extend user access with IRM in OWA, Outlook, Windows Mobile

Enable search, AV/AS scanning, filtering, journaling of protected mail

Ensure the right level of control is applied to the right messages

IPC with Exchange Server 2010

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Internet Explorer, Outlook, Windows Mobile, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this

presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS

PRESENTATION.