3-662
Enterprise Data Protection: Building Universal Windows Apps That Keep Work and Personal Data Separate and Secure
Derek Adam, Program Manager

This talk is about making them ready for the workplace
Our apps are our babies
Understanding the Enterprise customer: IT Administrator
- Respect the stewardship you (might) have
- Don’t reveal company secrets
- Respect boundaries of access and use terms
- Wants things locked up in his domain
- Makes rules to try to keep it that way
Source: Stroz Friedberg, “On The Pulse: Information Security In American Business,” 2013
(Pictured: Willy Wonka)
Understanding the Enterprise customer: Information Worker
- Want access from personal devices
- Prefer as little management as possible
- We all make mistakes
(Pictured: people like you and me)
Information protection journey
DEVICE PROTECTION
- BitLocker enhancements in Windows 8.1
- InstantGo
- 3rd party adoption
- Protect data when device is lost or stolen
DATA PROTECTION
- Rights Management Services (RMS)
- Office Information Rights Management (IRM)
- Azure AD, Azure Rights Management in 2013
- Protect data when …..
THE GAP
- Accidental data leakage
- Enterprise Data Protection
OTHER ATTEMPTS TO FILL THE GAP: PAIN POINTS
- Switching modes and between containers
- Users change apps to work securely
- Experience between mobile and desktop inconsistent
- Solutions are an add-on to the platform == expensive
OUR VISION
Integrate data protection at the platform level to protect corporate data against inadvertent disclosure to unauthorized users and public services through email, social media and public cloud.
Windows 10 Enterprise Data Protection
Better approach to data management
- Mobile & Desktop
- Corp data identifiable from personal
- Protects data at rest, and when roaming
- Platform integrated, no mode switching
- Only IT-allowed apps see business data
- IT controls keys, can remote wipe
- Common experience, x-plat support
Windows 10 Enterprise Data Protection
Extra security with Data Protection Under Lock
- Blocks read when screen is locked
- Optional screen lock security policy
- System tosses decryption key on lock
- Can encrypt new files and data
- Logon, unlock restores keys and access
- Helps mitigate system level attacks
See session 639 “Microsoft Passport and Windows Hello: Moving beyond passwords and credential theft”
Business/Personal
One experience
- Data is isolated
- Data is encrypted at rest
- Block/audit data exchange
- Organization holds keys
- Office and OneDrive
- APIs for ISVs
- MDM managed
Diagram: Business Apps & Data (Managed) beside Personal Apps & Data (Unmanaged); example apps shown include Lync, eMail, Facebook, OneDrive for Business, Contacts, WhatsApp, PowerPoint, Calendar, OneDrive, PDF Reader, Photos and Weather. Data exchange between the two sides is blocked or audited.
Enterprise Data Protection
PROVISIONING: KEYS AND POLICIES
1. User enrolls with enterprise MDM or domain join
2. MDM or ConfigMgr provisions policy and encryption keys
Policies:
- Enterprise allowed apps
- Network policies
- App restriction policy
See: “Managing Mobile Devices and Applications in an Enterprise” (Session 654)
Enterprise Data Protection
DATA INGRESS
- Data from enterprise network is encrypted
- E.g. OneDrive for Business, corporate Exchange mail, etc.
Enterprise Data Protection
DATA EGRESS
- Saving to enterprise folder: encryption auto-applied
- User option to save as corporate
- IT can configure unenlightened apps to automatically protect data
- Enlightened apps protect corporate data (from app to disk)
Enterprise Data Protection
DATA EGRESS (inter-app, or over network)
- Enlightened apps can maintain protection
- App restriction policy: can block egress to other apps
- Network policy: can block egress to non-corporate sites
Enterprise Data Protection
CROSS PLATFORM DATA SHARING
- Readers available for cross-platform editing
- Public API for secure sharing
- Common MDM support across Windows, iOS & Android with Microsoft Intune
- Common developer experience across platforms
- iOS & Android enabled via Intune App Wrapping Tool for IT Pros
- iOS & Android apps enabled via Intune App SDK (Microsoft Intune SDK for iOS & Android)
Enterprise Data Protection
REVOKE (on unenroll)
- Unenroll removes keys, and wipes the inaccessible enterprise data
Enterprise Data Protection - Demo

Enlightening your app for Enterprise Data Protection
Enterprise Enlightened Apps
- Recognize enterprise data sources
- Protect data at rest, in use, in flight
- Follow policy

Enterprise Enlightened Apps
- Recognize personal data sources
- Let personal data be personal
- No policy for personal apps & data

Enterprise Enlightened Apps
- Something IT and IW can agree on
- Competitive advantage: satisfy both
Declare your app enlightened (WinRT)
Add the enterpriseDataPolicy capability to the app manifest (the rescap namespace is declared on the Package element):

```xml
xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"

<Capabilities>
  <rescap:Capability Name="enterpriseDataPolicy"/>
</Capabilities>
```
Declare your app enlightened (Win32)
Add an entry to resources.rc:

```
MICROSOFTEDPENLIGHTENEDAPPINFO EDPENLIGHTENEDAPPINFOID
BEGIN
    0x0001
END
```
Enlightening Apps for Enterprise Data Protection

| | Local (productivity apps) | Network capable (channel apps) |
|---|---|---|
| Data Ingress | Check for enterprise tag on data | Check if host belongs to the enterprise AND unwrap files (if necessary) |
| Data In Use | Set mode: Enterprise / Personal | Turn VPN On / Off |
| Data Egress | Protect enterprise data | Block sending to non-enterprise hosts OR wrap files for transport |
| Event handling | Revoke: Close & cleanup; Screen lock: Close content; Screen unlock: Reopen content | Revoke: Stop enterprise sync completely; Screen lock: Stop uploads; Screen unlock: Resume uploads |
Data Ingress – Recognize enterprise files
Namespace: Windows.Security.EnterpriseData
Class: FileProtectionManager
Method: GetProtectionInfoAsync
- Takes an IStorageItem
- Returns protection status and identity string

Check file:

```csharp
FileProtectionInfo protectionInfo = await FileProtectionManager.GetProtectionInfoAsync(FileHandle);
if (protectionInfo.Status == FileProtectionStatus.Protected &&
    ProtectionPolicyManager.IsIdentityManaged(protectionInfo.Identity))
{
    // Enterprise case, so do things like set enterprise mode
}
```
Data Ingress – Recognize enterprise files (Pt.2)
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: IsIdentityManaged
- Identity is an email address or domain
- Data managed only when identity managed
Check file (all three outcomes):

```csharp
FileProtectionInfo protectionInfo = await FileProtectionManager.GetProtectionInfoAsync(FileHandle);
if (protectionInfo.Status == FileProtectionStatus.Protected &&
    ProtectionPolicyManager.IsIdentityManaged(protectionInfo.Identity))
{
    // Enterprise case, so do things like set enterprise mode
}
if (protectionInfo.Status == FileProtectionStatus.Unprotected)
{
    // Data is personal
}
if (protectionInfo.Status == FileProtectionStatus.Revoked)
{
    // Call your revocation handling code
}
```
Data Ingress – Enterprise data packages
Namespace: Windows.ApplicationModel.DataTransfer
Class: DataPackagePropertySetView
Property: EnterpriseId
- Managed clipboard / share data is tagged
- Property is empty string when not managed

Check data package view properties (clipboard / share):

```csharp
var enterpriseId = shareOperation.Data.Properties.EnterpriseId;
if (string.IsNullOrEmpty(enterpriseId))
{
    // Personal
}
else
{
    // Enterprise managed
}
```
Data Ingress – Check if host is enterprise
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: GetPrimaryManagedIdentityForNetworkEndpointAsync
- Takes a host name object
- Returns enterprise identity string
- Empty string means personal, not enterprise

Check network host:

```csharp
var resourceUri = new Uri(serverNameString);
// Check if URI is an enterprise managed endpoint.
string enterpriseId = await ProtectionPolicyManager.GetPrimaryManagedIdentityForNetworkEndpointAsync(
    new HostName(resourceUri.Host));
if (!string.IsNullOrEmpty(enterpriseId))
{
    // If the enterprise ID is non-empty, it’s managed.
    // Make VPN claim, protect download data, etc.
    // ...
}
```
Data Ingress – Unwrap enterprise container files
Namespace: Windows.Security.EnterpriseData
Class: FileProtectionManager
Method: LoadFileFromContainerAsync
- Takes a containerized file
- Makes a new file with local encryption

Load encrypted container into the file system:

```csharp
var tempFolder = ApplicationData.Current.TemporaryFolder;
var appDataFolder = ApplicationData.Current.LocalFolder;
// Get a handle to the downloaded containerized file.
var containerFile = await tempFolder.GetFileAsync("myAppDataFile.dat");
// Import container to encrypted file system
ProtectedContainerImportResult result =
    await FileProtectionManager.LoadFileFromContainerAsync(containerFile, appDataFolder);
StorageFile protectedFile = result.File;
```
Data In Use – Set app mode enterprise
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: TryApplyProcessUIPolicy
- Puts process into enterprise mode
- Windows enforces clipboard & share policy

Clear UI policy enforcement for the app:

```csharp
// Clear enterprise app context so it is personal again.
ProtectionPolicyManager.ClearProcessUIPolicy();
```
Data In Use – Set app view to enterprise
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: GetForCurrentView
Property: Identity
- Puts AppView (i.e. window) into enterprise mode
- Windows enforces clipboard & share policy

Set AppView to enterprise:

```csharp
private void TagCurrentViewWithEnterpriseId(string enterpriseId)
{
    // Note: Empty enterpriseId sets mode to personal
    ProtectionPolicyManager protectionPolicyManager = ProtectionPolicyManager.GetForCurrentView();
    protectionPolicyManager.Identity = enterpriseId;
}
```
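As an added example (not code from the deck), this ties the ingress check slides (GetProtectionInfoAsync plus IsIdentityManaged) to the view-mode slide above: it classifies a file and tags the current view accordingly, and also covers the case the slides leave implicit, a file that is Protected but to an identity this device does not manage. The IngressDecision enum and IngressGate class are hypothetical names chosen here.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.EnterpriseData;
using Windows.Storage;

// Outcome of the ingress check; hypothetical type, not part of the platform API.
public enum IngressDecision { Personal, Enterprise, Revoked, Unreadable }

public static class IngressGate
{
    // Pure decision on the (status, identity) pair returned by GetProtectionInfoAsync.
    public static IngressDecision Classify(FileProtectionStatus status, string identity)
    {
        switch (status)
        {
            case FileProtectionStatus.Unprotected:
                return IngressDecision.Personal;
            case FileProtectionStatus.Protected:
                // Protected to an identity this device does not manage: do not fall
                // back to personal mode, the content must not be shown as personal.
                return ProtectionPolicyManager.IsIdentityManaged(identity)
                    ? IngressDecision.Enterprise
                    : IngressDecision.Unreadable;
            case FileProtectionStatus.Revoked:
                return IngressDecision.Revoked;
            default:
                // Other statuses (e.g. protected to another user, access suspended
                // under lock) are not readable right now.
                return IngressDecision.Unreadable;
        }
    }

    // Query the file, classify it, and put the current view (window) into the
    // matching mode so Windows enforces clipboard & share policy for it.
    public static async Task<IngressDecision> OpenAndTagViewAsync(StorageFile file)
    {
        FileProtectionInfo info = await FileProtectionManager.GetProtectionInfoAsync(file);
        IngressDecision decision = Classify(info.Status, info.Identity);

        ProtectionPolicyManager view = ProtectionPolicyManager.GetForCurrentView();
        switch (decision)
        {
            case IngressDecision.Enterprise:
                view.Identity = info.Identity;   // window is now in enterprise mode
                break;
            case IngressDecision.Personal:
            case IngressDecision.Revoked:
                view.Identity = string.Empty;    // empty identity = personal mode
                break;
            case IngressDecision.Unreadable:
                // Leave the view as it was; the caller must not render the content.
                break;
        }
        return decision;
    }
}
```

For a Revoked result the caller should also run the same cleanup as its ProtectedContentRevoked handler.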
Data In Use – Set network context on thread
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Method: CreateCurrentThreadNetworkContext
- Marks thread for enterprise network access
- Sockets created on the thread get VPN

Set / clear enterprise network thread context:

```csharp
// Set enterprise context to access enterprise network resources
// Create protected network context on current thread
ThreadNetworkContext context = ProtectionPolicyManager.CreateCurrentThreadNetworkContext(enterpriseId);
var client = new HttpClient(); // Gets VPN for enterpriseId
if (context != null) // Clear context before leaving scope
{
    context.Dispose();
}
// New connections don’t get ‘enterpriseId’ VPN now...
```
Data Egress – Protect enterprise data: Files
Namespace: Windows.Security.EnterpriseData
Class: FileProtectionManager
Method: ProtectAsync
- Takes IStorageItem and enterprise ID string
- Encrypts file with key tagged to enterprise ID

Protect file:

```csharp
// Protect file to ‘identity’ (Managed email address or domain)
FileProtectionInfo protectionInfo = await FileProtectionManager.ProtectAsync(file, identity);
// Use standard APIs to read or write from the file.
```
Data Egress – Protect enterprise data: Buffers
Namespace: Windows.Security.EnterpriseData
Class: DataProtectionManager
Method: ProtectAsync
- Takes IBuffer and enterprise ID string
- Returns new IBuffer encrypted to enterprise (in the result's Buffer property)

Protect buffer:

```csharp
IBuffer inputBuffer = CryptographicBuffer.ConvertStringToBinary(protectedMessage, BinaryStringEncoding.Utf8);
BufferProtectUnprotectResult protectedBuffer =
    await DataProtectionManager.ProtectAsync(inputBuffer, EnterpriseIdentity);
// Best practice: check return status
if (protectedBuffer.ProtectionInfo.Status == DataProtectionStatus.Unprotected)
{
    // Protection can fail if app not allowed for EnterpriseIdentity
}
// Encrypted bytes are in protectedBuffer.Buffer
```
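The channel-app download path as an added example (not code from the deck), combining the host check, the thread network context and the buffer protection slides: resolve the host's managed identity, hold the enterprise VPN context only while the request is made, then bind the downloaded bytes to that same identity and fail closed if policy refuses. ChannelDownload and ProtectedDownload are hypothetical names; the deck's HttpClient is assumed to be System.Net.Http.HttpClient here.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Windows.Networking;
using Windows.Security.Cryptography;
using Windows.Security.EnterpriseData;
using Windows.Storage.Streams;

// Hypothetical result type: encrypted bytes plus the identity they are bound to.
// Buffer is null when the host was personal and nothing needs protecting.
public sealed class ProtectedDownload
{
    public IBuffer Buffer { get; set; }
    public string Identity { get; set; }
}

public static class ChannelDownload
{
    public static async Task<ProtectedDownload> FetchProtectedAsync(Uri resourceUri)
    {
        // 1. Ingress: does this host belong to a managed enterprise?
        string enterpriseId = await ProtectionPolicyManager
            .GetPrimaryManagedIdentityForNetworkEndpointAsync(new HostName(resourceUri.Host));
        if (string.IsNullOrEmpty(enterpriseId))
        {
            // Personal host: no VPN claim, data stays unmanaged.
            return new ProtectedDownload { Buffer = null, Identity = string.Empty };
        }

        byte[] body;
        // 2. Data in use: connections created while this context is alive get the
        //    enterprise VPN; leaving the using block restores the personal context.
        using (ThreadNetworkContext context =
               ProtectionPolicyManager.CreateCurrentThreadNetworkContext(enterpriseId))
        using (var client = new HttpClient())
        {
            body = await client.GetByteArrayAsync(resourceUri);
        }

        // 3. Egress: bind the bytes to the enterprise identity before they are
        //    written to disk, shared, or placed on the clipboard.
        IBuffer plain = CryptographicBuffer.CreateFromByteArray(body);
        BufferProtectUnprotectResult result =
            await DataProtectionManager.ProtectAsync(plain, enterpriseId);
        if (result.ProtectionInfo.Status != DataProtectionStatus.Protected)
        {
            // Policy did not allow this app to hold data for enterpriseId:
            // fail closed instead of keeping an unprotected copy.
            throw new UnauthorizedAccessException(
                "Could not protect data to " + enterpriseId + ": " + result.ProtectionInfo.Status);
        }
        return new ProtectedDownload { Buffer = result.Buffer, Identity = enterpriseId };
    }
}
```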
Data Egress – Protect enterprise data: Save UX
Namespace: Windows.Storage.Pickers
Class: FileSavePicker
Method: FileSavePicker (constructor)
Property: EnterpriseId
- Takes enterprise identity string
- Sets encryption dropdown to match (if managed)

Set enterprise context for FilePicker:

```csharp
private async void SaveFile_Click(object sender, RoutedEventArgs e)
{
    var savePicker = new FileSavePicker();
    savePicker.EnterpriseId = GetCurrentEnterpriseId();
    var file = await savePicker.PickSaveFileAsync();
    if (file != null)
    {
        // Best practice:
        // Check status with GetProtectionInfoAsync(file)
    }
}
```
Event Handling – Revoke
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Event: ProtectedContentRevoked
- Register your event handler for revoke

Handle revoke events:

```csharp
// Register handler for revoke event
ProtectionPolicyManager.ProtectedContentRevoked += HandleProtectedContentRevoked;

void HandleProtectedContentRevoked(Object sender, ProtectedContentRevokedEventArgs args)
{
    MyRevokeCleanupRoutine(); // Clean up files, settings, accounts, creds, etc.
    // Sync engines should break enterprise sync relationship.
}
```
Event Handling – Screen lock / unlock
Namespace: Windows.Security.EnterpriseData
Class: ProtectionPolicyManager
Events: ProtectedAccessSuspending (screen locking), ProtectedAccessResumed (screen unlocked)
- Register event handlers for both events
- Tip: Close as much enterprise data as possible
- Tip: Can’t read enterprise under lock, but can create new files, buffers, streams

Handle suspend / resume events:

```csharp
// Register for device lock and unlock
ProtectionPolicyManager.ProtectedAccessSuspending += HandleProtectedAccessSuspending;
ProtectionPolicyManager.ProtectedAccessResumed += HandleProtectedAccessResumed;

void HandleProtectedAccessSuspending(Object sender, ProtectedAccessSuspendingEventArgs args)
{
    // Stop enterprise upload, close enterprise files, etc.
}

void HandleProtectedAccessResumed(Object sender, ProtectedAccessResumedEventArgs args)
{
    // Resume enterprise upload, reopen enterprise content, etc.
}
```
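As an added example (not code from the deck) for the revoke and lock/unlock slides: one tracker that records open enterprise streams per identity and wires all three ProtectionPolicyManager events to it, so that handles are closed before the lock deadline and only the revoked identities are cleaned up on unenroll. EnterpriseSessionTracker is a hypothetical name; the args.GetDeferral() and args.Identities members are from the released Windows 10 API and are assumed here rather than shown on the slides.

```csharp
using System;
using System.Collections.Generic;
using Windows.Security.EnterpriseData;
using Windows.Storage.Streams;

public sealed class EnterpriseSessionTracker
{
    // Constructed bookkeeping: open enterprise streams keyed by owning identity.
    private readonly Dictionary<string, List<IRandomAccessStream>> _open =
        new Dictionary<string, List<IRandomAccessStream>>(StringComparer.OrdinalIgnoreCase);

    public bool UploadsPaused { get; private set; }

    public void Register()
    {
        ProtectionPolicyManager.ProtectedAccessSuspending += OnSuspending;
        ProtectionPolicyManager.ProtectedAccessResumed += OnResumed;
        ProtectionPolicyManager.ProtectedContentRevoked += OnRevoked;
    }

    // Call whenever the app opens a stream on a file whose identity is managed.
    public void Track(string identity, IRandomAccessStream stream)
    {
        if (!_open.TryGetValue(identity, out var list))
            _open[identity] = list = new List<IRandomAccessStream>();
        list.Add(stream);
    }

    public int OpenCount(string identity) =>
        _open.TryGetValue(identity, out var list) ? list.Count : 0;

    private void CloseAll(string identity)
    {
        if (!_open.TryGetValue(identity, out var list)) return;
        foreach (var stream in list) stream.Dispose();
        _open.Remove(identity);
    }

    // Screen is locking: the decryption key is about to be tossed, so release every
    // enterprise handle first. The deferral keeps the OS waiting until we are done.
    private void OnSuspending(object sender, ProtectedAccessSuspendingEventArgs args)
    {
        var deferral = args.GetDeferral();
        try
        {
            foreach (var identity in new List<string>(_open.Keys)) CloseAll(identity);
            UploadsPaused = true;   // channel apps: stop enterprise uploads
        }
        finally { deferral.Complete(); }
    }

    // Unlock: keys are restored; content is reopened on demand, uploads resume.
    private void OnResumed(object sender, ProtectedAccessResumedEventArgs args)
    {
        UploadsPaused = false;
    }

    // Revoke: drop handles for exactly the revoked identities; personal data and
    // any other enterprise are untouched. Sync engines also break sync here.
    private void OnRevoked(object sender, ProtectedContentRevokedEventArgs args)
    {
        foreach (string identity in args.Identities) CloseAll(identity);
    }
}
```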
OS Settings and App Data Roaming … in the Enterprise!

Enterprise Roaming in Windows 10
- Windows 10 supports roaming based on AAD as well as MSA accounts
- Feature parity to Win 8/8.1 with additional security and management capabilities
- Premium administrative features as part of Enterprise Mobility Suite (EMS)
- Data is automatically sync’d with the correct storage cloud (OneDrive / Azure AD tenant)
- OS settings roam based on the identity used to sign into Windows
- Windows App state roams on the identity used to acquire the app
- Supported on Windows Phone and Desktop
See session 709 “Single Sign-On with Secure Authentication” by Karanbir Singh
Enterprise Roaming in Windows 10
Security
- All enterprise data is encrypted both in transit (TLS) and at rest in the cloud (RMS)
- Support for both “default” and “premium” key management capabilities
  - Default: Keys managed in the cloud by Microsoft (free)
  - Premium: Keys managed in the cloud by the customer
Management
- Admin UX is available from the Azure Active Directory portal
  - Default: On/off switch; data deletion (free)
  - Premium: Security group “allowed list”; user reports
- MDM provides admins the ability to turn on/off per device
MSDN Roaming References
General
- Guidelines for roaming app data
- Quickstart: Roaming app data
- How to roam data between a Windows Store app and a Windows Phone Store app
- Blog: Roaming your app data
APIs
- ApplicationData.RoamingFolder | roamingFolder property
- ApplicationData.RoamingSettings | roamingSettings property
- ApplicationData.SignalDataChanged | signalDataChanged method
MDM Resources
Windows 10 MDM documentation ONLINE: http://aka.ms/kw2vwj
MDM related sessions @ Ignite
- Vladimir Holostov | Provisioning Windows 10 Devices with New Tools [Link]
- Jason Githens | Managing Windows 10 with Microsoft Intune and SCCM [Link]
- Chris Green & Dilip Radhakrishnan | Securing Access to Microsoft Exchange and SPO with Intune [Link]
- John Vintzel | Windows 10 Universal App Deployment for Enterprises [Link]
- Tejas Patel | Using the Business Store Portal with Windows 10 Devices [Link]
- Yogesh Mehta | Protecting your data with containers without boxing yourself in [Link]
- Aman Arneja | Secure Enterprise Network Access and VPN platform enhancements [Link]
- Nelly Porter | Secure authentication with Windows Hello [Link]
- Deepak Manohar | Next Generation Malware detection with Windows Defender [Link]
Call to Action
- Join the Windows Insider Program … and give us feedback!
- Explore the Enterprise Data Protection samples
- Check the Roaming App Data resources
- Get your app ready for management!

Raise apps that help users respect enterprise data, and you will be rewarded.
Trustworthy apps will be chosen.