Prevent Data Leakage Using

Windows Information Protection

(WIP)

Presenter:

Russell Smith

@smithrussell

Russell Smith

Russell Smith

packtpub.com

Do you prevent users accessing personal

email and cloud storage

Image Credit: Microsoft

Windows Information Protection

versus Data Leakage Protection

• DLP solutions not integrated into the OS

• WIP provides a seamless experience

• No requirement to switch ‘modes’ or use

dedicated apps

• WIP is easy to deploy and manage

Image Credit: Microsoft

Azure Information Protection

• Based on Azure RMS

• Classify, label, and protect data

• Persistent protection

• B2B sharing

Windows Information Protection –

Data Lifecycle

• Provision policy to devices

• Data from corporate resources automatically encrypted

• Enlightened apps can automatically protect, or users can be allowed to define as business or personal

• Protection retained across devices. Azure Rights Management can be used for B2B sharing

• Wipe business data on demand or when device is unenrolled

Windows Information Protection –

Enlightened vs. Unenlightened Apps

• Microsoft Edge

• Internet Explorer 11

• Microsoft People

• Mobile Office apps

• Microsoft Photos

• Groove Music

• Notepad

• Microsoft Paint

• Microsoft Movies & TV

• Microsoft Messaging

• Microsoft Remote

Desktop

Windows Information Protection –

Technology

• Encrypting File System (EFS)

• Mobile Device Management (MDM)

• Microsoft Intune

• System Center Configuration Manager (SCCM)

• 3rd-party MDM solution

Windows Information Protection –

DEMO

• Intune WIP Policy

• Data Recovery Agent (DRA)

certificate

• WIP in action

Windows Information Protection –

Limitations

• Direct Access

• Data-in-transit not protected

• Shared workstations

• Redirected folders

• External storage

PowerBroker for

Windows

Least Privilege and Application Control

for Windows Servers and Desktops

Summary: Why PowerBroker for Windows?

• Asset discovery, application control, risk compliance, Windows event log monitoring included

• Optional: Session monitoring, file integrity monitoringDeep capability

• U.S. Patent (No. 8,850,549) for the methods and systems employed for controlling access to resources and privileges per process

Mature, patented leader

• Tightly integrated with vulnerability management

• Deep reporting and analytics insights for compliance and operations

Centralized reporting, analytics and management

• Privilege and session management on Unix, Linux and Windows

• Privileged password and session management

• Integrate Linux, Unix, and Mac OS X with Microsoft AD

• Real-time auditing of AD, File System, Exchange & SQL

Part of a broad solution family

Va

lida

ted

by c

usto

me

rs a

nd

an

aly

sts

alik

e

Your solution should:

• Elevate privileges to applications, not users, on an as-needed basis without

exposing passwords

• Enforce least-privilege access based on an application’s known vulnerabilities

• Track and control applications with known vulnerabilities or malware to further

protect endpoints

• Monitor event logs and file integrity for unauthorized changes to key files and

directories

• Capture keystrokes and screens when rules are triggered with searchable

playback

Product Demonstration

Poll

Thank you for attending

today’s webinar!