Learning Microsoft Windows Server 2012 Dynamic Access Control

Preface

In today's complex IT environments, file servers play an increasingly important role, storing large amounts of data and information and making it available to any individual in an organization. Additionally, all of this data needs to be secure and accessible across varied networks, devices, and applications, and it needs to work with strategies such as Bring Your Own Device (BYOD), DirectAccess, and the different cloud scenarios.

For system administrators, this quite often starts with building groups to control access to the company's internal file servers. For example, Jack works on a project called Ikarus and needs some information from the Marketing department, but Jack is not actually a member of that department. So you build some security groups to solve this request, and a complex group scenario begins to exist. As the groups and their memberships grow, they become more and more complex in every case; just think of Kerberos token bloat, which causes user authentication problems.

In addition, auditing and monitoring solutions is always a challenge. You might be familiar with questions such as "Who had access to the sensitive finance information on June 1, 2013?" or with the wonderful "Access denied" message that leads a user to come to you and ask for access to a particular piece of information. Or you immediately start searching for the right information to give the Chief Information Security Officer (CISO) of the organization as evidence, or to find out who owns this information and can decide whether or not to give the user the proper access.

Furthermore, a common challenge is deciding how to provide infrastructure or services in the cloud. The main reason is that companies don't really know which information is sensitive and which is not. Classifying the information helps in this case and can enable different cloud scenarios.

Dynamic Access Control (DAC) is a complete end-to-end solution for securing information access, not just another single new feature of Windows Server 2012. DAC can really help you solve some of the daily problems you may face in giving access to data on distributed file servers. These are a few of the points we will discuss in this book:

  • Classify your information
  • Define and implement Access Control Policies based on classification
  • Define and implement Central Audit Policies
  • Provide additional information protection with Rights Management Services

Dynamic Access Control is the right tool to use if you need control at the data level, so that the protection stays with the files even when they leave the file server. Furthermore, DAC is useful if you care about many attributes and need device information for the authorization process in your own or a partner Active Directory forest, and especially if you need an automated process to classify information based on attributes or resource properties.