Alternative method for access control
Windows Server 2012 supplements the existing access control for files at the directory or group level with a new approach: Dynamic Access Control (DAC). As an advancement of so-called claims-based access control, DAC makes it possible to govern access to files through classification more efficiently and more precisely.
One very interesting aspect of DAC is that the classification information is saved with the file itself, so that it is directly available to all applications, including the operating system. This allows access to all files to be governed more safely and more precisely without additional effort. Up to now, the protection of a file was tied to its storage location; in the future, this information is saved directly with the file. If the file is moved intentionally or accidentally into a less protected directory, the previous protection remains. As an additional advantage, access rules can for the first time be defined enterprise-wide and independently of the structure of the file systems.
Examples of rules:
- Files classified as "confidential level 2" are accessible only to the AD group "HighConfidential".
- Files classified as belonging to the project "Phoenix" are accessible only to the AD group "project team Phoenix".
This eliminates a great risk: when a file was saved in the wrong location, all security mechanisms became ineffective. With the help of DAC and classification, your files are always protected. For good reason, DAC is an enthusiastically welcomed trend in the field of information security.
Handling of existing files is the major obstacle
dg classification closes this gap: Due to the enterprise-wide, rule-based and automated classification of files – including all existing files – all files in an enterprise are immediately available for DAC. dg classification allows the enterprise-wide definition of classification rules and supports attribute-based as well as content-based classification.
Advantages of Dynamic Access Control and classification with dg classification
- More efficiency: for the first time, DAC allows access rights to be managed efficiently at the file level
- More security: DAC allows files to be protected independently of the storage location
- More compliance: DAC allows enterprise-wide access rights to be allocated very precisely
- Less effort: DAC allows classification of the entire existing database