Intelligent Dynamic Access Control (DAC) for Windows Server 2012

Written by Bernd Hoeck on Monday, 21 May 2012. Posted in Basics

Alternative method for access control

Windows Server 2012 adds a supplemental approach to the familiar access control for files on directory and group level: Dynamic Access Control (DAC). DAC builds on claims-based access control (attributes of the user and the device, evaluated in conditional expressions) and extends it to the file itself: access can be ruled through the file's classification, more efficiently and more precisely than with folder permissions alone.

One very interesting aspect of DAC is that the classification is stored with the file itself (for properties used in authorization, inside the file's security descriptor), so it is directly available to all applications including the operating system. This allows access to all files to be ruled more safely and more precisely without additional effort. Up to now the protection of a file was tied to its storage location; now this information travels with the file. If the file is moved intentionally or accidentally into a less protected directory, it keeps its classification, and any central access policy applied to the destination still evaluates it; only a destination to which no central access policy has been applied leaves the file with plain folder permissions. As an additional advantage, access rules can for the first time be defined enterprise-wide and independently of the structure of the file systems.

Examples for rules:

  • Files classified as "confidential level 2" are only accessible to the AD group "HighConfidential".
  • Files classified as belonging to the project "Phoenix" are only accessible to the AD group "project team Phoenix".

This eliminates a great risk: when a file was saved in the wrong location, all security mechanisms became ineffective. With DAC and classification, files stay protected wherever they are stored. DAC is, for good reason, an enthusiastically welcomed trend in information security.
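The two rules above, built as a Windows Server 2012 central access policy with the ActiveDirectory PowerShell module. This is an added example, not code from the article or from dataglobal; the resource property names (ConfidentialityLevel, ProjectName), their values (Level2, Phoenix), the group account names and the policy names are assumptions. Windows already ships predefined, disabled resource properties named Confidentiality_MS and Project_MS, so the example deliberately uses distinct names. It runs on a domain controller or a host with the AD module, against a domain whose schema is at the Windows Server 2012 level.

```powershell
# Added example (not from the article or dataglobal): turn the two classification
# rules into central access rules and bundle them into one central access policy.
# Property, value, group and policy names are assumptions.
Import-Module ActiveDirectory

# 1. Resource properties that the file classification will stamp on files.
#    -IsSecured $true stores the value in the file's security descriptor, which is
#    what allows it to be used in an access check.
$level2 = New-Object -TypeName Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry `
    -ArgumentList "Level2", "Confidential level 2", "Restricted to the HighConfidential group"
$level1 = New-Object -TypeName Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry `
    -ArgumentList "Level1", "Confidential level 1", "Internal use"
$confidentiality = New-ADResourceProperty -DisplayName "ConfidentialityLevel" `
    -ResourcePropertyValueType MS-DS-SinglevaluedChoice -IsSecured $true `
    -SuggestedValues $level2, $level1 -PassThru

$phoenix = New-Object -TypeName Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry `
    -ArgumentList "Phoenix", "Project Phoenix", "Files belonging to project Phoenix"
$project = New-ADResourceProperty -DisplayName "ProjectName" `
    -ResourcePropertyValueType MS-DS-SinglevaluedChoice -IsSecured $true `
    -SuggestedValues $phoenix -PassThru

# Only properties that are members of a resource property list are distributed
# to the file servers (and thus visible to their classification engine).
Add-ADResourcePropertyListMember "Global Resource Property List" -Members $confidentiality, $project

# 2. Central access rules. The resource condition selects the files by their
#    classification; the ACL says who may touch those files. Anybody else is
#    denied even if the folder's own NTFS permissions would let them in.
#    SIDs of the two groups from the article (sAMAccountNames are assumptions).
$hiConfSid = (Get-ADGroup "HighConfidential").SID.Value
$teamSid   = (Get-ADGroup "ProjectTeamPhoenix").SID.Value   # the "project team Phoenix" group

# Owner, Administrators and SYSTEM keep full control; the group gets Modify (0x1301bf).
# The object's Name is its ID, which is the display name with an "_MS" suffix by default.
$aclLevel2 = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1301bf;;;$hiConfSid)"
New-ADCentralAccessRule -Name "Confidential level 2 rule" -ProtectedFromAccidentalDeletion $true `
    -ResourceCondition ('(@RESOURCE.' + $confidentiality.Name + ' == "Level2")') `
    -CurrentAcl $aclLevel2

$aclPhoenix = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1301bf;;;$teamSid)"
New-ADCentralAccessRule -Name "Project Phoenix rule" -ProtectedFromAccidentalDeletion $true `
    -ResourceCondition ('(@RESOURCE.' + $project.Name + ' == "Phoenix")') `
    -CurrentAcl $aclPhoenix

# 3. Bundle the rules into one policy. A file that matches several rules (a
#    level-2 Phoenix document) must pass every matching rule.
New-ADCentralAccessPolicy -Name "Classification policy"
Add-ADCentralAccessPolicyMember -Identity "Classification policy" `
    -Members "Confidential level 2 rule", "Project Phoenix rule"

# Review what was created.
Get-ADCentralAccessRule -Filter * | Select-Object Name, ResourceCondition
```

The policy does nothing until it reaches the file server: it is distributed through Group Policy (Computer Configuration, Windows Settings, Security Settings, File System, Central Access Policy), picked up with gpupdate, and then attached to the root of the share in the folder's Advanced Security Settings under Central Policy. Two points matter in practice: a central access policy can only narrow what the share and NTFS permissions already grant, never widen it, so existing permissions keep working; and a file carrying none of the classification values matches no rule and is therefore not restricted by the policy at all, which is exactly why the existing, unclassified files discussed in the next section are the real obstacle.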

Handling of existing files is the major obstacle

A central access rule only applies to files that already carry the classification it tests, and the files an enterprise already holds carry none. dg classification closes this gap: through enterprise-wide, rule-based and automated classification of files, including all existing files, every file in the enterprise becomes immediately available to DAC. dg classification allows the enterprise-wide definition of classification rules and supports attribute-based as well as content-based classification.

Advantages of Dynamic Access Control and classification with dg classification:
  • More efficiency: DAC allows access rights to be ruled efficiently on file level for the first time
  • More security: DAC allows files to be protected independently of their storage location
  • More compliance: DAC allows enterprise-wide access rights to be allocated very precisely
  • Less effort: the entire existing set of files can be classified automatically

Because the attribute-based classification in particular is fast, classification can run iteratively in any number of cycles. Every time a new classification rule is defined, it is executed automatically in the background on all file servers concerned. Since content-based classification needs far more resources, it is applied only to the files that actually require it. The combination of both approaches yields a method that is practical at enterprise scale.

A simple example

Administering files that must be accessible to internal as well as external employees, such as project shares, becomes much easier. To give external employees access to project data but not to financial documents, it used to be necessary to maintain two separate directory structures and hope that users saved files in the right place. With DAC and automated classification this problem goes away: financial files can be stored together with all other files and are automatically protected from access by external employees through their classification. Because the classification is automatic, protection no longer depends on users picking the right folder; it depends instead on the classification rules recognising the financial documents, which is why those rules are defined centrally and applied to existing files as well.
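The classification side of the project-share scenario above, implemented with the File Server Resource Manager (FSRM) classifier that ships with Windows Server 2012 rather than with dg classification. This is an added example, not code from the article or from dataglobal; the share paths, the resource property IDs (ProjectName_MS, ConfidentialityLevel_MS), their values and the detection patterns are assumptions and must match the resource properties defined in Active Directory. It runs on the file server with the FSRM role service installed. The property values it writes are what a central access rule's resource condition later tests.

```powershell
# Added example (not from the article; built-in FSRM, not dg classification):
# an attribute-based (folder) rule that is cheap enough to run over everything,
# and a content-based rule limited to the one share where it is needed.
# Paths, property IDs, values and patterns are assumptions.
Import-Module FileServerResourceManager

# Pull the resource property definitions down from Active Directory so FSRM can
# write their values into the files on this server.
Update-FsrmClassificationPropertyDefinition

# Attribute-based rule: everything below the Phoenix project folder belongs to
# project Phoenix. No file content is read, so this is fast.
New-FsrmClassificationRule -Name "Phoenix by location" `
    -Namespace @("D:\Shares\Projects\Phoenix") `
    -ClassificationMechanism "Folder Classifier" `
    -Property "ProjectName_MS" -PropertyValue "Phoenix"

# Content-based rule: a document counts as financial when its text contains an
# IBAN-like account number or the word "Invoice". Every file in scope is opened
# and read, so the scope is restricted to the project share only.
New-FsrmClassificationRule -Name "Financial documents by content" `
    -Namespace @("D:\Shares\Projects") `
    -ClassificationMechanism "Content Classifier" `
    -ContentRegularExpression @('\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}\b', '\bInvoice\b') `
    -Property "ConfidentialityLevel_MS" -PropertyValue "Level2"

# Run the classification now instead of waiting for the scheduled job; this is
# also how a newly defined rule is applied to the existing files in scope.
Start-FsrmClassification

# Review the rules that are in place.
Get-FsrmClassificationRule | Select-Object Name, ClassificationMechanism, Property, PropertyValue
```

Two practical notes: the content classifier can only read file formats for which an IFilter is installed on the server, so documents in other formats are silently skipped by the content rule; and a rule leaves an already-set property alone unless it is created with a different -ReevaluateProperty setting than the default of Never, which matters as soon as classification is meant to run in repeated cycles. The result of a run can be checked on any file in the Classification tab of its properties dialog on the server, and the combined effect with the central access policy in the Effective Access tab.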

Concrete implementation of DAC

IT administration has little time and few resources for long, labour-intensive change processes. dataglobal has developed, in cooperation with Microsoft, an implementation concept for DAC that builds on existing processes and allows a gradual transition. Running the classical access control, based on AD groups and share/folder structures, in parallel makes it easy to start: a central access policy only narrows what the share and NTFS permissions already grant, so existing permissions keep working while new access rights based on the classification of files are added step by step.

About the Author

Bernd Hoeck

Bernd is Vice President Marketing at dataglobal. He is an expert on information management and holds a degree in Computer Science from the University of Manchester. He also founded bloodsugarmagic, a well-known think tank on strategic marketing, positioning and story building.
