Hi, I’m Tom Gemmell from Microsoft’s privacy strategy team.  I work to implement greater privacy and data governance capabilities in our products. 

As you might imagine, I’m smiling today on account of the newly available Windows Server 2008.  That’s because the product makes available many new capabilities for organizations to better govern and protect the private information they hold and use. 

Taking a step back, it’s worth reviewing why these capabilities are so important to organizations and end-users alike.  The proliferation and broad adoption of Internet and communication technologies that provide so many benefits to commercial, government and end-users alike has also resulted in the generation and accumulation of vast amounts of private information. 

Governance of that information is a tough task, and one that if not performed with confidence is harmful to both real people and to well-meaning organizations.  In this context, governance simply means that an organization applies policy-based controls on collection, use and storage processes. If people can’t trust organizations to protect their information, or if organizations haven’t the tools to meet their expectations or those of government regulators, not only do all parties stand to suffer financial damages but a prime enabler of economic health and growth at personal, organizational, national and global levels will be crippled. 

Trust in the Internet, and associated information technology and communication systems, is crucial to the effective functionality of how many of us have come to conduct our personal lives and business in the modern world.  Windows Server 2008 makes strides to create trust to the benefit of all.  A more detailed case and guidance on creating trust through data governance can be found in our just updated white paper titled Managing and Protecting Personal Information.

Effective data governance requires a methodological approach to securing information – one that encompasses people, processes and technology.  With the availability of Windows Server 2008 we can enjoy new technologies to better implement the data governance processes, policies, and practices needed to be compliant with regulations, and to promote trust and accountability. 

Now, I’d like to provide a sample of specific examples where Windows Server 2008 serves IT organizations data governance needs in four technology areas: secure infrastructure, identity and access control, information protection and auditing and reporting. 

·        Secure infrastructure: Server and Domain Isolation (SDI), another new feature in Windows Server 2008, creates a logical separation of network devices based on policy. SDI limits access to network resources to trusted, managed PCs, thereby reducing the risk of network-borne security threats and safeguarding sensitive data.

·        Identity and access control:  Federated Rights Management Services provides persistent protection for sensitive data; helps reduce risks and support compliance; and provides a platform for comprehensive information protection. Its Read-Only Domain Controller and BitLocker Drive Encryption let the organization more securely deploy Active Directory® Domain Services while restricting replication of the full Active Directory database, to better protect against server theft, corruption or compromise of the system.

·        Information protection:  Combining features in Windows Server 2008 with developer tools and industry security technologies, including encryption, Extensible Rights Markup Language (XrML)-based certificates, and Active Directory authentication, Windows RMS augments any organization’s security strategy by applying persistent usage policies that remain with the information, no matter where it goes. Information Rights Management technology extends the capabilities of RMS into the Microsoft Office system and Microsoft Internet Explorer.

·        Auditing and reporting:  a new global audit policy Audit directory service determines whether events are logged in the Security log when certain operations are carried out on objects in the directory. You can now control what operations to audit by modifying the system access control list (SACL) on an object such as when a successful change is made to an objects attributes.  Also the network policy server (NPS) in can now be used to set audit policies that determine the health of devices connecting to the network.

That’s a start anyway.  So, I’m going to keep smiling for today.  Hope you do too, and as a bonus here’s a heads up that the Windows Server 2008 Security Guide is also now available.  IT and business folks will both find an abundance of additional data governance enabling guidance on using Windows Server 2008 within it.

Thanks

Tom