Air Products wanted better control over employee access to data stored on file servers in Microsoft Office SharePoint and in applications. It turned to Windows Server 2012 and Dynamic Access Control as a potential solution to gain a powerful
and flexible way of managing access to those resources. It expects to improve corporate data security and reduce its approximately 35,000 security groups by about one-third.
Air Products serves customers in many industries, including food and beverage, health and personal care, energy, and transportation. Air Products' atmospheric gases, process and specialty gases, performance materials, equipment, and technologies help
customers become more productive, energy efficient, and sustainable.
Air Products employees generate large quantities of sensitive data and use a plethora of computers and devices to access their information. It is challenging for system administrators to ensure the security of corporate data and to comply with various regulations
in different countries. IT staff members use Active Directory Domain Services, the directory service that is an integral feature of the Windows Server operating system, to define employees’ access to resources. This requires setting up a new security group
for every unique combination of user attributes and information access need.
Additionally, each file server required its own security group for employee access. The groups created for file servers and shares, combined with the large numbers of groups required by other applications, meant that some employees' Kerberos
security tokens grew past the default maximum token size (the MaxTokenSize limit), which causes logon and authentication failures and created extra work for the IT staff who administer user access.
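The token-bloat problem described above is easy to check for before it breaks logons. The following PowerShell function is an added example written for this page, not a script from Air Products or Microsoft. It estimates a user's Kerberos token size from transitive security-group membership using the sizing formula Microsoft published for MaxTokenSize planning (TokenSize = 1200 + 40d + 8s), and flags users over the limit. It assumes the ActiveDirectory (RSAT) module is available and that the caller can read group membership; the parameter names and the 48000-byte default are the only values not taken from the page.

```powershell
# Added example, not from the case study: estimate a user's Kerberos token size from
# security-group membership, using the formula Microsoft published for MaxTokenSize planning:
#     TokenSize = 1200 + 40*d + 8*s
# d = domain-local groups + universal groups from other domains + SID-history entries
# s = global groups + universal groups in the user's own domain
# Needs the ActiveDirectory module (RSAT) and read access to group membership.
Import-Module ActiveDirectory

function Get-EstimatedTokenSize {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Default MaxTokenSize: 12000 bytes up to Windows 7 / Server 2008 R2,
        # 48000 bytes from Windows 8 / Server 2012 onward.
        [int] $MaxTokenSize = 48000
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties sIDHistory
    $userDomainSid = $user.SID.AccountDomainSid.Value

    # Transitive membership in a single LDAP query (matching-rule-in-chain OID).
    # The DN is escaped for the filter. The primary group (usually Domain Users) is not
    # listed in 'member', so it is not counted; the estimate is slightly low by design.
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" -Properties GroupScope, GroupCategory |
                Where-Object { $_.GroupCategory -eq 'Security' })   # distribution groups never enter the token

    $d = 0; $s = 0
    foreach ($g in $groups) {
        switch ($g.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($g.SID.AccountDomainSid.Value -eq $userDomainSid) { $s++ } else { $d++ } }
        }
    }
    if ($user.sIDHistory) { $d += $user.sIDHistory.Count }   # migrated accounts carry extra SIDs

    $estimate = 1200 + 40 * $d + 8 * $s
    [pscustomobject]@{
        User           = $SamAccountName
        SecurityGroups = $groups.Count
        EstimatedBytes = $estimate
        MaxTokenSize   = $MaxTokenSize
        OverLimit      = ($estimate -gt $MaxTokenSize)
    }
}

# Usage: list every enabled user whose estimated token exceeds the pre-2012 default of 12000 bytes.
Get-ADUser -Filter 'Enabled -eq $true' |
    ForEach-Object { Get-EstimatedTokenSize -SamAccountName $_.SamAccountName -MaxTokenSize 12000 } |
    Where-Object OverLimit |
    Sort-Object EstimatedBytes -Descending
```

The estimate is a planning number, not the exact token size; run it against the lower 12000-byte limit if any Windows 7 or Server 2008 R2 machines still authenticate to the servers in question, since the larger default applies only to the newer operating systems.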
“This is a difficult system to manage for the size and global reach of our company. Consequently, we had between 30,000 and 40,000 security groups,” says Ron Reiss, Manager for Global IT Security Engineering at Air Products. “Our critical security groups are
tightly controlled, but we have many instances where employees have more access rights than they need. As is typical in most companies, we are very efficient at provisioning access, but less so at deprovisioning access privileges. As a result, we face concerns
over losing control of confidential information and intellectual property.”
Air Products wanted a more flexible way to manage access to information based on specific employee attributes that aligned better with the company’s business and compliance needs.
In January 2012, Air Products joined the Microsoft Rapid Deployment Program (RDP) for the Windows Server 2012 operating system and worked with Microsoft Services to evaluate Dynamic Access Control, a file system authorization mechanism built into the operating system. The
IT staff can use Dynamic Access Control to grant access to file server data based on claims. A claim is an assertion about an employee or computing device, taken from an Active Directory attribute and issued by a Windows Server 2012 domain controller in the user's Kerberos ticket; access policies then combine claims into conditions such as
"User is from the Human Resources department in France." Because claims are issued by the domain controller and evaluated by the file server, the feature requires Windows Server 2012 on both roles, with claims support switched on through Group Policy. IT staffers can also define central access policies and central audit policies once, at the domain level, and apply them to file servers across the organization.
“We wanted to evaluate how Dynamic Access Control could simplify how we manage employee access to data and how to tie that into Active Directory Rights Management Services,” says Reiss. “Microsoft Services was very helpful in setting up our proof-of-concept
scenario.” In June 2012, the IT team deployed a server running the domain controller role and a file server in its test environment.
“We created a US test user and a US file server and used Dynamic Access Control to enact a roles-based claim saying that if you are based in the United States and are in the Marketing department, you can access this file,” says Paul Reilly, IT Security Analyst
at Air Products. “Until now, we had not been able to define user access this way, which is why we set up new security groups all the time. It was straightforward to set up the scenario using the Active Directory Administrative Center. Then we replicated the
scenario in our integration domain, which is a copy of our production domain.”
Air Products will gradually deploy centralized file access policies through Dynamic Access Control in 2013. “We need to start meta-tagging information and building a new file classification infrastructure before we introduce a claims-based access model.”
Air Products expects that IT staff will use Dynamic Access Control to centrally manage access to information and more closely meet the company’s global infrastructure and complex compliance needs. “We researched strategies to apply role-based access
control methodologies for years,” says Reiss. “With Windows Server 2012 and Dynamic Access Control, we can make progress toward that goal in a cost-effective way.”
Instead of setting up a new security group for every unique combination of user attributes and information access needs, IT staff can express access rules as conditions on claims that Dynamic Access Control derives from existing Active Directory attributes. The rules are defined once, centrally in the domain, and each file server evaluates them against the claims in a user's token when access is requested, so a change to an employee's attributes changes their access without anyone editing group memberships.
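The test scenario described earlier (a US-based user in Marketing may read a US file share) can be expressed as a central access policy instead of a new security group. The following PowerShell is an added example written for this page; it is not Air Products' configuration and not from Microsoft's own documentation. It assumes a Windows Server 2012 domain with the ActiveDirectory module loaded and domain-admin rights, and the claim-type IDs (`ad://ext/Department`, `ad://ext/Country`), the resource property `Country_MS`, the policy and rule names, and the share path `D:\Shares\Marketing` are all assumed names chosen for illustration.

```powershell
# Added example, not Air Products' configuration: model "US-based Marketing staff may read
# this share" with Dynamic Access Control instead of a new security group.
# Run on a Windows Server 2012 domain controller or a host with RSAT, as a domain admin.
# All IDs, names and paths below are illustrative assumptions.
Import-Module ActiveDirectory

# 1. User claims, sourced from AD attributes the workforce repository already keeps current.
#    'department' and 'c' (ISO country code) are standard user attributes in the AD schema.
New-ADClaimType -DisplayName "Department" -SourceAttribute department -ID "ad://ext/Department"
New-ADClaimType -DisplayName "Country"    -SourceAttribute c          -ID "ad://ext/Country"

# 2. A resource property used to classify folders ("which country's data is this?"),
#    published to file servers through the global resource property list.
New-ADResourceProperty -DisplayName "Country" -ID "Country_MS" -IsSecured $true `
    -ResourcePropertyValueType "MS-DS-Text"
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Country_MS"

# 3. Central access rule. The resource condition scopes the rule to folders classified
#    Country_MS = US. The ACL is SDDL with a conditional ACE (XA = callback-allowed ACE,
#    FRFX = read and execute, AU = Authenticated Users) that grants access only when the
#    caller's Kerberos token carries both claims. Owner/administrators keep full control (A;;FA;;;OU).
$acl = 'O:SYG:SYD:AR(A;;FA;;;OU)(XA;;FRFX;;;AU;((@USER.ad://ext/Country == "US") && (@USER.ad://ext/Department == "Marketing")))'
New-ADCentralAccessRule -Name "US Marketing read" `
    -ResourceCondition '(@RESOURCE.Country_MS == "US")' `
    -CurrentAcl $acl

# 4. Bundle rules into a policy. The policy is distributed to file servers by Group Policy
#    (Computer Configuration > Policies > Windows Settings > Security Settings > File System >
#    Central Access Policy) and claims must be enabled on DCs and clients via the
#    "KDC support for claims, compound authentication and Kerberos armoring" and
#    "Kerberos client support for claims, compound authentication and Kerberos armoring" settings.
New-ADCentralAccessPolicy -Name "Regional data policy"
Add-ADCentralAccessPolicyMember -Identity "Regional data policy" -Members "US Marketing read"

# 5. On the file server, after gpupdate: refresh the property definitions from AD, classify the
#    folder (Country_MS = US, via the folder's Classification tab or FSRM), then bind the policy.
Update-FsrmClassificationPropertyDefinition
Set-Acl -Path "D:\Shares\Marketing" -CentralAccessPolicy "Regional data policy"
```

Two points worth keeping in mind when adapting this. First, the central policy does not replace the folder's own NTFS ACL; both are evaluated and the effective access is the intersection, so an over-broad existing ACL still needs cleaning up. Second, use the proposed-ACL form (`-ProposedAcl`) on a rule first: it audits what the rule would deny without enforcing it, which is the safe way to find users who would lose access when a group-based grant is replaced by a claim condition.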
“We expect to reduce the number of security groups by about one-third,” says Reiss. “That’s because we can use expressions to define claims per employee, per device. We’ll reduce employee over-provisioning and, most importantly, greatly enhance our ability
to control data security.”
Air Products also expects to reduce IT labor in managing data access. The claims that Dynamic Access Control evaluates come from Active Directory attributes, and those attributes are kept current by the company's workforce repository, so an employee's access follows attribute changes such as a transfer or departure rather than depending on someone remembering to remove a group membership.
“Windows Server 2012 and Dynamic Access Control are powerful tools that can be leveraged to restrict employee access to shared data by country, department, and role,” concludes Reiss. “This claims-based approach is a more flexible, efficient, and secure
way to translate business requirements into information access policies.”