File Classification Infrastructure in Windows Server 2008 R2
Introduction
A new "File Classification Infrastructure" service has been introduced into Windows Server 2008 R2. It is used to classify and act upon files based on their business value, and is aimed at reducing administrative burden while increasing policy compliance.
Microsoft say that "Only by enforcing company policies and knowing how storage is utilized can administrators efficiently use their storage and mitigate the risks of data leakage", and that "IT organizations can now define policy that spans across the organization and can better translate business requirements to IT actions."
Description
The File Classification Infrastructure is used to:
- Analyse and classify files; and
- Run tasks informed by the classifications of files.
Classification works by analysing the content of files or their location, and then setting metadata properties to predefined values based on this.
Tasks can be scheduled that take actions based on these metadata properties.
For example, files including the phrase "Commercial-In-Confidence" could be moved to a folder on a different filesystem with more stringent security controls, irrespective of which folder they are in or what type of document they are.
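The classify-then-act flow described above, modelled in Python as an added example (it is not Microsoft's code and does not use the FCI API). The `Confidential` property name, the `legal` folder rule, case-insensitive matching and the sample files are assumptions made for illustration.

```python
import shutil
import tempfile
from pathlib import Path

PHRASE = "Commercial-In-Confidence"  # phrase from the article's example
SENSITIVE_FOLDER = "legal"           # hypothetical location rule

def classify(root: Path) -> dict:
    """Classification pass: map each file to its metadata properties."""
    props = {}
    for f in sorted(p for p in root.rglob("*") if p.is_file()):
        text = f.read_bytes().decode("utf-8", errors="ignore").lower()
        by_content = PHRASE.lower() in text  # assumption: case-insensitive
        by_location = f.relative_to(root).parts[0] == SENSITIVE_FOLDER
        # The property is set to a predefined value (yes/no), whichever
        # folder the file is in and whatever its extension.
        props[f] = {"Confidential": by_content or by_location}
    return props

def run_move_task(props: dict, root: Path, secure_root: Path) -> list:
    """Task pass: acts on property values only, never on file content."""
    moved = []
    for f, p in props.items():
        if p.get("Confidential"):
            dest = secure_root / f.relative_to(root)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(f), str(dest))
            moved.append(dest)
    return moved

def demo() -> tuple:
    """Build constructed sample files, classify them, then run the task."""
    samples = {  # constructed sample data
        "legal/contract.txt": "standard terms",
        "public/menu.csv": "day,lunch\nMon,soup",
        "misc/notes.log": "draft marked COMMERCIAL-IN-CONFIDENCE by legal",
    }
    with tempfile.TemporaryDirectory() as tmp:
        share, secure = Path(tmp, "share"), Path(tmp, "secure")
        for rel, body in samples.items():
            path = share / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        moved = run_move_task(classify(share), share, secure)
        moved_rel = sorted(m.relative_to(secure).as_posix() for m in moved)
        left = sorted(p.relative_to(share).as_posix()
                      for p in share.rglob("*") if p.is_file())
        return moved_rel, left
```

Keeping the two passes separate is the point: the task consumes only the stored property, so the same classification can drive several policies without re-scanning content.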

Example process and implementation (use case)
TBD.
- Evaluate information assets and context
- Assess impact on business due to a) unauthorized disclosure, and b) loss of data.
- Determine information sensitivity taxonomy and rules
- Implement properties (taxonomy) and rules.
- Monitor outcomes and review implementation.
SharePoint integration
Microsoft notes that "FCI integrates with Microsoft® Office SharePoint® Server 2007 so that file classification properties defined for Microsoft Office files on a file server persist with those files when they are uploaded into SharePoint."
However, this only applies to Office 2007 documents. Documents in other formats are not labelled in such a way using the out-of-the-box functionality in FCI.
One blog post (http://blogs.technet.com/filecab/archive/2009/05/11/classifying-files-ba...) mentions that the property types provided (for example, a "yes/no" field) are a strict subset of those provided by SharePoint. We take this to imply that the file classification infrastructure may be further integrated with SharePoint (possibly SharePoint 2010) in some way. Deeper integration with SharePoint 2007 is unlikely, but we will keep watching.
Interpretation
Microsoft are starting to move towards the position that different information has different business value, regardless of its physical representation. Historically, Microsoft's classification has been based on the physical representation of information: "which drive on which server?". In Microsoft's world, actions on files are typically either done in bulk, or at the discretion of anyone with permissions to do something.
A policy-based mechanism is a move away from the 'discretionary' model that Microsoft usually develop, and a move towards what is called mandatory access controls in military security circles. The idea is that irrespective of what a user wants (or even has permission to do), there are mandatory policies that exist to ensure consistency and compliance.
Indeed, it is the need for better compliance management that is driving the implementation of this kind of functionality, and the decreased administrative overhead that results is an added benefit.
Custom Development
The file classification infrastructure provides a COM interface based around the use of "managers".
- Report manager - for reports and tasks.
- Classification Manager - gives access to classifiers, rules and properties. Assign and enumerate properties.
- File groups
- File management
A number of classes are made available. These include:
- FsrmReportManager
- IFsrmCollection
- IFsrmReportJob
- FsrmClassificationManager (includes the CreatePropertyDefinition method)
- IFsrmPropertyDefinition
Remaining questions
Questions that arise:
- Will the file classification infrastructure be used more deeply by future versions of SharePoint?
- Can it be used for access control policies?

