

October 2004

Customers Ask About Rights Management Services

But does Microsoft understand user needs?

You've heard that when you send an email message to someone, you're sending it to the whole world because you never know how often it will be forwarded. Imagine the exposure your company risks when employees email confidential financial information, medical records, marketing strategies, or legal documents. According to a PricewaterhouseCoopers survey of business-technology managers, intellectual property theft cost businesses between $53 billion and $59 billion from July 1, 2000 to June 30, 2001.

To secure companies' sensitive information, Windows Server 2003 introduced Windows Rights Management Services (RMS). I surveyed some of our readers to find out what you think about this technology and whether you're using it, then shared the results with Angela Pan and Mario Juarez, product managers in Microsoft's Security Business and Technology Division, to get their response to what you said.

RMS Overview
Angela summarized RMS's functionality for me. RMS helps businesses keep their most sensitive information within the organization and lets content owners control how their content is used--who can open and modify a certain document, how long users can access it, and so on. (For more detailed information about RMS, go to http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx.)

If management asks why your company needs RMS, how should you answer? According to Angela, you'd begin at a point you can both agree on: You need to make sure that your business's information is protected from unintended recipients and unauthorized use. RMS lets you prevent accidental distribution and control what people can do with the information. Further, that protection remains with the file wherever it goes--if someone gains access to a diskette that contains RMS-protected information, that person must have a valid use license against that file in order to read it.

Many respondents to our survey raised the concern that RMS works only with Windows 2003 and can't interoperate with legacy and other systems. One reader hasn't implemented RMS because it's "not effective with cross-platform use, complicated, and obscure." Angela addressed this concern: "RMS is a service of Windows Server 2003, so it does require Windows Server 2003. You need RMS-enabled applications on top of the platform. RMS is a platform technology in which any application that becomes RMS-enabled can utilize the benefits. Although RMS itself needs to run on Windows 2003, the rest of your infrastructure can run on Windows 2000." However, Angela confirmed that RMS doesn't currently interoperate with other platforms, such as Linux.

Mario reminded me that Microsoft provides both client and server RMS software development kits (SDKs), so that any application can be RMS-enabled. Angela added that you can also use the SDKs to "rights-protect Web portal information."

Implementation and Use
When I asked about implementation, Angela said, "One of the goals of RMS is that it's easy to deploy. You can roll it out by GPO and SMS to get the client bits out." She added, "RMS is an Active Directory-integrated technology, so if your users have group email attributes in Active Directory, you can publish rights against groups." Thus, you can rights-protect a document against a group, and everybody within that group will have the same rights to that document.

Using RMS templates, you can define exactly what a policy means--for example, "company confidential" might mean that only full-time employees can access data, or it might mean that specific people have specific access rights to the data. Angela explained, "When a user applies that policy, it is enforced by the technology. Because RMS is integrated into Office 2003, the policy is integrated in daily work practices."

How might an end user take advantage of RMS? Angela gave herself as an example. "When we were launching RMS, I had price lists I had to protect. I had marketing plans. I had press communication, and I wanted to make sure it wasn't leaked to a competitor before the right time. So I would create the document and apply the policies specifying that members of my team were the only people who could consume this information. I would also set an expiration date so that after a certain date, this information was no longer valid" and even authorized users could no longer read the expired document.

The notion of content expiration touched on another question our readers raised: People are concerned about being able to retrieve data after users' rights to view it have expired. Mario put that concern to rest. "The author of the document still owns the document. So if the author decides someone still needs this content, it's simply a matter of reassigning the rights." What happens if a content owner leaves the company or you need to access a protected document that has expired rights--is doing so possible? Mario replied, "Absolutely yes. The document will not self-destruct and leave no record at all. It's still there."

"RMS has a 'super user' function," Angela interjected. "By using the super-user key, you can open any piece of content. We recommend that the super-user key be held by corporate legal counsel or someone pretty senior who can make the decision to open any content."

Why Not Use Existing Security?
Several readers believe that their current methods for protecting content are easier to use than RMS and less expensive to implement and maintain. One reader said, "We are using NTFS (ACL) sharing for data files and group policies to assign permission for standalone and domain-level access."

Angela replied, "Access control lists allow certain people access to a particular share. Once you have access to the share, you access all content on that share and save a copy locally onto your drive. The moment you take that content out of the firewall--maybe put it on a USB drive--that content is in the clear. You can do whatever you want with that piece of content." She added, "RMS gives you persistent file-level protection, which means you can still have access control lists in your security strategy. By adding RMS, even when you pull a protected document down from the share and put it on a USB drive, you know that only authorized people have access to that file."

 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved.