Share Protected Content with Azure Rights Management

Share protected content with Azure Rights Management

Overview Technical Article

Microsoft France

Published: September 2013 (Updated: October 2014)

Version: 1.0b

Author: Philippe Beraud, Arnaud Jumelet (Microsoft France)

For the latest information on RMS, please see

www.microsoft.com/rms

Copyright © 2014 Microsoft Corporation. All rights reserved.

Abstract: Organizations share information. The Microsoft Azure Rights Management service (Azure RMS) offering helps organizations keep their information secure, both inside and outside of the organization, by protecting sensitive documents both at rest and in motion with unprecedented ease.

The Azure Rights Management service indeed enables the flow of protected data on all important devices (not just Windows PCs), of all important file types (not just Microsoft Office documents), and lets these files be used by all important people in a user’s collaboration circle (not just within the user’s organization). In short, users can now share securely any content with anyone, i.e. with any business user or with any individuals. Anyone can sign up for free Microsoft Rights Management for individuals. This offer lets the authenticated users consume (and produce protected) content on the device of their choice.

This document provides information about the Rights Management sharing applications to share protected content on all important devices and the Rights Management for individuals to enable anyone to share protected content.

Table of Contents

Feedbacks 3

Introduction 4

Objectives of this paper 5

Non-objectives of this paper 6

Organization of this paper 6

About the audience 6

Sharing protected content on computers and all important devices 7

Leveraging the Microsoft RMS enlightened applications 7

Leveraging the Rights Management sharing applications 9

Sharing protected content with anyone 25

Feedback

For any feedback or comment regarding this document, please send a mail to .

Introduction

Every day, information workers use e-mail messages to exchange sensitive information such as financial reports and data, legal contracts, confidential product information, sales reports and projections, competitive analysis, research and patent information, customer records, employee information, etc.

Ever more powerful devices, converging technologies and the widespread use of the Internet have replaced in mobility situation what were (controlled and managed) laptops in past years. Today, information workers are highly interconnected and, with the consumerization of IT, more and more of them are using the device of their choice to access e-mails and work-related documents from just about anywhere. This raises new challenges for security. With the time, the type, volume and sensitivity of information that is exchanged has changed significantly. Mailboxes have transformed into repositories containing large amounts of potentially sensitive information. Furthermore, as of today, information workers are not just more mobile than ever before, but they are also more demanding on external collaboration. Users indeed expect to be able to collaborate seamlessly with any business user not only within the organization but also outside.

Considering the above, information leakage can be a serious threat to organizations. Leaks of confidential information can result in lost revenue, compromised ability to compete, unfairness in purchasing and hiring decisions, diminished customer confidence, and more. Consequently, IT needs to make sure that proper policies and technologies are in place with specifically the ability to protect and control access to sensitive corporate files from:

1. A broad base of the internal employees.
2. A collection of organizations or individuals the organizations and/or the information author choose to collaborate with.
3. Various exposure risks data is subject to notably when stored on non-managed devices, or in the cloud.

Each of these capabilities poses different challenges. These challenges demand effective Information Protection and Control (IPC) systems, which are not only secure but are also easy to apply, whether it’s to e-mail messages sent or documents (of all types) accessed from various devices, inside an organization or outside the organization to business partner organizations/individuals.

Note IPC is also known as a different set of names including: data leakage prevention, data loss protection, content filtering, enterprise rights management, etc. All of these categories aim to prevent an accidental and unauthorized distribution of sensitive information.

Protect is «Prove who you are» before granting access. The document is unlocked (in fact decrypted) if the user is authorized to access it. Control is «limit the usage of the information». Control goes a step further by granting people access while removing their abilities (for example, to edit, copy, or print) in accordance to usage policy.

One should note that IPC is available for more than a decade but only few organizations are using this kind of solution. This can be explained by previous lack of interest of Business Decision Makers or by the complexity generally observed when deploying such a far-reaching solution. Also user’s expectation is high and they are not tolerating any downtime. Users would not be satisfy if the protected document they are trying to read couldn’t be open because an Information Protection element is not responding or if it isn’t supported on their devices. Deploying on-premises IPC can be challenging and/or require significant knowledge to be done right. This was notably the case for Microsoft Active Directory Right Management Services (AD RMS)[1], an information protection technology that enables AD RMS-enabled applications such as Microsoft Office to protect digital content from unauthorized use, both online and offline, inside and outside of the organization’s boundaries.

Unlike AD RMS, the Azure Rights Management service provides for everyone a Software as a Service (SaaS) information protection solution that work across classic boundaries.

The Azure Rights Management service is included in the Office 365 Enterprise[2] E3 and E4 plans. It can also be purchased as a standalone with these plans: Office 365 Enterprise E1, Office 365 Enterprise K1, Exchange Online Plan 1, Exchange Online Plan 2, and Exchange Online Kiosk.

The Azure Rights Management service can be purchased standalone for use with the on-premises infrastructure thanks to Rights Management connector.

As a highly scalable and available cloud-based IPC solution run by Microsoft in data centers strategically located around the world, the Azure Rights Management service enables organizations of any size to minimize the effort required to implement an effective IPC to sustain the collaboration inside and outside of the organization’s boundaries.

Regardless of how the Azure Rights Management service is purchased by organizations (Office 365 SKUs or stand-alone SKU), by leveraging Azure Active Directory (Azure AD), the Azure Rights Management service acts as a trusted hub for secure collaboration where one organization can easily share information securely with other organizations without additional setup or configuration.

In this context, Microsoft RMS enlightened applications along with the Microsoft Rights Management sharing applications enable users to share protected content with any file format not only on computers but also on most popular mobile devices. The user experience is fast and straightforward.

As of today, information workers are not just more mobile than ever before, they also more demanding on external collaboration. Thus, users expect to be able to collaborate securely with any business user even those who don’t have signed up yet for the Azure Rights Management service. Thanks to the free Microsoft Rights Management for individuals, anyone can sign up for Azure Rights Management service and start collaborating on protected documents.

Objectives of this paper

This document provides information about Microsoft RMS enlightened applications and how they can be used to share and collaborate on sensitive corporate data. This paper also presents the Microsoft Rights Management sharing application that are available on all important devices.

Furthermore, by following the steps outlined in this document you should be able to share with anyone (any business user or any individual) thanks to the free Microsoft Rights Management for individuals offer.

Non-objectives of this paper

This document doesn’t offer a full description of the Azure Rights Management service offerings. It rather simply focusses on key aspects in the context of this paper that aims at providing the readers an understanding on how to collaborate with anyone on all important devices.

Note For an overview of the NEW Azure Rights Management services offerings, see the whitepaper Azure Rights Management services[3], the online documentation[4] as well as the posts on the RMS Team blog[5].

Organization of this paper

To cover the aforementioned objectives, this document is organized by themes, which are covered in the following sections:

§  Sharing on Computers and all important devices

§  Sharing with anyone

About the audience

This document is intended for IT professionals and system architects who are interested in understanding the various options for protecting and controlling information assets in their environment based on the Azure Rights Management service’s foundation and how to leverage the related capabilities.

Sharing protected content on computers and all important devices

The proliferation of consumer devices (smartphones, tablets and PCs) and ubiquitous information access is driving the organization to define a new model in which employees use their own devices to access sensitive corporate data. The model must be flexible enough while at the same time guarantees that sensitive corporate data are protected from unauthorized access regardless whether the user’s device is managed or not, etc.

To increase productivity, users ask for a secure and consistent way to access and share sensitive information from their devices.

Microsoft is delivering a solution on all important devices through the Azure Rights Management service. The Azure Rights Management service gives the capacity to make sensitive corporate information available to users on all important devices while protecting information during storage or in transit. Dispersed enterprise data can now be protected in a consistent way.

Once a document is protected, even if it is copied on a USB Key, stored on your laptop or on your mobile device, stored in any cloud provider’s storage of your choice, the document carries the same protection. The protection travels with the information whether it has been protected either locally or in the Cloud.

In other words, with the Azure Rights Management service, you can ensure that encryption is implemented for data-at-rest, data-in-transit and data-in-use (encryption-in-use is a capability that must be included in the application processing the data).

The Azure Rights Management service goes further than classical encryption technology by adding policies. That why, the Azure Rights Management service is fundamentally an effective Information Protection and Control (IPC) solution. One should stress that the Azure Rights Management service never has access to the data. The Azure Rights Management service is file transport and file storage agnostic. It operates on (all type of) files only when they are ‘activated’ (protected, opened/consumed) as notably described later in the next section.

Leveraging the Microsoft RMS enlightened applications

As time evolves, users now want to access corporate data (e-mails, Office documents, PDF documents, pictures, etc.) from anywhere from their devices. They also want a consistent user experience to access sensitive data from their devices, including a simplified sign-on process when accessing such information.

On should note that accessing or sharing a protected document is best experienced within an RMS enlightened application.

RMS enlightened applications enable individuals to protect and consume content. Content is protected by using encryption and must be decrypted before it can be consumed. When the file is protected, the individual applies permissions to the file such as the ability to print or edit. The application will need to honor these rights.

Such an application leverages for that purpose the RMS SDK 2.1[6] and above. The RMS SDK facilitates most of the protection flows and all initialization. It indeed takes care of all the underlying details about the environment and topologies, document expiration, certificate renewals, policy updates and more. Furthermore, if the application must honor the permission enforcement requested of it, the SDK makes enforcing the rights easier by providing APIs to control permissions such as printing, saving, forwarding, etc.

Note For additional details on permissions, see the MSDN articles AD RMS developer concepts[7] and Built-in Rights Usage Restriction Reference[8].

The RMS SDK protects the data within the runtime environment they are executing. This is normally a computers (Windows or Mac OS/X) or a mobile device (Windows RT, Windows Phone, iOS, or Android).

Note As of this writing, there is no specific support for Linux or Blackberry. The RESTful API support of the RMS SDK can be leveraged for that purpose. If there’s a platform that is missing and you consider critical, then you can contact the product team:

Those runtimes use the RMS SDK to interact with the Azure Rights Management service:

1. The Azure Rights Management service, when responding to client SDK requests, is responsible for the secure encryption key interchange with the SDK in order to protect the data without the data going to the Azure Rights Management service.
2. Once protected, the Azure Rights Management service plays key roles in document consumption:

1. The user must be authenticated. The Azure Rights Management service requests an authorization token from the appropriate identity provider. Generally, this is the on-premises federated identity infrastructure, such AD with AD FS, or the Azure AD organization’s tenant as part of Office 365 or as a stand-alone service but support for Microsoft Account (a.k.a. Live IDs) and Google IDs is seek to be introduced.
2. The user must be authorized. The Azure Rights Management service serves as a unified policy decision point and a policy enforcement point to follow policies established by your organization. This is done by having Azure Rights Management service process the document policy associated with a protected document and then decide if the recipient should be granted permission to view the document.
3. Every use must be logged. All user activity, successful or not, is logged in Azure Rights Management service’s logs enabling your IT staff to audit access.

Mobile device applications use the new lightweight Microsoft Rights Management SDK (RMS SDK) 4.0 with the latest mobile client, and benefit from Microsoft-provided user interfaces for consumption and protection behaviors. This not only saves time to build protection support, but it also provides a consistent protection user experience (UX) as the UX is integrated into the SDK itself.

Note The RMS SDK 4.0 is a simplified, next-generation API that enables a lightweight development experience in building or upgrading device apps with information protection via the RMS service, whether it is an on-premises AD RMS cluster with the mobile device extension or Azure RMS.