Microsoft Rights Management

Dan Plastina

Organizations share information. The Microsoft Rights Management services (RMS) offering helps organizations keep their information secure, both inside and outside of the organization, by protecting documents both at rest and in motion. Information protection is critical and, at this time, Microsoft is redoubling its investment in RMS. This document outlines our newest feature set, with a strong emphasis on the July preview deliverables. The following links complement this document with further information:

and WCA-B321
and

Microsoft RMS enables the flow of protected data on all important devices, of all important file types, and lets these files be used by all important people in a user’s collaboration circle. Yes, RMS will now protect any file type (not just Microsoft Office documents), let you access them on many devices (not just Windows PCs), and enable sharing with other organizations (not just within your organization). Furthermore, ITPros can perform simple, planned deployments of RMS or, if RMS is not deployed by the ITPro, information workers (IWs) can adopt RMS on their own (dubbed ‘RMS for Individuals’) for free.

The Microsoft Rights Management suite is implemented as a Windows Azure service. For brevity, we refer to it in this document as Azure RMS, to avoid confusion with Windows Server AD Rights Management Services (aka ADRMS). It comprises a set of RMS applications that work on all your common devices, a set of software development kits, and related tooling. By leveraging Windows Azure Active Directory, the Azure RMS service acts as a trusted hub for secure collaboration where one organization can easily share information securely with other organizations without additional setup or configuration. The other organization(s) may be existing Azure RMS customers but, if not, they can use a free Azure ‘RMS for Individuals’ capability.

This offering is in preview as of July 29 followed by general availability in October. Follow our blog at blogs.technet.com/b/rms for details. Also visit the updated site.

The Elephant in the Room

There is no escaping the recent news. If you’ve not yet seen Microsoft’s blog on this matter, please take a moment to read it now. In this section we’re going to ask that you consider this complex problem in layers and not idiomatically; please don’t ‘throw the baby out with the bathwater’. Specifically, consider the ability to protect and limit access to sensitive files from:

A) A broad base of your own internal employees

B) A collection of organizations you choose to collaborate with

C) Various exposure risks you are subject to when stored in the cloud

Each of these capabilities poses different challenges and it’s clearer now than ever that no solution can address every possible aspect of data protection in every possible situation. Fortunately, you can solve some of your data protection challenges now.

Let us begin with a few facts about Microsoft’s Azure-hosted Rights Management service:

  • Azure RMS is at the core of the Rights Management suite and relies on Windows Azure services.
  • A document is protected by RMS without the document being sent to the Azure service.
  • Viewing or sharing protected documents is enabled without the documents themselves being sent to the Azure service.
  • Sharing a file occurs without the document being relayed via the Azure RMS service.

Shared amongst all of the above statements: The Azure RMS service never sees your data. This is a common misunderstanding about the RMS technology stack, and we want to set the record straight: Actual customer content is never accessible to RMS data protection services, nor to anyone compelling the service to do something on their behalf.

Let’s dive in deeper with a diagram of the fictional US company Contoso, who is sharing data. It is a very accommodating company that shares data via the four modern data storage models:

1) The document is kept on premise. A presumption here is that the company has full control over its security perimeter, something that may not always be true. This caveat aside, the document is generally considered as being most private (note: we did not say ‘most secure’).

2) The document is shared with a second party named Fabrikam, a fictional company. The document is shared, in private, via what both parties deem to be a secure means (e.g. email, USB storage).

3) The document resides in any cloud provider’s SaaS application. From there, it is shared with others.

4) The document resides in any cloud provider’s storage. From there, it is shared with others.

In all four of these cases (1/2/3/4 above) the ITPro at Contoso, not Microsoft, was in charge of making storage location and transfer transport policy choices (though we all know the users often make their own choices). While those location and policy choices do have exposure related consequences, none of them result in the Azure RMS service having access to the data. Microsoft RMS is file transport and file storage agnostic. It operates on files only when they are ‘activated’ (protected, opened/consumed).

Tying this back with the A/B/C challenges above, the RMS offer is highly adept at handling the protection at rest needs of scenario A (protection within the organization) and scenario B (protection of a private communication between organizations).

For scenario C (data stored in the cloud; storage models 3 and 4 above) the considerations are more complex given that data has left the trusted perimeter of Contoso and the partially-trusted perimeter of Fabrikam. There is now a new actor that must provide a trusted storage perimeter in the eyes of the Security Officer. The media frenzy over data protection has turned this into a statement of distrust for the cloud, but savvy readers know well that the problem is far more subtle than this narrow view. We, the RMS team, often talk with customers whose own perimeter has been challenged by ‘unwanted guests’. In this context one ITPro recently said to us, “You have far more to lose (your reputation; your many SaaS/IaaS customers) than I do, so I must recognize the effort that you must be investing into establishing cloud security and trust”. This ITPro was spot on: we are investing a huge effort.

The Microsoft RMS components are scrutinized closely as they play a critical role in the overall secure document protection framework. Specifically, they enable the following:

A) The client SDKs protect the data within the runtime environment they are executing. This is normally a PC (Windows or Mac) or a mobile Device (Windows RT, Windows Phone, iOS, or Android). The device can also be a Windows server service (e.g. Exchange) or a solution provider’s value-add offering (e.g. Data Leakage Prevention). Those runtimes use the RMS SDK to interact with the Azure RMS service.

B) The Azure RMS server, when responding to client SDK requests, is responsible for the secure encryption key interchange with the SDK in order to protect the data without the data going to the Azure RMS service.

C) Once protected, the Azure RMS service plays key roles in document consumption:

  1. The user must be authenticated – Azure RMS requests an authorization token from the appropriate identity provider. Generally this is federated on-premise AD or Windows Azure AD but we’ll seek to shortly offer support for Microsoft Account (aka LiveID) and Google IDs.
  2. The user must be authorized – Azure RMS serves as a unified policy decision point and a policy enforcement point to follow policies established by your organization. This is done by having the RMS software process the document policy associated with a protected document and then decide if the user should be granted permission to view the document.
  3. Every use must be logged – All user activity, successful or not, is logged in Azure RMS logs, enabling your IT staff to audit access. We are now working with third parties to render distilled reports and/or dashboards from these logs.
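
The three consumption-time steps above (authenticate, authorize, log), modeled as an added example that is not part of the original paper and is not Microsoft's code. The class names, the issuer names, the rights VIEW and EDIT, and the "*@org" grant rule are assumptions made for illustration; the service's real policy format and API are not described on this page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

@dataclass
class DocumentPolicy:
    """Constructed stand-in for the policy attached to a protected document."""
    grants: dict                        # "user@org" or "*@org" -> set of rights
    expires: Optional[datetime] = None  # content expiry, if any

@dataclass
class PolicyService:
    """Hypothetical model of the three consumption-time roles; not the RMS API."""
    trusted_issuers: set
    audit_log: list = field(default_factory=list)

    def authenticate(self, token):
        # 1. Accept an identity only from an identity provider we trust.
        email = str(token.get("email", "")).lower()
        if token.get("issuer") in self.trusted_issuers and email.count("@") == 1:
            return email
        return None

    def authorize(self, user, policy, right, now):
        # 2. Evaluate the document policy; anything not granted is denied.
        if policy.expires is not None and now >= policy.expires:
            return False, "content expired"
        org_rule = "*@" + user.split("@")[1]
        granted = policy.grants.get(user, set()) | policy.grants.get(org_rule, set())
        return (True, "granted") if right in granted else (False, "right not granted")

    def request_use(self, token, doc_id, policy, right, now):
        user = self.authenticate(token)
        if user is None:
            allowed, reason = False, "authentication failed"
        else:
            allowed, reason = self.authorize(user, policy, right, now)
        # 3. Log every attempt, allowed or not (metadata only, never content).
        self.audit_log.append({"doc": doc_id, "claimed": token.get("email"), "right": right,
                               "allowed": allowed, "reason": reason, "time": now.isoformat()})
        return allowed

def demo():
    # Constructed requests against a constructed Contoso policy.
    svc = PolicyService(trusted_issuers={"contoso-ad", "fabrikam-ad"})
    policy = DocumentPolicy({"alice@contoso.com": {"VIEW", "EDIT"}, "*@fabrikam.com": {"VIEW"}},
                            expires=datetime(2013, 10, 1, tzinfo=timezone.utc))
    t0 = datetime(2013, 8, 1, tzinfo=timezone.utc)
    bob = {"issuer": "fabrikam-ad", "email": "bob@fabrikam.com"}
    forged = {"issuer": "unknown-idp", "email": "alice@contoso.com"}
    reqs = [(bob, "VIEW", t0), (bob, "EDIT", t0), (forged, "VIEW", t0),
            (bob, "VIEW", policy.expires)]
    results = [svc.request_use(tok, "doc-1", policy, r, at) for tok, r, at in reqs]
    return results, svc.audit_log
```

The denied requests matter as much as the allowed one: each leaves an audit entry with its reason, which is what lets IT staff review failed access attempts as well as successful ones.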

We hope that this section offered insight into the assurances we provide and the empowerment you have in making key choices. Let’s now move on to describing RMS.

Promises of the new Microsoft Rights Management services

Users:

  • I can protect any file type
  • I can consume protected files on devices important to me
  • I can share with anyone
      • Initially, I can share with any business user
      • I can eventually share with any individual (e.g. MS Account, Google IDs in CY14)
  • I can sign up for a free RMS capability if my company has yet to deploy RMS

ITPro:

  • I can keep my data on-premise if I don’t yet want to move to the cloud
  • I am aware of how my protected data is treated
  • I can control my RMS ‘tenant key’ from on-premise
  • I can rely on Microsoft in collaboration with Partners for complete solutions

These promises combine to create two very powerful scenarios:

1) Users can protect any file type. Then share the file with someone in their organization, in another organization, or with external users. They can feel confident that the recipient will be able to use it.

2) ITPros have flexibility in their choice of storage locale for their data and Security Officers have the flexibility of maintaining policies across these various storage classes. It can be kept on premise, placed in a business cloud data store such as SharePoint, or it can be placed pretty much anywhere and remain safe (e.g. thumb drive, personal cloud drive).

The next few sections will describe the various capabilities and experiences.

Users and their Document Protection Experience

The below screen shots are from applications made available to those who are accepted into the preview. If you want to start looking at Azure RMS, please request participation in the preview.

Documents are now very well supported by RMS. There are several important dimensions:

  • Users can protect any document type. The RMS API used by the RMS App or RMS-enlightened applications will do its best to protect the file in the most suitable format.
      • Native RMS-enlightened applications: DOC, DOCX, XLS, XLSX, PPT, PPTX, PDF
      • The free ‘RMS App’, an enlightened application itself: TXT, XML, JPG, JPEG, TIFF, GIF, BMP
      • Generically protected files are ‘wrapped’ and launched in the registered application.
        E.g. A Photoshop™ file becomes MyDrawing.PSD.PFILE. This protection offers access control without additional usage restrictions. Despite the lack of usage restrictions, you should not underestimate the value of authorization, education, and the ability to expire content.
  • The user can publish or consume protected documents on Windows for computers, Windows for tablets, Windows for phones, iOS, Android, and Apple OSX. Web sites and other operating systems can participate in the RMS ecosystem via RESTful service APIs.
  • Users can share these protected documents with users in their organizations, other organizations (B2B), and users who act as individuals (B2I; support for Microsoft Account and Google IDs comes later).
  • Consumption of rights protected content is free. (More below on pricing)

Protecting a document is best experienced within an RMS-enlightened application. As application developers utilize our new SDK, they will be providing a consistent user experience (UX) as the UX is integrated into the SDK itself. Outside of an RMS-enlightened application, the user can protect a document by using the RMS App’s integration in Windows and Apple OSX, as well as via Office toolbar extensions. Generally stated, the capability is either Protect in place or Share Protected, with a special affordance for capturing protected photos from mobile devices that have cameras.

  • Protect (in place): This flow will protect the file in place. The user can then take other actions to share the file, if need be. This flow is most suitable for personal or cloud-drive file protection flows. The user will be given the choice of protecting with an organizational template, protecting with a previously saved user template, or creating a new ad-hoc template.
  • Share Protected: This flow will protect a copy of the selected file leaving the original file in its prior state (which could also be protected). This flow has the user addressing the document to people (email addresses) and selecting related permissions. Upon sending, an unprotected email will be sent with the protected document. The user can customize the email before it is sent.
  • Share Protected (Camera): This flow will soon be available on mobile devices. The user will be permitted to take a picture and accept or retake it. Once selected, the above ‘Share Protected’ flow will apply and a protected JPG image will be attached.

Here is a visual example of sharing a sensitive file:

While in Word, you can save a document and invoke SHARE PROTECTED (added by the RMS application)


Note: An astute reader will notice that we added a button here instead of reusing what is already present in Office. Stated plainly, we needed to alter fundamental behaviors such as user interface, underlying RMS SDK support, and authentication. This new entry point mirrors the user interface you will see in the core OS views, as well as ISV applications.

You are then offered the protection screen. This screen will be provided by the SDK and thus will be the same in all RMS-enlightened applications:

When you are done with addressing and selecting permissions, you invoke SEND. An email will be created that is ready to be sent but you can edit it first:


Users and their Document Consumption Experience

In due time, the recipient of the above email simply opens the attachment to view it. This attachment, depending on the file type, will invoke the correct application. As of the RMS preview, your system will launch one of Word, Excel or PowerPoint for those respective files, the Foxit PDF Reader for protected PDFs, or the RMS App for text, images, or generically protected files (PFILEs).

If the user has an RMS-aware identity, they will be able to log in. Here you see an email with a PJPG (protected JPG). Upon opening, the user is asked to log in and then the image is rendered.

Note: In the July Preview, the mobile applications are not publicly available. We are prevented from getting them into your hands until such time as they have been accepted by the respective app stores. We ask that you trust us as we used them to produce the above screen captures. The store distribution acceptance process is underway and all will be released by/before our October general availability date.

Finally, in terms of enabling broad reach, recipients not in an RMS-supported organization can register for Microsoft Rights Management for individuals. This self-service offering permits early department-level adoption of the RMS services with limited need for IT support. It is a free offer. This offer lets the user consume and produce RMS protected content. The sign up process is simple:

1) The user is asked for their organizational email name: . At this time several checks are made before an ad-hoc RMS account is created. In particular we check to see if the parent organization already has a Windows Azure Active Directory tenant, if the user already had an account, etc. Failing all these important checks, the user is given an ad-hoc account for free. The below ITPro section offers more insight here as well as other IT-oriented advice.

2) To validate the user’s ownership of the cited ID, they are sent an email (Not shown below).

3) Once ownership is proven, the user is asked to provide a display name, a password, and country in order for their account to be provisioned. These self-service RMS for Individuals accounts will be re-validated on a monthly basis for users.

4) The user is prompted to install the RMS application upon completion. The RMS application requires administrative permissions in order to be installed and it is required to be installed in order to consume protected content in older versions of Microsoft Office.

In visual form: (Cropped to fit)

Try this live at Sign up for real or use the demo flow (<name>@contoso.com)

Users and their Email experience

An important class of information is email. Users can both consume and protect email within enlightened email clients and servers. Microsoft Outlook 2013, when backed by Exchange 2013, works with the Azure RMS offers out-of-the-box and offers fantastic new innovations that enable automatic RMS protection. The RMS connector (covered below) also enables Microsoft Exchange on premise offers to work with Azure RMS. Exchange Online, as part of the Office 365 suite, works directly with Azure hosted RMS. This suite of offers enables a very usable means to protect email within your company.

These email offers are not subject to the RMS for Individuals offers – they are capabilities of the RMS-enlightened application. RMS itself does not offer any email protection capability.

ITPro and their Experiences

In a few short pages this section can’t begin to do justice to all the moving parts within. We’ve recorded two 75-minute videos that we believe do a far better job: WCA-B322 and WCA-B321. We’ll instead focus here on offering a quick overview. The site also hosts much related information.