Windows Rights Management Services (RMS) Moshe Zrihen CTO, TrustNet.


Agenda

• The Business Problem
• Windows Rights Management Services
  – How RMS addresses the problem
  – Usage Scenarios & Regulation (SOX, HIPAA etc.)
  – How RMS works & Demo
  – RMS SP2, what’s new?
  – RMS integrated with Office 2007, SharePoint, Mobile
• Related Information
• Q&A

The Business Problem

Information Loss and Liability are a Growing Concern among Organizations…

Source: JupiterMedia, DRM in the Enterprise, May 2004. Source: Worldwide Secure Content Management 2005-2009 Forecast: The Emergence of Outbound Content Compliance, March 2005.

“Enterprises report forwarding of e-mails among their top three security breaches”

– Jupiter Research

“Organizations that manage patient health information, social security numbers, and credit card numbers are being forced by government and industry regulations to implement minimal levels of security to address leakage of personal information.”

– IDC

Horizontal Scenarios

Information Protection: sensitive e-mails, board communications, financial data, price lists, HR & Legal information

Corporate Governance: Sarbanes Oxley (US)

Financial Services: Equity Research, M&A (GLB, NASD 2711)

Healthcare & Life Services: Research, Clinical Trials (HIPAA)

Manufacturing & High Technology: Collaborative Design, Data Protection in Outsourcing

Government: RFP Process, Classified Information (HIPAA)

…Information Leakage is Broadly Reaching

Traditional solutions protect initial access…

[Diagram: an Access Control List perimeter and a Firewall perimeter (Yes/No) separate Authorized Users from Unauthorized Users; the arrow labelled Information Leakage crosses from the authorized side to the unauthorized side.]

…but not usage

Today’s policy expression…

…lacks enforcement tools

How does RMS address the problem?

Safeguard Sensitive Information with RMS: protect e-mail, documents, and Web content

End User Scenarios

Secure Intranets (IE w/RMA, Windows RMS)
– Users without Office 2003 can view rights-protected files
– Enforces assigned rights: view, print, export, copy/paste & time-based expiration

Secure Documents (Word 2003/7, PowerPoint 2003/7, Excel 2003/7, Windows RMS)
– Control access to sensitive info
– Set access level: view, change, print...
– Determine length of access
– Log and audit who has accessed rights-protected information

Secure Emails (Outlook 2003 & 2007, Windows RMS)
– Keep corporate e-mail off the Internet
– Prevent forwarding of confidential information
– Templates to centrally manage policies

Usage Scenarios & Regulation (SOX, HIPAA etc.)

Section 404-1

SECURITIES AND EXCHANGE COMMISSION 17 CFR PARTS 210, 228, 229, 240, 249, 270 and 274

MANAGEMENT'S REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING AND CERTIFICATION OF DISCLOSURE IN EXCHANGE ACT PERIODIC REPORTS

As directed by Section 404 of the Sarbanes-Oxley Act of 2002, we are adopting rules requiring companies subject to the reporting requirements of the Securities Exchange Act of 1934, other than registered investment companies, to include in their annual reports a report of management on the company's internal control over financial reporting. The internal control report must include: a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company; management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year; a statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting; and a statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting. Under the new rules, a company is required to file the registered public accounting firm's attestation report as part of the annual report. Furthermore, we are adding a requirement that management evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. Finally, we are adopting amendments to our rules and forms under the Securities Exchange Act of 1934 and the Investment Company Act of 1940 to revise the Section 302 certification requirements and to require issuers to provide the certifications required by Sections 302 and 906 of the Sarbanes-Oxley Act of 2002 as exhibits to certain periodic reports.

Sarbanes-Oxley Act of 2002

Companies must implement, evaluate, and report on controls for financial reporting, operations, and compliance

How RMS enables SOX Compliance

Requirement → How RMS/Microsoft Addresses

ID Management: Identity management and authentication provided by Active Directory

Authorization: Provided by policies in RMS use license; control recipient’s use of content

Access Control: Provided by RMS and RMS-enabled applications based on public/private key exchange. RMS protects sensitive information from unauthorized access by applying encryption-based protection (RSA 128-bit) that travels with the information wherever it goes

Attestation: Available through strong authentication (e.g. two factor authentication w/smart cards) or using S/MIME

Prevention of Modification: Provided by RMS policy, which protects documents in storage and in transit; document author controls what authorized users can do with content (e.g. view only)

Monitoring: Provided by auditing & logging: RMS creates a log entry for every action, including instances of document access or attempted access

Government Hospitals must protect patient data through access controls, user authentication, and auditing

How RMS enables HIPAA Compliance

Requirement → How RMS/Microsoft Addresses

Authentication: Provided by policies in RMS use license; control recipient’s use of content

Access Control: Provided by RMS and RMS-enabled applications based on public/private key exchange. RMS protects sensitive information from unauthorized access by applying encryption-based protection (RSA 128-bit) that travels with the information wherever it goes

Audit Controls: Establish a nonrepudiable audit trail to log every action related to a document’s publication and use licenses. RMS database tracks who makes a request, when the request was made, which files were requested, and the outcome of the request

Data Authentication / Prevention of Modification: Provided by RMS policy, which protects documents in storage and in transit; document author controls what authorized users can do with content (e.g. view only)

Encryption (recommended): Based on RSA 128-bit encryption (see above)

Companies must use information security technology to secure storage and transport of personal financial data

How RMS Enables GLBA, 357 Compliance

DEPARTMENT OF HEALTH AND HUMAN SERVICES Food and Drug Administration

21 CFR Part 11 [Docket No. 92N-0251]

SUMMARY: The Food and Drug Administration (FDA) is issuing regulations that provide criteria for acceptance by FDA, under certain circumstances, of electronic records, electronic signatures, and handwritten signatures executed to electronic records…

Section 11.10 describes controls for closed systems, systems to which access is controlled by persons responsible for the content of electronic records on that system. These controls include measures designed to ensure the integrity of system operations and information stored in the system. Such measures include: (1) Validation; (2) the ability to generate accurate and complete copies of records; (3) archival protection of records; (4) use of computer-generated, time-stamped audit trails; (5) use of appropriate controls over systems documentation; and (6) a determination that persons who develop, maintain, or use electronic records and signature systems have the education, training, and experience to perform their assigned tasks. Section 11.10 also addresses the security of closed systems and requires that: (1) System access be limited to authorized individuals; (2) operational system checks be used to enforce permitted sequencing of steps and events as appropriate; (3) authority checks be used to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform operations; (4) device (e.g., terminal) checks be used to determine the validity of the source of data input or operation instruction; and (5) written policies be established and adhered to holding individuals accountable and responsible for actions initiated under their electronic signatures, so as to deter record and signature falsification.

Section 11.30 sets forth controls for open systems, including the controls required for closed systems in Sec. 11.10 and additional measures such as document encryption and use of appropriate digital signature standards to ensure record authenticity, integrity, and confidentiality. Section 11.50 requires signature manifestations to contain information associated with the signing of electronic records.

Food and Drug Manufacturers must digitally sign documents used in the manufacturing process and provide audit records, protected archival, and documented access controls

FDA Compliance: FDA 21 CFR PART 11

How RMS works & Demo

How does RMS work?

Participants: Information Author, the Recipient, RMS Server (backed by SQL Server and Active Directory)

1. Author receives a client licensor certificate the first time they rights-protect information
2. Author defines a set of usage rights and rules for their file; application creates a “publishing license” and encrypts the file
3. Author distributes file
4. Recipient clicks file to open; the application calls to the RMS server, which validates the user and issues a “use license”
5. Application renders file and enforces rights
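Added example, not from the deck and not Microsoft's RMS SDK: a Python model of the five steps above, which also exercises the points the SOX/HIPAA tables make (rights granted through Active Directory groups, time-based expiration, a log entry for every request including denied ones, and licenses that cannot be edited without the author's key). Everything here is a labelled stand-in: HMAC-SHA256 replaces the RSA-signed certificates and licenses, a SHA-256 counter keystream XOR replaces the content cipher, a dict replaces Active Directory and the SQL Server log, and the names RmsServer, publish, open_file and the users alice/bob/eve are constructed for the example.

```python
"""Toy model of the five-step RMS flow: client licensor certificate, publishing
license, distribution, use license, enforcement.  Added example, not RMS code.
Stand-ins (assumptions): HMAC-SHA256 for RSA signatures, SHA-256 keystream XOR
for the content cipher, dicts for Active Directory and the SQL audit database."""
import hashlib
import hmac
import json
import os
import time

RIGHTS = {"VIEW", "CHANGE", "PRINT", "COPY", "EXPORT"}   # rights named on the slides


def _sign(key: bytes, payload: dict) -> str:
    """Stand-in for an RSA signature over a canonical JSON serialisation."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def _valid(key: bytes, obj: dict) -> bool:
    body = {k: v for k, v in obj.items() if k != "sig"}
    return hmac.compare_digest(_sign(key, body), obj["sig"])


def _xor_cipher(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || block counter). Not for real use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


class RmsServer:
    def __init__(self, directory: dict):
        self.server_key = os.urandom(32)   # stand-in for the server's private key
        self.directory = directory         # AD stand-in: user -> set of group names
        self.author_keys = {}              # server-side copy of keys handed out with CLCs
        self.log = []                      # SQL stand-in: one audit entry per request

    def issue_clc(self, author: str):
        """Step 1: the author gets a client licensor certificate (and its key)."""
        key = os.urandom(16)
        self.author_keys[author] = key
        clc = {"author": author}
        clc["sig"] = _sign(self.server_key, clc)
        self.log.append(("clc", author, "issued"))
        return clc, key

    def issue_use_license(self, user: str, pl: dict, now: float):
        """Step 4: validate the user and the publishing license, then issue a use license."""
        author_key = self.author_keys.get(pl["clc"].get("author"))
        if (author_key is None or not _valid(self.server_key, pl["clc"])
                or not _valid(author_key, pl)):
            self.log.append(("use", user, "bad-license"))   # edited rights or forged CLC
            return None
        if user not in self.directory:
            self.log.append(("use", user, "unknown-user"))
            return None
        if now > pl["expires"]:
            self.log.append(("use", user, "expired"))       # time-based expiration
            return None
        granted = set(pl["rights"].get(user, []))
        for group in self.directory[user]:
            granted |= set(pl["rights"].get(group, []))     # rights via AD groups / DLs
        if not granted:
            self.log.append(("use", user, "denied"))
            return None
        self.log.append(("use", user, "granted"))
        # Only now does the content key leave the server, bound to this user's rights.
        ul = {"user": user, "rights": sorted(granted), "expires": pl["expires"],
              "content_key": _xor_cipher(author_key, bytes.fromhex(pl["wrapped_key"])).hex()}
        ul["sig"] = _sign(self.server_key, ul)
        return ul


def publish(clc: dict, author_key: bytes, plaintext: bytes, rights: dict, expires: float):
    """Step 2: author defines rights; the application builds a signed publishing
    license and encrypts the file with a fresh content key. Step 3 just ships both."""
    assert all(set(r) <= RIGHTS for r in rights.values())
    content_key = os.urandom(32)
    pl = {"clc": clc, "rights": rights, "expires": expires,
          "wrapped_key": _xor_cipher(author_key, content_key).hex()}  # recoverable by the server only
    pl["sig"] = _sign(author_key, pl)
    return pl, _xor_cipher(content_key, plaintext)


def open_file(server: RmsServer, user: str, pl: dict, blob: bytes, action: str, now: float):
    """Steps 4-5: fetch a use license and render only if it grants `action`."""
    ul = server.issue_use_license(user, pl, now)
    if ul is None or action not in ul["rights"]:
        return None                      # the application enforces rights, not the file
    return _xor_cipher(bytes.fromhex(ul["content_key"]), blob)


def demo():
    """Constructed scenario: bob publishes a price list readable by the finance group."""
    server = RmsServer({"alice": {"finance"}, "bob": set(), "eve": set()})
    clc, author_key = server.issue_clc("bob")
    now = time.time()
    pl, blob = publish(clc, author_key, b"Q3 price list (constructed sample)",
                       {"finance": ["VIEW"], "bob": ["VIEW", "CHANGE", "PRINT"]}, now + 3600)
    tampered = json.loads(json.dumps(pl))
    tampered["rights"]["eve"] = ["VIEW"]            # edited without the author key
    return {
        "alice_view": open_file(server, "alice", pl, blob, "VIEW", now),
        "alice_print": open_file(server, "alice", pl, blob, "PRINT", now),
        "eve_view": open_file(server, "eve", pl, blob, "VIEW", now),
        "tampered": open_file(server, "eve", tampered, blob, "VIEW", now),
        "after_expiry": open_file(server, "bob", pl, blob, "VIEW", now + 7200),
        "log": server.log,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The design point worth noticing is where the content key lives: the protected file and its publishing license can be copied anywhere, but the key is only released inside a use license after the server has checked the license signature, the directory, the expiry and the recipient's rights, and every one of those decisions, granted or not, lands in the log.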

Apply Permissions to New Email

– Add users with Read and Change permissions
– Verify aliases & DLs via AD
– Add advanced permissions
– Set expiration date
– Enable print, copy permissions
– Add/remove additional users
– Contact for permission requests
– Enable viewing via RMA

RMS SP2, what’s new?

Office 2007
• Client applications
  – Outlook
  – Word
  – PowerPoint
  – Excel
  – InfoPath (new)
• Server applications
  – SharePoint (new)
• Windows Mobile
  – Support for Windows Mobile 6

SharePoint 2007: Protected document libraries
– Policy applied at document library level
– Protects document on download
– Document protected to user
– Information searchable on server
– Sticky permissions: SharePoint rights are mapped to IRM permissions
– File format specific: out-of-the-box support for Word, Excel, PowerPoint, InfoPath, and XPS files

[Screenshot: Protected doc library]

Windows Mobile: Smartphone and Pocket PC
– Optimizations for Mobile platform
– RMS API part of Mobile SDK
– Pocket Inbox, Word, Excel, and PowerPoint

Content / Consume / Publish
– Word, PowerPoint, and Excel documents: Consume Y, Publish Y
– E-mail: Consume Y, Publish N

RMS Live Demo

Related Info

Related Links:

• http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx

• http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/rmenterprise.mspx

Thank you for listening

[email protected]