Windows Rights Management Services (RMS) Moshe Zrihen CTO, TrustNet.
Agenda
• The Business Problem
• Windows Rights Management Services
– How RMS addresses the problem
– Usage scenarios & regulation (SOX, HIPAA, etc.)
– How RMS works & demo
– RMS SP2: what's new?
– RMS integrated with Office 2007, SharePoint, Mobile
• Related Information
• Q&A
Information Loss and Liability are a Growing Concern among Organizations…
"Enterprises report forwarding of e-mails among their top three security breaches"
– Jupiter Research
"Organizations that manage patient health information, social security numbers, and credit card numbers are being forced by government and industry regulations to implement minimal levels of security to address leakage of personal information."
– IDC
Sources: JupiterMedia, DRM in the Enterprise, May 2004; Worldwide Secure Content Management 2005-2009 Forecast: The Emergence of Outbound Content Compliance, March 2005
Horizontal Scenarios
• Information Protection: sensitive e-mails, board communications, financial data, price lists, HR & Legal information
• Corporate Governance: Sarbanes-Oxley (US)
• Financial Services: Equity Research, M&A (GLB, NASD 2711)
• Healthcare & Life Sciences: Research, Clinical Trials (HIPAA)
• Manufacturing & High Technology: Collaborative Design, Data Protection in Outsourcing
• Government: RFP Process, Classified Information (HIPAA)
…Information Leakage is Broadly Reaching
Traditional solutions protect initial access … but not usage
(Diagram: the access control list and the firewall perimeter decide Yes/No between authorized and unauthorized users, but once an authorized user holds the information, nothing stops it leaking onward to unauthorized users.)
End User Scenarios: Safeguard Sensitive Information with RMS
Protect e-mail, documents, and Web content.
• Secure Documents (Word, PowerPoint, Excel 2003/2007 with Windows RMS): control access to sensitive information; set the access level (view, change, print, ...); determine the length of access; log and audit who has accessed rights-protected information.
• Secure E-mails (Outlook 2003 & 2007 with Windows RMS): keep corporate e-mail off the Internet; prevent forwarding of confidential information; templates to centrally manage policies.
• Secure Intranets (Internet Explorer with the Rights Management Add-on (RMA), Windows RMS): users without Office 2003 can view rights-protected files; the assigned rights are enforced: view, print, export, copy/paste, and time-based expiration.
Section 404-1
SECURITIES AND EXCHANGE COMMISSION 17 CFR PARTS 210, 228, 229, 240, 249, 270 and 274
MANAGEMENT'S REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING AND CERTIFICATION OF DISCLOSURE IN EXCHANGE ACT PERIODIC REPORTS
As directed by Section 404 of the Sarbanes-Oxley Act of 2002, we are adopting rules requiring companies subject to the reporting requirements of the Securities Exchange Act of
1934, other than registered investment companies, to include in their annual reports a report of management on the company's internal control over financial reporting. The internal
control report must include: a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year; a statement
identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting; and a statement that the registered
public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's assessment of the company's
internal control over financial reporting. Under the new rules, a company is required to file the registered public accounting firm's attestation report as part of the annual report.
Furthermore, we are adding a requirement that management evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter that
has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. Finally, we are adopting amendments to our rules and forms
under the Securities Exchange Act of 1934 and the Investment Company Act of 1940 to revise the Section 302 certification requirements and to require issuers to provide the
certifications required by Sections 302 and 906 of the Sarbanes-Oxley Act of 2002 as exhibits to certain periodic reports.
Sarbanes-Oxley Act of 2002
Companies must implement, evaluate, and report on controls for financial reporting, operations, and compliance.
How RMS Enables SOX Compliance
Requirement: How RMS/Microsoft addresses it
• ID Management: Identity management and authentication provided by Active Directory.
• Authorization: Provided by the policies in the RMS use license, which control the recipient's use of the content.
• Access Control: Provided by RMS and RMS-enabled applications based on public/private key exchange. RMS protects sensitive information from unauthorized access by applying encryption-based protection that travels with the information wherever it goes (AES 128-bit encryption of the content, with RSA 1024-bit keys protecting the content key in the licenses).
• Attestation: Available through strong authentication (e.g. two-factor authentication with smart cards) or using S/MIME.
• Prevention of Modification: Provided by RMS policy, which protects documents in storage and in transit; the document author controls what authorized users can do with the content (e.g. view only).
• Monitoring: Provided by auditing & logging: the RMS server creates a log entry for every licensing request it receives, so each document access or attempted access that reaches the server (who, when, which content, and the outcome) is recorded.
Government hospitals must protect patient data through access controls, user authentication, and auditing.
How RMS Enables HIPAA Compliance
Requirement: How RMS/Microsoft addresses it
• Authentication: Identity management and authentication provided by Active Directory; the policies in the RMS use license then control the recipient's use of the content.
• Access Control: Provided by RMS and RMS-enabled applications based on public/private key exchange. RMS protects sensitive information from unauthorized access by applying encryption-based protection that travels with the information wherever it goes (AES 128-bit content encryption, RSA 1024-bit key protection).
• Audit Controls: Establish an audit trail that logs every request related to a document's publishing and use licenses. The RMS database tracks who made a request, when the request was made, which content was requested, and the outcome of the request.
• Data Authentication / Prevention of Modification: Provided by RMS policy, which protects documents in storage and in transit; the document author controls what authorized users can do with the content (e.g. view only).
• Encryption (recommended): Based on AES 128-bit content encryption with RSA 1024-bit key protection (see above).
Companies must use information security technology to secure storage and transport of personal financial data.
How RMS Enables GLBA, 357 Compliance
DEPARTMENT OF HEALTH AND HUMAN SERVICES Food and Drug Administration
21 CFR Part 11 [Docket No. 92N-0251]
SUMMARY: The Food and Drug Administration (FDA) is issuing regulations
that provide criteria for acceptance by FDA, under certain circumstances, of electronic records, electronic signatures, and handwritten signatures executed to electronic records…
Section 11.10 describes controls for closed systems, systems to which access is controlled by persons responsible for the content of electronic records on that system. These controls include measures designed to ensure the integrity of system operations and information stored in the system. Such
measures include: (1) Validation; (2) the ability to generate accurate and complete copies of records; (3) archival protection of records; (4) use
of computer-generated, time-stamped audit trails; (5) use of appropriate controls over systems documentation; and (6) a determination that persons who develop, maintain, or use electronic records
and signature systems have the education, training, and experience to perform their assigned tasks. Section 11.10 also addresses the
security of closed systems and requires that: (1) System access be limited to authorized individuals; (2) operational system checks be used to enforce permitted sequencing of steps and events as appropriate;
(3) authority checks be used to ensure that only authorized individuals can use the system, electronically sign a record, access the
operation or computer system input or output device, alter a record, or perform operations; (4) device (e.g., terminal) checks be used to determine the validity of the source of data input or operation
instruction; and (5) written policies be established and adhered to holding individuals accountable and responsible for actions initiated
under their electronic signatures, so as to deter record and signature falsification.
Section 11.30 sets forth controls for open systems, including the controls required for closed systems in Sec. 11.10 and additional measures such as document encryption and use of appropriate digital
signature standards to ensure record authenticity, integrity, and confidentiality. Section 11.50 requires signature
manifestations to contain information associated with the signing of electronic records.
FDA Compliance: FDA 21 CFR Part 11
Food and drug manufacturers must digitally sign documents used in the manufacturing process and provide audit records, protected archival, and documented access controls.
How does RMS work?
Participants: the information author, the recipient, and the RMS server (backed by SQL Server and Active Directory).
1. The author receives a client licensor certificate the first time they rights-protect information.
2. The author defines a set of usage rights and rules for their file; the application creates a "publishing license" and encrypts the file.
3. The author distributes the file.
4. The recipient clicks the file to open it; the application calls the RMS server, which validates the user and issues a "use license".
5. The application renders the file and enforces the rights.
Demo (permission dialog callouts): set expiration date; enable print and copy permissions; add/remove additional users; contact for permission requests; enable viewing via RMA.
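The five steps above, modelled as a small Python program. This is an added example, not Microsoft's RMS code or the deck's demo, and every primitive is a labelled stand-in: HMAC-SHA256 replaces the RSA signatures on the client licensor certificate and the licenses, a SHA-256 counter keystream replaces both the AES-128 content cipher and the RSA wrapping of the content key, the server object doubles as the server "public key" the author would normally hold offline, and the user names, rights and document text are constructed sample data. What it shows beyond the slide is the split of enforcement: the server decides per user whether to issue a use license and logs that decision, while rights such as print are enforced by the application on the client, so the server log records license requests, not every in-app action.

```python
# Toy RMS publish/use-license flow. Added example, not Microsoft code.
# Stand-ins (assumptions): HMAC-SHA256 for RSA signatures; SHA-256 counter
# keystream for AES-128 content encryption and for RSA key wrapping.
import hashlib
import hmac
import json
import secrets
import time

RIGHTS = {"view", "print", "copy"}


def _keystream_xor(key, data):
    """Toy stream cipher: XOR with SHA-256(key || block counter). Stand-in for AES-128."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def _sign(key, payload):
    # Signs canonical JSON of every field except "sig". Stand-in for an RSA signature.
    body = {k: v for k, v in payload.items() if k != "sig"}
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()


def _verify(key, signed):
    return hmac.compare_digest(_sign(key, signed), signed.get("sig", ""))


class RmsServer:
    """Issues CLCs (step 1) and use licenses (step 4); logs every request (monitoring)."""

    def __init__(self, directory):
        self.directory = set(directory)            # stand-in for Active Directory accounts
        self.server_key = secrets.token_bytes(32)  # stand-in for the server's RSA key pair
        self.log = []                              # stand-in for the RMS SQL logging database

    def issue_clc(self, author):
        if author not in self.directory:
            raise PermissionError(f"unknown user {author}")
        clc = {"author": author, "key": secrets.token_bytes(32).hex()}
        clc["sig"] = _sign(self.server_key, clc)
        return clc

    def wrap_content_key(self, content_key):
        # Real RMS: the content key is encrypted to the server's RSA public key, so only it can unwrap.
        return _keystream_xor(self.server_key, content_key).hex()

    def issue_use_license(self, pl, user):
        entry = {"user": user, "content_id": pl["content_id"], "time": int(time.time())}
        try:
            if not _verify(self.server_key, pl["clc"]):
                raise PermissionError("CLC not issued by this server")
            if not _verify(bytes.fromhex(pl["clc"]["key"]), pl):
                raise PermissionError("publishing license tampered")
            if user not in self.directory:
                raise PermissionError("user not in directory")
            if pl["expires"] is not None and time.time() > pl["expires"]:
                raise PermissionError("content expired")
            rights = pl["rights"].get(user)
            if not rights:
                raise PermissionError("no rights granted to user")
        except PermissionError as exc:
            self.log.append({**entry, "outcome": f"denied: {exc}"})
            raise
        self.log.append({**entry, "outcome": "granted"})
        key = _keystream_xor(self.server_key, bytes.fromhex(pl["wrapped_key"]))
        return {"user": user, "rights": rights, "content_key": key.hex()}


def publish(clc, plaintext, rights, server, expires=None):
    """Step 2 (author side): encrypt the file and attach a publishing license signed with the CLC key."""
    if any(set(r) - RIGHTS for r in rights.values()):
        raise ValueError("unknown right")
    content_key = secrets.token_bytes(32)
    pl = {"content_id": secrets.token_hex(8), "clc": clc, "expires": expires,
          "rights": {u: sorted(r) for u, r in rights.items()},
          "wrapped_key": server.wrap_content_key(content_key)}
    pl["sig"] = _sign(bytes.fromhex(clc["key"]), pl)
    return {"ciphertext": _keystream_xor(content_key, plaintext).hex(), "license": pl}


def open_protected(protected, use_license, action="view"):
    # Step 5: the RMS-enabled application enforces the rights named in the use license.
    if action not in use_license["rights"]:
        raise PermissionError(f"{action} not permitted for {use_license['user']}")
    key = bytes.fromhex(use_license["content_key"])
    return _keystream_xor(key, bytes.fromhex(protected["ciphertext"]))


def demo():
    server = RmsServer({"author", "alice", "bob"})                 # constructed sample directory
    clc = server.issue_clc("author")                              # step 1
    doc = publish(clc, b"Board pack: pending M&A",                # steps 2-3 (constructed content)
                  {"alice": {"view"}, "bob": {"view", "print"}}, server)
    out = {"alice_view": open_protected(doc, server.issue_use_license(doc["license"], "alice"))}
    cases = [("alice_print", doc["license"], "alice", "print"),  # license granted, app denies print
             ("outsider", doc["license"], "mallory", "view"),     # not in the directory
             ("tampered", {**doc["license"], "rights": {"alice": ["view", "print"]}}, "alice", "print")]
    for label, lic, user, action in cases:
        try:
            open_protected(doc, server.issue_use_license(lic, user), action)
            out[label] = "allowed"
        except PermissionError:
            out[label] = "denied"
    out["log_outcomes"] = [e["outcome"].split(":")[0] for e in server.log]
    return out
```

Running `demo()` shows alice reading the document but being refused print by the application, an outsider and a tampered publishing license being refused by the server, and a server log of four license requests in which alice's print attempt appears as "granted", because the server only saw her license request. Anyone reading RMS logs for compliance evidence should keep that distinction in mind.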
RMS Integrated with Office 2007
• Client applications: Outlook, Word, PowerPoint, Excel, InfoPath (new)
• Server applications: SharePoint (new)
• Windows Mobile: support for Windows Mobile 6
SharePoint 2007
• Protected document libraries: policy applied at the document library level
• Protects the document on download: the document is protected to the downloading user, so the copy stored on the server stays searchable (protection is applied when the document leaves the library, not while it is stored)
• Sticky permissions: SharePoint rights map to IRM permissions
• File-format specific: out-of-the-box support for Word, Excel, PowerPoint, InfoPath, and XPS files
Windows Mobile (Smartphone and Pocket PC)
• Optimizations for the mobile platform; the RMS API is part of the Mobile SDK
• Pocket Inbox, Word, Excel, and PowerPoint
Rights-protected content on Windows Mobile (Content: Consume / Publish):
• Word, PowerPoint, and Excel documents: Consume Y / Publish N
• E-mail: Consume Y / Publish Y
Related Links:
• http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx
• http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/rmenterprise.mspx
Thank you very much for listening. [email protected]