Thursday, June 08, 2006

What is Rights Management Services (RMS)?

Worried about confidential company data landing in the wrong hands? If so, Rights Management Services (RMS) is the answer. The objective of RMS for Windows 2003 is to control access to data whether it is online or offline, inside or outside the firewall. So even if sensitive data finds its way into the wrong hands, it still cannot be accessed, rendering it useless.

This is independent of domain memberships or operating systems. So even if I am the administrator of a given computer or a domain and I receive a file or mail which is RMS protected, no matter what I do as an administrator, I would not be able to access it.

OK, so the working of RMS requires three components:

1) RMS running on Windows 2003 and Active Directory
2) Applications supporting RMS, for example, Microsoft Exchange and Outlook
3) Policies in place to provide the right level of access to the right people.

RMS controls access to the data by attaching the access information to the data itself. A file secured by NTFS loses all security information as soon as it is copied to a FAT or FAT32 partition or sent to someone by mail. An RMS-protected file, by contrast, stays protected even if it is handed over to someone without access by mail or on a pen drive.

Using RMS is a pretty simple task. A user may want to protect a message from being accessed by an unauthorized user, or the sender may want to restrict what the recipient of the message can and cannot do. For example, the sender wants to prevent the recipient from printing or forwarding the message, but still wants to allow the recipient to reply to it. The sender can do this himself with a few simple clicks in his Outlook client. So not only does RMS prevent data from reaching the wrong hands, it also effectively controls what actions the intended recipient can and cannot perform.

A couple of examples below from Microsoft:

  • A company manager has access to the online sales system. She pulls up sales information about last quarter's unit sales using her browser. Because the information is sensitive, specific restrictions have been applied to the report: She cannot print, copy, or paste the data. RMS helps the company protect its sensitive quarterly sales data from accidental or deliberate leaks before its official earnings announcement.
  • A CEO needs to send an e-mail message that contains confidential information about an upcoming reorganization to his executive staff. In Microsoft Office Outlook 2003, he selects a template to specify that recipients can only read the e-mail message, and that they cannot copy, paste, edit, or forward the information. The recipients receive the e-mail message in Outlook 2003, with the usage policies automatically applied to the message. The CEO has a new level of confidence that this sensitive information will be viewed only by his executive staff.

Below are some screenshots on how this can be done from the client end.
Figure 1 below displays the option from MS Excel from where RMS can be initiated.

Figure 1

Figure 2 shows the various levels of rights and the user selection available in an RMS client. The user who is granted permission needs to be a valid user in AD.

Figure 2

The user receiving this document also needs to have the RMS client installed on his machine in order to open the protected data.

RMS is also pretty straightforward to set up on the back end. All it requires is Windows 2003 Server, a SQL database and Active Directory. This, combined with a client-side application that supports RMS, is enough for RMS to work.

Microsoft provides an SDK so that software developers can build RM capability into their products.

The component of RMS that is embedded in MS Office products is called ‘Information Rights Management’ or IRM.

RMS is based on public key cryptography, using digital certificates to identify users and determine their access rights. The RMS server issues the certificates. When an internal RMS server is set up in the organization, it uses Windows authentication for issuance of the certificates.
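The idea described above, that the usage policy travels with the encrypted data and a server releases the key only to users named in it, can be sketched as follows. This is an added illustration, not Microsoft's code or the RMS file format: the function names, the `SERVER_KEY` stand-in for the server's certificates, the toy keystream and the sample addresses are all assumptions.

```python
import hashlib, hmac, json, os

# Constructed stand-in for the RMS server's key pair. Real RMS uses public-key
# certificates; a symmetric key keeps this sketch standard-library-only.
SERVER_KEY = os.urandom(32)

def _xor_stream(key, nonce, data):
    """Toy SHA-256 counter-mode keystream; illustration only, not a real cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def _tag(policy, wrapped, nonce):
    """MAC binding the policy to the wrapped content key."""
    msg = "|".join((policy, wrapped, nonce)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def protect(plaintext, rights):
    """Encrypt the content and attach the usage policy to the same blob."""
    key, nonce = os.urandom(32), os.urandom(16)
    policy = json.dumps(rights, sort_keys=True)
    wrapped = _xor_stream(SERVER_KEY, nonce, key).hex()
    return json.dumps({"policy": policy, "wrapped": wrapped, "nonce": nonce.hex(),
                       "tag": _tag(policy, wrapped, nonce.hex()),
                       "body": _xor_stream(key, nonce, plaintext).hex()})

def use_license(blob, user):
    """Server side: release the content key and rights only to a listed user."""
    doc = json.loads(blob)
    expected = _tag(doc["policy"], doc["wrapped"], doc["nonce"])
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("policy or key was modified")
    rights = json.loads(doc["policy"]).get(user)
    if not rights:
        raise PermissionError(f"{user} is not named in the policy")
    nonce = bytes.fromhex(doc["nonce"])
    return _xor_stream(SERVER_KEY, nonce, bytes.fromhex(doc["wrapped"])), rights

def open_document(blob, user, action="view"):
    """Client side: decrypt only if the use license grants the action."""
    key, rights = use_license(blob, user)
    if action not in rights:
        raise PermissionError(f"{user} may not {action}")
    doc = json.loads(blob)
    return _xor_stream(key, bytes.fromhex(doc["nonce"]), bytes.fromhex(doc["body"]))
```

Because the policy and the wrapped key sit inside the blob, copying it to another disk or mailing it changes nothing: a reader still has to obtain the key from the server, and editing the policy invalidates the tag.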

