Chris Louloudakis Technology Specialist – Identity and Access Management Microsoft Australia


Agenda
- The Business Problem
- Windows Rights Management Services
- How RMS addresses the problem
- Usage Scenarios
- Demo
- RMS components
- Q&A

What is IDA?
A system of procedures and policies to manage the lifecycle and entitlements of electronic credentials.
Areas: Directory Services, Strong Authentication, Federated Identity, Information Protection, Identity Lifecycle Management
Technologies: Directory, Federation, Smart-cards, SSO, User Provisioning, Web SSO, Meta-Directory, Virtual Directory, OTP, P/W Mgmt, Audit, RBAC, Biometric AuthN, PKI, ESSO, Rights Mgmt

Information Loss and Liability are a Growing Concern among Financial Services organizations…
“Enterprises report forwarding of e-mails among their top three security breaches” – Jupiter Research
“Organizations that manage patient health information, social security numbers, and credit card numbers are being forced by government and industry regulations to implement minimal levels of security to address leakage of personal information.” – IDC
Source: Worldwide Secure Content Management Forecast: The Emergence of Outbound Content Compliance, March
Source: JupiterMedia, DRM in the Enterprise, May 2004

…Information Leakage is Broadly Reaching
- Horizontal Scenarios. Information Protection: sensitive e-mails, board communications, financial data, price lists, HR & Legal information. Corporate Governance: Sarbanes Oxley (US)
- Financial Services. Equity Research, M&A. GLB, NASD 2711
- Healthcare & Life Services. Research, Clinical Trials. HIPAA
- Manufacturing & High Technology. Collaborative Design, Data Protection in Outsourcing
- Government. RFP Process, Classified Information. HIPAA

…And Is Costly On Multiple Fronts
Damage to Image & Credibility
- Damage to public image and credibility with customers and citizens
- Financial impact on organisations
- Leaked e-mails or memos can be embarrassing
Legal, Regulatory & Financial impacts
- Cost of digital leakage per year is measured in $ billions
- Increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386
- Non-compliance with regulations or loss of data can lead to significant legal fees, fines and/or jail time
Loss of Competitive Advantage
- Disclosure of strategic plans, M&A info potentially lead to loss of revenue, market capitalization
- Loss of research, analytical data, and other intellectual capital

Traditional solutions protect initial access … but not usage
[Diagram labels: Access Control List Perimeter (No / Yes), Firewall Perimeter, Authorized Users, Unauthorized Users, Information Leakage]

Today’s policy expression… …lacks enforcement tools

The Premier's Leaked memo
Courtesy of the Herald Sun, Feb 13 8:48 pm

How does RMS address this?
Windows RMS provides organizations with the tools they need to safeguard confidential & sensitive data
Provides persistent protection for sensitive data
- Controls access to sensitive information no matter where it lives
- Secures transmission and storage of sensitive information wherever it goes – policies embedded into the content; documents encrypted with 128 bit encryption
- Embeds digital usage policies (print, view, edit, expiration etc.) into the content to help prevent misuse after delivery
Helps reduce risks and enables compliance
- Helps organizations comply with access control, audit, and privacy policies
- Allows only authorized access based on Active Directory users/groups
- Provides Attestation via strong authentication methods
- Includes auditing and tracking capabilities
Reduce operational costs
- Enables secure sharing of files and posting to shared locations, reducing paper and delivery time
- Digital files eliminate need to follow document destruction protocols, saving time and expense
- Helps automate and streamline information protection across the enterprise
Provides a platform for comprehensive information protection
- Out-of-the-box support in Office 2003
- Flexible and customizable technology
- Third parties can integrate RMS with client and server-based solutions

End User Scenarios
Safeguard Sensitive Information with RMS: Protect e-mail, documents, and Web content
Secure e-mails (Outlook 2003, Windows RMS)
- Keep corporate e-mail off the Internet
- Prevent forwarding of confidential information
- Templates to centrally manage policies
Secure Documents (Word 2003, PowerPoint 2003, Excel 2003, Windows RMS)
- Control access to sensitive info
- Set access level - view, change, print...
- Determine length of access
- Log and audit who has accessed rights-protected information
Secure Intranets (IE w/RMA, Windows RMS)
- Users without Office 2003 can view rights-protected files
- Enforces assigned rights: view, print, export, copy/paste & time-based expiration

How does RMS work?
Participants: Information Author, The Recipient, RMS Server, SQL Server, Active Directory
1. Author receives a client licensor certificate the first time they rights-protect information
2. Author defines a set of usage rights and rules for their file; Application creates a “publishing license” and encrypts the file
3. Author distributes file
4. Recipient clicks file to open, the application calls to the RMS server which validates the user and issues a “use license”
5. Application renders file and enforces rights
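
A simplified model of steps 2 to 5 above, added here as an illustration; it is not Microsoft's code or the RMS API. The names RmsServer, protect and open_file, the toy keystream cipher and the HMAC-sealed license are assumptions of this sketch, and certificates (step 1) are left out.

```python
import hashlib, hmac, json, os

def xor_stream(key, data):
    # Toy SHA-256 counter-mode keystream standing in for the real content cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class RmsServer:
    """Hypothetical licensing server; not the RMS API."""
    def __init__(self, directory):
        self.secret = os.urandom(32)
        self.directory = set(directory)  # stands in for Active Directory
        self.audit = []                  # stands in for the logging database

    def _mac(self, body):
        blob = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.secret, blob, hashlib.sha256).hexdigest()

    def seal(self, rights, content_key):
        # Step 2. Simplification: real RMS wraps the content key to the server's
        # public key, so the author's application can publish offline.
        nonce = os.urandom(16)
        wrapped = xor_stream(self.secret + nonce, content_key)
        body = {"rights": rights, "nonce": nonce.hex(), "wrapped": wrapped.hex()}
        return {"body": body, "mac": self._mac(body)}

    def use_license(self, user, pub):
        # Step 4: validate the license and the user, then release the key.
        body = pub["body"]
        intact = hmac.compare_digest(pub["mac"], self._mac(body))
        known = user in self.directory
        granted = body["rights"].get(user, []) if intact and known else []
        self.audit.append((user, bool(granted)))
        if not granted:
            return None
        kek = self.secret + bytes.fromhex(body["nonce"])
        key = xor_stream(kek, bytes.fromhex(body["wrapped"]))
        return {"user": user, "rights": granted, "key": key}

def protect(server, plaintext, rights):
    # Steps 2-3: encrypt once; the policy travels with the ciphertext.
    key = os.urandom(32)
    return {"license": server.seal(rights, key), "blob": xor_stream(key, plaintext)}

def open_file(server, user, doc, action):
    # Steps 4-5: the application asks for a use license and enforces its rights.
    lic = server.use_license(user, doc["license"])
    if lic is None or action not in lic["rights"]:
        return None
    return xor_stream(lic["key"], doc["blob"])
```

In this model a recipient who edits the rights list inside the publishing license fails the server's integrity check and gets no use license, and every request is recorded in the audit list.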

Authoring and Consuming Rights-Protected Information with Office 2003 Professional IRM

RMS Solution Components
Server
- RMS Server
  - Runs on Windows Server 2003 (Standard, Enterprise, Web or Datacenter Editions)
  - Provides certification and licensing
- Active Directory® directory service
  - Windows Server 2000 or later
  - Provides a well-known unique identifier for each user
  - E-mail address property for each user must be populated
- Database Server
  - Such as Microsoft SQL Server™ or MSDE
  - Stores configuration data and use license requests
Client
- RMS client software
- An RMS-enabled application
  - Required for creating or viewing rights-protected content
  - Microsoft Office 2003 Editions includes RMS-enabled applications – Word, Excel, PowerPoint, Outlook
  - Office Professional 2003 is required for creating or viewing rights-protected content
  - Other Office 2003 Editions allows users to view—but not create—rights-protected content.
- Rights Management Add-on (RMA) for Internet Explorer 6.0
  - Allows users to view rights-protected content in a browser
  - Enables down-level viewing support for content protected by Office 2003

RMS does not protect against analog attacks…

RMS Roadmap Highlights 2006/7
Windows Mobile H
- Enables consumption and creation of protected Outlook e-mail on Windows Mobile devices
- Enables consumption of protected attachments
Office 2007
- Microsoft Office SharePoint Server 2007 allows rights policy to be enforced consistently across the contents of a document library, while contents remain searchable
- InfoPath 2007 supports RMS protection
- Outlook RMS improvements
Windows Vista
- A wide variety of documents, including Office 2007 documents, can be saved to the new XPS “XML Paper Specification” document format, which can be RMS-protected
- Built-in XPS viewer supports RMS protection and consumption of RMS protected XPS documents
Exchange “2007” H
- “Pre-licensing” of protected content enables mobility scenarios and performance improvements
- Enables RMS protection of e-mail based on policies configured at the Exchange server
Longhorn Server 2007
- RMS integration with Active Directory Federation Services (ADFS)

Office 2007 and RMS Detail
New Office SharePoint Server 2007 capabilities
- Apply IRM protection consistently across document library
- IRM policy automatically protects content
- Departmental control over information protection
- Policies configured by workspace owner, not central IT
- Content is searchable in document library
- Content is RMS protected upon viewing and downloading
- New RMS options exposed
- Embargo period
- Offline viewing allowed, but must re-license after “N days”
- Requires Office 2007 Server Premium SKU
- But works with Office 2003 / RMS SP1 clients
New Office 2007 client capabilities
- InfoPath becomes RMS enabled
- Improvements to IRM protected Outlook e-mail behavior
- Reply with context allows protected e-mail thread
- RMS icon instead of “attachment” icon in message list

Microsoft Office Sharepoint Server 2007 Protected Intranet Portal

RMS in Windows Vista
For the IT Professional
- RMS Client included in Vista OS
- No separate download/deployment required
For the Developer
- New RMS APIs in Windows Presentation Foundation
- Makes RMS-enabling applications easier
For the Information Worker
- RMS support for new XML Paper Specification (XPS) file format, a fixed-layout format similar to “Electronic Paper”
- Enables new scenarios

RMS in Windows Mobile Author using Office 2003 Mobile User

RMS in Exchange 2007
Pre-licensing
- Easier consumption of rights protected messages on mobile devices and better end-user perceived performance
- E-mail and RMS use license delivered at the same time to the recipient’s inbox
- No extra “loop backs” to RMS server when opening mail means mail opens instantly
- Fewer authentication prompts for remote users
Automatic, policy-based RMS protection
- Conditional RMS protection of messages at the Exchange server, based on administrator-configured rules
- No need to “trust” end users to remember to protect messages
- Ability to journal in clear text or in protected state, to meet privacy, archiving, and discovery requirements

Infrastructure Optimization Model (Cost → Value)
- Basic (Cost Center): Uncoordinated, manual Infrastructure; Knowledge not captured
- Standardized (More Efficient Cost Center): Managed IT Infrastructure with limited automation and knowledge capture
- Rationalized (Business Enabler): Managed and consolidated IT Infrastructure with extensive Automation
- Dynamic (Strategic Asset): Fully automated management; Knowledge capture automated and use automated

IDA Optimization Model
Step 1: “Get your directory house in order”
- Basic (Cost Center): No NOS Directory; No Formal Lifecycle Processes; Physical Protection; User IDs and Passwords; No Single Sign-On
- Standardized (More Efficient Cost Center): NOS Directory Deployed; Directory Data & Workflow Process Standardization; Encryption-Protected Content; Strong Password Policy enforcement; Windows SSO for applications
- Rationalized (Business Enabler): Directory-Based Management of Desktops, Servers & Security Settings; Metadirectory-Based User, Group & Password Management; Enterprise Rights Management; PKI/Certificate Infrastructure with Two-Factor Authentication
- Dynamic (Strategic Asset): NOS Directory Integration with Enterprise & Metadirectory; Broadly Integrated Lifecycle Management; Policy-Based Enterprise Rights Management; Claims-Based Federated Single Sign-On & Access Control

For More Information…
- General RMS
- Microsoft IT Deployment: p.mspx
- RMS SDK on MSDN: us/dnanchor/html/rm_sdks_overview.asp

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.