
Windows Rights Management Services (RMS) Moshe Zrihen CTO, TrustNet.

1 Windows Rights Management Services (RMS) Moshe Zrihen CTO, TrustNet

2 Agenda
– The Business Problem
– Windows Rights Management Services
–– How RMS addresses the problem
–– Usage Scenarios & Regulation (SOX, HIPAA etc.)
–– How RMS works & demo
–– RMS SP2, what's new?
–– RMS integrated with Office 2007, SharePoint, Mobile
– Related Information
– Q&A

3 The Business Problem

4 Information Loss and Liability are a Growing Concern among Organizations…
“Enterprises report forwarding of e-mails among their top three security breaches” – Jupiter Research (Source: JupiterMedia, DRM in the Enterprise, May 2004)
“Organizations that manage patient health information, social security numbers, and credit card numbers are being forced by government and industry regulations to implement minimal levels of security to address leakage of personal information.” – IDC (Source: Worldwide Secure Content Management 2005-2009 Forecast: The Emergence of Outbound Content Compliance, March 2005)

5 Horizontal Scenarios
– Information Protection: sensitive e-mails, board communications, financial data, price lists, HR & Legal information
– Corporate Governance: Sarbanes Oxley (US)
Industry scenarios:
– Financial Services: Equity Research, M&A; GLB, NASD 2711
– Healthcare & Life Services: Research, Clinical Trials; HIPAA
– Manufacturing & High Technology: Collaborative Design, Data Protection in Outsourcing
– Government: RFP Process, Classified Information; HIPAA
…Information Leakage is Broadly Reaching

6 …And Is Costly On Multiple Fronts
– Damage to Image & Credibility: damage to public image and credibility with customers; leaked e-mails or memos can be embarrassing
– Legal, Regulatory & Financial impacts: financial impact on company; cost of digital leakage per year is measured in $ billions; increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386; non-compliance with regulations or loss of data can lead to significant legal fees, fines and/or jail time
– Loss of Competitive Advantage: disclosure of strategic plans or M&A info can lead to loss of revenue and market capitalization; loss of research, analytical data, and other intellectual capital

7 Traditional solutions protect initial access… but not usage
(Diagram labels: Firewall, Perimeter, Access Control List, Authorized Users / Unauthorized Users, Information Leakage)

8 Today’s policy expression… …lacks enforcement tools

9 How Does RMS Address the Problem?

10 End User Scenarios: Safeguard Sensitive Information with RMS – protect e-mail, documents, and Web content
– Secure Emails (Outlook 2003 & 2007, Windows RMS): keep corporate e-mail off the Internet; prevent forwarding of confidential information; templates to centrally manage policies
– Secure Documents (Word 2003/7, PowerPoint 2003/7, Excel 2003/7, Windows RMS): control access to sensitive info; set access level – view, change, print…; determine length of access; log and audit who has accessed rights-protected information
– Secure Intranets (IE w/RMA, Windows RMS): users without Office 2003 can view rights-protected files; enforces assigned rights: view, print, export, copy/paste & time-based expiration

11 Usage Scenarios & Regulation (SOX, HIPAA etc.)

12 How RMS Enables SOX Compliance
Sarbanes-Oxley Act of 2002: companies must implement, evaluate, and report on controls for financial reporting, operations, and compliance.
Section 404-1, SECURITIES AND EXCHANGE COMMISSION, 17 CFR PARTS 210, 228, 229, 240, 249, 270 and 274, MANAGEMENT'S REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING AND CERTIFICATION OF DISCLOSURE IN EXCHANGE ACT PERIODIC REPORTS:
“As directed by Section 404 of the Sarbanes-Oxley Act of 2002, we are adopting rules requiring companies subject to the reporting requirements of the Securities Exchange Act of 1934, other than registered investment companies, to include in their annual reports a report of management on the company's internal control over financial reporting. The internal control report must include: a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company; management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year; a statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting; and a statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting. Under the new rules, a company is required to file the registered public accounting firm's attestation report as part of the annual report. Furthermore, we are adding a requirement that management evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. Finally, we are adopting amendments to our rules and forms under the Securities Exchange Act of 1934 and the Investment Company Act of 1940 to revise the Section 302 certification requirements and to require issuers to provide the certifications required by Sections 302 and 906 of the Sarbanes-Oxley Act of 2002 as exhibits to certain periodic reports.”

13 How RMS enables SOX Compliance (Requirement – How RMS/Microsoft addresses it)
– ID Management: identity management and authentication provided by Active Directory
– Authorization: provided by policies in the RMS use license, which control the recipient's use of content
– Access Control: provided by RMS and RMS-enabled applications based on public/private key exchange. RMS protects sensitive information from unauthorized access by applying encryption-based protection (RSA 128-bit) that travels with the information wherever it goes
– Attestation: available through strong authentication (e.g. two-factor authentication w/smart cards) or using S/MIME
– Prevention of Modification: provided by RMS policy, which protects documents in storage and in transit – the document author controls what authorized users can do with content (e.g. view only)
– Monitoring: provided by auditing & logging: RMS creates a log entry for every action, including instances of document access or attempted access

14 How RMS Enables HIPAA Compliance
Government hospitals must protect patient data through access controls, user authentication, and auditing.

15 How RMS enables HIPAA Compliance (Requirement – How RMS/Microsoft addresses it)
– Authentication: provided by policies in the RMS use license, which control the recipient's use of content
– Access Control: provided by RMS and RMS-enabled applications based on public/private key exchange. RMS protects sensitive information from unauthorized access by applying encryption-based protection (RSA 128-bit) that travels with the information wherever it goes
– Audit Controls: establish a nonrepudiable audit trail to log every action related to a document's publication and use licenses. The RMS database tracks who makes a request, when the request was made, which files were requested, and the outcome of the request
– Data Authentication / Prevention of Modification: provided by RMS policy, which protects documents in storage and in transit – the document author controls what authorized users can do with content (e.g. view only)
– Encryption (recommended): based on RSA 128-bit encryption (see above)

16 How RMS Enables GLBA, 357 Compliance
Companies must use information security technology to secure storage and transport of personal financial data.

17 FDA Compliance: FDA 21 CFR PART 11
Food and drug manufacturers must digitally sign documents used in the manufacturing process and provide audit records, protected archival, and documented access controls.
DEPARTMENT OF HEALTH AND HUMAN SERVICES, Food and Drug Administration, 21 CFR Part 11 [Docket No. 92N-0251]:
“SUMMARY: The Food and Drug Administration (FDA) is issuing regulations that provide criteria for acceptance by FDA, under certain circumstances, of electronic records, electronic signatures, and handwritten signatures executed to electronic records… Section 11.10 describes controls for closed systems, systems to which access is controlled by persons responsible for the content of electronic records on that system. These controls include measures designed to ensure the integrity of system operations and information stored in the system. Such measures include: (1) Validation; (2) the ability to generate accurate and complete copies of records; (3) archival protection of records; (4) use of computer-generated, time-stamped audit trails; (5) use of appropriate controls over systems documentation; and (6) a determination that persons who develop, maintain, or use electronic records and signature systems have the education, training, and experience to perform their assigned tasks. Section 11.10 also addresses the security of closed systems and requires that: (1) System access be limited to authorized individuals; (2) operational system checks be used to enforce permitted sequencing of steps and events as appropriate; (3) authority checks be used to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform operations; (4) device (e.g., terminal) checks be used to determine the validity of the source of data input or operation instruction; and (5) written policies be established and adhered to holding individuals accountable and responsible for actions initiated under their electronic signatures, so as to deter record and signature falsification. Section 11.30 sets forth controls for open systems, including the controls required for closed systems in Sec. 11.10 and additional measures such as document encryption and use of appropriate digital signature standards to ensure record authenticity, integrity, and confidentiality. Section 11.50 requires signature manifestations to contain information associated with the signing of electronic records.”

18 How RMS Works & Demo

19 How does RMS work?
Parties: Information Author, the Recipient, RMS Server, SQL Server, Active Directory.
1. The author receives a client licensor certificate the first time they rights-protect information.
2. The author defines a set of usage rights and rules for their file; the application creates a “publishing license” and encrypts the file.
3. The author distributes the file.
4. The recipient clicks the file to open it; the application calls the RMS server, which validates the user and issues a “use license”.
5. The application renders the file and enforces the rights.
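The five-step flow above, together with the per-request logging (slides 13 and 15) and the expiry and per-user rights set in the permission dialogs (slides 25 and 26), as an added simulation that is not Microsoft's code or the real RMS wire format: the author seals a content key into a publishing license, the server checks the recipient against a directory and the license before issuing a use license, and the application decrypts only with the rights it was granted. The cipher, the directory layout and all names are assumptions; the toy HMAC keystream stands in for RMS's real encryption.

```python
import hmac, hashlib, secrets, time

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Toy symmetric keystream cipher (XOR with HMAC-SHA256 blocks), a stand-in
    for the content encryption RMS applies. Encrypt and decrypt are the same op."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class RmsServer:
    """Stand-in for the RMS server: validates the user against the directory,
    evaluates the publishing license, issues a use license and logs the request."""
    def __init__(self, directory):
        self.directory = directory          # user -> groups (plays Active Directory)
        self.key = secrets.token_bytes(32)  # key the content key is sealed to
        self.log = []                       # one entry per request, granted or denied

    def issue_use_license(self, user, pub_license, now=None):
        now = time.time() if now is None else now
        principals = {user, *self.directory.get(user, ())}   # user plus their DLs
        rights = set().union(*(pub_license["rights"].get(p, set()) for p in principals))
        ok = bool(user in self.directory and rights and now < pub_license["expires"])
        self.log.append((user, pub_license["doc"], "granted" if ok else "denied"))
        if not ok:
            return None
        # Real RMS seals the key to the recipient's certificate; plaintext here.
        return {"rights": rights,
                "content_key": toy_cipher(self.key, pub_license["sealed_key"])}

def publish(server, doc, plaintext, rights, expires):
    """Author side (step 2): build the publishing license and encrypt the file.
    Real RMS seals the content key to the server's public key; toy cipher here."""
    content_key = secrets.token_bytes(32)
    pub_license = {"doc": doc, "rights": rights, "expires": expires,
                   "sealed_key": toy_cipher(server.key, content_key)}
    return pub_license, toy_cipher(content_key, plaintext)

def open_protected(server, user, pub_license, ciphertext, now=None):
    """Recipient side (steps 4-5): obtain a use license, then decrypt and return
    the rights the application must enforce (None if the server refused)."""
    lic = server.issue_use_license(user, pub_license, now)
    if lic is None:
        return None
    return toy_cipher(lic["content_key"], ciphertext), lic["rights"]

if __name__ == "__main__":   # constructed sample: alice edits, the finance DL views
    srv = RmsServer({"alice": {"finance"}, "bob": {"finance"}, "eve": set()})
    pl, ct = publish(srv, "q3-results.docx", b"Q3 revenue: constructed figure",
                     {"alice": {"view", "edit", "print"}, "finance": {"view"}},
                     expires=time.time() + 3600)
    print(open_protected(srv, "bob", pl, ct), open_protected(srv, "eve", pl, ct), srv.log)
```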

20 Apply Permissions to New Email

25 Permission dialog
– Add users with Read and Change permissions
– Verify aliases & DLs via AD
– Add advanced permissions

26 Advanced permissions
– Set expiration date
– Enable print, copy permissions
– Add/remove additional users
– Contact for permission requests
– Enable viewing via RMA


29 RMS SP2, what’s new?

30 SharePoint 2007
– Protected document libraries: policy applied at document library level
– Protects document on download: document protected to user; information searchable on server
– Sticky permissions: SharePoint rights map to IRM permissions
– File format specific: out-of-the-box support for Word, Excel, PowerPoint, InfoPath, and XPS files

31 Office 2007
– Client applications: Outlook, Word, PowerPoint, Excel, InfoPath (new)
– Server applications: SharePoint (new)
– Windows Mobile: support for Windows Mobile 6

32 Protected doc library

43 Windows Mobile
– Smartphone and Pocket PC: optimizations for the Mobile platform; RMS API part of the Mobile SDK
– Pocket Inbox, Word, Excel, and PowerPoint
Content / Consume / Publish:
– E-mail: Consume Y, Publish Y
– Word, PowerPoint, and Excel documents: Consume Y, Publish N

44 RMS Live Demo

45 Related Info

46 Related Links:
http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx
http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/rmenterprise.mspx

47 Thank you very much for listening. moshe@trustnet.co.il
