Information Rights Management is the discipline within Information Security and IAM (Identity and Access Management) that allows protecting information right at the source: The single file. Files are encrypted and permissions for using the files are directly applied to the encrypted and packaged file.
This allows protection of documents across their entire lifecycle: At rest, in motion, and in use. Other Information Security technologies might only protect files at rest. Classical file server security can enforce access rights. However, once a user has access, he can do with that file whatever he wants to do. Other technologies protect the file transfer. But all of them fail in securing information across the entire lifecycle. That is where Information Rights Management comes into play.
Information Rights Management – more important than ever before
Information Rights Management (IRM) is more important than ever before. An increasing number of attacks against both on-premise and Cloud IT infrastructures and the uncertainty and concerns regarding the access of governmental agencies to data sent over the Internet and held in the Cloud are driving the need for better Information Security approaches that protect information throughout their lifecycle. In addition, there is an ever-growing number of regulations regarding Privacy, the protection of Intellectual Properties, etc.Information Rights Management is the logical solution for these challenges, as long as documents are concerned, because – as mentioned above – it protects information at rest, in motion, and in use. This depends on the types of applications, requiring applications with built-in support for Information Rights Management or workarounds that at least inhibit certain operations such as printing.
Clearly, Information Rights Management also has its limits. The person photographing the screen still can bypass security. However, using Information Rights Management on a large scale would mean a big step forward for Information Security.
IRM: Not new – so why haven’t we already seen a breakthrough?
Given that IRM is such a logical approach to use for improving Information Security, the obvious question is: Why don’t we already use it? There are several offerings from various vendors, but we are far away from widespread adoption.There are many reasons for that. The most important ones, so far, have been a lack of broad support for various file formats and applications, issues in dealing with external users that need to consume information, and the complexity of implementation. There have been other challenges, but these three are the most relevant ones.
Microsoft to remove the IRM inhibitors
Microsoft, one of the vendors that has been active for years now in the IRM market, is now tackling these inhibitors. The Microsoft RMS (Microsoft Rights Management Services) have been re-designed and enhanced. The Microsoft promise is that “Microsoft RMS enables the flow of protected data on all important devices, of all important file types, and lets these files be used by all important people in a user’s collaboration circle”. Another important capability is what Microsoft calls BYOK – Bring Your Own Key. Companies can manage their own keys in their own HSM (Hardware Security Module) on-premise, however the HSM can be asked to perform operations using that key. This is a complex topic I will cover more in depth in another post. There is also a broad range of implementation models, from doing everything in the cloud to more “cloud hesitant” approaches, serving the needs and addressing the concerns of various types of customers.The Microsoft Rights Management suite is implemented as a Windows Azure service. By moving IRM to the Cloud, Microsoft enables flexible collaboration between various parties, beyond the traditional perimeter of the enterprise. Companies can flexibly collaborate with their business partners.
Moving RMS to the Cloud might raise security concerns. However, the documents themselves are never seen by the Azure RMS service. Azure RMS is responsible for secure key exchange between the involved client devices. It is responsible for requesting authentication and authorization information. This is done by relying on either the federated on-premise AD or Windows Azure AD. Other Identity Providers will be added over time, including Microsoft Account (aka LiveID) and Google IDs. Furthermore, Windows Azure AD provides flexibility for federating with external parties.
This flexibility is also the answer to the challenge of supporting all users within a collaboration circle. Windows Azure RMS does not rely on the on-premise Active Directory (and ADFS-based federation) solely, but is far more flexible in onboarding and managing RMS users. Users from external partners can self-sign-on once they receive an RMS-protected document.
The second challenge always has been the management of file types and applications. Microsoft RMS supports “RMS-enlightened applications” (i.e. ones that have built-in support for RMS), a free RMS App that runs on various operating system platforms and supports various standard formats such as JPG, TXT, and XML, and finally a wrapping approach to protect file types that are not supported by the other two approaches. Furthermore, Microsoft has started building a significant ecosystem with various partners supporting environments such as CAD systems or documents exported from SAP environments. Based on these changes, RMS works well on a broad range of devices and for all relevant file types, including native support for the PDF format in the Microsoft-provided PDF reader.
With Azure RMS and all the new features in Microsoft RMS setup and management of RMS becomes far easier than ever before – including policy management and usability for end users.
Thus, Microsoft provides answers to all three challenges mentioned at the beginning of this note: Dealing with all types of users; dealing with all types of file formats and applications; and reducing the complexity of IRM and specifically their own RMS.
There are some good sources for further information:
- Presentation on RMS
- Another presentation on RMS
- Microsoft RMS website
- Microsoft Technet blog on Microsoft RMS
This is only my first post on this subject, further posts will follow.