Microsoft recently released a big update to RMS that completely changes the landscape of information protection. There are many new features that I’d love to go into details about, but this article will cover what RMS is on a more general level before we dig deeper.
RMS, or Rights Management Services, is Microsoft’s solution for information protection, offering persistent protection, wherever the information it moved or copied.
So how does Microsoft define this persistent protection in RMS? First of all the information is encrypted. But there is also a policy attached to the information that must be followed. The policy defines who can decrypt the information but also what those users can do with it.
Examples of these so called Use Right Permissions are Edit, Print, Copy, Forward etc. These permissions can be granted granularly so that different users can get different permissions on the same document. By default the user who initially applies the protection gets Full Permission, which is required to be able to remove the protection.
The permissions can be applied manually by selecting users/groups and their permissions, or by using Rights Policy Templates, which are predefined permissions. These templates are normally shared by everyone in the company. There are also ways to automatically RMS-protect information without user involvement, either based on the location of the file, actual content in the file/email or recipients of emails.
RMS-aware applications, sometimes also called enlightened (such as Word, Excel, PowerPoint, Outlook, XPS Viewer, SharePoint, Exchange, Foxit PDF) makes the users comply with the current policy by disabling functionality that is not allowed.
Here is an example from Word 2013 where we are not allowed to Print or Save:
Another example where we are not allowed to Copy. Here we also see the yellow information bar that indicates that the document is RMS protected:
If you click the button View Permission… on the information bar you see the permissions that your current account has on the current file:
Even the built-in screenshot functionality in Windows hides RMS-protected information. Here I have Word 2013 with an open RMS-protected document in front of Server Manager when taking a screenshot:
Right about now someone usually points out that you could use a camera to take a picture of the screen:
You could also use some third party screenshot utility that does not understand and/or respect the RMS protection). This is of course true, but remember that only approved and authenticated users can access the protected information in the first place.
Malicious users (that has permission to read but not to export) could also write the information on a piece of paper or use voice dictation to copy the information. They could even remember the information! The Use Right Permissions cannot protect from this (what solution can?), but in reality most information leakage is done by mistake, carelessness or ignorance. RMS can prevent many scenarios around that, such as lost/stolen storage media, use of cloud storage, external mail providers such as Hotmail, Google) or accidental recipients of sensitive emails.
Users are also visually made aware of the permissions and they must go out of their way to circumvent it. They can no longer claim that they didn’t know that they shouldn’t have disclosed information. Also, the knowledge that all attempts to access protected information are logged (both successful and failed) is a great deterrent.
RMS provides a more dynamic protection than other encryption technologies since permissions to access the information is dynamically evaluated by the RMS servers at the time of information consumption (as it is called in RMS). This means that you need to have network access to the RMS servers when you first open a protected document.
If you want to, you can enable the possibility for offline consumption of previously accessed information by allowing local caching of the RMS permissions on the users client. This has the advantage that users gets the ability to work with protected information without access to RMS servers.
You could also require that users have to be evaluated every time they consume the information. The advantage with this option is that you can at any time prevent users access to information that they previously had access to, without changing the document itself!
Imagine a coworker that leaves the company and takes copies of sensitive information with him/her.
Well, disabling that users account (or removing it from the AD group that was granted permission) will prevent the user to have further access to the information. Again, any attempt to access it will also be logged by RMS, which will make attempts traceable (who tried to open what and when).
You can allow Use License caching on some documents (usually valid 1 year) and require online evaluation on other documents every time they are accessed. It all depends on the sensitivity of the information and security versus usability, as it almost always does.
It is very recommended to have a method for classifying information before RMS is implemented. This is not a technology issue, rather a matter for management. If you don’t know what to protect, how do you protect the right information? Protecting everything is usually not a good way to go, but letting each user decide their own classification is not a great option either, since it can create a permission mix that can be hard to manage.
People are often a bit scared when implementing encryption. What if I loose access to the password/certificate? Well, since the permissions are evaluated dynamically, permissions can be added (by RMS administrators) at any time. There is also something called Super Users. Members of this group can access ALL information protected by that RMS implementation. This group should normally be disabled and only activated when required. Some RMS integration however, such as with Exchange, need to use this group.
Ok, that’s it for now. I hope you have gotten a bit more understanding around what RMS is and how it can be used. Future blog entries will cover more details around usage scenarios, different types of implementations (on premise or Azure) and integration with other solutions (Exchange, SharePoint, Fileservers, mobile devices).