Active Directory Rights Management Services

Steve Angell
Senior Consultant

Companies today go to great lengths to protect their digital information. Information Owners deploy numerous technologies with the intent of safeguarding data. These include: Identification and Authorization mechanisms, Firewalls, Encryption, and Intrusion Detection systems just to name a few. However, they are typically left with a large element of trust being placed with employees to do the right thing. Once users have been granted access to data, the control of how data is handled becomes increasingly difficult. To make matters worse, in the past few years the amount of data the average company stores has increased by at least 50% annually while regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and Gramm Leach Bliley Act (GLBA) now require businesses to take additional measures to protect digital information. This all adds up to one simple fact. Companies must be able to control sensitive information beyond the capabilities of conventional protection technologies.

Historically, access control lists (ACLs) have been used to limit access to specific users, either by location, as with a firewall, or by business need, as with Directory Services rights and permissions. While this technology still serves a major purpose in protecting information, its limitation is that once a user, authorized or not, is past these controls, additional protective measures are required. In most cases, this additional protection has been provided through encryption. Public Key Infrastructure (PKI) combined with S/MIME and EFS is a tremendous benefit for protecting data both at rest and in transit. However, once an authorized user decrypts this data, all protection is nullified and the data is at risk of exposure. Total information protection requires the ability to control how data is handled by authorized entities after they have been authenticated. As an Information Owner, how would you like to be able to protect your data even after it has left the boundaries of your network?
 
Microsoft Active Directory Rights Management Services, or AD RMS, provides persistent information protection. Not only is information encrypted but RMS also controls usage rights for specific users or groups of users. Better still, once the RMS policy is projected to a document or email, the protection remains throughout the life of the data. RMS policy can define a user’s, or group’s, ability to view, modify, copy or even print the information contained in a rights protected file or email. What about portable media or laptops? Do you worry about information being copied to USB drives, laptops or other portable devices that leave the boundaries of your corporate network? With AD RMS you can protect information that is saved to portable devices. Once AD RMS policy has been placed on the information it remains to protect your information outside the borders of traditional control. For the most sensitive data, policy can even require that communication to the AD RMS server be established before information can be accessed, effectively preventing offline access to highly sensitive information.
 
As you consider Active Directory Rights Management Services keep the following benefits in mind:
 
Protection from “Information Leakage” - The term “Information Leakage” refers to the exposure of data by authorized individuals, either accidentally or maliciously. With traditional ACLs you can grant read-only access, but users would still be able to print the data or copy it to another file where they choose how the data is protected. Rights Management enforces additional controls that protect your information. Once users are given access to data, how do you control what happens to that data?
 
Protection of Information sent to external parties – Once information leaves your network how can you control how this information is used? AD RMS includes mechanisms that provide the means to protect information you may need to send to external parties while maintaining control over how this information is used and handled.
 
Ability to create pre-defined policy templates – Templates allow AD RMS administrators to pre-define controls that match corporate standards for how different information types should be handled. For example, information classified as “Confidential” may require “read only” rights for all employees. A template that applies read-only rights can be created and automatically made available to all users; the policy is then enforced whenever the template is applied to a document.
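As an added illustration of the “Confidential” read-only template described above (example code, not from the original article), the following PowerShell uses the AD RMS administration provider that ships with the Windows Server 2008 R2 role; the cluster URL and the group address are placeholders, and the provider's parameter names are taken from the AdRmsAdmin module as the author of this example understands it.

```powershell
# Added example, not part of the original article.
# Assumes: the AdRmsAdmin module on an AD RMS server (Windows Server 2008 R2),
# a cluster URL of https://adrms.example.local and a mail-enabled group
# employees@example.local. Both values are placeholders.
Import-Module AdRmsAdmin

# Expose the cluster's configuration as a PowerShell drive.
New-PSDrive -Name AdrmsCluster -PSProvider AdRmsAdmin -Root "https://adrms.example.local"

# Create a "Confidential" template that grants every employee View only.
# Edit, Print, Extract (copy) and Forward are deliberately not granted, so the
# restriction travels with the file wherever it is saved or sent.
New-Item -Path AdrmsCluster:\RightsPolicyTemplate `
    -LocaleName en-us `
    -DisplayName "Confidential - Read Only" `
    -Description "Confidential: all employees may view; no edit, print or copy" `
    -UserGroup "employees@example.local" `
    -Right ('View')

# Check that the template is now published by the cluster before distributing
# it to client machines.
Get-ChildItem AdrmsCluster:\RightsPolicyTemplate
```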
 
Apply Rights Management Policies to an abundance of file formats – Beyond Microsoft AD RMS enabled applications and Exchange, third party vendors now provide tools that extend RMS capabilities to over 400 different formats. Microsoft also provides an AD RMS Software Development Kit to enable corporations to build AD RMS protection functionality into their own applications.
 
Works with existing Information Protection Technologies – Microsoft Active Directory Rights Management Services was designed to provide an additional layer in a Defense in Depth strategy. It integrates into your existing environment without the need to replace or remove existing controls. One common question is “Does AD RMS require PKI to function?” The answer is no. AD RMS uses XrML certificates to perform encryption and policy enforcement, as opposed to the X.509 certificates used with PKI. However, AD RMS works just fine in environments where PKI is deployed and will complement your existing encryption program.
 
Microsoft Rights Management Services is not a new technology - Originally available as a downloadable addition to Windows Server 2003, RMS has been around for several years. With the release of Windows Server 2008, Microsoft renamed RMS to “Active Directory Rights Management Services”. Windows Server 2008 R2 adds the following enhancements over Rights Management Services for Windows Server 2003:
  • Active Directory Rights Management Services is now a Role rather than an installed application
  • MOSS 2007 Integration has been added to allow RMS policy to be applied to documents as they are downloaded from the SharePoint Server
  • Exchange 2010 provides the ability to both consume (read) and publish (create) RMS protected email using Outlook Web Access
  • When using Exchange 2010 administrators now have the ability to project RMS policy to email and voicemail based on filtering using transport rules
  • File Classification Infrastructure Integration with Rights Management Services
  • Protection for voicemail with Unified Messaging
  • Bulk Protection Tool that allows for bulk encryption, decryption and RMS policy projection to sensitive data
  • The ability to discover, classify and apply RMS policy to data utilizing the AD RMS and RSA Data Loss Prevention Integration Solution
  • PowerShell administration
  • XPS file support is now included

So what are the requirements for introducing Active Directory Rights Management into your environment? Well, the requirements are fairly basic. First you will need an Active Directory Domain with AD Controllers running at least Windows 2000 Server SP3. All AD RMS servers require Windows Server 2008 (R2 is preferred) and access to a database server running Microsoft SQL Server 2005 or 2008. The exact number and configuration of AD RMS servers will vary depending on your particular needs and the size of your organization. Client computers should be running Windows XP[1], Windows Vista or Windows 7. For users to consume and publish RMS protected information you will need RMS enabled applications such as Microsoft Office 2007 Ultimate, Enterprise, Professional, or Office 2003 Professional[2]. To provide Rights Management protection for email, Exchange 2007 or 2010 is recommended, although Exchange 2003 does support some AD RMS functionality.

In closing, there are many benefits derived from deploying Microsoft Active Directory Rights Management. Yet these benefits are best realized when coupled with a solid Information Security Strategy that aligns with your business needs. Let us discuss your Information Security Strategy with you and help you decide whether or not AD RMS will help you achieve your goals. Need help developing an Information Security Strategy? We can assist you in developing a strategy that aligns with business goals, mitigates risks and satisfies regulatory and contractual compliance requirements. We look forward to hearing from you.


Active Directory Rights Management Services is a key component in the Identity and Access Management practice at InfraScience. For information on other Identity and Access Management solutions please visit the InfraScience Identity and Access Management section of our website, and please feel free to contact us today to discuss how AD RMS fits into your information protection initiatives.