Microsoft expands rights management tool
The software maker announces a new rights management technology for Windows Server 2003 that would restrict the copying, printing or forwarding of confidential data.
The Redmond, Wash.-based company plans to release next week a new test version of Windows Rights Management Services (RMS), which works with Windows Server 2003. Microsoft plans to launch a broader test release during the second quarter.
Microsoft has focused this version of the software on securing data stored on corporate portals and intranets. A later release will expand the security mechanism's scope to documents transmitted over the Internet between companies.
"This is really focused on enterprise, not individual users," said Gartner analyst Ray Wagner. "At the enterprise, they're looking for more control of content." A lot of the time, regulatory compliance is the driving reason behind businesses' desire to manage access to files, he said, noting that it could be used to keep confidential information from getting out.
RMS would give companies tight control over the permissions that apply to their business documents, said Mike Nash, corporate vice president of Microsoft's Security Business Unit. Microsoft's existing permissions technologies work mainly by allowing people on a user list associated with a document to access that document. RMS issues a license that must be authenticated by the server for the user to access the document.
"What we've done here is put persistent protection in the document itself," Nash said. "Even if the file is no longer part of the file system or the infrastructure of the company, the protection is still there as part of the file."
Using RMS, a business could restrict access by user, limit or time-out user access, or prevent the copying and pasting of specific bits of information. Businesses also could prevent important e-mails from being forwarded to nonapproved recipients, such as reporters or competitors.
"What this does is allow customers to better protect their information, from a leak perspective," Nash said.
The introduction of RMS could raise concerns among users that Microsoft--and the larger businesses that install the tool--could act as "Big Brother," constantly monitoring their computer use. However, Wagner said he didn't see anything "intrinsically evil" about the technology. "I'm sure there are people who will say that," he said, but argued that Microsoft is developing RMS "because enterprise customers are asking for it."
Microsoft had planned to announce RMS next week, but apparently changed its plans following Wednesday's accidental posting of Office 2003 Beta 2, or testing version, code on the Microsoft Developer Network (MSDN) Web site. Office 2003 documents come with a new "Permission" button that accesses RMS. So that Office 2003 testers can try out the permissions feature, Microsoft plans to offer a "trial hosted service" concurrent with Beta 2, a Microsoft spokesman said.
Nash used the new Office 2003 Permission feature as an example of RMS in action. "What you see in the case of the Office beta that you have, is just that application taking advantage of that platform capability and exposing it in that button," he said.
Nash described three scenarios where RMS would be most applicable to businesses: Limiting Web content access, protecting documents and preventing e-mail from being forwarded.
In the first scenario, a company might provide on an intranet Web documents that contain confidential information. "You certainly want people using that portal access to that information, but you don't want them to cut and paste that information and then forward it," Nash said. A company could use RMS to prevent unauthorized users from taking such action.
The second scenario would allow companies to post a restricted-access document on an internal file server that would be protected so "only people with the right authorization could get into and look at the file, even when that file gets moved around," Nash said.
At the same time, businesses would have detailed control over rights, giving one user full access while restricting another's save or print access.
"The other thing you can do with Windows Rights Management is control how long that access will last," Nash said. "I could give you the right to view a document up until six o'clock?and then your right-to-view is revoked automatically."
The third scenario would prevent employees from forwarding e-mails to people not authorized to access the information.
"We've seen this is as a big issue in corporations large and small," Nash said. Using Microsoft as an example, he said: "One of the challenges we have had here is the need to be open and share information with employees, but at the same time worry that with such a large number of people in the target base?one of them (might) inadvertently share that information."
To provide this level of rights management for the three scenarios, RMS issues a license certificate containing access permissions when a document is created. So, in the case of a Word document created in Office 2003, the person creating it would use the "permission" button to set or restrict access. The process accesses RMS, which encrypts the file and includes a license for permissions.
But one important protection mechanism could cause headaches for companies that don't implement RMS carefully. A user's computer must be able to access the Windows Server 2003 running RMS on first opening a document to authenticate the rights and decrypt the document. Otherwise, the document cannot be opened. In the future, Microsoft plans to offer an "offline" rights authentication mechanism, but not with this version of RMS.
Other issues affecting the portability of rights associated with documents could cause other problems. Nash claimed that RMS is "platform agnostic"--meaning it will work with any operating system--in that "Windows Rights Management supports industry standards." But for people to be able to access RMS-protected documents on, say, Mac OS X or Linux, the operating systems must use XrML (Extensible Rights Markup Language) in the same way Microsoft does. In that case, "there is the opportunity for interoperability of document interchange," Nash said. Otherwise, the document could not be opened on the non-Windows operating system.
The same restriction in one sense applies to other Windows users. "If you shared the document with another Windows user and that Windows user hadn't installed (RMS), that other Windows user couldn't open the document as well," Nash said.
Gartner's Wagner rebuffed any concerns that Microsoft would use RMS as a means of making companies more reliant on Windows. "In the enterprise, they're already dependent on Windows anyway," he said. "You wouldn't become anymore dependent on Windows than you would be from using Exchange or Office."
If nothing else, Microsoft, which is protective of its own intellectual property, has its own reasons for developing RMS. "There's no question that Microsoft wants to protect (its) own intellectual property, but all companies with intellectual property want to protect it," Wagner said.
As Microsoft continues to refine this version of RMS and its successor, developers' eyes will be on the enterprise.
"We have also provided--for the enterprise--centralized policy control. So it's possible for the enterprise, if they want to, track where these documents are being protected and who's getting access to those things," Nash said.
In the future, Microsoft plans to replace the underlying "platform" with the forthcoming security technology formerly known as Palladium," Nash said. RMS is solely a software technology, whereas Palladium will add hardware security chips as an additional protection and rights management mechanism.