
Page 1: Windows Rights Management Services SP1 Overview and Opportunities Roger Lawrence Senior IT Consultant Microsoft Australia SOL216


Page 2: Agenda

The business problem
Windows Rights Management Services
What’s new in SP1
Scaling an RMS deployment
Product roadmap
Q&A

Page 3: In the News…

“A public-relations firm is dealing with a public-relations nightmare after unintentionally e-mailing journalists and others documents about one of its clients, Seattle-based Cell Therapeutics.”

- The Seattle Times

“Desmond Patrick Kelly, 52, is accused of leaking confidential documents, including a memo by former veterans' affairs minister Danna Vale, in which the Government rejected calls to raise war veterans' pensions by $650 million.”

- The Herald Sun

Page 4: Information Loss is Costly

Information loss – whether via theft or accidental leakage – is costly on several levels.

Financial
The U.S. Dept of Justice estimates that intellectual property theft cost enterprises $250 billion in 2004
Loss of revenue, market capitalization, and competitive advantage

Image & Credibility
Leaked executive e-mails can be embarrassing
Unintended forwarding of sensitive information can adversely impact the company’s image and/or credibility

Legal & Regulatory Compliance
Increasing regulation: SOX, HIPAA, GLBA
Bringing a company into compliance can be complex and expensive
Non-compliance can lead to significant legal fees, fines and/or settlements

Page 5: Information leakage is top-of-mind with Business Decision Makers

Chart: share of businesses reporting each type of security breach (Jupiter Research Report, 2004)
Virus infection: 63%
Unintended forwarding of e-mails: 36%
Loss of mobile devices: 35%
Password compromise: 22%
E-mail piracy: 22%
Loss of digital assets, restored: 20%

“After virus infections, businesses report unintended forwarding of e-mails and loss of mobile devices more frequently than they do any other security breach”

Jupiter Research Report, 2004

Page 6: Traditional solutions protect initial access… …but not ongoing usage

Diagram: an Access Control List perimeter around the Trusted Network admits Authorized Users (Yes) and rejects Unauthorized Users (No); Information Leakage still carries content out of the perimeter to Unauthorized Users.

Page 7: Today’s policy expression… …lacks enforcement tools

Page 8: How does RMS address this?

Augments Existing Technologies to Provide Persistent Protection
Encrypts sensitive content
Protects inside and outside the trusted network
Protects during and after delivery

Enforces Organizational Policies
Allows organizations to establish and apply centrally-managed policies
Allows organizations to track the information’s lifecycle
Supports smartcard authentication

Provides a platform for value-added solutions
Supports development of rich, third-party solutions on top of RMS via the RMS Software Development Kit (SDK)
Provides flexibility to integrate with an enterprise’s existing internal applications

Page 9: Common Usage Scenarios

Server-side Scenarios
Regulatory compliance & IP protection
Secure business process automation
Central control of information protection

Client-side Scenarios
Do-not-forward e-mail
Persistent document protection
Mixed-version Office environments

Platform and Management Scenarios
Centrally define and manage permission templates
Log and audit who has accessed rights-protected information
Extend RMS platform to apply and enforce rights protection on HTML content via the Rights Management Add-on for IE (RMA)

Page 10: Client Usage Scenarios

Do-Not-Forward E-mail (Outlook 2003)
Reduce internal/external forwarding of confidential information
Keep sensitive e-mail where it belongs

Protect Sensitive Files (Word 2003, Excel 2003, PowerPoint 2003)
Control access to sensitive content
Set granular permissions per user
Determine length of access

Communicate in a Mixed Version Environment (Rights Management Add-on for IE (RMA))
Users without Office 2003 can view rights-protected files via Internet Explorer
Does not provide authoring capability

Each of these requires RMS.

Page 11: Case Study: Swisscom

Situation
Sensitive executive e-mails and internal confidential documents needed to be protected for competitive reasons

Solution
Tested RMS/IRM for six months, then conducted pilot evaluation
Positive end-user feedback drove a full rollout of Office 2003 plus RMS to 19,000 desktops

Benefit
Improved confidentiality
Great end-user adoption due to intuitive integration in Office 2003
Strong platform for extended information protection solutions

“The integration of RMS with Office 2003, combined with the product’s ease of deployment and management, makes it easy for virtually all of Swisscom’s employees to keep their critical documents and information safe – without having to learn a cumbersome set of new technologies.”

Heinz Schär
Member of Management, Swisscom IT Services AG

Page 12: Server Usage Scenarios

New for SP1: RMS offers centrally managed information protection when integrated into server-based solutions

Enable Regulatory Compliance & IP Protection
Extends protection to managed content stored by document and records management solutions
Enables archival of RMS-protected e-mails
Protected content can be securely indexed and searched

Secure Business Process Automation
Enables workflow engines to extend information protection to business process automation
Applies rights protection in a centralized way

Control Information Protection Centrally
Enables content inspection gateways to inspect RMS-protected content and apply RMS-protection centrally
Enables ISVs to develop server-based solutions

Page 13: Authoring Rights-Protected Information with RMS and Word 2003

Page 14: Creating a Do-Not-Forward e-mail with RMS and Outlook 2003

Page 15: Consuming Rights-Protected Information with RMS and Outlook 2003 and Excel 2003

Page 16: Creating a protected PDF file using RMS, Liquid Machines, and Adobe Acrobat

Page 18: About Liquid Machines

Liquid Machines Document Control for Windows RMS – available now
Extends RMS policy enforcement across more than 65 applications and file formats
Policies are enforced as content moves between different applications
http://www.liquidmachines.com

Page 19: How does RMS work?

Pages 21–25: Machine Activation

1. User tries to publish or consume content
2. Application calls into RMS Client to create a new session
3. RMS Client starts bootstrapping process…

Machine Activation
a. RMS Client generates 1024-bit RSA key pair
b. Private key secured by CAPI
c. Public key stored in security processor certificate (SPC)
d. SPC signed by client

The user’s identity must be established on the machine by account certification.

New for SP1: The RMS Client is activated without contacting a server or requiring admin privileges.

Pages 26–30: Account Certification

a. RMS Client contacts RMS Server with a certification request, sending SPC
b. User is authenticated (DOMAIN\username → SID)
c. Server validates SPC
d. E-mail address is retrieved from AD (SID → [email protected])
e. User’s 1024-bit RSA key pair is generated and stored in database
f. User’s private key is encrypted with machine public key
g. RAC is created and user’s e-mail address and public key are added
h. Server signs RAC
i. RAC is returned to client

The user now has a RAC that can be used for consumption.

In order to publish, the user needs a Client Licensor Certificate (CLC).

Pages 31–33: Client Enrollment

a. RMS Client contacts RMS Server for client enrollment, sending RAC
b. RMS Server validates RAC
c. Server generates CLC 1024-bit RSA key pair
d. CLC private key is encrypted with RAC public key
e. CLC is generated, granting the user the right to publish
f. Server information, such as URL and server public key, is also added to CLC
g. Server signs CLC
h. CLC is returned to client

The client is now ready for both publishing and consumption of protected content.

Pages 34–38: Publishing

a. User creates content using RMS-enabled application
b. User specifies recipients, rights, and conditions to publish content, or chooses a template (e.g. [email protected]; print; expires 30 days)
c. Application calls into RMS Client for publishing
d. RMS Client generates 128-bit AES content key
e. Client encrypts content
f. Client creates publishing license (PL)
g. Rights data and content key are encrypted by server public key from CLC
h. Server URL is added to PL
i. CLC signs PL
j. The client returns the PL to the application
k. The application can now package the PL with the content

The content can now be sent to its recipients.

Publisher sends protected content to recipient using any mechanism. Assume recipient has already been bootstrapped. The recipient needs a use license in order to access the content.

Page 39: Windows Rights Management Services SP1 Overview and Opportunities Roger Lawrence Senior IT Consultant Microsoft Australia SOL216

a.a. Recipient opens document in Recipient opens document in RMS-enabled applicationRMS-enabled application

LicensingLicensing

b.b. Application calls RMS Client Application calls RMS Client to retrieve a use license.to retrieve a use license.

[email protected], printexpires 30 days

c.c. RMS Client sends PL and RMS Client sends PL and RAC to RMS ServerRAC to RMS Server

RAC

d.d. Server validates RAC and PLServer validates RAC and PL

e.e. Data from PL is decryptedData from PL is decrypted

[email protected], printexpires 30 days

[email protected], printexpires 30 days

CLCSPC RAC

Page 40: Windows Rights Management Services SP1 Overview and Opportunities Roger Lawrence Senior IT Consultant Microsoft Australia SOL216

RAC

[email protected], printexpires 30 days

LicensingLicensing

f.f. If content was published to a If content was published to a group, server checks group group, server checks group membership in the ADmembership in the AD

[email protected], printexpires 30 days

g.g. If identity in RAC matches PL If identity in RAC matches PL or group membership, server or group membership, server begins constructing use begins constructing use license (UL)license (UL)

e.e. Data from PL is decryptedData from PL is decrypted

h.h. Rights are granted to userRights are granted to user

CLCSPC RAC

[email protected], printexpires 30 days

[email protected], printexpires 30 days

[email protected], printexpires 30 days

Page 41: Windows Rights Management Services SP1 Overview and Opportunities Roger Lawrence Senior IT Consultant Microsoft Australia SOL216

RAC

[email protected], printexpires 30 days

LicensingLicensing

i.i. Content key encrypted by Content key encrypted by RAC public keyRAC public key

[email protected], printexpires 30 days

j.j. Encrypted key added to ULEncrypted key added to UL

h.h. Rights are granted to userRights are granted to user

j.j. UL returned to clientUL returned to client

k.k. UL signed by serverUL signed by server

CLCSPC RAC

Page 42: Licensing (continued)

Recipient can now bind the license and open the content

Page 43: Accessing Content

[Slide diagram: the client holds the SPC, RAC and CLC certificates and the use license (UL), which lists the recipient's e-mail address, the print right and a 30-day expiry]

Page 44: Accessing Content (continued)

a. Application calls RMS Client to bind license and decrypt content
b. RMS Client uses security processor to decrypt RAC private key
c. RAC private key decrypts content key

Page 45: Accessing Content (continued)

d. RMS Client decrypts content
e. Application renders content and enforces rights
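The Licensing slides (pages 39 to 42) and the Accessing Content slides (pages 43 to 45) describe one exchange: the client presents a PL and a RAC, the server validates both, checks identity or group membership, re-wraps the content key to the RAC public key and signs a UL, and the client unwraps the key, decrypts the content and enforces the rights. The following Go program is an added example that models that exchange on Go's standard crypto; it is not code from the deck or from the RMS SDK. Its type and function names (License, Rac, Signed, Publish, IssueUseLicense, Consume, Demo), the identities alice@example.test and finance@example.test, the JSON license bodies, and the choice of RSA-OAEP, RSA-PSS and AES-GCM are this example's own assumptions: real RMS licenses are XrML, and the RAC private key lives in the lockbox rather than in a plain *rsa.PrivateKey. It needs Go 1.21 or later for the slices package.

```go
package main

// Added example, not from the deck or the RMS SDK: the Licensing and Accessing Content
// flow modelled on Go's standard crypto. Names and identities are this example's own.

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"slices"
)

// License is a PL or UL body; the key is wrapped to the server's (PL) or RAC's (UL) public key.
type License struct{ Recipient string; Rights []string; WrappedKey []byte }
type Rac struct{ Identity string; PubKey *rsa.PublicKey } // signed by the server at certification
type Signed struct{ Body, Sig []byte }                      // JSON body plus issuer's RSA-PSS signature

func sign(priv *rsa.PrivateKey, v interface{}) (Signed, error) {
	body, _ := json.Marshal(v) // the structs above always marshal
	h := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
	return Signed{body, sig}, err
}

func verify(pub *rsa.PublicKey, s Signed, v interface{}) error {
	h := sha256.Sum256(s.Body)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, h[:], s.Sig, nil); err != nil {
		return err
	}
	return json.Unmarshal(s.Body, v)
}

// Publish: a fresh key encrypts the content and is wrapped to the server's public key in the PL.
func Publish(serverPub *rsa.PublicKey, recipient string, rights []string, text []byte) (License, []byte, error) {
	key, nonce := make([]byte, 16), make([]byte, 12)
	rand.Read(key) // crypto/rand treats a failed read as fatal rather than returning it
	rand.Read(nonce)
	block, _ := aes.NewCipher(key) // cannot fail for a 16-byte key
	aead, _ := cipher.NewGCM(block)
	ct := aead.Seal(nonce, nonce, text, nil) // nonce || ciphertext || tag
	wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	return License{recipient, rights, wk}, ct, err
}

// IssueUseLicense is the server side of steps c-k: validate the RAC, match identity or
// group membership, decrypt the PL data, re-wrap the key to the RAC and sign the UL.
func IssueUseLicense(server *rsa.PrivateKey, pl License, rac Signed, groups map[string][]string) (Signed, error) {
	var r Rac
	if err := verify(&server.PublicKey, rac, &r); err != nil {
		return Signed{}, fmt.Errorf("RAC invalid: %w", err)
	}
	if r.Identity != pl.Recipient && !slices.Contains(groups[pl.Recipient], r.Identity) { // step f
		return Signed{}, fmt.Errorf("%s is neither the PL recipient nor a member of it", r.Identity)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, server, pl.WrappedKey, nil)
	if err != nil {
		return Signed{}, fmt.Errorf("PL invalid: %w", err)
	}
	wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, r.PubKey, key, nil)
	if err != nil {
		return Signed{}, err
	}
	return sign(server, License{pl.Recipient, pl.Rights, wk})
}

// Consume is the client side of Accessing Content: verify the UL, refuse ungranted rights, unwrap, decrypt.
func Consume(serverPub *rsa.PublicKey, racPriv *rsa.PrivateKey, ul Signed, ct []byte, right string) ([]byte, error) {
	var l License
	if err := verify(serverPub, ul, &l); err != nil {
		return nil, fmt.Errorf("UL invalid: %w", err)
	}
	if !slices.Contains(l.Rights, right) {
		return nil, fmt.Errorf("right %q not granted by the UL", right)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, racPriv, l.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead.Open(nil, ct[:12], ct[12:], nil)
}

// Demo: content published to a constructed group with only the view right is opened by a member; print is refused.
func Demo() (text string, printDenied bool, err error) {
	server, _ := rsa.GenerateKey(rand.Reader, 2048)
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	rac, _ := sign(server, Rac{"alice@example.test", &alice.PublicKey})
	groups := map[string][]string{"finance@example.test": {"alice@example.test"}}
	pl, ct, _ := Publish(&server.PublicKey, "finance@example.test", []string{"view"}, []byte("Q3 forecast"))
	ul, err := IssueUseLicense(server, pl, rac, groups)
	if err != nil {
		return "", false, err
	}
	out, err := Consume(&server.PublicKey, alice, ul, ct, "view")
	_, denied := Consume(&server.PublicKey, alice, ul, ct, "print")
	return string(out), denied != nil, err
}

func main() { fmt.Println(Demo()) }
```

Run it with go run; Demo returns the recovered text, whether the print attempt was refused, and any error. The point worth noticing is where the trust boundaries sit: the PL's content key is wrapped to the server's key, so the licensing server is the only party that can re-wrap it for a recipient, and a RAC whose identity is neither the PL recipient nor a member of the named group is refused before the PL data is ever decrypted. On the client side, the UL signature is checked before the wrapped key is touched, and the right is checked before decryption, which is the order the "enforces rights" step on page 45 depends on.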

Page 46: What's New in RMS SP1?

Meets operational requirements for high-security, isolated, or sensitive environments
Smartcard authentication support
Offline server enrollment
FIPS 140 certification

Enables centrally managed business scenarios
Server Lockbox security processor enables ISVs to build RMS-aware server applications
Archival systems, content inspection gateways, records management, index and search, etc.

Enhances usability & eases deployment
RMS Client no longer requires end-user admin access to activate
Client works with standard deployment tools
Supports VPC
Supports query-based groups

Page 47: What's New in RMS SP1? Enhanced usability and deployment

SP1 Changes and Description

Dynamic role-based security: Support for Query Based Groups with Exchange 2003. Enables RMS policies to be applied based on dynamic groups, defined by queries of AD for certain attributes. RMS checks recipient's group membership against the rights assigned to the content.

Improved Outlook RPC over HTTP: Authentication process for RPC over HTTP streamlined for a better end-user experience.

Eases client rollout: Deploy RMS clients without touching desktops. Removes requirement for end-user admin privileges. Supports familiar deployment technologies such as SMS and GPO.

Support for phased deployment: RMS v1 and RMS SP1 are interoperable for a smooth transition.

Supports Virtual PC: RMS now supports Virtual PC for mixed customer environments.

Improved tools and guidance with RMS SP1 Toolkit: Provides improved tools and step-by-step guides.

Page 48: RMS Solution Components

Server

RMS Server
Runs on Windows Server 2003 (Standard, Enterprise, Web or Datacenter Editions)
Provides certification and licensing

Active Directory® directory service
Windows Server 2000 or later
Provides a well-known unique identifier for each user
E-mail address property for each user must be populated

Database Server
Microsoft SQL Server™ (recommended) or MSDE
Stores configuration, user keys, and logging data

Client

RMS Client software

An RMS-enabled application
Required for creating or viewing rights-protected content

Microsoft Office 2003 Editions
includes RMS-enabled applications – Word, Excel, PowerPoint, Outlook
Office Professional 2003 is required for creating or viewing rights-protected content
Other Office 2003 Editions allow users to view – but not create – rights-protected content.

Rights Management Add-on (RMA) for Internet Explorer 6.0
Allows users to view rights-protected content in IE
Enables down-level viewing support for content protected by Office 2003

Page 49: Scaling an RMS Deployment

[Slide diagram of a scaled deployment: Firewall, SSL, load Balancer, RMS servers, AD, SQL]

Page 50: RMS at Microsoft: FY05 Deployment Statistics

79,000 unique users
23,000 unique users per week
71,000 content licenses issued per week
10 RMS-related helpdesk calls per week (overall helpdesk volume is 11,000 calls per week)
20% escalated to Tier 2 client support
Median time to certify <1 second
Over 1,000,000 use licenses served

Page 51

RMS does not protect against analog attacks…

Page 52: RMS Product Roadmap

Rows: Key Scenarios, Platform Enhancements, RMS-enabled Microsoft Apps, RMS Version

Today
• Enterprise information policy expression and enforcement
• Intra-company content exchange
• Integration with server-based, centrally managed solutions
• Active Directory integration
• FIPS compliance
• Smartcard support
• Office 2003: Outlook, Word, PowerPoint, Excel
RMS Version: RMSv1 with SP1

FY06
• Access protected content on Windows Mobile devices
• Windows Mobile support
• Pocket Inbox
RMS Version: RMSv1 with SP1; RMS for Windows Mobile

FY07
• Additional client and server applications
• Broader external collaboration scenarios
• Increased security while maintaining ease of use
• Improved deployment and management
• Modified trust infrastructure
• Expanded authentication support
RMS Version: RMSv2 (Longhorn)

Page 53: Resources

RMS Website: http://www.microsoft.com/rms

RMS Blog: http://blogs.msdn.com/rms

RMS TechNet Virtual Lab: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx

Microsoft Security: http://www.microsoft.com/security

Microsoft IT’s RMS deployment: http://www.microsoft.com/technet/itsolutions/msit/infowork/deprmswp.mspx

RMS SDK on MSDN: http://msdn.microsoft.com/library/en-us/dnanchor/html/rm_sdks_overview.asp

Page 54

We invite you to participate in our online evaluation on CommNet, accessible Friday only

If you choose to complete the evaluation online, there is no need to complete the paper evaluation

Page 56

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
