Security Advisor

Know Your Rights (Management)

Does Microsoft have the right Digital Rights Management (DRM) solution for you?

Digital Rights Management (DRM) has been around for a while. Microsoft recently released Service Pack 1 for its DRM product, Windows Rights Management Services (RMS), and it finally appears to be a useful tool to help solve some common security problems. Let's explore what DRM can do and whether Microsoft has the right DRM solution for you.

DRM's great strength is that it can control what a user or recipient of corporate data can do with that data.

For example, with DRM you can:

  • Control who can read or print a document, such as a confidential contract
  • Control whether the recipient of an e-mail can forward that e-mail
  • Enforce a document expiration date, after which data that may be outdated can no longer be viewed
  • Prevent recipients from reading an e-mail you've sent, even after the e-mail has arrived in the recipient's inbox

Two major vendors vying to become the market leader for DRM are Microsoft and Adobe. Both offer DRM products designed to appeal to a large number of companies and cover the types of data they commonly create and process. This column will look at Microsoft's Windows Rights Management Service (RMS) in detail, but if you feel that DRM is for you, you may want to also take a look at the products from Adobe or others to see if they better fit your needs.

Why You Need DRM
When you protect a document with DRM, you define what others can do with it. The document is encrypted and the applied permissions or restrictions are attached to it. When another user opens the document, the client application first attempts to obtain a license from a licensing server. If the user has the requested access permissions, the license is granted and the document opens. If the user isn't allowed the requested type of access, no license is created and the document can't be opened.

At first sight, this process seems to add unnecessary complications: After all, file system permissions already allow you to control who can access a document. However, file system permissions are lost when someone copies the document from the server where the permissions were defined.

Imagine a lawyer who copies a confidential contract from the server to a USB stick so he can work on it at home. Now the document exists on the server, the USB stick and a home computer—and the carefully designed file system permissions on the server don't prevent anyone from getting the contract from the USB stick or the home computer.

In contrast, DRM-protected documents are encrypted and the permissions are attached to the document. If the lawyer's company had used DRM to protect the document, only the lawyer would be able to access the document, regardless of where it's copied to. In situations such as this, DRM gives you the ability to create an access control mechanism that travels with the document, instead of being tied to the location where you store the document.

Controlling the type of access is as important as who can access the document. Take the case of forwarding e-mail. Forwarding e-mail and adding additional recipients when you reply to e-mail are common practices. The ease with which you can forward e-mail can enhance corporate communications, but it also increases the risk of spreading confidential information beyond the original list of recipients. You might be able to prevent the forwarding of an e-mail message by asking the recipient to keep the content confidential, but such a request is easily forgotten. Once several recipients have turned the mail into a discussion thread by clicking "Reply All," your original request for confidentiality has become buried at the bottom of a multi-page e-mail that has by now taken on a life of its own. With DRM you can prevent others from forwarding an e-mail to someone who was not an original recipient. You can also prevent others from printing a document or copying text from it into another document.

Microsoft's DRM Components
DRM requires several components to function:

  • The application used to create a document must be able to encrypt it and create the information that defines who can access the document and how.
  • The application used to access the document must be able to decrypt the information and honor the usage restrictions included with the document.

The main applications included with Microsoft Office Professional 2003, such as Word, Excel and Outlook, are designed to perform these functions with RMS. An add-in for IE allows you to view protected content even if you're not running Office Professional 2003, including when you use Outlook Web Access.

If you're using Office 2003, you may have noticed a Permission command on the File menu. As the creator of a document, you can use this command to define access permissions and what type of access is allowed. To prevent users from circumventing restrictions, RMS also requires an OS that understands DRM. For example, a user could copy the contents of a non-printable document to a different application and print the content from there. To make RMS work, you have to update your OS with the RMS client software. Clients running Windows 2000 with Service Pack 4 and later are supported.

The component that holds RMS together is the server infrastructure that makes it possible to create the licenses required to access protected documents. RMS servers create usage licenses, as well as other types of certificates, that allow a user to protect a document. RMS servers also archive issued certificates and perform auditing functions. The server component of RMS is a premium component of Windows 2003 Server that you can download and install on any server running Windows 2003. There's no extra cost for installing this component, but you have to purchase a client license for every user who creates or accesses protected content.

DRM Lite
Microsoft has built DRM capabilities into Office 2003 Professional Edition, and you can use it even without installing RMS. In Office the feature is called "Information Rights Management," and it allows you to restrict access to your documents and e-mails by using a Passport account (both you and the recipient need an account).

To restrict access to a document or e-mail, simply choose Permissions from the File menu while you have a document or e-mail message open. The application will guide you through all required steps, including installation of the required software to authenticate to a Passport server and receiving a certificate from a Microsoft-owned licensing server on the Internet. The recipient of the document or e-mail has to complete a similar process before accessing the document, receiving a use license for the document in the process.

Once you've completed the initial setup, you can experiment with different types of restrictions, such as preventing printing or forwarding, or restricting access to specific users.

The Information Rights Management service is operated by Microsoft as a free trial, and the company says it may shut down this service at some later point. Because of this, you shouldn't depend on it for your company's DRM needs. However, it's an easy and cheap way to explore what DRM has to offer.


What RMS Can Do for You
An RMS server must be online to issue a use license when you access protected content. This may appear like an annoying restriction, but it allows you to ensure that the restrictions with the document are still valid when you access it.

Before an application grants a user the requested access to protected content, it queries an RMS server to check whether the permissions included with the document are still valid or have changed. This allows for a number of interesting scenarios:

  • You can control access based on group membership. Applications enforce this based on group membership when the document is opened, not when the document was created.
  • You can set expiration dates for an e-mail. After this date a user can no longer open the e-mail, even if this user changes the system time on the client computer.
  • You can prevent others from reading an e-mail you've already sent. Because Outlook checks with an RMS server before displaying the message, it can recognize that the usage permissions included with the message have been revoked.

(For those times you want to access protected content while you're not connected to a network, an administrator can allow the caching of usage licenses on client computers.)

Installing RMS is relatively easy, but as with any technology, planning is essential. RMS requires Active Directory, SQL Server for data storage and at least one Windows 2003 server to be your RMS server. Once the RMS server is in place, it issues certificates that allow users to publish content and licenses that enable users to access content.

Implementing RMS also requires some user training, but this is fairly minimal. You can further simplify the process for users by creating permission templates that contain the required settings for certain types of documents, such as "Confidential" or "Management Only." Users can then easily apply such a template to the documents they create without having to worry about specific permissions. Accessing protected content that someone else created requires no user interaction. Users may only notice that certain functions, such as printing, are not available.

What's Not to Like About RMS
As you've seen, RMS can provide a number of important benefits, but there are also some weak spots. The most glaring is that there are many ways to get around the forwarding and printing restrictions. Windows doesn't allow you to copy from or take screen shots of a protected document, but there are third-party screenshot applications that don't honor RMS restrictions. Even if they did, RMS can't provide protection against taking a snapshot of a computer screen with a digital camera—or using a pen to copy the information. This limitation applies to all DRM products in one way or another; however, for most organizations this isn't a real problem.

Few applications currently support RMS. You can use RMS to apply permissions to documents that you create with the core Microsoft Office applications, and there are third-party add-ons to extend RMS to other document formats, such as PDF files, but RMS doesn't protect documents created with applications that aren't RMS-aware.

Providing universal access to RMS capabilities requires you to extend your RMS infrastructure beyond your internal network, and doing so may turn out to be difficult. Enabling users not on the corporate network to publish or work with protected content requires allowing access to an RMS server from the Internet. Allowing this access can increase your security risk, but Microsoft offers ample guidance for configuring your infrastructure to both provide efficient access and minimize these risks.

It's even more difficult to make RMS work across organizations. You have to create trust relationships between your organization and another one before you can give users in the other organization access to protected content and vice versa. Such trust relationships are not likely to become commonplace until RMS is widely adopted. However, most organizations I know today are primarily concerned with protecting internal content. Extending RMS to business partners is not yet a priority.

One of the obstacles to such wide adoption is the cost. RMS requires a license for each user who creates or accesses content, and justifying this cost to management can be a tough sell.

At the same time, more and more companies, especially those in regulated industries such as the medical and financial sectors, may find the cost of implementing RMS cheaper than penalties or financial losses due to unauthorized information disclosure. While it's hard to do such cost estimates, it's no surprise that most companies adopting RMS and other forms of DRM today are those that are subject to clearly defined and expensive penalties for disclosing unauthorized information.

Get Ready Now!
Whether you have an immediate need for DRM or not, you should take a look at the technology to see what it has to offer. I believe that DRM will become part of mainstream security technology soon, and becoming familiar with it now can give you a head start. Microsoft's RMS has a number of attractive features and integrates very well into organizations that use Office for e-mail and most business documents. Even if you don't have the time or resources to fully evaluate RMS right now, I encourage you to preview some of the DRM capabilities built into Microsoft Office, which you can do without installing RMS (see "DRM Lite" for more information).


comments powered by Disqus

Subscribe on YouTube