Protecting Sensitive Data with AD RMS

Via Windows Server 2008 and Windows Server 2008 R2

The beauty of Active Directory Rights Management Services is the way it spans a range of Microsoft products. Companies that use the Windows client, Windows Server and the Office productivity suite, as well as Exchange Server 2010, can take advantage of AD RMS seamlessly to ensure that their data is safeguarded. Of course, Windows Server is the core component, providing Active Directory and the associated Rights Management capabilities.

With AD RMS, Microsoft is tending to the needs of companies that regard information protection as a security priority. Whether the concern is mobile and remote worker scenarios, keeping contractors or other unauthorized users from accessing sensitive files, limiting the impact of leaks and data breaches, or simply protecting innovation and intellectual property, the software giant has worked to provide customers with a solution. Of course, AD RMS is only a part of the company’s information protection technology vision, but it is a key aspect that firms looking to protect sensitive information should strongly consider.

Microsoft’s latest product releases, from the second half of 2009 or scheduled to launch in H1 2010, including Windows Server 2008 R2, Windows 7 and Office 2010, are all designed to let customers benefit from the evolution of AD RMS. I had the chance to send a few questions to Tony Trivison, an exceptional source of insight into Active Directory Rights Management Services, particularly via the AD RMS team blog. You will be able to read the full interview below.

1. Let’s get started. Who are you and what is your role with Microsoft?

Tony Trivison. I’m a programming writer in the Identity and Security Division of Microsoft. More specifically, I’m part of a small team of technical writers responsible for the developer and IT professional documentation for Active Directory – Rights Management Services. We work directly with developers, testers, and managers on the AD RMS product team to keep the documentation up to date as we release new versions of the product. I also contribute to the AD RMS team blog, which the AD RMS product team uses to interact with customers on a regular basis.

2. Tell us a little bit about information protection technology and what Microsoft is doing to address customer needs in this area.

Wow, that’s a big question! Microsoft is doing work in all areas of the security space. Much of this work is under the umbrella of the Business Ready Security strategy, which includes secure collaboration, secure messaging, information protection, and so on. Specifically, information protection technology is designed to help safeguard digital information from unauthorized use, both online and offline. We are building information protection software that helps customers protect and manage confidential data in a simple and comprehensive manner.

3. If you had to define Active Directory Rights Management Services from your perspective, how would such a definition sound?

In a nutshell, when we are talking about information protection, we typically mean the encryption of unstructured data (a file) as it travels from user to user, inside an organization, or through the firewall to recipients outside the organization. AD RMS is a product that Microsoft has built to provide this capability. It’s included as a role in Windows Server. You can find an overview of it on the Windows Server 2008 R2 Website. You can use it to protect (encrypt) files, apply granular permissions to those files, and share them. A key point to keep in mind is that the protection travels with the file, so moving the file doesn’t make it more susceptible to compromise. To illustrate, you cannot open a protected file by simply saving it to a flash-memory drive and attempting to open it with another computer, unless you have been granted permission to do so.

4. What would you say are the top features of AD RMS?

One nice feature of AD RMS is its integration with Active Directory, which enables you to provide granular permissions when you protect a file. For example, let’s say you have a user named Stuart, and he would like to share a Word document with Kim, another user in your organization. With AD RMS, he can specify that only Kim can open the Word document he created. He can also specify what Kim can or cannot do with the document, such as copy/paste, print, and so on.

Another helpful feature is that it allows you to set up templates that can subsequently be chosen by end users to protect information, according to a set of pre-determined rules. Many customers like to set up templates like “Company Confidential” or “Do Not Reply All” so that end-users don’t have to set granular permissions each time they protect a file.

5. Please share with us some of your experiences with customers that have actually leveraged AD RMS in their environment (nothing specific, just the profile of clients that typically require information protection technology).

We have a case study available that discusses the deployment of AD RMS at Dow Corning and how it provided for their information protection needs in a simple and low-cost manner. Additionally, there is another case study available that talks about how Microsoft IT Operations used AD RMS and RSA’s data-loss-prevention solution to classify and protect their sensitive information.

6. In the end, an IT pro will sit behind the wheel of AD RMS in an environment. What can he/she do with this technology?

AD RMS is a server role in Windows Server 2008 and Windows Server 2008 R2, so it’s configured and managed through the Server Manager console. In Windows Server 2003, AD RMS is configured and managed through a Web interface. Once AD RMS is deployed, an IT professional would most likely be working with her management to create templates for her organization, so that end-users can quickly and easily set protection policies on files. For the most part, our hope is that an IT professional won’t have to spend too much time keeping tabs on her AD RMS environment, once it’s deployed and configured.

7. Microsoft is obviously in an extremely fertile period in terms of new product releases, with Windows 7, Windows Server 2008 R2 and Exchange Server 2010 already available, and Office 2010 coming in H1 2010. How are these products connected with AD RMS?

AD RMS has a role in Windows Server 2008 R2, so it’s directly integrated into Windows Server and can be activated, configured, and managed through the Server Manager console. In addition, the AD RMS client is included in Windows 7, making it simple to access documents protected by IRM-enabled applications. Exchange 2010 also has some really neat information protection features that were created using AD RMS technology.

Office 2010 is also specifically built to work with AD RMS, and will support many information protection features. Sorry that I can’t get too specific about these. It would be inappropriate for me to steal their thunder.

8. Let’s talk a bit about remote workers. How does AD RMS function in the context of mobile computers and other mobile devices, especially mobile phones that employees use to access data from outside a company’s network?

Since AD RMS provides persistent protection, content remains protected as it travels to computers outside the corporate network. It isn’t difficult to configure remote access to protected content by configuring a URL for the AD RMS server that is accessible through the internet.

AD RMS is fully supported by Microsoft Exchange 2010 and specifically in Outlook Web Access, making it easy for mobile users to access protected e-mail on any computer.

Users can access protected Microsoft Office documents and e-mail on their Windows Mobile device. Also, with the help of our partners, users can protect and consume documents and e-mail on other mobile devices, such as on a Blackberry.

9. What type of information does AD RMS help protect? What are the file formats that this technology is designed to play nice with? What are the applications that can be used with AD RMS?

AD RMS is built to work seamlessly with IRM (information rights management) enabled Microsoft Office applications like Word and Excel, so file types such as .docx, .xps (XML Paper Specification) and .xlsx can be protected. It also protects e-mail messages through integration with Exchange and Outlook, as I’ve mentioned previously.

A portion of our customers use the AD RMS software development kit, which is included in the Windows SDK, to protect their own, proprietary file types.

We also have partners that specialize in AD RMS integrated software and services that customers can use to protect and unprotect many common and popular file types, such as PDF.

10. Can you tell us a little about the Active Directory Rights Management Services Bulk Protection Tool and additional work that Microsoft is doing to simplify AD RMS for customers?

We recently added a post on the AD RMS team blog about the bulk protection tool. It’s a command-line tool that can decrypt multiple AD RMS protected files or encrypt multiple files to a predefined rights-policy template. The team is really excited about it. A few of the guys from the AD RMS team recently presented a webcast where they go into detail regarding the bulk protection tool.

Beyond that, we continue to work on improving our information protection technology and building new features for future versions, but I can’t go into too much detail about those before they’re released.

11. Obviously, AD RMS will continue to evolve. What can current customers look forward to? What next generation features do you think will make the difference when it comes down to winning over customers that are yet undecided to use AD RMS?

Information protection is a fun area to be in, because it’s in a growth phase. We’re working on several important features that help make protection more automatic and invisible from the end-user’s perspective. Specifically, Microsoft has begun a partnership with the RSA Security division of EMC to work together on an approach “to enable organizations to centrally define information security policy [and] automatically identify and classify sensitive data.” You can get a taste of this by looking at some of the Exchange 2010 information protection features, such as transport rules. An IT professional can set up a transport rule that causes automatic protection for all e-mail messages sent from specific senders, or to a specific group, for instance. This example highlights the direction that Microsoft is taking, making it easier for IT pros and managers to administer protection so it’s a seamless part of an organization’s processes.
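As an added illustration of the Exchange 2010 transport-rule approach mentioned in the last answer (example configuration written for this article, not part of the interview or of Microsoft’s documentation), the following Exchange Management Shell commands assume that the AD RMS cluster already publishes a template named “Company Confidential” and that “Finance” is an existing distribution group; the template name is taken from the interview, the group name and test address are placeholders.

```powershell
# Added example: automatically apply an AD RMS template to mail sent to a group
# via an Exchange 2010 transport rule. "Finance" and user@example.com are placeholders.

# 1. Exchange must be allowed to obtain use licenses from AD RMS for internal mail;
#    without this, rules that reference a template are accepted but never protect anything.
Set-IRMConfiguration -InternalLicensingEnabled $true

# 2. Confirm the template is visible to Exchange before referencing it by name.
#    A misspelled or unpublished template name is the usual reason a rule silently fails.
Get-RMSTemplate | Format-Table Name

# 3. Protect every message addressed to a member of the Finance group.
New-TransportRule -Name "Protect mail to Finance" `
    -SentToMemberOf "Finance" `
    -ApplyRightsProtectionTemplate "Company Confidential" `
    -Enabled $true

# 4. Verify the rule definition and exercise the IRM pipeline end to end for a test sender.
Get-TransportRule "Protect mail to Finance" |
    Format-List Name, SentToMemberOf, ApplyRightsProtectionTemplate
Test-IRMConfiguration -Sender "user@example.com"
```

Send a test message to the group afterwards and confirm in Outlook that it opens as a rights-protected item; an unprotected copy means the template lookup or licensing step failed.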

The Active Directory Rights Management Services Bulk Protection Tool is available for download here.

Windows Server 2008 R2 is available for download here.
