Every day, information workers use e-mail messages to exchange sensitive information such as financial reports and data, legal contracts, confidential product information, sales reports and projections, competitive analysis, research and patent information, customer records, employee information, etc.
Ever more powerful devices, converging technologies and the widespread use of the Internet have replaced in mobility situation what were (controlled and managed) laptops in past years. Today, information workers are highly interconnected and, with the consumerization of IT, more and more of them are using the device of their choice to access e-mails and work-related documents from just about anywhere. This raises new challenges for security. With the time, the type, volume and sensitivity of information that is exchanged has changed significantly. Mailboxes have transformed into repositories containing large amounts of potentially sensitive information. Furthermore, as of today, information workers are not just more mobile than ever before, but they are also more demanding on external collaboration. Users indeed expect to be able to collaborate seamlessly with any business user not only within the organization but also outside.
Considering the above, information leakage can be a serious threat to organizations. Leaks of confidential information can result in lost revenue, compromised ability to compete, unfairness in purchasing and hiring decisions, diminished customer confidence, and more. Consequently, IT needs to make sure that proper policies and technologies are in place with specifically the ability to protect and control access to sensitive corporate files from:
Each of these capabilities poses different challenges. These challenges demand effective Information Protection and Control (IPC) systems, which are not only secure but are also easy to apply, whether it's to e-mail messages sent or documents (of all types) accessed from various devices, inside an organization or outside the organization to business partner organizations/individuals.
Note IPC is also known as a different set of names including: data leakage prevention, data loss protection, content filtering, enterprise rights management, etc. All of these categories aim to prevent an accidental and unauthorized distribution of sensitive information.
Protect is « Prove who you are » before granting access. The document is unlocked (in fact decrypted) if the user is authorized to access it. Control is « limit the usage of the information ». Control goes a step further by granting people access while removing their abilities (for example, to edit, copy, or print) in accordance to usage policy.
One should note that IPC is available for more than a decade but only few organizations are using this kind of solution. This can be explained by previous lack of interest of Business Decision Makers or by the complexity generally observed when deploying such a far-reaching solution. Also user's expectation is high and they are not tolerating any downtime. Users would not be satisfy if the protected document they are trying to read couldn't be open because an Information Protection element is not responding or if it isn't supported on their devices. Deploying on-premises IPC can be challenging and/or require significant knowledge to be done right. This was notably the case for Microsoft Active Directory Right Management Services (AD RMS), an information protection technology that enables AD RMS-enabled applications such as Microsoft Office to protect digital content from unauthorized use, both online and offline, inside and outside of the organization's boundaries.
Unlike AD RMS, the Azure Rights Management service provides for everyone a Software as a Service (SaaS) information protection solution that work across classic boundaries.
The Azure Rights Management service is included in the Office 365 Enterprise E3 and E4 plans. It can also be purchased as a standalone with these plans: Office 365 Enterprise E1, Office 365 Enterprise K1, Exchange Online Plan 1, Exchange Online Plan 2, and Exchange Online Kiosk.
The Azure Rights Management service can be purchased standalone for use with the on-premises infrastructure thanks to Rights Management connector.
As a highly scalable and available cloud-based IPC solution run by Microsoft in data centers strategically located around the world, the Azure Rights Management service enables organizations of any size to minimize the effort required to implement an effective IPC to sustain the collaboration inside and outside of the organization's boundaries.
Regardless of how the Azure Rights Management service is purchased by organizations (Office 365 SKUs or stand-alone SKU), by leveraging Azure Active Directory (Azure AD), the Azure Rights Management service acts as a trusted hub for secure collaboration where one organization can easily share information securely with other organizations without additional setup or configuration.
In this context, Microsoft RMS enlightened applications along with the Microsoft Rights Management sharing applications enable users to share protected content with any file format not only on computers but also on most popular mobile devices. The user experience is fast and straightforward.
As of today, information workers are not just more mobile than ever before, they also more demanding on external collaboration. Thus, users expect to be able to collaborate securely with any business user even those who don't have signed up yet for the Azure Rights Management service. Thanks to the free Microsoft Rights Management for individuals, anyone can sign up for Azure Rights Management service and start collaborating on protected documents.
This document provides information about Microsoft RMS enlightened applications and how they can be used to share and collaborate on sensitive corporate data. This paper also presents the Microsoft Rights Management sharing application that are available on all important devices.
Furthermore, by following the steps outlined in this document you should be able to share with anyone (any business user or any individual) thanks to the free Microsoft Rights Management for individuals offer.
This document doesn't offer a full description of the Azure Rights Management service offerings. It rather simply focusses on key aspects in the context of this paper that aims at providing the readers an understanding on how to collaborate with anyone on all important devices.
Note For an overview of the NEW Azure Rights Management services offerings, see the whitepaper Azure Rights Management services, the online documentation as well as the posts on the RMS Team blog.
To cover the aforementioned objectives, this document is organized by themes, which are covered in the following sections:
This document is intended for IT professionals and system architects who are interested in understanding the various options for protecting and controlling information assets in their environment based on the Azure Rights Management service's foundation and how to leverage the related capabilities.
The proliferation of consumer devices (smartphones, tablets and PCs) and ubiquitous information access is driving the organization to define a new model in which employees use their own devices to access sensitive corporate data. The model must be flexible enough while at the same time guarantees that sensitive corporate data are protected from unauthorized access regardless whether the user's device is managed or not, etc.
To increase productivity, users ask for a secure and consistent way to access and share sensitive information from their devices.
Microsoft is delivering a solution on all important devices through the Azure Rights Management service. The Azure Rights Management service gives the capacity to make sensitive corporate information available to users on all important devices while protecting information during storage or in transit. Dispersed enterprise data can now be protected in a consistent way.
Once a document is protected, even if it is copied on a USB Key, stored on your laptop or on your mobile device, stored in any cloud provider's storage of your choice, the document carries the same protection. The protection travels with the information whether it has been protected either locally or in the Cloud.
In other words, with the Azure Rights Management service, you can ensure that encryption is implemented for data-at-rest, data-in-transit and data-in-use (encryption-in-use is a capability that must be included in the application processing the data).
The Azure Rights Management service goes further than classical encryption technology by adding policies. That why, the Azure Rights Management service is fundamentally an effective Information Protection and Control (IPC) solution. One should stress that the Azure Rights Management service never has access to the data. The Azure Rights Management service is file transport and file storage agnostic. It operates on (all type of) files only when they are 'activated' (protected, opened/consumed) as notably described later in the next section.
As time evolves, users now want to access corporate data (e-mails, Office documents, PDF documents, pictures, etc.) from anywhere from their devices. They also want a consistent user experience to access sensitive data from their devices, including a simplified sign-on process when accessing such information.
On should note that accessing or sharing a protected document is best experienced within an RMS enlightened application.
RMS enlightened applications enable individuals to protect and consume content. Content is protected by using encryption and must be decrypted before it can be consumed. When the file is protected, the individual applies permissions to the file such as the ability to print or edit. The application will need to honor these rights.
Such an application leverages for that purpose the RMS SDK 2.1 and above. The RMS SDK facilitates most of the protection flows and all initialization. It indeed takes care of all the underlying details about the environment and topologies, document expiration, certificate renewals, policy updates and more. Furthermore, if the application must honor the permission enforcement requested of it, the SDK makes enforcing the rights easier by providing APIs to control permissions such as printing, saving, forwarding, etc.
Note For additional details on permissions, see the MSDN articles AD RMS developer concepts and Built-in Rights Usage Restriction Reference.
The RMS SDK protects the data within the runtime environment they are executing. This is normally a computers (Windows or Mac OS/X) or a mobile device (Windows RT, Windows Phone, iOS, or Android).
Note As of this writing, there is no specific support for Linux or Blackberry. The RESTful API support of the RMS SDK can be leveraged for that purpose. If there's a platform that is missing and you consider critical, then you can contact the product team: askIPteam@microsoft.com
Those runtimes use the RMS SDK to interact with the Azure Rights Management service:
Mobile device applications use the new lightweight Microsoft Rights Management SDK (RMS SDK) 4.0with the latest mobile client, and benefit from Microsoft-provided user interfaces for consumption and protection behaviors. This not only saves time to build protection support, but it also provides a consistent protection user experience (UX) as the UX is integrated into the SDK itself.
Note The RMS SDK 4.0 is a simplified, next-generation API that enables a lightweight development experience in building or upgrading device apps with information protection via the RMS service, whether it is an on-premises AD RMS cluster with the mobile device extension or Azure RMS.
Its APIs use standard programming languages and models for each operating system so, they are easy and familiar to work with. The RMS SDK 4.0 provides support in mobile devices (Android, iOS, Mac OS X, Windows Phone, and Windows RT.
For additional information on the RMS SDK 4.0, see the eponym MSDN page Microsoft Rights Management SDK 4.0.
The Rights Management sharing application (see next section) constitutes a good illustration of the UX that the SDK provides.
Windows desktop based RMS enlightened applications utilize the RMS SDK v2.1, which doesn't yet offer built-in consumption and protection flows. (This will change in a near future.)
As of this writing, the following applications and services natively support the Azure Rights Management services:
Note Office Mobile for iPhone and Office Mobile for Android are now available for Office 365 subscribers, but doesn't support yet RMS protected Office files
Microsoft is delivering a cross-platform sharing application that is available on all important devices: the Rights Management sharing application. This sharing application constitutes the easiest way to shared protected content across computers and important devices without compromising the security.
This sharing application is available on computers (Windows and Mac OS/X) and also on the most popular mobile devices (Windows RT, Windows Phone, iOS, and Android).
The sharing application can be download from the Microsoft Rights Management Download Center: Windows Desktop, Window Phone, iPhone and iPad, Android, and Mac OS/X - No link yet – still pending review by Apple store.
Note For additional information, see the Microsoft TechNet article Rights Management sharing application user guide.
This location is referenced during the Rights Management for Individuals signup flow, and more especially in the subsequent confirmation e-mail (see Section § Sharing protected content with anyone).
This cross-platform sharing application is also available through all the appropriate popular application stores, e.g. App Store, Google Play and Windows Store.
IT Professionals can download the installation packages (64-bit and 32-bit versions) of the Rights Management sharing application for Windows from the Microsoft download center for automatic deployment and thus make use of the ITPro-oriented silent setup options. The Windows version of the Rights Management sharing application indeed supports a scripted installation, which makes it suitable for enterprise deployments via the Azure Rights Management service preparation tool aadrmprep.exe.
Note For additional information, see the Microsoft TechNet article Rights Management sharing application administrator guide.
Note The Rights Management sharing application for Windows is not only reserved for those subscribing to the Microsoft Right Management cloud-hosted service offering but also available for organizations already using an AD RMS infrastructure on their premises.
To install a Rights Management sharing application on your computer or your device, proceed with the following steps:
Note You must have administrative privileges for installing the sharing application on a computer. The AD RMS Client 2.1 is indeed installed as part of the sharing application installation package.
The setup experience is somehow similar on other devices whilst depending on the device.
On Windows computers, the Rights Management sharing application is available for computers running at least Windows 7 or newer version.
It provides the following capabilities:
The Rights Management sharing application is a user-driven application that helps protecting and consuming any file format. It uses the power of the File API, which supports automated protection and enhances the protection ecosystem by protecting all file formats.
The Rights Management sharing application for computers provides, depending of the level of integration possible with the file format, two different levels of protection:
When authorization is granted, the content is rendered in accordance to the defined usage rights policy in RMS-enlightened applications (see Section § Leveraging the Microsoft RMS enlightened applications). In practice, the protected content is rendered in either the Microsoft Rights Management sharing application (for protected text and image files) or the associated application (for all other supported file formats):
Before protected content access is unlock, a user must be successful authenticated and authorized. When authorization is granted, the content is accessible and a central audit logging is also recorded by the Azure Rights Management service.
Note The Microsoft Rights Management sharing application is registered into the system to handle PFILE extension.
Note The ability to protect natively or using the generic protection is configurable by an administrator.
The user can protect a document by using the Rights Management sharing application's integration in Windows and Mac OS/X, as well as via the Microsoft Office Ribbon extensions (see below). Generally stated, the capability is either:
To protect in place a file from the Windows Explorer, proceed with the following steps:
Set the slider to restrict Address and select the appropriate permissions (see below) and click Apply.
To share protected a file from the Windows Explorer, proceed with the following steps:
An e-mail has been created that is ready to be sent but you can edit it first. The recipient(s) can view the file, and can simply sign up for a free Microsoft Rights Management account as needed (see Section § Sharing protected content with anyone).
As previously outlined, the Rights Management sharing application for Windows add a Share Protected button on the Microsoft Office Ribbon, which enables to share a protected copy of the document with others. Related Rights Management add-ins for Excel, PowerPoint and Word are stored in the following folder: C:\Program Files (x86)\Microsoft RMS Office Addins.
To protect and share a document from Word 2013, for example, proceed with the following steps:
A share protected dialog appears.
An e-mail has been created that is ready to be sent but you can edit it first. The recipient(s) can view the file, and can simply sign up for a free Rights Management account as needed (see Section § Sharing protected content with anyone).
The general use of RMS templates enables an organization to define and implement information policies that are consistent across the organization. When implementing automatic rules leveraging RMS templates, then protection applies to everybody in the company across the board.
Templates reduce the effort of determining who should be assigned user rights and what types of rights the intended consumer should receive from the publisher. Furthermore, when modifications to a template occur, all past, present, and future content based on that template will inherit the new rights when a use license is issued.
If the feature that requires a new use license with every access is used with a template, the organization can dynamically change rights policies after the document is published or sent by e-mail. This way, the organization retains the option to further restrict or loosen control on one or more users at any time.
Azure Rights Management service's administrators design and control the content of the templates. They can easily modify the template definitions of approved consumers and the rights that are assigned to those users within a rights-protected document.
Important note The Azure Rights Management service contains by default two templates built-in. At the time of this writing, the capability to create additional templates is not yet present.
The last and up-to-date version of a RMS template resides in the Cloud and is always used when a use license is created so that the most recent policy set by the Microsoft RMS administrator is enforced. Each RMS client must download the templates that it will use.
These local versions of the templates do not need to be updated every time the Azure Rights Management service's administrator updates the template, because the Azure Rights Management service's tenant uses its own copy when it evaluates the rights that the template specifies. However, templates still must be available locally for a user to select them when he or she performs offline publishing, as it's the case for Office applications.
Note If the AD RMS Client 2.1 is bootstrapped against an AD RMS on-premises installation, then the Microsoft Rights Management sharing application will show the on-premises templates.
As seen previously, with RMS templates, it's quick and easy to apply protection on documents that are only access by people working inside the organization. Whenever you want to collaborate with other organizations or with individuals outside, you will share protected documents by applying custom RMS permissions. Custom RMS permission allows to grant people access (individuals inside or outside the organization) on a protected document while controlling their ability to use the document (for example edit, copy, or print).
With the Rights Management sharing application, a document owner can apply permissions to a file through customized combinations of permissions assigned to each specified individual identified with corresponding e-mail address.
Below is a description of supported Rights Management permissions along with their definitions:
Allow consumption on all devices
Mobile devices users will need to install the Microsoft Rights Management sharing application to view the protected file. The file is added to a container which is then encrypted so that the file is protected. The sharing application on the device verifies that users have access to the file and then allows them to view the file on their devices (and even using device-specific applications like Pages on an iPad).
Users must login every time they open this file
This right sets the use license to expire immediately after the protected content has been accessed. As a result, the consumer must have online access to the Azure Rights Management service to get another use license every time the document is opened.
Content expires on
This right expires the consumer's ability to open a protected document at a date that the publisher set.
Please note that:
Below is a description of various Rights Management roles along with their definition.
View: this right enables the consumer to read a protected document but not print, edit, save, or copy.
View and Edit
Edit: this right enables the consumer to modify a protected document but not print or copy.
View, Edit, Copy and Print
Copy: This right enables the consumer to copy content of a protected document to the clipboard.
Print: this right enables the consumer to print protected content. If this right is not assigned, the user cannot print the document, even if he or she can open it and view it.
This right gives the consumer the same abilities that the publisher has. This right acts as if no rights restrictions have been applied. It is typically enabled only for an individual who is a member of a larger group of consumers for whom rights that are more restrictive have been applied. It can also be used to transfer ownership of a document.
The Microsoft Rights Management sharing application for mobile devices provides the following capabilities:
Note Although the Microsoft Rights Management sharing application can send protected document by e-mail, only the attached document is protected leaving the body of e-mail unencrypted. The main purpose of the "share protected" functionality is for secure collaborating with others that don't have yet sign up with the Azure Rights Management service. The e-mail contains instruction for sign up for Microsoft Rights Management for free.
More and more information workers use their mobile device for capturing information when taking for example a photo of the meeting room whiteboard.
One new feature, exclusively available on the Microsoft Rights Management sharing application for mobile devices, is the ability for users to create protected images from the camera or on-device camera roll and share it with other attendees, securely.
To illustrate the feature on an iPad, proceed with the following steps:
Here's another example of how it works when a user receives an e-mail with a protected document:
When downloading or opening a protected file, the file association on the device displays the icon of the Rights Management sharing application provided that the Rights Management sharing application is already installed on that device.
Furthermore, when downloading a protected file by using the browser (as illustrated hereafter with the .pjpg extension), you can directly open the file with the Rights Management sharing application by simply clicking Open in "RMS sharing".
The protected image file is then opened and rendered in the Rights Management sharing application and the associated information policy is displayed. In this case, authorized users are only allow to view and print the content.
Users expect to be able to collaborate with anyone by sharing their documents. Often, this usually means emailing a document by attaching it without additional controls. Thus, people tend to conceptualize sharing as sending. Microsoft Rights Management sharing applications make it easy to share document with other individuals in a secure way by e-mailing the protected document.
Note RMS-enlightened applications can also offer in-built file sharing capabilities.
By controlling access to information based on user identity, the Azure Rights Management service is a solution that safeguard corporate information. When access is granted and information is unlocked, the Azure Rights Management service also provides rich auditing capabilities.
To ease the collaboration beyond your organization's boundaries and beyond the organizations that subscribed to the Azure Rights Management service – where the collaboration between them constitutes a native feature as covered earlier in this document, the Azure Rights Management service provides new ways for individuals and/or users in organizations that don't offer the Azure Rights Management service to their employees individuals to sign up for a free account.
With the free Microsoft Rights Management for individuals, users can share with anyone (any business user or any individual), even those who don't have subscribed to Azure Rights Management service as part of Office 365 or as a stand-alone service.
In order to securely consume or exchange protected files, anyone can now follow these three easy steps:
To sign up for a free account, proceed with the following steps:
Note A Windows Azure AD tenant is provisioned if the user's organization doesn't already have one.
A Rights Management for Individuals ad-hoc account is simply a Windows Azure AD tenant that is created for a specific organization (not shared across organizations) and the user account is added. There is no administrator for these tenants. If other users from the same organization create ad-hoc accounts, they are placed in this same headless tenant. By way of (this) example, email@example.com signs up. The tenant CONTOSO-CORPORATION is cre ated. Alice's user account is added to the tenant CONTOSO-CORPORATION. Alice's account is given the Microsoft Rights Management for individuals SKU. firstname.lastname@example.org signs up. The tenant CONTOSO-CORPORATION exists and is reused. Bob's user account is added to the tenant CONTOSO-CORPORATION. Bob's account is given the Microsoft Rights Management for individuals SKU.
IT professionals will be given the ability to convert these ad-hoc accounts to licensed users with no impact to the user or the tenant. Once this is done, IT professionals will have full management capabilities for these users.
If the various checks succeed, a verification e-mail is sent to the email address you've provided to validate your ownership of the email address.
You can now install the sharing application for your device and start leveraging the Azure Rights Management service as an individual.