Rights Management Comes to the Enterprise
Mar. 17, 2003
A forthcoming technology called Windows Rights Management (RM) will help organizations control the distribution and use of confidential data such as documents and e-mail messages. In addition to a new server component, Windows RM relies on client applications to do much of the work, including presenting the user interface for protecting data and enforcing these restrictions for other users. Thus, its success will largely depend on how well Microsoft and other developers support it in applications—if the system is too complicated or easily breakable, it will be ignored.
The core of Windows RM is a server component called Rights Management Services (RMS). Microsoft considers RMS to be part of Windows Server 2003, but it is on a different release schedule and is expected in the second half of 2003. Office 2003, available in summer 2003, will be the first Microsoft application to support Windows RM, and the company will release SDKs in spring 2003 for third-party developers to support it.
Rights Management Beyond Digital Media
In general, rights management (sometimes called digital rights management, or DRM) allows the owner of digital data to define what other users may do with that data.
So far, rights management software has primarily been marketed as a way for content producers, such as record companies or movie studios, to protect digital media content from unauthorized duplication and use. For example, Windows Media DRM allows content owners to control how many times a user may access an audio or video file, define whether and how many times they may copy it to other devices, and set an expiration time after which certain rights are revoked.
But there's no comparable system that organizations can use to protect other types of data, such as e-mail or ordinary business documents. Windows access control lists and Public Key Infrastructure (PKI) systems can be used to restrict who may read and modify a file, but there's no way to control what users can do once the file has been opened—they could print the file and mail it to a competitor or copy the contents to another document or e-mail, for instance. A user can password-protect an Office file, but the password must then be shared with every other user who wants to access the file, which is time-consuming and exposes the password to possible interception; moreover, if users forget the original password, the data is inaccessible forever, which leads users to employ easily guessable passwords or avoid the feature altogether.
Windows RM (formerly code-named Tungsten) is designed to give organizations the same level of control over their data that digital media owners have today. The new technology offers several significant improvements over older access control methods:
Granularity—organizations can control many more parameters, such as who may view, modify, copy, print, save, and forward each file, and for how long.
Persistence—rights are permanently embedded with the data, regardless of where it is or how many copies of it are made.
Format independence—rights can be appended to any type of binary data, rather than being restricted to digital media files of a certain format, for instance.
Microsoft expects initial demand for Windows RM to come from large organizations where security is a prime concern, such as government agencies and enterprises whose main asset is intellectual property (Microsoft itself plans to deploy Windows RM throughout the company), and from certain departments found within all companies, such as legal, financial, and human resources.
How It Works
Windows RM lets enterprises establish a set of trusted entities, including users, groups, applications, or machines, within an organization. Once these trust relationships are established, users can encrypt data items, such as documents, PowerPoint presentations, and e-mail messages, and assign usage rights and conditions to them based on various levels of trust. For example, a corporate lawyer might trust members of the legal department to modify and print a legal document, while trusting corporate executives only enough to let them read the document but not print it; sales team members might not be trusted even to open it.
Windows RM uses RMS as a centralized "trust broker" service to define and manage trust relationships. RMS is a component that will be delivered for Windows Server 2003 Enterprise Edition after the product ships. In addition to RMS, each PC in the system needs rights-management client software for storing keys, performing encryption functions, and communicating with the server; and at least one RM-enabled application to let users assign rights and enforce those rights once they've been assigned.
(For a step-by-step diagram showing the role played by each of these components in a typical exchange, see the illustration "How Windows Rights Management Works".)
Rights Management Services
The role of RMS is to keep a list of trusted users and to issue and validate licenses that define what users are allowed to do with a protected data item.
When first protecting a data item, the author's application encrypts the data and appends a unique "publishing license" to it. When another user tries to open a protected item, the publishing license must be sent to RMS along with a list of the recipient's credentials. RMS checks to see whether the publishing license is valid, checks the recipient's credentials, and then issues a "use license" with the key necessary to unlock the data item and a list of specific rights the recipient has for that item. Although RMS issues the use license, it is not responsible for enforcing the rights contained in the license—that job falls to the application used to render the data item.
In addition to issuing and validating licenses, RMS offers policy templates for administrators to define specific levels of rights for all or any subset of users in a particular Windows RM system. For example, administrators could create one level called "confidential" that, when applied to a document, would give all employees in the system read-only access; another level called "executive" might allow members of the executive team to read, modify, and forward a document but block all other users from opening it. These templates address one of the biggest obstacles to successful implementation of any rights management scheme—an overwhelming number of choices when assigning rights.
Administrators can create "super users" who will have automatic access to all data protected within a certain rights class (for example, all data classified as "confidential") or owned by a specific user group (for example, all data protected by a member of the legal department). This is necessary in case a user protects an item that is important to the company, then leaves the company or is otherwise incapacitated.
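The license exchange described under this heading, shown as an added example that is not code from the article or from Microsoft: a Go program in which an RMS stand-in validates a publishing license, resolves the recipient's rights from a policy template (applying the super-user override), and issues a use license, while the rendering application, not RMS, enforces the rights. The directory, template and user names, and the choice of RSA-OAEP for wrapping the content key and AES-GCM for the data are all assumptions; the real service also encrypts the released key to the recipient's lockbox, which is left out here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Rights is the set of actions a license grants: view, edit, print, forward.
type Rights map[string]bool

// RMS stands in for the trust broker: trusted users and their groups (a
// constructed directory), policy templates (template -> group -> rights),
// super users, and the key pair that publishing licenses wrap content keys to.
type RMS struct {
	Key        *rsa.PrivateKey
	Groups     map[string][]string
	Templates  map[string]map[string]Rights
	SuperUsers map[string]bool
}

// PublishingLicense travels with the item; WrappedKey is the content key
// RSA-OAEP encrypted to the RMS public key, so only RMS can release it.
type PublishingLicense struct {
	Author, Template string
	WrappedKey       []byte
}

// UseLicense is issued to one recipient. Here the content key rides on the
// authenticated RMS channel; the real system also binds it to the lockbox key.
type UseLicense struct {
	User   string
	Rights Rights
	Key    []byte
}

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here
	g, _ := cipher.NewGCM(block)
	return g
}

// Protect is the author's application: encrypt the data under a fresh content
// key (nonce-prefixed AES-GCM) and produce the publishing license to append.
func Protect(server *rsa.PublicKey, author, template string, data []byte) (PublishingLicense, []byte, error) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key) // crypto/rand only fails if the OS entropy source is broken
	rand.Read(nonce)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, server, key, nil)
	if err != nil {
		return PublishingLicense{}, nil, err
	}
	pl := PublishingLicense{Author: author, Template: template, WrappedKey: wrapped}
	return pl, gcmFor(key).Seal(nonce, nonce, data, nil), nil
}

// IssueUseLicense is the RMS side: validate the publishing license, derive the
// recipient's rights from the template (super users get everything, unknown
// users nothing), and release the content key only if "view" resulted.
func (r *RMS) IssueUseLicense(pl PublishingLicense, user string) (UseLicense, error) {
	tpl, known := r.Templates[pl.Template]
	if _, trusted := r.Groups[pl.Author]; !known || !trusted {
		return UseLicense{}, fmt.Errorf("publishing license rejected: author %q, template %q", pl.Author, pl.Template)
	}
	rights := Rights{}
	for _, g := range r.Groups[user] {
		for action := range tpl[g] {
			rights[action] = true
		}
	}
	if r.SuperUsers[user] {
		rights = Rights{"view": true, "edit": true, "print": true, "forward": true}
	}
	if !rights["view"] {
		return UseLicense{}, fmt.Errorf("no use license: %q has no rights under template %q", user, pl.Template)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, r.Key, pl.WrappedKey, nil)
	return UseLicense{User: user, Rights: rights, Key: key}, err
}

// Render is the recipient's application. RMS issued the license, but only the
// application enforces it, so any action the license omits is refused here.
func Render(box []byte, ul UseLicense, action string) ([]byte, error) {
	if !ul.Rights[action] {
		return nil, fmt.Errorf("%s: %q is not permitted by the use license", ul.User, action)
	}
	if len(box) < 12 {
		return nil, fmt.Errorf("malformed protected item")
	}
	return gcmFor(ul.Key).Open(nil, box[:12], box[12:], nil) // fails on a tampered item
}

// NewDemoRMS mirrors the article's example: legal may edit and print, executives
// may only read, sales is absent from the template, and one super user exists.
func NewDemoRMS() *RMS {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &RMS{Key: key,
		Groups:     map[string][]string{"lawyer": {"legal"}, "ceo": {"executives"}, "rep": {"sales"}, "admin": {"it"}},
		Templates:  map[string]map[string]Rights{"legal-draft": {"legal": {"view": true, "edit": true, "print": true}, "executives": {"view": true}}},
		SuperUsers: map[string]bool{"admin": true}}
}

func main() {
	rms := NewDemoRMS()
	pl, box, _ := Protect(&rms.Key.PublicKey, "lawyer", "legal-draft", []byte("Draft merger agreement"))
	for _, user := range []string{"ceo", "rep", "admin"} {
		ul, err := rms.IssueUseLicense(pl, user)
		if err == nil {
			_, err = Render(box, ul, "print")
		}
		fmt.Printf("%s print: %v\n", user, err) // ceo: refused by the app; rep: refused by RMS; admin: <nil>
	}
}
```

Two points from the article are visible in the control flow: the sales representative is stopped at RMS, because the template gives the sales group nothing, so no use license (and no key) ever leaves the server; the executive does receive a license and the key, and it is the application's refusal in Render that stops printing. That second case is why the article insists that only trusted applications may open protected files.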
RMS is also responsible for a number of other administrative functions, such as distributing necessary software to clients in a one-time activation process and, optionally, logging all requests.
Microsoft recommends that each instance of RMS be run on a dedicated Windows Server 2003 machine. For organizations with many users, RMS servers can be arranged in clusters, with one RMS server issuing certificates to other RMS servers.
Each PC in the system must obtain a software "lockbox" that performs cryptographic operations and contains and protects the unique private key that each client PC needs to use the system.
To get the lockbox software, each PC in the system sends a hash of its hardware ID to RMS in a one-time activation process. RMS then sends this hash to a Rights Management Activation Service hosted by Microsoft, which returns the lockbox DLL and a signed client certificate. (Microsoft is working with public key infrastructure [PKI] vendors to create lockbox appliances that can perform this function behind a firewall.)
The software lockbox is conceptually similar to Microsoft's next-generation secure computing base (NGSCB), formerly known by the code name Palladium. NGSCB, however, will use a combination of new hardware and new operating system components to establish a secure data vault on each PC, making it less vulnerable to software-based attacks. When NGSCB emerges (expected to be between 2004 and 2006), PCs with the technology will not need the software lockbox to fit into Windows RM systems.
Additional client software is also necessary to handle interactions with the RMS server. This client software will be distributable through Microsoft's enterprise management technologies, such as Systems Management Server (SMS) and Windows Update.
Finally, each PC in the system must have at least one RM-enabled application, such as Office 2003. The application provides the interface for users to assign rights to a data item and enforces those rights when other users attempt to do something with that item.
Most important, each application is responsible for enforcing the rights contained in the use license when the file gets to the recipient. Therefore, access to a protected file must be limited to trusted applications—otherwise, for example, a user could open a protected Word document in a text editor, then copy the text to an unprotected e-mail. To prevent this scenario, only trusted applications will be able to open RM-protected files. Microsoft will distribute the necessary tools for building trusted applications in its SDKs.
In addition to Office 2003, Internet Explorer (IE) 5 or 6 will also support Windows RM with the help of a Rights Management add-on. This provides a solution for backward compatibility—for example, Office XP users will be able to use IE and the add-on to access protected Office 2003 material. (The IE plug-in contains code necessary for rendering all Office 2003 data.) IE support also lets companies take other information, such as financial or human resources records, from a database and post it to an intranet portal or pass it through a document management system while still keeping it confidential.
Microsoft will make betas of two SDKs available by the end of Mar. 2003. These SDKs—one for client applications and one for server applications—will allow third-party developers to build RM support into applications such as document repositories and workflow systems, business intelligence systems, and departmental portals.
Initially, to share protected documents between Windows RM systems, an organization will have to establish one-to-one trust relationships with other organizations. Once these relationships are established, organizations can set up an RMS Web service to distribute use licenses to individuals at trusted partners. It is also possible to add outside individuals to an organization's list of trusted users by adding them to Active Directory (AD) and adjusting the rights policy templates accordingly.
However, Microsoft is laying the groundwork to make business-to-business exchanges of protected data easier and more automatic. For instance, to activate the RMS server, an organization must present an X.509 certificate to a licensing brokerage service hosted by Microsoft (third parties are expected to host similar services in the future). This will help establish an eventual hierarchy of trust that can span multiple organizations, users, and applications.
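The two activation steps the article describes, the hash of the hardware ID that each PC sends during one-time client activation (under "Rights Management Services" above) and the certificate an organization presents to activate its RMS server, modelled as one hierarchy of trust. This is an added example, not code from the article or from Microsoft: X.509 certificates with ECDSA keys stand in for whatever certificate format the shipped product uses, the hardware hash is carried in the subject's serialNumber attribute by assumption, the service and organization names are constructed, and the lockbox DLL that is delivered with the client certificate is not modelled. The verification step is the security point: RMS should accept a client only if its certificate chains to the activation root and names the hardware the PC has now, so a lockbox copied to a different machine is refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Authority is anything that signs certificates: the root stands in for the
// Microsoft-hosted activation/licensing service, and an activated RMS server
// becomes an Authority for its own clients.
type Authority struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// HardwareHash is what a PC sends at activation: a SHA-256 digest of its
// hardware ID rather than the ID itself. The ID string used here is constructed.
func HardwareHash(hardwareID string) string {
	sum := sha256.Sum256([]byte(hardwareID))
	return hex.EncodeToString(sum[:])
}

// NewLockboxKey is the per-PC key pair whose private half the lockbox guards.
func NewLockboxKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign fills in serial number and validity, then has parent/key sign the template.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA issues a CA certificate; with parent == nil the result is self-signed.
// Failures panic because this is a constructed demonstration setup.
func NewCA(name string, parent *Authority) *Authority {
	key := NewLockboxKey()
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	signer := &Authority{Cert: tmpl, Key: key}
	if parent != nil {
		signer = parent
	}
	cert, err := sign(tmpl, signer.Cert, &key.PublicKey, signer.Key)
	if err != nil {
		panic(err)
	}
	return &Authority{Cert: cert, Key: key}
}

// ActivateServer models the organization presenting its RMS server to the
// brokerage service and receiving a certificate beneath the root.
func (a *Authority) ActivateServer(org string) *Authority {
	return NewCA(org+" RMS", a)
}

// ActivateClient is the one-time client activation: the PC presents the hash of
// its hardware ID plus its lockbox public key and gets a certificate binding them.
func (a *Authority) ActivateClient(hwHash string, lockbox *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: "RM lockbox", SerialNumber: hwHash},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, a.Cert, lockbox, a.Key)
}

// VerifyLockbox is the check RMS makes before trusting a client: the chain must
// run root -> server -> client, and the certificate must name the hardware hash
// this PC computes now, so a lockbox copied to another machine is refused.
func VerifyLockbox(root, server *Authority, cert *x509.Certificate, hwHash string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.Cert)
	inter.AddCert(server.Cert)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("no chain to the activation root: %w", err)
	}
	if cert.Subject.SerialNumber != hwHash {
		return fmt.Errorf("certificate was issued for different hardware")
	}
	return nil
}

func main() {
	root := NewCA("Activation Service (constructed)", nil)
	server := root.ActivateServer("Example Org")
	lockbox := NewLockboxKey()
	hw := HardwareHash("hwid:constructed-pc-01")
	cert, _ := server.ActivateClient(hw, &lockbox.PublicKey)
	fmt.Println("same machine:", VerifyLockbox(root, server, cert, hw))
	fmt.Println("cloned lockbox:", VerifyLockbox(root, server, cert, HardwareHash("hwid:other")))
}
```

Sending only a hash of the hardware ID keeps the raw identifier off the wire and out of Microsoft's logs while still giving the activation service something stable to bind the certificate to; the verifier recomputes the same hash locally, so the binding costs nothing to check.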
In addition, agreeing on a common language for describing rights will help rights management systems from different vendors work together. Windows RM uses Extensible Rights Markup Language (XrML), an XML-based language for describing and managing rights and policies. Although XrML has been accepted by the Moving Picture Experts Group (MPEG) as a standard, other companies, such as Sun Microsystems, use a competing language, Security Assertion Markup Language (SAML).
Initially, Windows RM will not be supported on the Pocket PC or other handheld devices, which could make it unsuitable for organizations with large numbers of mobile workers.
Early Adopters: Microsoft Loyalists
The first beta of RMS will be available by the end of Mar. 2003, and the product will ship in the second half of 2003. Although it will ship separately from Windows Server 2003 Enterprise Edition, Microsoft envisions it as a core component of that server operating system, much like IIS is part of Windows Server today. Pricing and licensing have not been finalized.
Only the largest, most loyal, and most up-to-date Microsoft customers are likely to adopt Windows RM at first. That's because, in addition to the more expensive version of Windows Server 2003, customers will need AD and Office 2003 or another RM-compatible application. (Although the free IE plug-in can be used for accessing protected data, it cannot be used to create it.) In addition, each RMS cluster must have one instance of SQL Server or Microsoft Data Engine (MSDE) to store usernames and permissions and for logging purposes. Adoption could increase as the natural upgrade cycle causes more businesses to implement AD and purchase Windows 2003 and Office 2003, and as third-party developers build Windows RM support into their applications.
The biggest threat to the success of Windows RM, however, is end-user complexity. Because each application determines its own user interface for rights management, users might be faced with multiple methods of assigning rights. Even if Microsoft can enforce user interface consistency among its own applications, it could be difficult to make ISVs and corporate developers toe the line. At customers’ sites, administrators will have to work with nontechnical managers to create foolproof policy templates that are tailored to each department's needs, all without overwhelming users with too many choices. If these challenges are not met, users will avoid the system entirely, leading organizations to wonder why confidential data is still being leaked.
Understanding the technology and terminology of PKI systems will help in understanding Windows RM; for information on Windows PKI, see "Windows Public Key Infrastructure Extends Security" on page 3 of the Dec. 2001 Update.
A nontechnical white paper describing the business case for Windows RM is available at www.microsoft.com/windowsserver2003/techinfo/overview/wrm.mspx. A technical white paper will be available at the same URL in Apr. 2003, and the SDKs later in the spring.
The Rights Management add-on for IE is available as a free download at www.microsoft.com/windows/ie/downloads/addon.
For background on the NGSCB (formerly known as Palladium), see "'Palladium' Plan for Trustworthy OS Revealed" on page 10 of the Aug. 2002 Update.
More information about XrML is at www.xrml.org.