4-page Case Study - Posted 2/27/2008
Views: 707
Rate This Evidence:
Food Distributor Deploys Enterprise Rights Management to Help Protect Sensitive Data
Situation
U.K.-based Windrush Frozen Foods distributes frozen, chilled, and ambient foods. The company was established in 1986 and, since current ownership took over in 1995, has grown from U.K.£500,000 in sales for 1996 to more than £27 million in sales for 2006. Windrush has been featured twice in the Sunday Times/Virgin Atlantic Fast Track 100 and, in 2007, was accredited as a “best company to work for” by Best Companies.
Windrush prides itself on its application of technology, which enables customers to submit orders by phone, e-mail, fax, or electronic data interchange as little as one hour ahead of time for same-day delivery. The company’s network and computer systems are managed by an in-house staff of four. “We’ve always believed that technology is a key factor in our success,” says Robbie Roberts, IT Manager at Windrush. “We’re a medium-sized company with a large investment in technology, which gives us a competitive advantage.”
However, with that heavy use of technology also comes an increased risk of information leaks, which the company must avoid. Windrush recently acquired another company and, although both companies operate on the same network, needed to make sure that employees at each company can access and use only the information they are permitted to see. In addition, both companies need to protect confidential information such as customer and human resources data.
“The majority of our need to protect sensitive information is based on e-mail, which may mistakenly get sent to the wrong person,” says Roberts. “There was no clear incident that led us to look for a way to protect digital information; rather, we noticed that lots of sensitive information was being sent by e-mail and stored on our network, and we wanted to put a solution in place before a potentially damaging incident occurred.”
In examining potential solutions, Windrush had several key requirements:
- Ease of use. End users should be able to use the solution intuitively.
- Predictability. Windrush had to be able to clearly define and enforce how documents and content are protected.
- Low deployment and management costs. Windrush is a small company, so it needed a solution that was cost-effective to both implement and support.
- Platform. Windrush wanted to stay with the Windows® operating system platform, upon which all of its systems but the company’s AS/400-based order management application are based.
Solution
Windrush is enabling employees to share rights-protected content by using Active Directory® Rights Management Services in the Windows Server® 2008 operating system, which provides identity-based information protection to help safeguard information from unauthorized access and use. When used in conjunction with applications enabled to take advantage of it, Active Directory Rights Management Services provides persistent protection and usage policies that remain with information no matter where it goes or how it’s stored. The same solution enables Windrush to protect documents created in Microsoft® Office Professional 2007, content sent by e mail using the Office Outlook® 2007 messaging and collaboration client, and documents in Office SharePoint® Server 2007 libraries.
Easy Upgrade Delivers New Capabilities
Windrush was already taking advantage of Microsoft software for identity-based information protection, so its move to Active Directory Rights Management Services in Windows Server 2008 was driven by a desire to take advantage of new features and capabilities. “We originally deployed Rights Management Services in Windows Server 2003 a few years ago, but decided to upgrade to Active Directory Rights Management Services in Windows Server 2008 because it serves an important business function and we want to stay up-to-date,” says Roberts. “In addition, the new version offers significant improvements in reporting, management, and integration with the programs in the 2007 Office re-lease we’re already using. Considering that the upgrade process only took an hour, our decision to upgrade was an easy one.”
Active Directory Rights Management Services is used by everyone at the company who uses a PC. All but nine of the companies’ PCs are running Office Professional 2007 on Windows XP Professional. Those nine PCs—and all new ones being added to the system—run Office Professional 2007 on the Windows Vista™ Enterprise operating system.
Safeguarding Office Professional 2007 Documents
One way in which employees are using Active Directory Rights Management Services is to protect documents created using Office Professional 2007 programs. To do so, they simply click the Protect Document button on the Ribbon in the Microsoft Office Fluent™ interface, upon which they are prompted to specify how others can open, modify, print, forward, or take other actions with the document.
“We’re using Active Directory Rights Management Services templates to make it easy for users to limit access to certain groups of people, such as managing directors, employees of various depart-ments, or all employees,” says Roberts. “Anyone in those groups can, say, open and print a document, but they can’t remove the protection.”
Protecting E-Mail
Windrush is using the same Active Directory Rights Management Services templates to protect e-mail. For example, if a sensitive e-mail message to managing directors was mistakenly sent to someone else, that person would still receive—but be unable to view—the e-mail message. The same mechanism protects e-mail sent to the company’s users of Windows Mobile® 6.0 powered devices.
“Today, people send lots of protected e mail,” says Roberts. “We installed the Active Directory Rights Management Services agent on Exchange Server 2007 Service Pack 1 so that it retrieves and downloads access licenses along with messages before the message is downloaded to Outlook 2007. This enables people to download rights-protected e-mail when connected to the corporate network and read it at a later time, even if they’re working offline.”
Extending Protection to SharePoint Libraries
Windrush also is using Active Directory Rights Management Services to protect documents stored in SharePoint libraries. “We store lots of sensitive information in SharePoint libraries, which can be selec-tively configured to apply rights protection to documents when they’re downloaded,” says Christian Arpino, IT Administrator at Windrush. “The people authorized to view a document are the same ones authorized to view the SharePoint list. Setting everything up only took about five minutes.”
Architecture
Windrush is running Active Directory Rights Management Services alongside Windows Certificate Services under Windows Server 2008 Enterprise, which runs on an HP ProLiant DL380 G5 server computer with two processors and 9 gigabytes (GB) of RAM. That server is supported by a similarly configured, shared database server running Windows Server 2003 Standard Edition and Microsoft SQL Server® 2005 database software.
“We’re deploying Windows Server 2008 fairly broadly, with no problems what-soever,” says Roberts. “Microsoft Internet Security and Acceleration Server 2006 runs on Windows Server 2008, and we’re currently rolling out Hyper-V™. In addition, we’ll be running Exchange Server 2007 on Windows Server 2008 soon, and all systems that are new or on Software Assurance will run Windows Server 2008.”
Benefits
With Active Directory Rights Management Services, Windrush Frozen Foods is protect-ing sensitive information from getting into the wrong hands. A single solution enables Windrush to protect information stored in many forms and locations, with usage rights and encryption remaining with the content as it passes from person to person. Deployed with minimal additional infra-structure, the solution integrates with the company’s existing IT assets to deliver ease of use and help Windrush keep both up-front and long-term costs to a minimum.
Ease of Use
The company’s rights management solution is easy for employees to use and integrates with normal workflows. Users need to do little more than select which group of employees can read an e-mail, access a document, or take other actions; all the complexity of protecting that information from unauthorized access happens behind the scenes.
“Security is fairly easy for us as IT professionals, but it can be very confusing—even frustrating—for end users,” says Roberts. “Through its deep integration with Office Professional 2007 desktop programs, Active Directory Rights Management Services makes protecting information simple for end users. No training was required at all—we just sent everyone e-mail.”
Predictable Assignment of Rights
Through its use of Active Directory Rights Management Services templates, Windrush can easily control how various content is protected and who can access it. “It only took a few minutes to create the templates that we use to limit access to various user groups,” says Roberts. “And because the templates map to user groups in Active Directory, we can maintain employee information in one place and have it easily applied to the protection of sensitive data. If we make a change in Active Directory, we know that it’ll apply to rights management as well.”
One-Hour Upgrade Process
The process of upgrading to Active Directory Rights Management Services in Windows Server 2008 was fast and straightforward, enabling Windrush to begin taking advantage of its new features with minimal effort. “The process of upgrading to Active Directory Rights Management Services in Windows Server 2008 was painless, taking less than an hour,” says Arpino. “We simply installed the Active Directory Rights Management Services role on a new server using the server role wizard, joined the new server to the cluster, and removed the old server. No changes were required to the supporting database server, and everything that we had implemented in the past—such as usage rights templates—still worked perfectly.”
Minimal IT Attention Required
Other than initial deployment, Active Directory Rights Management Services has required very little attention from the company’s IT staff. “Out of all the systems on our network, Active Directory Rights Management Services is the one that I spend the least time managing,” says Arpino. “At most, it requires one or two hours of attention every six months.”
One reason for that ease of management is the solution’s Microsoft Management Console snap-in, which replaces the Web-based administrative console provided with the previous version of the technology. “Administration of Active Directory Rights Management Services is unbelievably easy, especially with the new Microsoft Management Console snap-in that replaces the previous version’s Web-based adminis-trator console,” says Arpino. “Other security products in general are complicated, break easily with change, and require lots of administrative overhead. Microsoft has kept Active Directory Rights Management Services extremely simple and user friendly, which has paid strong dividends for us.”
Low Costs
Thanks to the small amount of time required to manage the solution, the company’s cost of ownership for Active Directory Rights Management Services is low. “The only real costs for us were initial hardware and licensing fees,” says Roberts. “The cost of running and maintaining Active Directory Rights Management Services is really insignificant, and those are where the majority of ownership costs usually lie.”
The value provided by that investment, however, is strong. “Our business is changing rapidly, and the rate of change is only increasing as we grow,” says Roberts. “We’re no longer a small company. Some users, however, are still used to working in a small-business way. By enabling us to protect sensitive information, Active Directory Rights Management Services is helping us to grow with fewer problems.”
