4-page Case Study - Posted 2/27/2008
Dow Corning Uses Enterprise Rights Management to Help Protect Intellectual Property
Situation
Established as a joint venture between Corning Glass Works (now Corning Incorporated) and the Dow Chemical Company, Dow Corning is a global leader in silicon-based technology and innovation. The company provides more than 7,000 products and services to 20,000 customers worldwide, has 10,000 employees, and generated U.S.$4.39 billion in sales in 2006.
For Dow Corning, which has more than 4,000 patents globally, protecting its intellectual property (IP) is a business imperative. “The business world has changed, and IP protection risks can vary from country to country,” says Mark Gandy, Enterprise Architect at Dow Corning. “We’re expanding geographically and collaborating more and more with partners, so we need to handle and protect content in a way that’s compliant both with local regulations and with our own IP-protection policies.”
More specifically, Dow Corning wanted to institutionalize how it protected IP in a way that could be scaled across the enterprise. It already had information protection policies that classify content into categories such as “nonclassified” or “highly confidential” and specify how the content must be handled. However, the company needed a way to make it easy for people to handle content appropriately.
“Although people generally followed the policies that were in place, doing so sapped their productivity and ability to collaborate,” says Gandy. “Encryption and other security-related technologies are complicated for end users and can take several extra steps to employ, which made it difficult for people in the field, who are under pressure to be productive.”
In looking for a solution, Dow Corning identified four major success factors:
- User experience. The solution had to be easy to use and integrate with people’s normal workflows. In this case, that meant integrating with the Microsoft® Office programs that are used company-wide to create, manage, and share documents.
- Operational excellence. Dow Corning wanted to deploy and support minimal additional technology infrastructure, as a way to minimize any increases in ongoing IT costs.
- Corporate governance. The company needed to ensure it retained control of protected content, such as being able to access it even if the user who encrypted it left the company.
- Scalability. Dow Corning needed a solution that could easily support the company’s worldwide operations, including all 10,000 employees.
Solution
Dow Corning met all requirements with Active Directory® Rights Management Services in the Windows Server® 2008 operating system, which provides identity-based information protection to help safeguard information from unauthorized access and use. In conjunction with applications enabled to take advantage of it, Active Directory Rights Management Services provides persistent protection and usage policies that remain with information no matter where it goes or how it’s stored.
“Active Directory Rights Management Services was the ideal solution for us because it integrates seamlessly with both the Microsoft Office system on the desktop and our Windows Server based IT infrastructure,” says Gandy. “We decided specifically to go with Active Directory Rights Management Services in Windows Server 2008 because of the many enhancements it offers over the previous version, including its inclusion as a core server role, an improved management interface, and the ability to easily extend its reach to support collaboration with business partners.”
Proof of Concept and Planning
To assist with testing and deployment, Dow Corning turned to Titus International, a Microsoft Gold Certified Partner and worldwide leader in Active Directory Rights Management Services consulting and deployment. The project started in July 2007 with a proof of concept, in which Andy Schan, a Titus International Senior Technology Consultant, helped the company deploy Active Directory Rights Management Services in a lab setting.
“During our proof of concept, the ease and power of protecting content with Active Directory Rights Management Services shined through,” says Gandy. “We saw that the level of integration we wanted was there, and the exercise helped us properly position what Active Directory Rights Management Services is and isn’t with respect to digital rights management. The proof of concept also led to the development of business cases and pointed out other areas that the technology could help with, such as protecting content on SharePoint® Server.”
In September 2007, Schan returned to Dow Corning for a two-day architecture design session (ADS) in which he worked with the company to review requirements and help select the best architecture. The company’s centralized infrastructure led Dow Corning to select an architecture based on a single root certification and licensing cluster, which was consistent with the goal of providing mission critical services in a centrally managed environment with a minimum of cost and complexity. The same architecture also allows for extension of the solution to the company’s extranet at a future time.
During the ADS, Dow Corning also validated that its corporate governance needs would be met and that it could retain control of protected content, for example, if an employee who applied protection to a document left the company. In addition, knowledge transfer sessions helped all team members understand the components of an Active Directory Rights Management Services solution and how they worked, so that people responsible for networking and IT infrastructure could ascertain the impact that the solution would have on those areas.
“Sizing calculations showed that two servers could support the entire company, even under a worst-case scenario in which a protected e-mail message is sent to the entire organization and all 10,000 users read it within 120 seconds,” says Schan. “Concerns over network usage were put to rest by explaining that additional traffic would consist only of small licensing keys.”
The ADS also included a session with representatives from departments such as IT, human resources, customer service, and legal. “We explained Active Directory Rights Management Services within the context of our information protection policies, and how it would help people to both consistently protect IP and be more productive,” says Gandy. “The meeting generated a lot of excitement, with people asking when they could start using it.”
Pilot Phase and Deployment Timeline
Schan returned to Dow Corning in December 2007, at which time he helped the company deploy Active Directory Rights Management Services into its production infrastructure. “Installing Active Directory Rights Management Services is pretty easy because it’s now a core server role, with installation driven by a wizard,” says Schan. “We installed the Secure Sockets Layer certificates that are used to encrypt traffic between clients and the server, used the wizard to install Active Directory Rights Management Services, and installed the Rights Management Services client on the PCs of users participating in the initial pilot phase. The only change made to Active Directory was to register the service connection point; there’s no need to extend the directory schema.”
Today, during the pilot phase, 100 people have the Rights Management Services client installed along with the Titus Labs Message Classification toolbar, which prompts the user to classify each e-mail as it’s composed and labels the message with the appropriate classification. Although the toolbar is capable of applying specific document-protection options to e-mail automatically, Dow Corning is currently having users set protection options manually. Users protect document files by selecting the Protect Document option on the Ribbon in the Microsoft Office Fluent™ interface, which launches a wizard that prompts the user for the specific protection settings to be applied.
The company plans to deploy Active Directory Rights Management Services to all 10,000 employees worldwide by the third quarter of 2008, as part of its planned deployment of Microsoft Office Professional 2007. “Global deployment will be pretty simple,” says Gandy. “We’ll just hand off the Rights Management Services client and the Titus Labs Message Classification toolbar to our desktop deployment team, which will use Microsoft Systems Management Server 2003 to deploy it to all user desktops along with Office Professional 2007, and use Group Policy to manage and configure the components. Both additional components are Microsoft Installer based, so they will add minimal complexity to the deployment.”
Future Plans
Plans for 2008 include the deployment of Microsoft Office SharePoint Server 2007, upon which Dow Corning will also use Active Directory Rights Management Services to protect documents stored in SharePoint libraries. “The ability to easily protect files stored in SharePoint Server 2007 document libraries is one of the key reasons we decided to deploy Active Directory Rights Management Services in Windows Server 2008,” says Gandy. “All we’ll need to do is go into SharePoint Server and configure the document libraries to use document protection, and any files downloaded from those libraries will have the appropriate protections applied automatically. We have thousands of such documents in SharePoint libraries that we’ll protect in this way.”
Dow Corning also plans to use Active Directory Rights Management Services with Active Directory Federation Services to facilitate collaboration with a select group of business partners, for which the company maintains a separate extranet directory forest. “In the past, customers wanting to share rights-protected content with external partners had to either add users from the partner company to their main Active Directory forest on a case-by-case basis, which isn’t very scalable, or have the partner deploy Active Directory Rights Management Services and set up a trust relationship, which is expensive and time-consuming,” says Schan. “With Active Directory Rights Management Services in Windows Server 2008, Dow Corning can use Active Directory Federation Services to extend its existing Active Directory Rights Management Services infrastructure to external users who are managed in the extranet forest. In addition, Active Directory Federation Services will provide a mechanism that Dow Corning can use to extend other Web-based collaborative applications to external users, rather than just being a point solution for sharing rights-protected content.”
Benefits
With Active Directory Rights Management Services, Dow Corning is enabling employees to easily share rights-protected content and thus to help protect valuable intellectual property. Usage rights and encryption follow content wherever it goes, and the same solution enables Dow Corning to protect documents, e-mail, and content stored in SharePoint libraries and to share rights-protected content with business partners. Deployed with minimal additional infrastructure, the solution is also scalable and easy to manage, which will help the company keep costs to a minimum while maintaining full corporate control over rights-protected content.
Ease of Use
Dow Corning is enabling employees to share rights-protected content in a way that integrates with familiar desktop programs and existing workflows, thereby making it easy for people to comply with the company’s information protection policies. Wizards in Office Professional 2007 programs guide users through specifying how others can open, modify, print, forward, or take other actions with rights-protected content, and usage policies are stored along with the content to help keep that information protected no matter where it goes or how it’s stored.
“Employees today struggle with questions such as ‘Can I share this document?’ and ‘How do I protect it?’ ” says Gandy. “Through integration with Microsoft Office programs that people already know and use, Active Directory Rights Management Services will put compliance with IP-protection policies at employees’ fingertips. Information security is becoming increasingly more important in today’s global business climate, and our new solution will help people do a good job in a complicated world. The solution is so easy to use that we don’t envision having to train people; we’ll just send a communication telling them that the capability is available.”
Minimal Added Infrastructure and Complexity
The company will be able to support all 10,000 users with minimal added infrastructure and complexity by taking advantage of its existing Active Directory service and its planned deployment of Office Professional 2007. Active Directory Rights Management Services runs on a single Dell PowerEdge 2950 server computer with one dual-core processor and 4 gigabytes of RAM, and it is supported by a shared database server running Microsoft SQL Server® 2005 database software.
Should the company require higher levels of reliability than possible with a single Active Directory Rights Management Services server, it can use existing network load-balancing technology to cluster together two such systems, just as one would build a Web site farm. Similarly, redundancy at the database level can be achieved with SQL Server 2005 features, such as log shipping or database mirroring.
Extensibility to Business Partners
Through its seamless integration with Active Directory Federation Services, Active Directory Rights Management Services can easily be extended to support rights-protected collaboration with global suppliers and other business partners, thereby helping to ensure that the company’s intellectual property remains protected even when in someone else’s hands. Furthermore, Dow Corning can do so without having to change how or where it manages users.
“We have some global suppliers who help with capital engineering projects, and we need to be able to share rights-protected content with them, too,” says Gandy. “We can use Active Directory Federation Services to easily extend our existing Active Directory Rights Management Services solution to business partners. Furthermore, we can do so without having to manage external users within our intranet domain or having to deploy Active Directory Rights Management Services in our extranet domain. While we haven’t yet deployed Active Directory Federation Services for seamless partner single sign-on, the ability of Active Directory Rights Management Services to integrate seamlessly with Active Directory Federation Services means that, when we’re ready to extend authentication to partners around the globe, we’ll be able to do so in a way that is both simple and robust.”
Full Control and Auditability
Dow Corning will have full control and audit capabilities over all rights-protected content created by its employees. For example, with previous versions of the technology, if someone was unable to open a protected document, an administrator had to create a Structured Query Language (SQL) script to find the license request information in the database before troubleshooting could begin. With Active Directory Rights Management Services in Windows Server 2008, Dow Corning can use a Microsoft Management Console (MMC) snap-in and accomplish the same task in only a few mouse clicks.
Similar benefits are true for reporting, in that SQL scripts are not necessary to obtain the data for common reports. Instead, a default set of reports is built into the management interface. “We’re excited about how the integration of Active Directory Rights Management Services with SharePoint Server 2007 will give us better insight into how content is being used,” says Gandy. “Not only will we know who has access to the information, but we’ll also know whether they’re accessing it. And we really like the fact that we can, say, expire access to content after 30 days.”
New administrative roles in Active Directory Rights Management Services also will help Dow Corning to efficiently scale and administer the solution. “As we scale our Active Directory Rights Management Services deployment across the enterprise, we’ll need to be able to delegate different permissions to different people within the organization,” says Gandy. “With the latest release of Active Directory Rights Management Services, the new administrative roles for Enterprise Administrators, Template Administrators, and Auditors will help ensure we can scale information protection management in a way that’s best for both our team and the company.”
Ease of Management
Dow Corning can easily manage Active Directory Rights Management Services through its MMC snap-in, which is more intuitive and efficient than the Web-based management interface used with Rights Management Services for Windows Server 2003. “With Active Directory Rights Management Services in Windows Server 2008, we can now use the Microsoft Management Console to administer that server role, which provides a much easier and richer management experience than the Web-based front end used in earlier versions,” says Armand Martin, Senior Infrastructure Engineer at Dow Corning.
Low Total Cost of Ownership
Many of the aforementioned benefits also will help Dow Corning to minimize its total cost of ownership. “The solution’s ease of use, low training costs, ease of management, scalability, and integration with existing IT assets will all help keep total costs to a minimum,” says Gandy. “It’s hard to measure return on investment for such a project, but I think it’s fair to say that the value of such a solution will far exceed its costs. But we would have done it regardless. In today’s global business climate, the ability to protect our intellectual property is a necessity, not a luxury, just like the phone on your desk.”
Windows Server 2008
Windows Server 2008, with built-in Web and virtualization technologies, enables you to increase the reliability and flexibility of your server infrastructure. New virtualization tools, Web resources, and security enhancements help you save time, reduce costs, and provide a platform for a dynamic and optimized data center. Powerful new tools like Internet Information Services version 7.0, Server Manager, and Windows PowerShell™ allow you to have more control over your servers and streamline Web, configuration, and management tasks. Advanced security and reliability enhancements like Network Access Protection and the Read-Only Domain Controller option for Active Directory Domain Services harden the operating system and help protect your server environment to ensure you have a solid foundation on which to build your business.
For more information, go to:
www.microsoft.com/windowsserver2008