I talk to a lot of executives about various security topics. These days, when I talk to senior executives about leveraging cloud computing in their organization, the conversation they want to have tends to start with Rights Management and Rights Management Services (RMS). Top of mind for them is protecting their organization’s sensitive information from unauthorized access and exercising some control on how information is used within their organization and by their partner organizations.

This is where RMS can help. If you’ve been reading this blog series on cloud security controls, you have already read about some of the security controls that protect data when it’s in transit and when it’s at rest. RMS helps protect data at all times, including when it’s in transit and when it’s at rest; with RMS, protection is persistent whether the data is within your on-premises environment, in the cloud, or shared with people outside of your organization.

Many enterprise customers have been using RMS for many years via Active Directory Rights Management Services (AD RMS) on Windows Server and Information Rights Management (IRM) with Microsoft Office services. New capabilities evolved and flourished over time as RMS offerings matured – which resulted in a lot of great capabilities and acronyms. Today, collectively all of these RMS offerings are referred to as Microsoft Rights Management or Microsoft Rights Management Services.

The diagram below illustrates how RMS works to protect a document with confidential information in it. Essentially the document is encrypted on the client system that is sharing it, i.e., the RMS service doesn’t get to see the data; it only manages the policy and the encryption key exchanges. Encrypting the document helps maintain the confidentiality and the integrity of the information. The policy that is also applied to the document dictates who can open the document and what they can do with it. When someone tries to open the document, their application will need to contact the RMS service for authentication and authorization. The application will only provide the functions allowed by the policy – for example, permitting the user to open the document, forward it, print it, edit it, etc. Since the application must contact the RMS service to open the document, the RMS service can log potentially useful information about the request, including who tried to open the document, where, when, etc. This centralized authentication and policy enforcement model also enables your organization to better manage the lifecycle of protected data. For example, you can put an expiration date on the document after which it is no longer accessible by anyone, regardless of where the document is.
[Figure 1]
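The flow in the paragraph above, as an added illustration that is not Microsoft’s code and not the real RMS protocol: a hypothetical `RmsService` holds only the content key and the policy, the client encrypts locally before publishing, and every open attempt is authorized against the policy, expiry and revocation state and written to an audit log. The cipher is an HMAC-SHA256 keystream used as a stand-in for the real content cipher, and users are plain strings standing in for authenticated identities.

```python
import hashlib
import hmac
import os

# Stand-in for the real content cipher (illustration only): HMAC-SHA256 keystream XOR.
def keystream_xor(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class RmsService:
    """Hypothetical RMS service: stores content keys and policies, never plaintext."""
    def __init__(self):
        self.licenses = {}   # content_id -> key, policy, expiry, revoked flag
        self.audit_log = []  # (time, content_id, user, outcome) for every open attempt

    def publish(self, key, policy, expires_at):
        cid = os.urandom(8).hex()
        self.licenses[cid] = {"key": key, "policy": policy, "expires": expires_at, "revoked": False}
        return cid

    def request_use_license(self, cid, user, now):
        lic = self.licenses[cid]
        rights = lic["policy"].get(user, frozenset())  # policy: user -> set of rights
        ok = bool(rights) and not lic["revoked"] and now < lic["expires"]
        self.audit_log.append((now, cid, user, "granted" if ok else "denied"))
        return (lic["key"], rights) if ok else None

    def revoke(self, cid):
        self.licenses[cid]["revoked"] = True  # persists wherever the document has travelled

def protect(service, plaintext, policy, expires_at):
    """Client side: encrypt locally, authenticate the ciphertext, publish key + policy."""
    key, nonce = os.urandom(32), os.urandom(16)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # same key for brevity
    return {"cid": service.publish(key, policy, expires_at), "nonce": nonce, "ct": ct, "tag": tag}

def consume(service, doc, user, action, now):
    """Consumer side: obtain a use license, enforce the requested right, verify, decrypt."""
    grant = service.request_use_license(doc["cid"], user, now)
    if grant is None or action not in grant[1]:
        return None  # not authorized, expired, revoked, or right not in the policy
    key = grant[0]
    expected = hmac.new(key, doc["nonce"] + doc["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, doc["tag"]):
        return None  # ciphertext was altered: integrity failure
    return keystream_xor(key, doc["nonce"], doc["ct"])
```

The audit log records every attempt, granted or denied, which is the data a document tracking view is built from.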

A great addition to Microsoft Rights Management capabilities is Azure Rights Management – frequently abbreviated to Azure RMS. To understand the difference between Azure RMS and AD RMS that you might be running on-premises, this article has a table that will show you the differences between the two.

For many of the enterprise customers I have talked to, I think a big advantage of using Azure RMS is how easily it enables them to share protected data with external partner organizations. To do this using AD RMS on-premises requires that trusts be explicitly defined in a direct point-to-point relationship between two organizations, by using either trusted user domains (TUDs) or federated trusts that you create by using Active Directory Federation Services (AD FS). Many organizations have built this type of federated environment.

Azure RMS enables implicit trust between organizations and users in any organization. This means that protected content can be shared between users within the same organization or across organizations when users have Microsoft Office 365 or Azure Rights Management, or when users sign up for RMS for individuals; i.e., most of the work to federate directories with partner organizations is done for you, using Azure AD as a “trust fabric.” For those of you who are familiar with directory federation, you likely agree that this will save organizations a lot of time, work and complexity. Essentially, organizations federate once with Azure AD, which then operates as a claims broker between them and all their external partners who have also federated with Azure AD. An example is illustrated in the diagram below.
[Figure 2]

Besides securely sharing data with external trusted partners, another key scenario that Azure RMS can help organizations with is sharing data across devices and platforms. This is key when organizations have a BYOD environment or when trusted partner organizations have a diverse population of devices and platforms. Azure RMS has tight integration with Microsoft Office applications (Word, Excel, PowerPoint, and Outlook, from Office 365 ProPlus, Office 365 Enterprise E3, Office Professional 2013, and Office Professional 2010) and services (Exchange Online and Exchange Server, SharePoint Online and SharePoint Server). It extends support to other applications by using the RMS sharing application. In addition, the Microsoft Rights Management SDK provides developers and software vendors with the APIs they need to write custom applications that protect data via Azure RMS. This combination enables Azure RMS to protect data across devices and platforms, including Windows-based devices, Mac OS, iOS-based devices like iPads and iPhones, and Android-based devices.

The diagram below illustrates how Azure RMS works as a Rights Management solution for Office 365 as well as for on-premises servers and services, across end user devices that run Windows, Mac OS, iOS, Android, and Windows Phone.
[Figure 3]

This is what those senior executives I mentioned earlier typically want to talk about. Does Microsoft’s cloud make it easier for them to securely share sensitive emails and documents with trusted partners regardless of whether their information workers use Windows-based devices, Mac, iOS-based devices or Android devices, or combinations of all of them? They simply want to know that their data is protected regardless of where it is – Azure RMS helps them do this.

When those executives ask their CISOs questions about who had access to specific emails, documents or files, they’ll get the answers they are looking for using Azure RMS Document Tracking. For example, the screenshots below show the web-hosted document tracking site with a list of all prior sharing sessions, a summary of all document sharing activity, and even a map view showing the location of the users attempting to access the protected content.
[Figure 4]
[Figure 5]
[Figure 6]

Notice the “revoke access” button in the screenshot above. This will help control the lifetime of protected content. Once access has been revoked, as seen in the screenshot below, the content will be inaccessible.
[Figure 7]

I’ve really only scratched the surface with this introduction to Azure RMS. But there is plenty of great content published:

Azure Rights Management
What is Azure Rights Management?
Terminology for Azure Rights Management
Requirements for Azure Rights Management
Azure RMS Security Evaluation Guide
Office 365 Information Protection using Azure Rights Management
The Official RMS Team Blog
https://technet.microsoft.com/en-us/library/dn595132.aspx
Azure Rights Management: What It Is, New Features, and a View into the Roadmap (video)
Azure Rights Management Services Core Skills (video)
@TheRMSGuy

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection