When it comes to securing sensitive information, it is important to control not only who can view certain data, but under what circumstances and for how long.
Microsoft Corp. on Monday unveiled its Windows Rights Management Services (RMS) – a Web-based product that will allow users to distribute information and define who, how and when it can be used, as well as when those rights expire and who can open, print or modify the information.
To use RMS, users require Windows Server 2003 and Office 2003, and can download the components required for free from Microsoft’s Web site. Currently there are four RMS-enabled Microsoft Office applications including Outlook 2003, Word 2003, PowerPoint 2003, and Excel 2003, but Microsoft in Redmond, Wash., said RMS can be used by any Windows-based application.
Developed for the large enterprise, Microsoft said RMS is especially well-suited for verticals such as human resources, finance, legal and health care – all sectors that generate oodles of confidential information.
Rob Helm, director of research at Directions on Microsoft – an independent research firm focusing solely on Microsoft – in Kirkland, Wash., agreed.
“It’s useful for companies that are subject to confidentiality regulations or that have some sort of very formal internal regulations in place,” he said. “[RMS] makes it more brain-dead for the user to comply. If there’s any confusion about whether something is attorney-client privilege, or ‘should I give it to this third person,’ well the technology can help a company to enforce that.”
Helm said that while RMS can help prevent casual or inadvertent leaks it still won’t prevent deliberate security breaches. Helm said he himself was able to bypass Outlook’s “do not forward e-mail” command.
“There are loopholes and determined people will get around them,” he said.
Helm added that while RMS can be useful, it is not a project a company should enter into lightly.
“The big challenge here is that it requires a lot of technical savvy on the part of the company to roll this out,” he explained. “They have to understand concepts like public key infrastructure (PKI), and even companies that do understand PKI will have to learn the specific technology in RMS because it’s different from the PKI that is built into Windows.”
Therefore, he said it would require a significant amount of time and training on the part of an organization.
Another concern Helm had is that even though RMS is designed to work with almost any application, will all applications become RMS-enabled? He said there are applications like Adobe Acrobat, which users commonly use alongside Microsoft Office products, that have their own rights management technology, and that this lack of integration might hinder the use of RMS.
Another option, he said, is for users to go for a third-party hosted rights management service such as GigaTrust by GigaMedia Ltd.
“It means you don’t have to be quite as technically savvy to get this going, although it still takes a lot of smarts, but the other thing is that it can help you work with your customers or partners. For example, if you want to share a protected internal price list with your resellers, you can do that more easily if you’ve got GigaTrust to go through as a broker for information,” he explained.
In fact, Microsoft has partnered with GigaMedia, EDS Corp., Avande, Omniva Inc., Reciprocal, SecureAttachment and SyncCast LLC, so these companies can integrate RMS into their own service offerings. Microsoft also provides a development kit for third parties to integrate RMS into their applications.
Microsoft is also working with Rainbow Technologies to produce a RMS appliance so users don’t need Internet connectivity to run the information management program.
RMS has piqued the interest of Microsoft’s install base. Surrey Memorial Hospital, a user of Microsoft Office 2003, has no plans to deploy RMS right now, but will definitely be looking into how the technology could possibly benefit its organization, according to James Orobko, director, information services for the hospital in Surrey, B.C.
He said there is a definite place for information rights management within the organization but he is not sure how it would fit into the hospital’s infrastructure.
Right now he said the hospital uses its large health care application for rights management but as the organization ventures into different areas, it will also be researching different security methods.
In Canada, Microsoft is online at www.microsoft.ca.