REDMOND, Wash., Feb. 17, 2005 — The topic of information protection — long subject No. 1 in IT security circles — is heating up in the boardroom. New regulations and competitive pressures have heightened the stakes for companies to put effective controls on business data, whether it resides in corporate e-mails, documents, intranet portals or CAD drawings.
Most organizations depend on digital information to run their business, but conventional approaches to protecting that data — firewalls, access control and encryption — have remained largely unchanged. According to Microsoft’s Suzanne Kalberer, the current methods are all important, but all share one significant vulnerability.
“Access control and firewalls keep intruders out, and encryption protects data in transit,” says Kalberer, a product manager in Microsoft’s Security Business & Technology Unit. “But people basically have the freedom to do whatever they wish with the information once it’s in their hands, and this problem is magnified once it leaves the company domain.
After listening to customers express their need for a better way to protect sensitive information, Microsoft entered the enterprise rights management (ERM) space in the latter half of 2003 with the release of Microsoft’s Windows Rights Management Services (RMS) for Windows Server 2003.
“RMS is designed to help protect documents, e-mails and web content — both in terms of access and usage — wherever the information goes,” says Kalberer. “It augments perimeter security solutions and enforces organizational policies for how information ought to be used.”
Extending to Server Applications
The company has since made plans to extend RMS to encompass server applications, and this functionality will become available during the first half of 2005 in the form of RMS Service Pack 1 (SP1). Whereas the first version of RMS was designed to foster the development of RMS-enabled client applications (such as Microsoft Office 2003 Professional Edition), SP1 gives ISV partners a platform to develop RMS-enabled server-based solutions.
According to Kalberer, RMS creates a flexible and customizable platform that can be easily extended by third-party developers, a feature that is increased with SP1. ISVs, she says, are responding to the opportunity by incorporating RMS into a variety of applications to address specific business needs. Third-party solutions are appearing that help customers control access to records and document-management systems, protect sensitive data as it flows through the organization, and extend RMS policies to meet an organization’s e-mail retention policies.
Integrating RMS into Existing Document Management Applications
One such ISV, Liquid Machines, is integrating the new RMS functionality into existing business applications for document management, as well as extending RMS to client-side applications including Adobe Acrobat, Microsoft Visio and earlier versions of Windows-based software. The Waltham, Mass.-based company’s Ed Gaudet explains that the RMS platform’s flexibility provides an opportunity for companies to address the unique challenges of each industry’s regulatory environment.
“Companies are being forced to really get control of the information that runs their business,” says Gaudet. “The great thing about RMS is that it provides a good approach to the problem — a platform approach that can be tailored to address information control in specific ways for these different industries and business functions.”
According to Gaudet, while many government regulations — such as those prescribed by the Sarbanes-Oxley Act in the United States — cut across industries, each vertical industry also faces very specific regulations and pressures, from healthcare to financial services to manufacturing. The RMS platform enables ISVs such as Liquid Machines and others to create new data-control models that extend the capabilities of RMS to give companies the comprehensive, customizable protection they need.
Maintaining Legal Privilege in an Electronic Era
Another industry in which ERM technologies are increasingly important is the legal profession, where communications are often sensitive and confidential; legal firms have embraced e-mail and electronic communications as a vital way of doing business. How can strict confidentiality be maintained in the electronic environment? According to Fred Pretorius of the Boston-area law firm Mintz Levin, firms historically haven’t even tried.
“Important, strategic communications have typically occurred in private, behind closed doors,” he says. “Attorneys are very sensitive not only about what they say, but to whom they’re saying it.”
According to Pretorius, control over information is critical as both a competitive element for law firms, as well as an aspect of maintaining trust with clients. Thus, the issue of enterprise rights management in electronic communications is becoming a topic of importance to the IT department as well as management. “It’s something that, if law firms aren’t looking for it now, they should be,” he says.
ISVs working with RMS share the sentiment that enterprise rights management is a critical issue across all industries. RMS has created a way to address information protection and usage-rights, not just for corporate governance, but for copyrights, and all of a company’s digital intellectual property.
“Customers today are concerned about what they should keep, how long they should keep it and why they should keep it,” says Joshua Konkle of Mountain View, Calif.-based archiving solution provider VERITAS Software Corp. “They’re fighting a combination of storage and management overload, and can have trouble determining what is or is not important. The combination of Microsoft’s RMS solution and VERITAS’ content archiving software effectively addresses the issues inherent to the variety of types of data contained in electronic mail systems and other applications that are critical to company operations.”
Because of its central importance to business, e-mail has become a prime focus for developers working with RMS. Integrating Microsoft RMS protection with solutions such as the VERITAS Enterprise Vault content archiving software allows e-mails to be stored with RMS protection, managed categorically and available for discovery in accordance with corporate governance requirements. RMS-protected e-mails stored by Enterprise Vault software also retain their opening, forward and printing authorizations for individuals — The same protection and security experience as with “live” e-mail in someone’s inbox.
RMS to Help Meet Regulatory Mandates
Microsoft’s Kalberer calls this kind of protection especially important for companies in highly regulated industries. “We have some customers today that are required by regulations to protect sensitive e-mail messages — for example, those containing financial data related to investors,” she says.
Some of those regulations also require companies to be able to archive and index all their email, so they can comply with legal discovery and hold proceedings. Solutions such as Enterprise Vault allow companies to extend RMS protection to those archived e-mails as well. “RMS SP1 allows industry partners such as VERITAS to deliver e-mail archiving solutions that are fully functional with RMS-protected emails.” Kalberer says.
While e-mail is a central example, ISVs agree that the changes RMS SP1 brings to information protection are applicable throughout a business. Just about any kind of file or document can be managed such that, when it is “checked out” by a user, company policies can be applied that control what can happen to the information and who can access it — even after it leaves the network.
According to Paul Neel of the Waltham, Mass.-based solution provider Meridio, this includes controls such as expiration of the usage rights after a certain period. “It creates the ability for you to have an RFP set to expire after 30 days or become public after a length of time, for example. Or it could be a critical strategic memo that expires after 15 days, and even though it’s expired, you have a record of it for compliance with governance regulations.”
In an information economy that is increasingly regulated, the impact of this new approach to data protection on IP and compliance issues could be far reaching. Says Neel, “We think this is going to be a change in the way that people communicate and collaborate in their everyday work life.”
Workflow solution provider K2.net creates solutions to do just that. The company, based in Microsoft’s hometown of Redmond, Wash., is integrating RMS into its workflow solutions to allow rights and permissions to change according to company policy at each step in a workflow process. According to K2’s Adriaan van Wyk, RMS SP1 allows developers to help provide information protection that operates across business functions.
“RMS ties in extremely well with what we are doing and what our customers are asking for,” says van Wyk. “For the first time we have a technology for this kind of information protection and control that is native within Microsoft Office documents. It creates a tremendous opportunity for developers and their customers.”
RMS Spells ‘Customer Service’
In the end, all parties benefit when businesses have more comprehensive control over critical financial, employee, health, credit and other valuable information. With so many ISVs expressing interest in building RMS-enabled solutions, forward-thinking customers such as Mintz Levin are beginning to make investments in RMS technology, not out of reaction to regulation, but from a desire to serve customers and employees better through technology.
“We like to stay as much on the leading edge as possible, to help our attorneys compete with other attorneys in the city or across the nation,” says Mintz Levin’s Pretorius. “Attorneys always need more control and protection over their information and communication. It’s better for them and their clients. The fact that this technology comes from Microsoft gives us the ability to quickly and easily implement new forms of information control across the organization.”
According to Van Wyk, the benefits of RMS in terms of customer service, business operations and regulatory compliance are beginning to gain traction and generate that kind of demand across industries.
“Once people understand what they can do with the technology, what they can do with the software, and how easy it is to use and leverage RMS now that there is an ISV community building solutions on the platform, it almost becomes a no-brainer,” he says. “It’s like air bags in a car. It integrates almost invisibly with the environment. You may never see it, but if you ever need it, you’ll be glad it’s there.”