Microsoft Rights Management

Dec 10, 2013

Dan Plastina



Organizations share information. The Microsoft Rights Management services (RMS) offering helps organizations keep their information secure, both inside and outside of the organization, by protecting documents both at rest and in motion. Information protection is critical and, at this time, Microsoft is redoubling its investment in RMS. This document outlines our newest feature set, with a strong emphasis on the July preview deliverables.

The following links complement this document with further information:

http://channel9.msdn.com/Events/TechEd/Europe/2013/WCA-B322 and WCA-B321

http://microsoft.com/rms and http://blogs.technet.com/b/rms



Microsoft RMS enables the flow of protected data on all important devices, of all important file types, and lets these files be used by all important people in a user's collaboration circle. Yes, RMS will now protect any file type (not just Microsoft Office documents), let you access them on many devices (not just Windows PCs), and enable sharing with other organizations (not just within your organization). Furthermore, ITPros can perform simple, planned deployments of RMS or, if not deployed by the ITPro, Information workers (IWs) can adopt RMS on their own (dubbed 'RMS for Individuals') for free.

The Microsoft Rights Management suite is implemented as a Windows Azure service. For brevity, we reference it within as Azure RMS so as not to confuse with Windows Server AD Rights Management Services (aka ADRMS). It comprises a set of RMS applications that work on all your common devices, a set of software development kits, and related tooling. By leveraging Windows Azure Active Directory, the Azure RMS service acts as a trusted hub for secure collaboration where one organization can easily share information securely with other organizations without additional setup or configuration. The other organization(s) may be existing Azure RMS customers but if not, they can use a free Azure RMS for Individuals capability.


This offering is in preview as of July 29 followed by general availability in October. Follow our blog at blogs.technet.com/b/rms for details. Also visit the updated www.microsoft.com/rms site.

The Elephant in the Room

There is no escaping the recent news. If you've not yet seen Microsoft's blog on this matter, please take a moment to read it now. In this section we're going to ask that you consider this complex problem in layers and not idiomatically; please don't 'throw the baby out with the bathwater'.

Specifically, the ability to protect and limit access to sensitive files from:

A) A broad base of your own internal employees

B) A collection of organizations you choose to collaborate with

C) Various exposure risks you are subject to when stored in the cloud

Each of these capabilities poses different challenges and it's clearer now than ever that no solution can address every possible aspect of data protection in every possible situation. Fortunately, you can solve some of your data protection challenges now.

Let us begin with a few facts about Microsoft's Azure-hosted Rights Management service:

• Azure RMS is at the core of the Rights Management suite and relies on Windows Azure services.

• A document is protected by RMS without the document being sent to the Azure service.

• Viewing or sharing protected documents is enabled without the documents themselves being sent to the Azure service.

• Sharing a file occurs without the document being relayed via the Azure RMS service.

Shared amongst all of the above statements: The Azure RMS service never sees your data. This is a common misunderstanding about the RMS technology stack, and we want to set the record straight: Actual customer content is never accessible to RMS data protection services, nor to anyone compelling the service to do something on their behalf.

Let's dive in deeper with a diagram of the fictional US company Contoso, who is sharing data. It is a very accommodating company that shares data via the four modern data storage models:

1) The document is kept on premise. A presumption here is that the company has full control over its security perimeter, something that may not always be true. This caveat aside, the document is generally considered as being most private (note: we did not say 'most secure').

2) The document is shared with a second party named Fabrikam, a fictional company. The document is shared, in private, via what both parties deem to be a secure means (e.g. email, USB storage).

3) The document resides in any cloud provider's SaaS application. From there, it is shared with others.

4) The document resides in any cloud provider's storage. From there, it is shared with others.

[Diagram: Contoso (North America) and Fabrikam (Europe) exchanging data via Azure AD and RMS, Office 365, Amazon Web Services, Azure SaaS/PaaS/IaaS, Conventional Hosters, SalesForce and Conventional SaaS Offers; the four storage models above are marked 1, 2, 3 and 4.]

In all four of these cases (1/2/3/4 above) the ITPro at Contoso, not Microsoft, was in charge of making storage location and transfer transport policy choices (though we all know the users often make their own choices). While those location and policy choices do have exposure related consequences, none of them result in the Azure RMS service having access to the data.

Microsoft RMS is file transport and file storage agnostic. It operates on files only when they are 'activated' (protected, opened/consumed).



Tying this back with the A/B/C challenges above, the RMS offer is highly adept at handling the protection at rest needs of scenario A (protection within the organization) and scenario B (protection of a private communication between organizations).

For scenario C (data stored in the cloud; storage models 3 and 4 above) the considerations are more complex given that data has left the trusted perimeter of Contoso and the partially-trusted perimeter of Fabrikam. There is now a new actor that must provide a trusted storage perimeter in the eyes of the Security Officer. The media frenzy over data protection has turned this into a statement of distrust for the cloud but the savvy readers know well that the problem is far more subtle than this narrow view.

We, the RMS team, often talk with customers whose own perimeter has been challenged by unwanted guests. In this context one ITPro recently said to us, "You have far more to lose (your reputation; your many SaaS/IaaS customers) than I do so, I must recognize the effort that you must be investing into establishing cloud security and trust".

This ITPro was spot on, we are investing a huge effort.

The Microsoft RMS components are scrutinized closely as they play a critical role in the overall secure document protection framework. Specifically, they enable the following:

A) The client SDKs protect the data within the runtime environment they are executing. This is normally a PC (Windows or Mac) or a mobile device (Windows RT, Windows Phone, iOS, or Android). The device can also be a Windows server service (e.g. Exchange) or a solution provider's value-add offering (e.g. Data Leakage Prevention). Those runtimes use the RMS SDK to interact with the Azure RMS service.

B) The Azure RMS server, when responding to client SDK requests, is responsible for the secure encryption key interchange with the SDK in order to protect the data without the data going to the Azure RMS service.

C) Once protected, the Azure RMS service plays key roles in document consumption:

a. The user must be authenticated: Azure RMS requests an authorization token from the appropriate identity provider. Generally this is federated on-premise AD or Windows Azure AD but we'll seek to shortly offer support for Microsoft Account (aka LiveID) and Google IDs.

b. The user must be authorized: Azure RMS serves as a unified policy decision point and a policy enforcement point to follow policies established by your organization. This is done by having the RMS software process the document policy associated with a protected document and then decide if user@Fabrikam.com should be granted permission to view the document.

c. Every use must be logged: All user activity, successful or not, is logged in Azure RMS logs enabling your IT staff to audit access. We are now working with third parties to render distilled reports and/or dashboards from these logs.
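To make the data-flow claim in B and C concrete, here is an added example (my own code, not Microsoft's and not the RMS SDK) that simulates the publish and consume exchange in Python. The license layout, the field names, the rights strings and the stand-in cipher are assumptions; what it demonstrates is that the service side only ever receives the content key and the policy, decides and logs every access request, and refuses a license whose policy has been edited after publishing.

```python
"""Added example, not Microsoft's code: a minimal simulation of the RMS
publish/consume flow described in A/B/C above. It exists to make one claim
concrete: the service side handles key interchange, authorization decisions
and logging, yet the document bytes never reach it.

Assumptions (mine, not the page's): the license layout, field names, rights
names and the cipher are stand-ins. The cipher is a SHA-256 counter keystream
used only to keep the example dependency-free; it is NOT AES and must not be
reused in real code.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Policy = Dict[str, List[str]]  # principal (email) -> rights granted, e.g. ["VIEW"]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher (SHA-256 in counter mode). Symmetric: apply twice to decrypt."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def _policy_bytes(policy: Policy) -> bytes:
    """Canonical encoding so the policy can be integrity-protected."""
    return repr(sorted((k, sorted(v)) for k, v in policy.items())).encode()


@dataclass
class AzureRmsService:
    """Stand-in for the service side: holds the tenant key, decides policy, logs."""
    tenant_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    log: List[tuple] = field(default_factory=list)
    received: List[bytes] = field(default_factory=list)  # every blob a client sent us

    def publish(self, content_key: bytes, policy: Policy) -> dict:
        """Return a publishing license: the content key wrapped under the tenant key
        and the policy, both under an HMAC so a client cannot edit the policy."""
        self.received.append(content_key)
        nonce = os.urandom(16)
        wrapped = _keystream_xor(self.tenant_key, nonce, content_key)
        tag = hmac.new(self.tenant_key, nonce + wrapped + _policy_bytes(policy), "sha256").digest()
        return {"nonce": nonce, "wrapped_key": wrapped, "policy": policy, "tag": tag}

    def consume(self, license: dict, user: str, right: str) -> Optional[bytes]:
        """Policy decision and enforcement point. `user` is assumed to have been
        authenticated upstream by the identity provider (step a in the text).
        Every attempt, successful or not, is logged (step c)."""
        body = license["nonce"] + license["wrapped_key"] + _policy_bytes(license["policy"])
        expected = hmac.new(self.tenant_key, body, "sha256").digest()
        if not hmac.compare_digest(expected, license["tag"]):
            self.log.append((user, right, "denied: tampered license"))
            return None
        granted = right in license["policy"].get(user, [])
        self.log.append((user, right, "granted" if granted else "denied"))
        if not granted:
            return None
        return _keystream_xor(self.tenant_key, license["nonce"], license["wrapped_key"])


def protect(service: AzureRmsService, document: bytes, policy: Policy) -> dict:
    """Client SDK side: encrypt locally under a fresh content key; only that key and
    the policy are sent to the service, never the document."""
    content_key = secrets.token_bytes(32)
    nonce = os.urandom(16)
    return {
        "license": service.publish(content_key, policy),
        "nonce": nonce,
        "ciphertext": _keystream_xor(content_key, nonce, document),
    }


def open_protected(service: AzureRmsService, pfile: dict, user: str) -> Optional[bytes]:
    """Client SDK side of consumption: ask for the key, decrypt locally if granted."""
    key = service.consume(pfile["license"], user, "VIEW")
    return None if key is None else _keystream_xor(key, pfile["nonce"], pfile["ciphertext"])


if __name__ == "__main__":
    svc = AzureRmsService()
    doc = b"Contoso Q3 forecast (constructed sample document)"
    pfile = protect(svc, doc, {"user@fabrikam.com": ["VIEW"]})
    print(open_protected(svc, pfile, "user@fabrikam.com") == doc)  # True
    print(open_protected(svc, pfile, "mallory@example.org"))       # None
    print(all(doc not in blob for blob in svc.received))            # True
    for entry in svc.log:
        print(entry)
```

The `received` list is the instrumented check a reviewer would want: after a full publish and consume round trip it holds exactly one 32-byte content key and nothing resembling the document. The HMAC over the policy is what makes the service a genuine decision point; without it a client could rewrite the policy in its own copy of the license.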


We hope that this section offered insight into the assurances we provide and the empowerment you have in making key choices.

Let's now move on to describing RMS.


Promises of the new Microsoft Rights Management services

Users:

• I can protect any file type

• I can consume protected files on devices important to me

• I can share with anyone

  o Initially, I can share with any business user

  o I can eventually share with any individual (e.g. MS Account, Google IDs in CY14)

• I can sign up for a free RMS capability if my company has yet to deploy RMS

ITPro:

• I can keep my data on-premise if I don't yet want to move to the cloud

• I am aware of how my protected data is treated

• I can control my RMS 'tenant key' from on-premise

• I can rely on Microsoft in collaboration with Partners for complete solutions

These promises combine to create two very powerful scenarios:

1) Users can protect any file type, then share the file with someone in their organization, in another organization, or with external users. They can feel confident that the recipient will be able to use it.

2) ITPros have the flexibility in their choice of storage locale for their data and Security Officers have the flexibility of maintaining policies across these various storage classes. It can be kept on premise, placed in a business cloud data store such as SharePoint, or it can be placed pretty much anywhere and remain safe (e.g. thumb drive, personal cloud drive).


The next few sections will describe the various capabilities and experiences.

Users and their Document Protection Experience

The below screen shots are from applications made available to those who are accepted into the preview. If you want to start looking at Azure RMS, please request participation in the preview.

Documents are now very well supported by RMS. There are several important dimensions:

• Users can protect any document type. The RMS API used by the RMS App or RMS-enlightened applications will do its best to protect the file in the most suitable format.

  o Native RMS-enlightened applications: DOC, DOCX, XLS, XLSX, PPT, PPTX, PDF

  o The free 'RMS App', an enlightened application itself: TXT, XML, JPG, JPEG, TIFF, GIF, BMP

  o Generically protected files are 'wrapped' and launched in the registered application. E.g. a Photoshop file becomes MyDrawing.PSD.PFILE. This protection offers access control without additional usage restrictions. Despite the lack of usage restrictions, you should not underestimate the value of authorization, education, and the ability to expire content.

• The user can publish or consume protected documents on Windows for computers, Windows for tablets, Windows for phones, iOS, Android, and Apple OSX. Web sites and other operating systems can participate in the RMS ecosystem via RESTful service APIs.

• Users can share these protected documents with users in their organizations, other organizations (B2B), users who act as individuals (B2I; support for Microsoft Account and Google IDs comes later)

• Consumption of rights protected content is free. (More below on pricing)


Protecting a document is best experienced within an RMS-enlightened application. As application developers utilize our new SDK, they will be providing a consistent user experience (UX) as the UX is integrated into the SDK itself. Outside of an RMS-enlightened application, the user can protect a document by using the RMS App's integration in Windows and Apple OS X, as well as via Office toolbar extensions. Generally stated, the capability is either Protect in place or Share Protected, with a special affordance for capturing protected photos from mobile devices that have cameras.





• Protect (in place): This flow will protect the file in place. The user can then take other actions to share the file, if need be. This flow is most suitable for personal or cloud-drive file protection flows. The user will be given the choice of protecting with an organizational template, a previously saved user template, or create a new ad-hoc template.

• Share Protected: This flow will protect a copy of the selected file leaving the original file in its prior state (which could also be protected). This flow has the user addressing the document to people (email addresses) and selecting related permissions. Upon sending, an unprotected email will be sent with the protected document. The user can customize the email before it is sent.

• Share Protected (Camera): This flow will soon be available on mobile devices. The user will be permitted to take a picture and accept or retake it. Once selected, the above 'Share Protected' flow will apply and a protected JPG image will be attached.


Here is a visual example of sharing a sensitive file:

While in Word, you can save a document and invoke SHARE PROTECTED (added by the RMS application)

Note: An astute reader will notice that we added a button here instead of reusing what is already present in Office. Stated plainly, we needed to alter fundamental behaviors such as user interface, underlying RMS SDK support, and authentication. This new entry point mirrors the user interface you will see in the core OS views, as well as ISV applications.

You are then offered the protection screen. This screen will be provided by the SDK and thus will be the same in all RMS-enlightened applications:

When you are done with addressing and selecting permissions, you invoke SEND. An email will be created that is ready to be sent but you can edit it first:




Users and their Document Consumption Experience

In due time, the recipient of the above email simply opens the attachment to view it. This attachment, depending on the file type, will invoke the correct application. As of the RMS preview, your system will launch one of Word, Excel or PowerPoint for those respective files, the Foxit PDF Reader for protected PDFs, or the RMS App for text, images, or generically protected files (PFILEs).

If the user has an RMS-aware identity, they will be able to log in. Here you see an email with a PJPG (protected JPG). Upon opening, the user is asked to log in and then the image is rendered.

Note: In the July Preview, the mobile applications are not publicly available. We are prevented from getting them into your hands until such time as they have been accepted by the respective app stores. We ask that you trust us as we used them to produce the above screen captures. The store distribution acceptance process is underway and all will be released by/before our October general availability date.


Finally, in terms of enabling broad reach, recipients not in an RMS-supported organization can register for Microsoft Rights Management for individuals. This self-service offering permits early department-level adoption of the RMS services with limited need for IT support. It is a free offer. This offer lets the user consume and produce RMS protected content. The sign up process is simple:

1) The user is asked for their organizational email name: joe@contoso.com. At this time several checks are made before an ad-hoc RMS account is created. In particular we check to see if the parent organization already has a Windows Azure Active Directory tenant, if the user already had an account, etc. Failing all these important checks, the user is given an ad-hoc account for free. The below ITPro section offers more insight here as well as other IT-oriented advice.

2) To validate the user's ownership of the cited ID, they are sent an email (not shown below).

3) Once ownership is proven, the user is asked to provide a display name, a password, and country in order for their account to be provisioned. These self-service RMS for Individuals accounts will be re-validated on a monthly basis for users.

4) The user is prompted to install the RMS application upon completion. The RMS application requires administrative permissions in order to be installed and it is required to be installed in order to consume protected content in older versions of Microsoft Office.

In visual form: (Cropped to fit)

Try this live at https://portal.aadrm.com. Sign up for real or use the demo flow (<name>@contoso.com)



Users and their Email experience

An important class of information is email. Users can both consume and protect email within enlightened email clients and servers. Microsoft Outlook 2013, when backed by Exchange 2013, works with the Azure RMS offers out-of-the-box and offers fantastic new innovations that enable automatic RMS protection. The RMS connector (covered below) also enables Microsoft Exchange on premise offers to work with Azure RMS. Exchange Online, as part of the Office 365 suite, works directly with Azure hosted RMS. This suite of offers enables a very usable means to protect email within your company.

These email offers are not subject to the RMS for Individuals offers; they are capabilities of the RMS-enlightened application. RMS itself does not offer any email protection capability.


ITPro and their Experiences

In a few short pages this section can't begin to do justice to all the moving parts within. We've recorded two 75min videos that we believe do a far better job: WCA-B322 and WCA-B321. We'll instead focus here on offering a quick overview. The www.microsoft.com/rms site also hosts much related information.

Deployment Topologies

The above-mentioned videos generally express three classes of organizations, and then describe the associated RMS capabilities and the relationships with other workloads. In abstract form, the following slide demonstrates exemplary infrastructure offers (Email, Portals, Storage) and their relationship to the RMS deployment types.




Cloud Ready

The cloud ready organizations will find Office 365 very compelling. The combined offer has simplified all aspects of configuration. Within that environment, RMS is very simple to enable: one button and deep integration with Exchange, SharePoint, and the entire Office 2013 suite can be enabled. Through the RMS application(s), users of Office 365 also benefit from generic protection of any file type and the ability to collaborate with non-Office 365 organizations or individuals. This is, by far, the simplest way to get started with RMS and is available for purchase now.


Cloud Hesitant

Cloud hesitant organizations generally have less of a drive to move to the cloud at this time. Reusing the diagram above, a cloud hesitant organization is one that lives within the cross-hatch. Per the rationale offered above, we expect the use of Azure RMS but exclude the use of cloud IaaS/SaaS offers. In other words, a cloud hesitant customer for now will go for options 1) and 2) only as depicted in the illustration below. Over time we expect the hesitancy to reduce and more customers will start to leave the cross-hatch area for selective classes of services.

[Diagram (repeated from the Elephant in the Room section): Contoso (North America) and Fabrikam (Europe) with Azure AD and RMS, Office 365, Amazon Web Services, Azure SaaS/PaaS/IaaS, Conventional Hosters, SalesForce and Conventional SaaS Offers; storage models 1, 2, 3 and 4 marked.]



Cloud Accepting

This organization type simply balances between being Cloud Ready and Cloud Hesitant.


Features, and how they relate

At the core we have the Microsoft Rights Management service. This service is hosted in Azure and handles all service side duties for the overall offer. This Azure RMS service relies on Windows Azure Active Directory and associated services (Directory Sync and Federation).

The Azure RMS service requires storage for the high value tenant keys at the core of RMS. Our key management service (KMS) stores these RMS tenant keys with extreme security thanks to its reliance on industry proven, FIPS compliant HSMs from our partner Thales (learn more: hardware security modules). The KMS also offers related services such as the Bring-Your-Own-Key capability that lets customers, well, bring their own key.

Finally, both the Azure RMS service and KMS service require logging and that's implemented using our Near-realtime Logging service.

A complementary whitepaper on this offer is forthcoming.


At the core of our hybrid story is the Rights Management connector. The 'connector' pretends to be an AD RMS server for the on-premise Exchange and SharePoint workloads. It then relays all requests to the Azure-hosted RMS service. The connector is simpler to deploy than the current AD RMS offering as only a pair of them (for high availability) are required for an organization and they can be deployed on existing VMs/machines. No fault tolerant SQL servers are needed.

Common Configurations

The baseline configuration for all the below has you creating an Azure Active Directory tenant for your organization (or reclaiming one that was created on your behalf by your RMS for Individuals users). The purchased RMS service licenses can then be enabled for the users in your tenant. You now have RMS!

As part of this baseline, if you represent a larger organization, you will layer on other integrated services such as: Azure AD directory sync, ADFS trust federation, HSMs with our bring your own key, near-realtime logging, and other forthcoming capabilities tuned for enterprises.

Before we detail these layered services, let's first review some common deployments:


On Premise Email, within your company

On the server side, most of you will have an Exchange deployment with no form of information protection. We enable you to quickly add the Microsoft Rights Management connector to your Exchange deployments and configure it to interact with the RMS service. The result of this topology is that your Exchange server is now fully RMS-capable by relaying protection traffic to the RMS service. As per the opening section, NEVER does your data leave to the cloud. This is so simple that there is no excuse not to do it.

On the client side, most of you will have a recent version of Office: 2010 or 2013. The 2013 client will automatically recognize the RMS service and the 2010 client will automatically be made to work with the RMS service once the RMS application is installed on your PC. If you are running Office 2007 and can't move to a more recent version, let us know. Microsoft Office for Mac does not support the Azure-based RMS service offering at this time. The Mac RMS application will however permit you to email protected documents from the Apple Finder.

On the mobile device side, there are two waves of offers. The first is in market and relies on Exchange Active Sync (EAS)-aware devices. Some of them (Windows Phone and Samsung yes, but not Apple) support the EAS rights management capabilities and permit reading and replying to RMS protected email. We ask that customers who need RM support on iPhones/iPads offer feedback (complain) to their mobile account manager / Apple. The second wave centers on native RMS-enlightened mail clients with full protection at rest and in motion. This wave can only begin once we release our developer SDKs.

On Premise file sharing, within your company

On the server side, many of you will have SharePoint. The above Exchange + RMS connector configuration also works with SharePoint so you'd follow the same model.

Also on the server side, most of you will have Windows file servers. The Microsoft FCI/DAC offering is also RMS aware. There are also PowerShell scripts that will connect FCI/DAC to the Azure-based RMS service.

On the client side both native IRM support in Microsoft Office and our RMS application enable RMS. Of note, the RMS application offers protection for file types other than Word, Excel, and PowerPoint. The RMS application Office button bar extensions place this capability within reach of all users.

External Collaboration

The RMS application enables very simple point to point sharing with the RMS application as described above. The benefit of point to point is that the transport does not matter: you can use SkyDrive™, DropBox™, portable USB storage, email, FTP, or even P2P torrents.

This use pattern simply requires deploying the RMS application to your desktop and mobile phones. From there you can use the in-application buttons or the shell of your operating system (i.e. Windows File Explorer or Mac Finder).

In the details below we also suggest how you can ready yourself to receive protected content even if you choose not to license your users to send protected content. This is important and wise to consider.

On the mobile device side, our RMS application supports the core behaviors (and will add more soon).

In addition to the above, RMS-enlightened applications can equally offer in-built file sharing capabilities. These can be client based, server based, or even web based.

Office 365

Microsoft Office 365 empowers your employees with virtually anywhere access to the latest Office applications, offers advanced cloud-based IT services, and does so at predictable costs.

This online suite is RMS-enlightened and enabling RMS is trivial. Here's a 3 minute video that shows enabling RMS in Office 365, turning on Exchange's RMS-aware DLP functionality, and enabling a SharePoint Secure library that has checked out documents being RMS protected on egress.


Using the Microsoft Rights Management service

Here is a brief introduction on the specifics of getting started with each of the various moving parts outlined above.

Enable the Azure-hosted Rights Management service

Existing Office 365 customers are ready to go. They can enable RMS with a simple checkbox in their administration portal. Those who don't currently use Office 365 can't yet readily purchase the Azure RMS standalone SKU (1) but you are welcome to sign up for a free Office 365 E3 trial and then only use the RMS features.

(1) Contact AskIPTeam@microsoft.com if you really need to buy it now.

Windows Azure AD accounts

With a Windows Azure AD tenant in hand, you can enable tenant sync via the Directory Sync and federation via the federation capability (or password sync).

There are several reasons to proactively enable these capabilities even if only for receiving content. There is value in turning on Windows Azure AD and enabling DirSync without being an RMS license holder. Those are:

1) Using DirSync allows your users to receive protected content from external companies without having them each creating an 'RMS for Individuals' ad-hoc account.

2) Federation enables your users to sign in vs having to create an ad-hoc account. This is important as it eliminates the need for temporary one-month ad-hoc account life spans as well as permits you to enforce organizational password policies.

3) Independent of Azure RMS, the Windows Azure AD and federated authentication services are supported by a slew of other applications that are likely in use within your organization (and they too could benefit from single sign on).

4) Windows Azure AD offers tenant branding (logos) to the tenant administrator.


In the absence of proactively setting up the above, the Azure RMS for Individuals offer will let individuals use the Microsoft RMS services.

An 'RMS for Individuals' ad-hoc account is simply an Azure AD tenant that is created for the specific organization (not shared across organizations) and the user account is added. There is no administrator for these tenants. If other users from the same organization create ad-hoc accounts, they are placed in this same 'headless' tenant. As stated above, these user accounts are re-validated monthly. By way of example:

Joe@Contoso.com signs up -> Tenant CONTOSO.COM is created -> Joe's user account is added to CONTOSO.COM tenant -> Joe's account is given the RMS for Individuals SKU.

Jane@Contoso.com signs up -> Tenant CONTOSO.COM exists and is reused -> Jane's user account is added to CONTOSO.COM tenant -> Jane's account is given the RMS for Individuals SKU.

By the time we exit preview, an ITPro will be able to 'convert' these users to licensed users with no impact to the user or the tenant. Once this is done, the ITPro will have full management capabilities for these users. Stay tuned for an update to this document as those capabilities are released.

Enable Bring-Your-Own-Key

RMS has a very important key, the tenant key. Chief Information Security Officers (CISOs) often need to use a key of their own provenance: sometimes for compliance reasons, sometimes because they are migrating from their on-prem AD RMS. With the Bring-Your-Own-Key (BYOK) feature CISOs would generate a key on their premise, using tools of their choice, in compliance with their own policies. This key would then be securely imported into the Thales HSMs we use in our data center. The customer has assurance that Microsoft operators cannot see or leak the key during the import as well as during the running steady state.

Optionally, the customer can opt to push their key to the Azure RMS service's HSMs with a 4 hour time to live. Their on-premise infrastructure would do this automated push every 2 hours. We call this capability 'Key rejuvenation' and it will be available nearing the RMS preview completion in September. If the CISO or ITPro interrupts the upload of keys, the Azure RMS service ceases to function and the CISO is assured that Microsoft has no access to their cached key once it expires.

Once again, the Microsoft Rights Management services never see your data [Ed note: sorry for being so repetitive on this point].
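The timing of key rejuvenation is worth modelling, because the margin between the 2 hour push interval and the 4 hour time to live is what determines how an interruption behaves. The following is an added example (my own code, not Microsoft's and not a real HSM or RMS interface) that simulates the schedule hour by hour: the 4 hour TTL and the 2 hour push interval come from the text, while the class and function names, the hourly probing and the constructed start time are assumptions. It shows that one missed push is tolerated, that two consecutive misses cause an outage until the next push, and that after the last push the service goes dark four hours later and discards its cached copy.

```python
"""Added example, not Microsoft's code: a timing model of the 'Key rejuvenation'
behaviour described above. The 4 hour time-to-live and the 2 hour push interval
are the figures from the text; the class, function names, hourly probing and the
constructed start time are my own assumptions. No real HSM or RMS API is involved.
"""
from datetime import datetime, timedelta
from typing import Dict, Optional

KEY_TTL = timedelta(hours=4)        # from the text: 4 hour time to live
PUSH_INTERVAL = timedelta(hours=2)  # from the text: automated push every 2 hours


class ServiceHsmCache:
    """The service-side cache of a customer-pushed tenant key (assumed model)."""

    def __init__(self) -> None:
        self._key: Optional[bytes] = None
        self._expires_at: Optional[datetime] = None

    def push(self, key: bytes, now: datetime) -> None:
        """On-premise side pushes the key; each push restarts the TTL window."""
        self._key = key
        self._expires_at = now + KEY_TTL

    def key_available(self, now: datetime) -> bool:
        """True while the cached key is within its TTL. Once expired the copy is
        discarded, which is the 'no access once it expires' assurance in the text."""
        if self._expires_at is not None and now >= self._expires_at:
            self._key = None
            self._expires_at = None
        return self._key is not None

    def use_key(self, now: datetime) -> bytes:
        """What a protect/consume request would do: fail closed without a live key."""
        if not self.key_available(now):
            raise RuntimeError("tenant key expired: service ceases to function")
        return self._key


def simulate(stop_pushing_after_h: int, horizon_h: int, missed_pushes=()) -> Dict[int, bool]:
    """Run the push schedule from hour 0, stop pushing after `stop_pushing_after_h`,
    optionally skip the pushes listed in `missed_pushes`, and report for every hour
    up to `horizon_h` whether the service still holds a usable key."""
    start = datetime(2013, 7, 29)      # constructed start time
    key = b"\x00" * 32                 # placeholder for the customer's key material
    cache = ServiceHsmCache()
    availability: Dict[int, bool] = {}
    push_every = int(PUSH_INTERVAL / timedelta(hours=1))
    for h in range(horizon_h + 1):
        now = start + timedelta(hours=h)
        due = h <= stop_pushing_after_h and h % push_every == 0
        if due and h not in missed_pushes:
            cache.push(key, now)
        availability[h] = cache.key_available(now)
    return availability


def hours_until_outage(stop_pushing_after_h: int) -> int:
    """Hours between the last successful push and the first hour without a key."""
    push_every = int(PUSH_INTERVAL / timedelta(hours=1))
    last_push_h = (stop_pushing_after_h // push_every) * push_every
    horizon = stop_pushing_after_h + 2 * int(KEY_TTL / timedelta(hours=1))
    avail = simulate(stop_pushing_after_h, horizon)
    first_dark = min(h for h, ok in avail.items() if not ok)
    return first_dark - last_push_h


if __name__ == "__main__":
    for h, ok in simulate(stop_pushing_after_h=6, horizon_h=12).items():
        print(f"hour {h:2d}: {'key available' if ok else 'service dark'}")
    print("hours from last push to outage:", hours_until_outage(6))  # 4
```

The interesting numbers are the gap between the two constants: with a 2 hour push and a 4 hour TTL, a single failed push (a network blip, a maintenance window) costs nothing, while a sustained interruption stops the service exactly one TTL after the last push. A defender monitoring this should alarm on the first missed push rather than on the outage, since the outage is the intended fail-closed behaviour.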

Enable Realtime Customer-facing Logging

Security Officers can obtain logs from the Azure RMS service. They do so by purchasing Windows Azure storage, and configuring (via PowerShell) the Azure RMS service to write the log entries to that storage. This way the ITPro is in control of how much log data they maintain and who (e.g. 3rd party reporting services; auditors; etc) can access these logs.

Deploy the RMS App for Computers and Mobile devices

The RMS applications will be available through all the appropriate stores as well as in the RMS for Individuals signup flow, and subsequent confirmation email. ITPros can also download the MSI package from the Microsoft RMS download center and make use of the ITPro-oriented silent setup options and AD group policies.

Deploy Hybrid Connector; Configure Exchange and SharePoint

Deployment of a high availability RMS connector requires two or more VMs/servers. These roles function across forests. Setup is merely a few simple screens. Once configured and connected to the Azure RMS service, the ITPro for the RMS connector will work with the Exchange and SharePoint administrators to understand which machines should be given access to the Connector's relay services. This is merely a task of granting servers permission to use the connector; everything else is automatic.

Enable Dynamic Access Control

The Windows Server Dynamic Access Control (DAC/FCI) role is able to work with both AD RMS and Azure RMS. For the latter, a PowerShell script is available to connect the two.

Enable Office 365 Exchange Online


Exchange Online is made aware of the existence of Azure RMS when enabled. Once Exchange Online is provisioned with the RMS tenant key, the ITPro can make use of the advanced Exchange Online DLP offer within the broader Office 365 product suite.

Of note: The use of the BYOK feature is not currently supported with Exchange Online. The ITPro will have two choices when using the two services together. The preferred option will be to use the software generated RMS tenant key feature built into Azure RMS. This offer automatically provisions Exchange Online with the RMS key for it to use. The alternate option has the ITPro install an AD RMS server with a software key, and then follow the steps to import your TPD into Exchange Online.


Enable Office 365 SharePoint Online

Enabling SharePoint Online Secure libraries is simply a task of creating a library, setting it to be a Secure Library, and adjusting a few straightforward options to suit your needs.

e.g.: The library owner can choose to override the protection policies to use a security group for protection (vs individual protection). This permits one user to download a file and share it to others within the specified security group without forcing a round trip back to SharePoint.



Summary of ITPro related offerings and activities.

At this point we’ve introduced the key parts of a complete Microsoft Rights Management deployment. More details will be provided to the selected TAP organizations, and eventually to the broader community.

If you want to start looking at RMS, please request participation in the preview.


Timelines for the Azure RMS services

The preview will take place late-July thru late September with select organizations. The release of the updated Microsoft Rights Management service is slated to be in early October.

The initial Azure RMS offer is focused on organizations that don’t have AD RMS deployed. This said, Azure RMS will support the coexistence of existing customers’ AD RMS deployments, but during the first quarter or two of shipping we need to eliminate the added layer of complexity that would come with coexistence of two RMS environments. We apologize in advance for what could appear as us ignoring our loyal AD RMS customers!


For a variety of reasons, we strongly favor the use of the Azure-hosted Rights Management offering over the existing AD RMS offering. They are: frictionless B2B collaboration, rich mobile device offers, far faster agility in adding new capabilities, support for ad-hoc RMS user accounts for the recipients of your sensitive documents, and ease of deployment.

Buying the Microsoft Rights Management service

RMS can be purchased directly via the Office 365 web portal or via your Microsoft account manager.


Available Now



- RMS can be purchased directly via the Office 365 portal as a user subscription license.

- Subscription covers use by all RMS-enlightened applications (e.g. Office, Office 365, Foxit PDF). It is a “Pay once, use with all RMS-enlightened applications” model.

- Cost is $2/user/month.

- Consumption of rights protected content is free. A license is required to protect content, be it manually done by the user or done by a service on behalf of the user.

- Azure RMS can be purchased as part of Office 365 suite offerings

    o It is included in E3/E4 and A3/A4 SKUs

    o It is available as an add-on to many other Office 365 SKUs.

Available Fall 2013



- Azure RMS can be purchased standalone for use with the Azure RMS Connector or third party RMS enlightened applications.

- Azure RMS will be available via the Microsoft Enterprise Volume License programs (EA/EAS/EES)

- Azure RMS subscription will include the rights to use AD RMS on-premise

- Enterprise CAL (ECAL) customers can add on the Azure RMS service


If you have any questions please get in touch with your Microsoft sales contact.




Developers

Application ISVs can enlighten their applications and solutions with RMS easily and quickly by utilizing the Microsoft Rights Management developer platform on all important devices and operating systems.

There are a few important concepts worth mentioning in this introductory brief:

Code once, use everywhere

RMS enlightened application developers write code once to protect documents. The RMS SDK takes care of all the underlying details about customer environment and topologies, document expiration, certificate renewals, policy updates and more. Our sample code and getting-started guidance make it extremely easy for you to enable RMS.

RMS-enlightened applications are most desired given they enforce protection rights

RMS enlightened applications enable individuals to protect and consume content. Content is protected by using encryption and must be decrypted before it can be consumed. When the file is protected, the individual applies permissions to the file such as the ability to print or edit. Your application will need to honor these rights. The SDK will facilitate most of the protection flows and all initialization, but your application must honor the permission enforcement requested of it. Our SDKs make enforcing the rights easier by providing APIs to control permissions such as printing, saving, forwarding, etc. For more details, see here.
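The following is an added model of the enforcement responsibility described above; it is example code, not the Microsoft RMS SDK, and the license, user identity and right names are constructed for the example (the real SDK has its own types and API). The point it makes concrete is that decryption and rights are separate: once the SDK has decrypted the content for a user, the application still has to gate every operation on the use license, deny anything the license does not name, and treat an expired license as granting nothing.

```python
"""Application-side enforcement of RMS rights, as a model.

Illustrative code, not the Microsoft RMS SDK. The SDK decrypts content and
returns a use license; the application must then gate each operation on the
rights in that license and on its expiry. Names and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Set

# Right names modelled on the operations the document lists (view, edit,
# print, forward, save); the identifiers are this example's own.
VIEW, EDIT, PRINT, FORWARD, SAVE = "VIEW", "EDIT", "PRINT", "FORWARD", "SAVE"

# Operation -> right that must be present. Anything not listed is denied.
REQUIRED_RIGHT = {"view": VIEW, "edit": EDIT, "print": PRINT,
                  "forward": FORWARD, "save": SAVE}


class RightsError(PermissionError):
    """Raised when an operation is attempted without the matching right."""


@dataclass(frozen=True)
class UseLicense:
    """What a license acquisition returns for one user (modelled)."""
    user: str
    rights: FrozenSet[str]
    expires_at: Optional[datetime] = None  # None: the publisher set no expiry

    def is_expired(self, now: datetime) -> bool:
        return self.expires_at is not None and now >= self.expires_at


@dataclass
class OpenDocument:
    """Content already decrypted for this user. Decryption grants no rights;
    only the license says what the user may do with the bytes in memory."""
    content: str
    license: UseLicense


def require(doc: OpenDocument, operation: str, now: datetime) -> None:
    """Deny-by-default gate: an expired license or a missing right raises."""
    if doc.license.is_expired(now):
        raise RightsError(f"license for {doc.license.user} expired at {doc.license.expires_at}")
    needed = REQUIRED_RIGHT.get(operation)
    if needed is None or needed not in doc.license.rights:
        raise RightsError(f"{doc.license.user} may not {operation}")


def allowed_operations(doc: OpenDocument, now: datetime) -> Set[str]:
    """Operations the UI should enable for this user right now."""
    if doc.license.is_expired(now):
        return set()
    return {op for op, right in REQUIRED_RIGHT.items() if right in doc.license.rights}


def view(doc: OpenDocument, now: datetime) -> str:
    require(doc, "view", now)
    return doc.content


def print_document(doc: OpenDocument, now: datetime) -> str:
    require(doc, "print", now)
    return f"--- printed for {doc.license.user} ---\n{doc.content}"


def edit(doc: OpenDocument, new_content: str, now: datetime) -> OpenDocument:
    require(doc, "edit", now)
    # The edited copy stays under the same license: rights travel with the content.
    return OpenDocument(content=new_content, license=doc.license)


def forward(doc: OpenDocument, recipient: str, now: datetime) -> str:
    require(doc, "forward", now)
    return f"forwarded to {recipient}"


def sample_now() -> datetime:
    """Constructed clock value used by the demo scenario."""
    return datetime(2013, 7, 1, 12, 0, tzinfo=timezone.utc)


def demo() -> dict:
    """Constructed scenario: a reviewer with view+edit on a license that expires in 1h."""
    now = sample_now()
    reviewer = UseLicense(user="reviewer@example.com",  # constructed identity
                          rights=frozenset({VIEW, EDIT}),
                          expires_at=now + timedelta(hours=1))
    doc = OpenDocument(content="Q3 plan (protected)", license=reviewer)
    results = {"allowed": allowed_operations(doc, now)}
    try:
        print_document(doc, now)
        results["print"] = "allowed"
    except RightsError:
        results["print"] = "denied"
    results["allowed_after_expiry"] = allowed_operations(doc, now + timedelta(hours=2))
    return results


if __name__ == "__main__":
    print(demo())
```

In the demo the reviewer can view and edit but is refused printing, and two hours later every operation is refused because the license has expired, even though the decrypted content is still in memory; that last case is the one an application written without a deny-by-default gate gets wrong.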

The new SDKs do all of the RMS specific user interface work for you!

Mobile device applications will use the new v3 SDKs and benefit from Microsoft-provided user interfaces for consumption and protection behaviors. This not only saves ISVs time to build protection support, it also provides forward compatibility to new protection UX features. The RMS Application, built by Microsoft, is a good example of the UX that the SDK provides / will provide.

Windows desktop based RMS applications utilize our powerful v2.1 SDK which doesn’t yet offer built-in consumption and protection flows. It will before too long.

It is now easy to add RMS protection to your solutions

There is a class of applications that are quite simple to enlighten with RMS. These applications are created by ‘solution providers’ or ITPros, and enable applications that either need to protect or unprotect files. These are: data leakage prevention (DLP) agents, search indexers, anti-virus software, mobile device management (MDM) systems, and document management systems. They will utilize the new File API available as part of the v2.1 SDK and/or PowerShell to protect and unprotect documents easily and silently on the Windows platform (client or server).

A Protected file is a different file when persisted

The easiest way to implement protection of your file format is to simply use our SDK’s ability to create a Protected File (PFILE) container. It encloses your file, such that your XYZ file is protected as a pXYZ file, all from a stream based API. Our PFile format allows your application to immediately participate in the existing RMS ecosystem.

Customizing your own RMS enlightened file format is more complex. It also prevents an entire ecosystem of solution partners from being able to protect your file formats in their solutions, given they will all use the File API described above (which can protect any file to PFILE format while honoring your file extensions). Nonetheless, if your needs require you to update your existing file format with RMS information, our SDKs support your use case.

RESTful API access

The RMS SDK doesn’t provide SDKs for platforms like Linux, RIM BlackBerry or the web site platforms, which are too numerous for us to implement rich libraries. For these platforms, we provide REST API support, protocol documentation and a set of code samples (including open source code) to facilitate application development. If a platform grows to be sufficiently important to you, we’ll consider adding support.



In Closing

This document set out to:

1) Express what new work we’ve done in RMS; we hope that you will agree we did a lot!

2) Explain the value of this offer at a time when protecting information is of increasing importance

3) Offer a subjective view on the actions you can take now, versus waiting for the cure-all solution

4) Offer an overview of the moving parts involved in our offer.


We hope we have come close to or hit your target. If you want to start looking at RMS, please request participation in the preview.

If you have thoughts on how this document could be improved, please do take a moment to share with our team.


Thanks for reading!

Cheers,

Dan Plastina on behalf of our RMS team