You've heard that when you send an email message to someone, you're sending it to the whole world because you never know how often it will be forwarded. Imagine the exposure your company risks when employees email confidential financial information, medical records, marketing strategies, or legal documents. According to a PricewaterhouseCoopers survey of business-technology managers, intellectual property theft cost businesses between $53 billion and $59 billion from July 1, 2000 to June 30, 2001.
To secure companies' sensitive information, Windows Server 2003 introduced Windows Rights Management Services (RMS). I surveyed some of our readers to find out what you think about this technology and whether you're using it, then shared the results with Angela Pan and Mario Juarez, product managers in Microsoft's Security Business and Technology Division, to get their response to what you said.
Angela summarized RMS's functionality for me. RMS helps businesses keep their most sensitive information within the organization and lets content owners control how their content is used--who can open and modify a certain document, how long users can access it, and so on. (For more detailed information about RMS, go to http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx.)
If management asks why your company needs RMS, how should you answer? According to Angela, you'd begin at a point you can both agree on: You need to make sure that your business's information is protected from unintended recipients and unauthorized use. RMS lets you prevent accidental distribution and control what people can do with the information. Further, that protection remains with the file wherever it goes--if someone gains access to a diskette that contains RMS-protected information, that person must have a valid use license against that file in order to read it.
Many respondents to our survey raised the concern that RMS works only with Windows 2003 and can't interoperate with legacy and other systems. One reader hasn't implemented RMS because it's "not effective with cross-platform use, complicated, and obscure." Angela addressed this concern: "RMS is a service of Windows Server 2003, so it does require Windows Server 2003. You need RMS-enabled applications on top of the platform. RMS is a platform technology in which any application that becomes RMS-enabled can utilize the benefits. Although RMS itself needs to run on Windows 2003, the rest of your infrastructure can run on Windows 2000." However, Angela confirmed that RMS doesn't currently interoperate with other platforms, such as Linux.
Mario reminded me that Microsoft provides both client and server RMS software development kits (SDKs), so that any application can be RMS-enabled. Angela added that you can also use the SDKs to "rights-protect Web portal information."
Implementation and Use
When I asked about implementation, Angela said, "One of the goals of RMS is that it's easy to deploy. You can roll it out by GPO and SMS to get the client bits out." She added, "RMS is an Active Directory-integrated technology, so if your users have group email attributes in Active Directory, you can publish rights against groups." Thus, you can rights-protect a document against a group, and everybody within that group will have the same rights to that document.
Using RMS templates, you can define exactly what a policy means--for example, "company confidential" might mean that only full-time employees can access data, or it might mean that specific people have specific access rights to the data. Angela explained, "When a user applies that policy, it is enforced by the technology. Because RMS is integrated into Office 2003, the policy is integrated in daily work practices."
How might an end user take advantage of RMS? Angela gave herself as an example. "When we were launching RMS, I had price lists I had to protect. I had marketing plans. I had press communication, and I wanted to make sure it wasn't leaked to a competitor before the right time. So I would create the document and apply the policies specifying that members of my team were the only people who could consume this information. I would also set an expiration date so that after a certain date, this information was no longer valid" and even authorized users could no longer read the expired document.
The notion of content expiration touched on another question our readers raised: People are concerned about being able to retrieve data after users' rights to view it have expired. Mario put that concern to rest. "The author of the document still owns the document. So if the author decides someone still needs this content, it's simply a matter of reassigning the rights." What happens if a content owner leaves the company or you need to access a protected document that has expired rights--is doing so possible? Mario replied, "Absolutely yes. The document will not self-destruct and leave no record at all. It's still there."
"RMS has a 'super user' function," Angela interjected. "By using the super-user key, you can open any piece of content. We recommend that the super-user key be held by corporate legal counsel or someone pretty senior who can make the decision to open any content."
Why Not Use Existing Security?
Several readers believe that their current methods for protecting content are easier to use than RMS and less expensive to implement and maintain. One reader said, "We are using NTFS (ACL) sharing for data files and group policies to assign permission for standalone and domain-level access."
Angela replied, "Access control lists allow certain people access to a particular share. Once you have access to the share, you access all content on that share and save a copy locally onto your drive. The moment you take that content out of the firewall--maybe put it on a USB drive--that content is in the clear. You can do whatever you want with that piece of content." She added, "RMS gives you persistent file-level protection, which means you can still have access control lists in your security strategy. By adding RMS, even when you pull a protected document down from the share and put it on a USB drive, you know that only authorized people have access to that file."
Another danger is accidental information leaks. As Angela pointed out, "If I have information on my USB drive and I'm running through Heathrow Airport to catch my flight, I might drop the USB drive." Anyone who finds the drive could easily try to capitalize on any unprotected information it contains.
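To make the contrast between share-level ACLs and persistent, file-level protection concrete, here is a small model I put together; it is illustration only, not Microsoft's RMS code or SDK, and every class and method name in it (RightsServer, PublishingLicense, request_use_license, and so on) is invented for the example. It models the behaviours the column describes: the document on the share, or on a dropped USB drive, is ciphertext plus its policy, so copying it elsewhere gains an outsider nothing; a use license (here, release of the content key) is granted per user per right, with group membership looked up in a directory; content expires on a date set by the owner; the owner can reassign rights afterward; and a designated super user can open anything. The cipher is a stdlib-only HMAC counter-mode construction chosen so the script runs without extra packages; a production system would use an authenticated cipher.

```python
"""Toy model of persistent, rights-based document protection (added example,
not the RMS API; all names are invented)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric counter-mode cipher built from HMAC-SHA256 (stdlib only).
    Encrypt and decrypt are the same operation. Illustrative choice only;
    a real system would use an authenticated cipher such as AES-GCM."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, (offset // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class PublishingLicense:
    """Policy bound to the document: who may do what, and until when."""
    doc_id: str
    owner: str
    rights: dict                  # principal (user or group) -> set of right names
    expires: Optional[datetime]   # None means no expiration


@dataclass
class ProtectedDocument:
    """What actually sits on the share or the USB drive: ciphertext plus policy."""
    ciphertext: bytes
    license: PublishingLicense


class RightsServer:
    """Issues use licenses. Holds content keys (modelled as a plain dict; a real
    server would keep them wrapped under its own key) and the directory groups."""

    def __init__(self, groups: dict, super_users: set):
        self.groups = {g: set(m) for g, m in groups.items()}
        self.super_users = set(super_users)
        self._content_keys = {}

    def protect(self, owner: str, plaintext: bytes, rights: dict,
                expires: Optional[datetime] = None) -> ProtectedDocument:
        key = os.urandom(32)
        doc_id = hashlib.sha256(key).hexdigest()[:16]
        self._content_keys[doc_id] = key
        lic = PublishingLicense(doc_id, owner, {p: set(r) for p, r in rights.items()}, expires)
        return ProtectedDocument(keystream_xor(key, plaintext), lic)

    def _principals_of(self, user: str) -> set:
        return {user} | {g for g, members in self.groups.items() if user in members}

    def request_use_license(self, doc: ProtectedDocument, user: str, right: str,
                            now: datetime) -> Optional[bytes]:
        """Return the content key if `user` holds `right` at `now`, else None.
        Modelling choice: the owner and the super user are never refused."""
        lic = doc.license
        if user in self.super_users or user == lic.owner:
            return self._content_keys[lic.doc_id]
        if lic.expires is not None and now >= lic.expires:
            return None
        if any(right in lic.rights.get(p, ()) for p in self._principals_of(user)):
            return self._content_keys[lic.doc_id]
        return None

    def reassign(self, doc: ProtectedDocument, requester: str, rights: dict,
                 expires: Optional[datetime]) -> None:
        """Only the content owner may change the policy after the fact."""
        if requester != doc.license.owner:
            raise PermissionError("only the content owner can reassign rights")
        doc.license.rights = {p: set(r) for p, r in rights.items()}
        doc.license.expires = expires


def try_open(server: RightsServer, doc: ProtectedDocument, user: str,
             now: datetime) -> Optional[bytes]:
    """Decrypt the document if a 'view' use license is granted, else None."""
    key = server.request_use_license(doc, user, "view", now)
    return None if key is None else keystream_xor(key, doc.ciphertext)


def scenario() -> dict:
    """Constructed scenario mirroring the column: a price list protected for the
    marketing team until launch day, then opened by various people."""
    launch = datetime(2004, 1, 1, tzinfo=timezone.utc)
    server = RightsServer(groups={"marketing-team": {"angela", "bob"}},
                          super_users={"legal-counsel"})
    doc = server.protect("angela", b"Price list: widget $10",
                         {"marketing-team": {"view"}}, expires=launch)
    before, after = launch - timedelta(days=7), launch + timedelta(days=1)
    results = {
        "bytes_on_usb_are_ciphertext": doc.ciphertext != b"Price list: widget $10",
        "member_before_launch": try_open(server, doc, "bob", before),
        "outsider_before_launch": try_open(server, doc, "eve", before),
        "member_after_expiry": try_open(server, doc, "bob", after),
        "super_user_after_expiry": try_open(server, doc, "legal-counsel", after),
    }
    server.reassign(doc, "angela", {"marketing-team": {"view"}}, expires=None)
    results["member_after_reassign"] = try_open(server, doc, "bob", after)
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The point of the model is the one Angela makes: the ACL decides who reaches the share, but the object that leaves the share is ciphertext whose readability is re-decided on every open, so expiry, reassignment, and super-user recovery all work without touching the copies already in circulation.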
The Survey Results
Of the 254 survey respondents, about 86 percent were aware of RMS, but not quite 5 percent were using it. Although small, the sample included companies of all sizes (from fewer than 50 employees to more than 30,000 employees) from all over the world. Most respondents identified themselves as IT staff, IT management, or consultants.
I expected Microsoft to be most interested in verbatim responses to the question of why our readers aren't using RMS. Those comments revealed three main reasons:
1. Existing security is sufficient and RMS-type information protection isn't a priority. As one reader wrote, "Simply put, we're not there yet. Our organization does not yet feel the problems that RMS is supposed to solve."
2. Upgrading to Windows 2003 and other RMS-enabled applications is risky, expensive, and time-consuming. One person said, "I will only use what I have to of Windows 2003 until it becomes stable. I still have NT machines in my network." Another said, "Data security laws and regulations will eventually force us to take steps, but for now management is afraid of the overhead involved."
3. Interoperability isn't supported.
Like last month's Hey Microsoft! survey, our RMS survey revealed that people who don't use the technology aren't convinced that it brings them sufficient value. I asked Angela and Mario whether, based on the survey results, they think users understand the reasons for using RMS. The unexpected response was that Microsoft customers who "have taken the time to look at it get it immediately. There is a clear sense of the need for this kind of a solution."
When I pointed out that our survey results didn't support that conclusion, Microsoft expressed appreciation for the feedback, then went on to assert that the company would focus on data from people who already use RMS. "[This survey represents] a specific sample pool.... There were 12 users who actually utilize the technology. From our point of view, we'll leave and respect the survey result as it is, and it provides very good feedback for us. But based on our dialog with our customers, we feel that customers do understand the benefits of this technology."
A Swing and a Miss
Our survey's scope was limited. However, I expected Microsoft to be more interested in understanding and responding to the comments from the majority of users who don't use RMS.
As I explained last month in my first Hey Microsoft! column, my purpose in doing these surveys and sharing the results with Microsoft is to compare what you tell us with Microsoft's assessment of what its customers know about, need to understand about, and expect from a product or technology. I hope that the information will indicate ways for Microsoft to better serve you and will help you more effectively evaluate products. With my first column, I was taken aback that Microsoft representatives took my evaluation of the survey and interview as negative instead of perceiving it as constructive input. This month, Microsoft's reaction seemed to miss the point entirely. Instead of focusing on why most respondents aren't using RMS and how to help those customers, Microsoft appeared to dismiss the survey because it revealed that so few respondents use the technology.
After my September column went to press, Microsoft responded with additional information to address readers' concerns, as you can see in the Web-exclusive sidebar "Update on WSS and SharePoint Portal Server," http://www.windowsitpro.com, InstantDoc ID 43856. I'm sure Microsoft will also provide more information to help customers who aren't yet adopting RMS, so I'll keep you posted.
What do you think about RMS? I look forward to hearing from you on this topic and any others you'd like me to cover.