Rights management has become a hot--and contentious--topic lately. To oversimplify a complex subject, the goal of most kinds of Digital Rights Management (DRM) systems is to let the content creator control what can be done with protected content. Companies that generate content (including the recording and movie industries) favor DRM, which incorporates strong copy protection in every digital version of a song or movie. These folks generally believe that peer-to-peer (P2P) networks and broadband connections will result in the death of their industries. Others believe that this type of copyright protection is far from the original intent of the US Copyright Law and is too restrictive. This group blames the spread of DRM restrictions on software companies such as Microsoft and Apple Computer, which are adding DRM support to their media-oriented products.

Another kind of rights management is coming. Microsoft Office System 2003 will include support for Information Rights Management (IRM). The idea is simple: Individuals or companies will be able to apply fine-grained control over what can be done with the content they create. For example, a user will be able to protect a confidential corporate document so that only a certain set of people can open the document or flag a sensitive email so that recipients can't forward it. This capability is tremendously useful for several reasons.

First, IRM will supplement the conventional strategy of using access controls on files and folders. ACLs work well (after all, they've been around for almost 40 years) but leave open the possibility of copying sensitive materials from a workstation or user that has legitimate access. Because ACLs apply protections to a document's location rather than to the document itself, a document copied to another location can easily be modified or redistributed. Microsoft has attempted to address this problem by providing password protection for documents, but the easy availability of third-party password crackers has rendered that solution fairly ineffective.

Second, IRM will permit controls that don't currently exist in most applications. For example, users will be able to set an IRM-protected document to expire after a certain period of time or permit others to read, but not copy, a protected item. These protections might not be absolute; for example, a protected document can still be copied by photographing its onscreen image with a digital camera. As various military and intelligence agencies learned long ago, a sufficiently motivated person can often find a way to subvert information-security controls. However, IRM will help raise the bar to make this subversion more difficult than it is now.

Microsoft is dividing its IRM implementation among three components:

- Windows Server 2003 will provide a rights-management server that will check the identities of machines and users. The server will issue certificates to identify users and computers and will grant users access to documents through use licenses.

- IRM-aware client applications will provide tools for creating content and applying permissions. These applications also will be responsible for using client-side libraries to enforce IRM controls on content.

- The client libraries will be a set of DLLs installed on each client computer. These DLLs will communicate with the rights-management server to get licenses for accessing specific content and will handle encryption and decryption of data flow between client and server.

Astute readers might have noticed an omission above: I didn't mention Exchange Server. IRM doesn't involve Exchange in its protection processes--messages are protected before they leave a client's Outlook session and remain protected when stored on the Exchange server--but IRM does have important implications for Exchange administrators, mainly because users who want the additional security that IRM provides will be pressuring you to implement it. IRM's interaction with Exchange is similar to the way that Secure MIME (S/MIME) mail works, but you can store IRM-protected email on any version of Exchange. (Of course, you'll need a Windows 2003 system for the IRM rights-management server, and clients will need to run Windows 2000 or later to support Outlook 2003.) As Office 2003 gets closer to release, users will certainly start asking you about IRM and its effect on your messaging environment.
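The division of labor among the server, the IRM-aware client and the protected document can be sketched as a simplified Python model. This is an added example, not Microsoft's protocol or code: the class, function and policy field names, the integer clock and the toy keystream cipher are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample policy: bob may read but not copy; expiry is a plain integer clock.
POLICY = {"users": {"alice": ["read", "copy"], "bob": ["read"]}, "expires": 1000}

def _keystream_xor(key, nonce, data):
    # Toy cipher (HMAC-SHA256 keystream) standing in for real encryption.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class RightsServer:
    """Hypothetical rights-management server: keeps content keys and policies."""
    def __init__(self):
        self._docs = {}  # doc_id -> (content key, policy)
    def publish(self, doc_id, policy):
        self._docs[doc_id] = (os.urandom(32), policy)
        return self._docs[doc_id][0]
    def use_license(self, doc_id, user, now):
        key, policy = self._docs[doc_id]
        if user not in policy["users"]:
            raise PermissionError(f"{user} is not licensed for {doc_id}")
        if now >= policy["expires"]:
            raise PermissionError(f"{doc_id} has expired")
        return {"key": key, "rights": set(policy["users"][user])}

def protect(server, doc_id, plaintext, policy):
    # Authoring side: the document itself is encrypted, wherever it is stored.
    nonce = os.urandom(16)
    key = server.publish(doc_id, policy)
    return {"doc_id": doc_id, "nonce": nonce,
            "body": _keystream_xor(key, nonce, plaintext)}

def client_action(server, blob, user, action, now):
    # IRM-aware client: obtain a use license, then enforce the granted rights.
    lic = server.use_license(blob["doc_id"], user, now)
    if action not in lic["rights"]:
        raise PermissionError(f"{user} may not {action} {blob['doc_id']}")
    return _keystream_xor(lic["key"], blob["nonce"], blob["body"])

def attempt(server, blob, user, action, now):
    try:
        return client_action(server, blob, user, action, now).decode()
    except PermissionError as exc:
        return f"denied: {exc}"
```

In this model, copying the protected blob to another location leaves it encrypted and subject to the same policy, unlike a file guarded only by an ACL. The read-but-not-copy right is enforced by the client after the key has been released to it, which is why such protections are not absolute.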
