Cloud computing increases data mobility and exposure. Corporate data is at risk when it travels the private and public parts of a cloud and data owners ignore the exact cloud location where corporate data is stored or processed. To properly deal with these challenges, organizations need flexible data security tools that let them enforce granular access control to ensure that only authorized users, business partners, cloud service providers, and customers can access their information.
In this context, it’s worthwhile to consider enterprise rights management (ERM) solutions such as Microsoft Windows Rights Management Services (RMS). To prevent unauthorized access, RMS encrypts information and enforces a granular access-control mechanism that decides whether and how it releases information to a user. The protection RMS provides is persistent and travels with the information no matter where it goes on your network or in the cloud.
Microsoft bundles RMS with Windows Server 2008, Windows 7, and Windows Vista. This is RMS version 2—officially called Active Directory Rights Management Services (AD RMS). Microsoft provided RMS version 1 as a free add-on to Windows Server 2003, Windows XP, and Windows 2000 Workstation. RMS protection can be added to Microsoft Office 2010, 2007, and 2003 documents; Microsoft Outlook email messages; and Microsoft PowerPoint, Excel, Word, and InfoPath documents. RMS can also secure XPS-formatted files. RMS support for other document formats (e.g., Adobe Acrobat PDF, Microsoft Office 2000, Microsoft Visio) can be added through special plug-ins that are available from third-party software vendors such as GigaTrust.
You can use RMS to secure information exchanges between different organizations and cloud entities. To do so, you can consider several architectural options.
Overview
RMS provides the following four options for the exchange of RMS-protected documents between organizations:
- Use a single RMS infrastructure and create external accounts for your partner in your AD infrastructure.
- Create an RMS infrastructure at the partner’s site and set up an RMS trust between yours and your partner’s RMS infrastructures.
- Leverage Windows Live ID credentials for authenticating external users.
- Use identity federation by leveraging Active Directory Federation Services (ADFS) or the Microsoft Federation Gateway.
To configure RMS for external collaboration, you must use the Trust Policies container in the Microsoft Management Console (MMC) Active Directory Rights Management Services snap-in, which Figure 1 shows. By default, this container has two subcontainers: Trusted User Domains and Trusted Publishing Domains. If you select the Identity Federation Support role service during installation of the RMS server, the Trust Policies will have a third subcontainer called Federated Identity Support. Finally, if your RMS server runs on Windows Server 2008 R2 SP1, a fourth container called Microsoft Federation Gateway Support will show up in the Trust Policies container. You can also use Windows PowerShell commands to configure all RMS trust policy settings, as described in the Microsoft TechNet article “
Establishing Trust Policies.”
Figure 1: Configuring RMS for external collaboration
Single RMS Infrastructure
Using a single RMS infrastructure saves your partner the effort and cost of setting up an RMS infrastructure but requires you to create external accounts for your partner in your AD infrastructure, thus adding provisioning and de-provisioning complexity and account management overhead. Because each user will get another account and associated credentials to remember and maintain, this approach also isn’t the most user-friendly integration option.
To enable partner users to access and create RMS-protected content, your organization must also publish RMS externally, either to the Internet or an extranet. The Microsoft TechNet article “Internet Access Considerations,” which is a chapter in the RMS documentation at technet.microsoft.com/en-us/library/dd996655(WS.10).aspx, provides good guidance for publishing RMS externally.
Your partner organizations must also make sure their users install the AD RMS client software and use RMS-enabled Office applications. If your partners only want to access protected content (and not create new protected content), they can also use the Rights Management Add-On for Internet Explorer (RMA). In this case, your partner doesn’t need to install the RMS client and RMS-enabled applications on its client computers. When you plan to deploy RMA in your organization, I advise you to read the Microsoft article “Introducing Rights-Managed HTML.”
RMS Trust Relationships
An RMS trust relationship is an RMS-specific trust that’s different from an AD trust and that’s created between two RMS installations. A key condition for an RMS trust is that your partner has deployed an RMS infrastructure—which is a rather heavy infrastructure requirement that you can’t impose on every partner.
You can define an RMS trust from the Active Directory Rights Management Services snap-in. In the Trust Policies container, you’ll see two options for setting up an RMS trust: You can either use a trusted user domain (TUD) or a trusted publishing domain (TPD).
- When you use a TUD, your RMS cluster can issue RMS use licenses to users that were authenticated by another RMS cluster. You can add a trusted user domain by importing the Server Licensor Certificate (SLC) of the RMS cluster in the other organization on your RMS cluster.
- When using a TPD, you let your AD RMS server issue RMS use licenses to users that have a publishing license that was issued by another RMS server. You can add a trusted publishing domain by importing the SLC and the associated private key of the RMS server in the other organization on your RMS server.