1 / 46

Windows Rights Management Services (RMS)

Windows Rights Management Services (RMS). Moshe Zrihen CTO, TrustNet. Agenda. The Business Problem Windows Rights Management Services How RMS address the problem Usage Scenarios & Regulation (Sox, HIPPA etc’) How RMS Is Working & Demo RMS SP2, what’s new?

pelham
Download Presentation

Windows Rights Management Services (RMS)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Windows Rights Management Services (RMS) Moshe Zrihen CTO, TrustNet

  2. Agenda • The Business Problem • Windows Rights Management Services • How RMS address the problem • Usage Scenarios & Regulation (Sox, HIPPA etc’) • How RMS Is Working & Demo • RMS SP2, what’s new? • RMS Integrated With Office 2007, SharePoint, Mobile • Related Information • Q&A

  3. The Business Problem

  4. Information Loss and Liability are a Growing Concern among Organizations… “Enterprises report forwarding of e-mails among their top three security breaches” – Jupiter Research “Organizations that manage patient health information, social security numbers, and credit card numbers are being forced by government and industry regulations to implement minimal levels of security to address leakage of personal information.” –IDC Source: JupiterMedia,DRM in the Enterpise, May 2004 Source: Worldwide Secure Content Management 2005-2009 Forecast: The Emergence of Outbound Content Compliance, March 2005

  5. …Information Leakage is Broadly Reaching Financial Services • Equity Research, M&A • GLB, NASD 2711 Healthcare & Life Services • Research, Clinical Trials • HIPAA Horizontal Scenarios • Information Protection: sensitive e-mails, board communications, financial data, price lists, HR & Legal information • Corporate Governance: Sarbanes Oxley (US) Manufacturing & High Technology • Collaborative Design, Data Protection in Outsourcing Government • RFP Process, Classified Information • HIPAA

  6. Traditional solutions protect initial access … Authorized Users Yes Information Leakage No Access Control List Perimeter Unauthorized Users Unauthorized Users Firewall Perimeter …but not usage

  7. Today’s policy expression… …lacks enforcement tools

  8. How RMS Address The Problem?

  9. Safeguard Sensitive Information with RMSProtect e-mail, documents, and Web content • Users without Office 2003 can view rights-protected files • Enforces assigned rights: view, print, export, copy/paste & time-based expiration Outlook 2003 & 2007 Windows RMS • Keep corporate e-mail off the Internet • Prevent forwarding of confidential information • Templates to centrally manage policies Secure Emails Word 2003/7, PowerPoint 2003/7 Excel 2003/7, Windows RMS • Control access to sensitive info • Set access level - view, change, print... • Determine length of access • Log and audit who has accessed rights-protected information Secure Documents IE w/RMA, Windows RMS Secure Intranets End User Scenarios

  10. Usage Scenarios & Regulation (Sox, HIPPA etc’)

  11. How RMS Enables SOX Compliance Sarbanes-Oxley Act of 2002 Section 404-1 SECURITIES AND EXCHANGE COMMISSION 17 CFR PARTS 210, 228, 229, 240, 249, 270 and 274 MANAGEMENT'S REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING AND CERTIFICATION OF DISCLOSURE IN EXCHANGE ACT PERIODIC REPORTS As directed by Section 404 of the Sarbanes-Oxley Act of 2002, we are adopting rules requiring companies subject to the reporting requirements of the Securities Exchange Act of 1934, other than registered investment companies, to include in their annual reports a report of management on the company's internal control over financial reporting. The internal control report must include: a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company; management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year; a statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting; and a statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting. Under the new rules, a company is required to file the registered public accounting firm's attestation report as part of the annual report. Furthermore, we are adding a requirement that management evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. Finally, we are adopting amendments to our rules and forms under the Securities Exchange Act of 1934 and the Investment Company Act of 1940 to revise the Section 302 certification requirements and to require issuers to provide the certifications required by Sections 302 and 906 of the Sarbanes-Oxley Act of 2002 as exhibits to certain periodic reports. Companies must implement, evaluate, and report on controls for financial reporting, operations, and compliance

  12. How RMS enables SOX Compliance

  13. How RMS Enables HIPAA Compliance Government Hospitals must protect patient data through access controls, user authentication, and auditing

  14. How RMS enables HIPAA Compliance

  15. How RMS Enables GLBA, 357 Compliance Companies must use information security technology to secure storage and transport of personal financial data

  16. FDA Compliance Food and Drug Manufacturers must digitally sign documents used in the manufacturing process and provide audit records, protected archival, and documented access controls FDA 21 CFR PART 11 DEPARTMENT OF HEALTH AND HUMAN SERVICES Food and Drug Administration 21 CFR Part 11 [Docket No. 92N-0251]----------------------------------------------------------------------- SUMMARY: The Food and Drug Administration (FDA) is issuing regulations that provide criteria for acceptance by FDA, under certain circumstances, of electronic records, electronic signatures, and handwritten signatures executed to electronic records… Section 11.10 describes controls for closed systems, systems to which access is controlled by persons responsible for the content of electronic records on that system. These controls include measures designed to ensure the integrity of system operations and information stored in the system. Such measures include: (1) Validation; (2) the ability to generate accurate and complete copies of records; (3) archival protection of records; (4) use of computer-generated, time-stamped audit trails; (5) use of appropriate controls over systems documentation; and (6) a determination that persons who develop, maintain, or use electronic records and signature systems have the education, training, and experience to perform their assigned tasks. Section 11.10 also addresses the security of closed systems and requires that: (1) System access be limited to authorized individuals; (2) operational system checks be used to enforce permitted sequencing of steps and events as appropriate; (3) authority checks be used to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform operations; (4) device (e.g., terminal) checks be used to determine the validity of the source of data input or operation instruction; and (5) written policies be established and adhered to holding individuals accountable and responsible for actions initiated under their electronic signatures, so as to deter record and signature falsification. Section 11.30 sets forth controls for open systems, including the controls required for closed systems in Sec. 11.10 and additional measures such as document encryption and use of appropriate digital signature standards to ensure record authenticity, integrity, and confidentiality. Section 11.50 requires signature manifestations to contain information associated with the signing of electronic records.

  17. How RMS Is Working & Demo

  18. How does RMS work? • Author receives a client licensor certificate the first time they rights-protect information Active Directory SQL Server • Author defines a set of usage rights and rules for their file; Application creates a “publishing license” and encrypts the file RMS Server • Author distributes file 4 1 • Recipient clicks file to open, the application calls to the RMS server which validates the user and issues a “use license” 2 5 3 • Application renders file and enforces rights Information Author The Recipient

  19. Apply Permissions to New Email

  20. Add userswith Readand Changepermissions Verify aliases& DLs via AD Add advanced permissions

  21. Add/removeadditional users Set expiration date Enableprint, copypermissions Contact forpermissionrequests Enable viewing viaRMA

  22. RMS SP2, what’s new?

  23. SharePoint 2007 • Protected document libraries • Policy applied at document library level • Protects document on download • Document protected to user • Information searchable on server • Sticky permissions • SharePoint rights  IRM permissions • File format specific • Out-of-the-box support for Word, Excel, PowerPoint, InfoPath, and XPS files

  24. Office 2007 • Client applications • Outlook • Word • PowerPoint • Excel • InfoPath - new • Server applications • SharePoint – new • Windows Mobile • Support Windows Mobile 6

  25. Protected doc library

  26. Windows Mobile • Smartphone and Pocket PC • Optimizations for Mobile platform • RMS API part of Mobile SDK • Pocket Inbox, Word, Excel, and PowerPoint Y Y Y N

  27. RMS Live Demo

  28. Related Info

  29. Related Links: • http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx • http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/rmenterprise.mspx

  30. תודה רבה על ההקשבה moshe@trustnet.co.il

More Related