Azure Rights Management
White Paper
September 2014
Contents
Introduction
Challenges
Sharing data securely
Sharing between organizations
Maintaining control
Architecture
How RMS works
Deployment models
Application integration
Working with Azure RMS
Summary
Introduction
the ability to share virtually any file on any platform securely inside or
outside of your organization. Whether the file is on-premises or in the
cloud, RMS can protect your organization’s critical information in a way
that is customizable and easy to manage.
This white paper explains what RMS is, explores what it can do for your
organization, and discusses the latest updates and innovations that are
included in Microsoft Azure RMS.
Sharing data securely
RMS allows users to encrypt individual files and safely share them with
the intended recipients. There are no file type restrictions, so users are
free to send any file to whoever needs to receive it. This occurs via any
transport mechanism, such as email or a cloud-drive storage sync.
Additionally, users can access these files on the most commonly-used
device types, including PCs (Windows and Mac) and mobile devices
(Windows, iOS, and Android).
Sharing between organizations
that can result from sensitive files falling into the hands of external users.
Furthermore, there can be compatibility concerns for participants who
have not adopted the security software being utilized.
1. Compatibility with virtually any file type – Regardless of the file
type, it can be protected.
2. Choice of platform – Regardless of the user’s device, a full-fledged
RMS experience is available.
AD RMS improved and updated since then with each major release of Windows
and Office, but the proliferation of mobile devices and the adoption of
additional platforms require a new approach.
future with continually receiving updates and improvements to bolster security and
refine the user experience.
Azure RMS Beginning in August 2014, Microsoft will roll out the following additional
capabilities for RMS:
Architecture
currently set up. There are two ways to approach RMS, as Figure 1
shows: Active Directory RMS (AD RMS) (on the left of the diagram) or
Azure RMS (on the right of the diagram).
Figure 1) Microsoft RMS overview
Azure RMS operates in two modes, cloud only and hybrid, through on-
premises connectors. Azure RMS relies on Azure Active Directory for
user identity and authentication, and is integrated with Office 365.
Azure RMS provides the best of both worlds, allowing users to connect
to both on-premises servers and cloud services, while still offering
greater integration opportunities with Office 365.
Azure RMS grants multiple levels of control to the customer for storing
and managing this key. The important point to remember is a customer
can opt not to give Microsoft any control over these keys, retaining all
control themselves.
As noted previously, none of the contents of the secured file are ever
sent to the RMS server or service. That content cannot be accessed
because RMS never actually receives the files, only the policy settings for
those files. As Figure 3 demonstrates, the rights are enforced by the
RMS-compatible applications, which work in unison with Azure RMS
through SDKs that communicate the policy restrictions to the server.
While compatibility between files and the available applications had
previously been a challenge, virtually any file type will now work with
Azure RMS.
Deployment models
migrate to the cloud, but that does not necessarily mean it is the right
move for everyone (at least right now). To meet the diverse set of
business requirements, Microsoft has readied RMS for each type of
customer.
Cloud ready
RMS in Office 365 is designed for cloud-ready organizations and is by
far the easiest platform to manage. It offers a wide range of
RMS-enlightened apps, live support, and other features such as Data
Loss Prevention functionality in Exchange. Office 365 is equipped for
organizations that are ready to experience Office anywhere, without
being bound to a physical location. Enabling RMS is a single-click
process.
Cloud accepting
For cloud-accepting organizations that are not ready to fully commit to
Office 365, there is a compelling hybrid alternative—the Microsoft
Rights Management connector. This connector runs on-premises and
acts as a communicator between existing on-premises servers and the
cloud-based Azure RMS.
Windows PowerShell
Azure RMS can be run using Windows PowerShell commands, or
PowerShell can be used to connect other applications to the service.
RMS SDKs
Microsoft has recently released SDK 4.0. This includes AD RMS support,
offline consumption, and a redesigned API. SDKs are available for all
device types, including Android, iOS, and OS X.
Working with Azure RMS
other integrations of Azure RMS, in addition to some of the steps users
need to follow to unify all of the RMS offerings.
RMS
process. Microsoft has made the experience consistent across the
different platform types. Once deployment is complete, customers must
activate the RMS service and then customize individual template types.
Templates
Template management within Azure RMS was designed to be robust, yet
easy to use. Templates are where policies governing document usage
rights are created and saved. For a recurring document or file that needs
to receive consistent treatment per organizational standards, you can
save the template and reuse the same settings in the future.
2. To further manage and create your policy settings, which you can
make available to your desired users, select additional
configurations.
3. To save your policy usage settings as a template, fill out the
required fields.
File Classification, which acts as the auditing and data oversight system
for Windows Server 2012 and R2, integrates with DAC to provide a
mechanism to discover important information in a file server, classify it,
and then perform tasks against it such as automatically applying RMS.
DAC can use either AD RMS or Azure RMS for access protection.
3. Choose your settings, and then click Send. This will create and
open an email, with an attachment that includes default text
explaining that you are attaching a protected document.
The recipient will be guided to download and install the free RMS
sharing application to view the content with the rights granted by the
sender. A mobile version of this app is also available, as Figure 6 shows.
After the recipient completes the login, he or she will be able to unlock
the protected content and see the level of permissions granted to him
or her.
Learn more
To further explore the capabilities of Azure RMS, visit some of the
available resources from Microsoft’s RMS team.