Microsoft Rights Management
Dan Plastina

Organizations share information. The Microsoft Rights Management services (RMS) offering helps organizations keep their information secure, both inside and outside of the organization, by protecting documents both at rest and in motion. Information protection is critical and, at this time, Microsoft is redoubling its investment in RMS. This document outlines our newest feature set, with a strong emphasis on the July preview deliverables. The following links complement this document with further information:
http://channel9.msdn.com/Events/TechEd/Europe/2013/WCA-B322 and WCA-B321
http://microsoft.com/rms and http://blogs.technet.com/b/rms

Microsoft RMS enables the flow of protected data on all important devices, of all important file types, and lets these files be used by all important people in a user’s collaboration circle. Yes, RMS will now protect any file type (not just Microsoft Office documents), let you access them on many devices (not just Windows PCs), and enable sharing with other organizations (not just within your organization). Furthermore, ITPros can perform simple, planned deployments of RMS or, if not deployed by the ITPro, information workers (IWs) can adopt RMS on their own (dubbed ‘RMS for Individuals’) for free.

The Microsoft Rights Management suite is implemented as a Windows Azure service. For brevity, we refer to it within this document as Azure RMS so as not to confuse it with Windows Server AD Rights Management Services (aka AD RMS). It comprises a set of RMS applications that work on all your common devices, a set of software development kits, and related tooling. By leveraging Windows Azure Active Directory, the Azure RMS service acts as a trusted hub for secure collaboration where one organization can easily share information securely with other organizations without additional setup or configuration.
The other organization(s) may be existing Azure RMS customers but, if not, they can use the free Azure ‘RMS for Individuals’ capability. This offering is in preview as of July 29, followed by general availability in October. Follow our blog at blogs.technet.com/b/rms for details. Also visit the updated www.microsoft.com/rms site.

The Elephant in the Room

There is no escaping the recent news. If you’ve not yet seen Microsoft’s blog on this matter, please take a moment to read it now. In this section we’re going to ask that you consider this complex problem in layers rather than as one undifferentiated issue; please don’t ‘throw the baby out with the bathwater’. Specifically, consider the ability to protect and limit access to sensitive files from:
A) A broad base of your own internal employees
B) A collection of organizations you choose to collaborate with
C) Various exposure risks you are subject to when the files are stored in the cloud

Each of these capabilities poses different challenges and it’s clearer now than ever that no solution can address every possible aspect of data protection in every possible situation. Fortunately, you can solve some of your data protection challenges now. Let us begin with a few facts about Microsoft’s Azure-hosted Rights Management service:
- Azure RMS is at the core of the Rights Management suite and relies on Windows Azure services.
- A document is protected by RMS without the document being sent to the Azure service.
- Viewing or sharing protected documents is enabled without the documents themselves being sent to the Azure service.
- Sharing a file occurs without the document being relayed via the Azure RMS service.

Common to all of the above statements: the Azure RMS service never sees your data. This is a common misunderstanding about the RMS technology stack, and we want to set the record straight: actual customer content is never accessible to RMS data protection services, nor to anyone compelling the service to do something on their behalf.
Let’s dive in deeper with a diagram of the fictional US company Contoso, which is sharing data. It is a very accommodating company that shares data via the four modern data storage models:
1) The document is kept on premises. A presumption here is that the company has full control over its security perimeter, something that may not always be true. This caveat aside, the document is generally considered as being most private (note: we did not say ‘most secure’).
2) The document is shared with a second party named Fabrikam, a fictional company. The document is shared, in private, via what both parties deem to be a secure means (e.g. email, USB storage).
3) The document resides in any cloud provider’s SaaS application. From there, it is shared with others.
4) The document resides in any cloud provider’s storage. From there, it is shared with others.

[Figure: Contoso (North America) and Fabrikam (Europe) with the four storage models numbered 1 to 4; labels shown: Office 365, Azure SaaS/PaaS/IaaS, SalesForce, Amazon Web Services, Conventional SaaS Offers, Conventional Hosters, Azure AD and RMS.]

In all four of these cases (1/2/3/4 above) the ITPro at Contoso, not Microsoft, was in charge of making storage location and transfer transport policy choices (though we all know the users often make their own choices). While those location and policy choices do have exposure-related consequences, none of them result in the Azure RMS service having access to the data. Microsoft RMS is file transport and file storage agnostic. It operates on files only when they are ‘activated’ (protected, opened/consumed). Tying this back to the A/B/C challenges above, the RMS offer is highly adept at handling the protection-at-rest needs of scenario A (protection within the organization) and scenario B (protection of a private communication between organizations).
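The claim above that the Azure RMS service never sees your data is easiest to see in code. The Python below is an added example, not Microsoft’s SDK or service code: it models the flow as envelope encryption with a policy decision point, using a toy HMAC-based stream cipher and textbook RSA over fixed Mersenne primes so that it runs on the standard library alone (neither primitive is safe for real use). The names (TenantService, protect, consume, the policy fields), the sample document and the sample policy are assumptions made for the example, and the real protocol differs in detail. The division of labor is the point: the file body is encrypted on the client, the service is only ever handed a license containing the wrapped content key and the policy, it decides access and logs the request, and the file itself never passes through it.

```python
import hashlib
import hmac
import os

# Toy primitives. Textbook RSA over fixed Mersenne primes (no padding, no
# primality test needed) and an HMAC-SHA256 keystream stand in for the RSA
# and AES a real RMS deployment uses. Illustration only, not for real use.
E = 65537
TENANT_PRIMES = (2**61 - 1, 2**89 - 1)   # tenant key: held by the service (an HSM in practice)
USER_PRIMES = (2**107 - 1, 2**127 - 1)   # a user's key: held on the user's device


def rsa_keypair(p, q):
    """Return (public, private) as ((n, e), (n, d))."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def rsa_wrap(pub, key):
    n, e = pub
    return pow(int.from_bytes(key, "big"), e, n)


def rsa_unwrap(priv, wrapped):
    n, d = priv
    return pow(wrapped, d, n).to_bytes(16, "big")


def stream_xor(key, nonce, data):
    """Symmetric toy cipher: XOR data with HMAC-SHA256(key, nonce||offset) blocks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def protect(plaintext, policy, tenant_pub):
    """Client side (the RMS SDK role). The body is encrypted locally; the
    publishing license that travels with it holds only the policy and the
    content key wrapped to the tenant's public key."""
    content_key, nonce = os.urandom(16), os.urandom(8)
    publishing_license = {"policy": policy, "nonce": nonce.hex(),
                          "wrapped_key": rsa_wrap(tenant_pub, content_key)}
    return publishing_license, stream_xor(content_key, nonce, plaintext)


class TenantService:
    """Service side (the Azure RMS role): holds the tenant private key,
    decides whether the authenticated user gets access, re-wraps the content
    key to that user, and logs every request. It has no call that accepts a
    file body, so `received` can never contain one."""

    def __init__(self, tenant_priv):
        self._tenant_priv = tenant_priv
        self.received = []   # everything ever handed to the service
        self.log = []        # the per-use audit trail

    def request_use_license(self, user, user_pub, publishing_license, now):
        self.received.append(publishing_license)
        policy = publishing_license["policy"]
        org_wide = "*@" + user.split("@", 1)[1]          # e.g. "*@contoso.com"
        rights = policy["rights"].get(user) or policy["rights"].get(org_wide, ())
        if now > policy["expires"]:                      # expired content: nobody gets a key
            rights = ()
        self.log.append({"time": now, "user": user, "doc": policy["doc_id"],
                         "result": "granted" if rights else "denied"})
        if not rights:
            return None
        content_key = rsa_unwrap(self._tenant_priv, publishing_license["wrapped_key"])
        return {"rights": tuple(rights), "wrapped_key": rsa_wrap(user_pub, content_key)}


def consume(body, publishing_license, use_license, user_priv):
    """Client side again: unwrap with the user's private key and decrypt locally."""
    content_key = rsa_unwrap(user_priv, use_license["wrapped_key"])
    return stream_xor(content_key, bytes.fromhex(publishing_license["nonce"]), body)


def demo():
    """One protect/share/consume round trip over constructed sample data."""
    tenant_pub, tenant_priv = rsa_keypair(*TENANT_PRIMES)
    user_pub, user_priv = rsa_keypair(*USER_PRIMES)
    service = TenantService(tenant_priv)
    secret = b"Contoso Q3 forecast: revenue up 12%"        # constructed content
    policy = {"doc_id": "forecast-q3", "expires": 2000,     # constructed policy
              "rights": {"joe@fabrikam.com": ["VIEW"],
                         "*@contoso.com": ["VIEW", "EDIT", "PRINT"]}}
    pub_lic, body = protect(secret, policy, tenant_pub)

    joe = service.request_use_license("joe@fabrikam.com", user_pub, pub_lic, now=1000)
    return {
        "body_is_ciphertext": body != secret,
        "joe_plaintext": consume(body, pub_lic, joe, user_priv),
        "joe_can_print": "PRINT" in joe["rights"],           # the application must honor this
        "mallory": service.request_use_license("mallory@evil.example", user_pub, pub_lic, now=1000),
        "jane_after_expiry": service.request_use_license("jane@contoso.com", user_pub, pub_lic, now=3000),
        "service_saw_plaintext": any(secret in repr(x).encode() for x in service.received),
        "log": service.log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

In this model the service does briefly hold the unwrapped content key at consumption time in order to re-wrap it for the user, which is why the handling of the tenant key (HSMs, bring-your-own-key) matters as much as the ‘never sees your data’ property; the document body stays with the client throughout, and the only thing a denied user or an expired document yields is a log entry.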
For scenario C (data stored in the cloud; storage models 3 and 4 above) the considerations are more complex given that the data has left the trusted perimeter of Contoso and the partially-trusted perimeter of Fabrikam. There is now a new actor that must provide a trusted storage perimeter in the eyes of the Security Officer. The media frenzy over data protection has turned this into a statement of distrust for the cloud, but savvy readers know well that the problem is far more subtle than this narrow view. We, the RMS team, often talk with customers whose own perimeter has been challenged by ‘unwanted guests’. In this context one ITPro recently said to us, “You have far more to lose (your reputation; your many SaaS/IaaS customers) than I do, so I must recognize the effort that you must be investing into establishing cloud security and trust”. This ITPro was spot on; we are investing a huge effort.

The Microsoft RMS components are scrutinized closely as they play a critical role in the overall secure document protection framework. Specifically, they enable the following:
A) The client SDKs protect the data within the runtime environment in which they are executing. This is normally a PC (Windows or Mac) or a mobile device (Windows RT, Windows Phone, iOS, or Android). The device can also be a Windows server service (e.g. Exchange) or a solution provider’s value-add offering (e.g. Data Leakage Prevention). Those runtimes use the RMS SDK to interact with the Azure RMS service.
B) The Azure RMS server, when responding to client SDK requests, is responsible for the secure encryption key interchange with the SDK in order to protect the data without the data going to the Azure RMS service.
C) Once protected, the Azure RMS service plays key roles in document consumption:
a. The user must be authenticated – Azure RMS requests an authorization token from the appropriate identity provider.
Generally this is federated on-premises AD or Windows Azure AD, but we’ll shortly seek to offer support for Microsoft Account (aka LiveID) and Google IDs.
b. The user must be authorized – Azure RMS serves as a unified policy decision point and policy enforcement point for the policies established by your organization. This is done by having the RMS software process the document policy associated with a protected document and then decide whether user@Fabrikam.com should be granted permission to view the document.
c. Every use must be logged – All user activity, successful or not, is logged in Azure RMS logs, enabling your IT staff to audit access. We are now working with third parties to render distilled reports and/or dashboards from these logs.

We hope that this section offered insight into the assurances we provide and the empowerment you have in making key choices. Let’s now move on to describing RMS.

Promises of the new Microsoft Rights Management services

Users:
- I can protect any file type
- I can consume protected files on devices important to me
- I can share with anyone
  o Initially, I can share with any business user
  o I can eventually share with any individual (e.g. MS Account, Google IDs in CY14)
- I can sign up for a free RMS capability if my company has yet to deploy RMS

ITPro:
- I can keep my data on-premises if I don’t yet want to move to the cloud
- I am aware of how my protected data is treated
- I can control my RMS ‘tenant key’ from on-premises
- I can rely on Microsoft in collaboration with Partners for complete solutions

These promises combine to create two very powerful scenarios:
1) Users can protect any file type, then share the file with someone in their organization, in another organization, or with external users. They can feel confident that the recipient will be able to use it.
2) ITPros have flexibility in their choice of storage locale for their data, and Security Officers have the flexibility of maintaining policies across these various storage classes. Data can be kept on premises, placed in a business cloud data store such as SharePoint, or placed pretty much anywhere and remain safe (e.g. thumb drive, personal cloud drive).

The next few sections will describe the various capabilities and experiences.

Users and their Document Protection Experience

The screen shots below are from applications made available to those who are accepted into the preview. If you want to start looking at Azure RMS, please request participation in the preview. Documents are now very well supported by RMS. There are several important dimensions:
- Users can protect any document type. The RMS API used by the RMS App or by RMS-enlightened applications will do its best to protect the file in the most suitable format.
  o Native RMS-enlightened applications: DOC, DOCX, XLS, XLSX, PPT, PPTX, PDF
  o The free ‘RMS App’, an enlightened application itself: TXT, XML, JPG, JPEG, TIFF, GIF, BMP
  o Generically protected files are ‘wrapped’ and launched in the registered application. E.g. a Photoshop™ file becomes MyDrawing.PSD.PFILE. This protection offers access control without additional usage restrictions. Despite the lack of usage restrictions, you should not underestimate the value of authorization, education, and the ability to expire content.
- The user can publish or consume protected documents on Windows for computers, Windows for tablets, Windows for phones, iOS, Android, and Apple OS X. Web sites and other operating systems can participate in the RMS ecosystem via RESTful service APIs.
- Users can share these protected documents with users in their organization, other organizations (B2B), and users who act as individuals (B2I; support for Microsoft Account and Google IDs comes later).
- Consumption of rights-protected content is free.
(More below on pricing.)

Protecting a document is best experienced within an RMS-enlightened application. As application developers utilize our new SDK, they will be providing a consistent user experience (UX), as the UX is integrated into the SDK itself. Outside of an RMS-enlightened application, the user can protect a document by using the RMS App’s integration in Windows and Apple OS X, as well as via Office toolbar extensions. Generally stated, the capability is either Protect in place or Share Protected, with a special affordance for capturing protected photos from mobile devices that have cameras.

Protect (in place): This flow will protect the file in place. The user can then take other actions to share the file, if need be. This flow is most suitable for personal or cloud-drive file protection flows. The user will be given the choice of protecting with an organizational template, a previously saved user template, or a new ad-hoc template.

Share Protected: This flow will protect a copy of the selected file, leaving the original file in its prior state (which could also be protected). This flow has the user addressing the document to people (email addresses) and selecting related permissions. Upon sending, an unprotected email will be sent with the protected document attached. The user can customize the email before it is sent.

Share Protected (Camera): This flow will soon be available on mobile devices. The user will be permitted to take a picture and accept or retake it. Once selected, the above ‘Share Protected’ flow will apply and a protected JPG image will be attached.

Here is a visual example of sharing a sensitive file: while in Word, you can save a document and invoke SHARE PROTECTED (added by the RMS application).

Note: An astute reader will notice that we added a button here instead of reusing what was already present in Office. Stated plainly, we needed to alter fundamental behaviors such as user interface, underlying RMS SDK support, and authentication.
This new entry point mirrors the user interface you will see in the core OS views, as well as in ISV applications. You are then offered the protection screen. This screen is provided by the SDK and thus will be the same in all RMS-enlightened applications. When you are done with addressing and selecting permissions, you invoke SEND. An email will be created that is ready to be sent, but you can edit it first.

Users and their Document Consumption Experience

In due time, the recipient of the above email simply opens the attachment to view it. This attachment, depending on the file type, will invoke the correct application. As of the RMS preview, your system will launch one of Word, Excel or PowerPoint for those respective files, the Foxit PDF Reader for protected PDFs, or the RMS App for text, images, or generically protected files (PFILEs). If the user has an RMS-aware identity, they will be able to log in. Here you see an email with a PJPG (protected JPG). Upon opening, the user is asked to log in and then the image is rendered.

Note: In the July Preview, the mobile applications are not publicly available. We are prevented from getting them into your hands until they have been accepted by the respective app stores. We ask that you trust us, as we used them to produce the above screen captures. The store distribution acceptance process is underway and all will be released by/before our October general availability date.

Finally, in terms of enabling broad reach, recipients not in an RMS-supported organization can register for Microsoft Rights Management for individuals. This self-service offering permits early department-level adoption of the RMS services with limited need for IT support. It is a free offer. This offer lets the user consume and produce RMS-protected content. The sign-up process is simple:
1) The user is asked for their organizational email name: joe@contoso.com. At this time several checks are made before an ad-hoc RMS account is created.
In particular we check to see if the parent organization already has a Windows Azure Active Directory tenant, if the user already has an account, etc. If none of these checks applies, the user is given an ad-hoc account for free. The ITPro section below offers more insight here as well as other IT-oriented advice.
2) To validate the user’s ownership of the cited ID, they are sent an email (not shown below).
3) Once ownership is proven, the user is asked to provide a display name, a password, and country in order for their account to be provisioned. These self-service RMS for Individuals accounts will be re-validated on a monthly basis.
4) The user is prompted to install the RMS application upon completion. The RMS application requires administrative permissions in order to be installed, and it is required in order to consume protected content in older versions of Microsoft Office.

In visual form: (cropped to fit) Try this live at https://portal.aadrm.com. Sign up for real or use the demo flow (<name>@contoso.com).

Users and their Email experience

An important class of information is email. Users can both consume and protect email within enlightened email clients and servers. Microsoft Outlook 2013, when backed by Exchange 2013, works with the Azure RMS offers out-of-the-box and offers fantastic new innovations that enable automatic RMS protection. The RMS connector (covered below) also enables on-premises Microsoft Exchange to work with Azure RMS. Exchange Online, as part of the Office 365 suite, works directly with Azure-hosted RMS. This suite of offers enables a very usable means to protect email within your company. These email offers are not subject to the RMS for Individuals offer – they are capabilities of the RMS-enlightened application. RMS itself does not offer any email protection capability.

ITPro and their Experiences

In a few short pages this section can’t begin to do justice to all the moving parts within.
We’ve recorded two 75-minute videos that we believe do a far better job: WCA-B322 and WCA-B321. We’ll instead focus here on offering a quick overview. The www.microsoft.com/rms site also hosts much related information.

Deployment Topologies

The above-mentioned videos generally describe three classes of organizations, and then the associated RMS capabilities and the relationships with other workloads. In abstract form, the following slide shows exemplary infrastructure offers (Email, Portals, Storage) and their relationship to the RMS deployment types.

Cloud Ready
Cloud-ready organizations will find Office 365 very compelling. The combined offer has simplified all aspects of configuration. Within that environment, RMS is very simple to enable: one button, and deep integration with Exchange, SharePoint, and the entire Office 2013 suite is switched on. Through the RMS application(s), users of Office 365 also benefit from generic protection of any file type and the ability to collaborate with non-Office 365 organizations or individuals. This is, by far, the simplest way to get started with RMS and is available for purchase now.

Cloud Hesitant
Cloud-hesitant organizations generally have less of a drive to move to the cloud at this time. Reusing the diagram above, a cloud-hesitant organization is one that lives within the cross-hatch. Per the rationale offered above, we expect the use of Azure RMS but exclude the use of cloud IaaS/SaaS offers. In other words, a cloud-hesitant customer for now will go for options 1) and 2) only, as depicted in the illustration below. Over time we expect the hesitancy to reduce and more customers will start to leave the cross-hatch area for selective classes of services.
[Figure: the Contoso (North America) and Fabrikam (Europe) diagram again, with the four storage models numbered 1 to 4; labels shown: Office 365, Azure SaaS/PaaS/IaaS, SalesForce, Amazon Web Services, Conventional SaaS Offers, Conventional Hosters, Azure AD and RMS.]

Cloud Accepting
This organization type simply balances between being Cloud Ready and Cloud Hesitant.

Features, and how they relate

At the core we have the Microsoft Rights Management service. This service is hosted in Azure and handles all service-side duties for the overall offer. This Azure RMS service relies on Windows Azure Active Directory and associated services (Directory Sync and Federation). The Azure RMS service requires storage for the high-value tenant keys at the core of RMS. Our key management service (KMS) stores these RMS tenant keys with extreme security thanks to its reliance on industry-proven, FIPS-compliant HSMs from our partner Thales (learn more: hardware security modules). The KMS also offers related services such as the Bring-Your-Own-Key capability that lets customers, well, bring their own key. Finally, both the Azure RMS service and the KMS require logging, and that’s implemented using our Near-realtime Logging service. A complementary whitepaper on this offer is forthcoming.

At the core of our hybrid story is the Rights Management connector. The ‘connector’ presents itself as an AD RMS server to the on-premises Exchange and SharePoint workloads. It then relays all requests to the Azure-hosted RMS service. The connector is simpler to deploy than the current AD RMS offering, as only a pair of them (for high availability) are required for an organization and they can be deployed on existing VMs/machines. No fault-tolerant SQL servers are needed.

Common Configurations

The baseline configuration for all of the below has you creating an Azure Active Directory tenant for your organization (or reclaiming one that was created on your behalf by your RMS for Individuals users). The purchased RMS service licenses can then be enabled for the users in your tenant.
You now have RMS! As part of this baseline, if you represent a larger organization, you will layer on other integrated services such as Azure AD directory sync, ADFS trust federation, HSMs with our bring-your-own-key, near-realtime logging, and other forthcoming capabilities tuned for enterprises. Before we detail these layered services, let’s first review some common deployments:

On-premises Email, within your company

On the server side, most of you will have an Exchange deployment with no form of information protection. We enable you to quickly add the Microsoft Rights Management connector to your Exchange deployment and configure it to interact with the RMS service. The result of this topology is that your Exchange server is now fully RMS-capable by relaying protection traffic to the RMS service. As per the opening section, your data NEVER leaves for the cloud; only the protection traffic does. This is so simple that there is no excuse not to do it.

On the client side, most of you will have a recent version of Office: 2010 or 2013. The 2013 client will automatically recognize the RMS service, and the 2010 client will automatically be made to work with the RMS service once the RMS application is installed on your PC. If you are running Office 2007 and can’t move to a more recent version, let us know. Microsoft Office for Mac does not support the Azure-based RMS service offering at this time. The Mac RMS application will, however, permit you to email protected documents from the Apple Finder.

On the mobile device side, there are two waves of offers. The first is in market and relies on Exchange ActiveSync (EAS)-aware devices. Some of them (Windows Phone and Samsung yes, but not Apple) support the EAS rights management capabilities and permit reading and replying to RMS-protected email. We ask that customers who need RM support on iPhones/iPads offer feedback (complain) to their mobile account manager / Apple.
The second wave centers on native RMS-enlightened mail clients with full protection at rest and in motion. This wave can only begin once we release our developer SDKs.

On-premises file sharing, within your company

On the server side, many of you will have SharePoint. The above Exchange + RMS connector configuration also works with SharePoint, so you’d follow the same model. Also on the server side, most of you will have Windows file servers. The Microsoft FCI/DAC offering is also RMS-aware. There are also PowerShell scripts that will connect FCI/DAC to the Azure-based RMS service.

On the client side both native IRM support in Microsoft Office and our RMS application enable RMS. Of note, the RMS application offers protection for file types other than Word, Excel, and PowerPoint. The RMS application’s Office button bar extensions place this capability within reach of all users.

External Collaboration

The RMS application enables very simple point-to-point sharing, as described above. The benefit of point-to-point is that the transport does not matter: you can use SkyDrive™, DropBox™, portable USB storage, email, FTP, or even P2P torrents. This use pattern simply requires deploying the RMS application to your desktops and mobile phones. From there you can use the in-application buttons or the shell of your operating system (i.e. Windows File Explorer or Mac Finder). In the details below we also suggest how you can ready yourself to receive protected content even if you choose not to license your users to send protected content. This is important and wise to consider. On the mobile device side, our RMS application supports the core behaviors (and will add more soon).

In addition to the above, RMS-enlightened applications can equally offer built-in file sharing capabilities. These can be client based, server based, or even web based.
Office 365

Microsoft Office 365 empowers your employees with virtually anywhere access to the latest Office applications, offers advanced cloud-based IT services, and does so at predictable costs. This online suite is RMS-enlightened and enabling RMS is trivial. Here’s a 3-minute video that shows enabling RMS in Office 365, turning on Exchange’s RMS-aware DLP functionality, and enabling a SharePoint Secure library in which checked-out documents are RMS-protected on egress.

Using the Microsoft Rights Management service

Here is a brief introduction on the specifics of getting started with each of the various moving parts outlined above.

Enable the Azure-hosted Rights Management service
Existing Office 365 customers are ready to go. They can enable RMS with a simple checkbox in their administration portal. Those who don’t currently use Office 365 can’t yet readily purchase the Azure RMS standalone SKU (contact AskIPTeam@microsoft.com if you really need to buy it now), but you are welcome to sign up for a free Office 365 E3 trial and then only use the RMS features.

Windows Azure AD accounts
With a Windows Azure AD tenant in hand, you can enable tenant sync via Directory Sync and federation via the federation capability (or password sync). There are several reasons to proactively enable these capabilities even if only for receiving content. There is value in turning on Windows Azure AD and enabling DirSync without being an RMS license holder. Those reasons are:
1) Using DirSync allows your users to receive protected content from external companies without each of them having to create an ‘RMS for Individuals’ ad-hoc account.
2) Federation enables your users to sign in rather than having to create an ad-hoc account. This is important as it eliminates the need for temporary one-month ad-hoc account lifespans, as well as permitting you to enforce organizational password policies.
3) Independent of Azure RMS, the Windows Azure AD and federated authentication services are supported by a slew of other applications that are likely in use within your organization (and they too could benefit from single sign-on).
4) Windows Azure AD offers tenant branding (logos) to the tenant administrator.

In the absence of proactively setting up the above, the Azure RMS for Individuals offer will let individuals use the Microsoft RMS services. An ‘RMS for Individuals’ ad-hoc account is simply an Azure AD tenant that is created for the specific organization (not shared across organizations) to which the user account is added. There is no administrator for these tenants. If other users from the same organization create ad-hoc accounts, they are placed in this same ‘headless’ tenant. As stated above, these user accounts are re-validated monthly. By way of example:
- Joe@Contoso.com signs up
  o Tenant CONTOSO.COM is created
  o Joe’s user account is added to the CONTOSO.COM tenant
  o Joe’s account is given the RMS for Individuals SKU
- Jane@Contoso.com signs up
  o Tenant CONTOSO.COM exists and is reused
  o Jane’s user account is added to the CONTOSO.COM tenant
  o Jane’s account is given the RMS for Individuals SKU

By the time we exit preview, an ITPro will be able to ‘convert’ these users to licensed users with no impact to the user or the tenant. Once this is done, the ITPro will have full management capabilities for these users. Stay tuned for an update to this document as those capabilities are released.

Enable Bring-Your-Own-Key
RMS has a very important key, the tenant key. Chief Information Security Officers (CISOs) often need to use a key of their own provenance, sometimes for compliance reasons, sometimes because they are migrating from their on-premises AD RMS. With the Bring-Your-Own-Key (BYOK) feature, CISOs would generate a key on their premises, using tools of their choice, in compliance with their own policies.
This key would then be securely imported into the Thales™ HSMs we use in our data center. The customer has assurance that Microsoft operators cannot see or leak the key during the import, nor during the running steady state. Optionally, the customer can opt to push their key to the Azure RMS service’s HSMs with a 4-hour time to live. Their on-premises infrastructure would do this automated push every 2 hours. We call this capability ‘key rejuvenation’ and it will be available nearing the RMS preview completion in September. If the CISO or ITPro interrupts the upload of keys, the Azure RMS service ceases to function once the cached key expires (no further licenses can be issued for that tenant until the push resumes), and the CISO is assured that Microsoft has no access to their cached key once it expires. Once again, the Microsoft Rights Management services never see your data [Ed note: sorry for being so repetitive on this point].

Enable Realtime Customer-facing Logging
Security Officers can obtain logs from the Azure RMS service. They do so by purchasing Windows Azure storage and configuring (via PowerShell) the Azure RMS service to write the log entries to that storage. This way the ITPro is in control of how much log data they maintain and who (e.g. 3rd-party reporting services, auditors, etc.) can access these logs.

Deploy the RMS App for Computers and Mobile devices
The RMS applications will be available through all the appropriate stores as well as in the RMS for Individuals sign-up flow and the subsequent confirmation email. ITPros can also download the MSI package from the Microsoft RMS download center and make use of the ITPro-oriented silent setup options and AD group policies.

Deploy Hybrid Connector; Configure Exchange and SharePoint
Deployment of a high-availability RMS connector requires two or more VMs/servers. These roles function across forests. Setup is merely a few simple screens.
Once configured and connected to the Azure RMS service, the ITPro for the RMS connector will work with the Exchange and SharePoint administrators to understand which machines should be given access to the connector’s relay services. This is merely a task of granting servers permission to use the connector; everything else is automatic.

Enable Dynamic Access Control
The Windows Server Dynamic Access Control (DAC/FCI) role is able to work with both AD RMS and Azure RMS. For the latter, a PowerShell script is available to connect the two.

Enable Office 365 Exchange Online
Exchange Online is made aware of the existence of Azure RMS when it is enabled. Once Exchange Online is provisioned with the RMS tenant key, the ITPro can make use of the advanced Exchange Online DLP offer within the broader Office 365 product suite. Of note: the use of the BYOK feature is not currently supported with Exchange Online. The ITPro will have two choices when using the two services together. The preferred option will be to use the software-generated RMS tenant key feature built into Azure RMS. This option automatically provisions Exchange Online with the RMS key for it to use. The alternate option has the ITPro install an AD RMS server with a software key, and then follow the steps to import your trusted publishing domain (TPD) into Exchange Online.

Enable Office 365 SharePoint Online
Enabling SharePoint Online Secure libraries is simply a task of creating a library, setting it to be a Secure Library, and adjusting a few straightforward options to suit your needs. E.g.: the library owner can choose to override the protection policies to use a security group for protection (vs individual protection). This permits one user to download a file and share it with others within the specified security group without forcing a round trip back to SharePoint.

Summary of ITPro related offerings and activities
At this point we’ve introduced the key parts of a complete Microsoft Rights Management deployment.
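The customer-facing logs described above are only useful if someone reads them. The Python below is an added example, not Microsoft’s tooling: it runs a small audit over a constructed usage-log sample. The tab-separated layout and field names (date, time, row-id, request-type, user-id, result, content-id, owner-email, c-ip) are an assumption modelled on the export format Microsoft later documented for these logs; compare them with the header row of your own export before relying on them. The two checks, a burst of failed license requests from one user and successful consumption of a document by users outside the home domain, are the kind of distilled report the page says third parties will render from these logs.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (field names are an assumption, see the lead-in).
# It depicts two things worth noticing: mallory being refused three documents
# in under a minute, and bob@fabrikam.com (an external party) opening doc-1.
SAMPLE_LOG = """\
date\ttime\trow-id\trequest-type\tuser-id\tresult\tcontent-id\towner-email\tc-ip
2013-08-01\t09:00:01\t1\tAcquireLicense\tjoe@contoso.com\tSuccess\t{doc-1}\tjane@contoso.com\t10.0.0.5
2013-08-01\t09:00:45\t2\tAcquireLicense\tbob@fabrikam.com\tSuccess\t{doc-1}\tjane@contoso.com\t203.0.113.9
2013-08-01\t09:01:10\t3\tAcquireLicense\tmallory@fabrikam.com\tFailure\t{doc-1}\tjane@contoso.com\t198.51.100.7
2013-08-01\t09:01:20\t4\tAcquireLicense\tmallory@fabrikam.com\tFailure\t{doc-2}\tjane@contoso.com\t198.51.100.7
2013-08-01\t09:01:31\t5\tAcquireLicense\tmallory@fabrikam.com\tFailure\t{doc-3}\tjane@contoso.com\t198.51.100.7
2013-08-01\t11:30:00\t6\tAcquireLicense\tjoe@contoso.com\tFailure\t{doc-9}\tceo@contoso.com\t10.0.0.5
"""


def parse_log(text):
    """Parse the tab-separated export into dicts with a combined timestamp."""
    records = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        row["when"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(row)
    return records


def failure_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed license requests inside `window`.
    Repeated denials across several documents look like probing for content
    the user was never granted."""
    failures = defaultdict(list)
    for r in records:
        if r["request-type"] == "AcquireLicense" and not r["result"].startswith("Success"):
            failures[r["user-id"]].append(r["when"])
    flagged = []
    for user, times in failures.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(user)
    return sorted(flagged)


def external_consumers(records, home_domain):
    """Map each document to the users outside `home_domain` who successfully
    obtained a license for it: the B2B sharing the page describes, made visible."""
    seen = defaultdict(set)
    for r in records:
        if r["request-type"] == "AcquireLicense" and r["result"].startswith("Success"):
            if not r["user-id"].lower().endswith("@" + home_domain):
                seen[r["content-id"]].add(r["user-id"])
    return {doc: sorted(users) for doc, users in seen.items()}


def audit(text, home_domain="contoso.com"):
    """Run both checks over one export and return the findings."""
    records = parse_log(text)
    return {"bursts": failure_bursts(records),
            "external": external_consumers(records, home_domain)}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Because the logs land in storage you own, a job like this can run on whatever schedule you choose and hand its findings to the reporting services or auditors you have granted access to that storage; a single failure (joe on doc-9 above) is normal and is deliberately not flagged.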
More details will be provided to the selected TAP organizations, and eventually to the broader community. If you want to start looking at RMS, please request participation in the preview.

Timelines for the Azure RMS services

The preview will take place late July through late September with select organizations. The release of the updated Microsoft Rights Management service is slated for early October.

The initial Azure RMS offer is focused on organizations that don’t have AD RMS deployed. This said, Azure RMS will support the coexistence of existing customers’ AD RMS deployments, but during the first quarter or two of shipping we need to eliminate the added layer of complexity that would come with coexistence of two RMS environments. We apologize in advance for what could appear as us ignoring our loyal AD RMS customers!

For a variety of reasons, we strongly favor the use of the Azure-hosted Rights Management offering over the existing AD RMS offering. They are: frictionless B2B collaboration, rich mobile device offers, far faster agility in adding new capabilities, support for ad-hoc RMS user accounts for the recipients of your sensitive documents, and ease of deployment.

Buying the Microsoft Rights Management service

RMS can be purchased directly via the Office 365 web portal or via your Microsoft account manager.

Available Now

RMS can be purchased directly via the Office 365 portal as a user subscription license. The subscription covers use by all RMS-enlightened applications (e.g. Office, Office 365, Foxit PDF). It is a “Pay once, use with all RMS-enlightened applications” model. Cost is $2/user/month. Consumption of rights protected content is free. A license is required to protect content, be it manually done by the user or done by a service on behalf of the user.

Azure RMS can be purchased as part of Office 365 suite offerings:
o It is included in E3/E4 and A3/A4 SKUs
o It is available as an add-on to many other Office 365 SKUs.
Available Fall 2013

Azure RMS can be purchased standalone for use with the Azure RMS Connector or third party RMS enlightened applications.
o Azure RMS will be available via the Microsoft Enterprise Volume License programs (EA/EAS/EES)
o Azure RMS subscription will include the rights to use AD RMS on-premise
o Enterprise CAL (ECAL) customers can add on the Azure RMS service

If you have any questions please get in touch with your Microsoft sales contact.

Developers

Application ISVs can enlighten their applications and solutions with RMS easily and quickly by utilizing the Microsoft Rights Management developer platform on all important devices and operating systems. There are a few important concepts worth mentioning in this introductory brief:

Code once, use everywhere

RMS enlightened application developers write code once to protect documents. The RMS SDK takes care of all the underlying details about the customer environment and topologies, document expiration, certificate renewals, policy updates and more. Our sample code and getting-started guidance make it extremely easy for you to enable RMS.

RMS-enlightened applications are most desired given they enforce protection rights

RMS enlightened applications enable individuals to protect and consume content. Content is protected by using encryption and must be decrypted before it can be consumed. When the file is protected, the individual applies permissions to the file such as the ability to print or edit. Your application will need to honor these rights. The SDK will facilitate most of the protection flows and all initialization, but your application must honor the permission enforcement requested of it. Our SDKs make enforcing the rights easier by providing APIs to control permissions such as printing, saving, forwarding, etc. For more details, see here.

The new SDKs do all of the RMS specific user interface work for you!
Mobile device applications will use the new v3 SDKs and benefit from Microsoft-provided user interfaces for consumption and protection behaviors. This not only saves ISVs time to build protection support, it also provides forward compatibility to new protection UX features. The RMS Application, built by Microsoft, is a good example of the UX that the SDK provides / will provide. Windows desktop based RMS applications utilize our powerful v2.1 SDK, which doesn’t yet offer built-in consumption and protection flows. It will before too long.

It is now easy to add RMS protection to your solutions

There is a class of applications that are quite simple to enlighten with RMS. These applications are created by ‘solution providers’ or ITPros, and are applications that need to either protect or unprotect files. These are: data leakage prevention (DLP) agents, search indexers, anti-virus software, mobile device management (MDM) systems, and document management systems. They will utilize the new File API available as part of the v2.1 SDK and/or PowerShell to protect and unprotect documents easily and silently on the Windows platform (client or server).

A protected file is a different file when persisted

The easiest way to implement protection of your file format is to simply use our SDK’s ability to create a Protected File (PFILE) container. It encloses your file, such that your XYZ file is protected as a pXYZ file, all from a stream based API. Our PFile format allows your application to immediately participate in the existing RMS ecosystem. Customizing your own RMS enlightened file format is more complex. It also prevents an entire ecosystem of solution partners from being able to protect your file formats in their solutions, given they will all use the File API described above (which can protect any file to PFILE format while honoring your file extensions).
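Two of the developer points above, that a protected file is persisted as a different file (XYZ becomes pXYZ) and that the enlightened application itself must honor the rights applied to the content, can be shown together in one small model. The following Python is an added example, not the RMS SDK, its File API or the real PFILE container layout; the container format, the toy keystream cipher standing in for the SDK’s encryption, the unsigned JSON policy, the in-process key service and the ‘.pfile’ fallback extension are all assumptions made for illustration.

```python
"""Illustrative model of two responsibilities of an RMS-enlightened
application: (1) a protected copy is persisted as a different file,
'report.xyz' -> 'report.pxyz', and (2) the rights carried with the content
are honoured when it is consumed. Added example, not the RMS SDK and not
the real PFILE layout; container format, toy keystream, policy fields and
the in-process key service are assumptions."""
import hashlib
import json
import secrets
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

MAGIC = b"DEMO-PFILE\x00"            # constructed marker, not the real PFILE header
_KEY_SERVICE: Dict[str, bytes] = {}  # stand-in for the RMS service: content id -> key
VIEW, PRINT, EDIT = "VIEW", "PRINT", "EDIT"  # rights the application must enforce


def protected_name(name: str) -> str:
    """The page's rule: an XYZ file is persisted as a pXYZ file."""
    stem, dot, ext = name.rpartition(".")
    return f"{stem}.p{ext}" if dot else f"{name}.pfile"  # '.pfile' is assumed


def original_name(pname: str) -> str:
    """Inverse of protected_name, valid only for names it produced."""
    stem, dot, ext = pname.rpartition(".")
    if dot and ext == "pfile":
        return stem
    if dot and len(ext) > 1 and ext[0] == "p":
        return f"{stem}.{ext[1:]}"
    raise ValueError(f"not a protected-file name: {pname}")


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream (SHA-256 over key||offset), used only so the
    example runs offline; the SDK uses real authenticated encryption."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def protect(name: str, data: bytes, rights: Dict[str, List[str]],
            expires: Optional[str] = None) -> Tuple[str, bytes]:
    """Wrap `data` in a container; `rights` maps user -> granted rights.
    Returns (protected file name, container bytes)."""
    content_id = secrets.token_hex(8)
    _KEY_SERVICE[content_id] = secrets.token_bytes(32)  # key never leaves the 'service'
    # Assumption: the policy is stored unsigned here; a real publishing
    # license is signed so the consumer can trust the rights it lists.
    header = json.dumps({"content_id": content_id, "original": name,
                         "rights": rights, "expires": expires}).encode()
    body = _keystream_xor(_KEY_SERVICE[content_id], data)
    return protected_name(name), MAGIC + len(header).to_bytes(4, "big") + header + body


class ProtectedDocument:
    """What the consuming application receives: plaintext plus the set of
    rights it may exercise. Every operation checks its right first."""

    def __init__(self, data: bytes, granted: List[str]) -> None:
        self._data, self.granted = data, set(granted)

    def _require(self, right: str) -> None:
        if right not in self.granted:
            raise PermissionError(f"{right} not granted for this document")

    def view(self) -> bytes:
        self._require(VIEW)
        return self._data

    def print_document(self) -> str:
        self._require(PRINT)
        return f"[printed {len(self._data)} bytes]"  # stand-in for a print job

    def edit(self, new_data: bytes) -> None:
        self._require(EDIT)
        self._data = new_data


def open_protected(pname: str, blob: bytes, user: str,
                   now: Optional[datetime] = None) -> ProtectedDocument:
    """Consume a container as `user`: validate the header, check expiry, fetch
    the key and hand back a document exposing only the granted rights."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a protected container")
    hstart = len(MAGIC) + 4
    hlen = int.from_bytes(blob[len(MAGIC):hstart], "big")
    header = json.loads(blob[hstart:hstart + hlen])
    if original_name(pname) != header["original"]:
        raise ValueError("file name does not match the protected content")
    now = now or datetime.now(timezone.utc)
    if header["expires"] and now >= datetime.fromisoformat(header["expires"]):
        raise PermissionError("the protection policy has expired")
    granted = header["rights"].get(user, [])
    if VIEW not in granted:
        raise PermissionError(f"{user} has no access to this document")
    key = _KEY_SERVICE[header["content_id"]]  # released only after the checks above
    return ProtectedDocument(_keystream_xor(key, blob[hstart + hlen:]), granted)
```

In practice the SDK does the key retrieval and decryption for you; what it cannot do is stop your viewer from offering a Print button to a user whose license does not carry that right, which is the check that `ProtectedDocument._require` models.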
Nonetheless, if your needs require that you update your existing file format with RMS information, our SDKs support your use case.

RESTful API access

We don’t provide SDKs for platforms like Linux, RIM BlackBerry or the web site platforms, which are too numerous for us to implement rich libraries for. For these platforms, we provide REST API support, protocol documentation and a set of code samples (including open source code) to facilitate application development. If a platform grows to be sufficiently important to you, we’ll consider adding support.

In Closing

This document set out to:
1) Express what new work we’ve done in RMS; we hope that you will agree we did a lot!
2) Explain the value of this offer at a time when protecting information is of increasing importance
3) Offer a subjective view on the actions you can take now, versus waiting for the cure-all solution
4) Offer an overview of the moving parts involved in our offer.

We hope we have come close to or hit your target. If you want to start looking at RMS, please request participation in the preview. If you have thoughts on how this document could be improved, please do take a moment to share with our team.

Thanks for reading!

Cheers,
Dan Plastina on behalf of our RMS team