Imagine this scenario: You have two clients, both leaders in their business niche, who are intense local competitors with one another. Each has agreed to let you work their account, trusting in your confidentiality and comfortable that what they tell you will not find its way to their competitor. One of them sends you an email asking for a copy of a projection you have done for them. You find the document on your network, attach it to the email reply, encrypt the email for security, and send it. Only once it’s gone do you realize with horror that you have mistakenly attached a confidential projection for the competitor instead of the one you meant to send! Disaster has struck!
Fortunately, with the advent of Microsoft Office 2003 and Microsoft Windows Server 2003, a new information security tool called Information Rights Management can help prevent this nightmare from occurring. Like all new technologies, however, this one includes both costs and benefits. The question is, does it make sense for your firm? This article will not attempt to explain the technical details of setting up and enabling Information Rights Management. Instead it will provide an executive-level overview of the technology, its requirements and potential benefits, and, hopefully, serve as a decision-making guide for choosing whether or not to implement the technology in your firm.
So, what is Information Rights Management and how does it work? Let’s begin with a few definitions.
Windows Rights Management Services (RMS): A composite Microsoft technology enabling the creator of content to apply restrictions to the use of that content.
Information Rights Management (IRM): A subset of RMS which applies file-level protection to the content of a document or message. When properly installed, it allows the author of a data file to limit both who can access the file and what authorized recipients can do with it. These restrictions are effective both inside and outside the local area network on which the file was created.
The purpose of an Information Rights Management program is to add a further degree of security to information documents, above and beyond traditional network perimeter security techniques. In other words, network security protects the network from unauthorized access. IRM protects the information itself, regardless of where it is found, and even when in the hands of authorized recipients. An author may, for example, specify that a particular document may be read but not printed, restrict the ability to copy and paste from the document, or set an expiration date beyond which the document may no longer be viewed. Note that these protections are different from the security permissions applied to documents using the Windows NTFS file system.
There are three primary components of an IRM installation:
- Windows Rights Management Services (RMS) for Windows Server 2003. This is the “server side” piece and provides certification, licensing, enrollment of users and administrative functions. This component is available for download from the Microsoft website. It further requires server and network infrastructure components including Active Directory, a SQL Server 2000 database, Internet Information Services (IIS) and Message Queuing. For organizations without this full suite of infrastructure, an online version is available through the Microsoft website, enabling testing or limited small volume use. Users of this service must have a Microsoft Passport account to register.
- Windows Rights Management Client. Also available for download from Microsoft, this application enables the establishment and enforcement of restricted permissions on documents prepared or received by your computer.
- Rights Management enabled application. For most users this will be Microsoft Office 2003, including Microsoft Word, Excel, and PowerPoint. For those users without Office 2003, a “Rights Management Add-on for Internet Explorer” is available for download from Microsoft, allowing documents to be opened in HTML format in an Internet Explorer browser window with all applicable restrictions applied.
Once the required components are installed and available, the creator of a document can assign restricted permissions to any document. These permissions are quite robust and granular. For example, you can specify that a particular recipient may read a document but not print it, forward it, copy and paste from it, or reproduce its content by any other means. Users not specifically authorized to access a document may not even view it. Upon attempting to open the document they will be given an advisory saying they do not have permission to access the content.
So, how is this level of content protection different from traditional security practices? Most accounting firms will have adequate network perimeter security in place. That means that firewalls, access control lists, and sound remote access policies will safeguard the network and its data files from unauthorized outside intruders. In addition, Windows NTFS file permissions allow the restriction of access to a document on the network. This primarily governs the ability to access, read, or modify a file stored on the local area network. All of this is still essential, and remains unchanged when using Information Rights Management.
Likewise, many firms recognize the importance of encrypting email, with or without attachments, while it is in transit across the public Internet. This simply helps ensure that only the intended recipient can read the email once it is received. This too remains an important security measure, with or without Information Rights Management.
What IRM adds to the traditional security mix is a protection of content itself, regardless of where it might reside. Thus, a file retrieved from a protected network and forwarded while encrypted to an authorized email recipient has been safeguarded all the way to its final destination. At that point, traditional security leaves it unprotected. It can be copied, printed, further emailed, and has no defined life span. By contrast, IRM continues to protect the content of that document even after delivery to its recipient. In Microsoft terminology, this protection is “persistent” and follows the document wherever it goes.
So, in our example that began this article, how might IRM have prevented the disaster? If you, the creator of the projection, had applied IRM restricted permissions to the document allowing only yourself and your client access to read it, then when it was mistakenly forwarded to the competitor he or she would not have been able to open it. The email would be there, with the attachment, but the attachment could not be opened and read by anyone not specifically authorized.
It is easy to visualize ways that this technology could be useful to CPA firms. Partners could apply restrictions to certain client documents or internal financial data, allowing access only to specified staff members. Or, documents could be restricted to the “Read” permission, giving authorized recipients access to view the document, but not to copy, print, forward, or save the file under a different name using “Save As”. Note that this is significantly different from the NTFS “Read” permission, which would allow all of the above actions to occur. Another useful technique might be to apply a document expiration date. Thus, a document could be viewed up until a specified date, after which it would no longer be accessible, even to view. And, of course, applying protective restrictions at the time of creation could prevent the hypothetical client disaster outlined at the beginning of this article.
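The following is an added illustrative model, not Microsoft's RMS implementation or protocol, of the behaviour described above: content is encrypted once at creation, the server holds the content key and the policy (named users, their rights, an expiration date), and a client can only open the file by obtaining a use license, so the competitor who receives the misattached projection gets nothing. All user names, document contents and dates are constructed, and the cipher is a toy stand-in for the real one.

```python
import os
import hashlib
from datetime import date

# Rights a use license may grant. The article's IRM "Read" grants VIEW only;
# an NTFS "Read" permission would leave all five actions possible.
VIEW, PRINT, COPY, FORWARD, SAVE_AS = "view", "print", "copy", "forward", "save_as"
ALL_RIGHTS = {VIEW, PRINT, COPY, FORWARD, SAVE_AS}

def _keystream_xor(key, data):
    """Toy cipher (SHA-256 keystream XOR) standing in for a real one."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class RightsServer:
    """Models the RMS server: keeps content keys and issues use licenses."""
    def __init__(self):
        self._docs = {}  # doc_id -> (content_key, {user: rights}, expiry date)

    def protect(self, doc_id, plaintext, users, expires=None):
        key = os.urandom(32)  # the content key never travels with the file
        self._docs[doc_id] = (key, users, expires)
        return {"id": doc_id, "ciphertext": _keystream_xor(key, plaintext.encode())}

    def use_license(self, doc_id, user, today):
        key, users, expires = self._docs[doc_id]
        if expires and today > expires:
            raise PermissionError("document has expired")
        if user not in users:
            raise PermissionError("you do not have permission to access this content")
        return key, users[user]

def open_document(server, protected, user, today):
    """Models the RMS client: obtain a use license, then decrypt; None means the
    'no permission' advisory. Forwarding the file elsewhere changes nothing,
    because the policy stays with the server, not with the file."""
    try:
        key, rights = server.use_license(protected["id"], user, today)
    except PermissionError:
        return None
    return _keystream_xor(key, protected["ciphertext"]).decode(), rights

def demo():
    """The misattached-projection scenario from the article (constructed data)."""
    srv = RightsServer()
    doc = srv.protect("proj-client-a", "Client A FY projection: revenue up 12%",
                      {"author": ALL_RIGHTS, "client_a": {VIEW}}, date(2004, 12, 31))
    text, rights = open_document(srv, doc, "client_a", date(2004, 6, 1))
    return {"client_a_text": text, "client_a_can_print": PRINT in rights,
            "competitor_reads": open_document(srv, doc, "client_b", date(2004, 6, 1)) is not None,
            "after_expiry": open_document(srv, doc, "client_a", date(2005, 1, 1)) is not None}
```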
What does it cost to get started with Information Rights Management? Remember that there are substantial infrastructure requirements to make it work. Each user needs Microsoft Office 2003, and the back office requires Microsoft Windows Server 2003 with its related components plus a database server such as MS SQL Server 2000. Although the rights management service is available for Windows Server 2003 at no additional charge, and the rights management client is a free download as well, Rights Management Services Client Access Licenses (CALs) are still required in order to use the service. Current pricing, subject to change, is $37 per RMS CAL, or a 5-pack for $185. For testing, or limited actual use, you can use the Microsoft online RMS server, requiring only a Microsoft Passport account, the downloadable RMS client and an Office 2003 application.
So what is your next step? You could begin by downloading the RMS client onto a few machines for testing using the Microsoft online RMS server for authentication. Try it out in various scenarios. See for yourself what the capabilities are, and think about how you might incorporate them into your practice. This is powerful technology available at a reasonable cost to firms who already have the key infrastructure in place. As with most technologies, however, the key to using it well will be carefully thought-out standards, policies, and procedures which govern when and how it will be used. Give Information Rights Management a try and see if it has a place in your business. Don’t be surprised if you decide that it does.
Kenneth M. McCall, MBA, MCP
Boomer Consulting, Inc.
Manhattan, KS 66502
Phone: 785-537-2358 ext. 15
Toll Free: 888-266-6375 ext. 15
Kenneth M. McCall is a Consultant at Boomer Consulting, Inc., an organization devoted to the application of computer technology and management consulting.