People forwarding e-mails is one of the biggest security breach problems that enterprises are faced with nowadays. Don't believe me?
Read this article: http://www.nytimes.com/2007/01/11/technology/11email.html?_r=2&oref=slogin&oref=slogin
If you are a financial institution or health care provider, you fall under certain regulations (HIPAA, GLB) that require that security measures be put in place to prevent information leakage. Nothing says 'I should have protected that data better' more than sitting in front of a judge while you are being sued by a client whose information was leaked all over the internet because a laptop containing sensitive information was stolen from one of your employees' vehicles, and there was no protection in place to keep this information from prying eyes.
I am a veteran, and I recently got a letter in the mail stating that my information was on a laptop stolen from a government employee's house. My first thought was, 'Why was my information on a laptop at someone's house?', my second thought was, 'What kind of protection did they have on that laptop?', and my third thought was, 'Oh man. Who is going to be ruining my credit report by becoming me, causing me years and years of fighting with the credit bureau to get my report cleared?' How embarrassing do you think that letter was for the DOD to have to send out to all of its veterans?
What if you are an e-commerce company, and your customers' information gets leaked to the public with their credit card numbers, personal information, and purchase history? How long do you think you will be in business after that happens?
How about if you send out an absolutely genius plan for turning your small business into the next Microsoft? You send this plan out to all of your employees, and one of your employees forwards the mail to his external account so he can read it at home. Well, let's say that the external ISP hosting the mail service isn't quite so secure, and this employee's mailbox is compromised. Well, now your big dollar plan for the future just got sent to your competitor, or leaked onto the internet, and you are finished.
I see a lot of e-mails that have an opening line of 'Do not forward this e-mail under ANY circumstances' that were forwarded to me. Obviously if I'm looking at it, and it wasn't originally sent to me, someone did not follow the Amish protection plan that was in place. Trust me, writing that on an e-mail doesn't really work, and can lead to a severely embarrassing situation for you and your company.
How happy do you think your company's stockholders would be if everyone on the internet knew what the next year's forecasts were before they did?
So how can RMS help?
First let's talk about what RMS can't do.
- It can't stop people from talking. If someone has access to a piece of e-mail, then we can't stop them from talking about what was in it.
- It can't stop people from taking a picture of the screen. If someone wants to bring a camera into work, and take a photo, we can't stop it.
- It can't stop third-party capture programs. If you've done your administrative duties, people shouldn't have the right to put these on a machine anyway.
- Bottom line: It can't stop the 'authorized' malicious user from giving up the information. If you have people like this that you are worried about in your company, FIRE THEM right away. :)
- What it does do is protect information from the eyes of 'unauthorized users', and keep the 'authorized' good users from accidentally leaking information.
Let's see what RMS can do.
- If you protect a piece of content with RMS, it is protected regardless of whether it is on a thumb drive, laptop, file share, CD, wherever...it doesn't matter where it lives, it is protected.
- It's encrypted with 128-bit AES encryption. Good luck trying to break that.
- It uses AD user accounts for verification of credentials. How easy is that? You've already got AD all set up in your environment, hopefully.
- It's easy to implement. Once you set it up (which is extremely painless assuming you followed best practices), you are good to go.
- Integrates with Office. Once the client is installed, you can use Office 2003 applications (Outlook, Word, Excel, etc.), and protect the content by simply clicking on the protection icon, and picking who you want to be able to view the content.
- Template-able - Is that even a word? Let's say you have a Legal Department, and they are always sending e-mail back and forth. Well, you can create a template called 'Legal Only', and add their group to who has permissions. You can then adjust the registry to point to these templates that you have created, and the users will now have a simple list of options for which specific group they want to RMS protect the e-mail for.
- With SharePoint 2007, you can protect content on the fly. Let's say you have a SharePoint site set up for your Finance department. Well, with SharePoint 2007, you can check in and check out documents and whatnot, and the protection is automatically applied. This gives you the ability to 'search' documents in SharePoint for what you are looking for, and then once you have found it, you can check out the document, with the RMS protection automatically put onto it.
- You can choose what rights you want someone to have. Let's say you want someone to have the ability to view and print, but not change. Well, it is all customizable through templates.
- If you turn on Auditing through the file system, this will add another layer of 'who accessed what' on RMS protected content. Combine this with the reporting features of QuickLook (from the RMS Toolkit), and you've got some great tracking capabilities.
- It has an API set so you can write your own applications, or plug-ins for other applications, and protect that content also.
I'm not a sales guy. I'm sure that our sales people with the pearly white smiles and plastic hair have a wonderful presentation that will knock your socks off regarding RMS. I'm just a support guy, who also happens to be on the security incident response team at Microsoft, and have seen so many companies lose sensitive information, and been embarrassed by leaks, because they didn't take the necessary steps to protect their information. I feel really bad for these people when they call, because once it's out there, that's it...game over...you lose. RMS is such an easy product to implement into an environment that it's almost a sin not to. It will also give you the ability to sleep again at night knowing that your information is protected from unauthorized access. :) We also have some amazing partners like Liquid Machines and GigaTrust who make some great RMS solutions for using it with things like your BlackBerry devices, and Linux (yes, I just said the 'L' word).
With the release of Vista, the RMS client ships right in the box, and when we release Longhorn, the server part of RMS is now going to be a ROLE...that's right...a ROLE. You install the server, and turn on RMS. How friggin easy is that? We are also adding some super cool reporting features to it to make administration a breeze. Do yourself a favor, start now, get your stuff protected, and get some experience under your belt, so when that releases you're already in the game. :)
Pricing: Before any of you get the idea to post the typical 'M$ wants our money' posts.
Here is a link to the CAL licensing page: http://www.microsoft.com/windowsserver2003/techinfo/overview/rmsplfaq.mspx
Now go look at some pricing from competing products, and also see if they have 180-day free trial offers. Fughettaboutit!
Yes. It costs money. If it didn't, we would get in trouble for being anti-competitive. No thanks. I like things the way they are right now.
If you are a small company with 5 people, you only need 5 CALs at around 37 bucks a pop. If you are a large enterprise, you can get bundles. If you want something free, you can use the Passport service.
There really is an option for almost any budget. So before all of you tin foil hat people start sending me hate mail, telling me how Microsoft is 'the man', and is 'keeping you down', go look at your alternatives. I've heard it all before, and if you are upset that we charge for it, I have a gigantic lawn I'd love for you to come to my house and mow with a push mower. I'll pay you in smiles (and tin foil). :) :) :) :)
Jason, I just noticed your blog. Good stuff, please keep it up!
Hey...look at that. I have a blog comment.
Now I have a reason to keep writing. :)
Thanks for the kudo.
Jason, also check out Seclore (http://www.seclore.com). Their product in the IRM space is pretty good. In fact they seem to disable all third party screen grabbing tools and are also very competitive on their pricing.