When I share an email or a document with a colleague and ask for their confidentiality, I trust that they won’t share the information with others. Yet information that is particularly business- sensitive tends to be quite interesting, so we learn in the press when people are tempted to break the rules. For instance, last year Ad Age received leaked documents revealing advertising spending for Google’s largest customers. While Microsoft is not immune to leaks from personnel, it provides customers and employees with technology they can implement to guard email messages and documents from exposure beyond the intended audience.
Information Rights ManagementInformation Rights Management (IRM) is similar to Digital Rights Management for documents and information. With IRM, users can restrict rights to content and prevent authorized recipients of restricted content from forwarding, copying, modifying, printing, faxing, or pasting the content. Via IRM, Windows users can even prevent restricted content from being copied with Print Screen.
Let’s take a look at controlling access to Microsoft Word documents in the image below. In Word, I can use permission rights to limit document viewing to company staff. I can set permissions which prevent recipients from forwarding, copying or printing a document, and I can restrict a document so that only full-time employees can access it. Not only that, each Office application has the ability to apply similar restrictions.
Google Docs does not have Information Rights Management. In fact, the window for leaks is wide open in a Google environment! Google Docs allows users to specify who they want to share a document with online, yet users cannot apply any security settings to the document. Other users can download and share it any way they wish. In addition, if a user is working in a Google Apps domain, their files adopt the domain’s security setting, by default, whether those settings are private or not, so Google Apps users may be sharing or publishing documents without knowing they are doing so!
Controlling Document Access with Microsoft Word versus with Google Docs
“More Security Loopholes Found in Google Docs” and “Is Google Docs Secure Enough for Your Company’s Data?” reveal additional risks. Since Google Docs stores images with separate URLs, the images are available to anyone who knows the URL, regardless of whether the owner has given them permission to view the image, has revoked the user’s rights to it, or has deleted the image. Knowledgeable users can even change the revision number in the URL to access older versions of the image. Should an image be sensitive, such as a graph of company budgets or losses, the information could easily become very public, damaging the firm’s reputation. However, Google reviewed these security holes stating “We believe that these concerns do not pose a significant security risk to our users.” Google doesn’t seem to take security for Google Docs images very seriously.
Managing Rights for EmailMicrosoft also enables IRM for email. You can restrict access to email through Exchange via a set of permissions which are very similar to the permission settings in Office. You can identify the specific rights you want to allow or disallow. For example, to reduce risk and liability you can implement IRM so that staff can’t forward private, corporate messages outside the company without permission. Your business keeps private, team emails within the team, and company secrets contained in email remain confidential. Google has none of these capabilities.
Managing Rights with Microsoft Exchange
Information Rights Management requires certain on-premises investments. It is not for everyone. Larger organizations often take the time to implement and benefit from IRM. Should this interest you, customers can establish IRM settings for Office 2010 and Outlook 2010 using Group Policy, while SharePoint customers have the choice of managing security via a LiveID or through a Rights Management Server.
When is IRM coming to the cloud?
Is this similar to Office 2003 IRM? That feature creates incompatibility issues, or at least it did the last time I saw a file where someone had actually used it.
Google did add a "prevent download" feature in early November, FWIW.
I should add that I've long been interested in this technology except for two issues:
1. Fears that it would be just as incompatible as different DRM formats used on other media
2. Issues with being locked out of data such as those in this post http://tinyurl.com/ch3eyej
Standard encryption with keys passphrases seems to work adequately for confidential information and doesn't have the issue of doubt that in the future this information will become unavailable. ECM vendors have tried to sell there management lock-in features for years with very low uptake. If a truly compatible and future-proof solution was devised, I'm sure businesses would be quicker to other encryption methods.
@Ian Ray, Yes, the MSN support team resolved an IRM issue in its trial of a free, consumer, Hotmail IRM service occurring two years ago. Of course, business customers had no impact. By design, the free email service that Microsoft offers consumers and the email services that Microsoft provides to businesses are completely separate.
Thank you for citing options for business customers in securing their documents. That is good to know. More details about IRM for Office 2010 are here. (http://bit.ly/kwH4DQ)
@Gary Ross: IRM requires some on-premise implementation, and the following white paper describes security for Office 365 customers. (http://bit.ly/l5hNQX). With hybrid deployment, customers can continue leverage this powerful capability.
Another piece of security software I have used in the past is called "outlookgnupg" plugin.
This worked fairly well for decryption of sensitive documents sent when I worked for the government. Are there plans to extend the API of Office 365 to support such things?
I have also used "cr-gpg" for Chrome (which I have had some issues installing on certain configurations due to its alpha status). Perhaps such a browser extension could be developed for encryption/decryption that would work with Office 365 as well.
Just throwing this stuff out there. I haven't seen much Microsoft/Oracle/Adobe IRM integration actually in use, but have seen pgp-type encryption in use on sensitive document transmission many times.
@Ian Ray: While we will certainly be updating this blog with cloud security topics, you might also browse the Office 365 technical blog which provides some good updates. (http://bit.ly/eLdkDk)
Thank you for the link. From reading that blog, it appears S/MIME is not working in Office 365 without OWA. This would break any rights management, yes? I hope that has been/will be fixed.
@Ian Ray: IRM requires some on-premise implementation, and the following white paper describes security for Office 365 customers.(http://bit.ly/l5hNQX).
really? when do you want to compare this to google *applications* and not google docs?
@Matt: Thank you for your idea.
On the security issue in general, I would like to see an Office 365 option for "two-factor authentication". Enterprise still employs the obsolete 90 day password reset. This compiles with security audits of various standards devised decades ago, but does not secure information in a practical way. That is, a user could have a complex password written on a sticky note every 90 days or have "letmein11" as their password combined with text message codes... The latter seems to be more difficult to break from a practical perspecive.
Really, it doesn't matter how strict sharing is set up if the account shared to is vulnerable. Office 365 programmers could solve this by borrowing a practical concept.
@Ian Ray: Microsoft Active Directory Federation Services now supports RSA SecurID token authentication, (two factor authentication), to secure not only Office 365 applications, but also Microsoft Exchange, and the Azure cloud. (http://bit.ly/uQDbaq).
It would be nice if Active Directory allowed a user to use a set of hard tokens to turn off the existing authentication in the event that the SecurID keychain unit or phone is lost/stolen. I don't really understand the need for a proprietary solution as the only two-factor authentication offered. Seems expensive and cumbersome for a technology that has famously been compromised.
@Ian Ray: Microsoft knows that technical capability is one thing and recommending a sustainable solution is much different. That is an important and much greater commitment. As business partners and customers test, verify and gain experience with how other authentication technologies interoperate and work within organizations, Microsoft may begin to recommend both RSA SecurID and other 2 factor authentication technologies to Office 365 customers. Until that time may come, Microsoft recommends RSA SecurID for 2 factor authentication to Office 365.
Are you stating that SaaS SMS or App-based two-factor authentication is not as "sustainable" a technology as SecurID keys?
SecurID costs at minimum $25,000 for the central hardware and employees regularly lose the $60 keys. SecurID was compromised once, what assurance is there that this won't happen again. "Sustainable" does not seem like an appropriate label... "legacy" would fit better.