<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Steve Riley on Security : RMS</title><link>http://blogs.technet.com/steriley/archive/tags/RMS/default.aspx</link><description>Tags: RMS</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Do you need RMS/IRM in Office for Macintosh?</title><link>http://blogs.technet.com/steriley/archive/2008/04/23/do-you-need-rms-irm-in-office-for-macintosh.aspx</link><pubDate>Thu, 24 Apr 2008 01:34:16 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3043863</guid><dc:creator>Steve Riley</dc:creator><slash:comments>19</slash:comments><comments>http://blogs.technet.com/steriley/comments/3043863.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=3043863</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=3043863</wfw:comment><description>&lt;p&gt;Please let me know if this is a feature you'd be interested in. We're looking to build the business case to develop it, and the best way to do that is for you, our customers, to let us know.&lt;/p&gt;  &lt;p&gt;Also, if any of you want to deploy RMS now but can't because there's currently no Mac support, I especially need to know. 
Thanks!&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3043863" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/RMS/default.aspx">RMS</category><category domain="http://blogs.technet.com/steriley/archive/tags/encryption/default.aspx">encryption</category><category domain="http://blogs.technet.com/steriley/archive/tags/access+control/default.aspx">access control</category></item><item><title>Protect your data: everything else is just plumbing</title><link>http://blogs.technet.com/steriley/archive/2007/07/02/protect-your-data-everything-else-is-just-plumbing.aspx</link><pubDate>Mon, 02 Jul 2007 23:46:32 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1424911</guid><dc:creator>Steve Riley</dc:creator><slash:comments>7</slash:comments><comments>http://blogs.technet.com/steriley/comments/1424911.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=1424911</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=1424911</wfw:comment><description>&lt;p&gt;Take a few moments and indulge in a thought exercise with me. Consider your company’s complete collection of information processing assets—all the computers, the networks they’re connected to, the applications you use, and the data and information you manipulate. Which of those is the most valuable? Which—if it suddenly and tragically disappeared tomorrow—would jeopardize your company’s ability to remain in business?  &lt;p&gt;That’s right, it’s your data. Any of the other elements could easily be replaced. But if your data vanishes, well then, you might as well close up shop and take residence on some forsaken island in the middle of the ocean. It’s your data that gives you your competitive edge, your data that constitutes a large part of your business, and your data that is most attractive to attackers.  
&lt;p&gt;Why, then, is there still so much emphasis on protecting all the plumbing that moves the data around, but little interest in protecting the data itself? My guess: old habits die hard. For most of the history of information security, emphasis on security has roughly followed this model:  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/steriley/WindowsLiveWriter/Protectyourdataeverythingelseisjustplumb_C064/june07vp01_2.jpg"&gt;&lt;img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="157" alt="june07vp01" src="http://blogs.technet.com/blogfiles/steriley/WindowsLiveWriter/Protectyourdataeverythingelseisjustplumb_C064/june07vp01_thumb.jpg" width="244" border="0"&gt;&lt;/a&gt;  &lt;p&gt;Historical approaches to security have placed most emphasis on the network, with decreasing consideration of individual computers and the applications they run, and the least amount of consideration for the security of the data. (I’ve purposefully placed the physical layer outside the triangle, partly as a joke and partly for real—when I visit data centers I routinely discover physical security problems!) Once upon a time, this was the correct approach: computers and applications weren’t designed with much regard for security, and the only way to protect the data was to protect the network. And indeed, because it was generally the network that the bad guys were after, this approach worked.  &lt;p&gt;The old model is no longer appropriate today. The bad guys really don’t care about your network anymore: they’re going after your data. Attackers were once motivated by &lt;i&gt;pride&lt;/i&gt;: Mafiaboy was notorious for bragging about bringing down large parts of the Internet in February 2000 (and his bragging became his undoing). But these days, attackers are motivated by profit: they’re out to make money. 
The economics of the game have changed, and along with that so have the bad guys’ skills and the capabilities of their tools. Let me repeat: they want your data. They’ll steal it and sell it to your competitors, they’ll damage it and put you out of business. The network and your computers exist only as a means to get to your data. So we, as defenders of information assets, must change our tactics to react to—and possibly get in front of—the tactics of the bad guys. We’ve got to invert the traditional thinking and now emphasize security by following this new model:  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/steriley/WindowsLiveWriter/Protectyourdataeverythingelseisjustplumb_C064/june07vp02_2.jpg"&gt;&lt;img style="border-top-width: 0px; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="149" alt="june07vp02" src="http://blogs.technet.com/blogfiles/steriley/WindowsLiveWriter/Protectyourdataeverythingelseisjustplumb_C064/june07vp02_thumb.jpg" width="244" border="0"&gt;&lt;/a&gt;  &lt;p&gt;Because protecting your data is now paramount, data protection deserves the bulk of your attention. Application security—developing applications with a mind toward security and how they might be purposefully abused by an attacker—is similarly critical. Good host security will remain important in this world as well, especially the security of mobile computers of all kinds. Because people use computers to run applications that process data, it’s these layers that are crucial. If you apply this model, the network can return to doing its only true job: moving bits around as fast as possible.  &lt;p&gt;&amp;nbsp; &lt;p&gt; &lt;h2&gt;Traveling to the new world&lt;/h2&gt; &lt;p&gt;So how do you get from there to here? One word: cool technology (OK, two words).&lt;/p&gt; &lt;h3&gt;Full drive encryption&lt;/h3&gt; &lt;p&gt;For some time, I’ve been advocating that using host-based firewalls isn’t an option: it’s &lt;i&gt;required&lt;/i&gt;. 
Ordinarily, you have no control over the traffic that appears at your Ethernet port. A host firewall gives you control. I now have a second requirement: full drive encryption, especially on portable computers. According to the 2006 Australian Computer Crime and Security Survey, for four years in a row, laptop theft is the most expensive attack weathered by the organizations who responded. The exposure (and expense) isn’t the hardware—it’s the data stored on the computers. This tells me that good-quality full drive encryption is probably one of the best investments you can make to help save your company money! So go ahead and upgrade those laptops to Windows Vista (Enterprise or Ultimate editions) right now, to take advantage of BitLocker full volume encryption, because the cost of the upgrade is most certainly less than the cost of losing your data (and your reputation).&lt;/p&gt; &lt;p&gt;Learn more about BitLocker: &lt;a href="http://technet2.microsoft.com/WindowsVista/en/library/ba1a3800-ce29-4f09-89ef-65bce923cdb51033.mspx"&gt;http://technet2.microsoft.com/WindowsVista/en/library/ba1a3800-ce29-4f09-89ef-65bce923cdb51033.mspx&lt;/a&gt;  &lt;h3&gt;Document protection&lt;/h3&gt; &lt;p&gt;When Alice creates a file and wants to give Bob read/write access, give Phil read access, and deny everyone else, the traditional approach involves a lot of work on the part of someone else. Alice has to beg, cajole, and bribe the network admin to create a file share, create two security groups, add Bob to one and Phil to the other, and create access control entries on the share’s access control list. That’s a lot of work for someone who really doesn’t care about Alice’s problems. And it’s incomplete: sure, Eve can’t touch the file on the share, but she can certainly convince Phil to give her a copy—read access also permits copying. If Phil were particularly malicious, he could modify his copy of the document first. 
You see, network-based access control works only so long as the protected object remains within the network. As soon as someone opens the file, the local copy in the computer’s memory obeys no restrictions.  &lt;p&gt;Windows Rights Management Services (RMS) and Microsoft Office Information Rights Management (IRM) give you an alternate form of access control that persists on the documents themselves regardless of where they live. When Alice assigns read/write access to Bob and read-only access to Phil, she doesn’t need to involve the network admin at all. The access she assigns is stored right in the document and enforced by IRM. When Bob opens the document, Word first checks Bob’s permissions and then disables functionality so that Bob can’t do anything more than what he’s allowed. In Bob’s case, Word will refuse to do anything other than display the content in the window.  &lt;p&gt;In addition to enforcing policy through IRM, RMS protects documents by encrypting them. RMS-protected documents remain encrypted in storage and in transit. They’re decrypted only after an authorized user has been authenticated and his or her permissions have been enforced. If someone outside the RMS’s domain attempts to open a file, it’ll just appear as nonsense. Unless your computer is enrolled in RMS and you’re on the list of authorized users, this document is useless to you. It’s also useless to the friends you’ve given copies to on those ubiquitous USB drives littering the basement of your desk.  &lt;p&gt;Learn more about Rights Management Services: &lt;a href="http://www.microsoft.com/rms"&gt;http://www.microsoft.com/rms&lt;/a&gt;  &lt;h3&gt;Data security&lt;/h3&gt; &lt;p&gt;One definition of news is “something that happens rarely.” Data breaches must no longer be news, then, because they seem to happen with increasing regularity. The best way to avoid a breach is not to store data you don’t need—after you process that credit card number, delete it, don’t retain it. 
Other sensitive data you do need to retain in some database as part of your business. The best way to keep this data secure is to encrypt it in the database. Microsoft SQL Server 2005 includes some great features to help you here—field-level encryption of data in storage, encryption of data in transit, and enterprise-level key management. An important project that you should soon consider is to evaluate all instances where your company is storing private or confidential information (especially about your customers) and add data encryption where appropriate.  &lt;p&gt;Learn more about SQL Server encryption: &lt;a href="http://download.microsoft.com/download/4/7/a/47a548b9-249e-484c-abd7-29f31282b04d/SQLEncryption.doc"&gt;http://download.microsoft.com/download/4/7/a/47a548b9-249e-484c-abd7-29f31282b04d/SQLEncryption.doc&lt;/a&gt;  &lt;p&gt;Of course, there’s more to data security than just the physical storage. Equally important are policies and processes for classifying data. There’s an entire body of knowledge—too much to absorb, really—on this topic. Rather than send you off on some endless forage through your favorite search engine, I’ll share with you a classification scheme I discovered recently. It’s simple and elegant—which means it’s something you can actually use.  &lt;p&gt;First, think about confidentiality classifications. These are important because they help guide your response in case of a breach. Four classifications should be sufficient: public, internal, confidential, and private.  &lt;p&gt;Next, consider retention classifications. If you should ever be hauled into court for some reason, the discovery process will uncover a whole lot of your data. You could face major penalties if new information is discovered after a trial starts. Therefore, it’s necessary to follow a policy that routinely purges e-mails and file shares after a period of time. 
These three retention classifications are good enough for most cases: regulated data for seven years, historical business data for three years, and temporary data (like e-mail) for one year.  &lt;p&gt;Finally, consider recovery classifications. How quickly, in the event of a disaster, will you need to recover certain kinds of data? Are employees allowed to store mission-critical information on home computers or portable devices? Here’s a sample recovery classification: for mission-critical data, immediate recovery; for urgent data, recovery within 72 hours; for non-urgent data, recovery within 30 days.  &lt;p&gt;&amp;nbsp; &lt;p&gt; &lt;h2&gt;Security for the modern age&lt;/h2&gt; &lt;p&gt;Attackers constantly improve their tactics as their motives become more sinister. By adjusting your tactics as well, you can be certain that you’re doing your part to keep your information secure.&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=1424911" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category><category domain="http://blogs.technet.com/steriley/archive/tags/physical+security/default.aspx">physical security</category><category domain="http://blogs.technet.com/steriley/archive/tags/RMS/default.aspx">RMS</category><category domain="http://blogs.technet.com/steriley/archive/tags/BitLocker/default.aspx">BitLocker</category><category domain="http://blogs.technet.com/steriley/archive/tags/encryption/default.aspx">encryption</category></item><item><title>Lousy security</title><link>http://blogs.technet.com/steriley/archive/2005/09/13/Lousy-security.aspx</link><pubDate>Wed, 14 Sep 2005 01:33:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:410737</guid><dc:creator>Steve 
Riley</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/steriley/comments/410737.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=410737</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=410737</wfw:comment><description>&lt;P&gt;Lousy security&amp;nbsp;is all around us, and I'm not even thinking about airport security here (which, I admit, I &lt;EM&gt;love&lt;/EM&gt; griping about). Here I have in mind lousy computer security. And lest you think I'm proceeding to engage in&amp;nbsp;navel-gazing introspection, no -- I'm not going to&amp;nbsp;write about our own products.&lt;/P&gt;
&lt;P&gt;Jesper already &lt;A class="" href="http://blogs.technet.com/jesper_johansson/archive/2005/09/09/410558.aspx" target=_blank mce_href="http://blogs.technet.com/jesper_johansson/archive/2005/09/09/410558.aspx"&gt;wrote up his impressions&lt;/A&gt; of a popular wireless router. Now I'd like to tell you about some software I encountered recently.&lt;/P&gt;
&lt;P&gt;Rights management systems (no, not evil DRM that stops you from using, on&amp;nbsp;your own devices,&amp;nbsp;music you've purchased) are becoming more critical in business information systems these days. It's becoming more and more difficult to use a network function -- in this case, file system ACLs -- to enforce access control to objects that can live in many places outside the network. This is the beauty of rights management systems: they offer you a way to enforce access control no matter where an object resides.&lt;/P&gt;
&lt;P&gt;Sure, we have some &lt;A class="" href="http://www.microsoft.com/rms" target=_blank mce_href="http://www.microsoft.com/rms"&gt;pretty cool rights management stuff&lt;/A&gt;. But I'd like to tell you about another one. Recently at an event Jesper told me about&amp;nbsp;a vendor who approached him. This itself isn't so unusual. But this gentleman was bubbling over with excitement about his new rights-management system that was entirely client based -- unlike Windows RMS, it required no server infrastructure. "Hm," thought I, and&amp;nbsp;I agreed to let him show me the product.&lt;/P&gt;
&lt;P&gt;Operationally, it was fairly straightforward -- while their software is running, any documents you create can be protected through the system. On the hard drive it's just an AES-encrypted blob. Good so far. I started chatting with him about how authorization is enforced, and while listening I tried an experiment. I&amp;nbsp;had Jesper&amp;nbsp;open a protected&amp;nbsp;Word document&amp;nbsp;inside Notepad -- always a good thing to do if you want to get an idea of how a file might be modified. At the top of the file was some XML, followed by random binary goop. Sure looked encrypted all right. Then I said, "Hey,&amp;nbsp;save that thing right back to the hard drive and re-open it in Word," wondering&amp;nbsp;whether a&amp;nbsp;simple read-save in Notepad would do anything to his system.&lt;/P&gt;
&lt;P&gt;We&amp;nbsp;loaded Word, opened the document, and -- yes! -- a blue screen! Wham! Cue rapid expressions of surprise and fear across the sales robot's face.&lt;/P&gt;
&lt;P&gt;What happened here? Originally the document was in Unicode. Notepad saved the file in ANSI. Obviously, then, their protection system is incapable of handling non-Unicode files, and the developers made the disastrous assumption that all input is valid. "Who would ever do that?" must have been their answer to the question "What if someone tries to open a non-Unicode file?" Probably, though,&amp;nbsp;they never even thought to&amp;nbsp;ask the question in the first place.&amp;nbsp;The system should have&amp;nbsp;checked the collating sequence and either rejected non-Unicode files or adjusted for ANSI.&lt;/P&gt;
&lt;P&gt;Now why do I relate this tale? It's simple -- software is difficult. Good software is&amp;nbsp;more difficult.&amp;nbsp;Good secure software is monumentally more difficult. Thinking about how a bad guy might abuse your application and developing resilient software that doesn't just blow up in the onslaught of attacks is something that the entire industry is only now beginning to figure out. Jesper's even talking about this now&amp;nbsp;and demonstrating the good and bad&amp;nbsp;in a new event session called "Is that app really safe?"&lt;/P&gt;
&lt;P&gt;People bash Microsoft stuff for being insecure, but at least we have dedicated people whose job is to&amp;nbsp;try to break our stuff. We've got the resources to do that. I'll tell ya, sometimes I'm not sure about some third parties, especially those selling "security software." Conduct your own diligence, test the crap out of anything before you buy, and reward good vendors with your money.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=410737" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/false+claims/default.aspx">false claims</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+theater/default.aspx">security theater</category><category domain="http://blogs.technet.com/steriley/archive/tags/protection/default.aspx">protection</category><category domain="http://blogs.technet.com/steriley/archive/tags/security+science/default.aspx">security science</category><category domain="http://blogs.technet.com/steriley/archive/tags/RMS/default.aspx">RMS</category></item></channel></rss>