Last week, I discussed how you might roll out Windows Rights Management Services (RMS) in your enterprise. This week, I'll complete my look at this interesting new technology with a short overview of the Windows RMS client experience and how various partners are extending Windows RMS into new areas of functionality.
Windows RMS Client Experience
Creating Windows RMS-enabled documents is simple. For the sake of space, I discuss only Microsoft Word documents here, but the process is similar for other documents, email messages, and Web pages. When you create a document and want to protect it, you choose File, Permission, then select the permission type. Microsoft Office 2003 provides two permissions by default: Unrestricted and Do Not Distribute; you can also add your own corporate policies by using the Windows RMS policy templates. When you select a permission, Word connects to the Windows RMS server and applies the appropriate policies.
When you receive and attempt to open a rights-protected document, Word checks the document's policies against your rights and acts accordingly, alerting you that you're opening a protected document and explaining that you can access the Permissions toolbar to discover exactly what your rights are. For example, you might be able to open a document for reading but not edit, print, or copy it. If you attempt to print this protected document, you'll receive a denial message and a reminder to access the Permissions toolbar to learn more about your rights.
For space reasons, I won't delve further into the client side of Windows RMS here; however, I'll soon cover this topic in more depth on the SuperSite for Windows (http://www.winsupersite.com). This upcoming showcase will also include a number of screen shots that highlight the Windows RMS management experience.
Filling the Gaps: A Look at Some Windows RMS Partners
As a version 1.0 product, Windows RMS doesn't quite do everything out of the box that many enterprises and governments might want, but fortunately, Microsoft has already fostered an active partner program that's designed to address these needs. I spoke to Microsoft Technical Evangelist Michael Atalla late last week to discuss some of the partners with which the company is working and the unique solutions they provide. Atalla told me that the company's Windows RMS partners were building solutions in the following categories:
- iWorker tools--Obviously, Microsoft Office was the first major tool in this important category, and its major applications--Word, Microsoft Excel, Outlook, and PowerPoint--support a technology called Information Rights Management (IRM) that's based on Windows RMS. This category is big for third-party partners as well, with some solutions meeting the number-one request I received from readers, a Windows Explorer shell-based solution that lets you apply explicit rights to files sitting in folders on a file share or Web portal. "This is a broad category," Atalla told me, "with a variety of interesting partner solutions." GigaTrust makes an Internet Server API (ISAPI)-based Web portal product, for example, that makes intelligent calls to Windows RMS, applies rights policies to URLs according to content, and features a helpful management interface. Microsoft is so impressed with this implementation that the company is evaluating it to see whether it can roll it out in-house. GigaTrust also makes a Windows Explorer shell plugin that lets you right-click a folder to apply RMS policies; it will protect anything in that folder at the time of the policy application as well as any new documents that you add later. You can also do policy-based rights protection. For example, you might want any Excel spreadsheets that contain the words "revenue projections" to receive certain rights (perhaps "company confidential").
- policy automation management tools--With rights management, an obvious need is automation. For example, you might want an online faxing service or certified mail delivery system to automatically apply rights policies to documents, according to content, as the documents leave your enterprise. So you could have a service sitting on your gateway that automatically associates policies. A subcategory of automation management, although it's likely not to be fully developed in this first generation of products, is advanced management tools. Atalla noted that Microsoft hasn't provided enough hooks into this first-generation Windows RMS system for third parties to effectively improve the management experience. One obvious tool here would be a Microsoft Management Console (MMC)-based management tool to replace the Web-based management tool Microsoft ships now with Windows RMS. Omniva Policy Systems was already looking to protect information in transit with policy-based control, so when Microsoft alerted the company to the impending release of its rights-management technologies, the company took its rules-based server management tool that watches email gateways and moved it to Windows RMS. Omniva also takes things a bit further than Windows RMS by offering forensic destruction of documents as they expire. "Some [enterprises and governments] won't want that," Atalla said, noting that Windows RMS doesn't support this functionality out of the box. "But some do, obviously."
- document workflow integration--This category encompasses any business logic integration. At a high level, a worker would check in a document to a document management system, and, according to his or her user role, that document would have a particular rights policy applied. You can choose to archive documents in the clear (i.e., with no rights management policies applied) but then re-apply policies as needed when the documents are unarchived later. EDS is working up a digital asset management solution that's Windows RMS enabled.
- hosted services--Although Microsoft isn't sure that hosted services will be a broad category for a number of technical reasons, several Windows RMS partners are already developing business-to-business (B2B) host services. The problem is fairly obvious: Hosting services are tough to implement even with trusted domains, because it's hard to manage numerous one-to-one relationships; when you move to external hosting for (potentially) many companies, the problems are exacerbated. Still, this hasn't stopped some partners from moving forward with Windows RMS hosting services, and given the proliferation of small- and medium-sized businesses that would be interested in this sort of service, it could be a big hit. GigaTrust, for example, is moving forward now with customer pilots for a variety of services, including hosted Windows RMS. The company is also working on an email solution that replaces the Microsoft RMS component with its own Outlook plugin that handles external email.
Atalla pointed out that none of these services need to be tied to Windows. Although the Windows RMS server must be running Windows Server 2003, developers can write services that run on other Windows versions or on Linux or UNIX because Windows RMS is a standards-based Web service that speaks Simple Object Access Protocol (SOAP). At this point, no third parties have created such a non-Windows service, but undoubtedly some will do so as the need arises.
Also coming down the pike is Windows RMS Service Pack 1 (SP1), due sometime in 2004, which will add support for disconnected networks. Right now, Windows RMS-enabled documents need to "phone home" to get an enrollment certificate and perform other duties, but a new generation of hardware appliances will let government and financial institutions--which often can't let their systems be externally connected--accomplish these tasks in-house. "This hardware will allow these institutions to do lockbox generation in their own environments," Atalla said. "They will be rack mounted and tamper resistant." Microsoft is partnering with Rainbow Technologies on the hardware designs.
If these capabilities don't address your needs, or you have additional questions about Windows RMS, please fire away. If I can't answer them, I'll forward them to Microsoft. Thanks!