These days I'm working on an AD RMS deployment, and I thought I'd write something about it. This starts with a short introduction, and if it's popular (enough people ask for it), I will go more deeply into it.
There is no doubt that how we approach security needs to change. For too long now we have been thinking about building a castle to protect us, with DMZs, network firewalls and so on. Then we are challenged to meet the needs of our mobile users, and we need to be able to talk with "the cloud". There used to be a time when access control at the folder level was enough. Today, you might have no clue where your information is. So, how is your folder structure going to protect you? The truth is, it won't. You need to protect your information, but you don't know where it goes, or how it gets there.
Using AD RMS the document is secured the same way, inside or outside, on your SAN or on someone's USB dongle. Even when sent through email, your information policy still travels with the document.
The document is encrypted, so anyone who wants to open the document needs to talk with your AD RMS service to get the necessary approval (or use license, if you will). Based on the settings in the document, AD RMS gives the user rights: for example to read, but nothing more, or to read and print, but not forward. You can also place expiration dates on the content, so you know that the user is not using old information.
The functionality is integrated with Microsoft Office, SharePoint and Exchange Server. It also works together with Windows Mobile, and through third parties there is support for a broad number of document formats. There is also an SDK to build your own support.
Following is a list of typical rights you can set with AD RMS:
• View
• View permissions
• Print
• Save
• Save as
• Cut & Paste
• Edit
• Run macro
• Forward (email)
• Reply (email)
• Reply all (email)
• Expiration date
• Expire after N days
Using AD RMS you can get reporting on who is accessing which documents, and you can also revoke permissions already given.
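To make the use-license decision described above concrete (rights taken from the policy that travels with the document, the two expiration settings from the list, and revocation), here is an added model example; it is not code from this post or from the AD RMS SDK, and the class and function names are illustrative.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional, Set

# Constructed model of the decision an AD RMS server makes when a client asks
# for a use license. Names here are illustrative, not the AD RMS SDK.


@dataclass
class PublishingLicense:
    """The policy that travels inside the encrypted document."""
    content_id: str
    published: date
    rights: Dict[str, Set[str]] = field(default_factory=dict)  # principal -> rights
    expires_on: Optional[date] = None         # absolute "Expiration date"
    expires_after_days: Optional[int] = None  # relative "Expire after N days"


def content_expired(pl: PublishingLicense, today: date) -> bool:
    """Either expiration setting on its own is enough to make the content stale."""
    if pl.expires_on is not None and today > pl.expires_on:
        return True
    if pl.expires_after_days is not None:
        if today > pl.published + timedelta(days=pl.expires_after_days):
            return True
    return False


def issue_use_license(pl, user, today, revoked=frozenset()):
    """Rights the use license would grant, or None when the request is refused.
    `revoked` holds (content_id, principal) pairs an administrator has revoked;
    a principal of "*" revokes the content for everyone."""
    if (pl.content_id, user) in revoked or (pl.content_id, "*") in revoked:
        return None
    if content_expired(pl, today):
        return None
    granted = pl.rights.get(user)
    if not granted:            # not a named principal: no license at all
        return None
    return set(granted)        # e.g. {"View", "Print"}: no Forward, no Edit


# Constructed sample: memo published 1 Mar, readable for 30 days, Bob may also print.
MEMO = PublishingLicense(
    content_id="memo-42", published=date(2024, 3, 1),
    rights={"alice@example.com": {"View"}, "bob@example.com": {"View", "Print"}},
    expires_after_days=30,
)
```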
If you compare AD RMS with traditional encryption, you will find AD RMS more dynamic, and it also gives you more granular control over the information – not only encryption.
Does it protect against everything? Heck no! If you have granted the user access, he might go around your protection – for example using “the analogue hole” or virtualization.