Windows Rights Management Services (RMS)
Moshe Zrihen, CTO, TrustNet

Agenda
• The Business Problem
• Windows Rights Management Services
• How RMS addresses the problem
• Usage Scenarios & Regulation (SOX, HIPAA etc.)
• How RMS works & demo
• RMS SP2, what’s new?
• RMS integrated with Office 2007, SharePoint, Mobile
• Related Information
• Q&A
Information Loss and Liability are a Growing Concern among Organizations…
“Enterprises report forwarding of e-mails among their top three security breaches” – Jupiter Research (Source: JupiterMedia, DRM in the Enterprise, May 2004)
“Organizations that manage patient health information, social security numbers, and credit card numbers are being forced by government and industry regulations to implement minimal levels of security to address leakage of personal information.” – IDC (Source: Worldwide Secure Content Management 2005-2009 Forecast: The Emergence of Outbound Content Compliance, March 2005)

…Information Leakage is Broadly Reaching
Financial Services • Equity Research, M&A • GLB, NASD 2711
Healthcare & Life Services • Research, Clinical Trials • HIPAA
Horizontal Scenarios • Information Protection: sensitive e-mails, board communications, financial data, price lists, HR & Legal information • Corporate Governance: Sarbanes-Oxley (US)
Manufacturing & High Technology • Collaborative Design, Data Protection in Outsourcing
Government • RFP Process, Classified Information • HIPAA
Traditional solutions protect initial access… but not usage
[Diagram: Firewall Perimeter and Access Control List Perimeter; Authorized Users → Yes, Unauthorized Users → No; Information Leakage]

Today’s policy expression… lacks enforcement tools
Safeguard Sensitive Information with RMS: Protect e-mail, documents, and Web content
End User Scenarios
Secure Emails (Outlook 2003 & 2007, Windows RMS)
• Keep corporate e-mail off the Internet
• Prevent forwarding of confidential information
• Templates to centrally manage policies
Secure Documents (Word 2003/7, PowerPoint 2003/7, Excel 2003/7, Windows RMS)
• Control access to sensitive info
• Set access level - view, change, print...
• Determine length of access
• Log and audit who has accessed rights-protected information
Secure Intranets (IE w/RMA, Windows RMS)
• Users without Office 2003 can view rights-protected files
• Enforces assigned rights: view, print, export, copy/paste & time-based expiration
How RMS Enables SOX Compliance
Companies must implement, evaluate, and report on controls for financial reporting, operations, and compliance.
Sarbanes-Oxley Act of 2002, Section 404-1. Securities and Exchange Commission, 17 CFR Parts 210, 228, 229, 240, 249, 270 and 274: Management's Report on Internal Control over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports (excerpt):
“As directed by Section 404 of the Sarbanes-Oxley Act of 2002, we are adopting rules requiring companies subject to the reporting requirements of the Securities Exchange Act of 1934, other than registered investment companies, to include in their annual reports a report of management on the company's internal control over financial reporting. The internal control report must include: a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company; management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year; a statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting; and a statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting. Under the new rules, a company is required to file the registered public accounting firm's attestation report as part of the annual report. Furthermore, we are adding a requirement that management evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting.
Finally, we are adopting amendments to our rules and forms under the Securities Exchange Act of 1934 and the Investment Company Act of 1940 to revise the Section 302 certification requirements and to require issuers to provide the certifications required by Sections 302 and 906 of the Sarbanes-Oxley Act of 2002 as exhibits to certain periodic reports.”
How RMS Enables HIPAA Compliance (Government)
Hospitals must protect patient data through access controls, user authentication, and auditing.

How RMS Enables GLBA, 357 Compliance
Companies must use information security technology to secure storage and transport of personal financial data.
FDA Compliance
Food and drug manufacturers must digitally sign documents used in the manufacturing process and provide audit records, protected archival, and documented access controls.
FDA 21 CFR Part 11. Department of Health and Human Services, Food and Drug Administration, 21 CFR Part 11 [Docket No. 92N-0251] (excerpt):
“SUMMARY: The Food and Drug Administration (FDA) is issuing regulations that provide criteria for acceptance by FDA, under certain circumstances, of electronic records, electronic signatures, and handwritten signatures executed to electronic records… Section 11.10 describes controls for closed systems, systems to which access is controlled by persons responsible for the content of electronic records on that system. These controls include measures designed to ensure the integrity of system operations and information stored in the system. Such measures include: (1) Validation; (2) the ability to generate accurate and complete copies of records; (3) archival protection of records; (4) use of computer-generated, time-stamped audit trails; (5) use of appropriate controls over systems documentation; and (6) a determination that persons who develop, maintain, or use electronic records and signature systems have the education, training, and experience to perform their assigned tasks.
Section 11.10 also addresses the security of closed systems and requires that: (1) System access be limited to authorized individuals; (2) operational system checks be used to enforce permitted sequencing of steps and events as appropriate; (3) authority checks be used to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform operations; (4) device (e.g., terminal) checks be used to determine the validity of the source of data input or operation instruction; and (5) written policies be established and adhered to holding individuals accountable and responsible for actions initiated under their electronic signatures, so as to deter record and signature falsification. Section 11.30 sets forth controls for open systems, including the controls required for closed systems in Sec. 11.10 and additional measures such as document encryption and use of appropriate digital signature standards to ensure record authenticity, integrity, and confidentiality. Section 11.50 requires signature manifestations to contain information associated with the signing of electronic records.”
How does RMS work?
[Diagram: Information Author, RMS Server (with Active Directory and SQL Server), The Recipient]
1. Author receives a client licensor certificate the first time they rights-protect information
2. Author defines a set of usage rights and rules for their file; the application creates a “publishing license” and encrypts the file
3. Author distributes the file
4. Recipient clicks the file to open; the application calls the RMS server, which validates the user and issues a “use license”
5. Application renders the file and enforces rights
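The five steps above, as an added example written for this page (not Microsoft's code, protocol or license format): a Python model in which alice protects a file, bob is granted view-only rights, and carol gets nothing. Assumed simplifications, labelled in the code too: symmetric secrets stand in for the client licensor certificate, the recipient's key and the server's key pair; a SHA-256 keystream stands in for AES; HMAC over JSON stands in for the XrML license signatures; and the users, the file content and the names RmsServer, protect, consume, perform and demo are all this example's own.

```python
# Toy model of the RMS flow above (added illustration, not Microsoft's protocol or format).
import hashlib
import hmac
import json
import os
import time

def _keystream_xor(key, nonce, data):
    """Toy cipher: XOR data with SHA-256(key | nonce | counter) blocks; self-inverse."""
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def _seal(key, payload):  # fresh nonce per encryption; hex so it fits a JSON license
    nonce = os.urandom(12)
    return {"nonce": nonce.hex(), "ct": _keystream_xor(key, nonce, payload).hex()}

def _open(key, box):
    return _keystream_xor(key, bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"]))

def _sign(key, body):  # HMAC over canonical JSON stands in for a license signature
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def _verify(key, lic):
    body = {k: v for k, v in lic.items() if k != "sig"}
    return hmac.compare_digest(_sign(key, body), lic.get("sig", ""))

class RmsServer:
    """RMS server plus its user directory (standing in for Active Directory)."""
    def __init__(self, directory):
        self.directory = directory        # user -> secret; models the CLC / recipient keys
        self.server_key = os.urandom(32)  # licensor secret (a key pair in real RMS)
        self.audit = []                   # (user, decision, detail): who accessed what

    def request_use_license(self, user, plic):
        """Step 4: validate the user and the publishing license, issue a use license."""
        author = plic.get("author")
        if author not in self.directory or not _verify(self.directory[author], plic):
            self.audit.append((user, "denied", "publishing license not authentic"))
            raise PermissionError("publishing license signature invalid")
        rights = plic["rights"].get(user) if user in self.directory else None
        if not rights:
            self.audit.append((user, "denied", "no rights granted"))
            raise PermissionError(f"{user} has no rights to this file")
        if plic["expires"] is not None and time.time() > plic["expires"]:
            self.audit.append((user, "denied", "content expired"))
            raise PermissionError("content has expired")
        # Unwrap the author's content key, re-wrap it to the recipient, sign the result.
        content_key = _open(self.server_key, plic["wrapped_key"])
        ulic = {"user": user, "rights": sorted(rights),
                "key_for_user": _seal(self.directory[user], content_key)}
        ulic["sig"] = _sign(self.server_key, ulic)
        self.audit.append((user, "granted", ulic["rights"]))
        return ulic

def protect(author, clc, server_key, plaintext, rights, expires=None):
    """Steps 1-3: the CLC signs a publishing license (rights + wrapped content key)."""
    content_key = os.urandom(32)
    plic = {"author": author, "rights": rights, "expires": expires,
            "wrapped_key": _seal(server_key, content_key)}
    plic["sig"] = _sign(clc, plic)
    return {"license": plic, "content": _seal(content_key, plaintext)}

def consume(user, user_key, server, doc):
    """Step 4 (client side): fetch a use license, check its origin, recover the key."""
    ulic = server.request_use_license(user, doc["license"])
    if ulic["user"] != user or not _verify(server.server_key, ulic):
        raise PermissionError("use license was not issued by the RMS server")
    content_key = _open(user_key, ulic["key_for_user"])
    return {"plaintext": _open(content_key, doc["content"]), "rights": ulic["rights"]}

def perform(view, action):  # step 5: the application enforces the use license
    if action not in view["rights"]:
        raise PermissionError(f"'{action}' is not granted by the use license")
    return view["plaintext"]

def demo():
    """Constructed walk-through: alice protects a file that bob may only view."""
    directory = {u: os.urandom(32) for u in ("alice", "bob", "carol")}
    server = RmsServer(directory)
    clc = directory["alice"]  # step 1: the author's client licensor certificate
    doc = protect("alice", clc, server.server_key, b"Q3 forecast",
                  {"alice": ["view", "print", "copy"], "bob": ["view"]})
    stale = protect("alice", clc, server.server_key, b"draft", {"bob": ["view"]}, time.time() - 60)
    forged = json.loads(json.dumps(doc))  # rights edited after signing
    forged["license"]["rights"]["carol"] = ["view"]
    out = {"bob_view": perform(consume("bob", directory["bob"], server, doc), "view")}
    cases = (("bob_print", "bob", "print", doc), ("carol_view", "carol", "view", doc),
             ("bob_expired", "bob", "view", stale), ("carol_forged", "carol", "view", forged))
    for name, who, action, d in cases:
        try:
            perform(consume(who, directory[who], server, d), action)
            out[name] = "allowed"
        except PermissionError:
            out[name] = "denied"
    out["audit_entries"] = len(server.audit)
    return out
```

Running demo() shows the three enforcement points the slide relies on: the server refuses a use license when the user is unknown, has no rights, the content has expired, or the publishing license no longer verifies (the forged rights list); the client accepts a use license only after checking the server's signature; and the application refuses an action the license does not grant (bob's print) even though it holds the decrypted content. Every license decision lands in server.audit, which is the "log and audit who has accessed" capability from the Secure Documents slide.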
[Screenshot: Office IRM permission dialog] Add users with Read and Change permissions • Verify aliases & DLs via AD • Add advanced permissions
[Screenshot: Office IRM advanced permissions] Add/remove additional users • Set expiration date • Enable print, copy permissions • Contact for permission requests • Enable viewing via RMA
SharePoint 2007
• Protected document libraries
• Policy applied at document library level
• Protects document on download
• Document protected to user
• Information searchable on server
• Sticky permissions
• SharePoint rights map to IRM permissions
• File format specific
• Out-of-the-box support for Word, Excel, PowerPoint, InfoPath, and XPS files

Office 2007
• Client applications: Outlook, Word, PowerPoint, Excel, InfoPath (new)
• Server applications: SharePoint (new)
• Windows Mobile: supports Windows Mobile 6

Windows Mobile
• Smartphone and Pocket PC
• Optimizations for the Mobile platform
• RMS API part of the Mobile SDK
• Pocket Inbox, Word, Excel, and PowerPoint (support table: Y Y Y N)
Related Links:
• http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx
• http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/rmenterprise.mspx

Thank you very much for listening
moshe@trustnet.co.il