SPC 2008 Session — RMS and SharePoint
This article was originally posted on March 10, 2008.
Q: What is RMS, and why would I need it?
A: RMS stands for Rights Management Services. It is security software that provides greater control over content that has IRM (Information Rights Management) associated with it. The business reason for needing it is simple: stay out of the news, e.g., avoid problems stemming from leaked executive e-mail, information theft, loss of IP, and legal/regulatory/compliance issues.
Q: How is it different from what I can do today with just SharePoint or network security?
A: With RMS, security travels with the data. This means a document-level security policy is effective whether the user is on-line or off-line, can be active for a specified period of time, and can be used to control certain activities (for example, the user cannot print or forward the document).
Q: What are the components of RMS?
1. Client workstation containing lockbox, APO, templates
2. Active Directory for authentication
3. Microsoft SQL Server database with configuration data, logging, cached credentials
4. Microsoft Office SharePoint Server for document libraries with Information Rights Management (IRM) attached
5. Clients and Services that are “RMS-aware” (e.g., MS-Office) and recognize the “manifest” information attached to each document
6. Exchange 2007 SP1, which also contains pre-licensing/fetching components for RMS
Q: How is it licensed?
A: Free server product, pay for Client Access Licenses (CALs), external connector for users outside your organization.
Q: What hardware does it require?
A: It should be installed on a web front end server (WFE), and can be installed on a SharePoint WFE.
Q: What software does it require?
A: On the server: it is incorporated into the Windows Server 2008 operating system. With other network operating systems, it requires a separate installation of RMS. On the client: Windows 2000, XP, or Vista. Pre-Vista, a small RM client needs to be installed. MS-Office is RMS-aware out of the box, and there is an RM add-in for Internet Explorer. RMS for PDF files is managed via a third-party tool (Liquid Machines and Giganet are two mentioned in the session).
Q: What are some key considerations around RMS integration with SharePoint?
1. In Central Admin, in the IRM section, specify the name of your RMS server.
2. Specify IRM settings at the Document Library level.
3. You CANNOT DEFINE IRM POLICIES BY CONTENT TYPE (single biggest weakness in the story that I heard. Content types are so powerful and a great tool, and this is a real impediment to building out rich security models.)
4. Document Library permissions override document permissions unless the document-level permissions are higher (in other words, in the event of a conflict, the more restrictive security wins).
5. Search results will continue to be dictated by the Active Directory security model. RMS initiates only as a document is opened, and has no effect on what results are surfaced by MOSS Search or Microsoft Search Server.
6. RMS does not encrypt documents stored on the server (you still need EFS, PGP, SSL, or other security if this is important to you); it only protects them as a user downloads/tries to open them.
7. Consider and test the performance hit on your MOSS server with RMS implemented, as the crypto processes are processor-intensive.
8. Consider how SharePoint rights and IRM permissions map:
[source: session presentation]
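Because IRM is set per document library and cannot be attached to a content type (points 2 and 3), one practical check is an inventory of which libraries actually have it turned on. The script below is an added example, not from the session or the original post; it assumes PowerShell 2.0 or later run on a SharePoint server with rights to the site collection, and `-SiteUrl` is a placeholder parameter for the site collection to audit.

```powershell
# Added example: list the IRM settings of every document library in one
# site collection, using the SharePoint server object model.
param(
    # Placeholder: URL of the site collection to audit.
    [string]$SiteUrl = $(throw 'Pass -SiteUrl <site collection URL>')
)

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    $rows = foreach ($web in $site.AllWebs) {
        try {
            # IRM is a property of the library, so walk every visible
            # document library in every web of the site collection.
            $web.Lists |
                Where-Object { $_.BaseType -eq 'DocumentLibrary' -and -not $_.Hidden } |
                Select-Object @{ Name = 'Web'; Expression = { $web.Url } },
                              Title,
                              IrmEnabled,   # IRM applied when files are downloaded
                              IrmExpire,    # library stops restricting after a set date
                              IrmReject     # refuse file types that cannot carry IRM
        }
        finally { $web.Dispose() }
    }
}
finally { $site.Dispose() }

# Unprotected libraries sort first.
$rows | Sort-Object IrmEnabled, Web, Title | Format-Table -AutoSize

# Files downloaded from these libraries carry no rights policy with them.
$unprotected = @($rows | Where-Object { -not $_.IrmEnabled })
'{0} of {1} document libraries have IRM disabled' -f $unprotected.Count, @($rows).Count
```

The report only covers what IRM does at download time; per point 6, it says nothing about how the files are protected at rest on the server.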
There were many other areas covered in the presentation (e.g., options for extranet deployment), but these were the key ones from my point of view.
RMS is an important component of many companies’ security and compliance strategies around data stored in SharePoint. I look forward to seeing more about how it works with SharePoint as we deploy SharePoint at customer sites with IRM needs.
Also, when I get around to taking a long look at Google Sites, I’m anxious to understand how their security model matches up to this. My hypothesis is that there won’t be an analogue to this “off-line” security model in the Google world…
Originally published at https://mikegil.typepad.com.