RMS Components
There are three essential components that comprise RMS: the RMS server, the RMS client, and RMS-enabled applications and SDKs. The RMS server is responsible for certifying trusted entities, licenses rights-protected content, and enrolls users and servers. It also serves as the administrative point for RMS.
How RMS Works
RMS is involved in three areas: the creation of rights-protected resources, the licensing and distribution of those resources, and their decryption and use. A trusted entity (one that has been certified to make use of RMS) can create protected resources. When a resource is protected, an XrML publishing license issued by the RMS server identifies who is allowed access and what usage restrictions are imposed on the resource. Once the publishing license is attached, the protected resource can be sent. When a trusted entity, say a user, wants to access the resource, the user is validated by the RMS server. The content key that encrypts the resource is itself encrypted to the server's public key inside the publishing license, so only the server, which holds the matching private key, can recover it; after validating the user, the server re-encrypts that key for the user and issues a use license. The use license specifies how the resource can be used and which actions may be taken with it. The two licenses are therefore the actual control mechanism: the publishing license is created when a document is RMS-protected and encrypted, and the use license is required when the document is consumed.
Encrypting and Securing Content
Exactly how does RMS maintain control over documents, e-mail messages, and applications? RMS employs Public Key Infrastructure (PKI) as the basis for controlling access to documents. PKI uses asymmetric encryption, in which two keys are used for the encryption/decryption process: a public key and a private key. In a typical PKI environment, a user encrypts a document so that it can be decrypted only by the recipient. In an RMS environment, the document is encrypted on the user's machine with a symmetric content key, and that key is in turn encrypted to the RMS server's public key, so it is the server rather than the recipient that is able to unlock it. Every request to access the document therefore goes to the server, which validates the requester and issues a use license stating which actions are permitted, including printing, forwarding, and even saving the document; the RMS-enabled application then enforces those restrictions.
The keystone of RMS is the use of a standardized rights expression language (REL) to provide a common framework for interoperability. The language used to provide this commonality is XrML version 1.2.1. XrML can be used to apply rights and security to digital information in the form of a license; this XrML license is attached to the resource and specifies the permissions and usage applied to it.
XrML provides a universal method for securely specifying and managing rights and conditions associated with all kinds of resources, including digital content and services. It is defined with XML Schema and is fully compliant with XML namespaces.
Now let's see how the process of using RMS on a document works. The IT hero in this scenario has been tasked with coming up with the raises and salary information for the next fiscal year. Let's assume that he has the appropriate RMS client software installed on his machine. He creates a spreadsheet containing the new financial figures (something any company would want to keep under tight control!) and wants to apply RMS security to this confidential document.
Our hero uses an RMS-enabled application, in this case Microsoft Office 2003, which contacts the RMS server on his behalf to request a publishing license for the document. The RMS server issues the publishing license, which is applied to the document. As a result, the document is encrypted, has a publishing license attached, and carries the usage restrictions the author chose. This is stronger than relying on NTFS permissions and ACLs alone: those stop applying as soon as the file is copied off the volume or e-mailed, whereas the RMS protection travels with the document.
The IT guy sends the document to his manager for final review and comments. Before the manager can access the document, she needs to contact an RMS server to receive a use license for it. The request for a use license is made through the RMS-enabled application and, once complete, allows the manager to access the document only according to the usage restrictions that were applied by the author of the document.
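The flow described under "How RMS Works" and "Encrypting and Securing Content", and walked through in the scenario above, as an added example in Go. This is illustrative code written for this page, not Microsoft's RMS implementation or SDK: the author encrypts the spreadsheet under a symmetric content key and wraps that key to the server's public key inside the publishing license; the server unwraps it with its private key and re-wraps it to the manager's public key in a use license that lists her rights; and the manager's application refuses any action the use license does not grant before it decrypts. The real protocol exchanges XrML documents and certificates; here the licenses are plain Go structs, the certified identities are bare RSA key pairs, and the AES-GCM and RSA-OAEP choices, the action names ("view", "print"), the struct field names and the spreadsheet text are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Stand-ins for the two XrML licenses; field and action names ("view", "print") are assumed.
type PublishingLicense struct {
	WrappedContentKey []byte              // content key encrypted to the RMS server's public key
	Rights            map[string][]string // user -> actions the author granted
}
type UseLicense struct {
	User              string
	WrappedContentKey []byte // the same content key, re-encrypted to this user's public key
	Rights            []string
}
type ProtectedDoc struct {
	Nonce, Ciphertext []byte
	License           PublishingLicense // travels with the document
}

// must panics on failures this example treats as unrecoverable (RNG, key generation, wrapping a 32-byte key).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func aesGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Publish runs on the author's client: encrypt under a fresh symmetric content key, then
// wrap that key to the server's public key so that only the RMS server can later release it.
func Publish(serverPub *rsa.PublicKey, body []byte, rights map[string][]string) *ProtectedDoc {
	contentKey := randomBytes(32)
	aead := aesGCM(contentKey)
	nonce := randomBytes(aead.NonceSize())
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, contentKey, []byte("PL")))
	return &ProtectedDoc{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, body, nil),
		License: PublishingLicense{WrappedContentKey: wrapped, Rights: rights}}
}

// IssueUseLicense runs on the RMS server: refuse anyone the publishing license does not name,
// unwrap the content key with the server's private key, and re-wrap it to the requester's key.
func IssueUseLicense(serverPriv *rsa.PrivateKey, pl PublishingLicense, user string, userPub *rsa.PublicKey) (*UseLicense, error) {
	rights, ok := pl.Rights[user]
	if !ok {
		return nil, fmt.Errorf("%s is not named in the publishing license", user)
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, pl.WrappedContentKey, []byte("PL"))
	if err != nil {
		return nil, err
	}
	rewrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, contentKey, []byte("UL"))
	if err != nil {
		return nil, err
	}
	return &UseLicense{User: user, WrappedContentKey: rewrapped, Rights: rights}, nil
}

// Consume runs in the recipient's RMS-enabled application: refuse any action the use license
// does not grant, then unwrap the content key with the user's private key and decrypt.
func Consume(userPriv *rsa.PrivateKey, doc *ProtectedDoc, ul *UseLicense, action string) ([]byte, error) {
	permitted := false
	for _, r := range ul.Rights {
		permitted = permitted || r == action
	}
	if !permitted {
		return nil, fmt.Errorf("use license for %s does not grant %q", ul.User, action)
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, userPriv, ul.WrappedContentKey, []byte("UL"))
	if err != nil {
		return nil, err
	}
	return aesGCM(contentKey).Open(nil, doc.Nonce, doc.Ciphertext, nil) // GCM tag also rejects tampering
}

// Demo runs the page's salary-spreadsheet scenario with fresh keys and constructed sample text.
func Demo() (managerReads string, printDenied, outsiderDenied bool) {
	serverKey, managerKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	doc := Publish(&serverKey.PublicKey, []byte("FY raises: sample figures"), map[string][]string{"manager": {"view"}})
	ul := must(IssueUseLicense(serverKey, doc.License, "manager", &managerKey.PublicKey))
	plain := must(Consume(managerKey, doc, ul, "view"))
	_, printErr := Consume(managerKey, doc, ul, "print")                                      // right never granted
	_, outsiderErr := IssueUseLicense(serverKey, doc.License, "outsider", &managerKey.PublicKey) // user never named
	return string(plain), printErr != nil, outsiderErr != nil
}

func main() { fmt.Println(Demo()) }
```

Run it with `go run`; it prints what the manager reads, whether her print request was refused, and whether a user absent from the publishing license was refused a use license. Two things the model makes visible that the prose only implies: the server never sees the document itself, only the wrapped key, and the print/forward/save restrictions are enforced by the consuming application after it has the content key, which is why RMS depends on trusted RMS-enabled applications rather than on the cryptography alone.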
The deployment of an AD RMS system provides the following benefits to an organization:
• Safeguard sensitive information. Applications such as word processors, e-mail clients, and line-of-business applications can be AD RMS-enabled to help safeguard sensitive information. Users can define who can open, modify, print, forward, or take other actions with the information. Organizations can create custom usage policy templates such as "confidential - read only" that can be applied directly to the information.
• Persistent protection. AD RMS augments existing perimeter-based security solutions, such as firewalls and access control lists (ACLs), for better information protection by locking the usage rights within the document itself, controlling how information is used even after it has been opened by intended recipients.
• Flexible and customizable technology. Independent software vendors (ISVs) and developers can AD RMS-enable any application or enable other servers, such as content management systems or portal servers running on Windows or other operating systems, to work with AD RMS to help safeguard sensitive information. ISVs can integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems, automated workflows, and content inspection.