Today, we’re announcing a major update to RMS, which is based on your enthusiastic feedback and guidance. We’ll share with you the significant changes to the RMS application(s), our Azure RMS cloud offering, and how we’re bringing the new features of Azure RMS to a broader range of organizations with differing deployment requirements for their cloud service.
The RMS team and I have lots of interaction with passionate business leaders both online and in person. We deeply appreciate your partnership! We collected your individual feedback and validated it with our informal Customer Advisory Board (CAB). Here’s where 313 voters who manage 17 million users are from. We love the diversity given how impactful regional differences are in this space.
You also shared with us your diverse environment. As expected, mobile support is critical but we were surprised to see Linux pushed higher than OS X. We don’t currently have a Linux story but your input will clearly have us revisit that.
The most interesting set of responses are related to the question of ‘why you seek to protect your data’:
You cited as most critical the ability to share sensitive documents with others . Next up were two needs to partition document sharing within your company . A strong fourth vote was ensuring compliance .
Our Promise to You
As a direct result of these inputs (and other clear industry trends) today our deliverables are focused on offering you the following promises:
We hope you agree that addressing the gaps in these 3 areas would represent a substantial update to RMS. Let’s review what we have done for each of them.
#1 Protect the workplace docs you share with others, make it work on all devices.
First, we know that you desire built-in support for RMS into Microsoft Office on all platforms. We currently support RMS in Office 2010, Office 2013, and Office 365 but lack comprehensive support on other platforms. We -- the Office team + the RMS team -- are committed to adding RMS support. The involved teams are working on this now. This said, as I’m sure you can appreciate, the RMS blog is not the right place to disclose the Office release cadence so please stay tuned to @TheRMSGuy (twitter) and this blog for future public disclosures.
To address your immediate need, we’ve come up with a way of supporting the sharing of secured Office documents in advance of the native Office support . We’ve done so via the RMS application’s Share Protected button. When you invoke Share Protected to share Office documents we send your email recipients both an RMS protected version of the Office document and a protected PDF copy of the same file. To ensure success at opening one of these files, we now have RMS-protected PDF rendering built into all of our free RMS applications. As we had in the past, if your recipients don’t have RMS we also offer them a 100% free RMS account .
As an added bonus feature for those using Azure RMS, we enabled email notifications of document use (or abuse). This lets the document sender know if their sensitive document is being used as intended. This is quite critical as we all know that IT can’t easily detect document abuse given their lack awareness of initial intended use. Now the sender can play an important role of responsibly sharing sensitive documents. Let's review the end to end user flow.
Note: The Share Protected button is added to Outlook, Word, Excel, and PowerPoint (v2010 and 2013) when you install the RMS app for Windows .
Do you prefer to experience it first hand?
If so, just send us an email and CC your colleagues. We’ll send you this blog post as a protected document.
Sender creates an email message, invokes SHARE PROTECTED
Sender selects the permissions (and options) they want to grant to the recipient
Recipient receives the email on their device. Note the two attachments of the same name.
After installing RMS App, the user opens the PPDF on their devices.
These are all the same Quarterly Sales Report.XLS, rendered as PPDF
(Clockwise from center: iPad, Windows Phone, Android Phone, Windows, OS X, Android tablet, and iPhone)
The sender gets email notification so that they can monitor for abuse
We’ve provided information previously on this blog about the RMS sign up process, and you’ll find it fully documented on TechNet , so I've omitted that detail here. We support sharing within your business and to other businesses and we continue to support free signup (if needed) for your recipients at http://portal.aadrm.com . Support for consumer social identities like Microsoft Account (aka Live ID) and Gmail IDs remains in our active work backlog.
Here’s how to get started
#2 Protect the documents you have internally, with a more effective way to partition them
A user can create files that are protected to a subset of people within their company. For example, let’s say that Brenda wants to protect a legal case file to the ‘Legal Department’. The traditional means of doing this is via RMS templates. Once protected, only current (and future) membership of the ‘Legal Department’ will have access to these files. Using RMS templates there are countless way of setting up data partitions within your organization… just keep it simple so that ‘IT does not get in the way’ of people have access to their files.
AD RMS already supports custom global templates. Until recently Azure RMS had a fixed set of two templates. As of today, it now supports customizable global templates too. Here’s what it looks like:
Our new Admin console lets you create, manage, and learn about policy templates
The new template ‘Top Secret’ is created and placed in an ‘Archived’ state until you ‘Publish’ it
Administrator can now configure and publish the new template
This is a quick introduction. For more detailed information, see Configuring Custom Templates for Azure Rights Management . We also modified our RMS SDKs to pick up these updated templates more quickly. When Office 2013 refreshes their SDK (next public update) they will get this quicker update time.
We know that the act of enabling RMS is not totally sufficient to protect all your sensitive documents – you will want more automated means of driving documents to be protected. The breath of our Microsoft and partner offers here is what really sets Microsoft Rights Management apart from the others in this space. Let me share with you how the most common and effective means of enabling proactive RMS protection. When available, I’ve included a link to some free videos on the topic.
Last but not least, another core ask was to improve the usage logs. The Share Protected flows we are releasing today put both the file name and the publish date into the logs. We have more logging enhancements in the works but those remain out of reach for this update as code changes must happen in Office itself. We are keeping this ask on our active work list.
#3 Offer the Azure RMS feature set to cloud reluctant customers
The Microsoft Rights Management offer supports two deployment options: on premises and Azure hosted. Some ‘cloud reluctant’ organizations require that their RMS authorization decisions and key management remain within the walls of their organization. We recognize this is an important business requirement from our worldwide customers. Let’s share with you the changes we’re now making to Azure RMS.
Today the Azure RMS offering looks like this:
For ‘cloud ready’ organizations (the top half), we showcase Office 365 with Azure AD and Azure AD Sync; Azure RMS performs the core information protection duties and Azure services are relied on for the remainder of the workloads.
For ‘cloud reluctant’ organizations (the bottom half), the Azure RMS connector permits Exchange, SharePoint and FCI on premises to use Azure RMS to protect essential information. For some, this is still too much cloud exposure. The core feedback we’ve heard is that local RMS traffic should remain local – it should not reach out to Azure AD. When collaborating, leveraging Azure AD is a massive benefit, but not if the full set of AD sync properties is required. We’re addressing both of these concerns while also future proofing your environments.
Let’s now consider this updated diagram:
It’s pretty simple to see several few very important changes:
We’re also going to tackle the oft requested ability to migrate from AD RMS to Azure RMS. Sidebar: Some of you may be surprised that cloud reluctant customers demand support for migration to Azure RMS. We've found a common misconception about what Azure RMS ‘sees’ as part of its role in protecting your data. Some believe that using Azure RMS means that your data travels to the cloud. It does NOT, ever go to the cloud unless you put the document there. The sharing of a document between two on-premises organizations only has an authorization traffic -- an authentication token and the RMS license that was embedded in the document – sent to Azure RMS for evaluation. The document itself remains within your on-premises client. Our client side developer libraries built into each RMS enlightened application handle all the client side decryption. This is an important tidbit of information for those of you increasingly looking to outsource aspects of your core infrastructure. Now you can offload RMS hosting to us knowing that the cloud RMS service never sees any of your content.
With this storyline shared with you, we are promising the following:
We hope the above 3 offers give you a clear indication that we very much care about the needs of all of our organizations.
Best of all, we’re not slowing down anytime soon!
Dan on behalf of the RMS team
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.