Microsoft details new rights management policy

Microsoft is developing add-on security technology for its forthcoming Windows Server 2003 operating system software that will allow organisations to implement rights-management protections on corporate documents such as email messages and data files.

The Windows Rights Management Services (RMS) will be able to enforce protection policies by controlling which users can access specific content and what access rights they are granted. Companies will, for example, be able to restrict content copying, forwarding and printing in applications such as portal, email and word-processing software.

"What this really is about is having customers trust their platform more when they're using it to manage sensitive internal business information such as financial reports and business plans inside the organisation," vice-president of Microsoft's Security Business Unit, Mike Nash, said.

The rights management features will be built in to the Office 2003 versions of the Microsoft Word, Excel, Powerpoint and Outlook applications, group manager of Microsoft's Windows Trusted Platform Technologies group, Amy Carroll, said.

However, only users of Microsoft's most recent products will be able to fully take advantage of the technology. RMS relies on the proposed XrML (Extensible Rights Markup Language) standard, an XML-based (Extensible Markup Language) language that is heavily backed by Microsoft but has yet to attract broad industry support. While Office 2003, Microsoft's Office update scheduled for mid-2003, supports XrML and will work with RMS, older versions of Microsoft Office won't work with the technology, including the currently available Office XP.

However, Microsoft will develop application programming interfaces that will allow RMS-enabled documents to be viewed using the Microsoft Internet Explorer as well as any of Microsoft's supported operating systems, starting with Windows 98 Second Edition.

Beyond that, the company defended its choice of the new XrML standard.

"Despite being new, XrML is the richest and best developed of the rights management languages," general manager of the Windows Trusted Platform Technologies group, John Manferdelli, said.

The XrML standard would allow Microsoft to extend its rights management technology to desktop applications and documents, as well as to the Web, Nash said.

"At the end of the day, you need to make sure your platform can be more trustworthy. It's about enabling security ... and making people willing to be comfortable and to share broadly," he said.

RMS won't be available at Windows Server 2003's launch, slated for April. Instead, RMS would be entering beta in the second quarter, with no final release date announced, Microsoft said. Pricing details were also still being determined, but the software would be sold as an add-on module.

In the second quarter, Microsoft will also release two software kits to aid developers in building rights management functionality into their applications.

"Software development kits will make it easy to develop applications that use rights management consistently," Nash said. "We need to make sure that rights management can be used in a consistent way and can be applied across a broad set of applications."

Microsoft was currently working on RMS with several hardware partners, ISVs (independent software vendors) and likely early-adopter customers, Microsoft UK's chief security officer, Stuart Okin, said.

One of those ISVs was Adobe Systems, Nash said.

An Adobe spokesperson said that his company had been briefed by Microsoft on the RMS technology, but that the company had no definite plans to integrate RMS with any of its desktop publishing products.

"Today we’re not announcing any implementation plans for RMS," vice-president of business development at Adobe, Harry Vitelli, said.

"Since Adobe applications rest on top of Microsoft's platform technology, we take it seriously and are looking into how to integrate (RMS) into our own product plans."

Vitelli declined to speculate on which Adobe products might integrate the RMS technology or when RMS features might be available in Adobe's products.

"Conjecture at this point would only lead to more conjecture," Vitelli said.

Microsoft was seeing particular interest in RMS from government customers and those in the pharmaceutical industry, Okin said. Organisations in those industries often already had in place detailed security and access policies, and were eager to explore technical solutions for enforcing those procedures.