Problems that RMS Solves
Business Requirements
Protect all file types
In previous implementations of Rights Management, only Office files could be protected, by using native protection. Now, generic protection means that all file types are supported. Note the difference in what is enforced: generic protection encrypts the file and restricts who can open it, but usage rights such as read-only or no printing are enforced only by applications that support RMS natively.
Protect files anywhere
When a file is saved to a location (protect in-place), the protection stays with the file, even if it is copied to storage that is not under the control of IT, such as a cloud storage service.
Share files securely by email
When a file is shared by email (share protected), the file is protected as an attachment to an email message, with instructions on how to open the protected attachment. The email text is not encrypted, so the recipient can always read these instructions. However, because the attached document is protected, only authorized users will be able to open it, even if the email or document is forwarded to other people.
Support for all commonly used devices, not just Windows computers
Supported devices include:
- Windows computers and phones
- Mac computers
- iOS tablets and phones
- Android tablets and phones
Support for business-to-business collaboration
Because Azure RMS is a cloud service, there’s no need to explicitly configure trusts with other organizations before you can share protected content with them. If they already have an Office 365 or an Azure AD directory, collaboration across organizations is automatically supported. If they do not, users can sign up for the free RMS for individuals subscription.
Support for on-premises services, as well as Office 365
In addition to working seamlessly with Office 365, you can also use Azure RMS with the following on-premises services when you deploy the RMS connector:
- Exchange Server
- SharePoint Server
- Windows Server running File Classification Infrastructure
Easy activation
Activating the Rights Management service for users requires just a couple of clicks in the Azure portal.
IT Administration Requirements
Ability to scale across your organization, as needed
Because Azure RMS runs as a cloud service with the Azure elasticity to scale up and out, you don’t have to provision or deploy additional on-premises servers.
Ability to create simple and flexible policies
Customized rights policy templates provide a quick and easy solution for administrators to apply policies, and for users to apply the correct level of protection for each document and restrict access to people inside your organization.
For example, for a company-wide strategy paper to be shared with all employees, you could apply a read-only policy to all internal employees. Then, for a more sensitive document, such as a financial report, you could restrict access to executives only.
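As an added example (not code from the original page), the following PowerShell script uses the AADRM administration module to perform the activation from the "Easy activation" section above and then creates the two templates just described: a read-only template for everyone in the directory and a restricted template for executives. The domain contoso.com, the group address executives@contoso.com, the template names and the license validity values are assumptions; replace them with your own.

```powershell
# Added example (not from the original page): activate Azure RMS for the tenant
# and create the two rights policy templates described above, using the AADRM
# PowerShell module. The domain, group address and template names are assumptions.
Import-Module AADRM
Connect-AadrmService          # prompts for a tenant admin credential

# Activation is safe to repeat: enable the service only if it is not already on.
if ((Get-Aadrm) -ne 'Enabled') {
    Enable-Aadrm
}

# Template 1: every user in the contoso.com directory can only view.
# No EDIT, PRINT, EXTRACT or EXPORT rights, so the content stays read-only
# in applications that enforce RMS rights natively.
$allEmployeesView = New-AadrmRightsDefinition -DomainName 'contoso.com' -Rights 'VIEW'
Add-AadrmTemplate `
    -Names @{ 1033 = 'Contoso - All employees, read only' } `
    -Descriptions @{ 1033 = 'Company-wide strategy papers: all employees may read, nothing else.' } `
    -LicenseValidityDuration 7 `
    -RightsDefinitions $allEmployeesView `
    -Status Published

# Template 2: only members of the executives group can view and print.
# ScopedIdentities hides the template from everyone else when they protect
# a document; a short offline license window means a removed executive loses
# access within a day instead of a week.
$executivesOnly = New-AadrmRightsDefinition -EmailAddress 'executives@contoso.com' -Rights 'VIEW','PRINT'
Add-AadrmTemplate `
    -Names @{ 1033 = 'Contoso - Executives only' } `
    -Descriptions @{ 1033 = 'Financial reports: executives may read and print; no editing or copying.' } `
    -LicenseValidityDuration 1 `
    -RightsDefinitions $executivesOnly `
    -ScopedIdentities 'executives@contoso.com' `
    -Status Published

# Confirm both templates are published before telling users to use them.
Get-AadrmTemplate | Where-Object { $_.Status -eq 'Published' } |
    Select-Object TemplateId, Names
```

The rights granted are the whole policy: anything not listed (EDIT, EXTRACT, EXPORT, FORWARD) is denied. Keep the offline license window short for the most sensitive template, because a user keeps access until the cached use license expires even after being removed from the group.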
Broad application support
- Azure RMS has tight integration with Microsoft Office applications and services, and extends support for other applications by using the RMS sharing application.
- The Microsoft Rights Management SDK provides your internal developers and software vendors with APIs to write custom applications that support Azure RMS.
Auditing and monitoring
You can audit and monitor usage of your protected files, even after these files leave your organization’s boundaries.
For example, you work for Contoso, Ltd. You are working on a joint project with three people from Fabrikam, Inc. You email these three people a document that you protect and restrict to read-only. Azure RMS auditing can provide the following information:
- Whether the people you specified in Fabrikam opened the document, and when.
- Whether other people that you didn’t specify attempted (and failed) to open the document—perhaps because it was forwarded or saved to a shared location that others could access.
- Whether any of the specified people tried (and failed) to print or change the document.
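As an added example that is not part of the original page, the following PowerShell answers the first two questions above from usage log records and also lists which of the three recipients never opened the document. The rows are constructed for the example; their column names follow the field names of the usage log that Get-AadrmUsageLog downloads (request-type, user-id, result, content-id, owner-email, c-ip), which is an assumption to check against the #Fields header of a real log. The content id, user addresses and function names are also my own.

```powershell
# Added example (not from the original page): who opened a protected document,
# who tried and failed, and who never opened it, from Azure RMS usage log rows.
# Sample rows are constructed; column names mirror the usage log fields (assumption).
$contentId  = '{3f2c1a9e-5b7d-4b2b-9c1d-1f0e2d3c4b5a}'          # constructed document id
$authorized = @('alice@fabrikam.com', 'bob@fabrikam.com', 'carol@fabrikam.com')

$sampleLog = @'
date,time,request-type,user-id,result,content-id,owner-email,c-ip
2015-06-02,09:12:44,AcquireLicense,alice@fabrikam.com,Success,{3f2c1a9e-5b7d-4b2b-9c1d-1f0e2d3c4b5a},dave@contoso.com,203.0.113.10
2015-06-02,09:40:01,AcquireLicense,bob@fabrikam.com,Success,{3f2c1a9e-5b7d-4b2b-9c1d-1f0e2d3c4b5a},dave@contoso.com,203.0.113.11
2015-06-02,10:05:19,AcquireLicense,mallory@fabrikam.com,Fail,{3f2c1a9e-5b7d-4b2b-9c1d-1f0e2d3c4b5a},dave@contoso.com,198.51.100.7
2015-06-02,11:30:55,AcquireLicense,eve@example.com,Fail,{3f2c1a9e-5b7d-4b2b-9c1d-1f0e2d3c4b5a},dave@contoso.com,192.0.2.25
2015-06-03,08:01:03,AcquireLicense,alice@fabrikam.com,Success,{9a8b7c6d-0000-4e5f-8a9b-aabbccddeeff},dave@contoso.com,203.0.113.10
'@

# Keep only license requests for the document of interest.
$docRows = $sampleLog | ConvertFrom-Csv |
    Where-Object { $_.'content-id' -eq $contentId -and $_.'request-type' -eq 'AcquireLicense' }

function Get-DocumentOpens {
    # Successful license acquisitions by the people the document was shared with.
    param([object[]]$Rows, [string[]]$Authorized)
    $Rows | Where-Object { $_.result -eq 'Success' -and $Authorized -contains $_.'user-id' } |
        ForEach-Object {
            [pscustomobject]@{ User = $_.'user-id'; OpenedAt = "$($_.date) $($_.time)"; FromIp = $_.'c-ip' }
        }
}

function Get-UnauthorizedAttempts {
    # Failed license requests from anyone not on the recipient list: a sign the
    # document was forwarded or saved somewhere others could reach it.
    param([object[]]$Rows, [string[]]$Authorized)
    $Rows | Where-Object { $_.result -ne 'Success' -and $Authorized -notcontains $_.'user-id' } |
        ForEach-Object {
            [pscustomobject]@{ User = $_.'user-id'; AttemptedAt = "$($_.date) $($_.time)"; FromIp = $_.'c-ip' }
        }
}

function Get-NeverOpened {
    # Recipients with no successful license request at all.
    param([object[]]$Rows, [string[]]$Authorized)
    $opened = $Rows | Where-Object { $_.result -eq 'Success' } | ForEach-Object { $_.'user-id' }
    $Authorized | Where-Object { $opened -notcontains $_ }
}

'Opened by:';                 Get-DocumentOpens        -Rows $docRows -Authorized $authorized | Format-Table -AutoSize
'Unauthorized attempts:';     Get-UnauthorizedAttempts -Rows $docRows -Authorized $authorized | Format-Table -AutoSize
'Never opened:';              Get-NeverOpened          -Rows $docRows -Authorized $authorized
```

With real data, download the logs first with Get-AadrmUsageLog and parse the files instead of the inline sample. Print and edit restrictions are enforced by the client application after the use license is issued, so they do not show up as separate server requests in the way that a denied open does; what the log tells you about the third question is which license (and therefore which rights) each user was issued.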
IT must maintain control of data
- Organizations can choose to manage their own tenant key and use the “Bring Your Own Key” (BYOK) solution and store their tenant key in Hardware Security Modules (HSMs).
- Support for auditing and usage logging so that you can analyze for business insights, monitor for abuse, and (if you have an information leak) perform forensic analysis.
- Delegated access by using the super user feature ensures that IT can always access protected content, even if a document was protected by an employee who then leaves the organization. In comparison, peer-to-peer encryption solutions risk losing access to company data.
- Synchronize just the directory attributes that Azure RMS needs to support a common identity for your on-premises Active Directory accounts, by using Azure Active Directory Synchronization Services (AAD Sync) or Azure AD Connect.
- Enable single-sign on without replicating passwords to the cloud, by using AD FS.
- Organizations always have the choice to stop using Azure RMS without losing access to content that was previously protected by Azure RMS. For information about decommissioning options, see Decommissioning and Deactivating Azure Rights Management. In addition, organizations who have deployed Active Directory Rights Management Services (AD RMS) can migrate to Azure RMS without losing access to data that was previously protected by AD RMS.
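As an added example (not from the original page), the following PowerShell shows the super user feature from the list above used the way a practitioner should use it: switched on for the duration of one recovery task and switched off again, rather than left as a standing privilege. The account name rms-recovery@contoso.com is an assumption.

```powershell
# Added example (not from the original page): recover a departed employee's
# protected documents with the super user feature, enabled only for the task.
# The account name is an assumption; the feature is off by default.
Import-Module AADRM
Connect-AadrmService

# Step 1: turn the feature on and grant exactly one named account.
Enable-AadrmSuperUserFeature
Add-AadrmSuperUser -EmailAddress 'rms-recovery@contoso.com'
Get-AadrmSuperUser            # confirm only the account you expect is listed

# Step 2: sign in as rms-recovery@contoso.com and open or unprotect the
# documents (for example with the RMS sharing application). Every license it
# acquires is recorded in the usage log under that account, so keep the
# account dedicated to recovery work and do not reuse it for daily tasks.

# Step 3: remove the privilege as soon as the recovery is finished.
Remove-AadrmSuperUser -EmailAddress 'rms-recovery@contoso.com'
Disable-AadrmSuperUserFeature
```

Enabling the feature is what makes any listed super user able to open every document in the tenant, so audit changes to it the same way you would audit domain admin membership.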
Tip
If you are familiar with the on-premises version of Rights Management, Active Directory Rights Management Services (AD RMS), you might be interested in the comparison table from Comparing Azure Rights Management and AD RMS.
Security, Compliance, and Regulatory Requirements
Azure RMS supports the following security, compliance and regulatory requirements:
- Use of industry-standard cryptography, with support for FIPS 140-2. For more information, see Cryptographic controls used by Azure RMS: Algorithms and key lengths.
- Support for Thales Hardware Security Modules (HSMs) to store your tenant key in Microsoft Azure data centers. Azure RMS uses separate security worlds for its data centers in North America, EMEA (Europe, Middle East and Africa), and Asia, so your keys can be used only in your region.
- Certified for the following:
  - ISO/IEC 27001:2013 (includes ISO/IEC 27018)
  - SOC 2 SSAE 16/ISAE 3402 attestations
  - HIPAA BAA
  - EU Model Clause
  - FedRAMP as part of Azure Active Directory in Office 365 certification, issued FedRAMP Agency Authority to Operate by HHS
  - PCI DSS Level 1
For more information about these external certifications, see the Azure Trust Center.