Tuesday, August 13, 2013

Using Information Rights Management in SharePoint Online

With the new Office 365, Microsoft has introduced a new functionality to secure documents using Information Rights Management (IRM) services. It is a persistent file-level technology that stops sensitive information from being printed, forwarded, downloaded or copied by unauthorized users. In Office 365 IRM is available as part of the Enterprise E3 and E4 plan or the Academic Plan 3 and Plan 4. The functionality is similar to Windows Right Management Server (RMS)  – see http://technet.microsoft.com/en-us/library/cc771234(v=ws.10).aspx for more details about RMS in an on premise deployment. When documents are downloaded from an IRM protected SharePoint document library, the supported file types carry the restrictions (in the form of an IRM license) along with the document as part of its content. Supported file types also include PDF next  to the standard Office file types in SharePoint 2013. The IRM protected files are encrypted and rights are restricted to the authenticated user who downloaded the document. IRM protection of PDF files is an extension to the existing ISO 32000 standard (See Microsoft IRM protection for PDF specification for more details) and needs to be implemented by the PDF readers – for the moment it is supported by FoxIT PDF line of products. To be able to use Information Rights Management (IRM) or Windows Azure Rights Management Services (the commercial name for IRM) in SharePoint Online there are 3 major steps required:
  1. First enable Windows Azure RMS on Office 365 level – see Office 365 – Use Right Management Services. RMS is a shared service which can be used by Exchange Online and SharePoint Online and needs to be enabled at tenant level. It is not default enabled.
  2. Next Set up Information Rights Management (IRM) in SharePoint admin center (Office 365). If you get an error here saying “Error: RMS Online is not enabled for this tenant, please contact Office 365 to enable.” – you probably forgot step 1.
  3. Finally configure Rights Management on specific Document Libraries in SharePoint Online.
The IRM permissions map to SharePoint permissions on the document library as outlined in the following table
SharePoint Permissions IRM Permissions
Manage Permissions
Manage Web
Full control of the documents. This allows the user to read, edit, copy, save and modify permission of the document
Edit List Items
Manage List
Add and customize pages
Edit, copy and save permissions. The user can print the document only if the document library IRM settings are configured to allow document printing
View List Item Read permissions. The user can read the document but not copy or edit its content. The user can  print the document only if the document library IRM settings are configured to allow document printing
All other permissions Not applicable, no corresponding IRM permissions
In the IRM permissions can define additional options such as specifying whether documents that do not support IRM protection can be uploaded to the library and whether or not the document can be viewed in the browser. You can also configure additional document access rights which includes rights to print, run scripts to enable screen reader or enable writing to a copy of the downloaded document. The group protection and credential intervals determines the caching policy of the license that applications will use to open the documents. You can also enable sharing of the downloaded documents with users in a specified group.



Before you start implementing IRM in SharePoint Online you should carefully plan for it and define specific usage scenario’s for it since it is not meant to be activated on all information in discriminatory – ask yourself some of the following questions:
  • Which business areas use sensitive information which is frequently exchanged?
  • What needs to be protected (Office documents, e-mails, CAD design drawings, etc ..)
  • How will security policies by applied and how will enforce and control that procedures are being followed.
The introduction of IRM should be part of an overall information architecture and should be viewed upon at as part of a risk management strategy – ask yourself what would be the impact and consequence of information ending up in the wrong hands…
References:




1 comment:

Shawn Deny said...

To be able to use Information Rights Management (IRM) or Windows Azure Rights Management Services (the commercial name for IRM) in SharePoint Online there are 3 major steps required
marketing