Secure Collaboration Using Federated AD RMS with Microsoft Office SharePoint Server 2007
Updated: August 1, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
Most enterprises today are information-intensive organizations that deal with knowledge, expertise, and solutions. Managing information in the enterprise itself is a significant challenge, and that challenge is even more complex for organizations that must share information with external partners.
An organization’s employees must have access to the appropriate tools and services so that they can produce and find information easily within their own company. Enterprises confront significant barriers to creating, storing, organizing, and indexing their own knowledge so their intellectual capital can be used most efficiently. It is even more complex to make sure that only those people who should have access to particular information are actually able to access it. Applying first-level access controls to data is relatively straightforward. However, this type of control does not deter users from disclosing the data to employees or external individuals who should not access it. This is an especially significant problem if employees are using distributed tools such as e-mail or such unmanaged repositories as disk space in their personal computers to store and to collaborate on documents.
The increasing mobility of enterprise employees creates additional challenges for sharing information securely. Mobile employees must be able to work on documents even when they are disconnected from the corporate network. Unfortunately, from the point of view of the remote user, the client experience is not seamless. When a document is updated locally, the user must connect to the network and then manually copy the document to its appropriate location. Furthermore, protecting documents outside the corporate firewall is a major challenge. In many instances, these documents must be secured on the remote user’s device to reduce risks associated with theft of the device or other forms of loss.
To aggravate the problem, employees have access to an increasing number of communication channels that can make it easy for them to breach security policy, even with the best of intentions. These channels include Web mail, instant messaging, peer-to-peer file-sharing applications, and recently emergent Web applications, such as Wikis and RSS feeds. Sometimes security policies may hinder the flow of information from one organization to another, even when the organizations are engaged in a collaborative partnership. When this occurs, users can be tempted to use these technologies to circumvent security policy so that they can get their work done. In the absence of effective and usable controls on the usage of data outside company borders, the potential for information leakage increases. Therefore, additional security measures, such as Information Rights Management, must be implemented to reduce the vulnerability of the data when it exists outside managed repositories.
Organizations have three key problems when they manage access to confidential information:
Users should be able to easily access information in a centralized, easy-to-use form that enables discovery and allows for good organization and collaboration.
Users should be able to share information in a controlled way with trusted parties who might not share any infrastructure with the originating organization.
Users should be able to protect information from theft or leakage, even when put in the hands of users who might not understand the importance of keeping the data confidential or the risks associated with data loss.
Microsoft provides three technologies that, when they are used together, help solve these problems in an elegant way. These technologies can be used to create an information protection infrastructure that lets users collaborate on information with other parties in a flexible way while enabling appropriate controls on the information, regardless of its storage or transmission medium.
Active Directory Rights Management Services (AD RMS) is an information protection technology that works with enabled applications to help safeguard digital information from unauthorized use. Content owners can define exactly how a recipient can use the information, such as whether the recipient can open, modify, print, forward, or take other actions on the information.
Active Directory Federation Services (AD FS) is a server role that provides standards-based distributed identification, authentication, and authorization across organizational and operating system boundaries. AD FS can be used in combination with AD RMS to provide access to protected documents in a controlled manner between two organizations without the need for them to share common infrastructure. Together, AD FS and AD RMS enable two companies to share documents while denying access to anyone other than the intended consumers.
Microsoft® Office SharePoint® Server 2007 provides one possible way to share such protected documents between companies. Office SharePoint Server is a Microsoft collaboration platform that enables users to interact with other users by sharing data and documents through a Web site. Office SharePoint Server is tightly integrated with the 2007 Microsoft Office system so that, for example, Office SharePoint Server can automatically apply information protection policies to Microsoft Office documents that are downloaded from a SharePoint document library. Combined with AD FS, this allows a company to publish documents in a SharePoint library and keep control of who can consume those documents and how they can use them. This includes users from other companies, without requiring that accounts be provisioned for those users.
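The three technologies described above fit together as one flow: library permissions decide what a downloaded document may be used for, the document carries that policy but not the key needed to read it, and a licensing service releases the key only after checking the federation claims the consumer presents. The following Python model is an added illustration of that flow and is not AD RMS, AD FS, or SharePoint code; the permission-to-rights mapping, the claim format, the trusted-issuer table and the SHA-256 keystream cipher are all constructed stand-ins for the real components. The security-relevant points it shows are deny by default, the requirement that a federation issuer be authoritative for the e-mail domain it asserts, and the fact that rights are enforced at consumption time, wherever the file has been copied.

```python
"""Constructed model of federated rights management (not product code).
Assumptions: a licensing service holds content keys; a protected document
carries its policy and a key reference; consumers present claims issued by
a federation server; SharePoint library permission levels map to IRM rights."""
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass

ALL_RIGHTS = {"view", "edit", "print", "forward"}

# Hypothetical SharePoint permission level -> rights applied on download.
LIBRARY_RIGHTS = {
    "Full Control": set(ALL_RIGHTS),
    "Contribute": {"view", "edit"},
    "Read": {"view"},
}


@dataclass
class Policy:
    owner: str
    grants: dict[str, set[str]]      # user e-mail or "@domain" -> granted rights
    trusted_issuers: dict[str, str]  # federation issuer -> e-mail domain it vouches for


@dataclass
class ProtectedDoc:
    ciphertext: bytes
    policy: Policy
    key_id: str  # the content key itself never travels with the document


@dataclass
class UseLicense:
    rights: set[str]
    key: bytes


def _stream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in symmetric cipher (SHA-256 keystream); not the cipher AD RMS uses."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def library_policy(owner: str, permissions: dict[str, str],
                   issuers: dict[str, str]) -> Policy:
    """Derive the protection policy from library permissions, modelling what the
    SharePoint IRM integration does when a document leaves the library."""
    grants = {p: set(LIBRARY_RIGHTS[level]) for p, level in permissions.items()}
    return Policy(owner=owner, grants=grants, trusted_issuers=issuers)


class LicensingService:
    """Issues use licenses; the only place a content key is ever released."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def protect(self, plaintext: bytes, policy: Policy) -> ProtectedDoc:
        key = os.urandom(32)
        key_id = hashlib.sha256(key).hexdigest()[:16]
        self._keys[key_id] = key
        return ProtectedDoc(_stream_xor(plaintext, key), policy, key_id)

    def request_use_license(self, doc: ProtectedDoc,
                            claims: dict[str, str]) -> UseLicense | None:
        """Deny by default: the issuer must be trusted AND authoritative for the
        e-mail domain it asserts; rights come only from explicit grants."""
        email = claims.get("email", "").lower()
        domain = email[email.find("@"):] if "@" in email else ""
        if not domain or doc.policy.trusted_issuers.get(claims.get("issuer", "")) != domain:
            return None
        rights: set[str] = set()
        for principal, granted in doc.policy.grants.items():
            if principal.lower() in (email, domain):
                rights |= granted
        if not rights:
            return None
        return UseLicense(rights=rights, key=self._keys[doc.key_id])


def consume(doc: ProtectedDoc, lic: UseLicense, action: str) -> bytes | None:
    """Enabled-application side: perform the action only if the license grants it."""
    if action not in lic.rights:
        return None
    return _stream_xor(doc.ciphertext, lic.key)


def run_demo() -> dict[str, object]:
    """Constructed scenario: contoso publishes, fabrikam partners get read-only."""
    svc = LicensingService()
    policy = library_policy(
        "alice@contoso.example",
        {"alice@contoso.example": "Full Control", "@fabrikam.example": "Read"},
        {"adfs.contoso.example": "@contoso.example",
         "adfs.fabrikam.example": "@fabrikam.example"},
    )
    doc = svc.protect(b"Q3 roadmap (constructed sample)", policy)
    partner = svc.request_use_license(
        doc, {"issuer": "adfs.fabrikam.example", "email": "bob@fabrikam.example"})
    spoofed = svc.request_use_license(  # fabrikam's AD FS asserting a contoso user
        doc, {"issuer": "adfs.fabrikam.example", "email": "alice@contoso.example"})
    return {
        "partner_rights": sorted(partner.rights) if partner else None,
        "partner_can_view": consume(doc, partner, "view") is not None if partner else False,
        "partner_print_blocked": partner is not None and consume(doc, partner, "print") is None,
        "spoofed_issuer_denied": spoofed is None,
    }


if __name__ == "__main__":
    print(run_demo())
```

The mapping from library permission levels to rights, the claim dictionary and the issuer table are illustrative choices; the point to carry over to a real deployment is the check in request_use_license: a federation partner's claims are only honoured for the domain that partner is trusted to speak for, and a principal with no explicit grant receives no license at all.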
The topics that follow in this document describe the architecture required for an infrastructure that enables secure collaboration between two organizations through Office SharePoint Server and provides step-by-step instructions on how to implement it.