Microsoft has a (relatively new and not well known) technology called Rights Management Services (RMS). When used with Office 2003, it provides the ability to apply rights to individual documents and emails, enabling an author to control access and distribution. For example, if you wanted to send out an email containing sensitive data, and did not want any recipient to forward the email on to other people, you click a button and, hey presto, the email is sent with certain features unavailable. Recipients can not forward the email, print it, cut/copy & paste it and if they reply to the email, the original message is removed (they can’t even open it to read the email if they are not on the approved recipients list). Another example: if you have a document containing time-sensitive content, such as a price list, you might want to set an expiry date. Beyond the expiry date, the document can no longer be opened – this could prevent people from accidentally using an out-of-date price sheet when selling products. If you have a document you want to collaborate on with only a limited group of people, you can restrict who has the right to view, edit and print the document.
This ability is sometimes called document security, but that description is wrong and can be misleading. The accurate definition is controlling distribution of content. It’s a subtle but important difference. When a document has rights applied to it using RMS, the rights (lets call them ‘a lock’) live with the document. When someone tries to access the document, they will be challenged – the appropriate certificate (let’s call it a ‘key’) is required before the document can be opened. However, because the rights live with the document, and the document is allowed to travel outside the boundaries of a company’s own IT systems, the potential will always exist for someone, with suitable tools and patience, to crack open the document without a key. It’s just like a safety deposit box. You put items into a safety deposit box (locked) to control who has access to those items (the key holders). However, if you decide to leave the safety deposit box in the park, someone is going to pick it up and, eventually, they will get the box open by fair means or foul. That’s why you store the safety deposit box in a vault. The vault is the security layer. Yes, vaults do occasionally get broken into. But it’s a lot harder to do than taking that safety deposit box home and working on it in your own time, and when it happens, you know it has happened. The big hole in the wall and the people wearing balaclavas are a bit of a give away.
The Rights Management Service is a useful tool when you have a need to control distribution of content. It is not unbreakable – you can’t stop someone using a camera to take a photo of the document whilst it is displayed on their monitor screen – but it is a lot lot better than no restrictions at all when handling sensitive content, and is certainly better than traditional methods, such as sealed and recorded delivery of physical copies of the documents. If you want document security, you need to consider the vault – the store where the document will reside – and you need to consider the implications of allowing the document to be removed from that vault, from a security perspective.