How Microsoft and RSA plan to protect our sensitive data

Mention Microsoft and security in the same sentence and most people will scoff but these day’s it really a bit unfair… Windows security has come a long way (it still has a way to go too) but nevertheless, many of the customers that I deal with run third party solutions (often at great cost) rather than trust their data security to Microsoft.

Then there’s digital rights management (DRM) – we hear a lot about how DRM is applied to music and video downloads but little about the real practical use of this technology – making sure that only those who are entitled to see a particular item of data (for example medical records or financial details) are able to access it.  Microsoft has rights management services built into Windows as one of the many identity and access solutions but it seems to me that very few organisations use this capability.  Perhaps a few of the frequent and high profile Government data security mishaps would be mitigated if DRM was applied to their data…

Today, Microsoft and RSA – a well-respected security company, now absorbed into EMC – announced an expansion of their technology partnership.  Under the terms of this partnership, Microsoft will license the RSA Data Loss Prevention (DLP) classification engine in order to trigger policy-based controls over information.

Tom Corn, Vice President of Product Management and Marketing for RSA’s Data Security Group, explained that organisations have a requirement to share information without limiting accessibility – striking a balance between security and accessibility.  Slating existing point products as costly, complex and not addressing the problem he explained how:

  1. Protection is an end-to-end problem and the data moves around – existing products only acts at certain points in the data exchange.
  2. Infrastructure components lack visibility of the data sensitivity – context is required to classify data and take appropriate actions.
  3. Existing tools and controls lack identity awareness, making it difficult to tie protection to identity.
  4. Management – security policies often exist as binders on shelves and may be written by different groups within an organisation (e.g. security, or operations) leading to a disconnected approach.  All too often the management policies are infrastructure-centric (e.g. laptop security policy, Internet security policy) rather than information-centric (e.g. credit card data storage policy).

Meanwhile, John (JG) Chirapurath, Director of Identity and Security at Microsoft spoke about how Microsoft is licensing DLP to build it into products such as Exchange Server and Office SharePoint Server to provide content awareness, then providing identity awareness through components such as Active Directory Rights Management Services (AD RMS) to allow collaboration (which relies on knowledge of identity) whilst protecting intellectual property.  By “building in” and not “bolting on”, Microsoft believes that it can provide an end-to-end solution, supported with centralised management for information-centric policies for usage, protection and access.

Under the terms of the agreement, RSA will launch DLP v6.5 later this month with full integration to AD RMS and, as new versions of products come to market eventually the entire infrastructure will make use of the DLP technology.  Customers are able to protect their investment as the core engine and policy formats exist today and, as the core DLP technologies are adopted into the Microsoft platform, RSA will continue to develop complimentary products (e.g. advanced management consoles).

Microsoft were unwilling to disclose any further details of their roadmap for integrating the DLP product into their products but did comment that the claims-based identity platform codenamed Geneva (formerly Zermatt) is a key part of Microsoft’s identity strategy and that there would be clear advantages in using Windows CardSpace to unlock business to consumer (B2C) scenarios for data exchange.  There was also a hint that management would be possible from RSA’s products and from the Forefront integrated security system product (codenamed Stirling).

All in all, this is a positive step on the part of Microsoft and EMC/RSA.  What remains to be seen is how willing business and Government customers are to invest in protecting their data.  Right now we have a business problem and a technology solution but it seems to me there is an apparent lack of desire to implement the technology and supporting processes.  Let’s hope that by integrating technologies like DLP into the core IT infrastructure, our personal details can remain confidential as we increasingly collaborate online.

Leave a Reply