Rights management needs policies
The little-hyped rights management function in Microsoft Office 2003 has both advantages and disadvantages from a federal user's viewpoint, said Jon Wall, senior technical specialist in Microsoft Corp.'s federal office.
Rights management 'reduces the opportunity for someone to send out something that they shouldn't,' Wall said. But he added, 'I don't lead with rights management' when pitching the values of Office 2003.
The 2003 versions of Excel, Word, PowerPoint and Outlook let their users set permissions for who can read, print, edit or forward each document. They also can set time limits on how a long a document can be read. And agencies can design templates for security purposes, such as usage permissions for classified or sensitive but unclassified files.
An auditing mechanism in Office 2003 shows who accessed which documents.
Unix administrators have long been able to set read and write permissions for files, but the Office feature is more granular, according to Microsoft. For instance, a document based on a security template can be sent out to a distribution list whose membership is variable.
The rights management feature requires Microsoft server software using a public-private key authentication scheme. The user can define the rights through menu items or use agency templates.
Recipients must be recognized by Microsoft's server-based access control software in order to view a sent document in its native form. Earlier versions of Office cannot open documents directly, but users can view them through an Internet Explorer plug-in.
Microsoft is making the application programming interfaces available to third-party software vendors so that other e-mail clients can access the rights-defined documents.
Rights management, for example, would let human resources personnel keep personnel documents on a file server for viewing but not editing by appropriate employees.
In procurement, rights management could guard against information leaks. An individual drafting a request for proposals could forward it to others for review but specify that it could not be copied and sent outside the trusted group.
Office 2003 is not Microsoft's first foray into rights management. Windows Server 2003's Rights Management Services software sets permissions for accessing applications across an enterprise.
Agencies might be slow to adapt rights management, however, Wall said, because it requires new policies for choosing which elements to secure against what types of use.
'Technology-wise rights management is fairly easy to implement, but it does require an agency to step back and make some policy decisions,' Wall said.