Secure collaboration with external users

Application Note
Secure collaboration with external users with RightsWATCH and Azure RMS
Organizations have long struggled with how to protect and control sensitive information that
needs to be shared with external parties, i.e. users that are not “known” to your IT
authentication systems. In a similar manner, IT security officers have long struggled with the
“external users” dilemma, i.e. ways to control access to sensitive corporate information across a
myriad of third parties that need access to the information. This has been a show stopper for
many organizations implementing Information Rights Management (IRM) as the default access
control technology for unstructured file formats. Leveraging Microsoft’s Azure Rights
Management (Azure RMS), RightsWATCH delivers ways for corporate users to share rights-protected files as well as send rights-protected e-mail messages to external parties, without the
overhead and complexity of the IT staff managing “external” users on Active Directory (AD).
How can I share sensitive information with users my IT systems don’t know?
When tackling the “external user” dilemma, the key question has been, “if I can’t validate the identity of a receiving party,
how can I ensure our information is protected?” RightsWATCH provides a simple and straightforward way to enable you to
flexibly collaborate with various partners in a secure and transparent fashion requiring little effort from the user and the IT
department. Leveraging RightsWATCH’s unique integration with Azure RMS, the information shared with external parties
remains protected and users don’t have to change their workflow. Best of all, you can rest assured that the receiving party
is in fact the intended recipient and that Role-based Access Control (RBAC) policies are enforced on those with whom you
share a file or an e-mail of sensitive nature.
RightsWATCH enhances Azure RMS in tackling the “external user” dilemma
RightsWATCH leverages the Azure AD ‘trust fabric’ to handle the credentialing and authentication of the “external user”,
meaning that your IT systems do not have to be burdened with that task. Your users see very little change in their
workflow, and the “external users” can leverage either their company’s Azure RMS credentials, or sign up for a free ‘Azure
RMS for Individuals’ account. But having an Azure RMS account alone does not allow the enterprise to fully enable its user
population to share rights-protected data with “external users”.
When dealing with external users, enterprises should leverage RightsWATCH if they need to enforce corporate information
policies, make Azure RMS templates available to their users and enable the exchange of information to happen via any
media (e.g. e-mail, cloud drive, USB drive, SharePoint, content manager).
Because RightsWATCH trusts Azure AD, those external users do not need to own a dedicated username/password
combination, nor do they need to have RightsWATCH software installed on their laptops or mobile devices to access
the rights-protected e-mails and files.
www.watchfulsoftware.com
© Copyright Watchful Software Inc. 2015 All Rights Reserved.
RightsWATCH enhances Azure RMS in tackling the “external user” dilemma by:
• Enabling the identification of sensitive information via a policy-driven, content-, context- and metadata-aware rules engine
• Allowing the classification, marking and tagging of e-mails and files while you share with “external users”
• Applying Azure RMS templates when sharing information with “external users”
• Applying Azure RMS protection to e-mails, documents and any other file formats to share that information via any media
• Eliminating the need for “external users” to own a dedicated RightsWATCH username/password combination or RightsWATCH software
• Logging client and server side events in a central database for audit trails and forensic analysis purposes
“External Users” collaboration scenario leveraging RightsWATCH
Paul’s company wants to make sure that he is able to share information with John Doe and Steve Smith in a secure fashion.
The company does not expect Paul to be knowledgeable about which data needs to be protected, nor does it trust that Paul is
able and willing to enforce corporate policies on the e-mails and files which he needs to share with John and Steve. At the
same time, the information Paul exchanges with John cannot be shared with Steve, and vice-versa.
Neither John nor Steve is allowed to have RightsWATCH installed on their desktops/mobile devices. Also, John’s and Steve’s
companies do not allow them to incur any extra costs in any licensing needed to have secure collaboration in place.
With RightsWATCH, Paul’s company can rest assured that he will be able to share information with John and Steve and
that all classified e-mails and files will be protected in an automatic and policy driven fashion. If identified as sensitive in
nature by RightsWATCH, those e-mails and files become rights-protected, and an Azure RMS template is applied. Paul does
not need to choose which RMS custom permissions to apply to e-mails and files which he needs to share with John and
Steve. Those are automatically and dynamically enforced on the data, per Paul’s company’s Information Security Protection
policies.
The Azure RMS templates that RightsWATCH applies to the data have Role-based Access Control policies embedded,
meaning that John cannot share the information with Steve, nor the other way around. John and Steve can leverage any
corporate or free Azure RMS enlightened application (MS Office, MS Outlook, RMS Sharing App, etc.) to “consume” the e-mails and files on their multiple devices: desktops, smartphones, tablets.
More info at: www.watchfulsoftware.com and [email protected].