Threat Models and Mitigations

Digital information owners need to be able to evaluate the environments in which their assets will be decrypted. A statement of minimum security standards can provide information owners with a framework for understanding and assessing the security level of the applications to which they entrust their information.

Some industries, such as government and health care, have certification and accreditation processes and standards that may apply to your product. Meeting these minimum security recommendations is not a substitute for the unique accreditation needs of your customers. However, the intent of the security standards is to help you prepare for current and future customer requirements, and any investment you make early in the development cycle will benefit your application. These are recommendations, not a formal Microsoft certification program.

There are several major categories of vulnerabilities in a rights management services system, including:

  • Leakage — Information appears in unauthorized locations.
  • Corruption — Software or data is modified in an unauthorized manner.
  • Denial — A computing resource is not available for use.

These topics focus primarily on leakage issues. The integrity of a rights management services system depends upon its ability, over time, to protect information, enabling access only to designated entities. These topics also touch upon corruption issues. Denial issues are not covered.

Microsoft requires minimum security standards of partners who are building AD RMS-enabled applications and want to receive a signed certificate out of the production hierarchy (a production certificate). Partners attest to having met the minimum standards when they sign a legal agreement to obtain the production certificate. Microsoft does not test or review test results related to meeting the minimum standard; it is entirely up to the partner to ensure the minimum standards are met. Microsoft provides two additional levels of recommendations to help mitigate common threats. In general, these suggestions are additive — for example, meeting preferred recommendations assumes that you have met minimum standards, where applicable, unless otherwise specified.

| Standard level | Description |
| --- | --- |
| Minimum standard | An application that handles AD RMS-protected information must be determined to meet the minimum standard before the application can be signed with the production certificate received from Microsoft. Partners generally use the production hierarchy certificate only at the time of final release of the software when partners' own internal tests have verified that the application meets this minimum standard. Meeting the minimum standard is not, and should not be construed as, a guarantee of security by Microsoft. Microsoft does not test or review test results related to meeting the minimum standard; it is entirely up to the partner to ensure the minimum is met. |
| Recommended standard | Recommended guidelines both chart a path to improved application security and provide an indication of how AD RMS may evolve as more security criteria are implemented. Vendors might attempt to differentiate their applications by building to this higher level of security guidelines. |
| Preferred standard | This is the highest category of security currently defined. Vendors who develop applications marketed as highly secure should aim for this standard. Applications that adhere to this standard are likely to be the least vulnerable to attack. |


Build date: 3/13/2008