Use Microsoft Rights Management service (Azure RMS) on Your Terms

Control the critical tenant keys securing your sensitive data in the cloud.

As an Azure RMS user, you need to ensure the security of your tenant key. You can choose to protect your tenant key within a robust boundary using Thales hardware security modules (HSMs). The Thales HSMs generate, safeguard and manage the tenant key independent of the software environment.

Download The Solution Brief
Lorem Ipsum dolor sit
In sodales imperdiet libero. Vivamus elit erat, dignissim nec fringilla in, aliquam eget mi. Nulla facilisi. Pellentesque porttitor sem at diam semper quis euismod lacus tristique.
currently not set
Untitled Document

Enhanced Security – Thales High Assurance for Azure RMS

Thales e-Security has an unparalleled 40-year history in delivering data protection solutions to security-conscious businesses, governments and technology vendors including critical key management solutions for some of the most demanding security organizations in the world. Thales solutions currently protect 19 of the 20 largest banks and 4 out of the top 5 aerospace companies. As experts in the field, Thales products and services provide high assurance security so customers can make effective use of cryptographic protection. Now Thales is facilitating how you retain control of your key when you use Microsoft Rights Management service (Azure RMS) in the cloud.  

What are Hardware Security Modules?

HSMs are high-performance cryptographic devices designed to generate, safeguard and manage sensitive key material. Thales nShield HSMs maintain your key securely locked and usable only within the HSM.  This enables you to maintain custody of your key and visibility over its use.


Why Use Thales nShield HSMs with Azure RMS

Thales nShield HSMs ensure that your key is always under your control and never visible to Microsoft. The capability neutralizes the perception that sensitive data maintained in the cloud is vulnerable because the cloud can only be a shared service with a shared security infrastructure.

Security Properties of Azure RMS

Azure RMS offers you multiple levels of control. The RMS server key becomes your tenant key in Azure RMS and you can trade off the level of control you desire versus cost and effort.

    • By default, Azure RMS generates and manages the lifecycle of your tenant key
    • As an option, a unique Bring Your Own Key (BYOK) capability lets you generate your tenant key on premise 
    • For additional levels of security, near-real time usage logs allow you to see exactly how and when your key is being used

How it Works

Thales nShield HSMs create a locked cage protecting your tenant key.  You can cache the tenant key securely from your Thales nShield HSM in your possession to a Thales nShield HSM in Microsoft's Azure data center without leaving the FIPS compliant security boundary created by the HSMs. The tenant key is protected while in Microsoft's data centers – secured within a carefully designed cryptographic boundary that employs robust access control mechanisms that let you enforce separation of duties to ensure the key is only used for its authorized purpose. 

Download our White Paper: "Security World"

Bring Your Own Key

RMS BYOK capability allows you to match the security properties of an on-premise RMS deployment generating your own tenant key on your premises per your IT policies. Transfer your tenant key securely to the cloud-based Thales nShield HSM hosted by Microsoft. 


Download our White Paper: "Hardware Key Management in the RMS Cloud"

Hosted HSM Validation

To ensure that the hosted HSM is an authorized Thales nShield HSM, the RMS BYOK facility provides you a mechanism to validate its certificate. The capability enables you to verify that the key encryption key used to secure the upload of your tenant key was indeed generated in a Thales nShield HSM.

Tenant Key Usage Logs

To ensure that the hosted service is being used strictly on your terms, Azure RMS allows you to sign up to receive near-real time usage logs.  The capability enables you to know exactly how and when your key is used by  Azure RMS.  This gives you total visibility over the managed service.

About Thales e-Security

Thales e-Security is a leading global provider of data protection solutions with more than 40 year experience securing the world’s most sensitive information. Our customers – businesses, governments, and technology vendors with a broad range of challenges – use Thales products and services to improve the security of applications that rely on encryption and digital signatures. By protecting the confidentiality, integrity, and availability of sensitive information that flows through today’s traditional, virtualized, and cloud-based infrastructures, Thales is helping organizations reduce risk, demonstrate compliance, enhance agility, and pursue strategic goals with greater confidence.  Thales has helped secure Microsoft's footprint since 2003 as a Gold Partner.

MS As threats to the confidentiality and integrity of digital data increase, enterprise rights management solutions have emerged to protect data exchanged within collaborative work environments. By embedding enforceable security policies on data assets, the distribution and consumption of individual files and documents can be controlled within authorized user communities.

On-premise and emerging cloud-based enterprise rights management (ERM) solutions employ cryptography to secure protected content and control distribution. Securing the cryptographic keys used by these solutions is critically important to ensure the security of enterprise data within and across organizational boundaries. 

Exposure of cryptographic keys compromises sensitive data and intellectual property. Whether using enterprise RMS on-premise, in a hybrid configuration or completely in the cloud as a hosted service, the control of the keys that protect customers’ most sensitive data and intellectual property is indispensable.