At the risk of annoying yet more people at Microsoft after my comments in this week’s Computer Weekly, last night I attended what was probably the worst Microsoft event I’ve ever been to. To be fair to Microsoft, they are kind of pre-occupied this week… some sort of big launch happening today… something called Windows Vista and Office 2007… but this was Bad (note the capital B).
I’m not sure if I should name the presenters – I’ll just say that there was an IT Pro Evangelist who is normally both a good presenter and who generally gives the impression of possessing detailed product knowledge (something which was sadly lacking at this event) supporting someone from the marketing side of the organisation as she gave a very superficial run through a slide deck with which she was clearly unfamiliar.
The topic was Office Groove 2007 and this was supposed to be a technical overview. To me, it felt like an unrehearsed dry run of a presentation about a product that has been bought into the company and which, based on last night’s presentation, very few Microsoft people understand. Luckily, Ray Jordan from D2i Solutions – the UK distribution partner for the original Groove Networks product line – was extremely knowledgeable and stepped in to rescue the event (although he seemed to disappear at the refreshment break – presumably embarrassed at having to answer questions from the audience to pick up on the Microsoft presenters’ shortcomings).
For those who are not familiar, Groove Networks was a company founded in 1997 by Ray Ozzie (originally of Lotus Notes fame and now Microsoft Chief Software Architect) which specialised in collaboration products and was purchased by Microsoft in 2005. There’s some speculation as to whether Microsoft wanted the company’s products or were really after Ray Ozzie himself, but whatever the politics, Groove Virtual Office is now being absorbed into Microsoft Office.
I used Groove Virtual Office 3.1 for a recent project and found it both useful and impressive. With the launch of Office Groove 2007, I was interested to see what Microsoft has done to the product. It seems that the product bundling has changed and there are some minor changes but on the whole it’s very similar.
Office Groove 2007 is a team workspace application that provides for greater collaboration between customers, partners and colleagues, with each user having access to a number of collaborative workspaces across a range of projects. These workspaces may be customised with a range of tools and templates to allow people to use their time effectively through offline working, yet remaining synchronised.
Whereas users in a corporate environment are used to sharing information using file servers and intranets, once a project or other collaboration requirement crosses organisational boundaries it gets more difficult. Groove overcomes this using a highly secure yet distributed architecture whereby each workspace member synchronises changes with others and a relay server acts as a broker when workspace members are offline.
The process of sharing a workspace involves either synchronising a local folder via Groove or creating a new XML datastore, protected using an internal PKI mechanism (with 192-bit AES encryption), then inviting others to join the workspace and sharing encryption keys between members. Each workspace member is allocated one of three roles – manager, participant or guest – and has an exact copy of the workspace. These roles can be amended within the workspace properties and the permissions assigned to each role can also be adjusted. When synchronising changes only the changed portions of the database are transmitted (a hash is calculated on the whole file and on each portion of the file – by comparing hashes it is possible to work out which portions have been modified) and because each change and the whole workspace is signed using the internal PKI (as well as all network traffic) it is impossible to inject any malicious changes.
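The hash comparison described above can be sketched as follows. This is an added example, not Groove's own code: it shows how a whole-file hash plus per-portion hashes identify what to transmit, and how the receiver rejects a portion that does not match. SHA-256, the 4096-byte portion size and all function names are assumptions, and the signing of changes is not modelled, so the manifest itself is treated as trusted.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed portion size; the article does not give one


def digest(data: bytes) -> str:
    # SHA-256 is an assumption; the article does not name the hash used.
    return hashlib.sha256(data).hexdigest()


def manifest(data: bytes, size: int = BLOCK_SIZE) -> dict:
    """Hash the whole file and each fixed-size portion of it."""
    portions = [data[i:i + size] for i in range(0, len(data), size)]
    return {"whole": digest(data), "portions": [digest(p) for p in portions]}


def changed_portions(old: dict, new: dict) -> list:
    """Indexes of portions in the new version that must be transmitted."""
    if old["whole"] == new["whole"]:
        return []  # whole-file hashes match: nothing to send
    return [i for i, h in enumerate(new["portions"])
            if i >= len(old["portions"]) or old["portions"][i] != h]


def apply_delta(old_data: bytes, new: dict, delta: dict, size: int = BLOCK_SIZE) -> bytes:
    """Rebuild the new version from the local copy plus received portions,
    rejecting any portion (or final result) whose hash does not match."""
    out = bytearray()
    for i, expected in enumerate(new["portions"]):
        portion = delta.get(i, old_data[i * size:(i + 1) * size])
        if digest(portion) != expected:
            raise ValueError(f"portion {i} failed its hash check")
        out += portion
    if digest(bytes(out)) != new["whole"]:
        raise ValueError("whole-file hash mismatch")
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample data: one portion edited, one short portion appended.
    old = b"A" * 4096 + b"B" * 4096 + b"C" * 4096
    new = b"A" * 4096 + b"X" * 4096 + b"C" * 4096 + b"D" * 100
    m_old, m_new = manifest(old), manifest(new)
    idx = changed_portions(m_old, m_new)
    delta = {i: new[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE] for i in idx}
    print(idx, apply_delta(old, m_new, delta) == new)
```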
If a workspace member does not access the workspace for 21 days then they are uninvited – a process which involves all other members having new keys issued – effectively locking the absent member out of the workspace. If a member cannot sign in they can still work offline and access data but no changes will be synchronised. When I suggested that this was a security loophole it was pointed out to me that it is really no worse than traditional methods of sharing data (e.g. transferring files via e-mail) and that digital rights management can be applied to further protect the data (although that would remove many of the advantages of offline access to the workspace).
In addition to controlling workspace members, Groove is able to synchronise data between devices (e.g. a home PC and a work PC) by inviting other devices into the workspace. If a conflict does occur during synchronisation, then two copies are created and the duplicate is suffixed with the username.
Within Groove, it’s easy to identify new content as it gains an additional red flash on the icon. There’s also a communications manager which can be used to monitor the status of synchronisation.
By default, Groove communicates using its native simple symmetrical transfer protocol (SSTP) over TCP port 2492. If this port is unavailable (e.g. blocked by a firewall) then the client and/or relay servers will encapsulate messages within standard HTTP and drop back to using HTTPS over port 443 or, as a last resort, HTTP on port 80, as described in Microsoft knowledge base article 917165.
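For administrators who want to know whether Groove clients are active on their network, the port behaviour described above gives a simple signal to look for in firewall logs. The following is an added example, not taken from the article or from Microsoft: the log format, the 60-second correlation window and the sample lines (using documentation IP ranges) are all constructed for illustration.

```python
from datetime import datetime, timedelta

SSTP_PORT = 2492                # Groove's native port, per the article
FALLBACK_PORTS = {443, 80}      # fallback ports described in the article
WINDOW = timedelta(seconds=60)  # assumed correlation window

# Constructed sample in a made-up "time src dst dport action" format.
SAMPLE_LOG = """\
2007-01-30T09:00:01 10.0.0.5 192.0.2.10 2492 ALLOW
2007-01-30T09:00:02 10.0.0.7 192.0.2.10 2492 DENY
2007-01-30T09:00:05 10.0.0.7 192.0.2.10 443 ALLOW
2007-01-30T09:00:09 10.0.0.8 198.51.100.4 443 ALLOW
2007-01-30T09:05:00 10.0.0.9 192.0.2.10 2492 DENY
2007-01-30T09:10:00 10.0.0.9 192.0.2.10 80 ALLOW
"""


def parse(line):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def classify(log_text):
    """Map each source host to 'native', 'fallback' or 'blocked'.

    native   - reached a peer or relay on TCP 2492
    fallback - 2492 was denied, then 443/80 to the same destination
               succeeded within WINDOW (probable HTTP encapsulation)
    blocked  - 2492 was denied and no matching fallback was seen
    Assumes the log is in chronological order.
    """
    findings, denied = {}, {}
    for ts, src, dst, dport, action in map(parse, filter(None, log_text.splitlines())):
        if dport == SSTP_PORT:
            if action == "ALLOW":
                findings[src] = "native"
            else:
                denied[(src, dst)] = ts
                findings.setdefault(src, "blocked")
        elif dport in FALLBACK_PORTS and action == "ALLOW":
            seen = denied.get((src, dst))
            if seen is not None and ts - seen <= WINDOW and findings.get(src) != "native":
                findings[src] = "fallback"
    return findings


if __name__ == "__main__":
    for host, state in sorted(classify(SAMPLE_LOG).items()):
        print(host, state)
```

Traffic on ports 443 and 80 alone is not distinctive, which is why the sketch only reports a fallback when it follows a denied connection to the same destination on port 2492.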
Each workspace can be based on a standard template or can include additional collaboration tools, including file sharing, discussion tool, calendar, forms, SharePoint files, meeting tool, notepad, pictures and a sketchpad. It’s also possible to build custom forms (or to import them from InfoPath). In addition to workspaces, Groove provides an instant messaging and presence awareness capability for workspace members. I found it strange that Microsoft should continue the use of the Groove instant messaging feature (in addition to its other IM clients) but in reality this is the lowest common denominator – it will read contact lists for both Windows Live Messenger and Office Communicator but because there are no guarantees that all workspace members will be using the same instant messaging client, building the capability into Groove neatly circumvents any connectivity issues.
One of the main changes with Microsoft Office Groove is the product packaging – whereas the Groove Networks incarnation of the product was based around a distributed network of users and Groove’s own public (but highly secure) servers, corporate customers need to see that their data is stored on servers under their own control, with tight controls over account creation. Consequently, Microsoft have made it easier for corporate clients to run the Groove server product internally.
In addition to the Office Groove client application, there are a number of server roles – manager, relay (which stores and forwards synchronisation data and messages between workspace members when some come online but others are offline), data bridge (to allow the extension of data to other teams) and an enterprise auditing management server.
Centralised administration is made possible using policies to apply identity and device controls (e.g. throttling bandwidth). The Groove server maintains its own account database (which can be synchronised with other directory servers) for provisioning and revoking access and this is where Groove’s heritage is obvious – it would seem reasonable to expect future versions of the product to feature tighter Active Directory integration and possibly the use of ADAM where a connection to a non-Microsoft directory is required.
One potential issue for organisations looking at using Groove in a centralised manner is that of backing up the distributed data within Groove, because there is no central storage location and backups of local copies of the workspace can be invalidated by subsequent PKI key changes. Microsoft’s answer is that the synchronisation mechanism provides built-in protection – certainly more than is generally afforded to user data held on individual PCs.
There is still a hosted version of the product – Office Live Groove. This allows for workspace members to use the Groove client with a public relay server; however they do not lose any of the security within the product. All communications are still signed and all data on the relay server is transient. For many organisations that do not want to maintain their own Groove server infrastructure, this is an ideal solution.
In all, Office Groove 2007 looks to be a great product. The only problem I can see is persuading an IT Manager from a blue-chip corporate to look at a product called “Groove” (it’s probably not such an issue in a creative organisation). Maybe the usual bland Microsoft product names are not so bad after all…
To find out more, read the Microsoft Office Groove 2007 product guide or download a trial version of Office Groove 2007 – both are available from the Microsoft website.
The only thing that worries me is how easy it is to circumvent an organisation’s file distribution policies when you have a tool that just replicates things (including potentially dangerous files) from one machine to another. We’ve all been in companies which prohibit people from using USB sticks to transfer files; do you reckon they’ll let staff use Groove when all you need to do is invite your home PC into your workspace and just replicate stuff across?
Hi Owen,
Fair comment – you’re correct that it won’t suit all organisations and I think that’s why Microsoft has placed a greater emphasis on the internally-hosted solution. This allows policies to be applied to the devices and individuals who are allowed to connect – potentially it could be limited to only allow replication with machines that are VPNed into the corporate network (at which point other systems such as network access protection can be used to guard against the dangers presented by computers outside the direct control of corporate administrators).
Microsoft made an extremely valid point to me when I questioned data being replicated to people outside the organisation – we do it today, but we use e-mail instead!
The answer is probably rights management (for confidential data) and some sensible policies around data security.
Regardless of all this, there’s very little stopping a user from installing Groove without the knowledge of their IT department – organisations need to be ready to deal with this through appropriate IT policies, although those who are paranoid about USB devices probably already have the desktop locked down pretty tightly and so have less to be concerned about.
Cheers, Mark
Just a couple of footnotes:
Please be aware the link you have provided for the free 60-day Groove download is for US residents only :( (form validation requires a US zip code)
studdymx
Here’s the UK link. For anyone who wants to find it in another country, I found this by going to http://office.microsoft.com/en-us/groove/default.aspx, then changing en-us to en-gb (http://office.microsoft.com/en-gb/groove/default.aspx) and following the link on that page.
I have a problem migrating workspaces and keeping the user roles, i.e. when I migrate to Office Groove 2007, everyone becomes a participant. There are no Managers. Any suggestions?