A look into information rights management

Information rights management (IRM) is the set of techniques and methods which protect the highly sensitive information of the organisation irrespective of the file location whether it resides “in” or “outside” the corporate boundaries. This happens as the permissions embedded inside the file don’t allow unauthorised access, modification, copying or printing. This is typically done for protection of financial documents, intellectual property such as patents, design blueprints and executive communications.

IRM broadly speaking addresses the fundamental problem associated with data leak protection (DLP), which heavily relies on protection of sensitive file within the corporate network typically at its end points. It protects the data based on its location (directory, file server/database) or in data in transit, but doesn’t give the protection at a more granular level, i.e. information contained in file itself. IRM currently applies mainly to documents and emails in typical corporate environment setting.

While DLP is “transmission control” technology, IRM is “usage control” technology.

Why do we need IRM?

The rationale for using IRM is that the privacy information associated with data must travel along with it. The copying of that data must not lose the associated rights to that information. Rights to modify, update, restrict or even destroy that information must be retained by the individual it pertains to, even when a third party holds that information.

In larger context, IRM helps organisations in enforcing corporate policy governing the secure flow of highly sensitive data in the organisation. File protections are defined and enforced based on user’s identity along with corporate policy on a given class of data. The best way to protect information is to do it directly at the level of the information – and not at the level of many system(s) which might change, transport or store the information.

What exactly can be achieved with IRM?

• Preventing restricted content from unauthorised modification, copying, printing or pasting.
• Disabling the ‘print screen’ feature in Microsoft Windows from taking snapshots of restricted content.
• Restricting content exposure wherever it is sent.
• Support file expiration so that contents in documents are rendered un-viewable (or viewable) automatically after a set time.
• Full auditing of both access to documents as well as changes to the rights/policy by business users.

What can’t be prevented using IRM?

• Sensitive content from being erased, stolen, captured or transmitted by malicious programs.
• Content from being lost or corrupted due to virus infection.
• Restricted content from being hand-copied or retyped from a display screen.
• Taking digital photographs of the restricted content displayed on a screen by unauthorised person.
• Snapshots of restricted content are possible using third party screen-capture tools.

Are digital rights management (DRM) and IRM the same?

Not really. Digital rights management (DRM) technologies are typically used by hardware manufacturers, publishers, copyright holders and individuals with the intent to limit the use of digital content and devices “after sale”. It is specifically targeted to defeat any attempts for rich media piracy like Blu-ray, CD, DVD, tapes and records. In the United States, a legal mandate called Digital Millennium Copyright Act (DMCA) exists which imposes criminal penalties on those who make available technologies whose primary agenda is to bypass content protection technologies.

The main focus of DRM is to defeat copyright infringement by putting “digital locks” to rich media in business to customer domain, while IRM restricts itself to sensitive information exchange in business to business domain such as merger-acquisition plans, design blueprints, patents, financial statements and strategic business plans.

Key for IRM’s successful implementation

The strength of IRM is typically reserved for very sensitive information that travels outside an organisation — to vendors, suppliers, outsourced parties, partners etc. But challenges for proper authentication are quite complex outside the enterprise. Here, three approaches must be used for effective implantation of IRM enterprise based solutions:

1) Automating policy assignment

More automated is policy assignment, better is IRM implementation. This happens as automation eliminates human errors resident in manual processes which in turn make it more effective. They can automatically protect documents such as price lists, product specifications, and manufacturing process description. This works effectively because if we let document authors be the sole arbiter of what to protect, it puts an unwelcome burden on them. They may neglect to do it correctly, consistently, or at all.

Organisations can automatically assign policies to entire information groups such as anything saved to a certain folder, content of a certain type, or information that has reached a particular stage in a workflow. This saves time, ensures consistency, and is the most efficient way to manage large volumes of sensitive information with IRM.

2. Dynamic policy control

As business conditions evolve, IRM policies that govern the use of content must evolve as well. Regulatory changes will almost always require modifications to information policies such as patent expirations, litigation settlements, mergers and acquisitions.

Dynamic policy control enables recipient entitlements to be changed when individual roles or business needs change, regardless of where the content resides – even when its location is unknown. Policies reside on a policy server, not within the content. So they can be changed or revoked at any time. Rights can also be set to automatically expire.

3. Discretionary policy application

In the enterprise, discretionary use of IRM is an option that should be used in addition to rather instead of automated policy application.

Audit trail

An audit trail is an unalterable, chronological log of access to a system and a record of additions, changes, and deletions to information that system manages, which lists the person accessing the system, and the time of access, and the action taken.

Steps before implementing IRM

Before implementing an IRM solution, organisations should answer a set of question;

• Outline business areas where sensitive information is frequently exchanged.
• What needs to be protected (documents, email etc.)
• How will security policies be enforced to protect this sensitive information or communication?
• Who can use the information (people, group)?
• What a user can do with that information (read, write, print or forward)?
• When can the user access the information (time duration and dates)?
• Where can the information be accessed from (in office, home)?
• What would be the consequences to the business if this information ended up in the wrong hands?
• Does the organisation retain any employee, customer, or member information that could be used in identity theft if it were exposed, either through loss or theft?

Challenges in IRM implementation

The biggest roadblock in IRM successful implementation is the inadequate commitment shown by senior management. Management has to be convinced and made aware the value of information in the business. Consequences of losing sensitive information must be highlighted such as unwanted loss in brand image and reputation, and losing client and stakeholder confidence. Unpleasant lawsuits may proceed if the leakage of sensitive information is made public.

A common mistake made by senior managers during implementation is that they delegate the entire part of IRM implementation to the IT team and not take much responsibility for it. It is important to note that IRM must be top driven from senior management which only can bring about a cultural change in the organisation. Without their support, implementation at the best stays patchy and disorganised.

IRM’s restrictive nature and perceived usage hassles may at first not easily gel with users. Users must be made to undergo a mandatory training and awareness workshop to help ease through this process. Suggested methodology can be summarised as:

Methodology for managers to inducing change in users

• Unfreezing: This step alters the forces on individuals sufficiently such that they are distracted to opt for a change. It reduces the user resistance due to increased peer pressure to induce them to go for a change.

• Moving: This step presents direction of the change and the actual practice of learning new attitudes.

• Refreezing: The final step forges the changed attitudes and learned skills in users.

A good practice will be to train some of the people in the organisation and nurture them as champions in usage of IRM. It will be better if at least one person from every department is included as a part of the IRM implementation task force. This task force will work in close cooperation with vendors/security team during implementation process.

After the official implementation is over, these champions will provide the first point of reference and support for any issues arising in DLP to new users. Hence, user satisfaction increases and consequently resistance to adopt new technology is lowered down.

Miscellaneous factors

• External User Authentication for partners, vendors, suppliers and outsourced parties must be strong enough and well formed. Any loose ends will damage the confidentiality of the information.

• Most IRMs like Microsoft’s Windows Rights Management Services are great for Windows and Office. But they are mainly for Microsoft apps. For apps like in CAD or blueprints, other solutions are either from small vendors or very limited in scope.