information rights management(irm)

Upload: niiconsulting

Post on 03-Apr-2018


  • 7/29/2019 Information Rights Management(IRM)


    INFORMATION RIGHTS MANAGEMENT IMPLEMENTATION AND CHALLENGES

    From

    An article on Information Rights Management (IRM) and our methodology for its proper implementation in achieving secure flow of sensitive information within and beyond the organizational boundaries.

    http://www.niiconsulting.com/

    Information Rights Management[IRM]

    Confidential Network Intelligence (India) Pvt. Ltd.

    Document Tracker

    Author: Manasdeep
    Version: September 2012
    Summary of Changes: Document Created


    NOTICE

    This document contains information which is the intellectual property of Network Intelligence. This document is received in confidence and its contents cannot be disclosed or copied without the prior written consent of Network Intelligence.

    Nothing in this document constitutes a guaranty, warranty, or license, expressed or implied. Network Intelligence disclaims all liability for all such guaranties, warranties, and licenses, including but not limited to: Fitness for a particular purpose; merchantability; non infringement of intellectual property or other rights of any third party or of Network Intelligence; indemnity; and all others. The reader is advised that third parties can have intellectual property rights that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice of competent legal counsel, without obligation of Network Intelligence.

    Network Intelligence retains the right to make changes to this document at any time without notice. Network Intelligence makes no warranty for the use of this document and assumes no responsibility for any errors that can appear in the document nor does it make a commitment to update the information contained herein.

    Copyright

    Copyright. Network Intelligence (India) Pvt. Ltd. All rights reserved.

    NII Consulting, AuditPro, Firesec, NX27K are registered trademarks of Network Intelligence India Pvt. Ltd.

    Trademarks

    Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners' benefit, without intent to infringe.

    NII CONTACT DETAILS

    Network Intelligence India Pvt. Ltd.
    204 Ecospace, Old Nagardas Road, Near Andheri Subway, Andheri (E),
    Mumbai 400 069, India
    Tel: +91-22-2839-2628
         +91-22-4005-2628
    Fax: +91-22-2837-5454
    Email: [email protected]

    Contents

    1. Introduction
    2. Why do we need IRM?
    3. What exactly can be achieved with IRM?[1]
    4. What can't be prevented using IRM?
    5. Are Digital Rights Management (DRM) and IRM same things?
    6. Key for IRM's successful implementation[5]
       a. Automating policy assignment
       b. Dynamic policy control
       c. Discretionary policy application
       d. Audit Trail
    7. Steps before implementing IRM[6]
    8. Popular IRM vendor list
    9. Challenges in IRM implementation
       a. Lack of commitment by senior management
       b. User Unwillingness to change
       c. Miscellaneous Factors[5]
    10. References


    1. INTRODUCTION

    Information Rights Management is the set of techniques and methods which protect the highly sensitive information of the organization irrespective of the file location, whether it resides "in" or "outside" the corporate boundaries. This works because the permissions embedded inside the file don't allow unauthorized access, modification, copying or printing. This is typically done for protection of financial documents, intellectual property such as patents, design blueprints and executive communications.

    IRM[4], broadly speaking, addresses the fundamental problem associated with Data Protection Leakage (DLP). DLP relies heavily on protecting sensitive files within the corporate network, typically at its end points. It protects the data based on its location (directory, file server/database) or while in transit, but doesn't give protection at a more granular level, i.e. the information contained in the file itself. IRM currently applies mainly to documents and emails in a typical corporate environment.

    While DLP is a transmission control technology, IRM is a usage control technology.

    2. WHY DO WE NEED IRM?

    The rationale for using IRM is that the privacy information associated with data must travel along with it. Copying that data must not lose the associated rights to that information. Rights to modify, update, restrict or even destroy that information must be retained by the individual it pertains to, even when a 3rd party holds that information.

    In a larger context, IRM helps organizations enforce corporate policy governing the secure flow of highly sensitive data in the organization. File protections are defined and enforced based on the user's identity along with corporate policy on a given class of data.

    The best way to protect information is to do it directly at the level of the information and not at the level of the many system(s) which might change, transport or store the information.


    3. WHAT EXACTLY CAN BE ACHIEVED WITH IRM?[1]

    • Preventing restricted content from unauthorized modification, copying, printing or pasting
    • Disabling Print Screen feature in Microsoft Windows for taking snapshots of restricted content.
    • Restricting content exposure wherever it is sent
    • Support file expiration so that contents in documents are rendered un-viewable (or viewable) automatically after a set time.
    • Full auditing of both access to documents as well as changes to the rights/policy by business users

    4. WHAT CAN'T BE PREVENTED USING IRM?

    • Sensitive content from being erased, stolen, captured or transmitted by malicious programs like Trojans, key loggers etc.
    • Content from being lost or corrupted due to virus infection
    • Restricted content from being hand-copied or retyped from a display screen.
    • Taking digital photograph of the restricted content displayed on a screen by unauthorized person
    • Snapshots of restricted content are possible using 3rd party screen-capture tools


    5. ARE DIGITAL RIGHTS MANAGEMENT (DRM) AND IRM SAME THINGS?

    Not really. Digital Rights Management (DRM)[2] technologies are typically used by hardware manufacturers, publishers, copyright holders and individuals with the intent to limit the use of digital content and devices "after sale". It is specifically targeted to defeat any attempts at piracy of rich media like Blu-ray, CDs, DVDs, tapes and records. In the United States, a legal mandate called the Digital Millennium Copyright Act (DMCA) exists which imposes criminal penalties on those who make available technologies whose primary agenda is to bypass content protection technologies.

    The main focus of DRM is to defeat copyright infringement by putting "digital locks" on rich media, e.g. records, CDs, DVDs etc., in the business-to-customer domain, while IRM restricts itself to sensitive information exchange in the business-to-business domain, such as merger-acquisition plans, design blueprints, patents, financial statements, strategic business plans etc.


    6. KEY FOR IRM'S SUCCESSFUL IMPLEMENTATION[5]

    The strength of IRM is typically reserved for very sensitive information that travels outside the organization to vendors, suppliers, outsourced parties, partners etc. But the challenges of proper authentication are quite complex outside the enterprise. Hence, the following approaches must be used for effective implementation of enterprise IRM solutions:

    a. Automating policy assignment

    The more automated the policy assignment, the better the IRM implementation. Automation eliminates the human errors inherent in manual processes, which in turn makes it more effective. Automated policies can protect documents such as price lists, product specifications, and manufacturing process descriptions. This works effectively because if we let document authors be the sole arbiter of what to protect, it puts an unwelcome burden on them. They may neglect to do it correctly, consistently, or at all.

    Organizations can automatically assign policies to entire information groups such as anything saved to a certain folder, content of a certain type, or information that has reached a particular stage in a workflow. This saves time, ensures consistency, and is the most efficient way to manage large volumes of sensitive information with IRM.

    b. Dynamic policy control

    As business conditions evolve, IRM policies that govern the use of content must evolve as well. Regulatory changes will almost always require modifications to information policies such as patent expirations, litigation settlements, mergers and acquisitions etc.

    Dynamic policy control enables recipient entitlements to be changed when individual roles or business needs change, regardless of where the content resides, even when its location is unknown. Policies reside on a policy server, not within the content, so they can be changed or revoked at any time. Rights can also be set to automatically expire.

    c. Discretionary policy application

    In the enterprise, discretionary use of IRM is an option that should be used in addition to, rather than instead of, automated policy application.

    d. Audit Trail

    An audit trail is an unalterable, chronological log of access to a system and a record of additions, changes, and deletions to the information that system manages, which lists the person accessing the system, the time of access, and the action taken.
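The following sketch ties sections 6a, 6b and 6d together: folder-based policy assignment, server-side rights that can be revoked or expire after the file has left, and an audit log whose entries are hash-chained so later edits are detectable. It is an added example, not code from this paper or from any IRM product; the class, method names, users and paths are hypothetical, and the hash chain is one common way to approximate the "unalterable" log described above.

```python
import copy, hashlib, json
from datetime import datetime, timezone

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class PolicyServer:
    """Toy policy server (hypothetical API): rights are held here, not in the file."""
    def __init__(self):
        self.folder_rules = {}  # folder prefix -> policy template
        self.policies = {}      # doc_id -> {"rights": {user: {actions}}, "expires": datetime}
        self.audit = []         # append-only, hash-chained entries

    def register(self, doc_id, path, now):  # automated assignment: the folder decides
        for prefix, template in self.folder_rules.items():
            if path.startswith(prefix):
                self.policies[doc_id] = copy.deepcopy(template)
                self._log("system", doc_id, "assign:" + prefix, True, now)
                return

    def revoke(self, admin, doc_id, user, now):  # dynamic control: hits every copy
        self.policies[doc_id]["rights"].pop(user, None)
        self._log(admin, doc_id, "revoke:" + user, True, now)

    def check(self, user, doc_id, action, now):
        pol = self.policies.get(doc_id)
        ok = (pol is not None and now < pol["expires"]
              and action in pol["rights"].get(user, set()))
        self._log(user, doc_id, action, ok, now)  # denials are recorded too
        return ok

    def _log(self, who, doc_id, action, allowed, now):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"who": who, "doc": doc_id, "action": action,
                 "allowed": allowed, "time": now.isoformat(), "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

def verify_audit(entries):
    """Index of the first entry that breaks the hash chain, or -1 if intact."""
    prev = "0" * 64
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or e["hash"] != _digest(body):
            return i
        prev = e["hash"]
    return -1

def demo():
    at = lambda h: datetime(2012, 9, 1, h, tzinfo=timezone.utc)  # constructed times
    vendor, cfo = "vendor@partner.example", "cfo@corp.example"   # constructed users
    srv = PolicyServer()
    srv.folder_rules["/finance/pricing/"] = {
        "rights": {vendor: {"read"}, cfo: {"read", "print"}}, "expires": at(18)}
    srv.register("doc-1", "/finance/pricing/q3.xlsx", at(8))
    seen = [srv.check(vendor, "doc-1", "read", at(9)),    # granted
            srv.check(vendor, "doc-1", "print", at(9))]   # never granted
    srv.revoke("admin@corp.example", "doc-1", vendor, at(10))
    seen += [srv.check(vendor, "doc-1", "read", at(11)),  # revoked
             srv.check(cfo, "doc-1", "print", at(19))]    # expired
    return seen, srv.audit
```

A hash chain only detects edits to entries that precede a trusted head; in practice the latest hash is periodically stored somewhere the log's administrators cannot rewrite.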


    7. STEPS BEFORE IMPLEMENTING IRM[6]

    So you are ready to implement an IRM solution in your company. But before that, answer this quick checklist:

    • Outline business areas where sensitive information is frequently exchanged?
    • What needs to be protected (documents, email etc.)
    • How will security policies be enforced to protect this sensitive information or communication?
    • Who can use the information (people, group)
    • What a user can do with that information (read, write, print or forward)
    • When can the user access the information (time duration and dates)
    • Where can the information be accessed from (in office, home)
    • What would be the consequences to the business if this information ended up in the wrong hands?
    • Does the organization retain any employee, customer, or member information that could be used in identity theft if it were exposed, either through loss or theft?

    8. POPULAR IRM VENDOR LIST

    • Seclore FileSecure
    • Microsoft Integrated Rights Management
    • Boole Server
    • SmartCipher
    • EMC IRM Product Suite


    9. CHALLENGES IN IRM IMPLEMENTATION

    a. Lack of commitment by senior management

    The biggest roadblock to successful IRM implementation is the inadequate commitment shown by senior management. Management has to be convinced and made aware of the value of information in the business. Consequences of losing sensitive information must be highlighted, such as unwanted loss in brand image and reputation, and losing client and stakeholder confidence. Unpleasant lawsuits may follow if the leakage of sensitive information is made public.

    A common mistake made by senior managers during implementation is that they delegate the entire IRM implementation to the IT team and do not take much responsibility for it. It is important to note that IRM must be driven from the top by senior management, which alone can bring about a cultural change in the organization. Without their support, implementation at best stays patchy and disorganized.

    b. User Unwillingness to change

    IRM's restrictive nature and perceived usage hassles may at first not sit easily with users. Users must be made to undergo a mandatory training and awareness workshop to help ease through this process. The suggested methodology can be summarized as:

    Methodology for managers to induce change in users:

    • Unfreezing: This step alters the forces on individuals sufficiently such that they are distracted to opt for a change. It reduces the user resistance due to increased peer pressure to induce them to go for a change.
    • Moving: This step presents the direction of the change and the actual practice of learning new attitudes.
    • Refreezing: The final step forges the changed attitudes and learned skills in users.

    A good practice is to train some of the people in the organization and nurture them as champions in the usage of IRM. It will be better if at least one person from every department is included as a part of the IRM implementation task force. This task force will work in close cooperation with vendors/security team during the implementation process.

    After the official implementation is over, these champions will provide the first point of reference and support for any issues arising in DLP to new users. Hence, user satisfaction increases and consequently resistance to adopting new technology is lowered.


    c. Miscellaneous Factors[5]

    • External user authentication for partners, vendors, suppliers and outsourced parties must be strong enough and well formed. Any loose ends will damage the confidentiality of the information.
    • Most IRMs, like Microsoft's Windows Rights Management Services, are great for Windows and Office. But they are mainly for Microsoft apps. For apps such as CAD or blueprints, other solutions are either from small vendors or very limited in scope.


    10. REFERENCES

    1. http://www.iotap.com/Blog/tabid/673/entryid/61/Information-Rights-Management-Sharepoint-2010.aspx
    2. http://en.wikipedia.org/wiki/Information_Rights_Management
    3. http://blogs.kuppingercole.com/kuppinger/category/information-rights-management/
    4. http://covertix.blogspot.in/
    5. http://www.rcpbuyersguide.com/dload.php?file=whitepapers/SponsorIndex_EMC_Whitepaper11534369.pdf
    6. http://www.niiconsulting.com/solutions/information_rights_management.html
