IRM: Key To Information Control

Information Rights Management or IRM allows for information (mostly in the form of documents) to be ‘remote controlled’.

Have you ever felt the need to ‘recall’ information that you have sent to other people?

Are you worried about employees with access to confidential information leaving with the information?

Do you really know what happens to confidential information after it is distributed?

Have you visited any website publishing leaked documents recently and checked if your internal documents or memos are there?

Well, let us explore the answers to some of these questions.

The Internet and computers have allowed unprecedented collaboration within and amongst enterprises. Collaboration, however, comes with issues of privacy and security: the more you share, the more you expose yourself to information leakage and theft.

So does this mean that you can’t collaborate or share confidential information? How can R&D organisations share research data without worrying about leakage? How about board communication before it becomes public?

Enter Information Rights Management or IRM – a technology which allows for information (mostly in the form of documents) to be ‘remote controlled’.

Let us look at an example here.

As of now… If Maya sends a document to John for review, then John has complete control over the document after he receives it i.e. he can view it, print it, forward it, make copies etc. In effect, Maya loses all control over the document as soon as it is distributed. There are, of course, legal mechanisms to control usage like Non-Disclosure Agreements, but we all know how effective they are.

With IRM technology… If Maya sends a document to John for review, she retains ‘ownership’ of the document, i.e. she can still control:

1. Who can use the document (in this case only John)
2. What he can do with it (in this case view and perhaps edit, but not print, distribute or make copies)
3. When he can do this (from March 2 to 15) and
4. Where he can access the document from (only in the office)

Not only this, Maya can change these permissions (or ‘rights’) in case she changes her mind later. She can adjust her permissions so that John can view the document and perhaps now print it but not edit it anymore.
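
The Maya and John scenario can be modelled as a policy that is checked every time the document is used. The Python example below is an added illustration, not code from any IRM product; the `Policy` and `PolicyServer` names, the document id `review.doc`, the year 2024 and the second user `eve` are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Policy:
    owner: str
    users: set       # who may use the document
    actions: set     # what they may do with it
    start: date      # when: first permitted day
    end: date        # when: last permitted day
    locations: set   # where it may be opened from

@dataclass
class PolicyServer:
    """Hypothetical central store, consulted on every use of a protected document."""
    policies: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def update(self, doc_id, requester, **changes):
        policy = self.policies[doc_id]
        if requester != policy.owner:
            raise PermissionError("only the owner may change rights")
        for name, value in changes.items():
            setattr(policy, name, value)

    def check(self, doc_id, user, action, when, location):
        p = self.policies.get(doc_id)
        # Default deny: an unknown document or any failed condition refuses the request.
        allowed = (p is not None and user in p.users and action in p.actions
                   and p.start <= when <= p.end and location in p.locations)
        # Both authorised and unauthorised attempts go into the audit trail.
        self.audit.append((user, action, when.isoformat(), location, allowed))
        return allowed

def demo():
    # Constructed sample data: the article gives March 2 to 15; the year is assumed.
    server = PolicyServer()
    server.policies["review.doc"] = Policy("maya", {"john"}, {"view", "edit"},
                                           date(2024, 3, 2), date(2024, 3, 15), {"office"})
    day = date(2024, 3, 5)
    def ask(action, when=day, where="office", user="john"):
        return server.check("review.doc", user, action, when, where)
    before = [ask("view"), ask("print"), ask("view", where="home"),
              ask("view", when=date(2024, 3, 16)), ask("view", user="eve")]
    # Maya changes her mind: John may now view and print, but no longer edit.
    server.update("review.doc", "maya", actions={"view", "print"})
    after = [ask("print"), ask("edit")]
    return before, after, server.audit
```

Because the rights live with the server rather than in the copy John holds, the change Maya makes takes effect on his next request without the document being sent again.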

IRM technology allows for the fine distinction between use and misuse. There are two primary reasons for using an IRM technology, which are listed below.

Security

IRM technology provides security of information, no matter where it is located. Thus, organisation security policies can be implemented irrespective of the location of the information. This is a boon for CISOs of large organisations. Typical scenarios where IRM comes in handy are:

- Information shared with a potential acquirer during the process of an M&A transaction
- R&D information in the form of process, drawings, test results etc
- Information received from customers under an NDA
- Information shared with vendors for the purpose of outsourcing of business processes like data entry and printing

Compliance

Most regulatory compliance frameworks, such as ISO 27001, Sarbanes-Oxley, HIPAA and GLBA, have recommendations on specific controls that need to be put in place.

Choosing the Right IRM Technology

There are quite a few factors for selection of an IRM technology. For CIOs and CISOs of mid- to large-sized organisations, some of the important factors to be kept in mind are:

- Formats and features: Support for common and not-so-common document formats including open source (OpenOffice) and engineering drawing (AutoCAD) formats, security within and outside of the organisation, audit tracking of authorised and unauthorised events, etc.

- Security: Granular definition of rights (who, what, when and where), prevention of screen grabbing and screen sharing tools, strong and industry-standard encryption algorithms etc.

- Ease of use and administration: Internal and third-party authentication, document- and folder-based rights, centralised policy definition along with separation of duties, support for remote deployment, support for virtualised environments etc.

IRM being an emerging technology, there are very few companies providing it. In India, Seclore (www.seclore.com), an IIT Bombay promoted company, has been providing IRM systems largely to financial services and engineering companies.

Conclusion

IRM technology is slowly becoming one of the default infrastructures for security in an organisation. Adoption of this technology needs to be done in phases, starting from the source of confidential information and moving on to the usage.

Gupta is director of Seclore Technology, India.
