The Elusive Silver Bullet: Information Rights Management

By applying both encryption and permissioning capabilities to corporate information, IRM provides the core requirements to protect access to information.

18 June 2009

Information Rights Management (IRM), also known as enterprise digital rights management, has always been the elusive silver bullet for IT organizations trying to protect intellectual property inside and outside the firewall.

By applying both encryption and permissioning capabilities to corporate information, IRM provides the core requirements to protect access to information. First, encryption capabilities ensure that no one is able to access information they are not authorized to see. Second, permissioning capabilities ensure that access authority can be defined based on an individual's role and need to access (view, print, edit etc.) the information.

While corporate employees have many legitimate reasons to exchange information with their counterparts - including their customers, partners and supplier organizations - a lack of established controls increases the risk that improper intellectual property distribution can occur. Additionally, critical information that is linked with financial, logistical or company trade secrets is more and more difficult to control given the proliferation of storage and web messaging platforms in the enterprise. It is just too easy for an unwitting employee to share critical information outside organizational boundaries.

Companies have taken a few approaches towards controlling information leakage and each has had mixed success. One valid line of defense is implementing enterprise-wide applications that primarily provide a security perimeter and sift through information being sent outside the firewall. These applications are generally rule- or policy- driven and result in the overhead required for proactive administration and policy management to make it an efficient tool without blocking valid business transactions.

A second line of defense are Information Rights Management platforms that encrypt information at the source and have permissioning capabilities to restrict access based on organizational or departmental policies. These solutions have had mixed success within the organization, but generally do not work well when information leaves the firewall. The biggest issue here is related to the overhead required for granting access to users outside the firewall and managing the credentials for these users.

As a matter of fact, the whole process of managing the identity, directory and permissions of individual users within and outside the organizations is the most time consuming and difficult to administer part of implementing a pervasive Information Rights Management strategy in an organization.

Here at Intralinks, we initially focused on developing a user and access management model that managed the secure exchange of information across firewalls. This led to the creation of a Global User Directory, which specifies the level of access that individuals have within an Exchange and specifically to a document. Interestingly, this mechanism was almost identical to what is required to protect individual documents through Information Rights Management.

As our permissioning model and user interface evolved, extending these same capabilities to integrate Information Rights Management of individual documents was simple and elegant. An organization now could not only specify who could have access to which document, but also could define what level of access (view, read, edit, print) and for what period of time.

Since documents need to retrieve the most current access settings on each access event, these permissions can be modified or revoked and the change is immediate. Watermarking technologies integrated with Information Rights Management provide another natural extension to protecting critical information as the individual user's email address is overlaid onto the actual document. This provides yet another barrier for unauthorized information sharing. We refer to the whole process as "Document Locking & Protection."

Even though there are no silver bullets, an outside-the-firewall Information Management solution, integrated with organizational policies, provides a practical mechanism for ensuring information security and compliance with a host of regulatory requirements and best practices.

Fahim Siddiqui

Fahim Siddiqui

Fahim served as Chief Executive Officer at Sereniti, a privately held technology company. He was also the Managing Partner of K2 Software Group, a technology consulting partnership providing product solutions to companies in the high tech, energy and transportation industries with clients including Voyence, Inc., E-470 Public Highway Authority and Tellicent, Inc. Previously, Fahim held executive and senior management positions in engineering and information systems with ICG Telecom, Enron Energy Services, MCI, Time Warner Telecommunications and Sprint.