IRM Cloud-Based File Collaboration
Data breaches and data loss due to insider threats, including malicious insiders stealing, manipulating or destroying data, are the fastest-growing risks that keep managers up at night, according to new research by Ernst & Young. How can we ensure that the right people in an organization have the right access to the right information at the right time? The answer may be to make the data itself the gatekeeper of who has permission to access it.
Information Rights Management (IRM) is an evolving technology designed to protect access to sensitive information at the file level. It does this by embedding encryption and user permissions directly into the file. This is different from most other security technologies designed to build protections around sensitive files, not within them.
History of IRM
IRM began as an extension to the traditional Microsoft DRM (Digital Rights Management) that protects files. But, due to its requirement for a plug in to be loaded to the desktop, adoption of DRM didn’t take off. IRM improves on this concept by allowing protections stay with a file, no matter where it goes or who attempts to access it — plug-in free.
With IRM, documents are secured throughout their entire lifecycle, whether at rest, in motion, or in use. Other security technologies tend to protect information at one stage or another. For example, perimeter security solutions such as identity and access management (IAM) protect files from access by unauthorized users. However, once a person is able to access the information, he can pretty much do whatever he wants with it. Email it to someone outside the company. Download it to a mobile device. Move a copy to a less secure storage space. Whatever he wants. What kind of file protection is that?
(Infographic via http://www.weforum.org)
And then there’s data loss prevention (also called data leakage protection), or DLP. This is another technology that is designed to keep sensitive data from going outside an organization’s protective environment. DLP commonly works by inspecting a file’s contents at ingress and egress points and looking for specific words or patterns that match pre-determined rules. For example, anything that looks like a Social Security number within the file content is flagged and the user is prevented from copying that file or sending it outside the company. DLP works best when looking for well-defined content (like Social Security or credit card numbers) but tends to fall short when an administrator is trying to identify other sensitive data, like intellectual property that might include graphic components, formulas or schematics.
Along with technologies like IAM and DLP, IRM is an important part of a defense-in-depth strategy to protect specific kinds of information. It’s not intended for every file an organization produces, but for high value information — especially if the information is to be shared outside the organization. For example, when two companies approach each other about a merger, they need to share highly confidential information with each other. With IRM embedded into the sensitive files, the companies can be assured that file usage is highly restricted and the usage can be revoked by the information owner at any time.
IRM: more important now than ever
IRM has been around for several years, but is more relevant than ever. For one thing, cyber thieves are specifically targeting high value information. It’s one of the reasons why so many corporate executives are being spear-phished. Organized criminals want access to very sensitive corporate financial information. There’s the recent case of hackers stealing financial reports from PR news services before those reports are officially released. Hackers sold the reports to financial traders who used the confidential insider information to enact trades and make a killing in the stock market.
Another reason why organizations need IRM to secure important files is the ever-increasing regulatory climate. Businesses and government agencies alike are under mandates from the likes of HIPAA, SOX, GGLBA, PCI DSS, FERPA and other acronym-laden regulations. Most of them require that access to information be highly restricted, and IRM is one means to achieve that mandate for the duration of a file’s lifespan.
A third reason to use IRM today is that workers are often the source of accidental data exposure. In a research study, Ponemon Institute unveiled that 60 percent of employees have often or frequently either used personal file sharing applications at work, sent unencrypted emails, failed to delete confidential documents as required, or accidently forwarded files to unauthorized individuals. Accidental and careless happen, but IRM can help combat human error by putting the right document controls in place.
Best-kept secret weapon
If IRM is such a great security measure, and the need is so apparent, why isn’t it used by more organizations? Well, it is actually is used by quite a lot of organizations, but because it’s a security measure, they just don’t talk about it. (It’s called “security by obscurity.”)
Still, there have been occasional adoption obstacles. Some IRM products require the installation of software agents on end users’ desktops and other devices. This can be a deterrent for workers that have a locked-down desktop configuration and who cannot install software agents on their own. This has certainly been a barrier for many large corporations. The best way to ensure that IRM is widely adopted and used is to make it seamless to the users across the entire organization. No plug-ins, no extra work on the administration end.
IRM helps IT managers improve and enable the enforcement of corporate policies about document confidentiality, workflow, and email retention. For senior-level executives and CSOs, IRM helps reduce the risk of having key company information fall into the hands of the wrong people, whether by accident, thoughtlessness, or through intentional abuse. It’s time to let the secret out and add IRM as part of your organization’s overall security strategy.
By Daren Glenister
Daren is the Field Chief Technology Officer for Intralinks. Daren serves as a customer advocate, working with enterprise organizations to evangelize data collaboration solutions and translate customer business challenges into product requirements.
Glenister brings more than 20 years of industry experience and leadership in security, compliance, secure collaboration and enterprise software, having worked with many Fortune 1000 companies to turn business challenges into real-world solutions.