How IRM Makes File Collaboration “Security-Aware”

IRM Cloud-Based File Collaboration 

Data breaches and data loss due to insider threats, including malicious insiders stealing, manipulating or destroying data, are the fastest-growing risks that keep managers up at night, according to new research by Ernst & Young. How can we ensure that the right people in an organization have the right access to the right information at the right time? The answer may be to make the data itself the gatekeeper of who has permission to access it.

Information Rights Management (IRM) is an evolving technology designed to protect access to sensitive information at the file level. It does this by embedding encryption and user permissions directly into the file. This is different from most other security technologies designed to build protections around sensitive files, not within them.

History of IRM

IRM began as an extension to the traditional Microsoft DRM (Digital Rights Management) that protects files. But, due to its requirement for a plug in to be loaded to the desktop, adoption of DRM didn’t take off. IRM improves on this concept by allowing protections stay with a file, no matter where it goes or who attempts to access it — plug-in free.

With IRM, documents are secured throughout their entire lifecycle, whether at rest, in motion, or in use. Other security technologies tend to protect information at one stage or another. For example, perimeter security solutions such as identity and access management (IAM) protect files from access by unauthorized users. However, once a person is able to access the information, he can pretty much do whatever he wants with it. Email it to someone outside the company. Download it to a mobile device. Move a copy to a less secure storage space. Whatever he wants. What kind of file protection is that?

cyber-security

(Infographic via http://www.weforum.org)

And then there’s data loss prevention (also called data leakage protection), or DLP. This is another technology that is designed to keep sensitive data from going outside an organization’s protective environment. DLP commonly works by inspecting a file’s contents at ingress and egress points and looking for specific words or patterns that match pre-determined rules. For example, anything that looks like a Social Security number within the file content is flagged and the user is prevented from copying that file or sending it outside the company. DLP works best when looking for well-defined content (like Social Security or credit card numbers) but tends to fall short when an administrator is trying to identify other sensitive data, like intellectual property that might include graphic components, formulas or schematics.

Along with technologies like IAM and DLP, IRM is an important part of a defense-in-depth strategy to protect specific kinds of information. It’s not intended for every file an organization produces, but for high value information — especially if the information is to be shared outside the organization. For example, when two companies approach each other about a merger, they need to share highly confidential information with each other. With IRM embedded into the sensitive files, the companies can be assured that file usage is highly restricted and the usage can be revoked by the information owner at any time.

IRM: more important now than ever

IRM has been around for several years, but is more relevant than ever. For one thing, cyber thieves are specifically targeting high value information. It’s one of the reasons why so many corporate executives are being spear-phished. Organized criminals want access to very sensitive corporate financial information. There’s the recent case of hackers stealing financial reports from PR news services before those reports are officially released. Hackers sold the reports to financial traders who used the confidential insider information to enact trades and make a killing in the stock market.

Another reason why organizations need IRM to secure important files is the ever-increasing regulatory climate. Businesses and Government agencies alike are under mandates from the likes of HIPAA, SOX, GGLBA, PCI DSS, FERPA and other acronym-laden regulations. Most of them require that access to information be highly restricted, and IRM is one means to achieve that mandate for the duration of a file’s lifespan.

A third reason to use IRM today is that workers are often the source of accidental data exposure. In a research study, Ponemon Institute unveiled that 60 percent of employees have often or frequently either used personal file sharing applications at work, sent unencrypted emails, failed to delete confidential documents as required, or accidently forwarded files to unauthorized individuals. Accidental and careless happen, but IRM can help combat human error by putting the right document controls in place.

Best-kept secret weapon

If IRM is such a great security measure, and the need is so apparent, why isn’t it used by more organizations? Well, it is actually is used by quite a lot of organizations, but because it’s a security measure, they just don’t talk about it. (It’s called “security by obscurity.”)

Still, there have been occasional adoption obstacles. Some IRM products require the installation of software agents on end users’ desktops and other devices. This can be a deterrent for workers that have a locked-down desktop configuration and who cannot install software agents on their own. This has certainly been a barrier for many large corporations. The best way to ensure that IRM is widely adopted and used is to make it seamless to the users across the entire organization. No plug-ins, no extra work on the administration end.

IRM helps IT managers improve and enable the enforcement of corporate policies about document confidentiality, workflow, and email retention. For senior-level executives and CSOs, IRM helps reduce the risk of having key company information fall into the hands of the wrong people, whether by accident, thoughtlessness, or through intentional abuse. It’s time to let the secret out and add IRM as part of your organization’s overall security strategy.

By Daren Glenister

Ian Hayes

Pick The Right AWS Course And Ensure A Brighter Future Ahead

Picking The Right AWS Course As the leader of the pack, AWS (Amazon Web Services) is the fastest-growing public cloud service in the industry, and it's all set to extend its dominance with a 52% ...
David Gevorkian

How to Apply Website Accessibility in UX and How to Achieve Better User Experience

Design Tweaks: Apply Website Accessibility in UX In this current digital age, websites have become more complex because of the introduction of various aesthetic designs on a web page interface. It especially affects people with ...
Tunio Zafer

Questions To Ask Every Cloud Storage Provider

Cloud Storage Provider Questions As with many new technologies, attitudes toward cloud storage vary. Telephones were immobile; wearables perhaps unwarranted. And now, the global cloud storage market was estimated at $21.1 7 billion in 2015, ...
Ajay

Deep learning to avoid real time computation

Avoid real time computation “The underlying physical laws necessary for the mathematical theory of a large part of physics and the whole of chemistry are thus completely known, and the difficulty is only that the ...
Anita Raj

A Winning Data Strategy Series Part 3: From Data-driven To An Insight-driven Organization

Insight-driven Organization This is the third piece of a 5-part series on plugging the obvious but overlooked gaps in achieving digital success through a refined data strategy. Data is essential, yes. But the whole idea ...
Nik Thumma Contributor

Why It’s Time for Companies to Move ‘All-In’ on the Cloud

Companies to Move ‘All-In’ on the Cloud The cloud offers businesses innovative ways to optimize operations and achieve amazing results. While many companies have already migrated to the cloud in some capacity, the full scope ...