With so many security experts talking about the need to protect company data and high value information, it’s a bit surprising we don’t hear more about the power of Information Rights Management (IRM).
What is Information Rights Management (IRM)?
IRM is a technology which protects sensitive information by embedding encryption and user permissions directly into the file containing the information. This is different from most other security technologies that build protections around sensitive files.
IRM is an extension to the traditional Microsoft DRM (Digital Rights Management) that protects files; however, due to its requirement for a plug-in to be loaded to the desktop, it was not as widely adopted as it could have been. IRM protections stay with a file, no matter where it goes or who attempts to access it, plug-in free. Documents are protected throughout their entire lifecycle, whether at rest, in motion, or in use. Other security technologies tend to protect information at one stage or another. For example, perimeter security solutions such as identity and access management (IAM) protect files from access by unauthorized users. However, once a person is able to access the information, he can pretty much do whatever he wants with it. Email it to someone outside the company. Download it to a mobile device. Move a copy to a less secure storage space. Whatever he wants. What kind of file protection is that?
And then there’s data loss prevention (also called data leakage protection), or DLP. This is another technology that is designed to keep sensitive data from going outside an organization’s protective environment. DLP commonly works by inspecting a file’s contents at ingress and egress points and looking for specific words or patterns that match pre-determined rules. For example, anything that looks like a Social Security number within the file content is flagged and the user is prevented from copying that file or sending it outside the company. DLP works best when looking for well-defined content (like Social Security or credit card numbers) but tends to fall short when an administrator is trying to identify other sensitive data, like intellectual property that might include graphic components, formulas or schematics.
Along with technologies like IAM and DLP, IRM is an important part of a defense-in-depth strategy to protect specific kinds of information. It’s not intended for every file an organization produces, but for high value information — especially if the information is to be shared outside the organization. For example, when two companies approach each other about a merger, they need to share highly confidential information with each other. With IRM embedded into the sensitive files, the companies can be assured that file usage is highly restricted and the usage can be revoked by the information owner at any time.
IRM is more important now than ever
IRM has been around for several years, but today IRM is more important than ever. For one thing, cyber thieves are specifically targeting high value information. It’s one of the reasons why so many corporate executives are being spear-phished. Organized criminals want access to very sensitive corporate financial information. There’s the recent case of hackers stealing financial reports from PR news services before those reports are officially released. Hackers sold the reports to financial traders who used the confidential insider information to enact trades and make a killing in the stock market.
Another reason why organizations need IRM to secure important files is the ever-increasing regulatory climate. Businesses and government agencies alike are under mandates from the likes of HIPAA, SOX, GLBA, PCI DSS, FERPA and other acronym-laden regulations. Most of them require that access to information be highly restricted, and IRM is one means to achieve that mandate for the duration of a file’s lifespan.
A third reason to use IRM today is that workers are often the source of accidental data exposure. In a research study, Ponemon Institute found that 60 percent of employees have often or frequently either used personal file sharing applications at work, sent unencrypted emails, failed to delete confidential documents as required, or accidentally forwarded files to unauthorized individuals. Accidents and carelessness happen, but IRM can help combat human error by putting the right document controls in place.
So, why isn’t IRM more broadly used?
If IRM is such a great security measure, and the need is so apparent, why isn’t it used by more organizations? Well, it actually is used by quite a lot of organizations, but because it’s a security measure, they just don’t talk about it. (It’s called “security by obscurity.”) For instance, Lawyers Without Borders uses Intralinks VIA® exclusively for secure, easy-to-use file sharing with its clients. By leveraging Intralinks VIA’s IRM capabilities, it can retract access to documents in real time.
Still, there have been occasional adoption obstacles. Some IRM products require the installation of software agents on end users’ desktops and other devices. This can be a deterrent for workers who have a locked-down desktop configuration and cannot install software agents on their own. This has certainly been a barrier for many large corporations.
At Intralinks, we believe that IRM implementation and use should be as easy and intuitive as the security measures are strong – which is why ours is plug-in free. If you have highly valuable information you need to secure, come talk to us about how to lock it down for life.