NEW DELHI, INDIA: Abhijit Tannu has 15 years of rich and varied experience, ranging from managing large turnkey projects, design, and development to quality assurance.
About Seclore Technology: Seclore Technology (incubated by IIT, Bombay) develops innovative solutions in the area of information usage control. Seclore's expertise lies in protection of data irrespective of its location. Seclore is the leading provider of information security solutions in the area of information usage control, information rights management and secure outsourcing.
CIOL: What is Information Rights Management?
Simply put, Information Rights Management is a set of policies and technologies that will help enterprises and individuals to control the usage of documents and the information contained in the documents that are shared.

Typically, enterprises require collaborating within as well as outside to conduct business. This will involve sharing of sensitive data which runs the risk of being mis-used. IRM technologies enable controlling the usage of such documents so that the risk of information breach is mitigated.
CIOL: Is there a need to use Information Rights Management to secure documents which I can easily protect using encryption and password protection?
The answer is YES. Password protection and Encryption allow protection of data when it is stored, e.g. in a file storage or on a hard disk. But when that data is being used, no protection is applied. Also, password protection allows you only to control "access" to the data.
There is no control on how that data is being used after it is accessed. Most data leakages happen via authorized users. For example, if you send me a document which is password protected, and I need to access it, you will need to share the password with me. While you will control "who" has access to the document, you do not have any control over "what" I do with the document after I access it. I can print it, edit it, forward it to somebody whom you'd not like me to.
All of these are issues that are not addressed by common data protection tools. With IRM you can specify granular controls that enable you to tightly control "Who" has rights on the document, "What" are the rights he/she has (View, Print, Edit, Distribute), "When" can the person do the actions and from "Where". What's more, you can also change these rights dynamically after the document has been shared.
CIOL: How is Information Rights Management different from other data security measures?
Information Rights Management is "Information Centric" security. In other words, it protects the information wherever it is and throughout its life cycle. In other words, Information is protected when in use, when in motion or when at rest. Most other information or data security products address some of these aspects.
For example, device and hardware encryption protect the data when it is at rest or stored. Secured transmission solutions address security of data that is being transmitted. Often applications like document management systems protect data and documents, but as long as it resides within the application. But these solutions do not address security of the information in its totality.
For example, if data is transmitted not via secured transmission, but via email or messengers, it is vulnerable to risk of breach. If a document is checked out of a document management system, its protection is lost. So in effect, what is being secured is not the information, but rather the device, or the transmission tunnel, or the network, or the application where the data is present. The "data" or "information" itself is not protected. IRM on the other hand protects the data itself. Thus, the protection is available on the information / data no matter where it is, thereby providing persistent security.
CIOL: In what circumstances should an enterprise look for an IRM solution? What are the typical scenarios where IRM is applicable?
In general, IRM will address information security needs for all types of enterprises. But for an organization to evaluate if they need an IRM system, it can consider the answers to some of these questions. Does the organization have a large work force which needs to access / use sensitive information? Does the organization's business require it to share information or sensitive documents with business partners like Vendors / Customers?
Will the organization face business losses if some sensitive information about its business is leaked out to competitors? Is the organization in an industry where it's common that employees quit and join competitors? Are there any regulatory frameworks which the organization needs to be compliant with in order to conduct business? There are more such scenarios, but if the answer is YES to more than one of these questions, there is enough basis for the organization to consider evaluating an IRM solution.
CIOL: What are the specific features of IRM that make it stand out from other technologies?
IRM provides a holistic approach to information security. Some of the concepts under IRM are:
* Protection of data or information wherever it is.
* Industry standard encryption (e.g. AES 256 and above)
* Providing granular rights to different users on a combination of multiple parameters:
  1. Who has rights on the document / data
  2. What can the person do with the data
  3. When will the person have the rights to use the data as specified above
  4. From Where can the person perform the actions
* Apart from the controlling actions like editing, viewing, printing, forwarding etc, specific actions like copy-pasting, print screening, video grabbing etc are also restricted / controlled
* Dynamic rights modification. In other words, rights to the information can be changed after distributing it, and made applicable on the information wherever it is
* Central control for rights and policy management
* Comprehensive Audit Control which includes details about authorized as well as unauthorized activities that authorized users have attempted to perform on the document
* Providing for offline access when network or central policy repository is not accessible for certain periods of time
CIOL: What are the similarities and differences between IRM and DRM?
When you say DRM I assume you are indicating Digital Rights Management. The basis of IRM and DRM are in the area of controlling access and usage of content. They both provide "rights" management for the specific content that they enable controlling. However, there are basic differences between the two technologies.
DRM is usually associated with security and control of content such as video or music. Also, most DRM technologies do not provide robust dynamic rights management. In the sense, if someone downloads a music title on a device, the control is mainly to ensure that the title is played only on that device and the user cannot forward the same to someone else (or another device).
There is little you can do to control or restrict playing the music title on the device itself, let's say for 2 weeks only. Also, there is limited, if any, audit trailing possibilities provided by DRM.
IRM on the other hand is primarily focused towards business documents. It enables controlling of usage of documents from perspective of users, actions, time spans and locations.
Also, these rights are dynamic in nature, as in they can be changed and the latest rights will be applicable whenever the user accesses the document. A comprehensive Audit Trailing is provided by IRM which gives details about authorized and attempts of unauthorized usages of documents.
CIOL: What technologies complement Information Rights Management solutions?
Generally speaking, IRM alone will be able to address information security needs of organizations. However, there are potential synergies that can arise if IRM is used in conjunction with other technologies. For instance, IRM integrated with a Document Management System will provide an end-to-end security for documents.
While the documents are within the DMS, they are protected with the control measures of the DMS. If the documents require to be shared with people who do not have access to DMS, the integration with IRM will help to ensure that the data in the document is protected wherever it goes. Similar case is with integration with business applications like ERP or CRM systems especially for reports that are generated from these applications. Synergies also exist between Document Classification solutions / Data Loss Prevention solutions and IRM.
Automatic assignment of rights on the basis of a classification applied to a document will provide extreme benefits. Also, using IRM with DLP will help to reduce the need to maintain complicated policies often required for DLP to be effective. Integration with archival and e-discovery solutions is another area of potential value adds.
In this case, when IRM protected documents are archived, the integration will enable search on the document from the e-discovery tool, while IRM will provide the persistent security for all times. IRM + Workflow systems is another formidable combination which will enable automatic protection of documents on the basis of the stage / status of a particular process that the document is undergoing.
CIOL: What is the future of IRM? What developments can we expect to see in this area in the near future?
IRM is currently focused on business documents. I would think that the same principles and need for information security apply also to data which is outsourced as data files or raw data. This may not be in the form of standard documents. In the same manner, securing Software Code is another area I think IRM technologies will focus on.
This will help in providing Secure Software Development Life Cycle. One of the common shortcomings of IRM solutions is user Identity Management for Authentication. I would see more developments in the area of Identity Federation so that public identities can be used to provide rights to different users and the authentication is done via the same.