Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Security Manager's Journal: Information rights management: Magic bullet or dud?

Our manager seeks a way to protect information on a network whose perimeter is blurring in the age of SaaS

Like many companies, mine has determined that the best way to expand our IT and business capabilities in these rough economic times is to move increasingly toward software as a service (SaaS) and cloud services. As a result, the perimeter of our network continues to blur. That makes the job of protecting confidential documents on the network increasingly difficult.

For the last year or so, I've been looking at data leak prevention (DLP) technologies to keep track of my company's confidential files. Network-based DLP works by monitoring the network perimeter (typically Internet egress points) for data containing certain keywords, watermarks, fingerprints or other identifiable characteristics. When one or more of these characteristics crosses a network threshold where a monitoring device has been placed, the system can generate an alert or actively block the traffic. This is a good way to stop people from sending internal documents to external e-mail addresses, for example, or uploading them to one of those pesky, ubiquitous file-sharing sites.

But what happens when the documents themselves move into a cloud? Where's the perimeter? We already have a lot of confidential data being generated, stored and used at third-party sites, and it looks like there's going to be a lot of expansion in that direction -- for my company, it's just too expensive to build all the services we need. Getting up and running quickly by using a specialized SaaS or cloud service really does make good business sense. But protecting our data when it's outside our boundaries is a lot harder. Technologies like DLP that rely on listening devices placed at strategic points on the network don't translate easily into a highly distributed environment.

So why not build the protections right into the documents themselves instead of trying to rely on protecting all the places where the documents might go? That's the idea behind information rights management (IRM). Essentially the same as the digital rights management (DRM) technologies used by the music and movie industries to restrict unauthorized use of digital entertainment content, IRM is tailored to documents created in standard desktop publishing and word processing applications. The client-side technology is already built into the office productivity software everyone uses, so once a document is protected, there's no special software needed to open it. The software already knows how to check for permissions such as open (am I allowed to open this file?), copy (can I select text and copy it?) and print (can I print it?). So, in theory, it should be pretty easy to deploy. And if we make the person who creates the document responsible for defining those permissions, we should be able to get the whole thing up and running fairly quickly.

The problem is, I haven't been able to find anybody who's actually using IRM. If it's really that easy to use and effective at protecting confidential documents regardless of where they end up, wouldn't you think everybody would be using it? And I'm even having trouble finding information and support within the companies that manufacture the technologies. I'm ready to start testing the software, but so far I haven't been able to locate the expertise I need to get it up and running.

This makes me nervous. I certainly don't want to take the risk of locking legitimate users out of their own documents, or similar worst-case outcomes. Likewise, I don't want to rely on a technology that may not be as effective or reliable as it's advertised to be. I'm not really enthusiastic about breaking new ground -- I'd rather rely on tried-and-true techniques for data protection. But the promises of IRM seem so attractive, it really seems worth pursuing. Who wouldn't want a document protection capability that works everywhere, anytime, without being dependent on network choke-points that are difficult, or even impossible, to find in a modern, distributed, outsourced world?

I'm going to continue digging deeper to find consulting firms and subject-matter experts who can point me in the direction of reference customers. To be fair, I haven't really had a lot of time to spend on background research. (SOX, anyone?) That's why I have been working directly with the companies that make IRM solutions, but so far they haven't been able to help much. I thought this would be a lot easier than it's turning out to be.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at jf.rice@engineer.com.

Join in

To join in the discussions about security, go to blogs.computerworld.com/security.

Read more about security in Computerworld's Security Topic Center.

Recommended

  1. Opinion: Why national e-health is not for everyone

  2. Corporations need to balance data transparency and security: ...

  3. Tapping into social experience: Tourism Australia

    CMO

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Comments

Anuj

1

Hi J. F. Rice,

IRM is not really a new technology. The first IRM companies like SealedMedia, Authentica and Liquidmachines came up as far back as 1998. Unfortunately all of these technologies were clunky and had too many pre-requisites in terms of network infrastructure, identity management etc. Logically all of these companies went through fire sales to larger vendors (Oracle, EMC and Checkpoint respectively) who ultimately did not pay any attention to these technologies.

Around 2005, 2006 there were the second generation of IRM technologies which came around i.e. Secore (India), Fasoo (Korea) and Gigatrust (USA). I will not go as far as to recommend one from amongst these but I recommend that you look at these. In most cases you will find some information on Gartner also on these vendors.

I have had a lot of experience in implementing and buying IRM technologies in different roles one thing I would recommend to you is to NOT look at IRM as a shrink wrapped product similar to an anti-virus system or firewall. IRM is a solution which has a technology element but also a lot of process and human element. Evaluate the service capabilities of vendors also seriously besides the technology capabilities. A not-the-best technology accompanied by a great delivery framework is probably a better bet.

I recently read a very interesting blog post on Seclore's website on this specific topic .. Have a look :

http://blog.seclore.com/2012/04/cloud-data-collaboration-and-security.html

Anuj

Comments are now closed.
Related Whitepapers
Latest Stories
Community Comments
Latest Blog Posts
Whitepapers
  • Getting Real About Security Management and Big Data – A Roadmap for Big Data in Security Analytics
    It’s an exciting yet daunting time to be a security professional. Security threats are becoming more aggressive and voracious. This whitepaper examines the escalating complexity for the security management environment; how to get more meaning from data already collected and the combination of infrastructure, analytic tools and threat intelligence need to drive business value from Big Data. Download now.
    Learn more »
  • Deploying Flash in the Enterprise
    Flash is quickly emerging as the preferred way to overcome the nagging performance limitations of hard disk drives. However, because flash comes at a significant price premium, outright replacement of HDDs with flash only makes sense in situations in which capacity requirements are relatively small and performance requirements are high. Learn how deployment approaches-including hybrid storage arrays, server flash, and all-flash arrays-that combine the performance of flash with the capacity of HDDs can be cost effective for a broad range of performance requirements.
    Learn more »
  • Clearing the Clouds for Midmarket Businesses
    Cloud computing promises to help midmarket companies reduce cost and complexity in the IT equation – and gain the flexibility and agility they need to thrive. Yet charting a clear course to the cloud isn’t always easy. In this paper, we aim to clear the clouds. We examine different cloud computing models, discuss the types of requirements that each can best address, and consider what midmarket businesses should look for in a cloud solutions provider.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments

Computerworld
ARN
CFO World
CMO