Document security in the real world, experience from the field
By Simon Thorpe on Oct 18, 2010
I began working with IRM at SealedMedia and I have seen it grow and mature through the refinement which only comes from many, many real world deployments, where we need to apply thoughtful consideration to the protection of real business information, against real security risks; while keeping real business users happy and assured that the technology wont get in the way.
I decided take on the challenge of forming my own company, Brandon Cross Technologies, just as SealedMedia were being acquired by Oracle. As Brandon Cross Technologies I've had the good fortune of working with a number of vendors, including Oracle, to provide the consultancy to successfully deploy software which requires an understanding of how software really gets used in practice, by real people, as well the technical know-how.
We have recently been working with some of the largest oil & gas and telecom companies, among others, to deploy their IRM solutions to address their concerns regarding the dramatic increase in data security threats.
Secure from the inside
Despite the best efforts of virus checkers and firewalls, platform vulnerabilities and malware provide lots of scope for bad guys to punch holes in your defences, disrupt your systems, and steal your data. If you ensure your own business users can only access and use information they legitimately require, while retaining the ability to revoke that access, then any external threat will be no more able to extract information from your organisation than your own people. Information Rights Management therefore enables us to limit the threat from perimeter security breaches, as well as potential misuse of information by legitimate business users.
As with other security solutions, successful IRM deployments must be simple to use and work without impeding existing business processes. Any solution which slows or limits a business user's ability to do their daily work will be unpopular, but more importantly the user may actually end up putting business information at greater risk by avoiding such systems. In the case of IRM, users may create, request, distribute or keep unprotected files, or use an IRM Context or document classification intended for less sensitive information to avoid the more stringent controls intended by the business.
Of course once information is IRM protected it is under the full control of the appropriate information owner; but it does need to be sealed / protected in the first place. Protecting information using IRM needs to be a continual, business-as-usual process. While IRM provides simple tools to protect information, manual protection does involve the user making the decision to protect information as it is created, and being in the habit of doing so. This can be addressed through creation of clear guidelines, policy requirements and training.
Protecting information using IRM should be performed at the earliest point in the information life cycle. One way to ensure information is appropriately secured using IRM is to automate the protection / sealing process. Oracle IRM has open programmatic interfaces which allow information to be sealed and for rights to be programmatically managed. This allows IRM protection to be integrated with other content management, workflow and security products.
For example Oracle IRM can be integrated with SharePoint, ensuring that any documents which are added into a SharePoint site are automatically IRM protected as they are uploaded. Information is then protected in storage, protecting against privileged users with server access, while still allowing documents to be found by keyword search using Oracle's unique search capabilities. Automated protection can therefore allow users to collaborate in the normal way without having to make the conscious decision to protect it first, or even needing to be aware that such a step is necessary. In this way, taking the manual protection step away from users, the level of usage and consistency with which IRM protection is applied can be substantially improved.
Another policy enforcement technology which can be used in conjunction with IRM is DLP (Data Loss Prevention). There are a variety of vendors which provide DLP solutions and, as with IRM, these solutions work in a variety of ways with different features and capabilities. What they do have in common is the ability to monitor the movement of data within your organisations network, with many also having the ability to control that movement. Some will purely monitor network communications using dedicated network appliances; others monitor file system, device and inter-process communications at the desktop. These capabilities can be used to make sure data does not leave your systems and networks without the necessary IRM protection being applied.
Brandon Cross Technologies
Brandon Cross Technologies is based in the UK, but has delivered projects internationally. It believes it is possible to take the pain and uncertainty out of deploying client-server and web based technologies, simply through listening to customers and sharing experience and expertise.