Oracle IRM and the evolution of "information-centric" security
By Simon Thorpe on Nov 04, 2009
Whilst responding to an RFI I needed to describe how information rights management was positioned against many other types of technologies that use encryption to protect documents and emails. I thought it would make sense to write up the response on the blog. The diagram below really highlights how information rights management is at the leading edge of using cryptographic technologies to protect your confidential information.
Information security is a crowded and confusing marketplace. Many security solutions are really infrastructure security, because they secure IT infrastructure and users from information (for example anti-virus, anti-spam, intrusion detection). Some information security solutions only attempt to secure information from external attack (for example firewalls).
This diagram above illustrates the evolution of "information-centric" solutions that, by securing information directly, attempt to secure information from accidental or deliberate leakage by internal and external users. This diagram is not entirely even-handed in that it does not show the benefits of earlier solutions, just their critical shortcomings - but the idea is to show how IRM for the first time sufficiently solves these limitations to be the first truly enterprise-viable "information centric" solution.
Information-centric security started with products like PGP, which used public key infrastructure (PKI) encryption to encrypt information, and provided document and email encryption products. Products like PGP have two killer shortcomings. Firstly they ask busy non-technical business people to understand and personally manage the principles of PKI cryptography - pass phrases, public keys, private keys, digital signing, encryption, decryption, public key rings, certificates, etc. And then, after jumping through all these PKI hoops, the PGP-like technologies still just pass the decrypted information off into the clear (decrypted) to the document and email applications, from which they can easily and untraceably be redistributed - there is no post-delivery protection or tracking. Invasive to user workflows and with dubious benefits (most leaks are made, accidentally or deliberately, by end users - not by eavesdropping on networks) these solutions have over a long period gained minimal traction. Many people have briefly played with PGP, or something like it, but it is rare to meet someone who still does.
"In-delivery" secure email products built on the encryption capabilities of PGP-like products, in an email context. As organizations began to see email as their leading vector for information leakage (deliberate or accidental - how often have you sent a confidential email to the wrong user?) they sought solutions for securing email. Almost all of these solutions operate by intercepting outbound emails, and for those marked or scanned as being confidential, they place them on an SSL-protected web site and send on a replacement email with a link back to the original email on the SSL-protected web site. When the users follow the link to collect the email they are typically required to authenticate and the original email is then obtained over a secure SSL connection. So the shortcomings of these solutions are clear - again they provide no post-delivery security (authorized users can still save out in the clear and forward), they only defend against eavesdropping (which is a much less common threat than redistribution) and is ultimately an email-only point solution. While email remains the leading means of sharing information, there is also a huge amount of sharing via file shares, web, USB devices, etc.
The next major evolution of "information centric" security, which is currently generating significant interest, is gateway- or desktop-based filtering/monitoring. These technologies install software agents into gateways (such as email servers or web servers) or desktops that monitor outbound information flows, and scan the outbound emails, attachments and web pages for confidential information (such as social security numbers). It remains to be seen how effective these solutions are in practice, because they tend to be primarily passive (they are often detuned to prevent them blocking outbound information flows as a result of false positives) and act more as a deterrent; because they must monitor a bewildering number of perimeters in a modern network to be effective; and must sift through a staggering amount of legitimate traffic looking for a hopefully small amount of illegitimate traffic. But the fundamental shortcoming of these filtering/monitoring solutions is that they are effectively enterprise spyware: spying on internal information flows. Unfortunately most sensitive business processes involve sharing confidential information with external parties, and they are never going to allow your organization to spy on their networks to protect your information. So it would seem absurdly incomplete to spy on your own employees and then send the same confidential information unprotected and untracked into the networks of your partners, customers and suppliers.
Nevertheless there are considerable synergies between monitoring/filtering technologies and IRM - to help automate the sealing/classification of information. This is seen in the recent integrations between both DLP vendors and IRM vendors.
Oracle Information Rights Management (IRM) is very much an evolution from all these earlier technologies. It uses the PKI encryption from PGP-style products, but hides all the complexity from end users. It uses the close integration with leading email clients of secure email. It shares the same desktop agent and policy server profile of desktop filtering, but is only active in the context of sealed/classified information. But unlike preceding solutions Oracle IRM provides pro-active, post-delivery protection and tracking; works just as well outside the firewall as inside; has a classification-based rights model that completely hides all the complexity of encryption and makes policy management straightforward; and secures documents, emails and web pages regardless of how they are shared - so Oracle IRM it is a significantly more complete solution.