Why Information Rights Management is mandatory, response to Martin Kuppinger
By Simon Thorpe on Jul 23, 2008
Martin Kuppinger of Kuppinger Cole last month wrote an excellent article on Why Information Rights Management is mandatory. He opens by commenting that: Information Rights Management (IRM) is one of these technologies which isn’t really successful until now, even while it is discussed and available for a pretty long time.
A pretty long time indeed Oracle IRM has been in development since 1997 and was in first commercial use back in 2000. Now we are seeing an increase of activity in this space and 2008 could be a good year for IRM, helping industries plagued by information loss from all areas.
Martin goes on to comment that, "There are some reasons why IRM isn’t adopted widespread today. One is the complexity of the concepts. Without understanding PKIs and Public Key encryption it is impossible to really understand IRM."
I respectfully disagree, most IRM technologies go to great lengths to hide from the end users any complexity involved in IRM. Good IRM solutions put very little barriers in the way of the user creating and correctly classifying sensitive content. The Oracle IRM solution for instance requires that a user only choose the "context" of the content to create a secure document. They need know nothing at all about the PKI or encryption infrastructure underneath.
In response to my disagreement Martin continues; The end user does not necessarily need to understand the concepts behind. But the architects and admins have. That's what I've meant. So I agree: There are IRM solutions out there which are relatively easy to use - once they are implemented. But even while the vendors claim that implementation is easy as well I think that there is a lot of knowledge required by the architects and admins, which is an obstacle in adoption.
|Implementation falls into two areas: technical and business. Oracle IRM is very easy to implement technically both from the end users perspective and also from the architect and admin side. In many cases I have been able to deploy a fully operational IRM service within a week. With one customer, a law firm in Minneapolis, after they had pre-prepared the server hardware, operating system and database it took only a day to go from a virgin environment to having documents encrypted, accounts provisioned and workflows in action.||"IRM is an approach which can be consistently used for any type of information at any stage, e.g. when stored as well as when transported."|
I have even worked with a customer to, in one day, integrate the Oracle IRM system via its API through .NET into SharePoint. In 8 hours the customer had content automatically sealed, in memory, as it was checked into a SharePoint library. Users automatically logged in to the IRM Desktop via the SharePoint interface and rights managed from the SharePoint system so that going directly to the IRM service to assign rights to content was not necessary.
The reason Oracle IRM is so easy to deploy, technically, is that for the first 8 years of its life there were a very small number of deployment consultants available. Therefore we needed to engineer a product which could be implemented in a small amount of time without having to charge the customer weeks of consultancy fees.
However I do agree with Martin when it comes to the business. IRM solutions are often purchased to address the need to protect sensitive information that is flowing across many boundaries within the business. There are a lot of touch points involved: the authors of content, the approvers, the end users - internal and external. Therefore the greatest obstacle in deploying IRM is understanding how the business wishes to implement it. Consider also that IRM is often deployed at senior executive level and above, IT and security groups are understandably cautious in quickly bringing new technologies in front of these people.
|"I believe that, once IRM is implemented, there is a lot of room to improve your security management for information because you can at least simplify the access control approaches used before."|
|This is changing. Organizations are more aware of the need to create policies company wide, they are getting better at identifying where the sensitive content lives, the processes it go through during its life and who needs access to this information. Unfortunately these companies are learning this mostly by trail and error, a costly exercise when each loss of information results in fines and public exposure.|
Martin then states that, "If you use IRM for any type of information there is no necessity anymore for the classical access control approaches."
True, strictly speaking if you are using IRM you could do without classical perimeter-based access control, but like all security products IRM is even more secure when used in conjunction with other security products – layered security. Lock the front door AND set the alarm. IRM is not a replacement for existing security applications, it should work alongside because IRM still relies on the most insecure of all components, the end user. Mistakes can happen, people can be given rights to content when they should not have, documents can be misclassified by mistake. Therefore IRM should always be deployed to complement and work with existing technologies and processes to reinforce the enterprise security model.
This leads Martin to state, "You're right saying that more layers are better. What I meant to express is: IRM is an approach which can be consistently used for any type of information at any stage, e.g. when stored as well as when transported. That isn't true with any access control approach. Thus, you could build a complete security model with IRM but you can't do it with classical approaches. Thus, the need for these approaches (detailed file server ACLs and so on) decreases. And I believe that, once IRM is implemented, there is a lot of room to improve your security management for information because you can at least simplify the access control approaches used before.
Absolutely! Existing access control mechanisms surround the perimeter of information. Companies are implementing identity management solutions in an attempt to centralize the control of these access systems, however they still rely on technologies which only secure enterprise perimeters. IRM uses encryption to shrink the perimeter down to the individual units of information - documents and emails. In some ways it is the 101st perimeter, a consistent, “virtual” perimeter that stays with all copies of your most sensitive information, everywhere they go.
Great article Martin, lets hope your thoughts are indeed reflected across the industry over the coming year.