The beauty of separating rights from content
By Simon Thorpe on Feb 17, 2009
I was discussing the subject of why separating rights from the content is so important with a friend at work and thought I would share some elements of this discussion.
Fundamental to the success of the Oracle IRM solution is that from day one Martin Lambert, Oracle IRM creator, decided to separate the information that describes who can access content and what they can do with it from the actual content itself. To demonstrate why this important consider the following.
1. You protect 10 documents which you distribute, via email, to 100 people in your company. Each person copies those 10 documents to their local computer from their inbox. 10 of these people are managers who are given rights to print the documents, the rest are prohibited and can only open the content.
2. A few weeks later the company hires another 20 people. 10 of the people from the original 100 are promoted to managers and 15 leave the company, taking the content with them.
Now imagine if those 10 documents, of which there are now thousands of copies, contained information about the 100 people that could initially open them. What happens a few weeks later? What do you do? Recall all the copies of those old documents and reissue new ones with updated lists of rights? How do you ensure users are then opening the right document with the correct rights? What about those who are promoted and have gained new rights to the same content? Do they have different versions of the same document, one they can print and one they cannot?
Many IRM solutions were born from Digital Rights Management (DRM) technologies which typically embed such rights information into the protected content. DRM technologies are commonly used to protect rich media such as music distributed by iTunes and movies by Amazon Unbox. In these environments the content is only designed to be read by the single consumer and the rights are typically distributed/embedded at the time of purchase/download. DRM used to be very restrictive and often received a lot of bad press about the unfair methods employed to restrict the use of content by the end user. Things are better these days and a more separated rights approach is being taken. Yet the technologies are still built on this limiting methodology.
When you take this approach from the consumer world into the enterprise, things suddenly become very difficult. Scalability becomes a large issue. Would you really store the rights of thousands of corporate users in each file you protect? Each time the rights to a specific document changes, do you redistribute those rights? Many IRM solutions in the market are born from such DRM systems and are struggling to scale into the enterprise.
This is where Oracle IRM is able to work so easily and allows the fast changing trust relationships in the enterprise to be reflected quickly. Oracle IRM sealed content only knows of a classification to which it belongs. It also knows on what server this classification resides. So when a user access content, two things happen.
1. A user when attempting to access content whilst online is authenticated against the IRM server.
2. If authentication is successful, the IRM server checks to see if they are authorized to access content with the classification matching the request. Is so, the rights are shipped and cached to the requesting machine and remain valid for a certain period of time. After which the user must again check with the IRM server to see if rights to the content have changed.
What this separation of rights means is that by making a single, simple change to a user rights on the Oracle IRM server, their access to thousands of documents can be affected when they next check with the server.
If you then consider how the Oracle IRM server can be hooked into your LDAP and Active Directory repositories and that groups can be assigned rights to these classifications. Then someone joining an organization can be added to one group in the corporate user repository and this one single act can give them instant access to hundreds and thousands of documents that are stored in a variety of places all over the organization.
Because this was a design feature from the very start, it means that we've been able to improve, learn through customer experience and fine tune this model. Our 11g release will be the best demonstration yet of how Oracle is leading the way when it comes to providing persistent, scalable and usable security to your sensitive enterprise information.