Information Rights Management: Coming of age

by Vishal Gupta    Apr 29, 2010

Over the course of its evolution, IRM (Information Rights Management) technology has been associated with multiple TLAs (three-letter acronyms), such as ERM (Enterprise Rights Management) and E-DRM (Enterprise Digital Rights Management), and has also been called Document Usage Control.
IRM is a technology which allows information (mostly in the form of documents) to be ‘remote controlled’. This means that information and its control can now be separately created, viewed, edited and distributed.
With present-day technologies, information and its control travel together, i.e. if Richard sends a document (let's say an Excel sheet) to Linda, then Linda has pretty much complete control over that document after she receives it: she can view it, print it, edit her copy, forward it to Susan, and copy content from the document to another one. With IRM technology, Richard can send the Excel sheet to Linda and still control, before and after sending the document, whether Linda can view, print, edit or forward it. Not only that, but Richard can also audit exactly what actions Linda performs on her copy of the document.

More generally, it means that ‘owners’ of the information are able to control and audit some of the critical actions that are performed on the information wherever it goes. These critical actions typically mean control over viewing, editing, printing and distribution of the information. The significant difference between IRM and other document control technologies is that IRM focuses on real-time or dynamic control over usage of information, as compared to static or one-time control in distributed information.
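The ‘remote control’ model described above, sketched as an added example (not code from the article or from any IRM product): rights live on a policy server that the viewer consults on every action, so the owner can change them after sending, and every attempt is audited. The PolicyServer class, the document name, the user names and the 30-day expiry are assumptions made for illustration; encryption of the document itself is out of scope.

```python
# Added illustration: a toy policy server, not any IRM product's API.
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class PolicyServer:
    """Holds the rights; recipients hold only their copy of the document."""
    policies: dict = field(default_factory=dict)   # (doc_id, user) -> (rights, expiry)
    audit_log: list = field(default_factory=list)  # every attempt, allowed or denied

    def grant(self, doc_id, user, rights, expires=None):
        self.policies[(doc_id, user)] = (set(rights), expires)

    def revoke(self, doc_id, user, right):
        rights, _expires = self.policies[(doc_id, user)]
        rights.discard(right)  # takes effect on the recipient's next request

    def request(self, doc_id, user, action, now):
        """Called by the viewer application each time an action is attempted."""
        rights, expires = self.policies.get((doc_id, user), (set(), None))
        expired = expires is not None and now > expires
        allowed = action in rights and not expired
        self.audit_log.append((now, user, doc_id, action, "ALLOW" if allowed else "DENY"))
        return allowed


def demo():
    server = PolicyServer()
    t0 = datetime(2010, 4, 29, 9, 0)  # constructed timestamp
    # Richard sends the sheet to Linda: view and print only, for 30 days.
    server.grant("budget.xls", "linda", {"view", "print"}, expires=t0 + timedelta(days=30))
    results = [
        server.request("budget.xls", "linda", "view", t0),  # granted right
        server.request("budget.xls", "linda", "edit", t0),  # never granted
    ]
    server.revoke("budget.xls", "linda", "print")  # changed after sending
    results.append(server.request("budget.xls", "linda", "print", t0 + timedelta(days=1)))
    results.append(server.request("budget.xls", "linda", "view", t0 + timedelta(days=31)))
    results.append(server.request("budget.xls", "susan", "view", t0))  # forwarded copy
    return results, server.audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Because the decision is made at the time of use rather than at the time of sending, the revoked print right, the expired view right and Susan's forwarded copy are all denied, and each denial still lands in the audit trail.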
Why IRM: security and compliance
IRM technology allows for the fine distinction between use and misuse. It is typically used for secure collaboration, i.e. cases in which information needs to be shared with people for use and at the same time be controlled so that they do not misuse it. There are two primary reasons for using IRM technology:
Security: IRM technology provides security of information, irrespective of its location. From an information security perspective, this means that the organization's security policies can be implemented wherever the information is. This is a boon for CISOs of large organizations, where uniformization of security policies across systems is a huge task. Typical scenarios are:
1. Information shared with a potential acquirer during the process of an M&A transaction should be usage controlled, i.e. the information should be ‘used’ for the purpose of due diligence but not ‘misused’, i.e. distributed or viewed after the due diligence is over.
2. R&D information in the form of processes, drawings, test results etc. should be ‘used’ for the purpose of furthering the company’s interests but not ‘misused’ for the purpose of distribution to others or sent out of the company’s offices by employees planning to leave the company.
3. Information received from customers under an NDA should be ‘used’ for the purpose of executing the project but not ‘misused’ for the purpose of another project or for distribution otherwise.
4. Information shared with vendors for the purpose of outsourcing business processes like data entry and printing needs to be used but should not be misused for theft and sale.
Compliance: Most regulatory compliance frameworks, like ISO 27001, Sarbanes-Oxley, HIPAA and GLBA, have recommendations on specific controls that need to be put in place. Typical scenarios are:
1. ISO 27001 mandates that ‘digital assets’ are tracked for usage as they flow within and outside the organization and a complete audit trail is maintained of their access and usage.
2. Sarbanes-Oxley Section 404 mandates implementation of internal controls which provide access to erroneous data to personnel. It also recommends protecting confidential data from unauthorized personnel and tracking it.

Next up: Comparing IRM, DRM, DLP and perimeter security technologies