What is IRM?

by Rahul Kopikar    May 22, 2009

Although much has been written about information rights management (IRM), very little is known about the exact benefits. 

Simply put, IRM is a set of policies and technologies that help enterprises control the usage of information contained in shared documents.

In general, IRM will address information security needs for all types of enterprises. To evaluate whether it needs an IRM system, an organization can consider the answers to some of these questions.

1. Does the organization have a large workforce that needs to access or use sensitive information?
2. Does the organization's business require it to share information or sensitive documents with business partners such as vendors or customers?
3. Will the organization face business losses if sensitive information about its business is leaked to competitors? Is the organization in an industry where it is common for employees to quit and join competitors?
4. Are there any regulatory frameworks with which the organization must comply in order to conduct business?

There are more such scenarios, but if the answer is YES to more than one of these questions, there is enough basis for the organization to consider evaluating an IRM solution.

IRM provides a holistic approach to information security. Some of the concepts under IRM are:
- Protection of data or information wherever it is.
- Industry standard encryption (e.g. AES 256 and above)
- Providing granular rights to different users on a combination of multiple parameters:
  i. Who has rights on the document / data
  ii. What the person can do with the data
  iii. When the person has the rights to use the data as specified above
  iv. From where the person can perform the actions
- Apart from controlling actions such as editing, viewing, printing and forwarding, specific actions such as copy-pasting, print screen and video grabbing are also restricted / controlled
- Dynamic rights modification. In other words, rights to the information can be changed after it has been distributed, and the change applies to the information wherever it is
- Central control for rights and policy management
- Comprehensive audit control, which includes details about authorized as well as unauthorized activities that authorized users have attempted to perform on the document
- Providing for offline access when the network or central policy repository is not accessible for certain periods of time
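
The who / what / when / where rights, dynamic rights modification and audit concepts listed above can be sketched as a central policy check. This is an added example, not code from the article or from any IRM product; the `Grant` and `PolicyServer` names, the document ID, the user and the addresses are hypothetical, constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Grant:
    user: str             # who
    actions: frozenset    # what
    not_before: datetime  # when: start of validity
    not_after: datetime   # when: end of validity
    network: str          # from where: allowed source CIDR

class PolicyServer:
    """Hypothetical central store: rights live here, not in the shared file."""
    def __init__(self):
        self.grants = {}  # doc_id -> list of Grant
        self.audit = []   # every attempt is recorded, allowed or denied

    def set_rights(self, doc_id, grants):
        # Clients ask the server on each action, so a change made here
        # also applies to copies that were distributed earlier.
        self.grants[doc_id] = list(grants)

    def check(self, doc_id, user, action, when, source_ip):
        allowed = any(
            g.user == user and action in g.actions
            and g.not_before <= when <= g.not_after
            and ip_address(source_ip) in ip_network(g.network)
            for g in self.grants.get(doc_id, []))
        self.audit.append((when.isoformat(), doc_id, user, action,
                           source_ip, "ALLOW" if allowed else "DENY"))
        return allowed

def demo():
    # Constructed sample data: one document, one user, one grant.
    utc, doc, who = timezone.utc, "DOC-001", "alice@example.com"
    srv = PolicyServer()
    srv.set_rights(doc, [Grant(who, frozenset({"view", "print"}),
        datetime(2009, 5, 1, tzinfo=utc), datetime(2009, 6, 1, tzinfo=utc),
        "192.0.2.0/24")])
    t = datetime(2009, 5, 22, tzinfo=utc)
    late = datetime(2009, 7, 1, tzinfo=utc)
    results = [
        srv.check(doc, who, "view", t, "192.0.2.10"),     # granted
        srv.check(doc, who, "edit", t, "192.0.2.10"),     # action not granted
        srv.check(doc, who, "view", t, "198.51.100.7"),   # outside allowed network
        srv.check(doc, who, "view", late, "192.0.2.10"),  # validity window over
    ]
    srv.set_rights(doc, [])  # rights withdrawn after distribution
    results.append(srv.check(doc, who, "view", t, "192.0.2.10"))
    return results, srv.audit
```

The audit list ends up with one entry per attempt, including the four denied ones, which is the record of attempted but unauthorized activity the list describes.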

IRM and Digital Rights Management (DRM) both operate in the area of controlling access to and usage of content, and each provides rights management for the specific content it controls. However, there are basic differences between the two technologies. DRM is usually associated with security and control of content such as video or music. Also, most DRM technologies do not provide robust dynamic rights management: if someone downloads a music title to a device, the control mainly ensures that the title is played only on that device and that the user cannot forward it to someone else (or to another device).

IRM is currently focused on business documents. I would think that the same principles and need for information security also apply to data that is outsourced as data files or raw data, which may not be in the form of standard documents. In the same manner, securing software code is another area on which I think IRM technologies will focus. This will help in providing a Secure Software Development Life Cycle. One of the common shortcomings of IRM solutions is user identity management for authentication. I would expect more developments in the area of identity federation, so that public identities can be used to grant rights to different users and authentication is done via those same identities.

Rahul Kopikar is Co-founder / Head Business Development at Seclore Technology.