Why Content Repositories Need Tighter Protection

by Rahul Kopikar    Feb 04, 2010

Today, organizations worldwide are bombarded by volumes of information flowing through e-mail, the Internet and mobile devices. Documents are continuously being created, transferred, modified, stored and disposed of. To enable a high level of collaboration between employees and their partners, enterprises invest in sophisticated content repository and collaboration tools such as electronic content management (ECM), business process management (BPM), knowledge management (KM) and document management systems (DMS) to reduce and manage the document flow. Let’s call all these systems ‘content repositories’.

Shortcomings of content repositories
Security policies for information contained within a content repository apply only while the information resides within the repository. Repositories therefore implement only the first level of security, called ‘access control’. Access control policies dictate whether or not a user can download information (into a browser or onto a desktop) from the repository. Once access is granted and the information is downloaded, the repository has no control over what the user can do with the document (e.g. whether the user can print, edit, copy content from, and/or distribute it). Access control therefore does not protect the information itself, only the ‘gate’ through which the information can leave.

Additionally, because the repository loses all control over information once it moves out, it cannot track the distribution and usage of that information thereafter. Last but not least, changes made to access control policies take effect only for subsequent downloads or uses of content. The repository cannot enforce these changes on content that has already been downloaded.

Because of all the above factors and by virtue of its perimeter-centric nature, information in content repositories frequently gets breached intentionally or unintentionally. Depending on the nature of the business this could pose an enormous threat to the business and the ROI achieved from the content repository.

Protecting information within a Content Repository with IRM
Information Rights Management (IRM) enables an enterprise to limit the actions that can be performed on files downloaded from a content repository. IRM protects the files and restricts access to specific users and programs, thereby limiting the rights of the users who can access the files. Unlike other systems (like firewalls, VPN, DLP, etc.) which create a security wall around the organization, IRM secures the content itself. This allows the organization to retain control of its information regardless of where it resides, within the firewall or outside.

Securing information with IRM involves defining ‘usage rights’ for the information as it leaves the repository. Usage rights are a combination of the following controls:
- Who: Define people allowed to access the document (users, groups, etc.)
- What: Define allowed actions on the document (view, edit, print, distribute, etc.)
- When: Define dates or time spans when the document is allowed to be accessed
- Where: Define from where users are allowed to access the document (within office branches)

Consider the case of a simple workflow consisting of a:
- Document preparer (A)
- Document reviewer (B), and
- Document approver (C)

The usage rights matrix for a downloaded document of such a workflow would typically look like this,

[Figure: Typical workflow]

Documents uploaded into the repository can be automatically protected based on the user and the location in which they are placed.
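
The who/what/when/where controls described above can be expressed as a policy that is evaluated each time a protected document is used. The following is an added example, not code from the article or from any IRM product; the rights given to A, B and C, the dates, the office network range and all function names are constructed assumptions, as is the premise that the policy is checked at time of use.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class UsageRight:
    user: str              # Who
    actions: frozenset     # What
    not_before: datetime   # When (start of validity)
    not_after: datetime    # When (end of validity)
    networks: tuple        # Where (allowed source networks)

def is_allowed(policy, user, action, when, source_ip):
    """Default deny: allow only if one right matches all four controls."""
    addr = ip_address(source_ip)
    return any(
        r.user == user
        and action in r.actions
        and r.not_before <= when <= r.not_after
        and any(addr in ip_network(n) for n in r.networks)
        for r in policy
    )

def request(policy, audit_log, user, action, when, source_ip):
    """Evaluate a request at time of use and record it, allowed or denied."""
    decision = is_allowed(policy, user, action, when, source_ip)
    audit_log.append((when, user, action, source_ip, decision))
    return decision

def revoke(policy, user):
    """Drop a user's rights. Because evaluation happens on every use,
    the change also covers copies that were downloaded earlier."""
    return [r for r in policy if r.user != user]

# Constructed sample policy for preparer (A), reviewer (B), approver (C).
OFFICE = ("10.0.0.0/8",)                      # assumed office address range
START, END = datetime(2010, 2, 1), datetime(2010, 2, 28)
POLICY = [
    UsageRight("A", frozenset({"view", "edit", "print"}), START, END, OFFICE),
    UsageRight("B", frozenset({"view", "edit"}), START, END, OFFICE),
    UsageRight("C", frozenset({"view"}), START, END, OFFICE),
]

if __name__ == "__main__":
    log = []
    now = datetime(2010, 2, 10)
    print(request(POLICY, log, "B", "edit", now, "10.1.2.3"))
    print(request(revoke(POLICY, "B"), log, "B", "edit", now, "10.1.2.3"))
```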

Benefits of an integrated IRM + content repository system
IRM provides complete and persistent usage control on information throughout its lifecycle. With IRM, security is ensured without compromising the collaboration capabilities of content repositories. Apart from usage control, IRM can also track authorized and unauthorized attempts on content across enterprise boundaries. This can help enterprises adhere to regulatory and compliance frameworks like ISO, Sarbanes-Oxley and HIPAA for ‘unstructured’ data control. It increases revenues by preventing misuse, theft and leakage of ‘paid’ content.

The integration of IRM with content repositories makes information-centric security for all confidential content an achievable aim. Even though the IT departments will always face security risks in different forms, an integrated IRM solution will prevent CIOs from appearing in the news for the wrong reasons.