Protect Your Content, Not Your Device

By Richard Porter-Roth posted 09-13-2013 14:34


Imagine that you send a confidential letter to a client, who puts it on a cloud file share, saves it to her laptop’s C-drive, and then emails it from her phone that night to her friend for an opinion (“But, please DO NOT SHARE this….”). Her friend is an expert in international trade and responds with a set of in-line comments on the document, but finds the matter so interesting that he sends it (letter plus comments) to a friend in Germany because of the EU implications, with the admonishment, “Please do not share this with anyone.” The letter is saved (by the German person) to an iPad and a SharePoint workgroup library with open security privileges. The original letter, of course, contains the author’s name and company, along with the client’s name and company.

Meanwhile, the client who saved the letter to a cloud drive put it in a general subdirectory where another worker, searching the drive with some key words, found it, opened it up and read it. Finding it interesting and relevant to some work he was doing, he copied the letter to his private subdirectory, and then copied, without rewriting, portions of the letter into a document he was working on. He then sent the new document to legal for review and legal, guess what, asked the original receiver of the document to take a look at it since she is working in that area.

We really don’t have to imagine this because it is happening today and will continue to happen in the future. If you weren’t counting, the confidential letter is now in the hands of at least four people who should not have seen it in the first place, the letter is stored on many devices and in many “open” repositories, and the letter’s contents have been incorporated into another document that will be published.

Got IRM? (Information Rights Management, also known as Digital Rights Management (DRM).) If the letter that was sent to the client had been protected with IRM, the rest of this story would not have happened. The letter would have stayed only with the client and could not have been forwarded.

For many of us, any document sent internally or externally to another person is unprotected once it leaves the server or our “C” drive. It does not matter how the receiving device is secured because the document itself is not protected. Also, once out in the wild, the document can be copied, emailed, printed, stored and read on mobile devices, and become part of the “backup” for almost any server that it resides on. At that point it becomes impossible to trace the document or eradicate it from all the servers and devices that hold it.

Companies today are focusing on the device level, in an effort to control the device so that it can be wiped or shut down if it is lost, stolen, or otherwise compromised. But this is only one half of the equation, as it does nothing to protect the content once it is “released,” whether intentionally or not.

A second, and growing, effort is to protect the content itself so that no matter what device or server it resides on, the content can be protected and managed according to permissions set within the document. IRM allows the user to set permissions within a document, and those permissions remain with the document wherever it is – IRM is device and server independent.

Many companies offer IRM, so the following list is a compilation of features that IRM can provide:

  1. Restrict forwarding of the document
  2. Restrict printing of the document
  3. Restrict copy/paste of the document contents
  4. Apply a watermark to the document
  5. Expire access to a document according to preset requirements (such as a date)
  6. Remote wipe of documents
  7. Encrypt documents
  8. Require dual authentication to open
  9. Restrict sending to mobile devices
  10. Provide document permission for view, edit, delete, etc. (view only means that document cannot be downloaded or saved and is opened in a view screen)
  11. Restrict ability to share a document within a library/repository
  12. Restrict ability to add or create documents in a workspace by group or user
  13. Limit ability to search a directory/subdirectory
  14. Revoke access to the document based on preset requirements (employee leaves company)
  15. Maintain an audit trail of the document (who, where, when, what)
  16. Unauthorized attempted access reporting
  17. Enforce version control requirements (each version is protected with same rights)
  18. Help implement data protection for regulatory compliance (HIPAA, SOX, GLBA, etc.)
  19. Integrate with company directory services such as Active Directory (AD), LDAP, etc.
  20. Restrict who can set permission levels (above list)

Depending on the vendor, IRM generally requires that the document, when opened, authenticate with the IRM server – which means that when opening a document the user has to be online and able to connect to the IRM server. If a user is traveling and unable to connect to the IRM server, the document cannot be opened. However, some vendors allow users to package documents before leaving on a trip or otherwise losing Internet access, so that they can still open and work on the documents. While offline, the document records and maintains the audit trail, which is uploaded when the user reconnects to the IRM server.
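The online check, offline package and deferred audit upload described above, modeled as an added example that is not from the original post or any vendor's product; `IrmServer`, `Client`, the 48-hour lease length and the sample policy in `demo()` are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
@dataclass
class IrmServer:                     # hypothetical stand-in for a vendor's IRM server
    policies: dict                   # doc -> {"rights": {user: set}, "expires", "revoked"}
    audit: list = field(default_factory=list)

    def _rights(self, doc, user, now):
        p = self.policies[doc]
        live = user not in p["revoked"] and now < p["expires"]
        return set(p["rights"].get(user, ())) if live else set()

    def authorize(self, doc, user, right, now):
        ok = right in self._rights(doc, user, now)
        self.audit.append((now, doc, user, right, "allow" if ok else "deny"))
        return ok

    def package_offline(self, doc, user, now, hours=48):
        rights = self._rights(doc, user, now)       # snapshot of current rights
        until = min(self.policies[doc]["expires"], now + timedelta(hours=hours))
        return {"rights": rights, "until": until} if rights else None

@dataclass
class Client:
    server: IrmServer
    online: bool = True
    leases: dict = field(default_factory=dict)      # (doc, user) -> offline lease
    pending: list = field(default_factory=list)     # audit events recorded offline

    def open(self, doc, user, right, now):
        if self.online:
            return self.server.authorize(doc, user, right, now)
        lease = self.leases.get((doc, user))
        ok = bool(lease) and now < lease["until"] and right in lease["rights"]
        self.pending.append((now, doc, user, right, "allow" if ok else "deny"))
        return ok

    def reconnect(self):
        self.online = True
        self.server.audit.extend(self.pending)      # upload the offline audit trail
        self.pending.clear()

def demo(t0=datetime(2013, 9, 13, 9)):              # constructed policy and timeline
    srv = IrmServer({"letter": {"rights": {"client": {"view"}}, "revoked": set(),
                                "expires": t0 + timedelta(days=30)}})
    lease = srv.package_offline("letter", "client", t0)
    c = Client(srv, online=False, leases={("letter", "client"): lease})
    return [c.open("letter", "client", r, t0 + timedelta(hours=h))
            for r, h in (("view", 5), ("print", 5), ("view", 72))]
```

In this model a right revoked on the server keeps working under a lease that was already issued until that lease lapses, so the lease length is the revocation delay for offline users.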

Not every vendor offers every feature in the list above, and some vendors may have additional features not listed. Also, vendors may differ on how the features are implemented – at the directory level or at the document level – and on who may turn a feature on or off – user or admin. The features may also be applied to internal (within the company) groups/people as well as external groups/people.

While it is possible to implement one of these systems throughout the company, it may be better to begin with one group within one department. Examples may be contracts, legal, internal HR affairs, marketing (new product), intellectual property, and other areas that may require extra security around a set of documents or an area that requires confidential documents to be sent to external groups.

In an ever-increasing “documents anywhere on any device” world, it is important to begin thinking about how to protect assets wherever they may reside. Protection at the device level is simply not enough.
