Information Rights Management – An Introduction

Information rights management is a technology that aims to protect sensitive and critical documents and information while ensuring that they remain available for genuine needs. For example, two companies may negotiate to trade a patent, during which the patent details would be made available to the buying company. Despite signing an NDA, if the deal doesn’t happen, the company that was supposed to buy the patent can come out with a new product based on that patent (whose details were made available to it during the negotiation stage) with some modifications.

Information, once made available to another person, becomes his property too. Ownership and usage cannot be separated, and information once shared cannot be recalled. With daily improvements in storage methodologies, it shouldn’t surprise anyone if a disgruntled employee leaves the organization with important source code or vital business contract details on his pen drive.

Using information rights management, the originator or owner of the document can specify the access permissions to that document. The owner can specify the following parameters:

  • Who can access the document? (Employee, customer, vendor, business partner etc)
  • What access permission does he have? (Read, edit, print, screenshot etc.)
  • When can he access? (The document may be kept open for a specified number of days)
  • Where can he access? (Can specify the range of IP addresses on which the said document can be opened; the document can also be locked to a specific machine)

Any attempted breach of the access permissions would result in the self-destruction of the document. This technology is not as simple as protecting a PDF file by specifying access details. It goes further: the access policies can be altered even after the document has been sent to the third party or the employee. The access policies are persistent (they can be applied to any information and to all copies made from that document), dynamic (policies can be changed without having access to the sent information), and monitored (audit trails can be generated on the usage of the protected information).

IRM encrypts the documents before they are transmitted to the end user. The encryption key and the policy definitions are stored on the IRM policy server. The end user has to agree to the policy definitions before he can access the document. Since the file permissions are stored on the IRM policy server, the policies can be modified at any time without having to disturb the documents already sent. For instance, if an employee leaves the organization, the access policy for all the critical documents and information lying in his email account can be modified to give no access.
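The following sketch is an added illustration, not part of the original article and not the code of any IRM product. It models the policy server described above: the key is released only when the who/what/when/where checks pass, every request is logged, and access is withdrawn centrally after the document has been sent. The names `PolicyServer`, `request_key`, `revoke_user` and the sample document ID are hypothetical, and content encryption itself is left out so that only the key-release decision is shown.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Policy:
    users: dict        # who -> set of rights (what), e.g. {"read", "print"}
    expires: datetime  # when: access closes at this time
    networks: list     # where: allowed source networks in CIDR form

@dataclass
class PolicyServer:    # hypothetical model; sent copies hold neither key nor policy
    keys: dict = field(default_factory=dict)
    policies: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # monitored: one entry per request

    def protect(self, doc_id, policy):
        self.keys[doc_id] = secrets.token_bytes(32)  # content key stays on the server
        self.policies[doc_id] = policy

    def request_key(self, doc_id, user, right, source_ip, now):
        """Release the content key only if who/what/when/where all pass."""
        p = self.policies.get(doc_id)
        addr = ipaddress.ip_address(source_ip)
        checks = [] if p is None else [
            (right in p.users.get(user, set()), "user lacks right"),
            (now < p.expires, "policy expired"),
            (any(addr in ipaddress.ip_network(n) for n in p.networks), "location not allowed"),
        ]
        outcome = next((m for ok, m in checks if not ok), "unknown document" if p is None else "granted")
        self.audit.append((now.isoformat(), doc_id, user, right, source_ip, outcome))
        return self.keys[doc_id] if outcome == "granted" else None

    def revoke_user(self, user):  # dynamic: no need to touch copies already sent
        for p in self.policies.values():
            p.users.pop(user, None)

def demo():
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed sample data
    srv = PolicyServer()
    srv.protect("contract-001", Policy({"alice": {"read", "print"}, "bob": {"read"}},
                                       now + timedelta(days=7), ["10.0.0.0/8"]))
    srv.request_key("contract-001", "alice", "print", "10.1.2.3", now)
    srv.request_key("contract-001", "bob", "print", "10.1.2.3", now)
    srv.request_key("contract-001", "alice", "read", "203.0.113.5", now)
    srv.request_key("contract-001", "alice", "read", "10.1.2.3", now + timedelta(days=8))
    srv.revoke_user("alice")  # e.g. the employee has left the organization
    srv.request_key("contract-001", "alice", "read", "10.1.2.3", now)
    return [entry[-1] for entry in srv.audit]
```

`demo()` returns the audit outcomes in request order, showing one grant followed by a denial for each policy dimension and for the post-departure revocation.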

However, no system is completely secure. If you really want to get the contents of an important document, it can always be written on a sheet of paper or read and recorded!!
