Like many companies, mine has determined that the best way to expand our IT and business capabilities in these rough economic times is to move increasingly toward software as a service (SaaS) and cloud services. As a result, the perimeter of our network continues to blur. That makes the job of protecting confidential documents on the network increasingly difficult.
For the last year or so, I've been looking at data leak prevention (DLP) technologies to keep track of my company's confidential files. Network-based DLP works by monitoring the network perimeter (typically Internet egress points) for data containing certain keywords, watermarks, fingerprints or other identifiable characteristics. When one or more of these characteristics crosses a network threshold where a monitoring device has been placed, the system can generate an alert or actively block the traffic. This is a good way to stop people from sending internal documents to external e-mail addresses, for example, or uploading them to one of those pesky, ubiquitous file-sharing sites.
But what happens when the documents themselves move into a cloud? Where's the perimeter? We already have a lot of confidential data being generated, stored and used at third-party sites, and it looks like there's going to be a lot of expansion in that direction -- for my company, it's just too expensive to build all the services we need. Getting up and running quickly by using a specialized SaaS or cloud service really does make good business sense. But protecting our data when it's outside our boundaries is a lot harder. Technologies like DLP that rely on listening devices placed at strategic points on the network don't translate easily into a highly distributed environment.
So why not build the protections right into the documents themselves instead of trying to rely on protecting all the places where the documents might go? That's the idea behind information rights management (IRM). Essentially the same as the digital rights management (DRM) technologies used by the music and movie industries to restrict unauthorized use of digital entertainment content, IRM is tailored to documents created in standard desktop publishing and word processing applications. The client-side technology is already built into the office productivity software everyone uses, so once a document is protected, there's no special software needed to open it. The software already knows how to check for permissions such as open (am I allowed to open this file?), copy (can I select text and copy it?) and print (can I print it?). So, in theory, it should be pretty easy to deploy. And if we make the person who creates the document responsible for defining those permissions, we should be able to get the whole thing up and running fairly quickly.
The problem is, I haven't been able to find anybody who's actually using IRM. If it's really that easy to use and effective at protecting confidential documents regardless of where they end up, wouldn't you think everybody would be using it? And I'm even having trouble finding information and support within the companies that manufacture the technologies. I'm ready to start testing the software, but so far I haven't been able to locate the expertise I need to get it up and running.
This makes me nervous. I certainly don't want to take the risk of locking legitimate users out of their own documents, or similar worst-case outcomes. Likewise, I don't want to rely on a technology that may not be as effective or reliable as it's advertised to be. I'm not really enthusiastic about breaking new ground -- I'd rather rely on tried-and-true techniques for data protection. But the promises of IRM seem so attractive, it really seems worth pursuing. Who wouldn't want a document protection capability that works everywhere, anytime, without being dependent on network choke-points that are difficult, or even impossible, to find in a modern, distributed, outsourced world?
I'm going to continue digging deeper to find consulting firms and subject-matter experts who can point me in the direction of reference customers. To be fair, I haven't really had a lot of time to spend on background research. (SOX, anyone?) That's why I have been working directly with the companies that make IRM solutions, but so far they haven't been able to help much. I thought this would be a lot easier than it's turning out to be.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.