Thursday, October 27, 2011

Ruminating on IRM (Information Rights Management)

From a security architecture perspective, it is important to consider the need for using IRM technology. Traditionally we have secured access to documents using RBAC patterns for secure access and download.

But how do you control the information once it is downloaded to the users machine? Can the user copy/paste from the document? Can the user print the document? Can the user forward the document to someone or upload it somewhere? Can he run macros on the document? So how can an enterprise have total control on sensitive information?

These questions cannot be answered by classical access control mechanisms, they need a new security framework concept called "Information Rights Management". Many traditional ECM vendors also offer IRM adapters or add-ons to help customers have total centralized control over their digital assets. For e.g. SharePoint 2010 has IRM protectors that can be plugged-in for end-to-end protection of documents on the user's computers.Oracle UCM can be extended with Oracle IRM, etc.

Across all these IRM product architectures, it is necessary to have some form of client application installed on all users machines. Files that get downloaded from the DMS are special encrypted rights-managed files. The file format contains meta-data that defines the access that can be given to the user. The client application would decrypt the file, understand the access constraints and accordingly give rights to the user. On the windows platform, MS has long released the Windows Rights Management Services - a comprehensive API to address IRM challenges on the windows platform.