InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity March 2010

Industry Trend

Content Repositories: Need tighter protection

When a content repository is integrated with an Information Rights Management (IRM) system, security is ensured without compromise. In this article the author explains the combined strength of the two and the benefits users can achieve from it.

In today’s world, businesses are built on an eco-system with vendors on one side and customers on the other. Organizations need to share information not only with internal employees but also externally with contractors and other vendors. These business relationships are very dynamic and volatile in nature. For example, your preferred vendor today may not be your vendor tomorrow, or your employee today might be a competitor’s employee tomorrow. Hence, there is a dire need to make sure that information and content are properly protected within and outside the organization, right through the information’s lifecycle of creation, distribution, use, and destruction. Simultaneously, organizations also need to make sure that sensitive and confidential information does not get leaked or misused.

Today, organizations worldwide are being bombarded by volumes of information flowing through email, removable media, the internet, mobile devices, etc. There is a continuous inflow and outflow of documents being created, transferred, modified, stored and disposed of. To enable a high level of collaboration between employees and their partners, enterprises invest in sophisticated content repository and collaboration tools like Electronic Content Management (ECM), Business Process Management (BPM), Knowledge Management (KM) and Document Management Systems (DMS) to reduce and manage the document flow. All these systems are more generally and collectively called Content Repositories.

In most cases, content repositories have been deployed within the enterprise for intra-enterprise collaboration. The need for, and deployment of, content repositories is now quickly expanding beyond the enterprise to involve business partners, vendors and sometimes even customers. This, however, has left the information contained within the repository vulnerable to mass leakage. The volatile nature of business relationships also means that information and systems shared with business partners must be used in accordance with pre-defined norms. Ensuring the security of information through the lifecycle of creation, distribution, use, and destruction thus gains importance.

Advanced Information Rights Management (IRM) systems, when deployed along with content repositories, give enterprises the ability to robustly secure and monitor access to content and information within and outside of the repositories.

Shortcomings of Content Repositories

Security policies for information contained within a content repository apply only while the information is resident within the repository. Repositories therefore implement only the first level of security, called “access control”. Access control policies dictate whether or not a user can download information (into a browser or a desktop) from the repository. Once access is granted and the information is downloaded, repositories have no control over what the user can do with the document (e.g. can he print, edit, copy content, and/or distribute the information). No enforcement of control is possible or permissible after the content leaves the system by way of download. Access control therefore does not protect the information but just provides a “gate” through which the information can leave. More technically, the Content Repository system does not implement “usage control” for downloaded content.

In repositories, any activity (download, upload, editing) is only logged when the information leaves and enters the system. Repositories do not have a mechanism to record the authorized and unauthorized attempts/activities on the information when it is outside their purview. For example, repositories cannot record whether a user printed a copy of the downloaded content.

Additionally, by losing all control over information when it moves out, the repository cannot track distribution and usage of the information thereafter. Last, but not least, changes made to the access control policies take effect only for subsequent downloads or uses of content. These changes cannot be forced by repositories onto content that has already been downloaded.

Because of all the above factors, and by virtue of their perimeter-centric nature, content repositories frequently see their information breached, intentionally or unintentionally. They thus face serious information compromises, which pose an enormous threat to the ongoing business and raise the fear of losing sensitive information to a competitor. Depending on the nature of the business, this could prove to be an inscrutable threat to the business and to the ROI achieved from the content repository.

Protecting information within Content Repository with IRM

Information Rights Management (IRM) enables an enterprise to limit the actions on files that have been downloaded from a Content Repository. IRM protects the files and restricts access to specific users and programs, thereby limiting the rights of the users who can access the files. Unlike other systems (like firewalls, VPN, DLP, etc.) which create a security wall around the organization, IRM secures the content itself. This allows organizations to retain control of their information regardless of where it resides, within the firewall or outside.

Securing information with IRM involves defining “usage rights” for the information as it leaves the repository. Usage rights are a combination of the following controls:

WHO    :  define people allowed to access the document (Users, Groups etc)
WHAT  :  define allowed actions on the document (view, edit, print, distribute etc)
WHEN  :  define dates or time spans when document is allowed to be accessed
WHERE:  define from where users are allowed to access the document (within office branches)

Hence, consider the case of a simple workflow consisting of a document preparer (A) → document reviewer (B) → document approver (C). The usage rights matrix for a downloaded document of such a workflow would typically look like this:

WHO  | WHAT                                                      | WHEN                          | WHERE
User | View rights | Edit rights | Print rights | Distribute rights | Date Embargo                  | Location
A    | ✓           | ✓           | ✓            | ✓                 | ✗                             | Anywhere
B    | ✓           | ✓           | ✗            | ✗                 | ✗                             | Anywhere
C    | ✓           | ✗           | ✓            | ✗                 | ✓ (only after a certain date) | Within the office
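
The usage rights matrix above, evaluated at the moment a protected document is used, as an added Python example that is not from the article or from any IRM product. The `check` function, the `POLICY` layout and the embargo date are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class UsageRights:
    actions: frozenset                 # WHAT: actions granted to the user
    not_before: Optional[date] = None  # WHEN: date embargo (None = no embargo)
    office_only: bool = False          # WHERE: restrict use to office locations

# Constructed value; the article only says "after a certain date".
EMBARGO = date(2010, 4, 1)

# WHO -> rights, transcribed from the matrix for preparer A, reviewer B, approver C.
POLICY = {
    "A": UsageRights(frozenset({"view", "edit", "print", "distribute"})),
    "B": UsageRights(frozenset({"view", "edit"})),
    "C": UsageRights(frozenset({"view", "print"}),
                     not_before=EMBARGO, office_only=True),
}

def check(user, action, today, in_office):
    """Return (allowed, reason) for one attempted action on a downloaded file.

    Both outcomes are meant to be recorded, so the audit trail covers
    unauthorized attempts as well as authorized actions.
    """
    rights = POLICY.get(user)
    if rights is None:
        return False, "unknown user"        # default deny for anyone not listed
    if rights.not_before and today < rights.not_before:
        return False, "date embargo"
    if rights.office_only and not in_office:
        return False, "location"
    if action not in rights.actions:
        return False, "action not granted"
    return True, "ok"
```

Because the decision is taken on every use against the current policy rather than once at download time, changing or removing an entry also applies to copies that have already left the repository.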

In most cases the above usage rights are seamless and transparent to the end user. The user’s experience, as long as his actions are permitted by the system, is exactly the same as before. Documents uploaded into the repository can be automatically protected based on the user and the location in which they are placed. The single sign-on mechanism allows users to access the documents without the overhead of yet another user ID and password.

IRM brings about complete and persistent end-to-end usage control on information throughout the document’s lifecycle of creation, distribution, usage and destruction. Security can now be ensured without compromising on the collaboration features offered by the Content Repository.

Authorized actions as well as unauthorized attempts can be tracked across enterprise boundaries. This can help enterprises adhere to regulatory and compliance frameworks like ISO, Sarbanes-Oxley and HIPAA for “unstructured” data present in emails, removable media and desktops. Apart from compliance with regulatory norms, the audit trail feature also helps to track any mysterious or suspicious activity happening on the downloaded content. For example, an alert mechanism could be set up to send an email to the IT department if there are three consecutive print commands within a time frame of one minute.
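
The print alert described above, run over a constructed audit trail, as an added Python example that is not from the article or from any IRM product. The record layout, the names and the choice to count prints per user and document are assumptions; delivering the e-mail to the IT department is left out.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)   # "a time frame of one minute"
THRESHOLD = 3                   # "three consecutive print commands"

# Constructed audit-trail records: (timestamp, user, document, action)
SAMPLE_EVENTS = [
    ("2010-03-02T10:00:05", "B", "contract.doc", "print"),
    ("2010-03-02T10:00:20", "B", "contract.doc", "print"),
    ("2010-03-02T10:00:30", "A", "contract.doc", "print"),
    ("2010-03-02T10:00:50", "B", "contract.doc", "print"),
    ("2010-03-02T10:05:00", "A", "contract.doc", "print"),
    ("2010-03-02T10:05:10", "A", "contract.doc", "view"),
    ("2010-03-02T10:05:20", "A", "contract.doc", "print"),
    ("2010-03-02T10:05:40", "A", "contract.doc", "print"),
]

def print_burst_alerts(events):
    """Return (user, document, timestamp) for each burst of consecutive prints."""
    recent = defaultdict(deque)   # (user, doc) -> times of the current print run
    alerts = []
    for ts, user, doc, action in sorted(events):   # ISO timestamps sort by time
        run = recent[(user, doc)]
        if action != "print":
            run.clear()           # any other action breaks the consecutive run
            continue
        now = datetime.fromisoformat(ts)
        run.append(now)
        while now - run[0] > WINDOW:
            run.popleft()         # forget prints older than the window
        if len(run) >= THRESHOLD:
            alerts.append((user, doc, ts))
            run.clear()           # raise one alert per burst, then start over
    return alerts
```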

Benefits of an integrated IRM + Content Repository system

IRM provides complete and persistent usage control on information throughout its lifecycle. With IRM, security is ensured without compromising on the collaboration capabilities of content repositories. Apart from usage control, IRM can also track authorized and unauthorized attempts on content across enterprise boundaries. This can help enterprises adhere to regulatory and compliance frameworks like ISO, Sarbanes-Oxley and HIPAA for “unstructured” data control. It increases revenues by preventing misuse, theft and leakage of “paid” content.

Finally, even though IT departments will always face security risks in different forms, a Content Repository with an integrated IRM solution will help CIOs have a carefree attitude when it comes to the security of their data.

By: Vishal Gupta, CEO, Seclore India.

