Today we can all agree that there is no need to debate the "need" for information protection in the enterprise. If solution vendors are still opening their discussions with slides on why information protection matters and how many data security breaches have happened recently, and you too are still reading analyst reports on secret and custodial data, then that is probably a waste of everyone's precious time. We no longer need cautionary tales that it is happening to our neighbours when we can already see the smoke in our own houses, and there is a clear increase in demand from business owners, partners and regulators to safeguard information assets.
Enterprises have crossed the stage of "why" and at present are really confused about "how" and "to what extent", given that our sensitive information is always moving and transforming. On top of that, so many buzzwords are floating around, including Data Discovery & Classification, Data Loss/Leakage Prevention (DLP), Information Rights Management (IRM), Digital Rights Management (DRM), Rights Management System (RMS), Information Life Cycle Management, Data Protection in terms of Backup & Archiving, Data Degaussing, and the list is endless.
Are all of these separate problems, or is that not the way to think about them? Should they be integrated, initiated simultaneously in parallel, or prioritized in pieces? Or do we first need the answer to the very basic puzzle: where to start?
With respect to that first basic puzzle, where to start, the answer lies within our own house and family. This is the key pillar in my every post as well: user awareness and training. We must educate and explain so that employees clearly understand what their employer is trying to accomplish with these concrete rules, as well as their own critical role, since they can contribute to security breaches without knowing it. No technology tool can be successful unless we make our employees a part of the information security solution.
Information Usage Control – What is it?
It has been associated with multiple names, including IRM (Information Rights Management), ERM (Enterprise Rights Management) and E-DRM (Enterprise Digital Rights Management), and has also been called Document Usage Control.
It is a technology whereby you can have:
a. owner-initiated or automatic (through system controls as per pre-defined policies)
b. granular control
c. over the access rights / usage of a piece of information,
d. which can be different for various users and groups,
e. is persistent, irrespective of organization boundaries ("remotely controlled"),
f. along with secure transmission using encryption,
g. and with monitoring, reporting and auditing capabilities on the usage.
Usage control policies on information (e.g. can you print this? copy it to USB? email it? forward it? reply all?) travel together with the information everywhere. This is where it contrasts with a DLP solution, whose prime objective is to protect the information inside the organization and to control access points including endpoints, ports, gateways and storage.
E.g. if Pratham sends a document to Ayesha, then normally she has pretty much complete control over that document after she receives it, i.e. she can view it, print it, edit her copy, forward it to Richa, and copy content from the document into another one.
But with usage control policies from IRM technology, Pratham can send the document to Ayesha and still retain granular control, both before and after sending it: Ayesha may only view the document, while print, edit and forward are not allowed, and for Richa even read is not allowed. This remains the same irrespective of whether the document is inside or outside the organization boundaries.
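The Pratham/Ayesha/Richa scenario above as a small policy model, added here as an example and not code from the original post or from any IRM vendor. The document envelope carries only a policy id, so rights are looked up (and audited) at each use wherever the file is, and the owner can change them after sending; it also goes one step beyond the scenario with a time-limited grant, as in the contractor and due-diligence cases. The service, names and the constructed envelope are all hypothetical.

```python
from datetime import datetime, timedelta
# Hypothetical IRM policy service written for this post; not any vendor's product or API.
# The protected file carries only a policy id and an encrypted body; the usage rights live with
# the owner's policy service, so they apply wherever the file travels and can be changed later.
ACTIONS = {"view", "print", "edit", "forward", "copy"}

class PolicyService:
    def __init__(self):
        self.policies = {}  # policy_id -> principal -> (permitted actions, expiry or None)
        self.audit = []     # (time, principal, policy_id, action, allowed, reason)

    def protect(self, policy_id, owner):
        # Owner keeps every right, nobody else has any yet; the envelope is constructed
        # (a real product would hold real ciphertext and a wrapped content key here).
        self.policies[policy_id] = {owner: (set(ACTIONS), None)}
        return {"policy_id": policy_id, "ciphertext": b"<encrypted document body>"}

    def grant(self, policy_id, principal, rights, expires=None):
        # Owner-side change; works before or after the envelope has been sent.
        self.policies[policy_id][principal] = (set(rights) & ACTIONS, expires)

    def revoke(self, policy_id, principal):
        self.policies[policy_id].pop(principal, None)

    def authorize(self, env, principal, action, now):
        # Called by the viewing client before it decrypts or performs an action.
        grant = self.policies.get(env["policy_id"], {}).get(principal)
        if grant is None:
            ok, why = False, "no grant for principal"
        elif grant[1] is not None and now >= grant[1]:
            ok, why = False, "grant expired"
        elif action not in grant[0]:
            ok, why = False, f"{action} not permitted"
        else:
            ok, why = True, "allowed"
        self.audit.append((now, principal, env["policy_id"], action, ok, why))  # audit trail
        return ok, why

def demo():
    # Pratham protects a document, lets Ayesha view only, gives a contractor 30 days of view.
    svc, t0 = PolicyService(), datetime(2024, 1, 1)
    env = svc.protect("doc-1", "pratham")
    svc.grant("doc-1", "ayesha", {"view"})
    svc.grant("doc-1", "contractor", {"view"}, expires=t0 + timedelta(days=30))
    out = {"ayesha_view": svc.authorize(env, "ayesha", "view", t0),
           "ayesha_print": svc.authorize(env, "ayesha", "print", t0),
           "richa_view": svc.authorize(env, "richa", "view", t0),  # never granted
           "contractor_late": svc.authorize(env, "contractor", "view", t0 + timedelta(days=31))}
    svc.revoke("doc-1", "ayesha")  # owner changes his mind after the document was already sent
    out["ayesha_after_revoke"] = svc.authorize(env, "ayesha", "view", t0)
    return out, svc.audit
```

Every decision, allowed or denied, lands in the audit list, which is the monitoring and reporting side of the capability list above.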
Information Usage Control – Why & Where Should I Use It?
It's a world of collaboration, and moreover we talk about doing this without boundaries, i.e. irrespective of location. So to collaborate with you I need to share my information so that you can use it. (As a reminder, the modes of collaboration include emails and document libraries/repositories.)
So this is where I need a capability whereby I can share my information with you so that you can use it, but on the other hand I need control and a fine distinction so that it is not misused.
– E.g. financial and research-and-development information in the form of processes, physical and network drawings, test results etc. should be "used" by internal employees but not "misused" by being distributed to others or sent to unauthorized users inside or outside the organization boundaries.
– Another example: contractor teams working with the enterprise, or a prospective acquirer during a merger or acquisition transaction, should be usage-controlled, i.e. the information should be "used" for the required purpose but not "misused", i.e. distributed or viewed after the contract or due diligence period is over.
– Or information received from customers under an NDA should be "used" for the purpose of executing the project but not "misused" for any other project or for further distribution.
– Sometimes document libraries provide users with a large central repository in which to share and work with arbitrary business data; this can lead to users sharing information that should otherwise not be shared.
– And finally, we all know how many of us are in the situation of sending documents or emails with "internal only" or "do not forward" tags and assuming recipients are obedient. Moreover, what about the situations where every user broadcasts their individual comments on an email with reply all? Aren't those situations sometimes embarrassing, as well as security and privacy breaches?
Information Usage Control – Compliance & Framework?
Most regulatory and compliance frameworks, like ISO 27001, Sarbanes-Oxley, HIPAA, GLBA and PCI, have recommendations on specific controls that need to be put in place. Typical scenarios are:
– Sarbanes-Oxley section 404 mandates the implementation of internal controls governing personnel access to erroneous data. It also recommends protecting and tracking confidential data against unauthorized personnel.
– Mandates that oblige enterprises to be good custodians include contractual obligations like the Payment Card Industry Data Security Standard (PCI-DSS), as well as data breach and privacy laws.
Examples of custodial data include customer personally identifiable information (PII) attributes like name, address, email and phone number; government identifiers like passport number and Social Security Number; payment card details like credit card number and expiration date; and medical records.
After this discussion, we are able to understand the objectives, benefits, use cases and drivers of an information usage control solution, how it differs from DLP solutions, and how it can actually complement them.
Having worked with both IRM and DLP solution providers, I will soon try to cover information protection from the DLP angle as well.
Hoping you enjoyed reading this. Do provide your feedback using the 'Like' button or share your comments!