Information Rights Management is the new form of encryption that embeds protection directly within sensitive data files and e-mails themselves, so that wherever those files and e-mail travel, even if they leak outside the company into an enemy’s hands, the data is protected. The enemy can’t do anything with it. Only authorized users are ever able to decrypt and use the data.
Faced with today’s continual stream of high-profile data leaks, we believe Information Rights Management is the future of data protection, and a host of analysts, evangelists and emerging vendors agree.
One question that often comes up is – in Information Rights Management, how do you ensure that the right level of protection is consistently applied to sensitive data in the first place?
For example, do you apply protection to every piece of data, or only to certain sensitive data? Who decides what is sensitive and what’s not sensitive? Does an administrator apply protection to the data, or do individual users apply protection to their own data? Can protection be applied automatically, by smart algorithms based on the nature of the data?
Do you apply protection to every piece of data, or only to certain sensitive data?
Data protection experts agree that not all data is created equal, and therefore it makes sense to identify and classify different types of data and treat each class of data differently. For example, a company may want to encrypt and lock down highly confidential data that includes personally identifiable information (PII), personal financial information (PFI), and sensitive intellectual property, ensuring that only a small group of employees at the company may have access to that data. The same company might want to identify more broadly any HR confidential data and simply ensure it doesn’t get shared beyond the company perimeter. And it may also want to identify publicly available information and put little-to-no restriction on that data at all, to ensure anyone can use the data and share it.
Fundamentally, this comes down to identifying and classifying data and then applying different data protection strategies to each class of data.
Gartner indicates that Information Rights Management (which it calls EDRM) is the “technical embodiment of data classification policies. Although it’s possible to deploy an EDRM solution without a formal data classification policy (e.g., when protecting sensitive emails from the unauthorized eyes of other users and system administrators), the intent of most organizations looking to deploy EDRM is beyond this basic use case. For these, a well-defined data classification that is understood by users is critical to the success of EDRM.”
There are companies that specialize in data identification and classification technology. Microsoft, for example, acquired such a company called Secure Islands to enhance its legacy Information Rights Management product with classification capabilities. In November 2017, Netskope announced a partnership with Vera (for Information Rights Management) and TITUS (for classification).
Who decides how data is classified and protected?
There are several approaches.
One philosophy is that the content author/owner typically knows the content best and should be allowed to classify the data themselves. Some classification solutions prompt the user to classify each e-mail and document they author, so that the correct protection can then be applied. Advantages of this approach include engaging employees in understanding the sensitivity of the data they are authoring, which raises their awareness of security best practices, and it is typically more accurate than classifying data programmatically. A disadvantage is that the user is prompted to classify everything they create, which could slow them down.
Another option is to classify data programmatically. In 2018 this will increasingly be done using sophisticated machine learning algorithms that scan the data for PII, PFI and other keywords that indicate data sensitivity. Advantages include potential ease of use, but the disadvantage is that it can generate incorrect classifications when the algorithm gets it wrong (encrypting and locking down data that should be freely accessible, or worse, classifying sensitive data as ‘public’ and allowing it to be shared freely).
Then there are middle-ground options. For example, a machine learning algorithm could be set to classify programmatically any data for which it has a confidence level of 90% or higher, but prompt the user to classify manually any data it is less sure about. In some scenarios, administrators can enforce a ‘highly confidential’ classification on all data related to a particular project: for example, any document related to M&A must go in a shared folder that automatically enforces a highly confidential classification and protection policy.
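As an added example (not code from this post or from any vendor named in it), the following Python sketches that middle-ground policy: a constructed set of regex detectors with illustrative confidences stands in for the machine learning classifier, the 90% threshold decides between classifying automatically and prompting the user, and an admin-enforced folder policy (the M&A case) overrides both. All detector patterns, confidences, label names and folder paths are assumptions made for the example.

```python
import re
from enum import IntEnum

class Label(IntEnum):
    """Classification levels, ordered from least to most restrictive."""
    PUBLIC = 0
    INTERNAL = 1
    HIGHLY_CONFIDENTIAL = 2

AUTO_THRESHOLD = 0.90  # the post's 90% cut-off for automatic classification

# Constructed, hypothetical detectors: (name, pattern, label, confidence).
# The confidences are illustrative, not measured from any real classifier.
DETECTORS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), Label.HIGHLY_CONFIDENTIAL, 0.95),
    ("card_number", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), Label.HIGHLY_CONFIDENTIAL, 0.92),
    ("hr_keyword", re.compile(r"\b(?:salary|performance review)\b", re.I), Label.INTERNAL, 0.60),
    ("press_release", re.compile(r"\bfor immediate release\b", re.I), Label.PUBLIC, 0.93),
]

# Hypothetical admin-enforced folder policies (the post's M&A example).
ENFORCED_FOLDERS = {"/projects/m-and-a/": Label.HIGHLY_CONFIDENTIAL}

def score(text):
    """Return (label, confidence) for the most restrictive label any detector fired on.

    With no signal at all we report PUBLIC with low confidence, so the caller
    prompts the user instead of silently releasing possibly sensitive data."""
    hits = [(label, conf) for _, pat, label, conf in DETECTORS if pat.search(text)]
    if not hits:
        return Label.PUBLIC, 0.50
    top = max(label for label, _ in hits)
    return top, max(conf for label, conf in hits if label == top)

def classify(text, path=""):
    """Decide (label, confidence, source); source is 'folder', 'auto' or 'prompt'.
    'prompt' means the label is only a suggestion the user must confirm."""
    for prefix, label in ENFORCED_FOLDERS.items():
        if path.startswith(prefix):
            return label, 1.0, "folder"   # admin policy overrides the algorithm
    label, conf = score(text)
    if conf >= AUTO_THRESHOLD:
        return label, conf, "auto"
    return label, conf, "prompt"

if __name__ == "__main__":
    samples = [  # constructed sample documents and their storage paths
        ("Customer SSN 123-45-6789 on file", "/shared/"),
        ("Q3 salary bands attached", "/hr/"),
        ("FOR IMMEDIATE RELEASE: new product", "/marketing/"),
        ("Lunch menu for Friday", "/projects/m-and-a/term-sheet.docx"),
    ]
    for text, path in samples:
        print(path, classify(text, path))
```

When a public-looking signal and a sensitive one both fire, the most restrictive label wins, which is the direction of error the post prefers (locking down public data is recoverable; releasing sensitive data is not).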
Can I use Information Rights Management without Classification?
Yes. Although a well-established classification program is the ideal way of driving Information Rights Management, some vendors support a variety of other options to trigger IRM encryption:
- From e-mail server rules. For example, Microsoft Exchange rules can trigger protection when they detect that a particular e-mail or attachment contains sensitive information, is being sent to a particular user or group, or is stored in a particular e-mail folder.
- When data is uploaded to a shared folder. Whenever a document is placed in the shared folder, that could automatically trigger protection of the document following the shared folder’s policy.
- Via Data Loss Protection (DLP). If a company’s DLP technology detects sensitive data, it could apply IRM protection to that data following a pre-defined policy.
- Via Cloud Access Security Brokers (CASB), such as Palo Alto’s Aperture, which can scan the data and then decide which data needs to be protected with Information Rights Management.
- Or simply by offering the user a UI option such as a “Send Secure” button for e-mail (as opposed to “Send”), or a “Save Secure” button for documents (as opposed to “Save”). Note that this can be error-prone, as users will often forget or avoid the “Send Secure” button.
Whether using data classification or any of the above options to identify sensitive data and apply IRM encryption to it, the important thing is to establish a data protection policy based on the different types of data, and a company culture in which employees know the data protection policies in use and what is expected of them when authoring and accessing data. Without this, a company could make a considerable investment in Information Rights Management and get little value from it, because the protection is not applied correctly and consistently across the organization.