Traditional data protection has been about securing data behind the corporate perimeter, locking down IT systems and endpoints with firewall and data loss prevention (DLP) technology. But going into 2018, there is an increasing recognition that traditional data protection is not working. Given the new realities of cloud, shadow IT, BYOD, increasing collaboration with 3rd parties, and “last mile” endpoints like USB devices, no matter how well you secure data behind the perimeter, your data will eventually leak.
In its DLP Magic Quadrant analysis in February 2017, Gartner said, “At present, even with extensive DLP coverage across endpoints, networks and data repositories, there are still gaps and data flows where data can leak. The better answer is a data security strategy focused on securing the data itself, as opposed to trying to secure every system that comes in contact with sensitive data.”
What Gartner is talking about is a revival of Information Rights Management (IRM) technology that embeds encryption directly in a company’s valuable data assets themselves – their sensitive files and e-mails – so that even if the data does leak beyond the perimeter, it’s still protected.
We expect that the Information Rights Management paradigm will start to go mainstream as of 2018. Here’s a look at what to expect.
Emerging IRM Vendors, Big and Small
For Information Rights Management to go mainstream, there needs to be a growing movement of analysts and vendors evangelizing this technology that embeds protection into sensitive data, so that even if the data leaks, that protection follows it wherever it goes. And this is happening.
Large companies like Microsoft are increasingly advertising their legacy RMS solution under the new name Azure Information Protection, or AIP. Startups like Cloozo, Vera and Seclore are also gaining momentum, with Vera landing a major deal to protect GE’s sensitive CAD data in October 2017. Expect to see more players emerge and more major wins in 2018.
In How to Select the Right EDRM Solution, Eric Ouellet of Gartner says “Organizations need to assess data protection solutions for their ease of use and suitability for their end-user and administrative populations […] This is the capability that will affect the success of deployments the most, and it should be weighted most heavily in the evaluation.”
Many of the emerging Information Rights Management vendors in 2018 will lead with a message about great user experience, and we will begin to hear about their different approaches to it. The best IRM tools will integrate transparently into current business workflows. Users should not have to deal with a new user experience or require a lot of training to start protecting important business information. Transparent integration into Microsoft Outlook and Office is very important, as these are the primary business tools for most workers. An example of a workflow change that could confuse users would be an IRM that requires the user to use a different Send button (other than the normal Outlook Send) when they want to protect an email. The optimal situation is for the protection to be transparent to the user. Integration of Information Rights Management with classification tools seems to be a trend that makes IRM easier to use: the user only has to decide on the appropriate classification of the information, and the protection is applied transparently.
We outline an in-depth look at the User Experience of data protection in a previous post here.
Supply Chain Security
CSO Online lists supply chain attacks as one of the major data threats of 2018. Even small-to-medium-sized businesses can have hundreds of collaborating partners and suppliers, and with traditional perimeter security, all it takes is one of your partners accidentally leaking data to compromise your most sensitive data.
Information Rights Management solutions take a different approach where they protect the data itself so that even if a supply chain partner is hacked or accidentally leaks your data into the wrong hands, the data itself is still encrypted and protected.
In practice, however, most IRM vendors today don’t easily support external partners, severely limiting the promise of protecting data wherever it goes. Microsoft RMS, for example, requires collaborating partners to use their Active Directory identities, and even then configuring the system to recognize different companies’ identities seamlessly is reportedly a challenge. This can frustrate partners and slow down the speed of business, forcing users to find insecure workarounds.
In contrast, vendors are extending support beyond Active Directory to a new ecosystem of identity management standards. This includes players like Ping and Okta in the enterprise world, SAFE-Biopharma in the medical space, as well as the OAuth standard implemented by the likes of Google and LinkedIn.
As concern for supply chain security grows, expect IRM vendors to tackle how they tap into the identity management ecosystem to ensure data is protected, but still usable, across the entire supply chain. For more on this topic in depth, see our article on protecting data from leaking in the supply chain here.
A New Paradigm Requires Education
Information Rights Management promises a new paradigm of data protection for the modern cloud age, but for many vendors today it falls on deaf ears. Jeremy Wittkop, CTO of InteliSecure, told me “IRM solutions are the future of data security. But for them to go mainstream we need to pitch them as an extension of more familiar content analytics and data classification technologies. I think much of the resistance to adopting technologies like this is based on both a lack of understanding of the true challenges associated with data security and the unwillingness to abandon technologies that organizations have invested so much in. There’s a significant amount of education that needs to take place and many executives are desperate for an easy solution.”
Wittkop goes on in his post on The Future of Information Security: “These are exciting capabilities, but it also necessitates that organizations think of protecting their information in new and far more comprehensive ways, deciding not only to block or allow information to traverse a network segment at a specific moment of time. They must also define the parameters of acceptable use of information for both internal and external users. In most organizations this has never been done before.” In 2018, expect vendors, analysts, and consultants to emphasize training and education on data protection best practices, such as the development of these data protection policies, and expect a common industry terminology to emerge.
Success at Scale
As with any emerging paradigm, especially in the security world, Information Rights Management technology will not go mainstream until it has been proven to work at a large scale.
Shaun Marion, CISO of Honeywell, told me “Honeywell has 140,000 employees, about 90,000 of which have some form of device (laptop, desktop, phone, etc.). Several months back, we announced the divestiture of two large businesses which will take that number down to about 70,000 devices. Imagine in the future we make another acquisition. I have to prepare to balloon from 70,000 to 100,000+ within a matter of months. The tools we have need to be able to flex to that level.”
Expect IRM vendors in 2018 to be testing the scale and the variety of successful deployments, driven by innovative enterprises that see the potential and will partner with these vendors to help them get to scale. In addition, GDPR regulations will drive even very large enterprises to adopt IRM because, long-term, IRM is a natural fit for GDPR’s encryption, “privacy by design”, and “privacy by default” requirements (see here).