
Advantages of Using SaaS Based Information Rights Management

InfoSecurity Europe : 01 April, 2010  (Technical Article)
Mush Hakhinian of IntraLinks discusses methods of protecting enterprises from accidental data leakage with emphasis on the use of Information Rights Management based on a Software-as-a-Service model

Data leaks are one of the chief threats facing enterprise IT managers today and Information Rights Management (IRM) technologies are perfectly designed to protect the enterprise by effectively reducing and/or eliminating the risk of accidental leaks.

IRM solutions based on software-as-a-service (SaaS) delivery models offer three major advantages over in-house implementations when it comes to securing information in use. First, IRM is non-intrusive since it is enabled through viewer extensions or plug-ins (rather than the host-based agents that in-house products employ). Second, version updates of extensions require little or no IT staff involvement. Third and last, SaaS-based IRM solutions have the flexibility to cover most popular file types used in productivity applications (e.g. Excel, Word and PDF formats) without being limited to any one vendor.

Despite these benefits of SaaS IRM solutions, there are some potential weaknesses that are common to all IRM solutions, whether they are in-house or SaaS-based.

Traditional methods of protecting information within a well-established perimeter often fail because the data from a larger enterprise is dispersed all over the business and documents need to be accessible 24/7. While most existing products consistently protect from accidental or unintentional document leaks, protecting against data theft comes down to the best approach for protecting the information being regularly accessed from various points across the enterprise, or 'information in use.' Let's take a closer look at ways this can be achieved:

Encryption - Most organizations can easily protect information in transit by securing browser-to-server communication via SSL with strong encryption. Protecting information at rest, however, requires a few more steps. First, developers need to centralize the storage of critical information and build in authorization for every access request. Second, the appropriate cryptographic protection needs to be developed through strong algorithms and long keys. A very interesting problem is presented by the requirement to protect the information in use. Here the decryption process itself must be portable and available at the point of viewing.

Data Ownership and Access - Some vendors have developed proprietary viewers for files to protect their information in use - a version of "security by obscurity" - while others implement extensions for browsers or productivity tools, such as document editors and electronic spreadsheets, which are able to decrypt file content as needed. Many of these solutions have additional features allowing data owners to apply centralized policies or user rights to individual files, where each file can have permissions set up for 'view-only,' 'view and print' or 'disable printscreen' and combinations of those functions. In the best of these solutions, the encryption keys and permissions are stored on a proprietary server and get securely downloaded on demand. Those permissions can be removed even after the document has left the enterprise perimeter and changes take effect immediately, allowing the owners to maintain control of the content.
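The on-demand key release and immediate revocation described above can be sketched as follows. This is an added example, not IntraLinks code or any vendor's API: the `PolicyServer` class, the `open_document` viewer function, the rights model and the sample file name are all hypothetical, and deriving each document key from a server-side master key with HMAC-SHA256 is one assumed way to tier keys.

```python
import hashlib
import hmac
import secrets

# Two of the rights named in the article; modelling them as a set is an assumption.
VIEW, PRINT = "view", "print"


class PolicyServer:
    """Hypothetical IRM policy server: keys and rights live here, not in the file."""

    def __init__(self):
        self._master = secrets.token_bytes(32)  # top tier, never leaves the server
        self._rights = {}                       # (doc_id, user) -> set of rights
        self.audit = []                         # one record per access request

    def _doc_key(self, doc_id):
        # Lower tier: per-document key derived from the master key.
        msg = b"doc-key:" + doc_id.encode()
        return hmac.new(self._master, msg, hashlib.sha256).digest()

    def grant(self, doc_id, user, rights):
        self._rights[(doc_id, user)] = set(rights)

    def revoke(self, doc_id, user):
        self._rights.pop((doc_id, user), None)

    def request_key(self, doc_id, user):
        """Authorize a single open; release key and rights only if VIEW is held."""
        rights = self._rights.get((doc_id, user), set())
        allowed = VIEW in rights
        self.audit.append((doc_id, user, "granted" if allowed else "denied"))
        return (self._doc_key(doc_id), frozenset(rights)) if allowed else None


def open_document(server, doc_id, user):
    """Viewer plug-in side: ask the server on every open, cache nothing."""
    released = server.request_key(doc_id, user)
    if released is None:
        return "denied"
    _key, rights = released  # the key would be used for in-memory decryption only
    return "view+print" if PRINT in rights else "view-only"


def demo():
    server = PolicyServer()
    doc = "q3-forecast.xlsx"  # constructed sample document id
    server.grant(doc, "alice", {VIEW})
    server.grant(doc, "bob", {VIEW, PRINT})
    before = [open_document(server, doc, u) for u in ("alice", "bob")]
    server.revoke(doc, "bob")  # the file itself may already be outside the perimeter
    after = open_document(server, doc, "bob")
    return before, after, server.audit
```

Because the viewer holds no key between opens, the revocation takes effect on the very next request, and the audit list records the denied attempt alongside the earlier grants.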

Watermarking - However, IRM alone does not provide protection from data thieves who use video equipment or screen capturing techniques to get illegal copies of documents. IRM needs to be combined with robust watermarks where it can enforce read-only access to the file content. This type of digital watermarking has proven to be an effective deterrent against data theft with in-house as well as SaaS solutions.

Curtains - Other vendors have recently started offering technologies that obscure the document view so only a small area around the mouse cursor is visible. This type of functionality might also close a curtain over the browser when the focus is lost to protect from screen capture or what some call "shoulder surfing." While the curtain is useful against older screen capture technologies and is not as intrusive, it does not always protect from newer screen capture products that have built-in capturing delays. From a user perspective, curtain technology obfuscates your view to the point it is either annoying or even unusable (in the case of complex diagrams). This kind of protection often punishes legitimate users and does very little to protect the data, so it should be implemented with care and at least be configurable.

In conclusion, good IRM deployment will protect against all accidental document leaks both inside and outside the enterprise with on-the-fly decryption of files. Robust watermarking combined with granular access control and auditing capabilities will deter most data thieves.

A preferred IRM solution will cover close to 100% of the document types used in everyday business activities across two or three vendors (and also offer easy conversion utilities for unsupported document types). It will not only have modern cryptographic protection (including tiered key management), but will also have externalized the encryption algorithm and key strength, allowing for quick changes to cryptography. In short, IRM must be easy on the user, creating as little footprint as possible.

IRM makes sure there are no unprotected copies of the documents left on client machines, and how well it does this - not how well it showcases the product - should be the main criterion to judge this technology.

IntraLinks is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27th - 29th April in its new venue Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise.
