Information Rights Management

23.07.2007 14:29 Martin Kuppinger
Shabbily treated IRM
Information Rights Management and Risk Management are closely bound up with one another
In each of the webinars held on the results of our 2006 market study, I got stuck on something which is also the subject of lively discussions within KPC: Why is it that Information Rights Management, as one of the “future issues”, is not believed to be as important as other topics? I myself, though, am convinced that it is no less relevant than, for example, Identity Federation.

Well, the issue of accessing information, which is what it is all about, has long been a matter of particular interest to me. I am talking about access to information not only when it is available on a server, but to information in general, at any time, especially when the data is passed on. In this context, I am somewhat irritated by the minor attention paid to this problem, and I would like to take up the cudgels for it in this article.

I guess everybody knows this situation: the e-mail is written and we press the send button. But then we doubt whether this was reasonable, because we fear that the e-mail might be passed on to someone else. This is a case for Information Rights Management (IRM), a close relative of Digital Rights Management (DRM). Whereas the latter aims at copyright protection only, IRM is designed to protect any digital information we produce and do not want to get into the hands of just anybody.

IRM is also closely related to ILM (Information Lifecycle Management). Primarily, the business of ILM is storage, that is, the end of the lifecycle, ignoring what actually happens to information during its lifecycle. As far as I can see, IRM should be one of the top issues for enterprises. I am writing “should” because the number of firms attending to it at least in part, let alone having a strategy at hand for cross-enterprise usage, is very small.

For both aspects, “why should we use it” as well as “why isn't it used”, there are some good reasons. IRM is part of Risk Management in enterprises when it comes to protection against the abuse of digital information. I wonder what Bill Gates would have given to prevent some of his e-mails, used in the suits against Microsoft some years ago, from becoming public. Or just think of internal documents becoming public, or building plans used by Chinese competitors.

Nowadays, enterprises must be able to control which information is passed to which persons and how it is used. IRM protects information and controls, for example, who is allowed to read, print or forward an e-mail. But this requires very tight integration with applications.

Admittedly, IRM is a rather complex subject. Ordinary applications are generally not capable of handling security data. In order to protect an e-mail, we have to encrypt it. Only after decryption should it be possible to access the application, with its use restricted to defined actions, for example printing, but not forwarding.

As to the integration with applications, the software producers unfortunately have not yet managed to arrive at a common solution. Although XACML is a format with which access control lists can be described, it cannot be regarded as a real standard. In other words: you may use the Microsoft solution, the Adobe solution or a solution from one of the few other vendors supporting IRM. But realizing a consistent strategic plan in the enterprise has not been possible up to now.

Microsoft has solved this problem in the Office environment for end users in a relatively satisfying way, and its iPod rival Zune uses another approach we will soon have the opportunity to look at in detail. But both conception and administration are still rather complex. Users sticking strictly to a Microsoft world are able to get along quite well at the Office level. But building plans and other valuable intellectual property are not addressed. There is of course a reason for the administrative complexity: first of all, you need a PKI because the documents must be signed, encrypted and decrypted. This alone is quite a challenge. A further requirement is that the PKI cooperates smoothly with the IRM infrastructure.

Well, what can be done? Ignoring the problem is obviously not the answer in the long run, for we are talking about a central point of every compliance strategy. Therefore my recommendation is to develop a multi-stage strategy: First, rules must be defined for handling digital information. After this, the realization of selected solutions may be addressed, depending on the applications used. Some of them must be established as strategically “predominant”, a decision which must be re-examined in the course of further standardization.

In the opinion of KPC, it will take another three to five years until the first pioneers tackle the fourth stage: a consistent IRM concept across the applications of diverse manufacturers.

Even if the products actually existing today are far from being able to solve the problems, one thing is indisputable: not taking IRM seriously today amounts to gross negligence. My colleague Jörg Resch, who likes to play the devil's advocate, rightly pointed out in one of our discussions that IRM might serve as a basis on which investments in elements of an Identity Management infrastructure, like PKIs, smartcards and others, can be well justified. I can't think of a decision-maker who wants to be the one to be blamed if data and know-how of the enterprise are not properly protected.

© 2012 KuppingerCole