Tuesday, January 08, 2008

DRM and ILP

Once you have identified your sensitive information, you need to do something about it. The worst position to be in is to have found sensitive information in places where it does not belong without a solid business plan for remediating it.

Unprotected sensitive information is also available to the malicious insider, and it is important to balance security needs and productivity needs. A balanced solution can be reached by combining DLP solutions, classification solutions, entitlement solutions, and protection solutions.

The best way to protect sensitive information is to manage the entitlements to the information as well as placing security controls on the information itself. Entitlement management is hard to achieve unless you can enlist the owner or custodian of the information to manage the entitlements. However, if you ask them to manage both the entitlements and the encryption of the information, you will not be successful unless you automate the solution for the custodian.

If you put a classification system in place, you can manage both via automation. However, it is also important to evaluate the encryption technology you want to use. Encryption File System (EFS) may not necessarily be the best solution: when information is copied from one repository to the next, the encryption is lost, exposing the document.

Digital Rights Management (DRM) is a better solution, as the document is protected the entire time: at rest, in transit, and in use. One drawback is that DRM solutions may not necessarily protect all documents.

One DRM solution to consider is Individual Rights Management (IRM), which is capable of protecting Microsoft Office documents. IRM works in conjunction with the Rights Management Server (RMS). With such a solution, you can protect Excel spreadsheets, Word documents, PowerPoint decks and other document types. IRM also works on documents retrieved from SharePoint when IRM is enabled in SharePoint.

A comprehensive solution will use the information from the DLP solution to apply the correct classification level to the repository where the documents are found. The entitlement solution will then restrict the number of users allowed access and require re-validation of entitlements on a periodic basis. Finally, the protection solution will place IRM protection on the documents.

IRM protection can prevent unauthorized copying, printing and forwarding of documents. It can also be used to control the lifecycle of a document by setting an expiration date on it.
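The classification-driven automation described above (DLP findings, then repository classification, then entitlement re-validation, then protection with an expiration date) can be sketched as follows. This is an added example, not code from the original post or from any product; the level names, intervals, repository names and users are all assumptions made for illustration.

```python
from datetime import date, timedelta

# Assumed policy table (not from the original post): per classification level,
# (entitlement re-validation interval in days, document expiry in days).
# None means "no re-validation" / "no IRM-style protection applied".
LEVELS = ["public", "internal", "confidential", "restricted"]
POLICY = {"public": (None, None), "internal": (365, None),
          "confidential": (180, 365), "restricted": (90, 90)}

def classify(findings):
    """Repository level = highest level among its DLP findings."""
    levels = {}
    for repo, level in findings:
        current = levels.get(repo, "public")
        levels[repo] = max(current, level, key=LEVELS.index)
    return levels

def revalidate(users, level, today):
    """Keep only users whose last custodian attestation is still in date."""
    interval = POLICY[level][0]
    if interval is None:
        return dict(users)
    cutoff = today - timedelta(days=interval)
    return {u: attested for u, attested in users.items() if attested >= cutoff}

def protection(level, today):
    """Rights to stamp on documents: block copy/print/forward, set expiry."""
    expiry = POLICY[level][1]
    if expiry is None:
        return None
    return {"copy": False, "print": False, "forward": False,
            "expires": today + timedelta(days=expiry)}

def plan(findings, entitlements, today):
    """DLP findings -> classification -> entitlement review -> protection."""
    return {repo: {"level": level,
                   "users": sorted(revalidate(entitlements.get(repo, {}), level, today)),
                   "protection": protection(level, today)}
            for repo, level in classify(findings).items()}

# Constructed sample data: (repository, level) DLP hits and last-attested dates.
TODAY = date(2008, 1, 8)
FINDINGS = [("hr-share", "confidential"), ("hr-share", "restricted"),
            ("wiki", "internal")]
ENTITLEMENTS = {"hr-share": {"alice": date(2007, 12, 1), "bob": date(2007, 6, 1)},
                "wiki": {"carol": date(2007, 3, 1)}}

if __name__ == "__main__":
    for repo, actions in plan(FINDINGS, ENTITLEMENTS, TODAY).items():
        print(repo, actions)
```

A finding with a level outside the assumed list raises an error rather than defaulting to a lower classification, so a misconfigured DLP feed cannot silently weaken protection.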
