Information Rights Management (IRM)
Information rights management (IRM) describes the application of digital rights management tools and techniques to files created by individuals.
- aka:
  - enterprise rights management
  - document rights management
  - intelligent rights management
- uses specific controls that act alongside the organization's other access control mechanisms
- works at the file level
- used to control data throughout its lifecycle
IRM Objectives
- Data rights
  - rights describe the actions that authorized users can take on a given asset
  - and how those rights are set, applied, modified, and removed
  - creating, editing, copying, viewing, accessing, printing, forwarding, and deleting are common rights controlled by IRM
- Provisioning
  - provisioning rights for users in IRM systems is critical to ensuring that use of IRM does not disrupt business operations
  - need to create roles and groups
  - granular control adds complexity
- Access models
  - a critical aspect of the design and implementation of IRM
Certificates
- certificates and licenses are a common method of identifying users and computers in an IRM system
  - licenses describe the rights the users have to the content they are attached to
  - certificates are used to validate the identity of the user or computer
- needs:
  - a central certificate management system
  - a way to check the status of a certificate
IRM in the Cloud
- IRM capabilities exist natively in many cloud platforms
  - example:
    - in Azure, IRM can be found in tools like the SharePoint administration center
      - Azure Rights Management allows you to control document libraries, lists, and a range of supported file types
      - encrypts files
      - each file uses licensing information included with it to determine what rights individuals have on it
- IRM attached to files requires local clients or web apps that support IRM
IRM Tool Traits
- material protected by IRM typically requires labeling or metadata
- some ways IRM can be applied:
  - Rudimentary reference checks
    - the content itself can automatically check for proper usage or ownership
    - e.g., a video game that pauses operation and asks for a code from a validly licensed copy
  - Online reference checks
    - Windows OS and Office programs are often locked, requiring the user to enter a product key at installation
    - the program then checks the key against an online database
  - Local agent checks
    - the user installs a reference tool that checks the protected content against the user's license
    - e.g., gaming engines like Steam
      - when installing a game, the Steam agent checks the user's system against an online license database
  - Support-based licensing
    - predicated on the need for continual support for content
    - commonly true of production software
    - licensed software might allow ready access to updates and patches
    - unlicensed versions may be prevented from getting updates and patches
- IRM can use its own access control
- IRM can be used to implement localized security policies
Challenges of IRM in the Cloud
- employing IRM in the cloud can introduce challenges:
  - Replication restrictions
    - IRM often involves preventing unauthorized duplication
    - the cloud necessitates replicating virtualized host instances
      - including user-specific content on the hosts
    - so IRM can interfere with automatic resource allocation
  - Jurisdictional conflicts
    - the cloud extends across boundaries
    - can pose problems when IP rights are restricted by locale
  - Agent/enterprise conflicts
    - IRM solutions that require local installation of software agents for enforcement may not always function properly in a cloud environment, with virtualized engines, or with BYOD platforms
  - Mapping IAM and IRM
    - IAM and IRM processes might conflict
      - due to the extra layer of IRM access controls
      - especially possible if using a CASB
  - API conflicts
    - the IRM tool is often incorporated into the content
    - use of the material may not offer the same level of performance across platforms
      - e.g., content readers or media players
IRM Functions
- Persistent protection
  - IRM should follow the content it protects
    - regardless of where it is located, whether it is duplicated, or how it is used
- Dynamic policy control
  - IRM should allow content creators and data owners to modify ACLs and permissions for data under their control
- Automatic expiration
  - digital content will not be protected in perpetuity
    - IRM protections should cease when the legal protections cease
  - licenses also expire
    - access and permissions should also expire
- Continuous auditing
  - IRM should allow for comprehensive monitoring of content's use and access history
- Replication restrictions
  - IRM should enforce restrictions on the many forms of copying that exist
    - including screen-scraping, printing, electronic duplication, email attachment, etc.
- Remote rights revocation
  - the owner of the rights to content should have the ability to revoke those rights
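As an added illustration (not from these notes or from any vendor's product), a small Python model of the IRM functions listed above: a license that travels with the file and names the user's rights, automatic expiration, remote revocation by the owner, and an audit trail of every access decision. The License and IRMService names and the user, file and date values are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

RIGHTS = {"create", "edit", "copy", "view", "access", "print", "forward", "delete"}

@dataclass
class License:           # travels with the file: who may do what, until when
    file_id: str
    user: str
    rights: set
    expires: datetime

@dataclass
class IRMService:        # hypothetical policy point for revocation and auditing
    revoked: set = field(default_factory=set)   # (file_id, user) pairs revoked remotely
    audit: list = field(default_factory=list)   # continuous auditing trail

    def revoke(self, file_id: str, user: str) -> None:
        self.revoked.add((file_id, user))       # remote rights revocation by the owner

    def check(self, lic: License, user: str, action: str, now: datetime):
        """Evaluate one action against the file's license; every decision is logged."""
        if action not in RIGHTS:
            reason = "unknown-right"
        elif user != lic.user:
            reason = "wrong-user"      # license is bound to one identity
        elif (lic.file_id, user) in self.revoked:
            reason = "revoked"         # owner pulled the rights after issuance
        elif now >= lic.expires:
            reason = "expired"         # automatic expiration
        elif action not in lic.rights:
            reason = "not-granted"     # right never provisioned for this user
        else:
            reason = "ok"
        self.audit.append((now.isoformat(), lic.file_id, user, action, reason))
        return reason == "ok", reason

def demo() -> tuple:
    # Constructed scenario: alice may view and print doc-42 until 2030.
    svc = IRMService()
    lic = License("doc-42", "alice", {"view", "print"}, datetime(2030, 1, 1, tzinfo=timezone.utc))
    t, later = datetime(2025, 6, 1, tzinfo=timezone.utc), datetime(2031, 1, 1, tzinfo=timezone.utc)
    outcomes = [svc.check(lic, "alice", "view", t)[1],      # ok
                svc.check(lic, "alice", "copy", t)[1],      # not-granted
                svc.check(lic, "bob", "view", t)[1],        # wrong-user
                svc.check(lic, "alice", "view", later)[1]]  # expired
    svc.revoke("doc-42", "alice")
    outcomes.append(svc.check(lic, "alice", "view", t)[1])  # revoked
    return outcomes, len(svc.audit)
```

Note that the denial reasons are ordered so that a revoked license is reported as revoked even when it has also expired, and that denied attempts are written to the audit trail as well as successful ones.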