Command and Control
At the core of any IRM system is the policy server where you define a set of rights as broadly or narrowly as you require. Webster says the way the technology companies approached this was to use a process in which the document would "phone home" to the policy server. "A user who wants to use information in a document has to call the [policy] server to get rights," she says. According to David Mendel, senior product marketing manager for content management and archiving at EMC (which purchased IRM vendor Authentica in 2006), the policy server provides the ability to set policies dynamically. "There is a separate policy server on which encryption keys and the policies are stored. That’s important," Mendel says, "because this is what allows for dynamic policy control, which is what you need in a business setting." This makes it possible to change policies on the fly over time, even completely revoking the ability to open the document if needed.
Webster provides an example: If a company is taking bids to outsource its manufacturing overseas, it has to share designs and drawings with potential manufacturers. The company, she explains, has to give enough information for these manufacturing companies to make a meaningful bid. "If you send this information to half a dozen companies, you want to be able to revoke the access after you make a decision for those you didn’t pick." She says that using a policy server forces recipients to access the server periodically to open the document. If you revoke the rights, the next time they try to open the document, it will no longer open.
Documents can also be configured to work even when there is no internet access to enable contact with the policy server. Webster says it’s not necessarily constant control if you don’t want it to be. "There is this notion of conditional access, if you will. It’s not up to the minute, but you could generate a file that had to access on every [use] or you could generate a file that has to tag back up on certain time intervals to continue access."
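The phone-home check, revocation and timed offline access described above, modelled as an added Python example (not code from any vendor named in the article). The class names, the lease structure and the `offline_seconds` setting are assumptions made for illustration.

```python
import os

class PolicyServer:
    """Constructed model of a policy server; not any vendor's API."""
    def __init__(self):
        self.keys, self.policy = {}, {}  # doc_id -> content key / policy

    def protect(self, doc_id, users, offline_seconds=0):
        # offline_seconds=0 means the client must check in on every open
        self.keys[doc_id] = os.urandom(32)
        self.policy[doc_id] = {"users": set(users), "offline": offline_seconds}

    def revoke(self, doc_id, user):
        self.policy[doc_id]["users"].discard(user)

    def request_lease(self, doc_id, user, now):
        p = self.policy[doc_id]
        if user not in p["users"]:
            return None
        return {"key": self.keys[doc_id], "expires": now + p["offline"]}


class Client:
    """Viewer plug-in model: caches a lease, phones home when it lapses."""
    def __init__(self, user, server):
        self.user, self.server, self.leases = user, server, {}

    def open(self, doc_id, now, online=True):
        lease = self.leases.get(doc_id)
        if lease and now < lease["expires"]:
            return "opened (cached lease)"
        self.leases.pop(doc_id, None)  # lapsed: discard the cached key
        if not online:
            return "denied (lease expired, server unreachable)"
        lease = self.server.request_lease(doc_id, self.user, now)
        if lease is None:
            return "denied (no rights on server)"
        self.leases[doc_id] = lease
        return "opened (fresh lease)"


def demo():
    server = PolicyServer()
    server.protect("design.pdf", {"bidder_a", "bidder_b"}, offline_seconds=3600)
    b = Client("bidder_b", server)
    results = [b.open("design.pdf", now=0)]            # first open, online
    results.append(b.open("design.pdf", now=600, online=False))
    server.revoke("design.pdf", "bidder_b")            # bid lost at t=700
    results.append(b.open("design.pdf", now=1200))     # lease still valid
    results.append(b.open("design.pdf", now=3600))     # lease lapsed
    return results
```

Calling `demo()` shows the trade-off in the offline interval: the revoked bidder can still open the file until the cached lease runs out, so the interval is also the longest time a revocation can go unenforced.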
Companies can establish policies in whatever organizing principle makes the most sense. Landwehr suggests creating policies in the same manner as old paper document designations, such as stamping a file Confidential. "You can tie a policy to a document where the policy would be defined in human-friendly terms like ‘Company Confidential’ or ‘Board of Directors Restricted’ and within that policy define the authorized users and groups and what permissions they have," he says.
Gaudet prefers to look at it from a role-based perspective—which roles have access to this document. "We built a series of best practices and we have a methodology we developed. Right now you have no protection. Anyone can access the content." He has customers draw a circle; anyone inside the circle can access content and anyone outside can’t. From there, he says, customers can refine the process and create inner circles within the larger circle to define more granular usage rights. "The more specific the business process, the more you know about the people involved and what rights they should have," he says.
How Do I Open This?
After an organization establishes IRM policies, what happens to a given document is driven by the person’s role and what he or she can do with it as defined on the policy server. But each solution requires that the recipient have a client capable of checking in with the policy server to access credentials. Mendel describes the EMC client solution: "It includes a client piece, which is a plug-in for technical business applications such as Microsoft Office, PDF, Outlook email, and BlackBerry. The plug-in allows you to use the native business application and access the controlled document." Mendel explains that if you don’t have the required plug-in, when you try to open the document, a text box opens indicating that it is protected with EMC information rights management. You can follow a link to download the client, and you will be able to open this type of protected document in the future.
However, there could be instances where a business user has a legitimate need to access a document but does not fall within the sphere of acceptable users. In order to keep information flowing smoothly, the Oracle SealedMedia IRM solution allows business users to provide permission for valid business reasons on the fly. Andy MacMillan, VP of product management at Oracle (which bought Stellent and its IRM product SealedMedia in 2006), says, "If I need access to this document, it doesn’t make sense for me to contact IT and ask to be added to a role when they [probably] don’t know the business reason why I should be added." What Oracle does here, MacMillan explains, is to display a webpage with a link to a contact person who can fill out a web-based form and grant an exception to view the document. MacMillan points out there is an audit trail of this activity so IT can check to see which people have been given access to a document.