The free flow of information is the lifeblood of any organization. Employees need to be able to share documents with each other and with customers, partners, and suppliers, but once these documents leave the cozy confines of your firewall, making an electronic or physical copy becomes a simple matter. Even inside the firewall, documents aren’t safe, especially when employees can walk in with a 4GB USB drive on a key chain or keep a 160GB iPod in a pocket. Therefore, it’s critical that organizations have a way to ensure control of documents wherever they travel. This is where information rights management (IRM) comes into play.
IRM enables an organization to build policies around document types and user groups and to apply a set of rules that keep an element of control in place when employees share documents. This guarantees that, for instance, a document will expire by a certain date or that only a trusted group can even open a given document. And because the document is always controlled at the server level, you can always revoke rights if the situation warrants it. While IRM gives your company the desired amount of control, it comes at a price: you have to build that control level, and you have to require that all document recipients install a small client that communicates with the policy server to determine the correct rights. Document recipients with tight IT policies are not likely to be enamored with a document that has to programmatically call outside of the firewall to obtain permission, but overall, given what’s at stake, it seems a small price to pay for the peace of mind that your documents will always be under your company’s control.
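The server-side control described above can be modelled in a few lines. This is an added example, not code from the article or from any vendor's product: a toy policy server that checks revocation, expiry, group membership and the requested right on every access. All names (`PolicyServer`, `q3-forecast`, the users and groups) are hypothetical, and treating an unreachable server as a denial is an assumption of this sketch.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Policy:
    allowed_groups: set      # groups trusted to use the document
    rights: set              # actions granted, e.g. {"open", "print"}
    expires: datetime        # the document is unusable from this instant
    revoked: bool = False    # set centrally, even after copies have left

@dataclass
class PolicyServer:
    policies: dict = field(default_factory=dict)     # doc_id -> Policy
    memberships: dict = field(default_factory=dict)  # user -> set of groups

    def authorize(self, user, doc_id, action, now):
        """Return (allowed, reason); anything not explicitly granted is denied."""
        policy = self.policies.get(doc_id)
        if policy is None:
            return False, "unknown document"
        if policy.revoked:
            return False, "rights revoked"
        if now >= policy.expires:
            return False, "document expired"
        if not (self.memberships.get(user, set()) & policy.allowed_groups):
            return False, "user not in a trusted group"
        if action not in policy.rights:
            return False, f"'{action}' not permitted"
        return True, "ok"

def client_request(server, user, doc_id, action, now):
    """Recipient-side client: no reachable policy server means no access."""
    if server is None:  # assumption: fail closed when the call cannot be made
        return False, "policy server unreachable"
    return server.authorize(user, doc_id, action, now)

def build_demo():
    """Constructed sample data: one document, two users."""
    server = PolicyServer()
    server.policies["q3-forecast"] = Policy(
        allowed_groups={"finance"}, rights={"open", "print"},
        expires=datetime(2030, 1, 1, tzinfo=timezone.utc))
    server.memberships = {"alice": {"finance"}, "bob": {"sales"}}
    return server

if __name__ == "__main__":
    srv, now = build_demo(), datetime(2029, 6, 1, tzinfo=timezone.utc)
    for user, action in [("alice", "open"), ("alice", "copy"), ("bob", "open")]:
        print(user, action, client_request(srv, user, "q3-forecast", action, now))
    srv.policies["q3-forecast"].revoked = True  # revoke after distribution
    print("alice", "open", client_request(srv, "alice", "q3-forecast", "open", now))
```

Because the decision is made at request time, the copy on a USB drive is subject to the same expiry and revocation as the original.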
What Is IRM?
John Landwehr, director of enterprise security at Adobe, says the idea behind IRM is "to persistently protect information independent of storage or transport so as the document is emailed or put on file servers, content management systems, USB drives, CDs [or any other system or storage option], you have persistent control to meet data loss prevention objectives to control who can open it and what they can do with it anywhere the document goes." Chris Schneider, who is senior product manager for Microsoft Office, adds that IRM allows individuals and administrators to specify document access permissions. "This helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people," Schneider explains. "IRM also helps organizations enforce corporate policy governing the control and dissemination of confidential or proprietary information," he says.
A good way to think about it, says Melissa Webster, an analyst at IDC, is as digital rights management (DRM) for corporate documents. "Companies started thinking about the problem as DRM for documents as opposed to DRM for music and video and consumer products. Instead of making non-copyable assets, the enterprise user needed to be able [to] establish rules for access," says Webster.
However, Ed Gaudet, senior VP of corporate development and marketing at Liquid Machines, a company that refers to this field as enterprise rights management (ERM), says it’s important to make a clear distinction between DRM and IRM. "Digital Rights Management and Enterprise Rights Management, although they share similar technical concepts, they are very different in application. DRM is focused on monetization of content. ERM doesn’t care about that. We care about controlling access and usage to content across a distributed and collaborative context. Collaboration is extremely important when you talk about rights management," he says.