Information Rights Management (IRM) is a form of IT security technology used to protect documents containing sensitive information from unauthorized access. Unlike traditional Digital Rights Management (DRM) that applies to mass-produced media like songs and movies, IRM applies to documents, spreadsheets, and presentations created by individuals. IRM protects files from unauthorized copying, viewing, printing, forwarding, deleting, and editing.
However, in order to understand Information Rights Management, its uses and benefits, it’s important to understand Digital Rights Management and how it relates to IRM.
DRM refers to a cohort of access control technologies used to restrict access, editing, or modification of copyrighted digital properties beyond the agreed terms of service. The primary goal of DRM is to protect intellectual property from being copied and distributed without properly compensating the owners of the property.
Most commonly, DRM is applied to mass-produced media including video games, software, audio CDs, HD DVDs, Blu-ray discs and ebooks. DRM can take the form of encryption, scrambling, digital watermarks, CD keys, and similar mechanisms.
The Digital Millennium Copyright Act, an amendment to US copyright law, criminalized the use of techniques intended to circumvent DRM technology. Not surprisingly, DRM remains a controversial technology, with some even calling it anti-competitive. Others criticize DRM for restricting normal use of something the user has purchased.
As mentioned previously, Information Rights Management is the application of DRM to documents created by individuals such as Microsoft Office documents, PDFs, emails, etc. Unlike DRM, which is generally intended to protect copyrighted material, IRM is more often intended to protect the security of highly sensitive information that may be contained in a document.
A hospital may, for example, apply IRM to patient records in order to maintain compliance with HIPAA-HITECH and prevent access to this information in the event that the patient records fall into unauthorized hands. Another example would be when an organization applies IRM to executive communication to protect sensitive information from leaking to the media or to competitors.
HIPAA requires covered entities, including business associates, to put in place technical, physical, and administrative safeguards for protected health information (PHI). These safeguards are intended to protect not only the privacy but also the integrity and availability of the data.
The Department of Health and Human Services Office of Civil Rights (OCR) enforces noncriminal violations of HIPAA. Noncompliance may result in fines that range between $100 and $50,000 per violation “of the same provision” per calendar year.
Many OCR HIPAA settlements have resulted in fines over $1 million. The largest settlement as of September 2016 was for $5.5 million, levied against Advocate Health Care, stemming from several breaches that affected a total of 4 million individuals.
In addition to civil penalties, individuals and organizations can be held criminally liable when obtaining or disclosing PHI knowingly, under false pretenses, or with the intention to use for commercial gain or malicious purpose. Criminal offenses under HIPAA fall under the jurisdiction of the U.S. Department of Justice and can result in imprisonment for up to 10 years, in addition to fines.
IRM generally encrypts files in order to enforce access policies. Once encrypted, additional IRM rules can be applied to a document to allow/deny specific activities. In some cases, this means a document can only be viewed and the user cannot copy/paste the content within the document. In other cases, the IRM rule may prevent a user from taking screenshots of the document, printing, or editing it.
Organizations can create and apply custom IRM rules at enterprise level, department level, group level, or user level based on data security, compliance and governance requirements.
One of the oft-cited advantages of IRM is that these protections persist even when files are shared with third parties. A user can be off the company network, yet the IRM rules continue to protect the document. This means IRM-sealed documents remain secure no matter where they are accessed.
One of the complaints about IRM solutions is that they require the user to have specialized IRM software installed on their computer in order to open any file with IRM protection applied. For this reason, many enterprises seek to limit IRM protection to files whose content actually requires it.
Despite the fact that IRM can solve a lot of the security issues that arise when documents are shared, there are still simple workarounds that can negate the benefits of IRM. A simple handheld camera (or a smartphone) can capture an image of a file with IRM protection. Most Apple computers can also negate IRM benefits with a simple press of the Command-Shift-4 combination that enables screen capture. The same goes for third-party software that provides screen capture capabilities.
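The following toy model, added here and not taken from the original page or from Microsoft's RMS implementation, shows the mechanism described above: the document is encrypted once, a publishing license listing per-principal rights travels with it, and the IRM client on the consuming side enforces those rights. It also makes the screen-capture caveat concrete: the rights check lives in the client, so anything already rendered is outside its control. All principal names, keys and the cipher are constructed stand-ins; the XOR keystream replaces the AES a real RMS would use and is illustrative only.

```python
import hashlib, hmac, os


def _toy_stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy XOR keystream from SHA-256 counter blocks; stands in for real AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def _wrap(content_key: bytes, principal_key: bytes) -> bytes:
    """Toy key wrap: XOR with an HMAC-derived pad, so the same call unwraps."""
    pad = hmac.new(principal_key, b"irm-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(content_key, pad))


def seal(plaintext: bytes, template: dict, keys: dict) -> dict:
    """Encrypt once under a random content key and attach a publishing license:
    per principal (user or group) in the policy template, the content key wrapped
    for that principal plus its rights. The license travels with the file."""
    content_key = os.urandom(32)
    lic = {p: (_wrap(content_key, keys[p]), frozenset(r)) for p, r in template.items()}
    return {"ciphertext": _toy_stream_xor(content_key, plaintext), "license": lic}


def use(doc: dict, user: str, groups: set, keys: dict, action: str) -> bytes:
    """IRM client side. No license entry: the key cannot be recovered and the
    content stays encrypted. With one, only the union of rights listed for the
    user and their groups is honoured; the check lives in the client, not the file."""
    matches = [p for p in (user, *groups) if p in doc["license"] and p in keys]
    if not matches:
        raise PermissionError(f"{user}: no use license, content stays encrypted")
    rights = frozenset().union(*(doc["license"][p][1] for p in matches))
    if action not in rights:
        raise PermissionError(f"{user}: {action} not granted, has {sorted(rights)}")
    content_key = _wrap(doc["license"][matches[0]][0], keys[matches[0]])
    return _toy_stream_xor(content_key, doc["ciphertext"])


def demo() -> dict:
    """Constructed sample: finance may VIEW and PRINT, alice may also EDIT,
    nobody may COPY or FORWARD, and bob is not in the template at all."""
    keys = {p: os.urandom(32) for p in ("finance", "alice", "bob")}
    doc = seal(b"Q3 forecast: confidential",
               {"finance": {"VIEW", "PRINT"}, "alice": {"EDIT"}}, keys)
    out = {"alice_EDIT": use(doc, "alice", {"finance"}, keys, "EDIT")}
    for who, grp, act in (("alice", {"finance"}, "COPY"), ("bob", set(), "VIEW")):
        try:
            out[f"{who}_{act}"] = use(doc, who, grp, keys, act)
        except PermissionError:
            out[f"{who}_{act}"] = "denied"
    return out
```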
Microsoft AD Rights Management is a popular IRM solution for data in on-premises email and file servers, and Office 365 is now the most popular enterprise cloud service. Office 365 has IRM capabilities across several of its product offerings, powered by Microsoft Azure. Unlike Active Directory Rights Management, which has been used for years as an on-premises solution for data security, Microsoft Azure Rights Management is Microsoft’s IRM solution for the cloud.
Organizations that have synced their Active Directory to the Azure Rights Management server can also transfer their IRM policy templates from Office 365 to their users’ desktop versions of the Microsoft Office apps. At a high level, there are three methods to apply IRM protection to a document in Office 365.
Office 365 administrators can activate certain rights management features that enable SharePoint site owners to create IRM rules and apply them to different libraries or lists. Users who upload files to that library can then be assured that the document will remain protected according to the IRM rules.
Organizations who want more granular control can configure Microsoft Azure with Advanced Rights Management Services. This feature allows administrators to create policy templates for individual users and groups of users. One of the advantages of activating this feature is that the policies can then be pushed to the user’s or group’s desktop Office applications.
The first two approaches are based on sites, users, and groups and can therefore apply IRM protection to files that do not require it. A cloud access security broker (CASB) can integrate with Office 365 and its IRM offerings to broker the application of IRM protections to files based on content or context. For example, a CASB can apply IRM protections to files with sensitive data that are downloaded from Office 365 to unmanaged devices.
Administrators and site owners can limit activity by applying settings that make documents read-only, disable copying of text, restrict the ability to save local copies, or disallow printing of the file. Supported file formats include PDF; Word, PowerPoint and Excel documents, including the XML-based format of each; and XPS.
For Exchange Online IRM, Microsoft has created the Active Directory Rights Management Services (AD RMS) to protect email messages. Here, permissions are added to the email directly, thereby allowing the message to be protected online, offline, on network, and off network.
An email sender can apply restrictions that would limit the recipient’s ability to save a message, forward it, print it, or extract the information.