The idea of a neuralyzer—a memory eraser—to erase memories from the human brain has been romanticized in myriad movies such as Men in Black and other works of science fiction. Useful as neuralyzers might be to erase bad memories, protect trade secrets or aid in psychoanalysis, they remain firmly within the realm of fiction as far as human memory manipulation goes. However, things are quite different in India when it comes to digital information. It is possible to precisely regulate usage of any information on computers and, when required, remotely destroy the information on demand. This nifty technology is known, rather blandly, as information rights management (IRM).
Usually, information security works by securing the infrastructure of information—the device on which information is stored, the network on which it travels, and the applications that process it. IRM represents a paradigm shift from infrastructure-centric security to information-centric security where security controls are built into the information itself, and therefore independent of the infrastructure. There are many reasons why one should consider transitioning to information-centric security, even if only to complement existing infrastructure-centric security.
Drawbacks of infrastructure-centric security
Firstly, infrastructure-centric security has not been spectacularly successful, especially in India. Despite spending billions of dollars on information
Secondly, infrastructure-centric security often restricts collaboration. When you secure a device, network or application, you restrict use of information resident on that device, potentially affecting the business adversely.
Finally, the very definition of infrastructure has become nebulous due to changing technology trends. New paradigms such as cloud computing, virtualization and BYOD (bring your own device) have made the whole concept of infrastructure rather hazy, if not entirely redundant.
IRM is information centric
Information rights management represents one mode of information-centric security. Other approaches include data loss prevention and document management systems, but these are effective only while information remains within the boundaries of the organization. However, IRM is applicable even when information moves beyond the farthest organizational boundaries.
With IRM, one can precisely set and control policies on who can use information for what purpose, and when and where they can use that information. Only authorized users will have specified access to information depending on assigned usage rights, for specified periods of time, on specified devices.
The basis for IRM lies in encrypting the information to be protected. The decryption key and usage rights are embedded in the information or stored in a central database. In case the decryption key travels with the information, the information can be accessed and used independent of the database. Alternatively, the decryption key could be made valid for a predefined period, after which it would need to be downloaded afresh. Developing robust IRM software can take months of effort and is best left to specialists. The technical intricacies of IRM are beyond the scope of this article, but we shall look into tackling a couple of challenges that IRM implementations invariably encounter.
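The central-database model described above, as an added example (not code from any IRM product): a policy server keeps the content key and usage rights, and releases the key only for a permitted user, device and action, under a time-limited lease. All names (`PolicyServer`, `Grant`, `request_key`, `lease_seconds`) are hypothetical, and encrypting the document itself is left out.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Grant:
    """Usage rights for one user on one document (constructed schema)."""
    rights: frozenset      # permitted actions, e.g. {"view", "print"}
    devices: frozenset     # device IDs allowed to open the document
    not_after: float       # grant expiry, seconds since epoch

@dataclass
class PolicyServer:
    """Central-database variant: keys and rights stay server-side."""
    lease_seconds: float = 3600.0
    keys: dict = field(default_factory=dict)     # doc_id -> content key
    grants: dict = field(default_factory=dict)   # (doc_id, user) -> Grant

    def protect(self, doc_id):
        # Generate the content key; the document would be encrypted under it.
        self.keys[doc_id] = secrets.token_bytes(32)

    def grant(self, doc_id, user, rights, devices, not_after):
        self.grants[(doc_id, user)] = Grant(
            frozenset(rights), frozenset(devices), not_after)

    def revoke(self, doc_id):
        # Remote destruction: with the key gone, ciphertext copies stay unreadable.
        self.keys.pop(doc_id, None)

    def request_key(self, doc_id, user, device, action, now):
        """Return (key, lease_expiry) if policy allows the action, else None."""
        g = self.grants.get((doc_id, user))
        key = self.keys.get(doc_id)
        if g is None or key is None:
            return None
        if action not in g.rights or device not in g.devices or now >= g.not_after:
            return None
        # The lease bounds how long a client may reuse a cached key offline.
        return key, min(now + self.lease_seconds, g.not_after)

def client_can_open(lease, now):
    """Client-side check: a cached key is usable only inside its lease."""
    return lease is not None and now < lease[1]
```

A client that already holds a leased key can keep opening the document until the lease runs out, so the lease length is the upper bound on how long a revocation takes to become effective.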
IRM implementation challenges
IRM implementation challenges fall largely into two categories—lack of awareness among business users of the need to protect information, and lack of information about IRM technology among the IT team. Clearly, overcoming these challenges requires educating business users and IT personnel.
As an IRM solution provider, we have had experience with IRM deployment at clients from various industry verticals. One of our clients, a large private sector bank, faced the classical problem of IRM implementation—lack of awareness. We conducted intensive training sessions with both business users and the information security team before getting into the IRM implementation. With another client, a multinational IT company, we had to go beyond training. We actually worked with users to create confidence.
One needs to identify a champion for the IRM cause from within the business setup. This approach worked well at a manufacturing company, part of a large business conglomerate. Here, the parent had a strong information security team, but the manufacturing company itself was lacking in this regard. Fortunately, the business unit head was keen on protecting information, and by leveraging this, other business users and the IT team were educated on IRM. In another case, an Indian power company effectively used an existing knowledge portal to instantly disseminate information about IRM.
The problem of poor awareness is amplified when information resides with vendors or vendors of vendors, such as in the telecom sector. It’s likely that custodians of sensitive information at tertiary levels will have little or no appreciation of the importance of information security. So education and training on such matters must extend to these levels if you are to ensure IRM success.
About the author: Vishal Gupta holds a graduate degree from IIT Mumbai and is founder and CEO at Seclore. He is a specialist in fingerprinting technology and founded Herald Logic in 2000 before starting Seclore. His other areas of expertise are information usage control, information rights management (IRM) and secure outsourcing.
This was first published in October 2012