This four-way question (DLP, IRM, both, or neither) seems to come up more and more often within enterprises. Here is some help on the question, or at least on where to start looking. What is DLP? (And please, let's have the layman's view ...)
DLP prevents information leakage by scanning the document / email / ... for pre-defined keywords and regular expressions. If a match is found, the DLP system tags the document and blocks the outbound channels (removable media, CD, internet) through which the information could be transferred. It thus controls distribution at the sender's side.
The DLP system can do this at multiple points, i.e.
1. At the desktop level, for documents residing on the computer
2. At the network file-share level, for documents residing on the share
3. At the email gateway level, for outbound emails.
And what about IRM ?
IRM also prevents information leakage, by granularly defining the "right" receivers of information and then controlling the usage actions (view, print, edit, etc.) available to those receivers.
In short, DLP controls the distribution of information at the sender's end and IRM controls the usage of information at the receiver's end.
It might appear that deploying one of the above negates the need for the other. In most cases this is not true, so let's get under the hood now.
Let's look at the stuff that DLP and IRM companies won't tell you:
DLP:
Since it is a “transmission control” technology it is useful for organizations which want to control the transmission of information and restrict it to a specific “perimeter”. The perimeter definition is flexible here and may be defined based on devices, networks or (in some cases) applications.
With any "new-age" technology such as cloud computing or mobile computing, a DLP system takes an all-or-none approach: either it blocks the technology completely, or it becomes ineffective once the technology is adopted. So most DLP systems do not have mobile versions and do not really know how to deal with companies looking at cloud adoption.
The “steering wheel” in case of a DLP system is in the hands of the IT / IS team.
IRM:
Since it is a “usage control” technology it is useful when information knows no perimeter and needs to cross boundaries of devices, networks and applications.
IRM systems leave control and decision making in the hands of the end users. End users' awareness and willingness (or the lack of it) carries forward into the effectiveness of the solution.
The "steering wheel" in the case of an IRM system is decentralized and is in the hands of the business users. Good IRM systems usually offer the flexibility of placing the right to define policies with business-unit administrators rather than with individual end users.
So now, with this context, the 30,000-foot answer to the question is:
DLP systems are useful in cases where there is a boundary within which information has to be retained. The boundary for different kinds of information could be different but there is a boundary.
IRM systems are useful where security needs to be ensured without boundaries of computers, geography or networks.
Both are required for organizations where detection and classification of information has to be followed by defining boundaries for certain kinds of information and defining rules for rightful use outside the boundary for other kinds of information. The way these technologies work together is that whenever information is sent to a receiver, the DLP system scans it for the relevant keywords and patterns and, if they are found, calls the IRM system to protect the document with the matching IRM policy. Thereafter, the document remains persistently protected irrespective of where it travels (inside or outside the organization).
Neither technology is useful when the information to be protected is not voluminous, i.e. if the information is small enough to be memorized or jotted down, then other kinds of security (including physical security) are the best option.
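The combined workflow described above (DLP content inspection at the sender's end handing off to IRM usage control at the receiver's end), as an added illustration in Python that is not code from this post, from Seclore or from any product. Everything in it is constructed: the two DLP rules (a CONFIDENTIAL keyword and a payment-card regex backed by a Luhn check so that a random digit run is not flagged), the IRM policy table keyed by classification, the "policy server" that holds the content keys, and the hypothetical users. The toy SHA-256 counter-mode keystream stands in for the authenticated encryption (e.g. AES-GCM) a real IRM product would use.

```python
"""Toy DLP -> IRM pipeline: DLP decides what is sensitive, IRM decides who may use it."""
import hashlib
import hmac
import os
import re

# --- DLP side: content inspection rules (constructed sample rules, not a product rule set) ---
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # candidate card numbers, 13-19 digits
DLP_RULES = {
    "confidential": [re.compile(r"\bCONFIDENTIAL\b")],
    "payment_card": [PAN_RE],
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for 4111111111111111, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def dlp_scan(text: str) -> set[str]:
    """Return the set of classifications whose rules match the text (the DLP 'tag')."""
    hits = set()
    for label, patterns in DLP_RULES.items():
        for pat in patterns:
            for m in pat.finditer(text):
                digits = re.sub(r"\D", "", m.group(0))
                if label == "payment_card" and not luhn_ok(digits):
                    continue    # shaped like a card number but fails Luhn: treat as a false positive
                hits.add(label)
    return hits

# --- IRM side: policy table and key-holding policy server (constructed, hypothetical users) ---
IRM_POLICIES = {
    # policy name -> {user: allowed usage actions}
    "payment_card": {"alice@example.com": {"view"}},
    "confidential": {"alice@example.com": {"view", "print"}, "bob@example.com": {"view"}},
}
_POLICY_SERVER_KEYS: dict[str, bytes] = {}   # envelope id -> content key, never shipped with the file

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher; stand-in for AES-GCM, not for production use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + (offset // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)

def _tag(key: bytes, env_id: str, policy: str, ciphertext: bytes) -> str:
    return hmac.new(key, env_id.encode() + policy.encode() + ciphertext, "sha256").hexdigest()

def irm_protect(text: str, policy: str) -> dict:
    """Encrypt under a fresh key, register the key with the policy server, return the envelope."""
    env_id = os.urandom(8).hex()
    key = os.urandom(32)
    _POLICY_SERVER_KEYS[env_id] = key
    ciphertext = _keystream_xor(key, text.encode())
    return {"id": env_id, "policy": policy, "ciphertext": ciphertext,
            "tag": _tag(key, env_id, policy, ciphertext)}

def irm_open(envelope: dict, user: str, action: str) -> str:
    """Policy-server decision: release content only for a permitted (user, action) pair."""
    allowed = IRM_POLICIES.get(envelope["policy"], {}).get(user, set())
    if action not in allowed:
        raise PermissionError(f"{user} may not {action} under policy {envelope['policy']!r}")
    key = _POLICY_SERVER_KEYS[envelope["id"]]
    expected = _tag(key, envelope["id"], envelope["policy"], envelope["ciphertext"])
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("envelope or policy label was tampered with")
    return _keystream_xor(key, envelope["ciphertext"]).decode()

# --- Gateway: the DLP scan decides, the IRM call protects ---
def outbound_gateway(text: str):
    """Return ("allow", text) when no rule matches, else ("protect", envelope)."""
    hits = dlp_scan(text)
    if not hits:
        return "allow", text
    # constructed precedence: card data wins over a mere CONFIDENTIAL marking
    policy = "payment_card" if "payment_card" in hits else sorted(hits)[0]
    return "protect", irm_protect(text, policy)

if __name__ == "__main__":
    verdict, env = outbound_gateway("Card 4111 1111 1111 1111 on file")   # constructed sample
    print(verdict, env["policy"])
    print(irm_open(env, "alice@example.com", "view"))
```

The point the code makes is the division of labour: `dlp_scan` only knows content, so it can tag and gate at the sender's end, while `irm_open` only knows identity and action, so the same envelope is enforceable wherever the file ends up because the key never leaves the policy server. The Luhn filter is where a real deployment spends its effort, since a regex alone produces the type 1 errors the comment thread below complains about.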
2 comments:
Nice post. Here are a few queries; IRM and DLP working together may have potential issues.
1. IRM works on data encryption with data owners defining access rights on unstructured data (what about structured data?)
2. Data Discovery is a continuous process so confidential data once discovered and IRM rules applied, can the same data be re-classified or does it require providing Access rights to E-discovery tool in DLP?
3. Bulk Right Assignment through IRM policy server on network shares/file servers or even endpoints may not be a good idea. Right Assignment has to ideally be on Content inspection (Data centric Policies) and to a limited extent context based.
4. One of the biggest challenges which remain with IRM is the increasing number of supported file formats.
DLP or IRM or both, data security is a much bigger challenge and needs careful planning and execution at the infrastructure, data management and perimeter security levels and, most importantly, in governance controls.
Hi Puneet ... Relevant points and here is what we believe :
1. Structured data is outside the ambit of IRM, though a lot of the time there is conversion of structured data to unstructured, e.g. an ERP system exporting reports, where of course IRM is useful. The assumption of data owners applying rights is not universally true, and not true in all cases, specifically for Seclore FileSecure.
2. The reclassification thing is again IRM product specific. For Seclore FileSecure reclassification is possible manually or automatically if content inspection is enabled for the E-discovery tool in DLP.
3. On Bulk rights assignment we have a different view. In MOST cases assignment of rights based on network share locations is more accurate than trying to inspect content and apply heuristics based classification. Loads of type 1 and type 2 errors there.
4. Format and application dependence is of course a challenge with IRM technologies in general, but have you looked at Seclore FileSecure recently? Write to us and we can have a conversation.
The Seclore Team