Thursday, November 17, 2011

"Important questions to ask before deploying IRM"

A quick intro to IRM
An IRM solution protects sensitive information from unauthorized access, and the good part is that the controls stay with the information regardless of where it goes and how it gets there.
IRM solutions are used to protect sensitive information such as financial data, intellectual property, business plans, and client or personal information. In their present shape, IRM technologies focus on unstructured forms of data like documents, emails, web pages, designs and images.

A few questions to ponder
Any successful technology implementation needs to start with the end purpose in mind rather than with the technology, and the same is true for IRM solutions. In my experience, clients need to have answers to five key questions before starting an IRM implementation.

1. Do you have a Data Governance and Classification policy?
An IRM solution helps an organization implement its data classification and protection policy. Does your organization have a data classification and protection policy? If not, what are you going to use the IRM solution for? You need to define your organization's policy for data classification and protection. What is sensitive, what is confidential and what is public needs to be clear. What is allowed and what is not allowed needs to be defined and documented.

2. Do you know what your critical data is and where it lives?
So your data protection policy is defined, great! You now know which data is critical in your organization. But do you know who creates it, who uses it, and where it is stored? Most organizations do not have visibility into how data flows within or outside the organization. A data flow analysis is needed to understand this in detail and, more importantly, to get buy-in from the business on what is critical and what is not.

3. How does the authentication work?
Authentication is one of the primary prerequisites of any security system. When authentication fails, the entire security of the system is vulnerable to attacks leading to loss of information. The authentication strategy of any IRM system is therefore absolutely critical. Whether it is single sign-on with the existing authentication infrastructure, a new authentication system within the IRM product itself, or a combination, the authentication piece needs to be in place before rollout. For critical data, multi-factor authentication should also be considered.

4. What happens after implementation?
Most technology projects are focused on technology selection and implementation. But what happens after successful sign-off? Is the project complete? Are the end objectives met?
In security, the critical phase starts after technology implementation. It is absolutely necessary to monitor the effectiveness of the IRM solution. Are users using it or not? If not, why not? What are the true positives? Are they getting recorded, are they getting escalated? Is new information getting created? Are new partners getting added? A lot of questions, which can only be answered if a strong sustainment and optimization process is implemented. The key is to ensure the IRM life cycle is managed well.

5. What about auditing and compliance?
The IRM solution should generate a detailed audit trail recording who tried to access the information, the time of access, what action the user took (open, print, copy, forward), whether it was allowed or denied, and from which IP address. Audit trails are needed to prove that the controls are effective and that unauthorized information flow was actually prevented, which matters when the organization is subject to regulations such as SOX, HIPAA, and Gramm-Leach-Bliley. These regulations require organizations to protect their information from unauthorized access and to be able to demonstrate it.
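As an added illustration of what "use the audit trail" means in practice, the script below is example code written for this post, not part of the original article or of any IRM product. It assumes a simple CSV audit format (timestamp, user, document, action, result, IP) and a constructed sample trail; the corporate address range and the "three denials" threshold are assumptions, not vendor defaults. It answers the questions the section raises: who touched which document, who is repeatedly being denied, and who is opening protected documents from outside the corporate network.

```python
"""Summarise a constructed IRM audit trail: who accessed what, when, from where,
and which attempts were denied. Added example; the record format is assumed."""
import csv
import io
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit trail (not from any real IRM product). Assumed fields:
# timestamp, user, document, action, result, ip
SAMPLE_AUDIT_LOG = """\
timestamp,user,document,action,result,ip
2011-11-17T09:01:12Z,alice,Q3-financials.xlsx,open,allowed,10.1.4.22
2011-11-17T09:03:40Z,alice,Q3-financials.xlsx,print,denied,10.1.4.22
2011-11-17T09:10:05Z,bob,client-list.docx,open,denied,10.1.7.9
2011-11-17T09:10:31Z,bob,client-list.docx,open,denied,10.1.7.9
2011-11-17T09:11:02Z,bob,client-list.docx,open,denied,10.1.7.9
2011-11-17T12:45:50Z,carol,business-plan.pptx,open,allowed,203.0.113.45
2011-11-17T12:46:10Z,carol,business-plan.pptx,copy,denied,203.0.113.45
2011-11-17T17:20:00Z,alice,client-list.docx,open,allowed,10.1.4.22
"""

# Assumed corporate address space; anything outside it is "external" access.
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed escalation threshold: this many denials for one user is worth a look.
DENIED_THRESHOLD = 3


def parse_audit_log(text):
    """Parse CSV audit records into dicts with typed timestamp and IP fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["ip"] = ipaddress.ip_address(row["ip"])
        records.append(row)
    return records


def is_corporate(ip):
    """True if the address falls inside one of the assumed corporate ranges."""
    return any(ip in net for net in CORPORATE_NETWORKS)


def summarise(records):
    """Answer the audit questions: who accessed what, who is denied, who is external."""
    denied_per_user = Counter(r["user"] for r in records if r["result"] == "denied")
    documents = defaultdict(set)
    for r in records:
        documents[r["document"]].add(r["user"])
    return {
        "denied_per_user": dict(denied_per_user),
        # Users whose denial count reached the threshold: candidates for escalation.
        "repeat_denials": sorted(u for u, n in denied_per_user.items() if n >= DENIED_THRESHOLD),
        # (user, ip) pairs that touched protected content from outside the corporate network.
        "external_access": sorted({(r["user"], str(r["ip"])) for r in records
                                   if not is_corporate(r["ip"])}),
        "documents": {doc: sorted(users) for doc, users in documents.items()},
    }


def format_report(summary):
    """Render the summary as plain text for an operator or auditor."""
    lines = ["Denied attempts per user:"]
    lines += [f"  {u}: {n}" for u, n in sorted(summary["denied_per_user"].items())]
    lines.append(f"Users at/over {DENIED_THRESHOLD} denials: {summary['repeat_denials']}")
    lines.append("Access from outside corporate ranges:")
    lines += [f"  {u} from {ip}" for u, ip in summary["external_access"]]
    lines.append("Users per document:")
    lines += [f"  {doc}: {users}" for doc, users in sorted(summary["documents"].items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarise(parse_audit_log(SAMPLE_AUDIT_LOG))))
```

Note that the report only becomes evidence for a regulator if the underlying trail is complete and tamper-evident; the point of the example is that the fields listed in the section are exactly the ones needed to answer "who, what, when, from where, and was it stopped".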
Conclusion

As with all technologies, you cannot put the cart before the horse. End goals and process frameworks have to come before technology solutions.

IRM solutions are critical components in the security arsenal of an enterprise and build on the defense-in-depth principle. They empower the business and its users to protect sensitive information not only within the boundaries of the organization, but also once it leaves the enterprise. Hence it is critical to take a holistic view of the entire IRM deployment, not just the implementation but the whole life cycle.

Guest blog by John Prathab. John is a senior consultant in the Secure Development Lifecycle (SDL) practice at Aujas Networks. His work spans multiple products and technologies to solve real-world information and application management problems. His special areas of interest are secure software development frameworks, information and application security, cloud security, Information Rights Management, and the convergence of logical and physical access. He holds an M.Sc. in Software Engineering and an MBA in Sales & Marketing.

3 comments:

Nitin said...

Really a very helpful article....

Thanks for sharing your knowledge, and it's my request that you please update your articles from time to time and keep giving such precious articles so that I and others can improve our knowledge...

Nitin said...

Really very helpful article..

Thanks for sharing your knowledge, and it's my request that you update your precious article from time to time, as it's very helpful for me as well as for others!!

Ritu Kirti Prakash said...

Hi Nitin,

Thanks for your feedback. It's very encouraging and keeps us motivated.

Thanks,
Ritu Pande.
