SaaS-based IRM solutions to secure the enterprise.

Author: Hakhinian, Mush
Position: Infosecurity Europe 2010 - Software as a service - Information rights management

Data leaks are one of the chief threats facing enterprise IT managers today, and Information Rights Management (IRM) technologies are perfectly designed to protect the enterprise by effectively reducing or eliminating the risk of accidental leaks.

IRM solutions based on software-as-a-service (SaaS) delivery models offer three major advantages over in-house implementations when it comes to securing information in use. First, IRM is non-intrusive since it is enabled through viewer extensions or plug-ins (rather than the host-based agents that in-house products employ). Second, version updates of extensions require little or no IT staff involvement. Third and last, SaaS-based IRM solutions have the flexibility to cover most popular file types used in productivity applications (e.g. Excel, Word and PDF formats) without being limited to any one vendor.

Despite these benefits, there are some potential weaknesses that are common to all IRM solutions, whether they are in-house or SaaS-based. Traditional methods of protecting information within a well-established perimeter often fail because the data from a larger enterprise is dispersed all over the business and documents need to be accessible 24/7. While most existing products consistently protect against accidental or unintentional document leaks, protecting against data theft comes down to the best approach for protecting the information being regularly accessed from various points across the enterprise, or 'information in use.' Let's take a closer look at ways this can be achieved:


Most organizations can easily protect information in transit by securing browser-to-server communication via SSL with strong encryption. Protecting information at rest, however, requires a few more steps. First, developers need to centralize the storage of critical information and build in authorization for every access request. Second, the appropriate cryptographic protection needs to be developed through strong algorithms and long keys. A very interesting problem is presented by the requirement to protect the information in use. Here the decryption process itself must be portable and available at the point of viewing.

Data Ownership and Access

Some vendors have developed proprietary viewers for files to protect their information in use--a version of "security by obscurity"--while others implement extensions for browsers or productivity tools, such as document editors and...
