Overview
As content becomes more readily accessible to enterprise users, it also becomes more difficult to control distribution, particularly in situations where content is shared outside of the corporate network. This is especially concerning when the nature of the content could give competitive advantage to outside parties.
In order to minimize the potential impact of sensitive data falling into the wrong hands, organizations are looking to implement Information Rights Management (IRM) solutions. IRM allows companies to gain tighter control of how content is distributed both within the organization and external via partners, vendors, and customers.
EMC Documentum provides the leading platform for storing and managing content in the market. With a recent acquisition, Documentum now includes IRM capabilities in its product offering. These services ensure that Documentum is able to provide a truly secure content management and distribution system.
What is IRM?
Traditionally, organizations have approached data security by ensuring that malicious persons or entities are kept out of the network and resources attached to it. This type of security paradigm is known as perimeter security. While this approach has served the enterprise well, it does not cover situations in which persons within the organization are sharing sensitive data to unauthorized users outside of the network (e.g. emailing, FTPing, etc.)
Information Rights Management (IRM) attempts to solve this problem by securing the content, not just the resources that house the content like file servers or web sites. With IRM, enterprises can mark selected content as protected and authorize select users or groups of users to perform specific actions on the content, including copying, printing, and emailing. Any request to perform an action on protected content is first sent to the IRM policy server, along with the credentials of the person attempting the action. If the policy server determines that the user’s action is authorized, the content is unlocked and the user can finish their work. Otherwise, the user is denied from acting on the content.
A typical example of where IRM’s power becomes apparent involves a content author working in an office application such as Microsoft Word. Prior to IRM, authors wishing to “lock down” their content either used the built-in password protection in Word or third-party encryption tools. In either case, the user needed to provide information to consumers as to how to open the protected content. With IRM, authors can take advantage of plug-ins built into their applications allowing them to protect content and assign rights policies. Consumers receiving this protected content need not know how to unprotect it. This responsibility is left up to the IRM client embedded in their applications (this client communicates with the policy server to determine if the user has the rights to unprotect the content).
Information Rights Management generally encompasses the following concepts:
- Principals – IRM defines Principals as those entities that are authorized to perform given actions on content. Typically, a Principal is a user on the network. In some IRM implementations, a Principal could be a group of users, another network (e.g. a partner) or a resource on the network such as a mobile device.
- Policies – Policies define what actions are acceptable for a given piece of content and a particular Principal or set of Principals. Some IRM products can also allow content owners to create policies which revoke content privileges that were once established. For example, a Sales and Marketing group may release a product’s data sheet and make it available for printing by the sales team. If a new release of the product is introduced, the Sales and Marketing content owners can revoke rights on the old version of the product data sheet, forcing the sales team to request the latest copy.
- Encryption – Content that is considered “protected” under IRM generally has strong encryption applied to it. This encryption prevents unauthorized users from making any sense of the data. Content encrypted with IRM products can only be unlocked using valid encryption keys known to the IRM policy server and the authorized client.
Documentum IRM Services
History
In 2006, EMC Documentum entered into the IRM space with its acquisition of Authentica. At the time of the purchase, Authentica was amongst the leading players in the relatively immature IRM market (SealedMedia and Liquid Machines being other notables). In addition to its stand-alone IRM offering, Authentica also provided support for products like Microsoft Office. This integration allowed for users to easily create IRM protected content from tools they were already familiar with. EMC’s purchase of Authentica was in line with their bigger picture plan of tying together the storage, software and security portions of the business. EMC clearly saw the benefits of rights management in the enterprise, and reeling in Authentica would complete the security picture between Content Server and enterprise users.
Architecture
Documentum IRM services can be deployed in an enterprise with incredible ease (although planning for this is a much larger task – see “Considerations” below). The core component, IRM Server, only requires connectivity to a database server for storing policy and key information. Enterprise users can easily encrypt content via a number of clients that securely connect to the Server. Finally, enterprise services can leverage the Documentum IRM software development kit (SDK) to programmatically encrypt/decrypt sensitive content. Refer to Figure 1 for a contextual diagram of a typical IRM Services architecture.
Figure 1:
Documentum IRM Services Architecture
Three key components make up the IRM Services architecture:
Documentum IRM Server
This is the foundation of the overall IRM service. The IRM Server is responsible for storing policies that indicate what Principals can do, as well as for issuing a usage license when protected content is opened (A usage license tells the IRM client what the user can do with the content and how long the user has rights to the content). In addition to storing policies, the Policy Server also stores keys that were used to originally encrypt the content. When a user attempts to open protected content, a secure call is made to the Policy Server. If the user has the correct permissions (according to the stored policy), the Server passes back the key that can be used to decrypt the content. Typically, the IRM Server is deployed behind the corporate firewall.
Documentum IRM Clients
When users want to protect content, they typically do so using a variety of clients provided by Documentum. These clients make a secure connection to the Policy Server, which provides encryption keys and a policy for the content. After successfully communicating with the Policy Server, the client applies the policy to the content and encrypts it using the key provided by the Server. In addition to facilitating the creation of protected content, these clients are also responsible for determining whether or not a user can open protected content. Documentum currently provides clients for the following:
- Microsoft Office (Word, Excel, PowerPoint)
- Microsoft Outlook
- Adobe Acrobat
- RIM Blackberry
Documentum IRM Repository Server
IRM Repository Server used to be known as Authentica Content Security Server. It is ideal for organizations who want to expose protected content to outside parties such as vendors, partners, or even potential customers. IRM Repository Server actually stores protected content and allows for document creators to send messages to target recipients. These users will then get links back to the protected content stored in the IRM Repository Server (at which point these users will have to identify themselves). In addition, IRM Repository Server provides several web services that external applications can connect to in order to stream protected content over a secure connection. It is important to distinguish between IRM Repository Server and Documentum Content Server. Content Server manages the lifecycle of enterprise content. IRM Repository Server is intended to serve up secure content that is published from within the enterprise. For example, a Sales and Marketing team will use Content Server to create, review and edit a new marketing presentation intended for clients who have signed an NDA. Sales and Marketing will then protect and publish that presentation using IRM Repository Server. Clients will securely connect the IRM Repository Server to obtain an IRM protected copy of the presentation.
Features
Documentum got several IRM features “out of the box” with the purchase of Authentica. Included in these features:
- Dynamic Rights – A key feature in the Documentum IRM offering is the ability to change document policies on the fly. Imagine a scenario where a document owner decides to give a vendor access to a document. When the vendor opens the document, the Documentum IRM Policy Server is contacted to determine if the user opening the document has the appropriate rights to do so. Now suppose that the vendor’s partnership agreement expires. The content creator can revoke the user’s permissions without having to modify or delete the user’s copy of the content. This notion of dynamic policy assignment is critical for enterprises wishing to truly manage access to content that is distributed outside of the corporate network.
- Offline Rights Management – Documentum IRM Services provides functionality to allow offline usage of content, while continuing to respect any policies that have been defined for the document. For example, documents can be made available to users with set expiration dates. Once a user has authenticated against the document’s policy, IRM Services embeds this information in the document and will self destruct the content at the specified expiration date.
- Stand-Alone Product – While Documentum IRM Services integrates with the existing Documentum product line, the IRM Services component is a stand-alone product. Thus, customers do not need to have Documentum in place in order to take advantage of the features provided in IRM Services.
- Plug-Ins for Common Office Applications – Documentum provides a number of plug-ins that allow end users to define IRM policies for documents they create in applications such as Word, Outlook, Excel, PowerPoint and Adobe Acrobat. There is even a plug-in for RIM Blackberry devices for users needing to access IRM protected content on the go.
- Support for Dynamic Watermarks – Documentum IRM Services allows protected documents to carry watermarks, which are useful for identifying the status of a printed document (e.g. “Confidential”, “Draft”, etc.). In addition to standard watermarks, Documentum IRM Services can place dynamic watermarks on documents when certain actions are taken. For example, if a user prints a document, IRM Services can embed a dynamic watermark on the content with the login name of the user who is printing the document. Thus, if an unauthorized hard copy of the data is found, organizations can immediately track down those responsible.
Since the Authentica acquisition, EMC has extended IRM Services to better integrate with the Documentum stack. Some notable enhancements include:
- Direct Integration with Content Server – Documentum IRM provides rights management features from within Documentum Content Server. This integration provides an easier means of applying IRM policies to documents with limited changes to existing Documentum-based architectures. In addition, current business processes (e.g. workflows, lifecycles, etc.) can now take advantage of IRM with minimal modifications.
- Software Development Kit (SDK) – Documentum provides an IRM Services SDK in order to allow third parties to extend IRM functionality to their own applications. Access to this SDK should help facilitate any IRM customizations needed in an enterprise Documentum application. As an example, an organization may have a custom desktop integration with Documentum. In order for users to open IRM protected content, the desktop customization could utilize the SDK to pass the user’s credentials in to the Policy Server to determine whether or not the user should have rights to work with the content.
Architectural Considerations with IRM
Roll out of an enterprise IRM solution is not something that happens overnight. A tremendous amount of planning must go into the initiative, from infrastructure build-out with corporate IT to business change management for the users who will be interacting with IRM. Here are some key points to consider when implementing an IRM solution:
- Sending Content over the Wall – While most organizations will want to exclude outside parties from accessing sensitive information, there are often situations where access must be granted. For example, if a company is working closely with a manufacturing partner, it is very likely that content will be shared with that partner. Documentum IRM Services can be deployed in a manner that keeps policy information secure, while still exposing services to the outside world (this could be done either by setting up IRM Server in a DMZ or having Repository Server directly serving protected content). This decision should be made as early in the planning stages as is possible.
- Enterprise Services Need to “Crack the Safe” – Large organizations typically have services that perform actions on content (full-text indexing for search, backup/recovery, etc.). An enterprise wishing to roll out an IRM solution must understand at which point they want content protected. If an IRM policy is applied when content is created, enterprise services such as indexing will need to have a way to unprotect that information when it is read. Depending on the number of services, customizations required to decrypt data could derail the IRM initiative. Organizations could consider protecting content at the point of distribution to alleviate this problem.
- Who Controls the Policies? – Companies implementing an IRM solution are likely going to have a well-defined set of rules for when policies are applied to content and which rights principals will have to that content. In this situation, the usage of policy templates helps ensure that users aren?t making the decision about what rights to give to whom. Of course, this power can be left in the hands of the user if the company prefers.
Summary
As the enterprise is increasingly becoming connected to the outside world via technologies such as email and web services, securing sensitive information is quickly showing up on CIOs’ priority lists. A key component to fulfilling an organization’s security mandate is to ensure that critical content remains under tight control of the enterprise, whether that content is distributed internally or externally.
Implementation of an Information Rights Management solution helps companies gain confidence that content is secure, no matter where it resides. Documentum’s IRM Services provide a powerful solution to this problem, giving incredible management options for content. In addition, IRM Services tightly integrates with existing tools and platforms within the enterprise such as Documentum Content Server and Microsoft Office.
With the continued demand for organizations to distribute content within the enterprise as well as outside the firewall, the need to control this content is ever increasing. Information Rights Management attempts to fill this need by providing dynamic policy control that follows content, no matter where it goes. While implementation of an enterprise-wide IRM initiative is a significant undertaking, with proper planning and execution, an organization can ensure that only the right people are able to view or manage sensitive information