GTB IRM - How it Works - 2013

Content Aware Enterprise Information Rights Management How it Works ? GTB Technologies, Inc


See How it Works - This document describes how GTB's DLP Suite extends its Data Leakage Prevention policies to external parties such as business partners, vendors and contractors once confidential or any other business-critical information leaves the network perimeter.


Page 2: GTB IRM - How it Works - 2013

An IRM system that can transfer the responsibility of protection from human beings to a content-aware automated process is extremely valuable for large organizations.

The need to integrate DLP and IRM is critical

Much has been written about famous data breaches and the need for Data Loss Prevention. I will spare the reader the aggravation of reading it again here. There are hundreds of data security systems designed to control and prevent data breaches, and yet, every week we hear about a new data breach. It is clear that users and administrators are unable to fully protect sensitive data. The main problem is that data changes all the time. Users are focused on doing their job and not on data security. Aggravating the problem is that hackers, malware, spyware and viruses are focused on extracting such data from the perimeter. What is a CSO to do?

Content awareness and the 4 W's

A good solution is to provide a Content-Aware Information Rights Management system. Automatic content visibility transfers the obligation of data security from users to a process. Imagine a system that automatically identifies files containing credit cards, source code, images or any other intellectual property. Furthermore, imagine a process in which pre-defined IRM policies are automatically enforced on such files as soon as they are saved on desktops or file shares. Such policies are the 4 W's that are so crucial to protecting data.

The 4 W’s – Who – What – Where and When

Access control and usage control are two aspects of data security that are often ignored. Mapping the content discovery to the IRM policies (see the example picture below) provides automatic control of the 4 W's:

WHO can access the information: the IRM system's identity establishment method, using LDAP or non-LDAP user databases as defined in custom applications and portals.

WHAT can recipients do with the information: control of the specific allowed actions on files: View, Edit, Print (including Print Screen), Forward/Share, Copy/Paste.

WHEN can each user access the information: IRM can control the time span in which the recipient has access to the file. A document may allow access from August 20, 4 pm to August 23, midnight. Alternatively, the time span may be defined as 2 days from first access.

WHERE the information can be used: this important control restricts usage of the information to a pre-specified list of computers identified by their hardware (MAC address), or to a specific range of IP addresses or networks. CSOs can now control data even if such data is outside the perimeter. This is a very good way to provide data protection for smart mobile devices: one can prevent such devices from ever seeing the data. Users who have the required credentials may view the files with the local browser. The discovery agent must monitor the system constantly so that any time a file is saved, it is scanned for a pattern or fingerprint and then the mapped IRM policy is enforced.
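As an added illustration (not GTB's or Seclore's code), the following Python sketch evaluates one row of a usage rights matrix against the four W's just described; the Grant fields, the check_access function and the client IP/MAC parameters are assumed names chosen for this example, and the time windows follow the examples in the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Grant:
    """One row of a usage rights matrix: WHO may do WHAT, WHEN and WHERE (assumed layout)."""
    user: str                                     # WHO: identity established via LDAP or another directory
    actions: frozenset                            # WHAT: subset of view / edit / print / forward / copy
    not_before: Optional[datetime] = None         # WHEN: start of an absolute access window
    not_after: Optional[datetime] = None          # WHEN: end of an absolute access window
    days_from_first_access: Optional[int] = None  # WHEN: alternative relative window
    networks: tuple = ()                          # WHERE: allowed IP ranges in CIDR notation
    macs: frozenset = frozenset()                 # WHERE: allowed hardware (MAC) addresses, lower-case

def check_access(grant, user, action, now, client_ip, client_mac, first_access=None):
    """Return (allowed, reason). All four W's must pass before the file key is released."""
    if user != grant.user:
        return False, "WHO: no usage rights for this identity"
    if action not in grant.actions:
        return False, f"WHAT: '{action}' is not an allowed action"
    if grant.not_before is not None and now < grant.not_before:
        return False, "WHEN: access window has not started"
    if grant.not_after is not None and now > grant.not_after:
        return False, "WHEN: access window has expired"
    if grant.days_from_first_access is not None:
        # relative window: the clock starts at the first access, or now if this is the first one
        start = first_access if first_access is not None else now
        if now > start + timedelta(days=grant.days_from_first_access):
            return False, "WHEN: relative window since first access has expired"
    if grant.networks and not any(ip_address(client_ip) in ip_network(n) for n in grant.networks):
        return False, "WHERE: client address is outside the allowed networks"
    if grant.macs and client_mac.lower() not in grant.macs:
        return False, "WHERE: hardware address is not on the allowed list"
    return True, "allowed"
```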

The Case for Content Aware Information Rights Management

Page 3: GTB IRM - How it Works - 2013

A Typical File Sharing Scenario – without IRM

(Diagram: SENDER sends a file to RECEIVER.)

Once the file is sent to the RECEIVER, the SENDER has no control over the file. It can further be: edited, copied, printed, distributed, viewed (by others).

Page 4: GTB IRM - How it Works - 2013

A Typical File Sharing Scenario – without IRM (continued)

(Diagram: the same scenario, with the file labelled "Un-protected File" and its possible fates shown around it: Edited, Copied, Printed, Viewed, Distributed.)

Once the file is sent to the RECEIVER, the SENDER has no control over the file. It can further be: edited, copied, printed, distributed, viewed (by others).

Page 5: GTB IRM - How it Works - 2013

GTB IRM by FileSecure - File Sharing Scenario [File Protection]

(Diagram: the SENDER defines the Usage Rights for the file, and a request is sent to the Policy Server (PS).)

Page 6: GTB IRM - How it Works - 2013

GTB IRM by FileSecure - File Sharing Scenario [File Protection]

Seclore Policy Server (PS): Usage Rights Matrix (representative form; various users, different rights)

Columns: View, Edit, Print, Copy/Paste, Time Limit, Location
USER 1: Location = Office
USER 2: Time Limit = 1-5 Jan
USER 3: no Time Limit or Location value captured
USER 4: Location = Office
(The View/Edit/Print/Copy/Paste check marks of the matrix are not captured in this transcript.)

Examples of protected files: View only; View & Edit only; View & Distribute only; View & Print only; and other combinations.

Page 7: GTB IRM - How it Works - 2013

GTB IRM by FileSecure - File Sharing Scenario [File Protection]

(Diagram: the Encryption Key is generated at the Policy Server (PS) and sent to the SENDER; the file gets protected.)

Page 8: GTB IRM - How it Works - 2013

GTB IRM by FileSecure - File Sharing Scenario [File Distribution]

(Diagram: the file, with different usage rights, travels through various media (email, CD, shared internet portals, LAN, etc.) to various RECEIVERS, including external users.)

Page 9: GTB IRM - How it Works - 2013

File access in ONLINE mode (for Employees)

1. The RECEIVER, inside the organization, gets a protected file through removable media (USB) and clicks on the file to open it.

2. Authentication information goes to a User Authentication system (AD).

3. Once authenticated, the Key travels to the RECEIVER and the file opens with restricted rights.

(Diagram: organization, USB, Policy Server (PS), AUTHENTICATED; steps 1, 2, 3.)

Page 10: GTB IRM - How it Works - 2013

File access in ONLINE mode (for Employees)

(Diagram: the Usage Rights Matrix from Page 6 (View, Edit, Print, Copy/Paste, Time Limit, Location; USER 1 Office, USER 2 1-5 Jan, USER 3, USER 4 Office) held at the IRM Policy Server (PS); organization, USB; 2. Authenticated.)

“SENDER can still change usage rights at the Policy Server and the new rights are transferred automatically to the RECEIVER”. See Sequence 1 2 3: the RECEIVER opens the same file, but with new usage rights.

Page 11: GTB IRM - How it Works - 2013

File access in ONLINE mode (for Business Partners)

1. RECEIVER gets a protected file through e-mail. Clicks on the file to open it.

2. Authentication information goes to a User Authentication system (LDAP/non-LDAP).

3. Once authenticated, the Key travels to the RECEIVER and the file opens with restricted rights.

(Diagram: e-mail, Policy Server (PS), AUTHENTICATED; steps 1, 2, 3.)

Page 12: GTB IRM - How it Works - 2013

File access in OFFLINE mode

1. RECEIVER gets a protected file through e-mail. Clicks on the file to open it.

2. Authentication information goes to a User Authentication system (LDAP/non-LDAP).

3. Once authenticated, the Key travels to the RECEIVER and the file opens with restricted rights.

4. But in this case, the Key gets stored on the RECEIVER's computer, after being encrypted with another key, for offline usage along with a timer.

(Diagram: e-mail, Policy Server (PS), AUTHENTICATED; steps 1, 2, 3, 4.)

Page 13: GTB IRM - How it Works - 2013

File access in OFFLINE mode

1. The document can still be opened even if the RECEIVER moves to a different location (OFFLINE, no access to the Policy Server).

2. Once the timer expires, the OFFLINE rights get deleted. The USER can no longer access the document in OFFLINE mode.

Page 14: GTB IRM - How it Works - 2013

File access in OFFLINE mode

The RECEIVER has to come back ONLINE and authenticate himself to open the document.

(Diagram: Policy Server (PS), AUTHENTICATED.)

Page 15: GTB IRM - How it Works - 2013

File access in OFFLINE mode

If the RECEIVER forwards the document (e.g. by e-mail), the RECIPIENT will not be able to open the document because he doesn't have the key.

If the RECEIVER tampers with the system time, all OFFLINE rights are automatically terminated.
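The offline behaviour described on Pages 12 to 15 (the key stored on the RECEIVER's computer encrypted with another key, a timer, deletion on expiry, termination on clock tampering, and a forwarded copy that cannot be opened) can be simulated in Python as follows. This is an added example, not the vendor's implementation: the OfflineCache class, the per-computer device secret, the XOR key wrapping and the HMAC seal are assumptions chosen for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class OfflineLease:
    wrapped_key: bytes  # file key XOR-ed with a per-file keystream derived from the device secret
    expires_at: float   # the timer: absolute deadline fixed when the key was fetched ONLINE
    last_seen: float    # highest clock value seen so far; a lower value means a rolled-back clock
    tag: bytes          # HMAC over the fields above, keyed by the device secret

class OfflineCache:  # receiver-side store of OFFLINE rights (assumed design, simulation only)
    def __init__(self, device_secret: bytes):
        self._secret = device_secret  # assumed to be bound to this computer
        self._leases = {}

    def _keystream(self, file_id: str) -> bytes:
        return hashlib.sha256(b"wrap" + self._secret + file_id.encode()).digest()

    def _tag(self, file_id: str, wrapped: bytes, expires_at: float, last_seen: float) -> bytes:
        msg = file_id.encode() + wrapped + repr((expires_at, last_seen)).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def _revoke(self, file_id: str, reason: str):
        self._leases.pop(file_id, None)  # any failure deletes the offline rights
        return None, reason

    def store(self, file_id: str, file_key: bytes, now: float, lease_seconds: float) -> None:
        """After ONLINE authentication: wrap the 32-byte file key and start the timer."""
        wrapped = bytes(a ^ b for a, b in zip(file_key, self._keystream(file_id)))
        expires = now + lease_seconds
        tag = self._tag(file_id, wrapped, expires, now)
        self._leases[file_id] = OfflineLease(wrapped, expires, now, tag)

    def open(self, file_id: str, now: float):
        # returns (file_key, reason); file_key is None when OFFLINE access is refused
        lease = self._leases.get(file_id)
        if lease is None:
            return None, "no offline rights: RECEIVER must come back ONLINE and authenticate"
        expected = self._tag(file_id, lease.wrapped_key, lease.expires_at, lease.last_seen)
        if not hmac.compare_digest(expected, lease.tag):
            return self._revoke(file_id, "lease was not issued to this computer")
        if now < lease.last_seen:
            return self._revoke(file_id, "system time tampered: OFFLINE rights terminated")
        if now >= lease.expires_at:
            return self._revoke(file_id, "timer expired: OFFLINE rights deleted")
        lease.last_seen = now  # advance the high-water mark and re-seal the lease
        lease.tag = self._tag(file_id, lease.wrapped_key, lease.expires_at, now)
        key = bytes(a ^ b for a, b in zip(lease.wrapped_key, self._keystream(file_id)))
        return key, "opened with restricted rights"
```

The seal over last_seen is what turns a clock roll-back into a detectable event rather than a silent extension of the lease; a real product would also have to protect the device secret itself.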

Page 16: GTB IRM - How it Works - 2013

THE GTB Data Protection Suite: We return the “P” back into “DLP”

For more information, please contact:

GTB Technologies, Inc.

5000 Birch St., Suite 3000

Newport Beach, CA 92660

Sales: (800) 507-9926 Main: (949) 783-3359

Email: [email protected] or your local representative.

Web: www.gtbtechnologies.com

Reference: Graphics courtesy of Seclore Pvt. Ltd.

Conclusion

The marriage of content awareness and IRM provides the organization with comprehensive access control on sensitive data for internal and external constituents. Sensitive or confidential data is automatically encrypted based on file content, and access to such data is controlled by either the file owner or a designated administrator. External constituents may also have access rights to such files, but only if they have been approved. This way, organizations are able to secure files even while such files are circulating outside the perimeter.