GTB IRM - How it Works - 2013
Content Aware Enterprise Information Rights Management
How it Works? GTB Technologies, Inc.
An IRM system that transfers the responsibility for protection from human beings to a content-aware automated process is extremely valuable for large organizations.
The need to integrate DLP and IRM is critical
Much has been written about famous data breaches and the need for Data Loss Prevention. I will spare the reader the aggravation of reading it again here. There are hundreds of data security systems designed to control and prevent data breaches, and yet every week we hear about a new data breach. It is clear that users and administrators are unable to fully protect sensitive data. The main problem is that data changes all the time. Users are focused on doing their job, not on data security. Aggravating the problem, hackers, malware, spyware and viruses are focused on extracting such data from inside the perimeter. What is a CSO to do?
Content awareness and the 4 W's
A good solution is a Content-Aware Information Rights Management System. Automatic content visibility transfers the obligation of data security from users to a process. Imagine a system that automatically identifies files containing credit cards, source code, images or any other intellectual property. Furthermore, imagine a process in which pre-defined IRM policies are automatically enforced on such files as soon as they are saved on desktops or file shares. Such policies express the 4 W's that are so crucial to protecting data.
The 4 W’s – Who – What – Where and When
Access control and usage control are two aspects of data security that are often ignored. Mapping the content discovery to the IRM policies (see example picture below) provides automatic control of the 4 W's:
WHO can access the information: identity is established by the IRM system's identity method, LDAP or non-LDAP databases as defined in custom applications and portals.
WHAT recipients can do with the information: control of the specific allowed actions on files: View, Edit, Print (including Print Screen), Forward/Share, Copy/Paste.
WHEN each user can access the information: IRM can control the time span in which the recipient has access to the file. A document may allow access from August 20, 4 pm to August 23, midnight. Alternatively, the time span may be defined as 2 days from first access.
WHERE the information can be used: this important control restricts usage of the information to a pre-specified list of computers identified by hardware (MAC address), or to a specific range of IP addresses or networks. CSOs can now control data even when it is outside the perimeter. This is a very good way to provide data protection for smart mobile devices: one can prevent such devices from ever seeing the data, while users who have the required credentials may view the files in the local browser. The discovery agent must monitor the system constantly so that any time a file is saved, it is scanned for a pattern or fingerprint and the mapped IRM policy is enforced.
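The scan-on-save mapping and the 4 W's decision described above, as an added illustration that is not GTB's or Seclore's code: a toy discovery step classifies a file (credit-card numbers validated with a Luhn check, plus a crude source-code heuristic), the class selects a pre-defined IRM policy, and an access request is then checked in WHO, WHAT, WHEN, WHERE order. The patterns, the policy table, the user names, the MAC address and the network ranges are all constructed sample values standing in for a real discovery engine and LDAP/AD-backed identities.

```python
"""Content-aware IRM: classify a file on save, map the class to a pre-defined
IRM policy, and decide an access request on the 4 W's (WHO, WHAT, WHEN, WHERE).

Added illustration, not GTB or Seclore code. Patterns, policies, users,
MACs and networks below are constructed sample values.
"""
import ipaddress
import re
from datetime import datetime

# ---------- content discovery (the "pattern or fingerprint" step) ----------
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SOURCE_RE = re.compile(r"^\s*(?:#include\b|def \w+\(|class \w+[:(]|import \w+)", re.M)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Return the content class the (toy) discovery agent assigns to a file."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "credit_card"
    if SOURCE_RE.search(text):
        return "source_code"
    return "public"


# ---------- pre-defined IRM policies, keyed by content class (constructed) ----------
IRM_POLICIES = {
    "credit_card": {
        # WHO may access, and WHAT each of them may do
        "rights": {"alice": {"view", "edit", "print"}, "bob": {"view"}},
        # WHEN: fixed window, August 20 4 pm to August 23 midnight (ISO strings)
        "window": ("2013-08-20T16:00", "2013-08-23T23:59"),
        # WHERE: permitted hardware (MAC) or network ranges
        "macs": {"00:11:22:33:44:55"},
        "networks": ["10.0.0.0/8"],
    },
    "source_code": {
        "rights": {"alice": {"view", "edit"}},
        "window": ("2013-01-01T00:00", "2013-12-31T23:59"),
        "macs": set(),
        "networks": ["192.168.10.0/24"],
    },
}


def policy_for(text: str):
    """On save: scan the file; return (class, policy) or (class, None) if it stays unprotected."""
    cls = classify(text)
    return cls, IRM_POLICIES.get(cls)


def authorize(policy, user, action, when, mac=None, ip=None):
    """Decide one access request; returns (granted, reason) checked in 4-W order."""
    allowed = policy["rights"].get(user)
    if allowed is None:
        return False, "WHO: user not granted access"
    if action not in allowed:
        return False, f"WHAT: {action} not permitted for {user}"
    start, end = (datetime.fromisoformat(t) for t in policy["window"])
    if not start <= datetime.fromisoformat(when) <= end:
        return False, "WHEN: outside the allowed time span"
    on_mac = mac is not None and mac.lower() in policy["macs"]
    on_net = ip is not None and any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in policy["networks"])
    if not (on_mac or on_net):
        return False, "WHERE: device or network not in the permitted list"
    return True, "granted"


if __name__ == "__main__":
    cls, pol = policy_for("Customer card: 4111 1111 1111 1111, exp 12/15")
    print(cls, authorize(pol, "bob", "view", "2013-08-21T10:00", ip="10.1.2.3"))
    print(cls, authorize(pol, "bob", "print", "2013-08-21T10:00", ip="10.1.2.3"))
```

The decision order matters for logging: a denial names the first W that failed, which is what an administrator needs when tuning a policy. The example treats MAC and IP as plain strings supplied by the client, so it shows the policy logic only; how the real product establishes the hardware identity is not shown on this page.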
The Case for Content Aware Information Rights Management
A Typical File Sharing Scenario – without IRM
[Figure: SENDER sends an un-protected file to RECEIVER.] Once the file is sent to the RECEIVER, the SENDER has no control over the file. It can further be: Edited, Copied, Printed, Distributed, Viewed (by others).

GTB IRM by FileSecure - File Sharing Scenario [File Protection]
[Figure: SENDER and Seclore Policy Server (PS).] The SENDER defines the Usage Rights; the request is sent to the Policy Server.

Usage Rights Matrix (representative form; various users, different rights)
Columns: View, Edit, Print, Copy/Paste, Time Limit, Location
USER 1 – Location: Office
USER 2 – Time Limit: 1-5 Jan
USER 3 – no time or location restriction shown
USER 4 – Location: Office
(The per-action permissions were shown as check marks in the original graphic.)
Examples of protected files: View only; View & Edit only; View & Distribute only; View & Print only; … & other combinations.

GTB IRM by FileSecure - File Sharing Scenario [File Protection]
[Figure: Policy Server (PS).] The Encryption Key is generated at the Policy Server and sent to the SENDER. The file gets protected.

GTB IRM by FileSecure - File Sharing Scenario [File Distribution]
[Figure.] The file, with different usage rights, travels through various media (email, CD, shared internet portals, LAN, etc.) to various RECEIVERS, both inside the organization and external users.

File access in ONLINE mode (for Employees)
[Figure: Sequence 1 2 3 between RECEIVER, Policy Server (PS) and AD.]
1. RECEIVER gets a protected file through removable media (USB). Clicks on the file to open it.
2. Authentication information goes to a User Authentication system (AD).
3. Once authenticated, the Key travels to the RECEIVER and the file opens with restricted rights.

File access in ONLINE mode (for Employees) – rights changed after distribution
[Figure: Usage Rights Matrix as above; IRM Policy Server (PS); same file, but with new usage rights.]
“SENDER can still change usage rights at the Policy Server and the new rights are transferred automatically to the RECEIVER.” See Sequence 1 2 3.

File access in ONLINE mode (for Business Partners)
[Figure: Sequence 1 2 3 between RECEIVER, Policy Server (PS) and the authentication system.]
1. RECEIVER gets a protected file through e-mail. Clicks on the file to open it.
2. Authentication information goes to a User Authentication system (LDAP/non-LDAP).
3. Once authenticated, the Key travels to the RECEIVER and the file opens with restricted rights.

File access in OFFLINE mode
[Figure: Sequence 1 2 3 4 between RECEIVER, Policy Server (PS) and the authentication system.]
1. RECEIVER gets a protected file through e-mail. Clicks on the file to open it.
2. Authentication information goes to a User Authentication system (LDAP/non-LDAP).
3. Once authenticated, the Key travels to the RECEIVER and the file opens with restricted rights.
4. But in this case, the Key gets stored on the RECEIVER's computer, encrypted with another key, for offline usage along with a timer.

File access in OFFLINE mode
1. The document can still be opened even if the RECEIVER moves to a different location (OFFLINE, no access to the Policy Server).
2. Once the timer expires, the OFFLINE rights get deleted. The USER can no longer access the document in OFFLINE mode. The RECEIVER has to come back ONLINE and authenticate himself to open the document.

File access in OFFLINE mode
If the RECEIVER forwards the document, the RECIPIENT will not be able to open the document because he doesn't have the key.
If the RECEIVER tampers with the system time, all OFFLINE rights are automatically terminated.
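The offline sequence above (step 4 of the online flow, the timer, the forwarded-file case and the clock-tamper rule), as an added illustration that is not GTB's or Seclore's code: the document key is cached in a lease wrapped under a device-bound key, carries an expiry and a high-water mark of the wall clock, and is refused when the tag does not verify on another device, when the clock has gone backwards, or when the timer has run out. The wrapping uses an HMAC-SHA256 keystream and tag as a stand-in for the product's real cipher; the device secrets, document key and epoch times are constructed values.

```python
"""Offline IRM lease: document key cached on the RECEIVER's machine, wrapped
under a device-bound key, with an expiry timer and clock-tamper detection.

Added illustration, not GTB or Seclore code. HMAC-SHA256 in counter mode
stands in for the product's cipher; secrets and times are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def device_key(device_secret: bytes) -> bytes:
    """Derive the 'other key' of step 4 from a per-device secret (constructed here)."""
    return hashlib.sha256(b"irm-offline-wrap|" + device_secret).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (wrap and unwrap are symmetric)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def lease_tag(dk: bytes, wrapped: bytes, nonce: bytes, expires_at: int) -> bytes:
    """Integrity tag binding the wrapped key and its expiry to this device."""
    msg = wrapped + nonce + expires_at.to_bytes(8, "big")
    return hmac.new(dk, msg, hashlib.sha256).digest()


@dataclass
class Lease:
    wrapped_key: bytes
    nonce: bytes
    expires_at: int      # epoch seconds at which OFFLINE rights end (the timer)
    last_seen: int       # highest wall-clock value observed; guards against rollback
    tag: bytes
    revoked: bool = False


def issue_lease(doc_key: bytes, device_secret: bytes, now: int, ttl_seconds: int) -> Lease:
    """Step 4: after ONLINE authentication, cache the key for offline use with a timer."""
    nonce = os.urandom(16)
    dk = device_key(device_secret)
    wrapped = keystream_xor(dk, nonce, doc_key)
    expires_at = now + ttl_seconds
    return Lease(wrapped, nonce, expires_at, now, lease_tag(dk, wrapped, nonce, expires_at))


def open_offline(lease: Lease, device_secret: bytes, now: int):
    """Return (doc_key or None, reason). Updates last_seen and may revoke the lease."""
    if lease.revoked:
        return None, "offline rights already terminated; reauthenticate ONLINE"
    dk = device_key(device_secret)
    expected = lease_tag(dk, lease.wrapped_key, lease.nonce, lease.expires_at)
    if not hmac.compare_digest(expected, lease.tag):
        # A forwarded copy lands on a different device: no key can be recovered.
        return None, "lease not bound to this device (forwarded or altered)"
    if now < lease.last_seen:
        # System time moved backwards: treat as tampering and terminate all offline rights.
        lease.revoked = True
        return None, "clock rolled back: offline rights terminated"
    lease.last_seen = now
    if now > lease.expires_at:
        lease.revoked = True
        return None, "timer expired: offline rights deleted, reauthenticate ONLINE"
    return keystream_xor(dk, lease.nonce, lease.wrapped_key), "opened offline"


if __name__ == "__main__":
    lease = issue_lease(b"K" * 32, b"device-A-secret", now=1_000, ttl_seconds=3_600)
    print(open_offline(lease, b"device-A-secret", now=1_500)[1])
    print(open_offline(lease, b"device-B-secret", now=1_500)[1])
    print(open_offline(lease, b"device-A-secret", now=1_200)[1])
```

The rollback check compares the clock only against what this lease has already seen, so a simple timer on its own would not notice a machine set back before the first open; the last_seen and revoked fields would need tamper-evident storage on a real client, which this sketch does not provide.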
The GTB Data Protection Suite – We return the “P” back into “DLP”
For more information, please contact:
GTB Technologies, Inc.
5000 Birch St., Suite 3000
Newport Beach, CA 92660
Sales: (800) 507-9926 Main: (949) 783-3359
Email: [email protected] or your local representative.
Web: www.gtbtechnologies.com
Reference: Graphics courtesy of Seclore Pvt. Ltd.
Conclusion
The marriage of content awareness and IRM provides the organization with comprehensive access control on sensitive data for internal and external constituents. Sensitive or confidential data is automatically encrypted based on file content, and access to such data is controlled by either the file owner or a designated administrator. External constituents may also have access rights to such files, but only if they have been approved. In this way organizations are able to secure files even after those files are circulating outside the perimeter.