Ministry of Transport Public Website Refresh.

August 2009

The Rights Management Debate

A great deal has been written about IT security over the last few years, and such stories usually appear in the context of fear of data loss, and intellectual property theft. One such story appeared in the Dominion Post this week, and highlighted the use of Personal Storage Devices (PSDs) within government agencies, and the inherent risks of such devices.

It is a fact of our time that people require access to information, and such access is no longer governed by having to be at a desk. The concept of the mobile worker is not new, and employees now have the technology to work from home, on the move, or in any location they choose. The issue for security is really about the data itself, not the medium on which it is stored, but more around who has access to it, what they can do with it, and for how long.

Any access to company confidential information, does lead to the risk of data loss or theft. Traditional IT departments restrict remote access to company systems in a futile effort to protect data, but employees simply copy data to PSDs, which in many cases not only breaks a company's security policies, but can expose the company to greater risk.

Often the excuse for not providing remote access for employees comes down to a fear around security, but one might suggest that such behaviour drives the practice underground and forces the use of PSDs. In addition, employees come and go in every company, and when they leave they can take confidential material, company secrets, and client lists. So the issue is more around how to provide your employees with open access to your company data at all times, so they can do their job, yet ensure that it is secure and properly governed.

This has been a major issue for companies to deal with, and the boom in social networking and collaboration has scared many IT departments into locking down folders and actual data access to the point where it reduces the ability for staff to be productive workers. However, there is a very simple solution to all of this and it integrates seamlessly into the Microsoft suite of products. The concept is called Rights Management and it is not new; the traditional practice of locking down everything is far easier for an IT department to impose, but it does force employees to take risks in order to do their work.

Rights Management Service (RMS) is a method by which information can be shared across an enterprise without fear of loss of control. It works on a policy basis by which permissioned employees (users) have specific rights to use documents, or e-mails, that have been appropriately classified.

Think about all those spy films with documents that are stamped "Top Secret"; only those employees with the right level of security clearance have access to read such documents and the same rules apply to RMS. If you have the permission, you can open and read the document, and if you don't have the rights, the file is unable to be viewed.

RMS actually encrypts the protected data, and so even if it exists on a PSD, it cannot be read unless a user has the appropriate permission. The rights actually travel with, and are an embedded component of, the document; as a result, it is less intrusive than a password, and happens without any conscious effort by the user.

What this means for companies is that not only can they protect who has access to their data, they can dynamically manage user permissions at any time. Rights Management works by associating predefined security policies to a document, and those policies are validated to a centrally managed server every time the document is opened. The policies can be very granular and can restrict the user from printing, forwarding, or even copying the content. Short of photographing the screen, the content use can be completely controlled.

E-mail can also be protected, and so an internal memo stays within an organisation. There is no way for someone outside your trusted group being able to read the content of a RMS protected e-mail, even if it is forwarded to them. Any documents that have been captured by the Right Management policies can only ever be consumed by the individuals that have the appropriate permissions. If those permissions are withdrawn, such as if an employee leaves a company, it no longer matters if they have the files on a PSD, as they will no longer be able to credential themselves to decrypt the content, ever.

Martin Cayford, a security consultant working for Provoke Solutions Limited says "the solution to data theft is not just about securing PSD's, this can be very effective. However it is also very onerous for an enterprise and the PSD landscape is continually changing. There are other factors to consider, such as ensuring new PSD's are secured, rolling out and managing the software that does this, while still leaving other avenues for data to leak out of the organisation."

The great thing with RMS is the persistent way access and use is controlled; the use policy travels with the document. The policy applies to the document every time it is opened with no regard to the storage or transport medium. This takes some work and whilst Rights Management can be rapidly deployed, the real benefits come from taking the time to define your security policies.

Martin is a Certified Information Systems Security Professional, one of only a handful in New Zealand. CISSP is an industry standard, and globally recognised accreditation, and was adopted as the baseline standard by the National Security Agency, the government agency in the US that deals with communications intelligence.

Martin is a firm believer in open, but secure, access and states, "The secret to success with security is to make it invisible; it should not be intrusive and should just be part of daily life." Forcing restrictions on employees and locking up information simply means that people find other ways to work and data escapes via the back door. Creating policies and defining governance is the key to proper data security, and open collaboration, without the fear of IP theft or data loss."

Martin Cayford

Martin Cayford, Senior Technology Consultant

martin.cayford@provoke.co.nz

Copyright © 2001-2010 Provoke Solutions Ltd.