CIOL: In that case, isn’t password protection of all information in a Content Repository sufficient to protect data against leakage?

RK: No. Password protection of documents is yet another avatar of perimeter-centric security mechanism like access control. Once the password is shared with the receiver, all control on the document is completely lost. Thereafter repositories don’t have control over what the user can do with document.

CIOL: How can one restrict leakage and misuse of information after they are downloaded from the Content Repository?

RK: Information Rights Management (IRM) technology enables “owners” of information to control the actions that are performed on the information once it has been downloaded from a content repository. IRM can protect and restricts usage on “downloaded” documents to only specific users or groups, specific actions like view, print, edit, copy content and distribute, specific time of usage like “till 19th August 2009” or “2 days”.

In some cases the IRM can also restrict the usage to specific computers and network IP addresses thus providing an additional layer of control when providing access to systems outside of the enterprise.

Additionally, in a few IRM technologies these controls are dynamic in nature which means that the receiver’s actions on a document can be changed without the need to resend the document. Thus the controls that are put on a document can directly reflect the business relationship.

CIOL: Can information be protected even after it leaves the organization's network firewall?

RK: Yes. IRM is applied to the content itself. Hence it is independent of the location of the document. Thus, irrespective of where the document resides - within the content repository or outside of the repository but inside the organization or outside of the organization, IRM is persistently present protecting the document throughout its lifecycle of creation, storage, distribution, usage and deletion.

CIOL: What kind of controls can be levied on downloaded information?

RK: Controls are classified under the 4 W’s of a document-

WHO can access the information: This typically relates to a user repository like a LDAP system. For some IRM technologies, it is also possible to link this to non-LDAP user databases as defined in custom applications and portals.

WHAT can each user do with the information: This typically relates to individual actions allowed on the information by the specific user. Individual actions that can be controlled are viewing, editing, printing, forwarding/sharing, copy/paste of content and un-protecting.

WHEN can each user access the information: This control can limit users to access the information within a specific date range or time span. A document could thus have “19th August 4 pm to 23rd August midnight” as a specific date range or “2 days from first access” as the specific time span within which the document is available.

WHERE can the information be used: Even within IRM technologies, this is not-so-commonly available feature which could become useful in cases of information of extreme confidentiality. This control can restrict usage of the information to only a pre-specified list of computers identified by the hardware or to a specific range of IP addresses or networks.