/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsBANGALORE, INDIA: Today, organizations worldwide are being bombarded by volumes of information flowing through email, Internet and mobile devices.
There is a continuous inflow and outflow of documents being created, transferred, modified, stored and disposed. Thus, to reduce and manage the document flow, enterprises invest in sophisticated Content Repository and collaboration tools.
Content Repository systems come in different flavors like Electronic Content Management (ECM), Workflow systems, Business Process Management (BPM), Knowledge Management (KM) and Document Management Systems (DMS).
In an interaction with Abhigna N G of CIOL, Rahul Kopikar, business development, Seclore Technology talked about deployment of content management system and content repositories.
He also shared his views on development and future of content management system and content repositories. Excerpts:
CIOL: How do you see the deployment of content repositories? And does it require tight security?
Rahul Kopikar: The need and deployments of content repositories is now quickly expanding to go beyond the enterprise and involve business partners, vendors and sometimes even customers. This, however, has left the information contained within the repository vulnerable to mass leakage.
The volatile nature of business relationships also means that information and systems shared with business partners are used in accordance with pre-defined norms. Depending on the nature of the business this could pose an enormous threat to the business and the ROI achieved from the content repository.
Ensuring the security of information through the lifecycle of creation, distribution, use, and destruction is thus gaining a lot of importance
CIOL: Are there any security loopholes through which data can get leaked out of a Content Repository?
RK: Yes. Security policies for information contained within a content repository are only applicable till the time the information is resident within the repository. Repositories, therefore, implement only the first level of security called “access control”.
Access control policies are binary in nature. They dictate whether a user can download information from the repository or not. Once the access control is given and information is downloaded, repositories don’t have control over what the user can do with document (e.g. can he print, edit, copy content, and/or distribute the information).
In other words the user is free to do whatever he wants with the information. Access control, therefore, does not protect the information but just the 'gate' though which the information can leave.
CIOL: In that case, isn’t password protection of all information in a Content Repository sufficient to protect data against leakage?
RK: No. Password protection of documents is yet another avatar of perimeter-centric security mechanism like access control. Once the password is shared with the receiver, all control on the document is completely lost. Thereafter repositories don’t have control over what the user can do with document.
CIOL: How can one restrict leakage and misuse of information after they are downloaded from the Content Repository?
RK: Information Rights Management (IRM) technology enables “owners” of information to control the actions that are performed on the information once it has been downloaded from a content repository. IRM can protect and restricts usage on “downloaded” documents to only specific users or groups, specific actions like view, print, edit, copy content and distribute, specific time of usage like “till 19th August 2009” or “2 days”.
In some cases the IRM can also restrict the usage to specific computers and network IP addresses thus providing an additional layer of control when providing access to systems outside of the enterprise.
Additionally, in a few IRM technologies these controls are dynamic in nature which means that the receiver’s actions on a document can be changed without the need to resend the document. Thus the controls that are put on a document can directly reflect the business relationship.
CIOL: Can information be protected even after it leaves the organization's network firewall?
RK: Yes. IRM is applied to the content itself. Hence it is independent of the location of the document. Thus, irrespective of where the document resides - within the content repository or outside of the repository but inside the organization or outside of the organization, IRM is persistently present protecting the document throughout its lifecycle of creation, storage, distribution, usage and deletion.
CIOL: What kind of controls can be levied on downloaded information?
RK: Controls are classified under the 4 W’s of a document-
WHO can access the information: This typically relates to a user repository like a LDAP system. For some IRM technologies, it is also possible to link this to non-LDAP user databases as defined in custom applications and portals.
WHAT can each user do with the information: This typically relates to individual actions allowed on the information by the specific user. Individual actions that can be controlled are viewing, editing, printing, forwarding/sharing, copy/paste of content and un-protecting.
WHEN can each user access the information: This control can limit users to access the information within a specific date range or time span. A document could thus have “19th August 4 pm to 23rd August midnight” as a specific date range or “2 days from first access” as the specific time span within which the document is available.
WHERE can the information be used: Even within IRM technologies, this is not-so-commonly available feature which could become useful in cases of information of extreme confidentiality. This control can restrict usage of the information to only a pre-specified list of computers identified by the hardware or to a specific range of IP addresses or networks.
CIOL: Does one have to manually put these controls on every document that is uploaded into the Content Repository?
RK: No. In most cases the above usage rights are seamless and transparent to the up-loader of the document. Pre-defined credentials (i.e. the 4 W’s of the document) are assigned to folders inside the content repository.
Documents uploaded into the repository get automatically protected based on the folder in which they are placed. The credentials can be assigned to the folders by the system administrator or the owner of the folder (head of a group).
CIOL: What are the other benefits of integrating IRM with Content Repository?
RK: Security + Collaboration: The biggest benefit that IRM brings to content repositories is that security of downloaded documents can be ensured without compromising on the collaboration capabilities of content repositories.
Audit trail: IRM can audit trail the usage of the information once it leaves the repository. Authorized actions as well as unauthorized attempts can be tracked across enterprise boundaries. This not only help enterprises to adhere to regulatory and compliance frameworks like ISO, Sarbanes-Oxley & HIPPA for “unstructured” data but also helps in detecting suspicious activities on documents by unauthorized users.
Deprecation of documents: Documents could also be 'deprecated' such that access to old documents residing on desktops can be prevented.
Increase revenues: It increases revenues by preventing misuses, theft and leakage of 'paid' content.
CIOL: What is future of IRM with Content Repositories? What developments can one expect in this space?
RK: Today, the requirement for persistent and content-level protection for information outside of the content repository makes IRM almost a necessary component of any content repository system. Moving beyond ECM and Workflow systems, the need for IRM technology is being seen in many other technologies, more generically in any system which stores information - e.g. - Enterprise Resource Planning (ERP) and Core Banking Systems (CBS). In the near future IRM will be able to support many more document formats including proprietary file formats of a transaction system.
CIOL: Apart from Content Repository, what other technologies can IRM compliment ?
RK: There are quite a few technologies that compliment IRM. A few of them are-
IRM + DLP: Data Loss Prevention (DLP) systems prevent unauthorized access to information classified as confidential by restricting the distribution by blocking removable media, emails, etc. All of this, however, is possible while information is within a 'perimeter' (desktop/network firewall). Also, in today’s collaborative world information needs to be shared on an ongoing basis. IRM extends the security of confidential information beyond the perimeters of desktop and network firewalls.
IRM + ERP: There is a constant upload and download of information in ERP systems. ERP systems cease to hold control on information as soon it leaves the the ERP server by way of download. By integrating with IRM, ERP can provide control on information even after it is out of the ERP system.
IRM + CBS: CBS generate reports for all the transactions that take place. These reports are downloaded on to desktops for offline viewing and analysis. IRM provides complete control on reports that have been downloaded from a CBS and prevents any misuse and customer information leakage.
IRM + Antivirus: Antivirus technology shields data and other resources against malware, worms and viruses. Seclore FileSecure shields data from unauthorized access, data leakage, misuse and theft. By combining IRM with an anti virus / spyware / malware system it is possible to provide a single desktop / server security agent to the customer thus enhancing value and reducing administrative expenses.