Information Rights Management (IRM)

[simran]

Hi All, 

Does anyone know of a good free and/or open source product in the Information Rights Management (IRM) space? 

In essence, IRM covers files that are protected even after being able to be secured after they have been sent. It usually involves encrypting the file and getting the client to download some software via which they can decrypt it (the client usually restricts what one can do with the file as welll, eg. "view" but not "print", etc etc etc...). 

On this list as IRM is all about security, it's a segment often little known about by security professionals, but is getting to be a popular way of preventing unauthorised use of files(/data) after they have left your network... 

simran.

[anindya biswas]

Nice thing you asked Simran.

Unfortunately I don't have any knowledge but looking for something
similar for my organization environment.I have to distribute pdf files
to employees which often on unsecured network and have to stop illegal
distribution so they can't make a copy/print/distribute to others.

Looking forward for knowledgeable answers.

Thanks in advance.

Regards,
Anindya Biswas
MSc Information Security,RHUL

[Naga Rohit S]

Isn't it as simple as using a custom key for 'encoding' a file into binary and placing the respective decoding key at the client ?

--
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/

--
Naga Rohit S

Aliter: s.n...@iitg.ernet.in

[simran]

That is certainly the essence of it, but that's almost trivialising email as "data packets that go down the wire" ;) 

These are usually functions that are often offered by IRM packages:

(simplifying for the sake of this email)

* document expiry (the client key has built into it a time function, and if connected, the client is told by the server that the key has expired)

* restrict forward (the key is hidden in the client and cannot be retrieved, so you cannot forward the document to others)

* restrict by client ip/domain/etc... 

* restrict ability for certain functions (eg. print, edit, copy)... clients usually integrated with software such as word/excel/powerpoint (in the case of microsloth) and disable that functionality

* traceability of the flow of the document itself... 

It is something that is becoming more and more popular in organisations (especially as things move to the cloud and perimeter security is becoming irrelevant) - security now must be "packaged into the document itself"

As people have pointed out, seclore, pawaa, boule and a number of others offer good IRM solutions, however, i am looking for an open source one... 

(it's a new frontier as it's really in it's commercial infancy; and it's changing the paradigm of "protecting from getting to the data at all" to "protecting and restricting the ability to act on that data"...)... 

simran.