SaaS-Based IRM Solutions to Secure the Enterprise


Data leaks are one of the chief threats facing enterprise IT managers today. Information Rights Management (IRM) technologies are designed to protect the enterprise by reducing or eliminating the risk of accidental leaks.

IRM solutions based on software-as-a-service (SaaS) delivery models offer three major advantages over in-house implementations when it comes to securing information in use. First, IRM is non-intrusive, since it is enabled through viewer extensions or plug-ins rather than the host-based agents that in-house products employ. Second, version updates of extensions require little or no IT staff involvement. Third, SaaS-based IRM solutions have the flexibility to cover the most popular file types used in productivity applications (e.g. Excel, Word and PDF formats) without being limited to any one vendor.

Despite these benefits, some potential weaknesses are common to all IRM solutions, whether they are in-house or SaaS-based.

Traditional methods of protecting information inside a well-established perimeter often fail because a larger enterprise's data is dispersed across the business and documents need to be accessible 24/7. Most existing products reliably protect against accidental or unintentional document leaks; protecting against data theft, however, comes down to how well the information that is regularly accessed from various points across the enterprise, or "information in use," is protected. Let's take a closer look at ways this can be achieved:


Most organizations can easily protect information in transit by securing browser-to-server communication via SSL with strong encryption. Protecting information at rest, however, requires a few more steps. First, developers need to centralize the storage of critical information and build in authorization for every access request.

Second, the appropriate cryptographic protection needs to be built on strong algorithms and long keys. Protecting information in use presents a more interesting problem: here the decryption process itself must be portable and available at the point of viewing.

Data ownership and access

Some vendors have developed proprietary viewers for files to protect their information in use -- a version of "security by obscurity" -- while others implement extensions for browsers or productivity tools, such as document editors and electronic spreadsheets, which decrypt file content as needed. Many of these solutions have additional features allowing data owners to apply centralized policies or user rights to individual files, where each file can have permissions set up for "view-only," "view and print" or "disable printscreen," and combinations of those functions.

In the best of these solutions, the encryption keys and permissions are stored on a proprietary server and are securely downloaded on demand. Those permissions can be removed even after the document has left the enterprise perimeter, and changes take effect immediately, allowing the owners to maintain control of the content.


However, IRM alone does not provide protection from data thieves who use video equipment or screen capturing techniques to make illegal copies of documents. IRM needs to be combined with robust watermarking of the content to which it enforces read-only access. This type of digital watermarking has proven to be an effective deterrent against data theft with in-house as well as SaaS solutions.


Other vendors have recently started offering technologies that obscure the document view so that only a small area around the mouse cursor is visible. This type of functionality might also draw a curtain over the browser when it loses focus, to protect from screen capture or what some call "shoulder surfing."

While the curtain is useful against older screen capture tools and is less intrusive, it does not always protect against newer screen capture products that have built-in capture delays. From a user perspective, curtain technology obscures the view to the point that it is annoying or even unusable (in the case of complex diagrams). This kind of protection often punishes legitimate users while doing very little to protect the data, so it should be implemented with care and at least be configurable.

In conclusion, a good IRM deployment, with on-the-fly decryption of files, will protect against all accidental document leaks both inside and outside the enterprise. Robust watermarking combined with granular access control and auditing capabilities will deter most data thieves.

A preferred IRM solution will cover close to 100 percent of the document types used in everyday business activities across two or three vendors (and also offer easy conversion utilities for unsupported document types). It will not only have modern cryptographic protection (including tiered key management) but will also have externalized the encryption algorithm and key strength, allowing the cryptography to be changed quickly. In short, IRM must be easy on the user, creating as small a footprint as possible.

IRM makes sure there are no unprotected copies of the documents left on client machines, and how well it does this -- not how well it showcases the product -- should be the main criterion to judge this technology.

About the Author

Mush Hakhinian leads the application security practice at IntraLinks, a leading critical information exchange solutions provider. Prior to IntraLinks, Hakhinian held security leadership positions at ACI Worldwide, an online banking software company, where he managed the application development security lifecycle and relationships with customers’ security departments. He also led the Electronic Security Department at the Central Bank of Armenia. Hakhinian has been managing security initiatives for the past 16 years and is an active member of OWASP Boston Chapter. For more information about IntraLinks, please visit and
