The deployment of an IRM/EDRM solution has two fundamental parts. One is the technical deployment of the solution: installation of the software, local or cloud servers, configuration, etc. The other, which is the focus of this article, is the establishment of the necessary protection processes within the organization so that the solution is used efficiently and fulfills its function.
Why do many data-centric security projects fail with EDRM deployed?
Many data-centric security projects, including information classification, DLP (Data Leak Prevention) and IRM (Information Rights Management) / EDRM (Enterprise Digital Rights Management), fail because they focus only on the first part: a purely technical deployment. It is clear that the product has to be stable, reliable, and tested for the project to be successful, but an implementation of this type of technology cannot stop at the technical implementation alone.
In some failed projects, we have seen an installed solution left with the customer, who is informed that it is ready to protect the documentation. The result is that months go by and the client doesn’t use it because they don’t know where to start. In the case of a DLP, the complexity lies in defining a series of well-configured rules to determine what is confidential and what is not, who can receive certain information and who cannot. Leaving this in the hands of the IT or Security team is a daunting task, since it is very difficult for these teams to know what is confidential and what is not.
This is where information classification tools come in a priori: users are given options in Office, Outlook, etc. so that they classify each email they send or each document they generate. The user has to determine whether the information is Public, Internal Use, Restricted, Confidential, Top Secret, etc. If a user has sensitive information, such as the company’s financial data, they can label it as “Confidential”.
If this documentation isn’t going to be protected in its three states, and if there are no DLP rules associated with this classification level, tagging the document is simple and has no impact, but what is it really worth if the information is not protected in the end? The company spends effort and time on actions that will not really protect its data.
On the other hand, if for example a rule is created in the DLP to block the output of this data, it can generate a lot of friction, since the user may have to share it with third parties in a controlled way; if the DLP blocks it, it prevents the user from doing their job. In the end, the user can classify something as “Confidential”, but if when performing that action they don’t know who will be able to see it and who will not, they are lost, and this is where the exceptions begin.
Something similar happens with IRM/E-DRM. We have seen users left with a solution where, for each Office document, they have to indicate whom they want to share it with, the permissions they grant, and other options. You can do it for one or two files, but by the third you will stop using it. Or sometimes excessively general policies are given, similar to those of classification or linked to them (“Confidential”, etc.), that protect the document for a group of people within the company. But what if something is “Confidential” and I have to share it with other people, even people outside the organization? The confusion or chaos generated among users can be very high.
Challenges and doubts a CISO faces when deploying an EDRM solution
A CIO or CISO knows that they must protect one of the most important assets of their organization, which is data, especially the most sensitive and confidential. Much of the security investment is not intended to protect the networks themselves, but to prevent the bad guys from accessing the data kept inside the network.
IRM/E-DRM or information protection solutions are the most effective way to protect data wherever it travels, to keep a complete audit of access to sensitive information, and to destroy documents remotely or revoke access in the event that someone should not have it. The benefits are immense for the organization, but they also pose certain challenges or questions for the CIO/CISO when approaching deployment. Some of them, for example, are:
- I want to protect critical data, but where do I start?
- How to convince users to protect sensitive information?
- To what extent can I automate information protection?
- To what extent should I leave the control to the users or have it centralized?
Sometimes the answers given to the CIO to these questions follow either an excessively simple or an extremely complex approach.
Simple approach vs Extensive process consulting
Many times it is in the interest of a service partner or manufacturer to convey that the approach to protection policy management is extremely simple: “Create four basic policies such as Confidential, Restricted, etc. With those, users can protect most of their information, and for the rest, let the user protect it as they want”. They focus again on performing a deployment, or rather a quick installation and configuration of software, and end up saying what the customer sometimes wants to hear: that this is enough. Usually this simple approach is tied to the use of an information classification solution. As commented above, this approach is unsuccessful, because when classifying or protecting something as “Confidential” the user is not clear about who will be able to open the protected document, or whether they will be able to share it with the provider who must be granted access to their files or plans containing sensitive information.
In other cases, the approach is that of “extensive process consulting.” A legion of consultants must land in the company to identify where the confidential documentation is, establish 75 or 100 levels of information classification, define dozens of protection processes, and configure dozens or hundreds of DLP rules. To do this, they spend months interviewing security personnel, business users, etc. In addition to the years it takes to implement such a process, the investment in technology can be huge, since in addition to IRM/E-DRM protection it is convenient to have solutions that identify where the sensitive documentation is.
A practical and proven methodology implementing an EDRM solution
Next, we describe a strategy, proven across organizations of different sizes, for deploying the protection processes associated with an IRM/EDRM solution. In addition to the technical deployment stages of the solution, this methodology focuses on how to approach the creation of protection policies, their application, and their use by the organization. It has been built over years of working with hundreds of organizations of different sizes around the world, from some with a few dozen users to others with tens of thousands of users.
Through the pillars of this methodology, you will be able to spread a security culture in the organization that will allow you to have the most sensitive information of the company protected and under control, whether it is inside or outside the organization.
How deeply each point of this methodology is developed also depends on the size of the company. It is not the same to deploy the solution in a small engineering company where most users manage the same type of information as in one with tens of thousands of users, with different divisions and departments that manage different types of sensitive documentation.
This methodology is made up of these six phases or stages:
- Educate and communicate.
- Refine and evolve.
As mentioned above, the implementation of an information protection solution or IRM/E-DRM makes it possible to extend a security culture within the organization. For this it is important that the management of the company is aligned with this objective.
There are different reasons to implement an IRM/EDRM solution, such as: to protect against possible leaks of information of internal or external origin; to enable secure and controlled collaboration, internally and with third parties; to implement additional protection against possible breaches in the network (caused by ransomware and other threats); and to facilitate compliance with regulations (EU-GDPR, PCI, etc.).
The benefits are very high, and just as users have become accustomed to physical access controls in their organization and to access control on applications and documentation portals, they will also become accustomed to access control and permissions on the documents themselves, wherever they are.
Sometimes these needs come from the security/IT area, from Management and business users, or both. In any case, the success of the project will increase if it has the support of Management, the business areas and the security/IT departments from the beginning. That is why it is important to involve them from the start in the objective to be achieved and the benefit it brings to the entire organization.
It is necessary to analyze what type of information or use cases should be addressed first. Sensitive or confidential information exists in all organizations, but the concern on the part of the organization regarding certain types can vary.
There is information from the Management or Executive Council area that we don’t want to fall into the wrong hands; financial, legal or human resources information that needs to be kept under control; the company’s technical and know-how documentation; and data protected by a specific regulation, such as patient data, payment data, etc.
On the other hand, apart from the type of information, some use cases are more important than others: data that we send to suppliers or subcontractors and want to keep under control; data that we want to send to auditors; internal data sharing with distributed commercial teams where staff turnover can be high.
In some cases, certain organizations start from the idea that it is “better to protect everything”. Although this may apply in certain environments, such as banking, the friction it can create for users can be high. It is more convenient to analyze where the greatest risk for the organization lies with regard to the management of sensitive information and address those cases, while giving users the option to protect emails and files when they deem it convenient in use cases that fall outside the highest priorities.
This analysis will then make it possible to determine the main protection policies of the organization, more adapted to the most relevant use cases, to make them available to users and facilitate the information protection process.
3. Educate and communicate
It is recommended that communication to users, about the need to protect information, comes with a top-down approach to the organization. As we said in the “involve” section, it is a project that must be supported by Management, even if it is managed by Security or IT.
If users come across a tool to protect sensitive documentation, but no one communicates the need to use it, how it is used, etc., there is a risk that it won’t be used. If users find protected documents and no one has explained why they have restricted permissions or how to access them, we will find friction in use and possible resistance to change.
Having involved certain stakeholders from the beginning in the need to protect the information, they can help to transmit it internally so that the cultural change is as smooth as possible for users. Internal communication messages, more frequent at the beginning and then periodic, can help to extend this need to protect information.
The process must be accompanied by training. The focus of the training depends on the size of the organization. In addition to the security, IT, or helpdesk teams, it is important to train data managers. When we are talking about many users, an online training approach with short videos that easily show how to protect data is more beneficial. Here it is essential to have an easy-to-use tool with a minimal learning curve.
The communication/education/training discussed in the previous step has more impact when users see that the tool already has certain policies created for their use cases, those prioritized above.
In this part there may be two approaches or aspects:
- Start a phased deployment in which the most critical use cases or types of information for the organization have been prioritized: users have policies adjusted to these use cases and have been told how to protect the information, to avoid possible friction. This will allow you to adjust certain policies or the focus before moving on to other use cases, information types, or areas.
- Make the tool available to the entire organization: in addition to having adjusted policies for certain use cases, there is information outside of these cases that needs to be protected. Sometimes business users know what information is relevant and what is not, even more than someone from IT. Along with the necessary communication/training/education, they have at their disposal an easy-to-use tool that allows them to protect certain attachments or documentation, monitor their use, revoke access, etc., when they share it with third parties. In this case, the communication should not take place only at the beginning; periodic refreshers should be given.
It is in the initial phase where most doubts arise, and agility in resolving them is essential. This will make protection more fluid and minimize the appearance of later doubts.
A good IRM/EDRM solution should make it easy to automate protection wherever possible. In an organization, certain information is stored on file servers, document managers, cloud systems, etc. and users have gotten used to leaving it there.
If we create rules to protect this documentation automatically, we will facilitate the deployment of the solution internally. Users will not be relied on to protect certain data; rather, they will know that once stored in certain repositories the data will be protected automatically.
The same can be done with email. Depending on the type of data (e.g. bank account numbers, credit card numbers, etc.), if protection rules that apply protection automatically are put in the email gateway, we will make it harder for such data to leave the organization by mistake.
If we have DLP systems in the organization, integrating them with EDRM may make it possible to protect this data automatically on users’ computers or in repositories when a file containing sensitive data that needs protection is found.
On the other hand, if the organization has an information classification tool and you want to put it to real use so that the data is actually protected, it helps to be able to associate a protection policy with a given classification level, so that if a user classifies a document as “Confidential – HR”, for example, it is automatically protected with a policy where only the HR area has access.
Remember that automation is not a panacea. Classifying something as “Confidential”, for example, and assigning a policy that protects it is worthless if the person protecting the information is not clear about who will have access (will my collaborator at company X, who urgently needs this data, be able to open it?). However, when well focused, on repositories that are protected in a convenient and automatic way, the benefits can be very high.
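The three automation paths described in this phase (classification label to policy, protected repository to policy, and content-based detection such as card numbers at the email gateway) can be expressed as one small rule engine. The code below is an added illustration, not SealPath’s product or API; the policy names, group names, repository prefixes and label strings are assumptions constructed for the example. Each decision returns the audience the policy grants access to, so the caveat above (the user must know who will be able to open the file) can be surfaced at protection time.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical protection policies: which groups may open the file and with what permissions.
POLICIES = {
    "HR Only":      {"groups": ["HR"],             "perms": ["view", "edit"]},
    "Finance Team": {"groups": ["Finance", "CFO"], "perms": ["view", "edit", "print"]},
    "PCI Data":     {"groups": ["Payments"],       "perms": ["view"]},
}

# Classification label -> policy, so that a label actually protects the document.
LABEL_TO_POLICY = {"Confidential - HR": "HR Only", "Confidential - Finance": "Finance Team"}

# Repository prefix -> policy: anything saved under these paths is protected automatically.
REPOSITORY_TO_POLICY = {"/shares/finance/": "Finance Team", "/shares/hr/": "HR Only"}

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary 16-digit numbers (order ids, etc.) do not trigger protection."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_card_number(text: str) -> bool:
    """True when the text holds at least one Luhn-valid card-like number."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


@dataclass
class Decision:
    policy: Optional[str]          # None means: no automatic rule, the user decides
    reason: str                    # why the rule fired, for the audit trail and the user
    audience: List[str] = field(default_factory=list)  # groups that will be able to open it


def decide(label: Optional[str], path: str, text: str) -> Decision:
    """Apply the rules in order of precedence: explicit label, then repository, then content."""
    policy, reason = None, "no automatic rule matched; the user decides whether to protect"
    if label in LABEL_TO_POLICY:
        policy, reason = LABEL_TO_POLICY[label], f"classification label {label!r}"
    else:
        for prefix, name in REPOSITORY_TO_POLICY.items():
            if path.startswith(prefix):
                policy, reason = name, f"stored under protected repository {prefix}"
                break
        if policy is None and contains_card_number(text):
            policy, reason = "PCI Data", "content contains a Luhn-valid card number"
    audience = POLICIES[policy]["groups"] if policy else []
    return Decision(policy, reason, audience)
```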
6. Refine and evolve
As the deployment matures, it is convenient to carry out internal control points to see which protection policies are most used, who is protecting documentation and who is not, why, etc.
This will make it possible to fine-tune certain protection policies, refresh communication to certain users, etc. It will also help to detect situations in which automation can help, seeing for example that if certain data is saved in a network folder, on the computer or in the cloud, protecting it automatically will make life easier for users. It’s important to protect our data in the cloud.
It is important to collect feedback from users, fine-tune the process and extend protection to more areas of the company, and also to promote training in areas where it had not taken place, for new hires, etc. In this sense, the support of proactive external professional services can simplify tasks for security and IT teams.
A flexible approach depending on the type of organization
Not all organizations are the same. The size, sector, use cases, etc. vary. We do find information of the same type, with the same protection needs, in companies from different sectors, but the deployment approach must be adapted to the particular circumstances of each one.
In a smaller company, communication with users is more agile, there are well-identified interlocutors, and security and IT management is very centralized. In a larger company, security and IT management can be distributed, there can be dozens of document storage systems and multiple tools, and circumstances vary greatly between departments.
However, it is advisable to follow a similar methodology, even if certain points are developed in more or less depth. For example, in an organization with tens or hundreds of thousands of users there may be a use-case approach for certain key areas, but a more general policy approach (e.g. internal use) for certain information, with users having simple tools to protect information autonomously and without depending on IT.
In all cases, having the support of Management and certain “stakeholders” will help to spread a culture of protection within the organization, facilitate implementation, and ultimately achieve the established protection objectives to minimize possible information leaks, facilitate secure collaboration, have greater protection against breaches in the network or help in compliance with regulations.
Proven methodology implementing SealPath EDRM in organizations of all sectors
SealPath has a practical and proven methodology in different clients from different sectors and types of organization over the years. SealPath works with its channel partners so that this methodology is implemented in customers, facilitating successful deployments of IRM/E-DRM protection.
SealPath’s strategy is based on three pillars: ease of use, key to successful adoption by business users; adaptation to the needs of companies of any size, including the Enterprise segment; and automation and integration with other technologies (Cloud, DLPs, Classification, Documentation Repositories, etc.). Uniting these three pillars with a good deployment methodology, together with SealPath’s focus on IRM/EDRM protection or data-centric security (we don’t make or market other types of solutions), allows us to guarantee a successful technology deployment in any type of organization.
Do you want to know more? Get in touch with us and our experts will advise you and try to resolve all your doubts.