Rights management and the GDPR: users are still in the loop

I just returned from RSA2018, and after doing an accounting of the ‘hot topics’, GDPR seems to top the list, followed close behind by Hack Back, Blockchain, IoT, and a repeat performance of ML applied to security. (Here’s an early prediction—next year’s list of hottest topics will be Adversarial ML, a topic we AI researchers have studied for a while. The Hugh Thompson show-closing RSA presentation makes us think about the good, the bad and the ugly of AI.) Of all these topics, perhaps the hottest topic is the impending doom of GDPR, just a few days away from ground zero. (Do you hear a clock ticking?) Will IRM finally save the day?

What is IRM anyway?

Information Rights Management (IRM) is a subset of Digital Rights Management (DRM) pertaining primarily to documents and email communication. It has had a long and somewhat disappointing history, although it is widely supported in Microsoft Windows. One or another solution has been touted as the ultimate answer to protecting sensitive documents. But still it fails to change the “breach-a-day” state of affairs.

The principles behind IRM are well understood: control who may open a document. This entails associating access rights with an identity or credential, and encrypting to protect the document. Managing keys remains the core problem. Users are still in the loop, and managing their own keys—or managing many keys by an organization for a large collection of users—is a conundrum. The topic remains a serious research issue, with researchers discussing various solutions at conferences such as SOUPS. This yearly conference brings together great thinkers who seek to make security controls easy to use—but have they?

By planting responsibility for controlling sensitive documents in the hands of end users, large enterprises run the risk of failure and conflict. Failure occurs easily when there is a conflict between ease of communication and the need to execute mission critical business processes. And of course, there’s good old user error. A knowledgeable observer remarked that prior to the Gulf War, the military brass ensured (ordered) encrypted data and communication be in routine use. But when the conflict started, all bets were off, and the delays and complexity of keeping communication and data safely encrypted fell prey to the needs of immediate communication during the conflict. In other words, the users in the loop simply ignored their training in order to communicate effortlessly and quickly. IRM still has a long way to go in managing user behavior.

How might we make IRM easy to use?

Users are trained to classify documents, but training will undoubtedly fail. The interruption of a normal workflow almost assures users won’t get it right. For this reason alone, a number of new technologies are being deployed to automatically classify documents and instantly protect them. Microsoft Azure Information Protection (AIP) is the latest entry, and they have worked hard to incorporate their IRM solution by embedding support directly into Windows and Office. Problem solved, except of course for the pesky problem that users are still in the loop. Users still have to correctly specify the allowable recipients of the sensitive documents they produce. What if they make a mistake, as surely they will, and grant rights to the wrong recipient? Or worse, what if the authorized recipient is incorrectly granted rights to forward the document to another unknown and unauthorized recipient? The security of the sensitive document has just been compromised by a simple user error, and the sender is entirely unaware of their error. Patience is needed to get this right. (The best way to learn patience is de-plane from the very last row on a flight. No one wants to ever do that.)

Managed IRM and tracking beacons is an insurance policy

A network-centric, IRM-based security architecture may improve security if users aren’t asked to manage their own keys and passcodes, and if they correctly specify allowable recipients. More automation, perhaps AI and ML, might improve enough to automatically configure and classify communications so the humans in the loop aren’t depended upon to do a task they are not well suited to. But even so, it is safer to automatically “beaconize” the protected documents so you get alerted whenever they are opened outside of the allowable security envelope. Beacons are a simple and safe insurance policy. If a user indeed didn’t get it right, at least the beacon signal will let you know that one of those sensitive documents got away. Isn’t it best to know that a supposedly well protected sensitive document wasn’t? IRM and document tracking beacons might finally bring a new era where data is safely secured. GDPR might not be so fearsome after all.