Information Rights Management (IRM) is one of these technologies which isn’t really successful until now, even while it is discussed and available for a pretty long time. IRM is about protecting the information directly, through signatures, encryption and a direct assignment of rights. These rights describe who is allowed to do what with that piece of information.
There are some reasons why IRM isn’t adopted widespread today. One is the complexity of the concepts. Without understanding PKIs and Public Key encryption it is impossible to really understand IRM. Another reason are the somewhat limited implementations. Most of them are fine for a limited set of applications and environments. Microsoft’s Windows Rights Management Services are great for Windows and Office. They even work in a B2B environment with some trust between the partners. But they are mainly for Microsoft apps. How about CAD and blueprints? How about the other office apps? And all the other types of documents, starting from XML documents, which are sent and stored? There are some other solutions, but most of them are either from pretty small vendors or very limited in scope.
But the most important reason is, in my opinion, that the relevance of Information Rights Management isn’t fully understood. Even when I talk with IAM responsible, IRM seems to be amongst the best hidden secrets. But access control which is limited to data in a silo like a file server or a document management system isn’t sufficient. Data is read and used by users, attached to mails, transferred via FTP – the perfect way to bypass most security concepts [I had a very interesting conversation with Taher Elgamal from Tumbleweed some days ago – Taher has been responsible for “inventing” SSL at Netscape, and it is definitely worth to have a look at Tumbleweed’s approaches to minimize FTP risk] and so on.
But if you look on it the other way round, everything is fine. IRM works as well for data which is stored in silos. With other words: If you use IRM for any type of information there is no necessity anymore for the classical access control approaches. The best way to protect information is to do it directly at the level of the information – and not at the level of one of these many systems which might change, transport or store the information. Given that, it is really time for an industry-wide initiative for IRM standards which work on every platform and with every type of information and every application.