Peer to Peer Magazine

Spring 2018

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/984836


FEATURES

Information Rights Management: The Missing Piece of the Puzzle?

JEFF BRANDT

Mr. Brandt began his career in the world of litigation support/eDiscovery. He has been a consultant, a vendor and the Chief Information Officer for several top US law firms. He has worked on projects as diverse as: information governance, organizational development & design, change management, security, process innovation & improvement, knowledge management, leadership & team building, artificial intelligence and IT executive coaching. Mr. Brandt is also the Editor of the popular PinHawk Law Technology Daily Digest, a respected thought leader in the legal technology community, and frequent educational speaker at regional and national user, trade shows, and industry conferences. In October of last year, he chaired The Legal AI Forum '17 in London. He currently works as the Chief Information Officer at Jackson Kelly PLLC in Charleston, West Virginia.

You are faced with an interesting puzzle. The puzzle seems to get more complex each year, and the importance of putting it together sometimes seems subject to the whims of the partnership. Just when you think you have that last section complete, a new audit or set of client requirements changes it. And there always seems to be that one missing piece. What is this picture? Your law firm's security landscape. And the missing piece is information rights management (IRM).

Traditional Endpoint Management

One of the traditional approaches to network security is protecting access points, often called endpoint security. It focuses on the entry point for security threats and attempts to protect the firm network when accessed by a device. Usually that means some centrally-managed server software and a client or agent on every client endpoint or device. The server authenticates logins from the endpoints and also updates the device software when needed. In the beginning it was fairly simple: every user had one device, one access point.

But with remote access, wireless access and the exploding mobile market, endpoint security has gotten way more complicated. Firm-issued, work-only devices have given way to BYOD (bring your own device) and COPE (corporate-owned, personally-enabled). People have laptops, smartphones, tablets and connected watches. This issue is not going to go away any time soon: last year Cisco forecast 13 networked devices and connections per person by 2021. That is a lot of holes in your perimeter defenses!

Traditional Law Firm Document Management Storage

Firms generally centralize storage of documents on file servers. In today's world they may be your servers, someone else's at a colocation center or more lately, servers in a cloud service like Amazon Web Services or Azure. Most firms use an open security model that facilitates sharing, collaboration and knowledge reuse. Now those early firm design decisions are under review. Given the increasing cybersecurity threats, firms are considering "need to know" security models. While inconvenient and requiring some cultural adaptation, this can be a significant improvement. Even then, though, if someone with authorized document management system (DMS) access takes the document into the wild, all those security precautions and barriers evaporate. Some firms are also looking at adding data loss prevention tools to keep information from going places it should not, but those tools cannot monitor all possible exits from your firm's systems.

Enter Information Rights Management

IRM rests on a different philosophical approach to managing information security, utilizing encryption to protect sensitive data from unauthorized access. It is a method of exchanging digital information over the internet where the recipient is granted only the privileges the document sender allows. IRM is a subset of digital rights management (DRM). You may remember a brief fling the music world had with DRM, and if you are a fan of ebooks you are probably quite familiar with it. IRM not only protects confidential and sensitive information from unauthorized access but controls and manages that access as well.

IRM solutions rely on two key things: encryption and access or permissions control. Typically a key or password can be used to control access to the secured and encrypted data, and many tasks or actions involving the information can be controlled or restricted. Some controls protect aspects while the data is in use, such as blocking copy and paste, disabling screenshots and printing and preventing editing. Other controls determine how the protected information can be accessed while offline. Some IRM systems also provide for auditing as well as changing and revoking access permissions.

While it may go without saying to some, it is important to note what IRM systems cannot do. They cannot prevent protected data from being erased, stolen, captured or transmitted elsewhere. They cannot prevent data loss or corruption due to virus, infection or other reason. And of course, they cannot prevent someone from taking a photograph of the screen once the data has been properly unlocked.
