CIOs must be alive to IRM threat, warns software chief

By Stuart Finlayson

The MD of a company that develops software for managing and securing electronic documents has warned that the 'deviously minded' could have a field day with the new encryption systems and rights management software introduced by Microsoft and other vendors if companies do not create policies on how to handle such information.

Chy Chuawiwat, Managing Director of Clearswift, said the launch of Microsoft's Information Rights Management (IRM) functionality within Office 2003 has "sparked a frenzy of research and debate" and that email encryption and rights-managed software are clearly going to be CIO priorities in 2004.

"The handling of email may change dramatically next year. With new encryption facilities and management protocols, encrypting documents is easier than ever. But there is a huge risk if it is not managed properly," he said.

IRM gives companies structured control over how documents are distributed and stored, and uses an authentication step to check whether a given user is permitted to send out a particular document. IRM also allows documents and emails to be encrypted for both internal and external recipients.

Chuawiwat argues that this is a double-edged sword: if authentication is controlled by an external .NET ID, the company itself cannot open the email to check for trafficked content that would violate its data policy, such as pornographic images.

Fears have also been expressed that, with these common encryption facilities in use, viruses, hacking tools, company secrets, intellectual property, movies and sound files could all be moving in and out of the organisation unchecked.

"While there is a great benefit in having added security in emails, it also means encrypted emails might become security or legal nightmares," said Chuawiwat.  

“It's crucial that all encrypted emails can be detected by the email and web filtering engines. The company must set rules to block these items from coming in and out of the company.  

"Clearswift recommends that only encrypted communication to and from authorised individuals is allowed and that the company has a method for decrypting the message if and when it is required," he added.
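The two recommendations above (detect every encrypted message at the gateway, and allow encrypted traffic only between authorised individuals) can be implemented with nothing more than MIME parsing. The following is an added example written for this page; it is not Clearswift's filtering engine or any Microsoft code. It relies on well-documented wire-level indicators: IRM-protected Outlook mail travels as a `message.rpmsg` attachment of type `application/x-microsoft-rpmsg-message`, S/MIME encryption uses `application/pkcs7-mime` with `smime-type=enveloped-data` (signed-only mail uses the same type with `smime-type=signed-data` and is still readable), PGP/MIME uses `multipart/encrypted` (RFC 3156), and inline PGP carries an ASCII-armour header in the body. The sample messages, the allow-list and the decision labels are constructed for the example. Decrypting allowed messages for inspection (the second half of the recommendation) is a key-escrow problem outside the scope of this snippet.

```python
"""Gateway check for encrypted or rights-managed email (added example, not from the page)."""
import email
import email.utils
from email import policy
from email.message import Message

# Content types that hide the message body from a filtering engine.
# This mapping is an assumption for the example; extend it for your environment.
INDICATORS = {
    "application/pgp-encrypted": "pgp-mime",              # RFC 3156 control part
    "multipart/encrypted": "pgp-mime",                    # RFC 3156 container
    "application/x-microsoft-rpmsg-message": "irm-rpmsg",  # Outlook IRM wrapper
}
FILENAME_INDICATORS = {"message.rpmsg": "irm-rpmsg", "smime.p7m": "smime"}
PKCS7_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"


def classify_encryption(raw: bytes) -> list[str]:
    """Return sorted labels for every encryption indicator found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        if ctype in PKCS7_TYPES:
            # Signed-only S/MIME is readable by the gateway; only envelopedData hides content.
            if (part.get_param("smime-type") or "").lower() == "signed-data":
                continue
            found.add("smime")
            continue
        label = INDICATORS.get(ctype) or FILENAME_INDICATORS.get(fname)
        if label:
            found.add(label)
            continue
        if ctype.startswith("text/"):
            body = part.get_payload(decode=True) or b""
            if PGP_ARMOR in body:
                found.add("pgp-inline")
    return sorted(found)


def _addresses(msg: Message, header: str) -> set[str]:
    """Lower-cased addresses from every instance of a header."""
    raw = [str(h) for h in msg.get_all(header, [])]
    return {addr.lower() for _, addr in email.utils.getaddresses(raw) if addr}


def gateway_decision(raw: bytes, allowed: set[str]) -> str:
    """Apply the policy: plain mail passes; encrypted mail passes only if every
    party (sender and all To/Cc recipients) is on the authorised list."""
    if not classify_encryption(raw):
        return "allow"
    msg = email.message_from_bytes(raw, policy=policy.default)
    parties = _addresses(msg, "From") | _addresses(msg, "To") | _addresses(msg, "Cc")
    return "allow-encrypted" if parties <= allowed else "block"


def _mime(*lines: str) -> bytes:
    return "\r\n".join(lines).encode()


# Constructed sample messages (not real traffic).
SAMPLE_PLAIN = _mime(
    "From: carol@example.com", "To: bob@example.com", "Subject: lunch",
    "Content-Type: text/plain", "", "Noon?",
)
SAMPLE_IRM = _mime(
    "From: alice@example.com", "To: bob@example.com", "Subject: Q4 figures",
    "MIME-Version: 1.0", 'Content-Type: multipart/mixed; boundary="b1"', "",
    "--b1", "Content-Type: text/plain", "", "This message is rights-managed.",
    "--b1", 'Content-Type: application/x-microsoft-rpmsg-message; name="message.rpmsg"',
    'Content-Disposition: attachment; filename="message.rpmsg"',
    "Content-Transfer-Encoding: base64", "", "AAAAAA==", "--b1--", "",
)
SAMPLE_SMIME_SIGNED = _mime(
    "From: dave@example.com", "To: bob@example.com", "Subject: signed only",
    "MIME-Version: 1.0",
    'Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"',
    "Content-Transfer-Encoding: base64", "", "AAAAAA==", "",
)
SAMPLE_PGP_INLINE = _mime(
    "From: eve@example.com", "To: bob@example.com", "Subject: hi",
    "Content-Type: text/plain", "",
    "-----BEGIN PGP MESSAGE-----", "hQEMA...", "-----END PGP MESSAGE-----", "",
)

if __name__ == "__main__":
    authorised = {"alice@example.com", "bob@example.com"}
    for name, raw in [("plain", SAMPLE_PLAIN), ("irm", SAMPLE_IRM),
                      ("smime-signed", SAMPLE_SMIME_SIGNED), ("pgp-inline", SAMPLE_PGP_INLINE)]:
        print(name, classify_encryption(raw), gateway_decision(raw, authorised))
```

The signed-only S/MIME case is the one worth noticing: it shares a content type and filename with encrypted S/MIME, so a filter keyed on `smime.p7m` alone would block mail the gateway could in fact read.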

Peter Knight, a lawyer at Clayton Utz, also pointed out that there are legal requirements to archive certain information. For instance, Corporations Law requires financial documents to be retained for five years, and government departments, under the Archives Act, need to retain emails for seven years. This might not be possible if an organisation allows an external .NET authentication system: the company's archiving system will be unable to read, let alone categorise and archive, these documents because they will have been encrypted. "Organisations must ensure that they maintain records and have access to them at all times, in accordance with the law," he said.

More information on Microsoft's IRM functionality will feature in the January/February edition of IDM magazine.

Related Article:

Microsoft refute self-destruct email claims