JRB - Fotolia
Email is a vital means of communication, but when messages contain sensitive information, businesses should explore ways to control that content.
The information rights management (IRM) tools in Exchange 2016 enforce controls over email and documents. When implemented properly, Exchange IRM prevents the improper use of digital content and enables the sender -- and the sender's organization -- to put limits on email and documents received by other parties.
Why there's a need for information rights management
Suppose a user sends an email with a PDF document. Since a copy of the email and attachment resides on the recipient's email server or individual computer, the sender loses direct control of the content. The recipient can view the PDF, print it, forward it and retain it as long as they desire. The recipient can also misuse the sender's content by forwarding it to unauthorized people, losing a copy due to information leakage, or retaining the material long after it loses its relevance.
IRM started to separate the control of information from the information content, enabling the content senders -- its owners -- to determine how to handle email and attachments. Exchange 2016 gets its IRM capabilities via certificates and licenses in the Active Directory Rights Management Services (AD RMS) based in Windows Server. With Exchange IRM enabled, documents and messages get a license that withholds the rights to authorized recipients. If there is no license, Exchange IRM prevents the user from viewing or handling the content.
The sender creates certificates and licenses that the AD RMS server acquires. IRM-enabled applications enforce the restrictions imposed by the license.
The Exchange IRM protections work with Microsoft Office documents, such as Word and Excel. Companies can use custom protections to expand coverage to other file formats.
The capabilities of Exchange information rights management
IRM in Exchange 2016 encrypts and manages email and document attachments, but it has other protections to prevent information leakage.
Exchange IRM can prevent an authorized recipient from forwarding, changing, printing, saving, or performing a copy and paste with the content. Exchange IRM also supports expiration to prevent recipients from viewing messages and attachments after a period specified by the sender.
While Exchange IRM prevents some information disclosure, it is not perfect. Exchange IRM can only exert control over the platforms or applications that support it. For example, Exchange IRM cannot prevent third-party -- IRM-unaware -- screen capture tools from taking images of protected documents. Exchange IRM also cannot prevent content deletion or corruption, or guard content from malware.
More conventional practices, such as staff awareness training, least privilege to minimize the number of message recipients, and other traditional data loss prevention tactics can help supplement Exchange IRM features to provide information security.