2.9 Unauthorized User Access Part 4: Information Rights Management

Video Transcription
Now, our next section: information rights management. And you may have heard this referred to as DRM. You may hear it as IRM. It could show up as either on the test.
So we started out with digital rights management being a term, and it sort of came about as a result of a lot of the file sharing and the torrent-type applications that allow peer-to-peer sharing of files. You know, if you're 100 years old like I am, you remember Napster, you know, one of the first where music was freely distributed amongst peers, and many of the artists became very upset, because this is our music. We're no longer controlling distribution. People are taking our works of art and they're sharing it for free.
So ultimately, one of the responses to that was to take these, you know, these songs or these books or whatever and embed digital rights management into them, which is essentially creating permissions that are bound to the object instead of being, you know, within... if we think of a normal network environment, I'm gonna create a file share, and I will assign permissions to the file share. But once that file... if you email it to somebody, those permissions don't stay.
Well, digital rights management stays. You download a book, um, with Amazon. If you download a Kindle book, right, on your Kindle app, you can't just shift that into a PDF. You can't do a lot of different things with it, because digital rights management is bound to and protects that particular file. So that's the beauty of it. That's a good thing.
Um, DRM, like I said, originally was kind of multimedia, and then information rights... IRM, information rights management, sort of morphed into a term for, you know, the in-office information that we share, protecting data even if it's emailed, if it's, you know, exported off the network, whatever. But the bottom line is embedding permissions into an individual file.
Now, that can be done very granularly. I can keep you from copying but not printing, or I can keep you from modifying or saving or whatever. I have a lot of control over the file in which we have IRM embedded. Also testable: it's dynamic. So if at some point in time I want to grant you more rights or more permissions, that can be done. I don't have to redistribute the file. So we've got some flexibility.
This idea about persistence of permissions, that's what it's all about, right? Now, all of this sounds great. Awesome. The world will be a more protected place. I can keep things safe.
Well, the difficulty is there are a lot of issues with this. First of all, if I'm gonna implement IRM within my workspace, within my organization, there's some work to be done.
So I have to have software. I have that client software on all the client systems that I expect, and on all the server systems, to use IRM. So, you know, I can make that happen by pushing, you know, the client software out with Group Policy. And I could do that pretty quick and easy. But it's not so easy to make this, you know, to have that degree of granularity universally. You don't have the software, it's not gonna work. Okay, so that's a problem.
This is essentially done with keys, and different keys will allow different access and different types of manipulation with the data, so that's what it's driven by. But again, if you don't have the key, you're not gonna have that granular access.
Now, what I could do is lock that file with the key, and if you don't have the key, you can access it. Or maybe you could just view it. But there's very... there's almost no granularity unless you have the software that's associated with information rights management. Not to mention the fact that, okay, I can prevent you from printing this file. You've got a smartphone: take a picture of the file, do a screen print of the file.
So we've got these kind of great ideas that would provide additional security. But there are a lot of loopholes in how this works, so I don't want you to necessarily think it was the greatest thing since sliced bread. I do think it'll show up on the exam as an important way that we limit copyright violations, and I doubt they would focus as much on the weaknesses associated with it as much as what you can do with it.
So it's key-based. Um, you have to authenticate before you can access the file through your key. Um, different rights and permissions for individuals are embedded into the file. It's dynamic. It's a way of preventing things like, you know, printing emails, modifying, you know, attachments to files and all those things. So its purpose is good, but unfortunately, with a lot of the technology that we have today anyway, as well as some of the overhead, the requirements of software, it's not really as huge an idea as it sounds like.
And quite honestly, there are so many workarounds out on the Internet. You know, that's what attackers do: they attack the security mechanisms we have in place. So, you know, Kindle can have the DRM protection, but you gotta go out and, you know, and, uh, download a million different DRM removal tools, so, you know, it's that fine line. You could download the tool, but you can't use it to remove DRM. You know, it's kind of weird with that. From an ethical perspective, and certainly from an exam perspective, removing the DRM software or digital rights obviously would never be something you do.
So that's DRM, digital rights management, slash IRM, information rights management. They'll both be used to describe the same idea of embedding permissions within a file.
Certified Cloud Security Professional (CCSP)

This Certified Cloud Security Professional (CCSP) certification course covers topics across six domains, to ensure the candidate has a wide range of competencies and is capable in the assessment and implementation of cloud service solutions.
