If you work under heavily regulated industries like Banks or Pharmaceuticals; I am sure you ran across several governance, audits and security drills that kept you scratching your head. And every interal/external audit goes by 'they' come up with something new to 'ding' you. Now a big buzz word is document security. Well, you would say that you have configured security within SharePoint so that Sue Thomas in Purchasing department dont have access to SOX compliance documents that Phil Langer in Compliance department does. Well, let me throw some light on this particular subject that has been a problem area since Eve ate that forbidden fruit. You can secure your documents inside SharePoint by leveraging SharePoint's native security infrastructure, but what if the document is copied on a users hard drive and is then circulated to the group via email or simply a plain copy to a thumb drive. How do you prevent users from doing this? Also, a disgruntled employee, can print a company's chemical formula, product specifications, or some patent method stored in SharePoint site to which he/she has access to and take those document home or keep in safe until the judgement day to reveal those to competetors or even worse to the Press. Well, look no further, SharePoint (both WSS and MOSS) has support for Information Rights Management which can be configured to use corporate IRM server.

What good is this IRM Server Anyway?

Per Microsoft: IRM server is actually a service ("Windows Rights Management Service") that is available in Windows 2003 server and now also in Windows 2008 server that works with RMS enabled application (including SharePoint) to help safeguard digital information from unauthorized use.

How to configure IRM Capabilities in SharePoint

  1. Log in to SharePoint Central Administration Site and click on Operations. Under Operations, under Security Configuration click on Information Rights Management. (Screenshot below) 
  2. By default, "Do Not use IRM on this server" is selected. You want to change it to either "Use the default RMS Server specified in Active Directory" or "Use this RMS Server" and enter the RMS server that you or your organization would like to use. Needless to say that, in order to choose "Use the default RMS Server specified in Active Directory", you should have a pre-configured RMS inside Active Directory.
  3. Now you are ready to enable IRM settings to your document library. Remember that, in order to execute IRM settings, you need to have Adminitrative priviledges. You enable IRM by going to specific document library -> Settings -> Document Library Settings -> And under Permissions and Management click on Information Management by policy settings.  (Screenshot below)

IRM helps you in safeguarding digital assets by.

  1. Disabling Print for the documents. This way, people cannot print and take the document home.
  2. Disable 'Save' for the documents.
  3. Assigning if a user can run Macros or other custom code in the file.
  4. License expiration: meaning # of days before the document expires.
  5. Restricting users to allow uploads for files types that cannot be rights managed. Remember that out of box, SharPoint and IRM only supports Powerpoint, Word Doc, Excel, InfoPath forms and XPS documents (similar to pdfs).
  6. Helps prevent an authorized user from even taking a screen shot of the document. Pretty amazing huh!

There are few 3rd party tools available that can help you with rights management for adobe pdf documents. A prominent one that I know is GigaTrust. I am not endorsing them by any means, but majority of the companies actually use PDFs and GigaTrust has a product that integrates with SharePoint and seamlessly allows you to manage information rights just as seamlessly as IRM does for a .docx file.

Hopefully, now you have some idea on IRM and how it can help protect digital assets within your organization.