What the InfoTrust standard should do
Instead, the information-level security standard -- let's call it InfoTrust -- needs to do the following:
Provide basic usage rights. Usage rights need to be embedded in documents, so they move with the document. Adobe Acrobat is an example of a file format that support this notion, and all popular file formats and productivity apps -- Microsoft Office, LibreOffice, OpenOffice, Apple iWork, Quickoffice, Google Docs/Drive/Apps, and so on -- need to offer similar usage rights that transport from one app to another. The rights should include:
- Restrictions on previewing content (such as in OS X's, iOS's, and Windows' document-preview capabilities)
- Restrictions on changing content
- Restrictions on copying content
- Restrictions on changing and/or assigning usage rights and access rights
Enforce basic access rights. It shouldn't be an endpoint device's or app's responsibility to control access to content, the approach used by many MDM and MAM products today. Instead, the documents should carry the access requirements with them, so the apps can validate access. The requirements should include:
- Password access (as Acrobat and Office today support)
- Policy access (such as requiring it be in an encrypted environment or be openable only by people in a specific Active Directory group)
Allow local policy management. Authoring and editing tools should be able to assign both usage rights and two of the access rights: the password requirement and the encryption requirement. That way, small businesses such as law offices can protect their documents directly, and trusted employees can share documents with others outside the corporate environment (freelancers, contractors, business partners, governments, and so on).
Apply to all platforms, not just mobile. Another key principle is that InfoTrust is not a mobile information security standard. It's for all devices: smartphones, tablets, computers, cloud services, and platform technologies yet to be invented. Again, it's not about the device, but the information, which flows across all sorts of devices and apps. The device, app, and service are irrelevant, unless they don't support the standard.
Operating systems, applications, and cloud services will need to support InfoTrust to act on the embedded policies in the documents, just as they need to support EAS today to apply password and encryption policies. But as a lingua franca that enables full participation in the emerging world of anywhere computing, the key vendors have every reason to participate and not end up being excluded. The tech industry has plenty of examples of what happens when companies delay joining such essential bandwagons -- just ask what used to be Novell or IBM's former Lotus group.
Not manage more than is necessary. Note what's not included: controls over sharing, an encryption option, controls over allowed applications, access management, and identity management. Sharing controls are not needed because the documents carry their own permissions; if they are shared (lost, stolen, emailed, copied to a thumb drive, whatever), the receiving party has to satisfy the access requirements to gain access. It's the same notion as trusting that encrypted documents are safe in today's privacy-breach regulations. Speaking of encryption, that means the documents are automatically encrypted, unless they have no access rights applied.
There's also no need to worry about what app or service that users have on whatever device or computer they're working with. If the app doesn't support the access and policy requirements, the document can't be opened in that app -- end of problem. The goal, as my colleague Terry Retter likes to characterize it, is the ability to be secure even when operating in the middle of Times Square.