Email is a vital means of communication, but when messages contain sensitive information, businesses should explore...
ways to control that content.
The information rights management (IRM) tools in Exchange 2016 enforce controls over email and documents. When implemented properly, Exchange IRM prevents the improper use of digital content and enables the sender -- and the sender's organization -- to put limits on email and documents received by other parties.
Why there's a need for information rights management
Suppose a user sends an email with a PDF document. Since a copy of the email and attachment resides on the recipient's email server or individual computer, the sender loses direct control of the content. The recipient can view the PDF, print it, forward it and retain it as long as they desire. The recipient can also misuse the sender's content by forwarding it to unauthorized people, losing a copy due to information leakage, or retaining the material long after it loses its relevance.
IRM started to separate the control of information from the information content, enabling the content senders -- its owners -- to determine how to handle email and attachments. Exchange 2016 gets its IRM capabilities via certificates and licenses in the Active Directory Rights Management Services (AD RMS) based in Windows Server. With Exchange IRM enabled, documents and messages get a license that withholds the rights to authorized recipients. If there is no license, Exchange IRM prevents the user from viewing or handling the content.
The sender creates certificates and licenses that the AD RMS server acquires. IRM-enabled applications enforce the restrictions imposed by the license.
The Exchange IRM protections work with Microsoft Office documents, such as Word and Excel. Companies can use custom protections to expand coverage to other file formats.
The capabilities of Exchange information rights management
IRM in Exchange 2016 encrypts and manages email and document attachments, but it has other protections to prevent information leakage.
Exchange IRM can prevent an authorized recipient from forwarding, changing, printing, saving, or performing a copy and paste with the content. Exchange IRM also supports expiration to prevent recipients from viewing messages and attachments after a period specified by the sender.
While Exchange IRM prevents some information disclosure, it is not perfect. Exchange IRM can only exert control over the platforms or applications that support it. For example, Exchange IRM cannot prevent third-party -- IRM-unaware -- screen capture tools from taking images of protected documents. Exchange IRM also cannot prevent content deletion or corruption, or guard content from malware.
More conventional practices, such as staff awareness training, least privilege to minimize the number of message recipients, and other traditional data loss prevention tactics can help supplement Exchange IRM features to provide information security.
Dig Deeper on Email Encryption
Related Q&A from Stephen J. Bigelow
Administrators in charge of keeping antivirus software up to date have a few options to protect their servers. Learn about the methods and services ... Continue Reading
The Office Insider program can benefit organizations that want as much lead time as possible to see what new features Microsoft plans to release for ... Continue Reading
Microsoft offers Windows Defender Antivirus as its native tool to prevent malware attacks. Discover how it works and what advanced protections it ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.