Data starts somewhere. Whether it’s a human manually creating a file or an automated process, that data is created and it’s placed somewhere on persistent storage. This is data at rest and you can encrypt that data using a file- or volume-based encryption method, such as EFS or BitLocker. Some data will be happy right there, never leaving the disk except for maybe some forays into memory on the device that created the data.
Other data will be on the move – leaving the its safe encrypted-disk confines. That data will have to move over a network to reach its destination. We can secure that too, using in-transit (or in-flight) network encryption methods, such IPsec or SSL/TLS.
Whether the data is on-disk or in-transit, you have some control over the encryption of the data. But what about the “last mile” – when that data ends up on user devices, most of which you have little or no knowledge of or control over?
If you lose control of that “last mile” data, anyone possessing the device can do whatever they want with it. What you need to do to prevent unauthorized alteration and redistribution of this data. That’s where rights management comes into play.
Rights management provides you with that “last mile” protection, either on-premises with Active Directory Rights Management Services (AD RMS), or with Information Rights Management (IRM) with Microsoft Office, or in more complex and heterogeneous cloud or hybrid environments, with Azure Rights Management.
Personally, I’ve always thought that Rights Management was one of the more “cool” information protection technologies available. I think you’ll think so too after you read Tim Rains’ blog post Cloud security controls series: Rights Management. He goes into the details behind rights management and provides a bunch of useful links to help you learn more.