Providing security controls to data that is shared outside the organization is called Information Rights Management, or sometimes Digital Rights Management. There are 2 main categories to IRM:

• Consumer-grade IRM, which is commonly known as DRM. This controls the use, copying, and distribution of copyrighted material such as music, videos, software, and movies.
• Enterprise-grade IRM, which is commonly associated with digital files such as images and documents.

Objectives

Most IRM solutions work by using an access control list (ACL). The ACL specifies users and authorizes what those users can do with the data (read, write, modify, print). Most SaaS offerings provide built-in controls for sharing data. These are what IRM systems should implement:

• Persistence: The controls for the data must be able to follow the data when it is shared.
• Dynamic policy control: Provide a way to update the restriction after a document has been shared.
• Expiration: The ability to set a time limit on the shared document.
• Continuous audit trail: An audit trail is generated for all shared documents.
• Interoperability: The ability for the IRM solution to work in a variety of environments. Not all organizations utilize the same OSes, Office suite, etc.

There are different access control models for an IRM solution an the restrictions are set by the data owner:

• (DAC) Discretionary Access Control: The data owner sets the controls on a per-document basis.
• (MAC) Mandatory Access Control: The data owner sets controls on the metadata of the document, such as classification level, or specific job roles.

Appropriate tools

IRM tools, in order to function, require the ability to create, issue, store, and revoke certificates and tokens. These certificates and tokens are used to verify authorized users and their actions. This requires local storage for the encryption keys and security for the storage to ensure it's integrity