Securing documents in the WikiLeaks era
A crucial technology deployed today to secure e-documents and communications is enterprise rights management software, originally termed enterprise digital rights management, and also often referred to as information rights management (IRM). (See related article in the April 2008 issue of KMWorld at kmworld.com/Articles/News/News-Analysis/E-DRM-plugs-ECM-security-gap-41333.aspx.) ERM/IRM controls and protects the use of e-documents and data wherever they may reside—even if they leave the organization. That is called "persistent protection."
Enterprise rights management protections can be added to all document types, including e-mail, word processing files, spreadsheets, graphic presentations and computer-aided design (CAD) plans and blueprints. That security can be enforced globally on all documents or granularly down to the smallest level, protecting sensitive fields of information from prying eyes. That holds even if multiple copies of the e-documents are scattered on servers in varying geographic locations.
Enterprise rights management protections can be applied permanently or within controlled timeframes. For instance, a person may be granted access to a secure e-document for a day, a week or a year. Also, ERM applies its persistent protection to electronic documents regardless of media type. So, even if a document is somehow copied to a thumb drive and taken out of the organization, its protections travel with it and usage is controlled. That is, the permissions or "rights" to print, copy, forward, fax, edit or otherwise access the document are restricted.
According to Peter Abatan, an adviser in enterprise rights management who publishes a blog on the topic at enterprisedrm.info, there are at least six real consequences of failing to deploy enterprise rights management:
- The perceived value of your business is eroded slowly through the loss of your intellectual property to competitors that former employees join or new startups by former employees.
- Investor confidence in your business' ability to safeguard trade secrets can wane.
- The organization does not have full control of where information assets are located and as such cannot know when confidential information gets into the wrong hands.
- The organization cannot control how confidential information or sensitive data is used once it is sent to a third party.
- Staff could (accidentally or not) mail confidential documents or sensitive data to the wrong recipient after which there is no control.
- It will never be known when intellectual property is taken without permission and used in a way that is counterintuitive to the business.
So, it would seem that deploying ERM makes clear business sense, that it is a security imperative and that deployments should be exploding, but as yet they have not. Brian Hill, senior analyst with Forrester Research, says, "The ERM market has been on a 'slow burn' for a while. Organizations are starting to pay more attention to it, but ERM adoption remains limited to a dedicated minority of enterprises. And most ERM deployments are not enterprisewide, instead focusing on the needs of a specific business unit within an organization."
What is the holdup? Why aren't enterprise rights management deployments more widespread? Mostly, the devil is in the details, which means creating usage policies for specific types or classes of documents and individual users, and maintaining those policies. In one installation, more than 200,000 policies were created, because the software required that policies be created for each user. It was replaced by newer software that applies policies by role, which drastically reduced the policy creation requirements to around 200.
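The role-based approach described above, combined with the time-limited grants mentioned earlier, can be modelled as a default-deny lookup. This is an added example, not code from any product named in the article; the role names, document classes, users and dates are constructed, and a real ERM product enforces the decision through encryption and a rights server rather than an in-memory table.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Rights the article names; "view" stands in for "otherwise access".
RIGHTS = {"view", "print", "copy", "forward", "fax", "edit"}

@dataclass(frozen=True)
class Policy:
    role: str                               # policy is written once per role
    doc_class: str                          # and per class of document
    rights: frozenset
    valid_for: Optional[timedelta] = None   # None means a permanent grant

# Constructed sample policies (hypothetical roles and document classes).
POLICIES = [
    Policy("engineer", "cad-plan", frozenset({"view", "edit", "print"})),
    Policy("contractor", "cad-plan", frozenset({"view"}), timedelta(days=7)),
    Policy("finance", "spreadsheet", frozenset({"view", "edit"})),
]

# Constructed membership table: user -> (role, when the role was granted).
MEMBERS = {
    "alice": ("engineer", datetime(2024, 1, 1)),
    "bob": ("contractor", datetime(2024, 3, 1)),
}

def allowed(user, doc_class, right, now):
    """Default deny: grant only if the user's role has an unexpired policy."""
    if right not in RIGHTS or user not in MEMBERS:
        return False
    role, granted = MEMBERS[user]
    for p in POLICIES:
        if p.role == role and p.doc_class == doc_class and right in p.rights:
            # Time-limited grants expire relative to when the role was given.
            if p.valid_for is None or now < granted + p.valid_for:
                return True
    return False

def offboard(user):
    """A leaver is one membership change; no policy has to be edited."""
    return MEMBERS.pop(user, None) is not None

if __name__ == "__main__":
    print(allowed("alice", "cad-plan", "edit", datetime(2024, 6, 1)))
    print(allowed("bob", "cad-plan", "view", datetime(2024, 3, 9)))
```

With per-user policies, the same offboarding step would mean finding and deleting every policy that names the departing user.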
"What makes implementing ERM so difficult," says The 451 Group's Coplan, "is that you have to strike a balance between establishing policies that are broad enough to apply to groups of documents, yet specific enough to provide the protections for that particular document class. Also, people come and go in organizations, so there is a need for constant policy maintenance."
To explain the sluggishness of the enterprise rights management market, Forrester's Hill says, "High cost and difficulty of implementation, due to the rigidity of most ERM applications, have kept this market from taking off."
Companies needing to secure sensitive data have focused on easier targets. Coplan says, "These difficulties are why today most organizations concerned about document and data security are focusing on more finite approaches, such as database activity or file monitoring. They are much easier to implement."
The first wave of ERM software providers is now being challenged by new players utilizing new technology and new approaches. Covertix, based in Israel, started full operations in 2008, after receiving venture funding. It is just starting to market in Europe, with an eye on the United States. CEO Samia says, "This market had not taken off yet, so when we sat down to design our product, we asked, 'Why isn't ERM widespread, if there is such a great need?' We found a couple of key reasons: First, implementations run into problems because of the constant changes to policies, so policy maintenance is generally an issue. Secondly, there is a 'people' aspect to implementing, that is, 'How do you make it easy to use?' So we addressed these issues in our product design. We use a business rule engine and define rules in a central repository, and apply it to the endpoint. That way there's no work on the user end. Also, we use 'smart file' technology, which means that the rights and restrictions information travels with the document, wherever it goes."
The enterprise rights management marketplace is still forming, yet Microsoft is the leader in terms of number of licenses for its Active Directory Rights Management Services (AD RMS) product. That is because the server side of the software has been bundled into server offerings (Windows Server 2003, 2008), and basic ERM is now included as part of the Windows 7 and Vista operating systems. But AD RMS also requires a client license and running a database, such as MS SQL Server. According to Microsoft's website, MS Office 2003/2007 Professional Edition is required, but Standard Edition users may view, but not create, rights-protected content. Client licenses for RMS access are $37 per user, which is inexpensive, but the greater costs lie in actual implementation and maintenance.