Strategy

By Karen S. Henrie  |  Posted 05-18-2006 Print Email

Enterprise-rights management controls who can do what with content, and when.
Most of the commonly used security technologies don't address document security head-on. The typical approach to document security involves the same old technologies that companies have always turned to in an effort to -defend their networks, computers and data from attack. Among those who responded to a joint Federal Bureau of Investigation–Computer Security Institute survey and who had suffered a loss of proprietary information, 97 percent were using firewalls, 72 percent were using intrusion-detection systems, 70 percent were using server-based access-control lists, and 68 percent were using encryption for data in transit.

But none of these technologies really solves the specific problem posed by unstructured documents. Network controls—including firewalls, network proxies, content monitoring and filtering—limit network access but have little or no effect on individual documents. Encryption techniques, including PKI systems, help control who opens a document, but not what they do with it after it's been opened.

Information repositories such as online workspaces or content-management systems -impose controls only while the documents are in those containers. Even document-level controls, like Microsoft Word password protections and read-only PDF files, leave plenty of room for miscreants to maneuver, and for regulatory requirements to fall through the cracks.

Safeguarding confidential content requires a different mindset. "IT people want to view this as a network problem or as a container problem, but it is really a data problem," says Ed Gaudet, vice president of product management and marketing for Liquid Machines Inc., a Waltham, Mass.-based provider of rights-management software. "The security needs to be persistent and travel with the document."

That's where ERM software comes in. ERM takes the same approach as DRM does, embedding controls directly into a document, and not simply on the network it travels over, the computer it's stored on, or the folder it's sitting in.

Two hundred Sterling-Hoffman employees worldwide, including consultants, researchers, and managers, now use ERM software from Liquid Machines to protect critical information. Designated employees, including every client manager, determine which documents to protect by attaching specific rights to them. For example, a manager may create a training document using Microsoft PowerPoint or Word, for use by the India-based researchers, with limited, read-only "rights." Attempts to do anything else with the document, such as print it or forward it, will fail.

Rights are defined and managed within a dedicated policy server, and then applied to documents individually by their authors, who select the appropriate permissions from a drop-down menu accessible through a piece of software that runs on every user's machine. An author may reserve the strictest controls (e.g., read only) for confidential client information, while allowing a bit more latitude (e.g., read, print, forward) with less sensitive documents, such as a memo describing an administrative-training procedure.

Sterling-Hoffman says it has spent less than $80,000 on hardware and software licenses, including both the pilot and deployment phases. Mehta views the investment as a bargain: "Previously, we couldn't comfortably engage certain employees on certain projects, or the pace of -information sharing was significantly slower. We couldn't send a training document, so we'd dictate information to ten people over the phone. Training took a week or two instead of an hour, and took valuable time from the principal or vice president giving it. Now we send documents overseas and they don't get stolen."

Meanwhile, at Fairfield Greenwich Group, a New York City-based hedge fund with $9 billion in assets, an annual security review highlighted document security as a concern. As at other hedge funds, FGG's client lists, internal accounting documents and fund information are highly proprietary. "We considered how bad it would be if our client list wound up on the front page of the Wall Street Journal," says Jason Elizaitis, FGG's director of information technology.

All 85 FGG employees now have ERM software installed on their desktops. In addition to safeguarding confidential fund and client information—"you can't trust sales people," says Elizaitis—ERM also helps FGG employees jointly prepare documents created in Microsoft Word, and housed in Microsoft SharePoint, for regulatory approval. It also prevents FGG employees from unwittingly (or not) releasing information to the public prematurely. Elizaitis especially likes the fact that rights "travel" with content, even as it moves from one document format (such as Word) to the next (such as Excel).

What technologies are available for securing content at the document level?

Ask your head of IT security:

What changes should we make to our security to accommodate document-level security?

Story Guide:
Digital Rights for the Enterprise Secures Sensitive Documents. Enterprise-rights management is still in its early stages, but most CIOs acknowledge a need for better document security.

  • Strategy: Enterprise-rights management controls who can do what with content, and when.
  • Limitations: ERM products remain poorly integrated with other IT processes and applications.
  • Future: Attaching rights to documents is poised to become easier, as vendors acknowledge that ERM is a feature, not a standalone market.

    Click here to download a PDF of our Enterprise Rights Management fact sheet



  •  

    Submit a Comment

    Loading Comments...