Technology: Enterprise Rights Management Aims Digital Rights at Sensitive Documents

By Karen S. Henrie  |  Posted 05-18-2006


Opportunity

Problem

Industrial espionage and regulatory demands shine a spotlight on document security.
When executive search firm Sterling-Hoffman acquired two research facilities in India last year—thereby doubling its employee count, from 150 to 300—CEO Angel Mehta quickly ran into problems securing the company's intellectual property. "Emerging markets are like the Wild West, times ten," says Mehta. "In places like India and China, industrial espionage is commonplace." Companies routinely bribe competitors' employees for information, he says, or they have their own people pose as a competitor's employees and steal it.

Sterling-Hoffman, based in Mountain View, Calif., specializes in recruiting sales and marketing executives for software companies in North America; the firm is training its India-based researchers to help track market trends, executive movements, mergers-and-acquisitions activity, and other events. That intelligence represents the company's stock-in-trade, and most of it is stored in PowerPoint slides, PDF files and other standard document formats. Faced with the possible loss of information to competitors, Sterling-Hoffman's ability to freely share critical documents was seriously hampered. "We couldn't give researchers the documents necessary to train them, and we found ourselves imposing impractical workarounds," Mehta says.

Sterling-Hoffman isn't alone in its desire to tighten document security. According to a report by Provizio, a competitive-intelligence company based in Meridian, Idaho, U.S. companies lost $133 billion as a result of proprietary information theft in 2005, up from $59 billion in 2002.

To secure their information, a small but growing number of companies have borrowed a page from the digital-rights-management playbook and adopted many of the same tactics used by purveyors of videos, music, and other electronic content to protect their wares from commercial piracy and file sharers. According to a recent Gartner Inc. report, enterprises are now "applying DRM principles to enterprise messaging, documents and intellectual property," using so-called enterprise-rights-management technologies to help control who can read, copy, print, export, save and edit documents, and when.

Ask your IT security team:

What measures do we currently take to protect individual documents?

Ask your compliance officer:

Does our compliance strategy adequately address document security requirements?

Story Guide:
Digital Rights for the Enterprise Secures Sensitive Documents. Enterprise-rights management is still in its early stages, but most CIOs acknowledge a need for better document security.

  • Strategy: Enterprise-rights management controls who can do what with content, and when.
  • Limitations: ERM products remain poorly integrated with other IT processes and applications.
  • Future: Attaching rights to documents is poised to become easier, as vendors acknowledge that ERM is a feature, not a standalone market.


    Strategy


    Enterprise-rights management controls who can do what with content, and when.
    Most of the commonly used security technologies don't address document security head-on. The typical approach to document security involves the same old technologies that companies have always turned to in an effort to defend their networks, computers and data from attack. Among those who responded to a joint Federal Bureau of Investigation–Computer Security Institute survey and who had suffered a loss of proprietary information, 97 percent were using firewalls, 72 percent were using intrusion-detection systems, 70 percent were using server-based access-control lists, and 68 percent were using encryption for data in transit.

    But none of these technologies really solves the specific problem posed by unstructured documents. Network controls—including firewalls, network proxies, content monitoring and filtering—limit network access but have little or no effect on individual documents. Encryption techniques, including PKI systems, help control who opens a document, but not what they do with it after it's been opened.

    Information repositories such as online workspaces or content-management systems impose controls only while the documents are in those containers. Even document-level controls, like Microsoft Word password protections and read-only PDF files, leave plenty of room for miscreants to maneuver, and for regulatory requirements to fall through the cracks.

    Safeguarding confidential content requires a different mindset. "IT people want to view this as a network problem or as a container problem, but it is really a data problem," says Ed Gaudet, vice president of product management and marketing for Liquid Machines Inc., a Waltham, Mass.-based provider of rights-management software. "The security needs to be persistent and travel with the document."

    That's where ERM software comes in. ERM takes the same approach as DRM does, embedding controls directly into a document, and not simply on the network it travels over, the computer it's stored on, or the folder it's sitting in.

    Two hundred Sterling-Hoffman employees worldwide, including consultants, researchers, and managers, now use ERM software from Liquid Machines to protect critical information. Designated employees, including every client manager, determine which documents to protect by attaching specific rights to them. For example, a manager may create a training document using Microsoft PowerPoint or Word, for use by the India-based researchers, with limited, read-only "rights." Attempts to do anything else with the document, such as print it or forward it, will fail.

    Rights are defined and managed within a dedicated policy server, and then applied to documents individually by their authors, who select the appropriate permissions from a drop-down menu accessible through a piece of software that runs on every user's machine. An author may reserve the strictest controls (e.g., read only) for confidential client information, while allowing a bit more latitude (e.g., read, print, forward) with less sensitive documents, such as a memo describing an administrative-training procedure.

    Sterling-Hoffman says it has spent less than $80,000 on hardware and software licenses, including both the pilot and deployment phases. Mehta views the investment as a bargain: "Previously, we couldn't comfortably engage certain employees on certain projects, or the pace of information sharing was significantly slower. We couldn't send a training document, so we'd dictate information to ten people over the phone. Training took a week or two instead of an hour, and took valuable time from the principal or vice president giving it. Now we send documents overseas and they don't get stolen."

    Meanwhile, at Fairfield Greenwich Group, a New York City-based hedge fund with $9 billion in assets, an annual security review highlighted document security as a concern. As at other hedge funds, FGG's client lists, internal accounting documents and fund information are highly proprietary. "We considered how bad it would be if our client list wound up on the front page of the Wall Street Journal," says Jason Elizaitis, FGG's director of information technology.

    All 85 FGG employees now have ERM software installed on their desktops. In addition to safeguarding confidential fund and client information—"you can't trust sales people," says Elizaitis—ERM also helps FGG employees jointly prepare documents created in Microsoft Word, and housed in Microsoft SharePoint, for regulatory approval. It also prevents FGG employees from unwittingly (or not) releasing information to the public prematurely. Elizaitis especially likes the fact that rights "travel" with content, even as it moves from one document format (such as Word) to the next (such as Excel).

    What technologies are available for securing content at the document level?

    Ask your head of IT security:

    What changes should we make to our security to accommodate document-level security?


    Limitations


    ERM products remain poorly integrated with other IT processes and applications.
    Despite its promise, ERM has yet to attract widespread interest, even among small workgroups, much less across entire corporations. For one thing, it adds complexity to a company's infrastructure at a time when IT departments are looking to consolidate and simplify. And according to Trent Henry, senior analyst with Burton Group, an IT research firm in Midvale, Utah, CIOs (especially at large companies) are also concerned about integrating ERM software with numerous other IT processes, systems and applications, including backup and recovery systems and records-management systems.

    Consider FGG. As a registered broker/dealer, the firm must archive documents for seven years. Documents with rights attached must either be opened on FGG's network, or unprotected before they are released to its third-party records-management provider, Boston-based Iron Mountain Inc. At Bern, Switzerland-based Swisscom AG, a telecommunications provider with $7.6 billion in 2005 net revenues, documents must be archived for ten years. The firm plans to keep a copy of the policy server on hand for ten years, just in case it needs to access archived documents that inadvertently still have rights attached.

    Burton Group's Henry also points out that many CIOs are suspicious of any security technology that places so much control, and responsibility, in the hands of individual users. That's why so many have settled for less invasive measures—such as network controls, or content sniffers—that can be managed by the IT team.

    Companies that have deployed ERM usually cite ease of use and user acceptance as the most essential requirements for any ERM product. Says FGG's Elizaitis, "We're putting the onus on the authors to protect documents, so ease of use was the most important requirement." He claims their current ERM setup is minimally disruptive. "Applying rights involves two or three extra clicks for the author, who simply has to pull down a droplet and assign a policy."

    Technology aside, ERM assumes all users are clearly versed in company policy, and know which documents to protect. Swisscom implemented Microsoft RMS for all 16,000 full-time employees when it upgraded to Windows 2003 server and Office Professional. According to Markus Schütz, project manager for Swisscom IT Services AG, certain documents need to be classified, and users simply need to know when to do that—with or without RMS in place. "Those decisions are made at the group company level, not at corporate. We've just provided technology that makes it easier to comply."

    Finally, preserving document rights once the documents travel outside the company is generally difficult, unless recipients have rights-management software running on their machines and are connected to the policy server that enforces those rights.
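The policy-server model described in this article, and the archival and outside-recipient limits noted above, can be sketched as follows. This is an added example, not code from any vendor named here; `PolicyServer`, `client_open`, the policy names and the SHA-256 keystream (a stand-in for a real cipher) are all hypothetical, and users are plain strings with no authentication.

```python
import hashlib
import secrets

# Constructed policy templates mirroring the article's two examples.
POLICIES = {
    "confidential-client": {"read"},
    "admin-memo": {"read", "print", "forward"},
}

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 in counter mode) so the sketch needs only the
    # standard library; a real product would use a vetted authenticated cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class PolicyServer:
    """Hypothetical policy server: keeps content keys and per-user rights."""
    def __init__(self):
        self._keys = {}    # doc_id -> content key, never written into the file
        self._grants = {}  # doc_id -> {user: policy name chosen by the author}

    def protect(self, doc_id: str, plaintext: bytes, grants: dict) -> dict:
        if set(grants.values()) - set(POLICIES):
            raise ValueError("author selected an undefined policy")
        key = secrets.token_bytes(32)
        self._keys[doc_id], self._grants[doc_id] = key, dict(grants)
        # The file that travels carries only an id and ciphertext.
        return {"doc_id": doc_id, "ciphertext": _xor_stream(key, plaintext)}

    def license(self, doc_id: str, user: str, action: str) -> bytes:
        policy = self._grants.get(doc_id, {}).get(user)
        if policy is None or action not in POLICIES[policy]:
            raise PermissionError(f"{user} may not {action} {doc_id}")
        return self._keys[doc_id]

def client_open(doc: dict, user: str, action: str, server) -> bytes:
    """Client agent: asks the server before each action and fails closed."""
    if server is None:  # archived copy or outside recipient with no server access
        raise ConnectionError("policy server unreachable; document stays sealed")
    key = server.license(doc["doc_id"], user, action)
    return _xor_stream(key, doc["ciphertext"])
```

Because the key lives only on the server, a copy opened without it stays ciphertext, which is why a protected archive is readable only as long as the policy server that issued it is kept.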

    Ask your business managers:

    What are the key document formats that would benefit from document-level security?

    Ask your COO:

    Are we sufficiently protecting the information we exchange with trading partners?


    Future


    Attaching rights to documents is poised to become easier, as vendors acknowledge that ERM is a feature, not a standalone market.
    The ERM market today remains somewhat ill-defined and anemic, and it includes only a small list of vendors. A flurry of recent deals in the market has caused some prospective buyers to take pause, although it also signals a healthy new direction for ERM, according to Robert Markham, an analyst at Forrester Research Inc.

    Storage giant EMC Corp. recently acquired Authentica Inc., a Lexington, Mass.-based provider of ERM software, and plans to embed ERM capabilities into its Documentum content-management platform. Gartner analyst Ray Wagner sees this move as potentially kick-starting more interest in ERM among content-management vendors, who, he says, have generally been more preoccupied with beefing up their other capabilities, including workflow, version control, and backup. It also begins addressing concerns that ERM isn't sufficiently integrated with the applications that companies use every day to manage their documents.

    In another recent acquisition, Adobe Systems Inc. acquired the digital-rights management division of Navisware, which will allow Adobe to expand the document formats it can support with its Adobe LiveCycle Policy Server to include not only PDF files but also Microsoft Office documents and CAD drawings.

    Future versions of Microsoft Office SharePoint, which is steadily gaining in popularity among corporate users who need to collaborate on documents, will also include more rights-management features.

    Microsoft Corp. is planning to integrate some rights-management capabilities into Vista, according to Suzanne Kalberer, product manager with Microsoft. This will eliminate the need for a separate, dedicated server, although it will still require companies to purchase separate licenses for the rights-management software running on client machines. It will also make it easier for application vendors to embed rights management into their applications as a matter of course, she says. Still, says Gartner's Wagner, "Until someone offers a standard OS with this capability at the lowest level, ERM won't become ubiquitous."

    Meanwhile, a strong business case can quickly override the many valid concerns enterprises have about ERM today. As Sterling-Hoffman's Mehta puts it: "If we didn't have document security, we could not get the work done."

    Ask your IT team:

    Do any of our vendors plan to incorporate ERM in future product releases?

    Ask your market analyst:

    What market events must occur before we would consider deploying ERM?
