Tuesday, October 17, 2006

Enterprise Rights Management

The October 2006 Information Security Magazine features a great story titled Safe Exchanges. It discusses software it calls "enterprise rights management" (ERM):

Enterprise rights management is technology that allows corporations to continuously control and protect documents, email and other corporate content through the use of encryption and security policies that determine access rights.

I found this case study compelling:

Fenwick & West was an early adopter, choosing ERM software by startup SealedMedia, a company recently acquired by Stellent.

Kesner took advantage of SealedMedia's free 30-day trial, tested it with several clients and was wowed by the results. His law firm's clients use hundreds of data types, including Microsoft Office, Adobe Acrobat, accounting databases, architectural drawings and computer-aided design documents--all of which SealedMedia supports.

In addition to the software's broad support, he was impressed by its ease of use. For the firm's lawyers, clients and outsiders to access protected files, they download a small plug-in to their computers. When they try to open protected files on the extranet, the plug-in checks in with Fenwick & West's servers to make sure they have the right to access the documents. It takes about five minutes to get most users up and running.


We're seeing defenses collapse to the level of data, as described by luminaries like Dan Geer. So-called ERM software helps implement this defensive strategy.

ERM, or what might also be called Digital Rights Management (DRM), is no panacea, however. An intruder sitting on a company desktop can read all the documents that the legitimate user can read, at least when the documents are being displayed to the user. Documents cannot be considered "secure" when they must be rendered to users of vulnerable platforms.

I expect to see systems like ERM widely deployed, although I wonder how well they will be accepted when encryption products tend to stump most users. We don't see ubiquitous deployment of encrypted email or documents, even though the technology has been around for years. Perhaps moving the trust decision out of the hands of non-technical users (as must be the case with technologies like PGP/GPG) will help facilitate deployment?

2 comments:

Anonymous said...
This comment has been removed by a blog administrator.
Eric Salerno said...

Richard, I'm glad to hear that the article resonated with you. As one of the companies covered in the Secure Exchanges piece ("Protective Coating" - Page 6 of the online article), Liquid Machines agrees that security requirements are being narrowed down to the information itself and that ERM or Enterprise Rights Management is the model to get us there.

An interesting point to debate is what happens to original files when security is applied. Some products end up leaving the original behind unprotected when a new file type is created in order to apply the security. After all, if you're only protecting copies of information, your original files (and hence your sensitive data or intellectual property) remain as vulnerable as they were when you started.

Liquid Machines' Document Control ERM solution applies a "policy" to the document itself, without changing the file type, eliminating the risk associated with leaving an original copy behind.

In the article, Fairfield Greenwich Group, a financial services company, chose Liquid Machines for its ease of use (see excerpt below) and the fact that the protection travels with the data - meaning if an authorized user copies any portions of a protected document, the target document will either have the same policy applied, or it won't be pasted.

Excerpt:
After poring through IT magazines, he chose ERM software from Liquid Machines for its ease of use.

Liquid Machines software installs a pull-down menu on Microsoft Office applications and Adobe Acrobat. If authors of documents feel they need to protect them with ERM, they click on the pull-down menu to set the policies.

Using just three policies, Fairfield Greenwich was able to protect their most sensitive documents, helping them meet several regulations including requirements set by the Securities and Exchange Commission.