[Blogger: Trent Henry]
Burton Group has long covered enterprise digital rights management (known variously as ERM or E-DRM). Our most recent report on E-DRM describes the technology as “driving security to the data.” Similar to consumer DRM schemes that protect Windows media or Apple iTunes content, E-DRM uses cryptography and fine-grained policies to limit what a user can do with data. Unlike consumer media, however, E-DRM is used exclusively by enterprises to protect corporate data and is typically targeted at word processing files, spreadsheets, email, and related content.
Here in Prague at Burton Group’s Catalyst Conference, many of our security talks have been geared around the trend of information-centric security. As a result, several attendees have approached me to ask, “Where is E-DRM going?”
Good question, but a hard one, because even Burton Group is of a mixed mind on the topic. On one hand, we see E-DRM as software-based technologies whose consumer counterparts have suffered one break (attack) after another. In short, they’re low-surety solutions. In addition, the products suffer from an in-your-face user experience that necessarily adds complexity for employees. On the other hand, E-DRM is arguably the finest example of security surrounding data itself: fine-grained policies (e.g. “You cannot print this document and may only email to other Finance Group members”), cryptographic protection, and prevention of other sorts of leakage (e.g. no copy/paste to unauthorized applications).
The vendor landscape for E-DRM has changed substantially in the last 18 months. Microsoft has made significant strides in adding E-DRM support to SharePoint. Oracle, through its acquisition of Stellent, picked up SealedMedia. And EMC, through its acquisition of Documentum, did the same with Authentica. The remaining standalone vendors are Adobe and Liquid Machines. It’s clear that vendors are solving one typical objection to E-DRM: the management of yet another silo of policies. By linking Enterprise Content Management (ECM) and E-DRM, the content repository’s security settings can automatically be reflected in DRM-protected documents that leave the ECM environment.
Where does that leave us?
- We have cautious optimism that E-DRM will continue to receive uptake, even though today’s deployments tend to be relatively small and tactical.
- We expect vendors to enhance protection, making use of trusted platform modules for integrity validation and hardware cryptomodules for improved cryptography handling.
- We expect additional integration between rights management and content management solutions.
- Ultimately, we think there will be interesting synergies between virtualization and E-DRM, where mobile workloads (on virtual machines) and the sensitive content they contain can be managed, tethered, and persistently secured via rights-management no matter where a machine image lands.

Trent, an interesting blog. I think the future in this space is only just starting to grow across many areas in the enterprise. I responded to some of your comments here:
http://blogs.oracle.com/irm/2008/10/where_is_enterprise_digital_ri.html
Posted by: Simon Thorpe | October 22, 2008 at 06:13 PM
The ERM hype is yet another rebranding of encryption with access controls. I worked at a computer desktop security company 15 years ago when we were doing this stuff. Data was encrypted and access controls determined who could view it. Anything saved to external media was automatically encrypted, ensuring it could not be passed on unless the recipient had a key to view it. It turns out, however, that in reality companies have very few secrets. There is not much point protecting email text if it is only composed of a few lines of importance that can be easily typed from scratch and then passed on to others outside the organization. The real value of protection is usually for large documents (the attachments) that must be read but not modified by others or passed on. Adobe PDF format is great for the conversion of all file types into PDF, and you can get extra protection by purchasing a PDF DRM solution (see LockLizard amongst others). Also DRM solutions work outside the enterprise so you control use of protected information sent to third parties, whereas ERM solutions tend to be focused internally since many use Windows RMS. So companies should save themselves the pain and expense of implementing an ERM solution and opt for a PDF DRM alternative instead for a tenth of the price.
Posted by: Stephen Martin | October 23, 2008 at 07:35 AM
ERM/IRM is getting a new surge in interest as analysts and customers alike realize its potential for protecting their most valuable content. I've just started blogging on the Oracle IRM technology.
Posted by: sayen | January 19, 2009 at 10:31 AM
Hey! Good article. What I don't understand is why corporate America has not turned to the folks who have been working on the Semantic Web for ages starting on SGML and moving to XML. It's those MLIS-heads who have dedicated a good portion of their careers working on meta data and DATA CLASSIFICATION schemas and solutions.
What we're seeing now with DLP is that you really need to "know what you've got" before you can protect it, meaning companies are now being forced to implement data classification. It's already been done several times over... just on a smaller scale and in many cases in specific industries.
It certainly would save many security folks from recreating the wheel and could give them another ally within their organizations.
Posted by: sayen | January 23, 2009 at 02:43 AM
Trent, an interesting take on IRM and I subscribe wholly to your views. There is an interesting post on the future of IRM as well as comparison with consumer DRM technologies which was posted by Vishal Gupta, the CEO of Seclore ( http://www.seclore.com ) on his personal blog i.e.
http://edrm.blogspot.com
Have a look ..
Posted by: Anuj | February 01, 2009 at 04:12 AM