With the increasing globalization of business and the sharing of information among companies, customers, and suppliers in far-flung parts of the world, protecting confidential information, not only within an enterprise, but also once it leaves, has become paramount.
The gaping hole in security schemes of enterprise content management (ECM) systems is that few, if any, protections exist once the information is legitimately accessed. This confidential information—which may include price lists, patented designs, blueprints, drawings, and reports— can often be printed, faxed, or emailed to unauthorized parties without any security attached. This has given rise to an emerging but critical set of capabilities by a new breed of software companies that develop and sell Digital Rights Management (DRM) software, more commonly termed Enterprise Rights Management (ERM) or Enterprise DRM when it is deployed by organizations distributing content securely inside or outside the firewall. The term DRM (alone) is used primarily to refer to protections of digital entertainment files in the business-to-consumer marketplace.
Who Needs It?
In investment banking, research communications must be monitored, according to NASD regulation 2711, and ERM can help support compliance efforts. In consumer finance, personal financial information collected on paper forms and transmitted by fax (e.g., auto dealers faxing credit applications) or other low-security media can be secured using ERM, even directly from a scanner or copier. Importers and exporters can ensure data security and prevent the loss of cargo from theft or even terrorist activities with it, and they can also comply with U.S. customs and fast-changing trade regulations by deploying ERM software. Public sector data security needs are numerous, including intelligence gathering and distribution and espionage, as well as Homeland Security initiatives. Firms that generate Intellectual Property (IP), such as research and consulting groups, can control and protect access to IP with it, and in the highly collaborative pharmaceutical industry, ERM can secure research and testing data.
ERM software enforces and manages information access policies and use rights of electronic data and documents. Controlled information can be emails, spreadsheets and financial statements, policy and procedure manuals, research, customer and project data, personnel files, medical records, intranet pages, and other sensitive information. ERM provides "persistent" (continual—regardless of where and when access occurs) enforcement of information access policies to allow an organization to control access to information that needs to be secured for privacy, competitive, or compliance reasons.
While its market is not quite mature, ERM is not a new thing. There are a host of vendors vying for the market that tackle the problem from a variety of angles. Here is a look at the main players and their perspectives on the tools used to protect enterprise content.
"We've had rights management capabilities since 1994 in version 2.0 of PDF," states Ryan Hunter, senior product marketing manager of security solutions at Adobe Systems. "Even then, you could restrict access to documents and prevent editing and printing." But this was not a complete solution suitable for use within and outside of an enterprise. For instance, users forget passwords, print rights may need to be revoked after-the-fact, and access rights may need to be revoked so that only the latest version is viewed. This can be accomplished only by enforcing access rules and policies at the server level.
"The limitations caused us to develop an enterprise solution," Hunter says. Adobe began shipping LiveCycle Policy Server in December of last year. LiveCycle boasts cross-platform support, running on Windows, Linux, and Mac OS servers (in contrast with Microsoft's Rights Management Server [RMS], which runs only on Windows 2003 servers). Thus, it is particularly useful in a multi-platform collaborative environment, such as manufacturing design or any kind of research conducted by multiple groups.
AirZip, Inc. has cross-platform support, including the aforementioned platforms as well as applications running on AIX and Solaris. A distinguishing feature of AirZip's FileSECURE is that it can be used for files of any type, not just electronic documents. Interestingly, one of AirZip's biggest markets is China, since they provide a native Chinese version of FileSECURE.
But wait, don't the Chinese allow for copying of software and other intellectual property (IP)? Well, yes . . . mostly. Multinational firms basing manufacturing operations in China are motivated to deploy ERM software to protect IP, but that's not why the Chinese have started protecting theirs. "It seems that Chinese entrepreneurs have caught the capitalist bug and have been walking off with their employers' IP documents and then starting up their own firms down the road," says AirZip CEO Gary Clueit. Since protecting IP is tenuous at best in China, there isn't much to stop them, so Chinese firms have started adopting ERM software to protect their IP from employee theft and potential competition.
Rights management implementations in China have to be a little different, since software encryption (scrambling and encoding data, with a software key to provide access) is illegal there. "So a hardware device has to be used, which is typically a USB hardware key that is inserted into the PC to unlock access to the information," Clueit adds.
AirZip sets up a hierarchy of roles and access rights in FileSECURE: Superusers are generally system administrators that set up and define Organizations; then managers within Organizations set up high-level policies, create users, define security categories, and work groups. Then, within Organizations, Authors create and secure documents and files. When sending documents to those not defined within the hierarchy, Dynamic Readers can be set up with read-only access to documents on the fly. Documents can be scanned into the system from most high-end Multi-Function Printers (MFP), and rights can be assigned automatically by dragging and dropping documents into predefined folders. FileSECURE secures entire documents, not just certain areas of them, and although secure annotations can be added, it doesn't do "secure editing," as do some other firms in the ERM space, such as Authentica.
"We've been in the ERM space for about seven years now" says Mark Overington, VP of marketing at Authentica. Authentica has approximately 200 customers, but it is difficult to ascertain what percentage of those use its secure email product, Secure Mail, and those that use its ERM product, Secure Documents (for MS Office & Adobe PDF). Both product sets use Authentica's Active Rights Management (ARM) server as the foundation. Notably, Authentica delivers the U.S. Presidential Daily Briefing (PDB), giving access to certain pages of the document to those with security access.
Positioned for use in business-to-business and business-to-consumer applications, the latest ARM release includes support for content filtering engines, secure point-to-point communication between partners, and audit functionality—all targeted at the enterprise market. Authentica supports Lotus Notes email and collaboration as well as EMC/ Documentum's eRoom collaboration suite, and ARM runs on Windows 2000 and 2003 platforms.
GigaTrust from GigaMedia Access Corp. started up in the year 2000. GigaTrust is in the Microsoft camp, partnering to extend the reach of Microsoft's RMS server technology by providing a trusted community for third party authentication based on a secure, public Active Directory implementation.
GigaTrust and its hosting partner, Data Return, provide a secure and reliable environment required for mission-critical data through a hosted Application Service Provider (ASP) model.
The latest release of the GigaTrust Client Software provides the ability to protect WordPerfect files, DICOM (radiological images) files, media files, Corel files, Visio files, and other vertical industry content. It already could manage rights for Quattro and PDF files as well. The GigaTrust software works by wrapping sensitive content in an RMS-protected envelope that can be opened only by an authorized recipient. One of GigaTrust's first customers is the National Occupational Testing Institute, which hired GigaTrust to keep people from copying tests and to protect their IP. It also has customers in the legal and healthcare markets.