The Rights Stuff: The Integration of Enterprise Digital Rights Management into an Enterprise Architecture

Page 2 of 3

E-DRM and Collaboration Solutions
Many of the major providers of collaboration software are beginning to emphasize rights management as an integral part of the process. According to Microsoft program managers Jason Cahill and Ethan Gur-esh, the next release of Microsoft SharePoint Server 2007 will incorporate server integration with Windows Rights Management Services (RMS). For the 2007 release of SharePoint, Microsoft plans to provide an infrastructure to share and collaborate on documents. The company hopes to help automate the rights management process and centralize where corporate policies are specified. SharePoint is designed around document-centric workflows. By piggybacking off the permission policies in a corporation's collaboration server (SharePoint), Microsoft wants to enable centralized information rights management.

With SharePoint Server 2007, policies users set on SharePoint Document Libraries on the server will be enforced even after the content has left the site: the IRM envelope on the downloaded file will match the server-side ACLs. Out of the box, Microsoft Office SharePoint Server (MOSS) 2007 ships with protectors for Word, Excel, and PowerPoint documents, both the Office 97-2003 file formats and the new Open XML formats. In addition, MOSS 2007 can apply IRM to InfoPath forms and XPS documents.

For PDF, AutoCAD documents, Microsoft Visio files, etc., Microsoft customers can look to complementary software such as that from Liquid Machines or Avoco Secure. Microsoft offers a pluggable infrastructure, so independent software vendors' partners can write custom protectors that can rights manage other file types besides Office documents. Partners can even use a third-party rights management platform instead of Windows RMS.

Adobe Systems, Inc. is also active in making rights management part of its solutions. With the Adobe LifeCycle Policy Server, authors can apply security policies to their documents, and the policy will travel with the document. The policy can be updated by the author after the document is distributed, for example, to turn off access to an expired version. Adobe's acquisition of the digital rights management division of Navisware will allow the company to expand the document formats it can support with its Adobe LiveCycle Policy Server to include not only PDF files but also Microsoft Office documents and CAD drawings. Adobe is preparing to publish a beta version and targets Q4 of this year for the commercial availability of the Navisware extensions as an integrated component of LiveCycle Policy Server.

At CeBIT 2006, IBM Germany said it is working with Adobe to develop an Enterprise Rights Management solution based on the Adobe LiveCycle Policy Server for companies in the automotive, aerospace, and military technology sectors that use the PLM (Product Lifecycle Management) solution CATIA. The digital product data generated using CATIA is exchanged with other companies around the world in the course of collaborative engineering projects.

IBM apparently intends to take over responsibility for selling the software that would be installed by customers and for hosting the Adobe LiveCycle Policy Server as a software service in IBM data centers, thereby enabling widespread access to CATIA. Following IBM's recent $1.6 billion acquisition of ECM vendor FileNet Corp., expect IBM/FileNet to integrate more closely with and possibly acquire either Liquid Machines or Avoco Secure.

Policing Rights
There are organizations ready to put DRM-enabled collaborative solutions to work. The U.S. Department of Defense is interested in E-DRM to empower secure inter-agency collaboration. Currently, review of secure documents occurs in Sensitive Compartmentalized Information Facilities (SCIF), window-less rooms enclosed in metal-plated walls. That approach works fine much of the time, but fails when multiple agencies need to communicate quickly and get information out to first responders in the field. The government's Information Sharing Environment initiatives and Open Source Intelligence gathering requirements are designed to be two of the methods to overcome the interagency bottlenecks which prevented the CIA, FBI, DoD, and other agencies from sharing information about terrorist organizations prior to September 11, 2001. One of the organizations leading this effort is the Global Security Consortium, headed by Martin Ross.

The Atlas Consortium, supplier for the U.K. Ministry of Defense, uses Avoco Secure secure2trust for secure collaboration. Secure2trust has built-in policy templates that follow defense organizations' tiered security structure (confidential, secret, top secret, etc.). Avoco secure2trust bundles user authentication information with packaged files, instead of issuing licenses from a policy server. Secure2trust interoperates with Active Directory and X.509 certificates. It integrates with EMC Documentum, Microsoft's upcoming Office 2007 suite, and Microsoft SharePoint content management services.

Previous generation IT security systems alone are insufficient to prevent leakage of sensitive information. Among respondents to a Federal Bureau of Investigation-Computer Security Institute (FBI-CSI) survey who had suffered a loss of proprietary information, 97% were using firewalls, 72% were using intrusion-detection systems, 70% were using server-based access-control lists, and 68% were using encryption for data in transit.

Page 2 of 3