By Rajan Samtani
Enterprise Digital Rights Management (or EDRM) technology has been an arrow in the overall data security quiver for nearly two decades, but the complexity of platform integrations, over-reliance on document formats, and a lack of usability and institutional discipline about the sensitivity of data types have prevented it from becoming widely deployed. The killer app for EDRM has been elusive because most implementations to date have relied on a “tick-box” approach to show compliance with some regulatory framework.
The horror story of the Sony Pictures hack in November 2014 put the world of data security professionals on notice that perimeter-based approaches to protecting digital data were no longer going to be enough. The hack itself was sophisticated in terms of the speed with which the malware propagated, but it became a nightmare because of the exposure of extremely sensitive internal corporate documents about the inner workings of the company, which suddenly became “public domain”. Fortune magazine called it the “hack of the century”, and it exposed the vulnerabilities of corporate IT’s over-reliance on perimeter-based security. To one degree or another, traditional approaches rely on firewalls, anti-spyware, virus protection, device authentication, SSL, file encryption, network intrusion detection software and sophisticated DLP discovery to mitigate the damage from potential cyber threats. The Sony hack showed that these techniques are necessary but not sufficient to protect the data resident in the enterprise.
Enterprise DRM, also known as Information Rights Management (or IRM), adds a layer of context-aware security to the data that resides in various file formats across the organization, whether in the form of reports, spreadsheets, documents, graphics, CAD, training videos, project management timelines or other esoteric types with their own file extensions. In a world awash in data generated by ERP, ECM, PLM and HR systems, and amid the overarching requirement for the enterprise to enable productive and collaborative workflows with its diverse supply and distribution chain partners, the files themselves should be protected while stored, shared or being worked on, with stringent policies to govern how they may be used and by whom. All of this is only exacerbated by the proliferation of personal devices used to access company data.
Rules of the Game
The key is to have persistent protection on the data itself, whether the files are accessed and used inside or outside the perimeter of the enterprise. Files should be encrypted whether they sit on employee devices, servers or third-party devices. The policies and permissions can be granular and govern use by organizations, teams, project members and the roles they are assigned. The rules in this data-centric approach define:
- WHO can use the data (Identify and Authenticate)
- WHAT can the user do with the data (Grant Permissions)
- WHEN should the permission expire (Define Timeframe & Expiration of Policy)
- WHERE can the user use the data (Define Usage Context)
With the rules defined, the data files are encrypted, and a key management infrastructure adds a layer of trust and governance: only authenticated users can obtain the keys to open the files, and they can use them only in the ways the rights management policies spell out.
In contrast to a traditional application-, device- and access-oriented security solution, EDRM protection persists with the file and ensures that these policies are enforced regardless of where the file ends up. In the past, EDRM was typically used to protect only the files of highest sensitivity, such as board memos, commercial contracts, product designs, M&A plans, financial reports or customer databases.
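The two paragraphs above describe the mechanism: a policy covering WHO, WHAT, WHEN and WHERE is bound to the encrypted file, and a key service releases the decryption key only when an authenticated principal's request satisfies every dimension. The following is an added example written for this article, not code from the author or from any EDRM product, and every name in it (Policy, Principal, KeyServer, the "view"/"edit" permissions, the "corp-network" context, the sample memo) is a constructed assumption. The cipher is a deliberately simple SHA-256 keystream so the block runs with the standard library alone; a real deployment would use an authenticated cipher such as AES-GCM. The example also shows a check a practitioner would want that the text only implies: the policy travels with the file, so it must be integrity-protected, otherwise a widened policy could be substituted before the key request.

```python
from __future__ import annotations

import dataclasses
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Policy:
    """The four rule dimensions from the article, bound to one file (assumed layout)."""
    roles: tuple[str, ...]        # WHO: roles from the identity management system
    permissions: tuple[str, ...]  # WHAT: allowed actions such as "view", "edit", "print"
    expires_at: str               # WHEN: end of the grant, ISO 8601 with UTC offset
    contexts: tuple[str, ...]     # WHERE: usage contexts, e.g. "corp-network"

    def to_json(self) -> bytes:
        return json.dumps(dataclasses.asdict(self), sort_keys=True).encode()

    @classmethod
    def from_json(cls, raw: bytes) -> "Policy":
        d = json.loads(raw)
        return cls(tuple(d["roles"]), tuple(d["permissions"]), d["expires_at"], tuple(d["contexts"]))


@dataclass(frozen=True)
class Principal:
    user: str
    roles: tuple[str, ...]
    authenticated: bool  # outcome of the identity system's authentication step


@dataclass(frozen=True)
class ProtectedFile:
    """What travels between devices: ciphertext plus its policy, both covered by one MAC."""
    key_id: str
    policy_json: bytes
    ciphertext: bytes
    tag: bytes


def evaluate(policy: Policy, p: Principal, action: str, context: str, now: datetime) -> str | None:
    """Return None when the request is allowed, otherwise the name of the failing dimension."""
    if not p.authenticated or not set(p.roles) & set(policy.roles):
        return "WHO"
    if action not in policy.permissions:
        return "WHAT"
    if now >= datetime.fromisoformat(policy.expires_at):
        return "WHEN"
    if context not in policy.contexts:
        return "WHERE"
    return None


def _toy_stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter keystream, illustration only (use AES-GCM in a real system).
    Acceptable here only because every file gets its own fresh key, so no keystream repeats."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class KeyServer:
    """Holds per-file keys and releases plaintext only after integrity and policy checks pass."""

    def __init__(self) -> None:
        self._keys: dict[str, tuple[bytes, bytes]] = {}  # key_id -> (enc_key, mac_key)

    @staticmethod
    def _mac(mac_key: bytes, fields: tuple[bytes, ...]) -> bytes:
        return hmac.new(mac_key, b"".join(fields), hashlib.sha256).digest()

    def protect(self, plaintext: bytes, policy: Policy) -> ProtectedFile:
        key_id = secrets.token_hex(8)
        enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
        self._keys[key_id] = (enc_key, mac_key)
        policy_json = policy.to_json()
        ct = _toy_stream_xor(enc_key, plaintext)
        tag = self._mac(mac_key, (key_id.encode(), policy_json, ct))
        return ProtectedFile(key_id, policy_json, ct, tag)

    def open(self, pf: ProtectedFile, p: Principal, action: str, context: str, now: datetime) -> bytes:
        enc_key, mac_key = self._keys[pf.key_id]
        # Integrity first: a policy edited in transit must never reach the evaluator.
        expected = self._mac(mac_key, (pf.key_id.encode(), pf.policy_json, pf.ciphertext))
        if not hmac.compare_digest(expected, pf.tag):
            raise PermissionError("INTEGRITY")
        reason = evaluate(Policy.from_json(pf.policy_json), p, action, context, now)
        if reason is not None:
            raise PermissionError(reason)
        return _toy_stream_xor(enc_key, pf.ciphertext)


def run_scenarios() -> dict[str, str]:
    """Constructed sample data: one board memo, two users, six access attempts."""
    ks = KeyServer()
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    memo = b"Q4 board memo: constructed sample content"
    policy = Policy(("finance",), ("view",), (now + timedelta(days=30)).isoformat(), ("corp-network",))
    pf = ks.protect(memo, policy)
    alice = Principal("alice", ("finance",), authenticated=True)
    bob = Principal("bob", ("sales",), authenticated=True)

    def attempt(f: ProtectedFile, who: Principal, action: str, ctx: str, when: datetime) -> str:
        try:
            return "ALLOWED" if ks.open(f, who, action, ctx, when) == memo else "MISMATCH"
        except PermissionError as e:
            return f"DENIED:{e}"

    # Simulated tampering: the policy in the container is widened to admit the "sales" role.
    widened = dataclasses.replace(pf, policy_json=dataclasses.replace(policy, roles=("finance", "sales")).to_json())
    return {
        "authorized_view": attempt(pf, alice, "view", "corp-network", now),
        "wrong_role": attempt(pf, bob, "view", "corp-network", now),
        "edit_not_granted": attempt(pf, alice, "edit", "corp-network", now),
        "after_expiry": attempt(pf, alice, "view", "corp-network", now + timedelta(days=31)),
        "outside_context": attempt(pf, alice, "view", "home-laptop", now),
        "tampered_policy": attempt(widened, alice, "view", "corp-network", now),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18} {outcome}")
```

The ordering inside `open` is the design point: the MAC over key id, policy and ciphertext is verified before the policy is even parsed, so the widened copy is rejected as an integrity failure rather than being evaluated, and the key never leaves the server for a request that fails any of the four dimensions.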
However, in today’s complex world of collaborative partnerships, nearly all data from an enterprise can end up in different repositories and in the cloud. Further, easy access to Electronic File Sync and Sharing (EFSS) platforms like Dropbox and Box makes it increasingly easy for users to transfer sensitive corporate information, and the enterprise loses control over that information entirely. Ironically, most enterprises today already have good identity management systems in place and are therefore capable of deploying EDRM rules bound to the specific people who fulfill roles in the organization.
It’s just a matter of changing the culture of the organization and its supply chain partners to respect the new rights management policies, while adding a thin layer of administrative overhead to classify the information, manage the policies and their exceptions, and so keep control of the system going forward. With the right level of executive sponsorship and oversight, beyond just the confines of the IT department, the organization can readily protect its corporate crown jewels with EDRM.
It is important to accept that perimeter security will eventually be compromised; it’s a matter of when, not if. Adding a layer of security around the data file itself protects important, sensitive information regardless of where the files travel, as they flow between applications, platforms, devices and networks, both inside and outside the organization.
In a world where traditional security approaches are always at risk, EDRM adds a layer of security that persistently protects corporate information as it flows between applications, storage platforms, devices and transport mechanisms, closing the inherent gaps in perimeter-based security. These requirements will only become more important as the world grows more reliant on BYOD and cloud-based EFSS platforms such as Dropbox, and remains constantly at risk from cyber-attacks. EDRM also helps protect against both inadvertent unauthorized sharing of corporate data and misuse by internal bad actors, and it mitigates the damage from a breach by rendering stolen files unusable without further effort by the attackers.
EDRM is a very useful technology solution that’s finally come of age. It’s definitely time for IT departments to show up at its debutante ball.
Rajan Samtani is a veteran global consultant and expert on Strategy, Market Development and IP Licensing focused on digital rights technologies including media and Enterprise DRM, renewable security, forensic watermarking, content identification, file distribution, among others. Rajan holds several patents in DRM and Digital Watermarking and is based out of Los Angeles. He can be reached at email@example.com