Analysis: Enterprise Rights Management

If you need the "why" of tighter data-confidentiality protection, pick up a newspaper. When IT pros heard a laptop with personal information on millions of military personnel had been stolen, most probably just shook their heads. We know all too well how data loss happens. One innovative way to prevent it is with ERM (enterprise rights management). Problem is, rights management has a PR problem, most recently embodied in headlines trumpeting the Sony BMG DRM rootkit debacle. Although the business case for rights management is there, expect resistance from users.

Our advice: Push right back.

Risks remain, and we'll discuss them, but ERM can provide persistent protection of information throughout the data's life. Offerings from large vendors like Adobe, EMC and Microsoft are complementing technology from innovative small players in the market, meaning organizations have an ever-wider range of product choices.

We define rights management as those access and usage policies that persist with protected digital content, no matter where that content resides. Digital "rights" are what computers (and the people who use them) are allowed to do with digital content; enforcement flows through mechanisms in the content and/or the content container. Because these rights are persistent, they're enforced whether the data is transmitted over a network, copied to the clipboard, stored in a database or simply saved to a laptop hard drive.


Rights management covers the policies, encoding and agreements that govern the lifecycle of digital rights. This includes defining various digital objects--CAD documents, spreadsheets and audio files, for instance--then identifying users or computers that interact with objects, codifying the rules of object use and so on. Rights-management technologies include encrypted digital content, like documents or audio/video media; licenses or other policies that describe how digital content may be used; and software/hardware systems that enforce policies and render content for consumption by users and computers.

The realm of rights management spans both the consumer market and the enterprise space. Consumer DRM is widely deployed to protect for-sale digital data, such as ring tones for mobile phones, digital music and video, and streamed broadcast content. These technologies are built into Apple's digital audio products and various Microsoft Windows Media formats, for example. In contrast, ERM, also known as enterprise digital rights management, or E-DRM, is a corporate information-protection mechanism. ERM is most often deployed to protect the confidentiality of sensitive enterprise information that should have a limited audience, including executive communications or product specs. ERM is also used to satisfy the information-use-control security objective: providing assurance that users work with enterprise data in controlled ways.

Although ERM and DRM are different, they have some shared issues, including intellectual property concerns over the technology used to express rights (with several competing patent-holders) and user acceptance. It's important for enterprises to clearly articulate that, even though employees may have issues with DRM in their home media, ERM serves important business goals.

The Encryption Conundrum

To control sensitive data, both in-house and as it travels afield, many organizations use encryption--and encounter significant challenges. Security architects must define where encryption makes sense--would it be best in files and folders, over entire workstation disks, across a database and/or through network channels? Encrypting data in a critical database might satisfy some payment-card-industry security requirements, but it doesn't save your reputation when an analyst's missing laptop contains a spreadsheet of the same information.

Impact Assessment

Then there's the thorny question of how encryption is managed. Which users should have access to what data? How often should encryption keys be changed? Once authorized users are allowed to read encrypted information, how can we prevent them from forwarding the data to others? In short, how is policy enforced?

To sidestep or augment encryption, enterprises may deploy a content filter that monitors activity on workstations or over the network. A filter can analyze outgoing e-mail or instant messages to ensure that intellectual property isn't flowing to unauthorized recipients. Or, a host-based agent can apply policies to prevent data from being written to a CD-ROM or flash drive. Unfortunately, some information must be shared, and once it passes the filter, all bets are off.

Rights-management technology is evolving to answer some of these challenges. A handful of small, innovative vendors started the trend, and they're being joined by much larger industry stalwarts. All are looking to provide ERM systems that combine built-in encryption, point-of-use control, filtering and policy management. These offerings help enforce the guidelines set for use of data on endpoints and prevent accidental leakage of important information over the network. The end result is an increasingly mature array of tools that drive information protection down to the data itself.

Rights Management Risks

Enterprise IT has legitimate concerns about deploying rights management. There are a number of vulnerable locales in the ERM suite, giving rise to several new risks--license/policy servers could be undermined, rights-management encoding and crypto algorithms could be subverted, public-key servers could be compromised. Backdoors and weaknesses in hardware implementations have also been introduced by vendors, sometimes at the behest of governments: Switzerland's Crypto AG is reported to have placed backdoors in some of its systems, and there have been similar questions about cryptosystems in China and Korea.

Like patch- and vulnerability-management systems, centralized rights-management servers provide a single focal point for attack, misconfiguration or malfeasant administration. On the other hand, ERM suites also ameliorate certain risks by reducing threat volume on user desktops. An organization might have tens of thousands of employees, any of whom could accidentally or deliberately redistribute sensitive documents or e-mail. With ERM deployed, employees would have to leap a higher hurdle to deliberately abuse corporate information.

For companies worried about desktop malware, ERM poses content-protection challenges. Encrypted application-layer data that might contain viruses cannot be scanned by gateways unless the gateways are ERM-enabled and possess the keys to decrypt content. Realistically, protection must reside in the desktop client, and at a deeper level than ever before. An ERM-enabled application must invoke content-scanning mechanisms, for example, because only that application has the associated rights to decrypt the content. Alternatively, PC antivirus software and host-based firewalls could be rights-management-enabled, to scan for malware. But unless RM mechanisms are trusted implicitly, or other integrity controls are in place, RM-enabled applications shouldn't act on content in any way--by executing a macro, running embedded virtual code and so forth--until a scanning engine has validated the data. The vendor community could address this by, for example, adding APIs to let external antivirus-scanning software scan protected documents. Microsoft is working to grow an ecosystem of partners to help answer this problem, and we expect other vendors to follow suit. But for now, be aware.

In addition, information availability is a long-term problem, as it is with any encryption scheme. Organizations risk losing data if keys are not handled correctly. As documents are archived over many years, the exposure to data loss increases. Unfortunately, even mature generic cryptographic systems suffer from a paucity of solutions for long-term key management and information storage. Vendors provide some automated key management, but no solution has been in place long enough to truly test long-term archive and recovery issues.

Along the same lines, ERM complicates backup and recovery, as operations teams figure out how to integrate rights management into normal archival tasks. Media must be periodically refreshed as tape and disk systems age and evolve, for example, and data must be rewritten as applications no longer support flagging file formats. When these media and formats include rights-managed information, the complexity of refreshing, updating and verifying long-term data increases greatly. We find it unlikely that vendors will address these issues specifically, at least within the next couple of years. Solutions must therefore be part of operational manual procedures, as are so many disaster-recovery processes today.

All Over the Map

The ERM field is no longer a collection of small vendors; large software companies like Adobe, EMC and Microsoft are in the hunt. Although the market had seen several years of modest growth and customer interest, recent developments, including a few notable acquisitions, have brought increased attention to the arena.

Current ERM offerings vary in architectural focus, however; see "Where Do the Key Vendors Fit?" at right, for a breakdown. Some include software agents that may be applied to a wide variety of applications, but which must monitor the application externally rather than being embedded in the code itself. This approach can require an additional user interface for managing rights. In contrast, platform rights-management offerings use APIs or built-in application functions to enable protection. Although more tightly integrated with the rights-enabled executable, a platform approach may only protect a limited set of applications because it relies on independent software vendors to add rights-management functionality. The endgame is to create collaborative offerings that apply rights-management protection at all phases of document development.

There was a significant increase in ERM awareness when Microsoft entered the market in 2003 with its Rights Management Services for Windows Server and proceeded to make RMS a core aspect of its security strategy. By creating a platform for rights management, Microsoft sought to create a developer ecosystem of third-party products that create and consume rights-protected information in many different layers: office automation (like the rights-enabled Office Professional suite), computer-aided design, messaging infrastructure and so on. The platform comprises a common set of APIs and services (in the form of the RMS server) that application developers can use to add rights management to new and existing applications. Unlike vendors that provide an agent--as Liquid Machines and SealedMedia do--Microsoft's technology requires strong adoption and support by a developer community. So the downside is that protection strength varies from application to application, and implementation requires involvement from ISVs.

Liquid Machines made a wise choice by enhancing its product line to consume RMS policies while preserving compatibility with software that Microsoft did not support, such as Visio and early versions of Windows. This move has let Liquid Machines capitalize on some novel user interface capabilities while still interoperating with Microsoft's policy-management strengths. Over time, Liquid Machines is likely to continue to extend its architecture to consume other rights-management policy stores. Liquid Machines uses an agent to rights-protect applications but also has spent considerable effort creating interfaces to improve third-party integration, which suggests movement toward platform rights management.

An early player in the field, Authentica, was recently acquired in a deal that represents what has long been viewed as a natural point of synergy for ERM: the enterprise content-management market. EMC/Documentum bought Authentica in early 2006 and announced that it would combine the lifecycle-management capabilities of its eRoom document-management suite with Authentica Secure Documents' ability to provide persistent protection of information. This dynamic is a natural and will likely be repeated by other vendors down the road. Although Authentica's agent-based product supports various Office formats now, prior versions were geared toward protecting published information that was sent outside the enterprise, rather than living documents.

Adobe has had rights-management capabilities in its Reader software for many versions, but it's only been in the last couple of years that the company has added policy management with its LiveCycle technology. With its 2006 acquisition of Navisware, Adobe further expanded its product footprint by moving beyond the PDF file format into Microsoft Office and CAD support. Still, the PDF has been the focal point for the company, and though fill-out forms provide a modicum of collaborative capability, it has limitations.

SealedMedia rounds out the list of major ERM providers. With possibly the largest customer count, SealedMedia has sought to create an agent architecture that is easy to deploy and causes minimal impact to client systems. Most interesting, we've seen its eponymous offering deployed in several shops to extend outside the enterprise perimeter--persistently protecting information that is sent to partners or customers, not just internal employees.

Make the Case

ERM is an important part of policy management, enforcement, and--in some cases--compliance controls, but as previously mentioned, it's had some negative press. To make the sale, illustrate use cases; for example, ensuring confidentiality of enterprise e-mail. The store-and-forward nature of Internet e-mail has made it eminently replicable, but notorious full-disclosure Web sites (with names we can't print) are making many executives lose sleep; having proprietary--and possibly embarrassing--information posted on widely read sites or news groups can lead to undesirable coverage by mainstream media outlets. Rights-protected e-mail lets administrators restrict what employees may do with messages. So, for example, a confidential announcement might contain the rules "employee read only," "no forward" and "expire in three days." Client ERM software authenticates employees and lets them read the message but prevents forwarding. Moreover, no matter where the message is, after three days it's revoked by the ERM system and, for all intents and purposes, rendered unreadable everywhere, simultaneously. Furthermore, the ERM clients prevent other forms of information leakage, like printing, copying/pasting, screen capturing and so on.

Another enterprise use case is "document recall." Organizations sometimes find that they've sent information to customers, investors or others which contains incorrect or sensitive data. All too often, this prompts a flurry of phone calls from customer support or marketing employees pleading, "Please delete that information." Of course, the first thing most clients do after one of these calls is closely read the memo in question. A rights-management license can require the client to check with the ERM system every time a particular document is opened. If a document contains outdated or erroneous data, the organization can effectively revoke it and require users to obtain a newer version.
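The two use cases above (a "read only, no forward, expire in three days" announcement and a document recall) share one enforcement model: a policy server issues a signed license, and the client re-evaluates that license every time the document is opened. The following Python model is an added example, not code from the article or from any ERM vendor. It assumes a shared HMAC signing key between server and client (a real deployment would use PKI-distributed asymmetric keys), a constructed directory mapping users to groups, and a fixed clock; content encryption is deliberately left out so the example isolates the policy decision.

```python
"""Model of persistent-rights enforcement: a policy server issues a signed
license for a document, and a client checks that license (and the server's
revocation list) every time the document is opened."""
import hmac
import hashlib
import json

# Constructed demo key shared by server and clients (assumption: a real ERM
# deployment would use per-server asymmetric keys distributed through PKI).
SERVER_KEY = b"constructed-demo-signing-key"

DAY = 24 * 60 * 60


def _canonical(policy: dict) -> bytes:
    # Canonical JSON so that signature verification is deterministic.
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def sign_policy(policy: dict) -> str:
    return hmac.new(SERVER_KEY, _canonical(policy), hashlib.sha256).hexdigest()


class PolicyServer:
    """Issues licenses, answers revocation checks, and knows the directory."""

    def __init__(self, directory: dict):
        self.directory = directory        # user -> set of groups (constructed)
        self.revoked = set()              # document ids recalled by the owner

    def issue_license(self, doc_id, groups, rights, lifetime_seconds, issued_at):
        policy = {
            "doc_id": doc_id,
            "groups": sorted(groups),
            "rights": sorted(rights),
            "expires_at": issued_at + lifetime_seconds,
        }
        return {"policy": policy, "signature": sign_policy(policy)}

    def revoke(self, doc_id):
        self.revoked.add(doc_id)

    def is_revoked(self, doc_id):
        return doc_id in self.revoked

    def groups_of(self, user):
        return self.directory.get(user, set())


class ErmClient:
    """Client-side enforcement point: decides which actions a user may take."""

    def __init__(self, server):
        self.server = server

    def allowed_actions(self, license, user, now):
        policy = license["policy"]
        # 1. Integrity: reject licenses whose policy was altered in transit.
        if not hmac.compare_digest(sign_policy(policy), license["signature"]):
            return set()
        # 2. Expiry: the "expire in N days" rule is enforced wherever the copy lives.
        if now >= policy["expires_at"]:
            return set()
        # 3. Recall: every open checks the server, so a recalled document goes dark.
        if self.server.is_revoked(policy["doc_id"]):
            return set()
        # 4. Identity: rights are assigned to groups, resolved via the directory.
        if not self.server.groups_of(user) & set(policy["groups"]):
            return set()
        return set(policy["rights"])

    def attempt(self, license, user, action, now):
        return action in self.allowed_actions(license, user, now)


def demo():
    """Walks through the 'employee read only, no forward, expire in three
    days' announcement and a later document recall. Names are constructed."""
    server = PolicyServer({"alice": {"employee"}, "mallory": set()})
    t0 = 1_000_000  # constructed fixed clock so results are deterministic
    lic = server.issue_license("announce-42", {"employee"}, {"read"}, 3 * DAY, t0)
    client = ErmClient(server)
    results = {
        "alice_reads": client.attempt(lic, "alice", "read", t0),
        "alice_forwards": client.attempt(lic, "alice", "forward", t0),
        "alice_prints": client.attempt(lic, "alice", "print", t0),
        "outsider_reads": client.attempt(lic, "mallory", "read", t0),
        "alice_reads_day4": client.attempt(lic, "alice", "read", t0 + 3 * DAY),
    }
    # Tampering with the license to grant "forward" breaks the signature.
    forged = {"policy": dict(lic["policy"], rights=["forward", "read"]),
              "signature": lic["signature"]}
    results["forged_forward"] = client.attempt(forged, "alice", "forward", t0)
    # Document recall: revoke on the server; the next open anywhere fails.
    server.revoke("announce-42")
    results["alice_reads_after_recall"] = client.attempt(lic, "alice", "read", t0 + DAY)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The order of the checks matters for the risks discussed earlier: signature verification comes first so that a license altered on the endpoint is never consulted for rights, and the revocation lookup is performed on every open rather than cached, which is what makes recall effective "everywhere, simultaneously" at the cost of the client depending on the server's availability.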

There are countless other use cases, many focused around satisfying various regulatory compliance requirements. For example, HIPAA patient information can be protected from disclosure no matter where the records travel. Gramm-Leach-Bliley Act compliant audit data can show exactly who has used what documents in an organization. And Sarbanes-Oxley requirements for financial records accuracy and accountability are aided by an ERM system that lets only authorized staff modify records.

Trent Henry is a senior analyst with Burton Group. Write to him at [email protected].

Evaluating ERM

The crop of ERM vendors will change over time, and product features will evolve. To gain longer-term investment protection, organizations must create a rational evaluation framework. To that end, we offer a decision matrix with 30 key questions (see chart at right).

Important considerations for IT include management, integration and security. In addition to typical issues--remote accessibility, hierarchical (delegated) administration, flexibility of the management console, ties to other management infrastructure like security event information management and so on--core to RM are the rights themselves, so policy management is particularly crucial. In addition, ERM cannot be an IT island. It must tie into a wide range of infrastructure elements, not the least of which are your identity management provisioning and directory systems.

As for security, rights management could--and arguably, should--be an essential part of an enterprise information-protection program. It's therefore important for IT to understand the risks and limitations of the technology. ERM is good at preventing accidental disclosure of electronic information and thwarting the momentarily disgruntled employee who may seek to forward sensitive data in a fit of pique. Stopping a determined, malicious attacker is another matter. ERM will reduce the aggregate volume of information leakage, but analog attacks--like a user photographing a document--could still occur. If loss of certain information, such as theft of trade secrets, can seriously damage your business, protect that information with strong physical, logical, personnel and technical controls.

That said, the move toward hardware enforcement could improve the overall security of protected information, so vendors should be queried about their support. Without hardware in place, a dedicated attacker can circumvent any software agent eventually. For example, many organizations figure the cryptography their ERM vendors employ is "good enough" and are considerably more worried about usability and management. Those are important considerations for sure, but the ERM security should still be assessed, and must address key management, ciphers, key lengths, communication channels, analog attack vectors and so on.

Finally, do your due diligence to minimize unpleasant legal surprises. Go beyond tracking a potential vendor's patent holdings, IP licenses and adherence to standards. Also consider the vendor's general attitude about copyright, fair use and the current culture of acceptable rights-management use. Opinions vary considerably, so select a vendor that is aligned as closely as possible to your company's principles.

Must Play Well With Others

To date, standards like the Moving Picture Experts Group's MPEG-21 have largely failed to create interoperable rights management. But it's still a goal, so IT should ask vendors the hard questions, like what license formats are used by the product and how others may be supported.

For interoperability to flourish, two major factors must be considered. First, what is the means for identifying subjects (users)? Unlike consumer DRM, in which downloaded content is sometimes licensed to a particular player rather than a given user, ERM assigns rights based on identity points such as user name, organization, group membership or operational role. ERM systems typically rely on enterprise identity directories to acquire user information, but this technique breaks down when traversing organizational boundaries. For interoperation, the ERM system must rely on inter-enterprise identity management techniques such as PKI or--preferably--Federated Identity. Does the ERM suite being considered support such approaches?

Second, interoperable ERM requires a cross-organizational trust model. ERM systems are based on cryptography and key distribution, but it's essential to know which keys belong to which pieces of infrastructure, and whether they're reliable. Many XML-based messaging systems (ERM included) assume the existence of an underlying trust infrastructure by relying on digital signatures or other mechanisms for integrity and authentication. Unfortunately, short of certification authorities that provide SSL certificates for Web site commerce, there are few brokers of trust that allow scalable, secure message exchange among organizations. This "trust gap" is a fundamental problem for Federated Identity, Web services security and ERM alike. It must be solved for such technologies to achieve ultimate success between enterprises.

Bottom line, IT can expect vendor lock-in when deploying rights management. The result is that organizations tend to deploy ERM for specific data-protection projects or limited user populations, rather than across the entire company. Vendors should take notice.