ERM and document security


Enterprise rights management does more than just control access to your network. It also can help protect the data inside.

Few organizations have more stringent document-management needs than the national security committees in Congress. Until a couple of years ago, one House panel kept sensitive documents in locked cabinets and used a largely manual system to log, route, track and then reroute them, often as many as three weeks later, to members. When a review period ended, staff members collected the papers, as many as 100,000 a year, and locked them up again, but they had no way of knowing whether any had been copied.

To automate and secure the process, congressional information technology staff bought Authentica, an enterprise rights management (ERM) program later acquired by the Documentum division of storage heavyweight EMC. Now employees convert pages to electronic format, encrypt them, assign each a policy that controls how the file can be accessed and used, and then route them by e-mail. When someone tries to open a document, a central policy server grants or denies access based on that policy.

ERM vendors agree that mitigating security risks is the primary driver of federal demand. 'How many times have you picked up the paper and read about an agency that's been embarrassed by someone stealing a computer,' said Bobby Caudill, group manager, global government solutions at Adobe Systems.

Although federal employees appear to be leading the charge, Caudill said there is growing interest among state and local authorities in buying ERM as a data-sharing component of the new fusion centers that are supposed to unite first-responder agencies and jurisdictions. Other vendors noted strong interest among state motor vehicle departments and agencies with large numbers of mobile workers.

ERM 'is something people are now focusing on,' said Keith Johnson, vice president at Liquid Machines. 'The emphasis has shifted from protecting the perimeter to protecting the data. It's a paradigm shift.' The main motivator, Johnson said, was a June 2006 memo from the Office of Management and Budget. 'It says the government needs to encrypt, audit and expire all data. That fits right into the functions of enterprise rights management.'

True enterprise-quality ERM consists of several basic and essential elements: encryption that protects individual documents, a policy mechanism for setting up and enforcing individual or group access rights, and auditing to track and document compliance with security and privacy regulations. You can set policies to control who can read, edit, save, copy, print or forward documents, cut and paste content or capture screens. Expiration can reduce the risk of documents falling into the wrong hands and prevent the use of outdated manuals, a risk that ranges from mere inconvenience to repair errors on critical equipment that have proved deadly. Some vendors, including EMC and Oracle, claim to offer digital shredding: the ability to track down and delete every copy of a document.

The policy-setting and enforcement piece is critical to any ERM tool's usefulness and security, according to several vendors. 'The IT administrators do not administer the classification of documents,' said Andy MacMillan, vice president for product management at Oracle's enterprise content management line. 'It would be a business user,' MacMillan said, one who belongs to a group whose members share the same permission levels for the documents, however those documents are ultimately classified. MacMillan gave the example of a board secretary who secures meeting minutes for distribution to board members.

Users, in contrast, can have authority to classify the documents themselves, including those they create, a model that also boosts scalability because it spares them from having to add people to the list of authorized users. 'When I go to open a document that I'm not permitted to access, I get a Web page that tells me why I can't open it, but also gives a contact to resolve it,' MacMillan said.

Some people refer to the category as information rights management (IRM). But vendors say it is a synonym for ERM, and many mix both terms in their product literature. Don't confuse either one with digital rights management, which denotes similar technology for consumer uses such as the distribution of music and video files.

Perhaps because it is barely past the tire-kicking stage, ERM is that rare category of software dominated by a tiny group of vendors, especially when you exclude companies that sell products, such as e-mail or full-disk encryption tools, that provide only one piece of full-fledged ERM.

Corporate acquisitions played a big part in shaping the current landscape. EMC Documentum bought Authentica Secure Documents to make its current IRM Services, and the Oracle IRM solution is based almost entirely on former Sealed Media technology Oracle acquired along with Stellent. The oldest player still standing under its own name is Liquid Machines, an ERM pioneer with a pedigree that dates to 2001. Rounding out the list are Adobe Systems, a relative newcomer with LiveCycle Rights Management ES but whose Portable Document Format standard has long contained basic ERM, and Microsoft, which offers Rights Management Services (RMS) and IRM for its Office desktop suite.

All vendors employ similar client/server architectures that send users' authentication requests back to a server. The scheme is critical to ERM's functioning, said Dave Mandell, product marketing manager at EMC Documentum IRM. 'It provides the ability to change the rights on a piece of content regardless of where it is or who has it,' Mandell said. Embedding rights mostly in the document and using the server only to authenticate the user's identity does not allow such flexibility, he said.

Despite having similar architectures, the products have some notable differences, said Ray Wagner, managing vice president at Gartner's secure business enablement group. He said Liquid Machines Document Control is a mature product, and he likes the way it shims between the application and the operating system; its support for 65 file formats leads the pack, though he said both Authentica, now EMC, and Sealed Media, now Oracle, historically had strong support for numerous formats.

Microsoft's RMS supports only the company's Office mainstays (Excel, Word and Outlook) and Internet Information Server, but a special version Liquid Machines offers extends it to the broader list, Wagner said. It is closely tied to the newest versions of Windows, including Vista, and benefits from that platform's built-in Kerberos authentication and digital certificate support. The benefit, Wagner said, is that RMS is fairly seamless to users, operating mostly in the background. The drawback, besides working best in Windows-centric networks, is that it doesn't work well outside the organization. It requires the IT department to set up trusted relationships between servers and to manage outside Windows clients, including whether they have the RMS feature activated.

Adobe's ERM, in comparison, is better at working externally because of the ubiquity of Acrobat Reader, though it requires all but PDF, Excel and one type of computer-aided design document to ride along as attachments to PDFs. EMC and Oracle, in comparison, emphasize ERM as components within their broader collaboration tools, Wagner said, but he added that Oracle is still developing the product's role in its overall strategy.

Wagner said the lack of a generic formatting scheme is an industry weakness not likely to be resolved. 'Whoever created a format for a new application would have to agree to the standard format,' he said. But the problem isn't as dire as it may seem, once organizations learn that most of their sensitive information ends up in just a handful of formats. 'For most enterprises, Word, Excel and PDF is enough,' he said.

Still, buyers should ensure that an ERM solution supports their critical formats. 'You have to do some kind of assessment,' he said. 'Figure out the stuff you would want to protect, where it is, and in what format. It's very difficult to do.'

To work properly, ERM must fit into a broader security infrastructure that likely includes physical access systems such as smart cards and logical security, including digital certificates. 'ERM is part of a solution,' Caudill said. 'It's not a solution in and of itself.'

Conversely, experts said, federal agencies' strong push into identity-management systems, spurred in large part by Homeland Security Presidential Directive 12, should provide an infrastructure that makes ERM easier to implement. Johnson explained the relationship between the two by saying authentication guarantees who a user is, while ERM controls what each user can do with the data. He cited Gartner figures that suggest nearly half of employees take sensitive data outside their organization. 'The case has been made that we humans are the security problem that needs to be solved.'

Agencies might wonder how to plan their ERM strategies in light of an April policy bulletin from the National Archives and Records Administration prohibiting the use of ERM and other encryption-related software on documents at the time of legal receipt, saying the technology could impede agencies' ability to meet their records-management requirements. But the policy might not be the death knell to agency ERM that it seems: Vendors say their products can handle the requirements, and NARA sees no inherent conflict.

'We do not believe that this policy will hinder or undermine agency efforts to safeguard materials, classified or other, that require protection from unauthorized disclosure,' said Mark Giguere, lead IT staff person in NARA's records program. Giguere said NARA only requires removing ERM controls from 'the small percentage of materials that have been scheduled and appraised as permanent at the time of transfer to NARA. If ERM vendors have fixes that enable compliance with this policy, they should incorporate those into discussions and presentations with agencies.'

The industry faces other challenges, such as the spread of smart cards and other encrypted authentication devices, which raises potential barriers to collaboration instead of lowering them. More recently, e-discovery is drawing interest, said Jon Wall, a principal technology specialist of federal sales at Microsoft, as agencies worry about their ability to search and index their own documents. 'There's this key-exchange problem that's just inherent in cryptography,' Wall said. As more employees and contractors get issued encryption devices, the potential for conflicts among the devices increases exponentially. 'They have to do this crypto dance,' Wall said, acknowledging that ERM vendors have yet to present a solution.
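The client/server scheme the vendors describe, as an added example that is not part of the original article or of any vendor's product: a toy policy server in Python in which each document is encrypted under its own key, the policy (groups, permitted actions, expiration) stays on the server, every open request is decided and audited there, and revoking the policy stops every copy from opening no matter where it has travelled. All users, groups, document ids and timestamps are constructed for the example, and a SHA-256 counter-mode keystream stands in for a real authenticated cipher so the block runs on the standard library alone.

```python
"""Toy model of the ERM client/server scheme: per-document encryption,
a central policy, expiration, an audit trail, and server-side revocation."""
import hashlib
import os
from dataclasses import dataclass, field

# Actions a policy can control, as listed in the article (constructed names).
ACTIONS = {"read", "edit", "save", "copy", "print", "forward"}


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric XOR with a SHA-256 counter-mode keystream.
    Assumption: this stands in for a real authenticated cipher so that the
    example needs nothing beyond the standard library."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class Policy:
    groups: dict            # group name -> set of permitted actions
    expires_at: int         # unix seconds; 0 means never
    revoked: bool = False


@dataclass
class PolicyServer:
    policies: dict = field(default_factory=dict)    # doc_id -> Policy
    keys: dict = field(default_factory=dict)        # doc_id -> content key
    membership: dict = field(default_factory=dict)  # user -> set of groups
    audit: list = field(default_factory=list)       # one record per request

    def protect(self, doc_id: str, plaintext: bytes, policy: Policy) -> bytes:
        """Encrypt under a fresh per-document key; only ciphertext leaves."""
        key = os.urandom(32)
        self.keys[doc_id] = key
        self.policies[doc_id] = policy
        return keystream_xor(key, plaintext)

    def _permissions(self, user: str, policy: Policy) -> set:
        """Union of the actions granted to every group the user belongs to."""
        perms = set()
        for group in self.membership.get(user, set()):
            perms |= policy.groups.get(group, set())
        return perms

    def check(self, user: str, doc_id: str, action: str, now: int):
        """Decide one request and append an audit record.
        Returns (allowed, reason); reason is None when allowed."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        policy = self.policies.get(doc_id)
        if policy is None:
            reason = "unknown document"
        elif policy.revoked:
            reason = "revoked"
        elif policy.expires_at and now >= policy.expires_at:
            reason = "expired"
        elif action not in self._permissions(user, policy):
            reason = "not permitted"
        else:
            reason = None
        self.audit.append({"time": now, "user": user, "doc": doc_id,
                           "action": action,
                           "decision": "grant" if reason is None else "deny",
                           "reason": reason})
        return reason is None, reason

    def open_document(self, user: str, doc_id: str, ciphertext: bytes, now: int):
        """Client-side open: the content key is released only on a grant."""
        allowed, _ = self.check(user, doc_id, "read", now)
        if not allowed:
            return None
        return keystream_xor(self.keys[doc_id], ciphertext)

    def revoke(self, doc_id: str) -> None:
        """Change rights centrally; every copy, wherever it is, stops opening."""
        self.policies[doc_id].revoked = True


def demo() -> dict:
    """Walk one constructed document through distribution, audit, expiry
    and revocation. Users, groups, ids and timestamps are made up."""
    server = PolicyServer()
    server.membership = {"alice": {"members"}, "bob": {"staff"}, "carol": set()}
    policy = Policy(groups={"members": {"read", "print"},
                            "staff": {"read", "edit", "save"}},
                    expires_at=2_000)
    ciphertext = server.protect("brief-42", b"sensitive committee brief", policy)
    results = {
        "alice_read": server.open_document("alice", "brief-42", ciphertext, now=1_000),
        "alice_edit": server.check("alice", "brief-42", "edit", now=1_000),
        "carol_read": server.open_document("carol", "brief-42", ciphertext, now=1_000),
        "alice_after_expiry": server.open_document("alice", "brief-42", ciphertext, now=2_500),
    }
    server.revoke("brief-42")  # the e-mailed ciphertext is untouched, yet...
    results["bob_after_revoke"] = server.open_document("bob", "brief-42", ciphertext, now=1_500)
    results["denials"] = [r["reason"] for r in server.audit if r["decision"] == "deny"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point to notice is that the distributed ciphertext never changes; only the server-side policy does, which is the flexibility Mandell contrasts with embedding rights in the document itself. The audit list is what the compliance reporting the article mentions would be built from, and a real deployment would bind key release to an authenticated identity (Kerberos, certificates or smart cards, as the article notes) rather than to a bare user name.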

The ERM solution

Implementing an enterprise rights management solution will affect many aspects of your organization. Here are the major questions to consider before committing to a particular solution.

Plan well. Have a clear idea of which risks you must defend against and which you can live with because they involve few users or low-sensitivity information.

Ask how the product's encryption mechanism changes, if at all, the normal use of applications. Provide one or two document workflow examples and ask how the product handles them, making particular note of how much user intervention it requires.

Provide a list of critical document formats and see if the vendor supports all of them, or consider the different levels of protection you might require for each type.

If improved collaboration is your goal, ask whether protection is persistent and travels with information when moved among applications.

Don't accept claims about an audit feature as a simple checklist item. Ask for specifics on what gets tracked and reported to ensure it meets your security compliance requirements under the E-Government Act and Federal Information Security Management Act and privacy mandates such as the Privacy Act.

Don't overlook backup and recovery. Ask how easy it is to establish and enforce rights on this step of the life cycle. A loophole could let an unauthorized user access a document as it comes through the recovery process.

Request evidence of the size of a product's actual deployments. Large numbers could provide proof of the product's scalability, while a small number suggests the opposite.

ERM vendors

Adobe Systems

(408) 536-6000 www.adobe.com

EMC

(508) 435-1000 www.emc.com

Liquid Machines

(877) 885-4784 www.liquidmachines.com

Microsoft

(425) 882-8080 www.microsoft.com

Oracle

(800) 672-2531 www.oracle.com

David Essex is a freelance technology writer based in Antrim, N.H.