ERM and document security

Few organizations have more stringent document-management needs than the national security committees in Congress.Until a couple of years ago, one House panel kept sensitive documents in locked cabinets and used a largely manual system to log, route, track and then reroute them ' often as many as three weeks later ' to members. When a review period ended, staff members collected the papers ' as many as 100,000 a year ' and locked them again, but they had no way of knowing if any had been copied.To automate and secure the process, congressional information technology staff bought Authentica, an enterprise rights management program (ERM) later acquired by the Documentum division of storage heavyweight EMC. Now employees convert pages to electronic format, encrypt them and assign each a policy that controls how the files can be accessed and used, then route them by e-mail. When someone tries to open a document, a central policy server grants or denies access based on the policy.ERM vendors agree that mitigating security risks is the primary driver of federal demand. 'How many times have you picked up the paper and read about an agency that's been embarrassed by someone stealing a computer,' said Bobby Caudill, group manager, global government solutions at Adobe Systems.Although federal employees appear to be leading the charge, Caudill said there is growing interest among state and local authorities in buying ERM as a data-sharing component of the new fusion centers that are supposed to unite first-responder agencies and jurisdictions. Other vendors noted strong interest among state motor vehicles departments and agencies with large numbers of mobile workers.ERM 'is something people are now focusing on,' said Keith Johnson, vice president at Liquid Machines. 'The emphasis has shifted from protecting the perimeter to protecting the data. It's a paradigm shift.' The main motivator, Johnson said, was a June 2006 memo from the Office of Management and Budget. 'It says the government needs to encrypt, audit and expire all data. That fits right into the functions of enterprise rights management.'True enterprise-quality ERM consists of several basic and essential elements: encryption that protects individual documents, a policy mechanism for setting up and enforcing individual or group access rights, and auditing to track and document compliance with security and privacy regulations. You can set policies to control who can read, edit, save, copy, print or forward documents, cut-and-paste content or capture screens. Expiration can reduce the risk of documents falling in the wrong hands, and prevent the use of outdated manuals, which presents risks that range from mere inconvenience to repair errors on critical equipment that have proved deadly. Some vendors, including EMC and Oracle, claim to offer digital shredding ' the ability to track down and delete every copy of a document.The policy-setting and enforcement piece is critical to any ERM tool's usefulness and security, according to several vendors. 'The IT administrators do not administer the classification of documents,' said Andy MacMillan, vice president for product management at Oracle's enterprise content management line. 'It would be a business user,' MacMillan said, one who belongs to the group that consists of users who have the same permission levels to access the documents, no matter how those documents are ultimately classified. MacMillan gave the example of a board secretary who secures meeting minutes for distribution to board members.Users, in contrast, can have authority to classify the documents themselves, including those they create, a model that also boosts scalability because it prevents them from having to add people to the list of authorized users. 'When I go to open a document that I'm not permitted to access, I get a Web page that tells me why I can't open it, but also gives a contact to resolve it,' MacMillan said.Some people refer to the category as information rights management (IRM). But vendors say it is a synonym for ERM, and many mix both terms in their product literature. Don't confuse either one with the digital variety, which denotes similar technology for such consumer uses as distribution of music and video files.Perhaps because it is barely past the tire-kicking stage, ERM is that rare category of software dominated by a tiny group of vendors, especially when you exclude companies who sell products, such as e-mail or full-disk encryption tools, that provide only one piece of full-fledged ERM.Corporate acquisitions played a big part in shaping the current landscape. EMC Documentum bought Authentica Secure Documents to make its current IRM Services, and the Oracle IRM solution is based almost entirely on former Sealed Media technology Oracle acquired along with Stellent. The oldest player still standing on its own name is Liquid Machines, an ERM pioneer with a pedigree that dates to 2001. Rounding out the list are Adobe Systems ' a relative newcomer with LifeCycle Rights Management ES but whose Portable Document Format standard has long contained basic ERM ' and Microsoft, which offers Rights Management Services (RMS) and IRM for its Office desktop suite.All vendors employ similar client/server architectures that send users' authentication requests back to a server. The scheme is critical to ERM's functioning, said Dave Mandell, product marketing manager at EMC Documentum IRM. 'It provides the ability to change the rights on a piece of content regardless of where it is or who has it,' Mandell said. Embedding rights mostly in the document and using the server only to authenticate the user's identity does not allow such flexibility, he said.Despite having similar architectures, the products have some notable differences, said Ray Wagner, managing vice president at Gartner's secure business enablement group. He said Liquid Machines Document Control is a mature product, and he likes the way it shims between the application and the operating system, and its support for 65 file formats leads the pack, though he said both Authentica, now EMC, and Sealed Media, now Oracle, historically had strong support for numerous formats.Microsoft's RMS supports only the company's Office mainstays ' Excel, Word and Outlook ' and Internet Information Server, but a special version Liquid Machines offered extends it to the broader list, Wagner said. It is closely tied to the newest versions of Windows, including Vista, and benefits from that platform's built-in Kerberos authentication and digital certificate support. The benefit, Wagner said, is that RMS is fairly seamless to users, operating mostly in the background. The drawback ' besides working best in Windows-centric networks ' is that it doesn't work well outside the organization. It requires the IT department to set up trusted relationships between servers and to manage outside Windows clients, including whether they have the RMS feature activated.Adobe's ERM, in comparison, is better at working externally because of the ubiquity of the Acrobat Reader, though it requires all but PDF, Excel, and one type of computer-aided design document to ride along as attachments to PDFs.EMC and Oracle, in comparison, emphasize ERM as components within their broader collaboration tools, Wagner said, but he added that Oracle is still developing the product's role in its overall strategy.Wagner said the lack of a generic formatting scheme is an industry weakness not likely to be resolved. 'Whoever created a format for a new application would have to agree to the standard format,' he said. But the problem isn't as dire as it may seem, once organizations learn that most of their sensitive information ends up in just a handful of formats. 'For most enterprises, Word, Excel and PDF is enough,' he said.Still, buyers should ensure that an ERM solution supports their critical formats. "You have to do some kind of assessment," he said. 'Figure out the stuff you would want to protect, where it is, and in what format. It's very difficult to do.'To work properly, ERM must fit into a broader security infrastructure that likely includes physical access systems such as smart cards and logical security, including digital certificates. 'ERM is part of a solution,' Caudill said. 'It's not a solution in and of itself.'Conversely, experts said, federal agencies' strong push into identity-management systems, spurred in large part by Homeland Security Presidential Directive 12, should provide an infrastructure that makes ERM easier to implement. Johnson explained the relationship between the two by saying authentication guarantees who a user is, while ERM controls what each user can do with the data. He cited Gartner figures that suggest nearly half of employees take sensitive data outside their organization. 'The case has been made that we humans are the security problem that needs to be solved.'Agencies might wonder how to plan their ERM strategies in light of an April policy bulletin from the National Archives and Records Administration prohibiting use of ERM and other encryption-related software on documents at the time of legal receipt, saying the technology could impede agencies' ability to meet their records-management requirements.But the policy might not be the death knell to agency ERM that it seems: Vendors say their products can handle the requirements, and NARA sees no inherent conflict. 'We do not believe that this policy will hinder or undermine agency efforts to safeguard materials ' classified or other ' that require protection from unauthorized disclosure,' said Mark Giguere, lead IT staff person in NARA's records program. Giguere said NARA only requires removing ERM controls from 'the small percentage of materials that have been scheduled and appraised as permanent at the time of transfer to NARA. If ERM vendors have fixes that enable compliance with this policy, they should incorporate those into discussions and presentations with agencies.'The industry faces other challenges such as the spread of smart cards and other encrypted authentication devices, which raises potential barriers to collaboration instead of lowering them. More recently, e-discovery is drawing interest, said Jon Wall, a principal technology specialist of federal sales at Microsoft, as agencies worry about their ability to search and index their own documents. 'There's this key-exchange problem that's just inherent in cryptography,' Wall said. As more employees and contractors get issued encryption devices, the potential for conflicts among the devices increases exponentially. 'They have to do this crypto dance,' Wall said, acknowledging that ERM vendors have yet to present a solution.