Enterprise rights management heats up
Enterprise rights management (ERM) software manages and enforces information access policies and use rights of electronic documents within an enterprise. Controlled documents can be e-mails, spreadsheets and financial statements, policy and procedure manuals, research data, customer data, project data, personnel files, intranet pages and other sensitive information. ERM provides "persistent" (continual--regardless of where and when access occurs) enforcement of information access policies to allow an organization to control access to information that needs to be secured for privacy, competitive or compliance reasons.
ERM software is helping companies extend their security beyond just the corporate perimeter--to the documents and even data fields within those documents themselves. That prevents "digital leakage," or loss of organizational data through hackers, competitors or unauthorized employee access or use. ERM is particularly useful in protecting enterprise data in applications that are deployed in a distributed peer-to-peer architecture because there is no server to manage security and access.
Success in the highly collaborative pharmaceutical industry requires that digital leakage be minimized, which good ERM software (and administration) does. In investment banking, NASD (National Association of Securities Dealers) Regulation 2711 requires that the investment bank monitor communications of its research. In consumer finance, personal financial information collected on paper forms and transmitted by fax or other media with very low security can be secured, even directly from a scanner. In importing/exporting cargo, loss of data can cause loss of cargo from theft or terrorist activities. To comply with fast-changing trade regulations and U.S. customs and government initiatives, importers and exporters are deploying ERM software. Research and consulting firms can control access and use of intellectual property through ERM software, and the uses in the public sector for data security are numerous.
Major players in the enterprise content management (ECM) market, such as EMC/Documentum, Stellent and Open Text have added ERM functionality by forming alliances with fast-growing upstarts in the ERM market, such as AirZip Authentica , DigitalContainers, Liquid Machines, SealedMedia, and Informative Graphics . E-mail and content archiving software providers like Symantec/Veritas/KVS have forged relationships with rights management providers, as well. And now, heavies Microsoft and Adobe have even jumped into the rights management marketplace with rights policy servers, meaning that surely it has arrived.
Santa Clara, CA-based AirZip has been a wholly owned subsidiary of Willow Technology since February. AirZip provides ERM software which it OEMs from AegisDRM, a European Union-based company. Stellent, a leading ECM provider, is a reseller partner of AirZip.
Like most ERM products, AirZip FileSECURE controls and tracks access to files and documents inside and outside of corporate networks. It provides global access rights control at the individual file level, but goes beyond simple encryption products, using military-strength AES 256-bit encryption without key management required by Public Key Infrastructure (PKI) management. It also compresses the files for improved transport speed.
FileSECURE protects any file type that can be printed and blocks electronic screen image capture. It enables users to disable access even after a file is sent and protects the information while it is being viewed. FileSECURE ensures that only the intended recipient views a file, and only at the times specified, no matter where the recipient is located--both online and offline. It allows file owners to dynamically change user permissions even after the file has been distributed, and enforces file retention policies to ensure that out-of-date information is not accessible. When a new version is available for distribution, the viewing permission of the old version of the file is revoked. To meet legal and compliance demands, FileSECURE keeps track of who has viewed a file.
Protected files can be shared using any method: e-mail, CD-ROM, FTP download, etc., and the software can be coupled with document scanners and copiers to automatically Scan-Secure-Send documents directly from the scanning device. User accounts and group definitions are synchronized with Microsoft Active Directory, Novell eDirectory and Sun One Directory Server 5.2, which streamlines administration.
Authentica's Active Rights Management also gives organizations the ability to dynamically control documents, e-mail and Web files even after they're distributed to recipients or stored on external networks. The Active Rights Management platform integrates tightly with popular office automation packages, including Microsoft Office and Outlook, Lotus (lotus.com) Notes and Adobe Acrobat. It decrypts information for viewing inside and outside the organization's network, but never makes it accessible unprotected, and ensures content is encrypted at rest after each use. Active rights capabilities can be extended to a variety of applications through a client application program interface (API).
Authentica's Policy Server integrates with e-mail gateway servers and content scanning engines to automatically detect and transparently protect sensitive information, enabling information protection without user involvement. It protects e-mails and documents distributed via Web delivery applications, supporting both active rights and secure delivery policies. The Policy Server leverages existing user directories and authentication systems to create information access policies based on existing users, groups and roles, thereby reducing deployment complexities. It supports LDAP and Windows Single Sign-on (which ensures transparency with user authentication processes), PKI and Digital Certificates for authentication, RSA (rsasecurity.com) SecurID two-factor authentication, and can be extended to support custom authentication systems.
DigitalContainers is more focused on the business-to-consumer digital media (music, video) marketplace. It provides intelligent containers that "wrap" the files in a secure digital shell that can only be opened with a "key" that can be as simple as a password, as individual as a fingerprint, and can be used in conjunction with a patented authorization process in which the container "talks" to remote authorization authorities.
A Digital Container supports secure file and media delivery, including perpetual tracking, authorization, certification and communication of transactional data to trusted third parties across the Internet using any device, including personal computers, PDAs and other wireless devices.
In rich media applications, the container carries graphics on its "cover" for document identification, promotional branding and aesthetic purposes. Those graphics can be GIFs, JPEGs or Flash that can be created with popular desktop image creation software.
The DigitalContainer Secure File Delivery software package can be deployed as either a hosted application service provider (ASP) or in-house solution.
Document Control and Email Control are Liquid Machines' ERM products. Liquid Machines' integration with Symantec/Veritas/KVS provides a comprehensive e-mail management and compliance solution. Policies can be automatically applied to messages without requiring users to change how they use e-mail--no additional clicks are required to send and receive secure messages. E-mail senders do not need to set up any accounts for e-mail recipients before sending messages. KVS/Veritas integration manages the document life cycle and archiving.
Both Document Control and Email Control include:
- Automatic content protection based on corporate policies for persistent control.
- Users work in the native application without extra steps, both online or offline.
- User actions can be audited for compliance reporting.
- User rights are changeable instantly, no matter where the information lives.
Information is encrypted and protected no matter where it is stored or how it is used, including e-mail, portable storage or IM. The user cannot change the policy or remove protection unless authorized. When the user moves information between documents, such as using the clipboard or Adobe Acrobat Distiller, the policy moves with the content, ensuring the enterprise retains control of all protected information.
The enterprise defines and controls user privileges on protected content from a central policy server. If each policy change requires the document to be republished, the enterprise will be constantly searching for these existing files, not to mention the impossibility of changing files on permanent media such as CD-ROM. Multiple roles--or sets of users and privileges--can be defined for each policy to allow different users differing privileges. For example, accounting can print a document but engineering cannot and both groups can read and write.
Compliance often requires that organizations project how secured information may be used for forensics efforts. Any action a user takes with protected information, such as printing or moving via the clipboard, can be audited. Reports are available to authorized administrators using the browser-based server console, Microsoft Excel or reporting tools. E-mail alerts can be configured to support specific company objectives.
The Liquid Machines' client supports existing application versions and operating systems without requiring upgrades or plug-ins. The client is distributed using standard automated deployment tools or a Web-based download. The server connects with Active Directory or LDAP to leverage existing users, groups and authentication. Information is encrypted using industry standards such as DES, AES and RSA. Policies are stored in a standard SQL database. Communication between the client and server occurs using XML over a secure SSL channel.
SealedMedia provides an enterprise ERM solution it terms "Document Sealing," which seals confidential or valuable documents. SealedMedia supports many standard document formats such as MS Outlook, Lotus Notes, MS Word, Excel PowerPoint, Adobe PDF and HTML, in addition to image, music and video formats.
EMC/Documentum is a key strategic partner of SealedMedia in the ECM marketplace. The two combine to offer integrated ECM/ERM solutions. While EMC/Documentum eRoom enables knowledge workers to plan and execute project work and collaborate with extended enterprise teams, Sealed eRoom enables secure Web-based collaboration on projects involving confidential information. SealedMedia ensures that digital information remains persistently protected within the eRoom itself and when files are viewed or edited on remote desktops.
The major elements of the SealedMedia solution include the three software components--the Sealer, the License Server and the Unsealer--and the supported formats.
Content is sealed independently of the right to access it. Rights are stored on a network-accessible server within the organization. Sealed content can be freely distributed, because only those who have rights to unseal the content can access it. That also enables the user to easily restore their secured files after a PC repair or upgrade. Rights to read, print, amend, store and forward before or after a particular time and to work offline for defined periods of time are set individually. Originators have complete control over what recipients can do with the information.
Embargoed information, such as financial results, can be distributed in advance of the deadline, rights being granted from the moment of the deadline.
Informative Graphics provides large-format document management solutions primarily to companies in the manufacturing, construction and architecture markets. It supports integrations to ECM vendors such as EMC/Documentum and Open Text.
Its Visual Rights ERM technology allows users to apply integrated and persistent security controls to documents, drawings and images during the publishing process. Sensitive fields can be redacted (blocked out) based on user permissions. Authorized use of a document can expire, and watermarks and banners can be displayed to reveal rights or copyrights.
The ERM market is heating up, and surely it will see widespread adoption, perhaps supplanting much of the PKI market, particularly in day-to-day office automation activities. ECM providers have already realized the essential functionality ERM provides, and the forging of alliances and complete ERM firm acquisitions will continue at an increasing rate.
Symmetric vs. asymmetric encryption: Is PKI dead?
Using symmetric encryption technologies within the authorization process, such as that employed by DigitalContainers, a key is never transmitted over the Internet, so there's no possible security breach during key exchange. By contrast, asymmetric Public Key Infrastructure (PKI) users can only communicate securely with others who have registered and/or installed the appropriate software provided by the encryption or certificate authority--so what about suppliers or customers?
PKI requires large infrastructure investments to manage the authorizations, and is not an easily scalable solution. Also, PKI users are approved to view the content based on a preinstalled key, which does not secure the unauthorized access for future viewing--only verifying the key is present on a particular machine.
Symmetric encryption is persistent and documents/data remain encrypted by the single private key, and also has distinct advantages for real-time, unobtrusive global secure file delivery. Its proponents claim it offers superior levels of security and tracking over PKI.
Robert Smallwood is a partner with IMERGE Consulting, e-mail robert.smallwood@imergeconsult.com.