Enterprise Rights Management is all I write about, so when I first started this blog it occurred to me that I might not find sufficient material to write on such a narrow topic, but the contrary has been the case and I always get a kick out of finding something to post on my blog. I recently read an article by Yuval Shavit titled “Data security: Alternatives to data leak prevention” on the SearchSecurityChannel website. He listed Enterprise DRM among other encryption tools as an alternative to Data Loss Prevention, but I am reluctant to use the term “alternative”.
Data leak prevention or data loss prevention (DLP) technology monitors and blocks anyone who tries to send potentially sensitive or confidential data outside the corporate firewall. Enterprise DRM on the other hand persistently secures a file no matter where it is located. Unlike file encryption or hard disk encryption, Enterprise DRM secures the content of the file while it is on the move, stored on a hard drive or in use (i.e. being read, printed, or edited).
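To make the monitor-and-block model concrete, here is a toy DLP egress check added as an illustration (it is not code from any DLP product). It inspects outbound messages at a single decision point, allows anything addressed inside the firewall, and blocks external messages that carry a classification marker or a Luhn-valid card number. The domains, markers and sample messages are constructed.

```python
"""Toy DLP egress check: allow internal recipients, block external messages that
carry a classification marker or a Luhn-valid card number.  Added illustration;
domains, markers and sample traffic are constructed, not from any product."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"corp.example"}            # constructed: recipients "inside the firewall"
MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")    # constructed classification labels
# 13 to 16 digits, optionally separated by spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Verdict:
    action: str                                 # "allow" or "block"
    reasons: list[str] = field(default_factory=list)


def inspect(message: dict) -> Verdict:
    """Decide at the egress point only: once a message is allowed out, DLP has no
    further control over the data (the gap that persistent protection addresses)."""
    domain = message["to"].rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return Verdict("allow", ["internal recipient"])
    body = message["body"]
    reasons = []
    for marker in MARKERS:
        if marker in body.upper():
            reasons.append(f"classification marker '{marker}'")
    cards = find_card_numbers(body)
    if cards:
        reasons.append(f"{len(cards)} card number(s) passing Luhn check")
    return Verdict("block", reasons) if reasons else Verdict("allow", ["no sensitive content found"])


# Constructed sample traffic
SAMPLE_MESSAGES = [
    {"id": 1, "to": "cfo@corp.example", "body": "CONFIDENTIAL: Q3 forecast attached."},
    {"id": 2, "to": "friend@mail.example", "body": "Confidential board minutes, do not share."},
    {"id": 3, "to": "shop@vendor.example", "body": "Please charge 4111 1111 1111 1111 for the order."},
    {"id": 4, "to": "shop@vendor.example", "body": "Order ref 4111 1111 1111 1112, call 555-123-4567."},
    {"id": 5, "to": "partner@vendor.example", "body": "See you at the conference next week."},
]


def run_checks(messages=SAMPLE_MESSAGES) -> dict[int, str]:
    """Return message id -> action for a batch of outbound messages."""
    return {m["id"]: inspect(m).action for m in messages}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        v = inspect(m)
        print(m["id"], v.action, "; ".join(v.reasons))
```

Message 4 is allowed even though it contains a sixteen-digit number, because that number fails the Luhn check; this is the kind of tuning real DLP rules need to keep false positives down. Note also that every decision is made once, at the boundary: message 1 is allowed because the recipient is internal, and nothing stops that recipient forwarding it later, which is the point of the contrast with Enterprise DRM.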
Regarding Enterprise DRM, Yuval described it as “the most advanced alternative to data leak prevention software”. Unfortunately, this is an inaccurate description of Enterprise Rights Management, or Enterprise DRM as it is also called. This is evident in the partnerships between DLP and ERM vendors like Liquid Machines, GigaTrust, McAfee and Symantec, who have described their technologies as complementary and not as alternatives.
Yuval also described Enterprise DRM as client-side software. Hmmm! I wonder what he meant by client-side, because it is the server that grants access to DRM secured files by checking the access rights and the defined policies. The server also keeps the audit trail of the file over its entire life. Fasoo has an Enterprise Rights Management file server solution that enables users to drag confidential files to a DRM protected folder, thereby allowing the file to be bound by the policy defined for that folder.
Also in this article, Enterprise DRM software is described as a much more expensive alternative to data leak prevention, which is not entirely the case. Today you can get a server-based Enterprise DRM solution for just under $5,000, while companies like OneHub are among the pioneers in providing cloud-based Enterprise DRM solutions costing a few dollars per month, making them accessible to small businesses and individuals.
However, I do agree with Rob Eggebrecht, senior partner and CEO of BEW Global, a Castle Rock, Colo.-based security consultancy, who in the same article said: “Whereas Enterprise DRM technologies can be applied company-wide, Enterprise DRM is better kept as a tactical tool deployed only in a few key departments.” Very good point, Rob.
What left me a bit confused was the end of the section on Enterprise DRM, where Yuval said: “Depending on your client’s company, you may want to recommend complementing a company-wide DLP deployment with Enterprise DRM in the most at-risk departments, or it may be enough to protect just those departments.” So the question is: complementary or alternative?
I’d be glad to hear your thoughts.
Reference:
Data security: Alternatives to data leak prevention, by Yuval Shavit, Features Writer at SearchSecurityChannel.com
Some organisations may not see the reason for implementing Information Rights Management because, in their view, the “cat has been let out of the bag”, i.e. confidential documents have already been copied many times over. This is the wrong approach, because things will not get better on their own; they will get worse, leading to a potentially embarrassing moment like a data breach.
Implementing Information Rights Management across an organisation can sometimes be challenging, especially if the very documents that you want to secure have already been copied a number of times all over the organisation. The next step for Information Rights Management vendors is to develop software that can crawl the enterprise’s network and secure all documents that have been copied from the original document. Once a copied document has been identified, the policy that was applied to the parent document should be applied to it.
Yes there are a number of questions that still need to be answered, but the benefits could be immense. Maybe this is an idea someone somewhere is already working on!
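One way to approach the crawl-and-re-protect idea described above, as an added illustration rather than code from any IRM vendor: fingerprint every document found on the network and attach the parent's policy to anything that is an exact copy, a reformatted copy (whitespace or case changed), a near-duplicate (text appended or lightly edited) or an excerpt. The file paths, document text and policy below are constructed; the thresholds are assumptions a deployment would tune.

```python
"""Added illustration of crawling a corpus and inheriting a parent document's
policy onto its copies.  Not code from any IRM product; documents, paths,
policy and thresholds are constructed."""
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass

SHINGLE_WORDS = 4        # length of the word n-grams used for near-duplicate detection
JACCARD_MIN = 0.6        # whole-document similarity needed to call something a copy
CONTAINMENT_MIN = 0.8    # share of a candidate's shingles that must come from the parent (excerpts)


@dataclass(frozen=True)
class Policy:
    name: str
    readers: frozenset[str]
    can_print: bool


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalise(data: bytes) -> str:
    """Lower-case and collapse whitespace so re-saved or re-flowed copies compare alike."""
    return " ".join(data.decode("utf-8", errors="ignore").lower().split())


def shingles(text: str, k: int = SHINGLE_WORDS) -> set[tuple[str, ...]]:
    words = re.findall(r"\w+", text)
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if a or b else 0.0


def containment(candidate: set, parent: set) -> float:
    """Fraction of the candidate that comes from the parent; catches short excerpts
    that Jaccard alone would miss."""
    return len(candidate & parent) / len(candidate) if candidate else 0.0


def classify(candidate: bytes, parent: bytes) -> str | None:
    """Return why `candidate` counts as a copy of `parent`, or None if it does not."""
    if sha256(candidate) == sha256(parent):
        return "exact content match"
    cand_text, parent_text = normalise(candidate), normalise(parent)
    if cand_text == parent_text:
        return "normalised content match"
    cand_sh, parent_sh = shingles(cand_text), shingles(parent_text)
    j = jaccard(cand_sh, parent_sh)
    if j >= JACCARD_MIN:
        return f"near-duplicate (jaccard {j:.2f})"
    c = containment(cand_sh, parent_sh)
    if c >= CONTAINMENT_MIN:
        return f"excerpt (containment {c:.2f})"
    return None


def find_copies(corpus: dict[str, bytes], protected: dict[str, Policy]) -> dict[str, tuple[str, Policy, str]]:
    """Map each unprotected path to (parent path, inherited policy, reason)."""
    found = {}
    for path, content in corpus.items():
        if path in protected:
            continue
        for parent_path, policy in protected.items():
            reason = classify(content, corpus[parent_path])
            if reason:
                found[path] = (parent_path, policy, reason)
                break
    return found


# Constructed corpus standing in for files crawled off the network
PARENT = (b"Board strategy memo: acquire the northern distributor in March, then raise "
          b"prices across the region in the second quarter. Budget approved by finance.")
CORPUS = {
    "/shares/board/strategy.docx": PARENT,
    "/home/alice/strategy-copy.docx": PARENT,
    "/home/bob/notes.txt": (b"board strategy memo:  acquire the northern distributor in march,\n"
                            b"then raise prices across the region in the second quarter. budget approved by finance."),
    "/shares/sales/fwd.txt": PARENT + b" Forwarded to the sales team for comment.",
    "/home/carol/snippet.txt": b"Board strategy memo: acquire the northern distributor in March, then",
    "/shares/hr/menu.txt": (b"Cafeteria menu for the week: soup on Monday, pasta on Tuesday, "
                            b"salad on Wednesday, pizza on Thursday, fish on Friday."),
}
PROTECTED = {"/shares/board/strategy.docx": Policy("board-only", frozenset({"board"}), can_print=False)}


def run_crawl() -> dict[str, str]:
    """Return path -> reason for every copy that should inherit the parent's policy."""
    return {path: reason for path, (_, _, reason) in find_copies(CORPUS, PROTECTED).items()}


if __name__ == "__main__":
    for path, (parent, policy, reason) in find_copies(CORPUS, PROTECTED).items():
        print(f"{path}: apply policy '{policy.name}' from {parent} ({reason})")
```

The three tiers matter in practice: hashing alone finds only byte-identical files, normalisation catches re-saved copies, and word shingles catch the forwarded-with-comments and copy-pasted-excerpt cases that are the usual way confidential text spreads. On real file shares the text would first have to be extracted from Office and PDF containers, and the thresholds checked against a sample of known copies before anything is automatically re-protected.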
There are two types of information that need to be protected across the enterprise. The first is structured data, the data you find in database repositories like Oracle, Sybase and Microsoft’s SQL Server. The other is unstructured data, which can be protected by a number of means like file encryption, full disk encryption, access authentication and information rights management.
Structured Data: Security in this area has moved on in leaps and bounds over the last 10 years, but according to the Enterprise Strategy Group, 86% of enterprises feel that their databases are secure, yet 56% have experienced a breach, which indicates that many organisations still have a false sense of security. One of the worst data breach cases has been Heartland Payment Systems, which experienced a breach in 2008 and is still paying out millions in compensation. However, the good news about protecting structured data is that, given the right advice and the right tools, the non-compliance holes can be plugged and the data leak risks that may exist can be eliminated.
Unstructured Data: This is the most challenging type of data to keep a lid on because it is very easy to duplicate and very difficult to track; moreover, structured data is always analysed in an unstructured format that is used to provide strategic direction for the organisation. This means it is easier for your competitors to know what you are doing if there is a rogue or disgruntled employee on the inside. The challenges in protecting unstructured data are defining the data categories, locating where this data is and classifying it before protecting it. Information rights management, commonly called enterprise rights management, and data loss prevention are at the forefront of protecting unstructured data, which would normally exist as boardroom strategies, intellectual property, financial information, trade secrets, etc.
So as you move to protect your information assets there has to be a balance between protecting structured data and unstructured data, to ensure that focusing on only one area of data security does not leave the other area vulnerable, and vice versa.
Comments and feedback welcome.
File Encryption, Full Disk Encryption and now Enterprise Rights Management! What does all this mean, and how are they all different?
File Encryption
- Encrypts individual files / folders
- Requires authentication to decrypt and access files
- May result in out-of-compliance status with mix of unencrypted and encrypted data
- Encryption is not persistent once files are decrypted
- Files protected by file encryption can only be accessed by the persons who have the right decryption key, but can be forwarded to unauthorised persons once decrypted
- The access policy is no longer enforced once decrypted
- You cannot withdraw access rights to the file once decrypted
Full Disk Encryption (FDE)
- Encrypts entire hard drive
- Replaces Master Boot Record with pre-boot environment
- Decrypts automatically as files are accessed; once decrypted, files can be forwarded and distributed freely
- Encryption is not persistent once files are decrypted
- Files protected by full disk encryption can only be accessed by the persons defined as having rightful access to the hard disk
- The access policy is no longer enforced once a file is emailed or transferred from the disk
- You cannot withdraw access rights to the file once it leaves the hard disk
Enterprise Rights Management (ERM)
- Encrypts individual files / folders
- Authentication to access files can be piggybacked on your corporate authentication systems, e.g. Active Directory
- May result in out-of-compliance status with mix of unencrypted and encrypted data
- Encryption is persistent even when files are accessed
- Files protected by Enterprise Rights Management are secured and can only be accessed by the persons and groups defined in the policy of the file
- The access policy can be enforced no matter the geographical location
- You can withdraw access rights to an ERM protected file at any time
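The difference the three lists describe, and the earlier point that it is the server that grants access and keeps the audit trail, can be shown side by side. The code below is an added illustration, not code from any ERM product: in the file encryption model the key travels with the file, so a forwarded copy opens and there is nothing to revoke; in the ERM model the content key stays with a policy server that decides every open against the policy and the directory, logs the outcome, and can revoke a user at any time. It uses only the standard library, so an HMAC counter-mode keystream stands in for a real cipher, and the users, groups, policy and document are constructed.

```python
"""Added illustration, not code from any ERM product: plain file encryption
versus an ERM-style policy server that checks rights on every open, keeps an
audit trail and can revoke access.  Standard library only; the HMAC counter-mode
keystream stands in for a real cipher; users, groups and policy are constructed."""
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256(key, nonce||counter) blocks XORed into the data.
    No integrity protection; XOR is its own inverse, so one function encrypts and decrypts."""
    stream = b"".join(
        hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        for counter in range(len(data) // 32 + 1)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


# --- Model 1: file encryption. The key travels with whoever is given the file. ---
def file_encrypt(plaintext: bytes, key: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def file_decrypt(blob: bytes, key: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


# --- Model 2: ERM. Content keys stay on the server and are released per authorised request. ---
DIRECTORY = {"finance": {"alice", "bob"}}   # constructed stand-in for Active Directory groups


@dataclass
class Policy:
    groups: set
    allowed_actions: set               # e.g. {"read"} or {"read", "print", "edit"}
    revoked_users: set = field(default_factory=set)


class ErmServer:
    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self._policies: dict[str, Policy] = {}
        self.audit: list[tuple] = []    # (doc_id, user, action, outcome) for the file's whole life

    def protect(self, doc_id: str, plaintext: bytes, policy: Policy) -> bytes:
        key, nonce = os.urandom(32), os.urandom(NONCE_LEN)
        self._keys[doc_id], self._policies[doc_id] = key, policy
        self.audit.append((doc_id, "owner", "protect", "ok"))
        return nonce + keystream_xor(key, nonce, plaintext)   # the blob itself may be copied anywhere

    def _authorised(self, policy: Policy, user: str, action: str) -> bool:
        if user in policy.revoked_users or action not in policy.allowed_actions:
            return False
        return any(user in DIRECTORY.get(group, set()) for group in policy.groups)

    def request_open(self, doc_id: str, user: str, action: str, blob: bytes) -> bytes:
        """Every open is a fresh decision, and the outcome is logged either way."""
        policy = self._policies[doc_id]
        ok = self._authorised(policy, user, action)
        self.audit.append((doc_id, user, action, "ok" if ok else "denied"))
        if not ok:
            raise PermissionError(f"{user} may not {action} {doc_id}")
        # in a deployment the key would go to a trusted client agent for this use only
        return keystream_xor(self._keys[doc_id], blob[:NONCE_LEN], blob[NONCE_LEN:])

    def revoke(self, doc_id: str, user: str) -> None:
        self._policies[doc_id].revoked_users.add(user)
        self.audit.append((doc_id, user, "revoke", "ok"))


def _denied(call) -> bool:
    try:
        call()
        return False
    except PermissionError:
        return True


def demo() -> dict:
    secret = b"Q2 pricing plan: raise list prices 8% in May."   # constructed document
    results = {}
    # File encryption: forwarding the file means forwarding the key; nothing to revoke.
    key = os.urandom(32)
    blob = file_encrypt(secret, key)
    results["fe_forwarded_copy_opens"] = file_decrypt(blob, key) == secret
    # ERM: the same kind of forwarded blob is useless without a grant from the server.
    srv = ErmServer()
    blob = srv.protect("pricing.docx", secret, Policy({"finance"}, {"read"}))
    open_as = lambda user, action: srv.request_open("pricing.docx", user, action, blob)
    results["erm_alice_reads"] = open_as("alice", "read") == secret
    results["erm_alice_prints"] = not _denied(lambda: open_as("alice", "print"))
    results["erm_outsider_reads"] = not _denied(lambda: open_as("outsider", "read"))
    srv.revoke("pricing.docx", "alice")
    results["erm_alice_reads_after_revoke"] = not _denied(lambda: open_as("alice", "read"))
    results["audit_events"] = len(srv.audit)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the run makes visible: the ERM blob can sit on a home directory, a USB stick or a partner's mailbox and still be useless without a grant, and the server's audit list records the denied print and the outsider's attempt alongside the successful reads, which is the trail the first post refers to. The model's weak point is the client side: once a grant has released the key to a client agent, it is that agent, not the server, that has to honour the "read but not print" distinction.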
References:
PGP Corporation: Building the Business Case for Endpoint Data Protection, by Shilpi Dey, CISSP, Senior Product Marketing Manager