Mar 03 2011

Controlling Confidentiality: Enterprise Rights Management

Here's a look at technology that can help agencies protect sensitive documents.

Given the flood of sensitive documents exposed through WikiLeaks, government agencies are under more pressure than ever to protect sensitive and confidential information on enterprise networks.

Enterprise rights management technology is one way that agencies can protect data from unauthorized access when documents are shared internally or with other agencies, partners, citizens or service providers. Also called information rights management or enterprise digital rights management, ERM tools offer organizations a way to control who has access to a document from the point of creation. Those controls remain persistent with the document throughout its life or until they are turned off.

Leading makers of ERM products today include Adobe, EMC, Microsoft and Oracle, as well as Check Point, which acquired Liquid Machines last year and plans to begin integrating that company’s technology into its products at some point this year.

“There are some situations where [ERM] is needed; if you’ve got ultra-sensitive data that needs to be protected for a short period of time and shared with a small group of people — say, 50 or 100 — you would use ERM for that,” says Eric Ouellet, vice president of security and business enablement research with Gartner.

Ouellet offers the example of Apple wanting to distribute product information about a new version of its iPhone to a select group of people and control access to the documents only until the new device is released; in this case ERM could control who has access to the documents — and define whether they can view, print, or save the file — but include an expiration date that turns off those controls after the product hits the market and the documents are no longer sensitive.

ERM products typically comprise three elements: identity controls, which can be leveraged from those already set in identity and access management products; cryptographic controls, including encryption and digital signatures; and access controls that define what actions (view, edit, copy or print) a user is permitted to perform on a given document.

662: number of data breaches reported to the Identity Theft Resource Center in 2010, up from 498 in 2009 (source: The Identity Theft Resource Center)

ERM tools can tailor the controls on a given document to allow different entitlements for different users; for example, one user may be able to view only a document’s abstract, while another can view it in its entirety, Ouellet says. Users can create different levels of access within one document, instead of having to create multiple versions of the document to assign different privileges to different users, he adds.
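To make the three elements described above (identity, cryptographic and access controls), the expiry behaviour in the product-launch example and the per-section entitlements concrete, here is an added Python model that is not from the article or from any vendor's product. It wraps a document whose sections are encrypted at creation and whose policy travels with the file, and a rights server that checks identity, entitlement and expiry every time a section is opened; the document id, user names, policy fields, master secret and the toy HMAC-based stream cipher are all constructed for this demo.

```python
import hashlib
import hmac
import json

# Constructed demo secret held only by the rights server; it never ships with the file.
MASTER_SECRET = b"constructed-demo-master-secret"

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode) so the demo runs on the
    standard library alone; a real product would use an authenticated cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _section_key(doc_id: str, section: str) -> bytes:
    # One key per section, so "abstract only" is a genuinely different key from "full text".
    return hmac.new(MASTER_SECRET, f"{doc_id}/{section}".encode(), hashlib.sha256).digest()

def _policy_mac(doc_id: str, policy_json: str) -> str:
    return hmac.new(MASTER_SECRET, f"{doc_id}\n{policy_json}".encode(), hashlib.sha256).hexdigest()

def protect(doc_id: str, sections: dict, policy: dict) -> dict:
    """Wrap a document at creation: every section is encrypted, and the policy that
    travels with the file is bound to it by a MAC so it cannot be edited en route."""
    policy_json = json.dumps(policy, sort_keys=True)
    return {"doc_id": doc_id, "policy": policy_json,
            "policy_mac": _policy_mac(doc_id, policy_json),
            "sections": {name: _keystream_xor(_section_key(doc_id, name), text.encode()).hex()
                         for name, text in sections.items()}}

def open_section(doc: dict, user: str, section: str, action: str, now: int):
    """Rights-server check made on every open. Returns the section plaintext if
    `user` may perform `action` on `section` at Unix time `now`, otherwise None."""
    if not hmac.compare_digest(_policy_mac(doc["doc_id"], doc["policy"]), doc["policy_mac"]):
        return None  # policy has been tampered with: refuse before even reading it
    policy = json.loads(doc["policy"])
    if now < policy["controls_until"]:  # until the expiry date the per-user rules apply
        grant = policy["users"].get(user)
        if grant is None or section not in grant["sections"] or action not in grant["actions"]:
            return None
    # after controls_until the issuer has switched the controls off (the article's
    # product-launch case), so the section is released to whoever asks for it
    key = _section_key(doc["doc_id"], section)
    return _keystream_xor(key, bytes.fromhex(doc["sections"][section])).decode()
```

Because the policy is MAC-bound and the keys live only on the rights server, a recipient who forwards the file passes on the controls with it, which is the "security within the document itself" property the article describes.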

Although encryption is one aspect of ERM, the control that these tools offer gives greater protection against unauthorized access to documents than encryption alone.

“The thing with encryption is, once you send an encrypted document to someone and it’s decrypted, then they can send it on to whomever they want,” says Peter Abatan, an ERM adviser who runs the Enterprise Digital Rights Management website. “With ERM, the security is within the document itself, so whether the document is being viewed or sent via e-mail to another person or on any storage medium like a USB key, the security is permanent.”