Wednesday Oct 22, 2008

Where is Enterprise Digital Rights Management Going?


Trent Henry, an analyst from the Burton Group, has recently blogged about the future of what the Burton Group refers to as Enterprise Digital Rights Management (E-DRM), more commonly referred to these days as IRM. Trent blogs his views on the future of IRM after he was approached by numerous people at a recent Burton conference in Prague, all asking, "Where is E-DRM going?" He confirms that the space has changed significantly in the past 18 months: the two leaders in the space have now been acquired by larger companies, Authentica by EMC and SealedMedia by Oracle.

Trent observes that one area being focused on is the fact that IRM brings with it yet another set of users, groups and policies to be managed by the enterprise. One way to mitigate this is to integrate the IRM system with the enterprise content management (ECM) system, so that security can be managed in ECM and applied automatically, via the integration, to the document security solution.

"It’s clear that vendors are solving one typical objection to E-DRM: the management of yet another silo of policies."
Trent Henry, VP and Research Director, Burton Group

This is one approach that Documentum, a content management company, has focused on. The Authentica IRM technology is now embedded into the Documentum content management system, allowing access to content to be managed and controlled from the content management system itself.

Oracle have also released a similar integration where Oracle IRM can be integrated with the Oracle Content Server to allow for the automated protection of content as it is checked into the content management system.

Oracle, however, believes this is only part of the total IRM solution. IRM is a core technology that applies not only to content within the repository, but also to the protection of data exported from financial, engineering and other applications such as Agile, Hyperion and Siebel. We also recognize that only a small percentage of content actually resides in the repository. If your IRM solution only works on the document repository, what do you do about all the other content?

This is why Oracle IRM is working not only to integrate with content repositories and applications, but also to integrate with identity management technologies and collaboration systems like Oracle's Beehive. To enable these integrations, the next release of the Oracle IRM server, 11g, ports the entire server into the Oracle Fusion Middleware environment. This allows other development groups within Oracle to put IRM functionality into their own systems. It also allows customers to integrate IRM with their home-grown custom applications. One customer I spoke to recently had a requirement to leverage a large application they had already built to manage the rights concerning employees that fall under foreign national compliance regulations. With the new Oracle IRM server they can simply integrate with this customised application, which already contains all the users, groups, rights, roles and policies.

Trent goes on to speculate about where this is all going:

  • We have cautious optimism that E-DRM will continue to receive uptake, even though today’s deployments tend to be relatively small and tactical.
I agree. I have visibility of many customers requiring IRM, and although it is initially deployed for tactical solutions, we do have customers using Oracle IRM across the entire enterprise.
  • We expect vendors to enhance protection, making use of trusted platform modules for integrity validation and hardware cryptomodules for improved cryptography handling.
Absolutely, the next release of Oracle IRM will present a huge leap in the ability to integrate the server with a variety of different systems.
  • We expect additional integration between rights management and content management solutions.
No need to expect, 'tis already done.
  • Ultimately, we think there will be interesting synergies between virtualization and E-DRM, where mobile workloads (on virtual machines) and the sensitive content they contain can be managed, tethered, and persistently secured via rights-management no matter where a machine image lands.
An interesting point of view. IRM will always focus on protecting an object such as a document or email. Therefore, no matter where this item resides, be it in a virtual environment or elsewhere, IRM persistently has control.


Monday Jul 21, 2008

Upsetting your employees 101: Ban the use of iPods...

One way to guarantee annoying your employees: ban them from using cool and useful technologies. This is exactly what Jim Hereford from NextSentry seems to be suggesting. In his podcast with MacVoices he describes the risk of mass storage devices being used in the enterprise and calls for the banning of iPods and other cool devices. He even comments that the PDA/phone is a risk.

His solution? NextSentry develops a product called Active Sentry, a perimeter security technology which monitors activity on your computer and prevents the copying of data to CD/DVD, USB devices, and instant messaging networks. It also controls printing, forwarding of emails etc. In effect it locks down the corporate desktop to ensure a user cannot copy information outside the boundaries of the controlled enterprise. Bizarrely, Active Sentry doesn't work at all on Macintosh operating systems... how odd that they would give an interview to MacVoices.

But what if you legitimately want to share information across these perimeters? The following are a few simple use cases I come across in my working week.

  • I want to legitimately email documents to an external party, such as a customer or partner.
  • Weekly I back up my important files, often the most sensitive, to a remote drive. I have had two laptop hard disk failures in the past year!
  • For me, the quickest way to copy files between machines is via USB flash drives. Countless times I am sharing documents with my co-workers in meetings by passing a USB drive around.
  • I attend meetings using a shared computer hooked up to the projector; I carry my presentations and supporting documents on a USB flash drive and then copy them to the shared machine.
  • I use my iPod to listen to the excellent Digital Planet broadcast from the BBC as well as Oracle podcasts which I sync from the office before I drive home.


I'm sure there are many more cases where users in the enterprise environment need to use sensitive data across classic network boundaries. How frustrated would you be if a technology like Active Sentry kept interfering with your working day?

Lisa Vaas posts on the eWeek Security Watch blog, picking up on the fact that "Banning the popular devices would be an unpopular move. Employers themselves are using iPods for convenient employee training. NextSentry's release referred to an Oct. 25, 2006 Wall Street Journal article that described some examples, such as National Semiconductor spending $2.5 million on video iPods for its 8,500 employees, including those overseas, for training purposes and company announcements."

Unpopular indeed! This is a great example of how companies are using new technology to share information with their users using a very familiar device.

She also mentions other rising technologies which are attempting to control the flow of sensitive data. "As portable storage devices shrink in size and gain in storage capacity, they pose an ever greater risk to organizations. Third-party security products have emerged to address this threat. For example, Safend markets an auditor that keeps an eye on every port in an enterprise, from USB to WiFi and Bluetooth. Another Safend product allows the definition and enforcement of security policies to control how ports and devices are accessed. DeviceLock is in the same space, as is SecureWave."

So the message from the above is: constantly keep looking for new security holes in your environment, purchase a technology to plug each hole, and then prevent your employees from using new devices and ways of sharing information!

You could of course take a much more balanced approach and implement Information Rights Management (IRM). Because IRM protects documents and emails directly (not indirectly, as a side effect of protecting the perimeters within which some of the copies are stored), you do not need to be so strict about the locations to which the content is ultimately copied or forwarded. You do not need the draconian approach of banning all these really useful devices such as USB drives and iPods. It doesn't matter where the information ultimately ends up; IRM ensures only authorized users gain access.

Oracle IRM has long realized, by working with many large corporate environments, that security must come hand in hand with usability. If the security of a technology interferes too much with end users' existing workflows, it is ultimately less effective. Users find ways around the security mechanism, such as working on sensitive documents on home machines because the corporate desktop is too painful to use. Oracle IRM therefore places as much emphasis on the user experience as it does on its patented security techniques.

These Data Loss Prevention (DLP) and content monitoring technologies do have some very useful features, however. They can use natural language filters to look for content that is deemed sensitive and then take remedial action. This would work very nicely with IRM: if a user is moving content past a monitored point and it has not been protected with IRM, it could be automatically sealed at the perimeter.

So free up your employees. Don't ban their devices. Stop trying to monitor an ever increasing array of storage devices, file sharing networks, and cool technologies. Instead use IRM to protect the document throughout its entire life cycle – from creation to archival, no matter where it goes, no matter who tries to open it.

Wednesday Jul 16, 2008

Response to Jon Oltsik on ERM

Jon Oltsik, a senior analyst at Enterprise Strategy Group, recently posted the article titled "ERM: The forgotten data security space". He comments on the ERM space, now more usually called IRM, as a forgotten technology with regard to data security. DLP is also discussed as another technology which addresses the problem of trying to protect your sensitive data.

He comments on two particular ironies that have, over the past few years, resulted in the consolidation of these two technology spaces.

Ironic point No. 1: DLP vendors are now adding ERM-like functionality like data usage policy enforcement into their products. I guess this means that as users get a better understanding about their data and how people use it, they realize that they need better ways to control these activities.

Very true. DLP only protects at a gateway where the information passes, such as a firewall or virus scanner. Yet there are so many ways in which content can be distributed, such as copying to USB flash keys, sending via non-corporate email, or sharing over peer-to-peer networks such as Gnutella and KaZaA. IRM, however, applies the controls at the document or email level, so it doesn't matter where or how the content is distributed; IRM persists the security.

Ironic point No. 2: ERM vendors like Adobe Systems, Liquid Machines, and Microsoft that were able to ride out the market storm are now in high demand. Users finally recognize the value here.

Thankfully for me, also very true... although Jon forgot to mention the market leader in IRM; I'll excuse him this one time. Oracle IRM, formerly SealedMedia, is the market leader in terms of large-scale enterprise deployments. He closes his rather short article stating that "ERM, as an adjunct to DLP or as a standalone security suite, will ultimately benefit users and investors alike."

Indeed, DLP and IRM are on an intersecting path via partnerships, acquisition or development. Both aim to control the distribution of, and access to, an organization's most sensitive content, but do so in very different ways. IRM is designed to offer persistent information security controls at the content level. DLP mostly grew from outbound acceptable-use content filtering, such as virus scanners, and is still regarded as quite a new technology. DLP vendors would be wise to seek partnerships where mature IRM technologies, like Oracle IRM, can be integrated alongside.

When DLP and IRM are combined, the result moves the enterprise closer to the goal of having its corporate protection policies actually applied to the masses of unstructured sensitive content being distributed everywhere. If you then add GRC-style applications and auditing technologies to the mix, the enterprise is very close to complete control and deep visibility of its data in use, well beyond its physical and virtual perimeters.

I plan to write a more detailed article comparing DLP and IRM; keep an eye on this blog.


Oracle IRM protects and tracks your sensitive information no matter where it goes. It combines business friendly encryption with role based usage rights and auditing.