This month's Super Group focuses on protecting data under a variety of circumstances. First, we look at digital rights management (DRM). DRM lets us send data wherever we want while dictating what can be done with it.
Data leakage prevention, sometimes called extrusion prevention, has a different objective. In this case, we want to keep our data where we put it and we do not want unauthorized users to remove it.
Finally, we have a twist on DRM: license protection. In this case, we usually have some sort of app whose use we want to control in accordance with our end-user license. This is the familiar copy protection dongle that we see regularly, especially on big-ticket applications.
DRM has multiple levels of protection depending on the product and the data being protected. One of the simplest functions is watermarking. This places a notation, or "watermark," in the file, such that it cannot be removed. Other functionality present with some products includes prevention of printing, emailing, copying, deleting and editing protected files. Some products allow a self-destruct policy for the file.
When buying a DRM product, consider carefully why you are applying it. DRM is not a substitute for encryption. It is intended to allow controlled access, rather than to deny all access. However, like all of our product types this month, it might include encryption.
Data leakage products sometimes can be confused with endpoint management products. Many endpoint protection systems do a rudimentary form of DLP by preventing the use of thumb drives or other peripherals. However, for this review we concentrated on products whose primary function was to protect data, wherever it lies in the enterprise, from being removed without authorization. Perhaps the most insidious type of data leakage is that facilitated by malware. Unfortunately, positive control of that problem still is a bit of a Holy Grail. There are some good efforts, but this is a very hard problem.
When buying DLP, look at what types of extrusion you are addressing. Also, look at what endpoint protection you have in place - or plan to have - and focus on augmenting it in functional areas over which you do not have control. Here, as with most enterprise products, centralized management is a key issue. This means the ability to deploy, provision and manage the product over the enterprise. It means that where identity management of some sort is required, there are clear connections to something, such as lightweight directory access protocol (LDAP) or Active Directory. The user should be able to access the benefits of the product transparently from any workstation in the enterprise where they have authorized access.
Finally, the twist on DRM: license protection. These are products that offer some sort of copy protection. For high-value products, the cost of the hardware key (USB dongle) is absorbed easily in the price of the product. Piracy of such products may have serious consequences - from the proliferation of pirated copies of very expensive software to uncontrolled availability of dangerous products, such as penetration testing tools.
When buying this type of copy protection, consider how you intend it to be used. This is an application that usually is used by developers. There are two ways to approach this. One is to use a license server that allows anyone authorized to access the resource to do so, but does not allow access if the dongle is not in the license server. This is an economical way to allow universal access to an application that is copy protected. Many of these license servers are configured to allow a certain number of licenses.
If you are a developer and are building license protection capability into your code, the parameters will be straightforward. If you are using the envelope approach, be sure you understand what works and what does not.