Content

Document Security 2006

Wikipedia defines enterprise digital rights management as: "... Enterprise digital rights management (E-DRM) refers to the use of DRM technology to control access to corporate documents (Word, PDF, TIFF, AutoCADfiles etc) ..."

For this group of products we analysed individual capabilities of products that meet this definition. What we found was that, if you disregard cost, there is something for everyone. If, on the other hand, cost is a factor, you need to understand your requirements very well in order to justify the - often high - expense of protecting your documents.

The general capabilities of the E-DRM products we tested were very similar. They allow encryption of documents, protection in transit and at rest, designation of permitted users of individual documents and disposition of the documents when in use. This includes allowing the document contents to be copied, printed or screen-captured. Some products have considerably more capability, determining what content is allowed to be transferred out of the organisation, for example.

What differed was the overall feature set, how the product worked and the pricing model. Feature sets ranged from the baseline to those with additional capabilities such as identifying documents that have credit card numbers in them. The number of file types covered stretched from a few standard types (Office, graphics formats etc) to more than a hundred.

The architecture came in three configurations. The simplest of these resides on the desktop and manages the documents leaving that desktop. This assumes that the user is going to determine the characteristics of the document before transmitting it. The recipient needs software to receive the document and enforce the sender's restrictions.

The second architecture is the gateway. This is an in-line device that inspects every file passing through it. The final option is the client-server configuration, where an agent resides on the desktop and communicates with a server to enforce E-DRM policies from the desktop outwards.

Additionally, we found that some products require extensive interaction with third-party products, typically MSSQL or Microsoft SQLServer. These can be very difficult to configure, and you would benefit from the help of a database administrator. The upside is that they can handle massive enterprises.

The bottom line for these products is that they can serve a very important function for organizations where the control of intellectual property and trade secrets is critical. However, they come at a price, not just in terms of an, often hefty, cash outlay, but also in human resources for managing the systems. You must examine your requirements carefully if you want to select the most effective and cost-effective product for your needs.

How we tested
These products need to be set up and used in order to evaluate them. But before we got that far, we were concerned about the difficulty of implementation and the scalability of deployment. If an engineer needs to look at every workstation in order to install the product enterprise-wide, costs quickly escalate. On the other hand, if deployment involves complicated third-party product interactions, you need to have the relevant experts readily available.

We had concerns regarding user interaction as well. There needs to be enough control so that either the user or the administrator has a rich set of features to customise the task at hand. We were interested in the features available to the user.

Finally, we wanted to know what it takes to make the products fail. Under the premise that critical documents might be so protected that they could not be extracted, we wanted to know whether normal use as anticipated by the suppliers' developers posed any danger to protected files. Generally we found that the products performed securely.

Because this class of product is applicable to both large and small implementations as well as extrusion prevention, we selected three Best Buys: one in the desktop category, another specifically addressing large enterprises and one designed for extrusion prevention. The extrusion prevention products really are on the periphery of the digital rights management domain but important nonetheless.

That said, we issue the same caution that we always do with encryption products. Use them right, install them correctly and keep secure backups of clear text versions of documents that you simply cannot afford to lose.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.