Rights of Passage

Computerworld - When Corning Inc. began selling products for military and aerospace use, the optical-fiber and cabling product manufacturer needed a way to show that it was following export controls and handling sensitive documents properly. "The government regulations are very explicit," says James Scott, director of knowledge and information management. To meet those requirements, the Corning, N.Y.-based company deployed enterprise rights management (ERM) software from Liquid Machines Inc.

Corning's research and development staff uses the software to encrypt critical documents and apply rules that determine not just who has access to the files but also whether they can print, copy or forward them to others. The system also establishes a chain of custody, providing an audit trail of who accessed a document when and what they did with it. "We can put our hands on our hearts and say we know we are compliant," Scott says.

Government contractors such as Corning aren't the only organizations thinking about document security these days. Recent high-profile data thefts and government regulations covering everything from financial disclosure to customer privacy have businesses worrying about where sensitive e-mail is going. IT organizations are struggling to control both dissemination of and access to corporate data contained in e-mail messages, Word documents or other electronic document formats. Leaked customer data or an untimely release of financial information can lead to public embarrassments as well as legal fines.

But Corning, like many other organizations with large R&D investments, has another concern: protecting documents pertaining to intellectual property that it's developing. "Many companies are very lax in their understanding and use of [ERM] as a way to protect their intellectual property," Scott says.

ERM Inside

Like digital rights management software, ERM products lock documents by encrypting them. But while DRM focuses on the consumer, ERM systems are designed to support document security policies both within and between businesses and to provide an audit trail.

In an ERM system, a policy server stores encryption keys, authorizes user access to documents and maintains policy templates that store rules that dictate what users in different roles can do with different classes of documents. Users then apply those policies to documents as they create them. Most products require users to run agent software or plug-ins designed to work with specific applications, such as Microsoft Word or Internet Explorer. Others, such as Microsoft Corp.'s Rights Management Services (RMS), require that applications be modified to natively support the ERM system's application programming interfaces (API). Most also require an identity management infrastructure.

"If you don't have an enterprise directory, it will be more challenging," says Trent Henry, an analyst at Burton Group in Midvale, Utah.