Enterprise DRM Back to the Fore

Our security manager had lost funding for his effort to protect IP, but the CIO puts it back on the table.

The CIO called me into his office recently to show me something. I’ve learned that when he wants to show me something, I should be prepared to spend some long nights at work. That’s what happened this time as well.

What he wanted to show me was related to digital rights management. I have mentioned before that I have tried to deploy enterprise rights management to protect our company’s intellectual property. With DRM, one can encrypt a document and then “wrap” it in a digital envelope that applies certain permissions or policies to it. Permissions can be as simple as a list of authorized recipients, and policies can do things like restrict the recipients’ ability to copy and paste, save, print or send.

My initial attempt at deploying DRM was not very successful. As the project manager, I had defined most of the requirements, researched vendors and selected a single vendor to conduct a pilot. I had even gone so far as to have a Solaris server configured, and all that was left to do was to obtain the rights management server software. But then funding for the project was “deferred.” That was just a nice way of telling me it had been cut.

I still haven’t seen any funding. When I was hired here, I was told that protecting intellectual property was a priority, so you would expect executives to be excited about deploying DRM. It’s quite funny, actually, when I think about the countless hours I’ve spent researching and conducting project management meetings for various initiatives that have never received funding. I don’t mind doing the work; I always learn something, since most initiatives involve either new and emerging technologies or something I’ve deployed in the past but need a refresher on.

As the manager, though, I have to be careful not to get too involved in projects, since I have a department to run and don’t have time for things like configuring servers. That was thrown to the side, however, when the CIO called me in.

He had spent the previous evening playing around with the Microsoft Windows Rights Management Services (RMS) client and demonstrated it to me using his Microsoft Passport. Passport, now called Live ID, was designed as a universal log-in service. It’s supposed to let users log into many Web sites using one account, though it has never really caught on. But RMS can use Live ID as a valid credential to encrypt and verify a user’s association with a document or some other electronic content. My CIO was so excited, he wanted to set up a demonstration for a group of executives on the Intellectual Property Protection Steering Committee. His idea is that if he can convince them that RMS is a worthwhile technology, they will fund an initiative to revisit DRM.

RMS is an appealing method for DRM, since the client and server software are freely available and most Microsoft Office applications are already RMS-enabled. There is a per-seat cost once deployed, but there is no initial cost for the software.

Passport Problems

I agreed to a proof-of-concept deployment of RMS, but we won’t be using Live ID credentials. Live ID requires users to create the identification, which could cause some problems. I created a Passport ID many years ago, using my Yahoo e-mail address for validation. Unfortunately, I wasn’t able to use the same ID within my company, since I couldn’t bind my corporate e-mail address to my existing Passport ID.

So instead, we’ve installed the Microsoft Rights Management Server. The idea is that the RMS client will talk to Active Directory to obtain the location of the RMS server. (You have to configure what is called a “service connection point” within your corporate Active Directory infrastructure.) Once the client makes the connection to the server, it obtains the policies that apply.

This has turned out to be a clean and easily controlled method for deploying RMS. The installation of the server software took all of 10 minutes. For our proof-of-concept demonstration, we created two policies. The first we called the Intellectual Property Protection Steering Committee Only, or IPPSC-Only, policy. A document or e-mail with that policy applied can be opened by only the half-dozen members of the group with read-only privileges. With this policy, we’re demonstrating that we can allow a small group of people to share documents among themselves. If you’re not a member of the group, you won’t be able to open the document or e-mail, even if you’re an employee of the company.

The other policy, which we called Internal Use Only, allows anyone in the company with a domain account to open a document or e-mail. There are no other restrictions, so as long as you’re an employee, you should have full control over any document or e-mail that has this policy attached.

I had our Windows expert create an install package so that the client could be installed with minimal effort by the end user. Remember, the audience for this test is a bunch of executives. If they have to click though a lot of install screens, they’ll claim that the software isn’t user-friendly.

The presentation to the steering committee went well, but naturally there were a number of questions, all beginning with “suppose.” For example, “Suppose that I needed to view a protected document at a customer site,” or, “Suppose I wanted to send a protected document to someone who wasn’t an employee.” I have a list of about 15 such questions that I will have to research and answer. But the goal of this proof of concept was to introduce a group of executives to a technology that, if deployed properly, could prevent the theft of intellectual property and save the company money. I believe I accomplished that goal. For now, I’ll just sit back and wait for the checkbook to open.

What Do You Think?

This week’s journal is written by a real security manager, “Mathias Thurman,” whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com, or join the discussions in our security blogs: computerworld.com/blogs/security

To find a complete archive of our Security Manager’s Journals, go to computerworld.com/secjournal


Copyright © 2006 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon