Rights of Passage

Enterprise rights management software ensures that sensitive documents and e-mail can be circulated and don't end up in the wrong hands.

When Corning Inc. began selling products for military and aerospace use, the optical-fiber and cabling product manufacturer needed a way to show that it was following export controls and handling sensitive documents properly. "The government regulations are very explicit," says James Scott, director of knowledge and information management. To meet those requirements, the Corning, N.Y.-based company deployed enterprise rights management (ERM) software from Liquid Machines Inc.

Corning's research and development staff uses the software to encrypt critical documents and apply rules that determine not just who has access to the files but also whether they can print, copy or forward them to others. The system also establishes a chain of custody, providing an audit trail of who accessed a document when and what they did with it. "We can put our hands on our hearts and say we know we are compliant," Scott says.

Government contractors such as Corning aren't the only organizations thinking about document security these days. Recent high-profile data thefts and government regulations covering everything from financial disclosure to customer privacy have businesses worrying about where sensitive e-mail is going. IT organizations are struggling to control both dissemination of and access to corporate data contained in e-mail messages, Word documents or other electronic document formats. Leaked customer data or an untimely release of financial information can lead to public embarrassments as well as legal fines.

But Corning, like many other organizations with large R&D investments, has another concern: protecting documents pertaining to intellectual property that it's developing. "Many companies are very lax in their understanding and use of [ERM] as a way to protect their intellectual property," Scott says.

ERM Inside

Like digital rights management software, ERM products lock documents by encrypting them. But while DRM focuses on the consumer, ERM systems are designed to support document security policies both within and between businesses and to provide an audit trail.

In an ERM system, a policy server stores encryption keys, authorizes user access to documents and maintains policy templates, which hold the rules that dictate what users in different roles can do with different classes of documents. Users then apply those policies to documents as they create them. Most products require users to run agent software or plug-ins designed to work with specific applications, such as Microsoft Word or Internet Explorer. Others, such as Microsoft Corp.'s Rights Management Services (RMS), require that applications be modified to natively support the ERM system's application programming interfaces (APIs). Most also require an identity management infrastructure, since the policy server must be able to resolve who a user is and which roles or groups that user belongs to.

"If you don't have an enterprise directory, it will be more challenging," says Trent Henry, an analyst at Burton Group in Midvale, Utah.

The ERM market, initially dominated by many small vendors, was given a big boost in the past couple of years with the entry of Microsoft and Adobe Systems Inc. Both RMS and Adobe's LiveCycle Policy Server require applications to be rewritten to support their APIs. As a result, application support is very limited. Adobe's product supports PDFs only, although the company says third parties provide agents for some other applications. Microsoft's system supports only Office 2003 documents. It relies on third parties to offer centralized policy management features and provide agents to support noncompliant applications.

Other vendors focus on providing an agent software overlay rather than relying on third parties to rewrite their applications. Companies such as Authentica Inc. in Lexington, Mass., have more-established products but offer relatively limited application support. Most support Office, Acrobat, HTML and Outlook documents, as well as common image formats, such as TIFF. But few support files created for other applications, such as computer-aided design systems.

Legal Challenge

Application support issues held back Fred Pretorius' Microsoft RMS installation at Mintz, Levin, Cohn, Ferris, Glovsky and Pope PC. The Boston-based law firm wanted to use ERM to protect documents both internally and when routed among its six regional offices. "You don't want someone to just forward things out," says Pretorius, acting director of information services.

Although the practice uses an all-Microsoft IT infrastructure, desktops had to be upgraded to Office 2003 before RMS could be deployed. And that couldn't happen until compatibility problems with the law firm's enterprise content management system were resolved. In the interim, Pretorius could have used third-party agent software on desktops to allow office applications to work with RMS. He passed on the work-around.

"It's the interaction of these add-ins that sometimes causes problems," he says. "You're better off waiting for Microsoft than dealing with the integration nightmares."

The system is now in pilot, with a full rollout expected this month. It wasn't difficult to set up, and users find the interface easy to use, Pretorius says. But he wasn't able to avoid other integration issues related to antivirus, e-mail archiving and enterprise content management systems. Once content is encrypted, it can't be scanned or indexed by any tool that doesn't itself hold rights to the file. Without adequate safeguards on the desktop, some users could encrypt infected files and spread a virus by routing them to others.

Pretorius' e-mail archiving software, Veritas Software Corp.'s KVS Enterprise Vault, doesn't have rights to view encrypted files and therefore can't index them for searches. But he says users are willing to live with that for now. "It's an ease-of-use concern against security," Pretorius says.

Microsoft product manager Piyush Lumba says Veritas is looking into building RMS support into its KVS product. Other vendors have formed partnerships with key vendors such as Veritas and EMC Corp.'s Documentum unit.

IT should consider the implications of the widespread application of encryption to documents throughout the organization, says Burton Group's Henry. It could affect business continuity plans by slowing down the data-recovery process. Other challenges include the long-term archiving of content encrypted with proprietary techniques and the ongoing management of the keys to access it.

Currently, RMS lacks the centralized controls Pretorius would prefer. "Users have to remember to protect their content," he says. Pretorius says he'd like to layer on more-sophisticated policy services from Meridio Inc. or Liquid Machines that he hopes could be configured to automatically apply a rights management policy based on the user's role or the type of content being created.

Corning's Scott would rather not automate that process. "We want our users to think about document classification overtly," he says. The more immediate problem, he says, is creating document security "roles and rules," classifications and policies that fit business needs. These must also be consistent with document classifications used in other areas, such as the corporate records information management and content management systems.

"You have to think ahead of time about what are the roles, the groups, and go through the homework of creating policies," says Henry.

That process can take more than a year, adds Scott, but he says it's essential to avoid "classification by exception." For Corning, that process was especially difficult because Scott identified few other companies that could serve as a model. While many have three or four classifications for paper documents, few have addressed electronic documents. "We have not found many leading examples," he says.

Going Outside

Extending the protection of documents outside of the corporate firewall presents a different set of challenges. A recipient of a protected document must obtain authorization from the issuing policy server before the document can be opened, so that service must be made accessible from the Internet. Recipients of protected documents must be authenticated when they first open them and may be required to do so each time they view the files, or users may be issued a "lease" that allows access for a specified period without contacting the server again.

When National Occupational Competency Testing Institute Inc. (NOCTI) needed to protect Web pages used for securing its online testing services, RMS alone wasn't sufficient. "It could not enforce the rights through a browser for a machine that was not a member of my domain," says Shawn Davis, IT manager. He uses GigaMedia Access Corp.'s GigaTrust product, which is built on top of RMS.

With GigaTrust, clients use a plug-in for Internet Explorer. GigaTrust hosts Microsoft RMS, which issues the encryption keys to unlock requested HTML test pages once registered users log into the testing Web site. Test takers can view and interact with Web pages, but they can't print or cut and paste content.

Because the client PC had to request a new license to retrieve each Web page and then decrypt it, load times were as long as eight seconds. "That was a killer for us," Davis says. After GigaMedia modified its software to allow local caching of the client-access certificate, load times dropped to about two seconds. Half of that time is taken up in decrypting the file, Davis says. The performance is now acceptable.

Dealing with certificate and lease expirations is another issue. If the defaults aren't set correctly for a given use case, IT managers could end up taking an angry call from the CEO, who could be locked out of files on his laptop when traveling and unable to reach the policy server to renew access. While NOCTI requires tight controls on lease times, Microsoft's Lumba says his company is more liberal, enabling rights to encrypted e-mail content for a year.

With 15% of NOCTI's customers using online testing, and demand growing at 30% to 40% a year, document security has been a critical part of obtaining new business. "It's been a big deal for us. The fact that we're using this technology has been a primary selling point for our customers," Davis says.

ERM technology is still maturing, says Henry. He describes current users as early adopters and says nascent industry standards aren't yet fully developed. For example, there are no established standards for agent software, encryption, key management or a common rights markup language. That could be a problem for large enterprises if business units end up using different products, he says, and it makes scalability outside of the enterprise more difficult. ERM systems are also expensive and may average $100 to $200 per seat and $1 million or more for enterprisewide deployments.

Nonetheless, ERM works well for "tactical" applications where security needs are high, Henry says. Protection of intellectual property, business-to-business e-mail containing sensitive content such as price lists, or strategic information shared among executives are all good places to start. And he warns that some users, particularly executives, may balk at the technology if it's too complicated.

But that's not a problem with executives at Pretorius' firm. "The enthusiasm for this is very high," he says. RMS has been reliable, Pretorius says, and with Service Pack 1 already out, he thinks there's no reason not to go forward. "I don't think anyone needs to wait," he says.

ERM in Action

Microsoft's RMS is a good example of how an ERM system works.

1. The document creator's software retrieves policy templates from the server and caches them locally for off-line use.

2. The author applies the policies to a document. The file is encrypted automatically, and rights are persistently attached.

3. The author distributes the file.

4. The recipient opens the file. The software agent or Dynamic Link Library within the application calls the policy server, which validates the user and allows the application to open the file. The application renders the file and enforces assigned rights, such as the ability to view, print, copy/paste or forward.

5. A log of events is sent back to the server to create audit trails.

Source: Microsoft Corp.
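The following Python model walks through the five steps above, together with the lease and off-line behavior described under "Going Outside." It is an added illustration, not code from Microsoft, Liquid Machines, GigaMedia or any other vendor named in this article, and it simplifies the real products: the policy server holds content keys directly, a template maps roles to rights, a use license carries a lease, and a keyed hash binds each file to its template so a recipient can't relabel a file with a looser policy. The cipher is an HMAC-based keystream standing in for AES so the example runs on the standard library alone; the users, roles, document and template names are constructed for the scenario.

```python
import hashlib
import hmac
import secrets

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 run in counter mode: a stdlib-only stand-in for AES, not production crypto.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _keystream_xor(key, nonce, plaintext)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:16], blob[16:])

class PolicyServer:
    """Holds content keys, policy templates and the audit trail (steps 1, 4 and 5)."""
    def __init__(self, directory: dict, templates: dict):
        self.directory = directory      # user -> role; stands in for the enterprise directory
        self.templates = {n: {r: frozenset(v) for r, v in t.items()} for n, t in templates.items()}
        self.keys, self.audit = {}, []  # doc_id -> content key; (user, doc_id, event) records
        self._mac_key = secrets.token_bytes(32)   # binds each document to its template

    def _tag(self, doc_id: str, template: str) -> bytes:
        return hmac.new(self._mac_key, f"{doc_id}|{template}".encode(), hashlib.sha256).digest()

    def publish(self, author: str, doc_id: str, template: str, plaintext: bytes) -> dict:
        """Step 2: encrypt the document and persistently attach its policy."""
        self.keys[doc_id] = secrets.token_bytes(32)
        self.audit.append((author, doc_id, "publish"))
        return {"doc_id": doc_id, "template": template, "tag": self._tag(doc_id, template),
                "body": encrypt(self.keys[doc_id], plaintext)}

    def issue_license(self, user: str, protected: dict, now: float, lease: float):
        """Step 4, server side: validate the user and return a time-limited use license."""
        doc_id, template = protected["doc_id"], protected["template"]
        if not hmac.compare_digest(protected.get("tag", b""), self._tag(doc_id, template)):
            self.audit.append((user, doc_id, "denied: policy binding tampered"))
            return None
        rights = self.templates.get(template, {}).get(self.directory.get(user), frozenset())
        self.audit.append((user, doc_id, "license" if rights else "denied: no rights"))
        return {"rights": rights, "expires": now + lease, "key": self.keys[doc_id]} if rights else None

class Agent:
    """The application plug-in: obtains and caches licenses, then enforces rights."""
    def __init__(self, server: PolicyServer, user: str):
        self.server, self.user, self.online = server, user, True
        self.cache = {}   # doc_id -> license, so repeated opens need not call the server

    def open(self, protected: dict, now: float, lease: float = 3600.0) -> bytes:
        """Step 4, client side: obtain a valid license, then decrypt for rendering."""
        doc_id = protected["doc_id"]
        lic = self.cache.get(doc_id)
        if lic is None or lic["expires"] <= now:
            if not self.online:
                raise PermissionError("license expired and policy server unreachable")
            lic = self.server.issue_license(self.user, protected, now, lease)
            if lic is None:
                raise PermissionError(f"{self.user} may not open {doc_id}")
            self.cache[doc_id] = lic
        if self.online:   # step 5: report the event (a real agent would queue it while offline)
            self.server.audit.append((self.user, doc_id, "view"))
        return decrypt(lic["key"], protected["body"])

    def allowed(self, doc_id: str, action: str) -> bool:
        """Enforce a right such as print, copy or forward against the cached license."""
        lic = self.cache.get(doc_id)
        return lic is not None and action in lic["rights"]

def _try(fn) -> bool:
    try:
        fn()
        return True
    except PermissionError:
        return False

def demo() -> dict:
    """Constructed scenario: an R&D document, an authorized viewer, an outsider, an offline laptop."""
    server = PolicyServer(
        {"alice": "engineer", "bob": "partner", "eve": "contractor"},
        {"rd-restricted": {"engineer": {"view", "print", "copy"}, "partner": {"view"}},
         "internal": {"engineer": {"view"}, "partner": {"view"}, "contractor": {"view"}}})
    secret = b"proprietary draw-tower parameters"
    doc = server.publish("alice", "fiber-spec-17", "rd-restricted", secret)
    t0, bob, eve = 1_000_000.0, Agent(server, "bob"), Agent(server, "eve")
    out = {"bob_reads": bob.open(doc, t0) == secret,
           "bob_view": bob.allowed("fiber-spec-17", "view"),
           "bob_print": bob.allowed("fiber-spec-17", "print")}
    # Eve relabels the file with a looser template; the server sees the broken policy binding.
    out["eve_relabels"] = _try(lambda: eve.open(dict(doc, template="internal"), t0))
    # Bob's laptop goes offline: the cached lease works until it expires, then he is locked out.
    bob.online = False
    out["offline_in_lease"] = _try(lambda: bob.open(doc, t0 + 1800.0))
    out["offline_after_lease"] = _try(lambda: bob.open(doc, t0 + 7200.0))
    out["audit"] = list(server.audit)
    return out
```

Running demo() shows the two failure modes the article raises: Eve's relabeled file is refused and logged as tampering rather than granted the looser "internal" rights, and Bob's off-line laptop keeps working only while his one-hour lease is valid, which is the lockout a too-short default would produce for a traveling executive. In a real deployment the content key would be wrapped for the server and for each licensed user rather than stored in the clear, and the cipher would be AES.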
