This article can also be found in the Premium Editorial Download "Information Security magazine: Security 7 Award winners: Simply the best."
Tips from the Frontline
ERM can boost security, but there are some things to keep in mind to ensure a successful deployment. Here are some lessons and tips from those who have deployed ERM and from industry experts:
FIND a vendor that supports all the applications and file formats you use in your organization.
PROTECT only your company's most critical information in order to avoid a policy management headache.
BE AWARE that the disaster-recovery process for documents protected by ERM is arduous.
IDENTIFY the problem you're trying to solve; if it's document-centric security, then ERM is for you. If it's access control, look at identity management.
DON'T let rapid market consolidation stop you from deploying ERM.
Sources: Matt Kesner, Fenwick & West; Trent Henry, Burton Group; Jason Elizaitis, Fairfield Greenwich Group; Jon Oltsik, Enterprise Strategy Group.
"We are ensuring that our knowledge doesn't suddenly become public domain information," he says.
Many Fluor employees are road warriors, so it's convenient for them to download materials from the knowledge database. If employees download the protected materials, Fix plans to require workers to re-authenticate themselves every three or five days after the initial download.
That will serve two purposes: if employees want to access the protected documents while traveling, such as on an airplane, they have a three- to five-day grace period where they can view documents offline and without re-authentication. And when employees must re-authenticate, the LiveCycle Policy Server will check to see if a new version of the document is available. If there is an update, it will prevent them from accessing the document and force them to download the new version. That will stop employees from using the same document for years without knowing whether Fluor had updated the original documents or deactivated them.
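The access decision described above, modeled as an added Python example (not Adobe's API or Fluor's configuration). The class and function names, the five-day lease and the decision strings are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LEASE = timedelta(days=5)  # assumed: upper end of the three- to five-day window


@dataclass
class ServerRecord:
    """Policy server's view of one document (hypothetical model)."""
    current_version: int
    active: bool = True


@dataclass
class LocalCopy:
    """Protected file on a laptop plus the start of its offline lease."""
    doc_id: str
    version: int
    lease_start: datetime


def open_document(copy: LocalCopy, now: datetime,
                  server: Optional[dict], authenticated: bool = False) -> str:
    """Return the access decision; server=None means the client is offline."""
    # In this model the version check happens only at re-authentication,
    # so an update or deactivation goes unseen until the lease runs out.
    if now - copy.lease_start < LEASE:
        return "allow: offline lease valid"
    if server is None:
        return "deny: lease expired, server unreachable"
    if not authenticated:
        return "deny: re-authentication required"
    record = server.get(copy.doc_id)
    if record is None or not record.active:
        return "deny: document deactivated"
    if record.current_version > copy.version:
        return "deny: download new version"
    copy.lease_start = now  # a successful check starts a new grace period
    return "allow: lease renewed"
```

The lease length is the trade-off to tune: a longer lease suits travelers, but it is also the longest a superseded or deactivated copy stays readable.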
Fluor plans to run Adobe LiveCycle Policy Server on a Windows server in the network's DMZ, where it sits between the corporate network and the Internet. As requests come in to view protected files, the Adobe software accesses an LDAP server for authentication and a database where user policies are stored.
Fix considered rival offerings, including EMC's Authentica, but it offered extra features he didn't need. He also considered Microsoft's Rights Management Services software, but Microsoft's offering only managed Microsoft Office products.
He wasn't swayed either by the rapid consolidation in the ERM market, a posture Enterprise Strategy Group's Oltsik says is sound thinking. "There's limited risk in buying now," Oltsik says. "If you have a department with very confidential data, you have an issue now that you need to address. You will get value out of the current applications."
Fluor, meanwhile, will use ERM for the company's most sensitive documents--about five percent of the 250,000 stored in its knowledge management system, Fix says. Eventually, he will make ERM available to the entire organization. Fix, who is in charge of setting the security policies, says a slow rollout of the technology is necessary so he can gauge its administrative requirements. "We want to see how much time will be spent managing rights," he says.
Fix expects mixed user reaction. Some will understand why it's necessary but others will see it as another hurdle in doing their work. He believes the technology is worth the time and money spent: "The licensing cost is minimal compared to the costs of intellectual property leakage."
This was first published in October 2006