One of the more interesting developments in the enterprise digital rights management (EDRM) market is the combination of EDRM with data loss prevention (DLP). Rather than relying on users to properly classify documents and apply the proper EDRM rights, the DLP tool will automatically apply rights based on the content inside the files.
One of the biggest obstacles to an EDRM deployment is integrating the process with a user's workflow.
This combination is potentially quite powerful. One of the biggest obstacles to an EDRM deployment is integrating the process with a user's workflow. It's difficult to train users, especially at scale, to appropriately apply EDRM rights when they create documents. While static policies can handle some of this (such as applying rights to any file saved in a directory), in practice we find this often interferes with a business process as much as relying on manual application of rights.
Integrating EDRM into a DLP system
Integrating DLP may overcome some of these issues. Your organization can create policies that apply rights based on the contents of files. Thus if the DLP tool detects a file with a customer account number, it can automatically apply a standard set of rights governing that kind of information. Or imagine that any file with a particular project number is automatically assigned rights for that project group, but restricted from being accessed by other teams.
- Most of the existing combinations analyze stored files. Rights are applied after running a scan of stored data, or when a user manually asks for rights to be applied. Thus set a comfortable scan window on the user’s endpoints or in a shared storage repository. Since the details vary so greatly across tools, it's critical to understand exactly what processes are supported.
- Start with discretionary policies that allow the users to change EDRM rights. This offers reasonable security while interfering less with business process. The first time the engineering team in usable to exchange an important document with another employee, your odds of the EDRM project continuing decline.
- Clean your directory server for the team initially involved; ensure all the right users are in the right groups since all policies will tie to their directory accounts.
- Start with a simple, unambiguous policy, and test it on the DLP side in monitoring mode before engaging EDRM enforcement. This lets you work out any mistakes and false positive/negative issues before they interfere with someone getting their day-to-day job done. Remember that keyword and pattern matching policies especially are prone to false positives until you tune them.
- Strive for near-real-time classification and application of rights. As mentioned earlier, this depends on your tool of choice, but reduces the window of exposure for the data.
About the author:
Rich Mogull is founder and CEO of security consultancy Securosis. Send comments on this article to firstname.lastname@example.org.