Tip

EDRM-DLP combination could soon bolster document security management

One of the more interesting developments in the enterprise digital rights management (EDRM) market is the combination of EDRM with data loss prevention (DLP). Rather than relying on users to properly classify documents and apply the proper EDRM rights, the DLP tool will automatically apply rights based on the content inside the files.

This combination is potentially quite powerful. One of the biggest obstacles to an EDRM deployment is integrating the process with a user's workflow. It's difficult to train users, especially at scale, to appropriately apply EDRM rights when they create documents. While static policies can handle some of this (such as applying rights to any file saved in a directory), in practice we find this often interferes with a business process as much as relying on manual application of rights.

Integrating EDRM into a DLP system 
Integrating DLP may overcome some of these issues. Your organization can create policies that apply rights based on the contents of files. Thus if the DLP tool detects a file with a customer account number, it can automatically apply a standard set of rights governing that kind of information. Or imagine that any file with a particular project number is automatically assigned rights for that project group, but restricted from being accessed by other teams.

  • Most of the existing combinations analyze stored files. Rights are applied after running a scan of stored data, or when a user manually asks for rights to be applied. So set a scan window you are comfortable with on the user's endpoints or in a shared storage repository. Since the details vary so greatly across tools, it's critical to understand exactly what processes are supported.
  • Start with discretionary policies that allow the users to change EDRM rights. This offers reasonable security while interfering less with business process. The first time the engineering team is unable to exchange an important document with another employee, the odds of your EDRM project continuing decline.
  • Clean your directory server for the team initially involved; ensure all the right users are in the right groups since all policies will tie to their directory accounts.
  • Start with a simple, unambiguous policy, and test it on the DLP side in monitoring mode before engaging EDRM enforcement. This lets you work out any mistakes and false positive/negative issues before they interfere with someone getting their day-to-day job done. Remember that keyword and pattern matching policies especially are prone to false positives until you tune them.
  • Strive for near-real-time classification and application of rights. As mentioned earlier, this depends on your tool of choice, but it reduces the window of exposure for the data.
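
A monitor-mode dry run of a content-based rights policy like the one described above, as an added example that is not from the article or from any DLP/EDRM product. The account-number and project-number formats, the rights-template names and the `apply_rights` hook are all assumptions.

```python
import re

# Assumed formats (not from the article): account numbers are 10 digits ending
# in a Luhn check digit; project numbers look like PRJ-0042.
ACCOUNT_RE = re.compile(r"\b\d{10}\b")
PROJECT_RE = re.compile(r"\bPRJ-(\d{4})\b")

def luhn_ok(digits):
    """Checksum validation cuts false positives from a bare digit pattern."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return (rights_template, reason); template names are hypothetical."""
    hits = [n for n in ACCOUNT_RE.findall(text) if luhn_ok(n)]
    if hits:
        return "customer-data-restricted", f"{len(hits)} valid account number(s)"
    m = PROJECT_RE.search(text)
    if m:
        return f"project-{m.group(1)}-team-only", f"project number {m.group(0)}"
    return None, "no policy matched"

def scan(files, enforce=False, apply_rights=None):
    """Monitor mode (enforce=False) records decisions and changes nothing."""
    report = []
    for path, text in files.items():
        template, reason = classify(text)
        applied = bool(enforce and template and apply_rights)
        if applied:
            apply_rights(path, template)    # caller-supplied hook into the EDRM tool
        report.append({"path": path, "template": template,
                       "reason": reason, "applied": applied})
    return report

# Constructed sample documents, keyed by file name.
SAMPLE = {
    "invoice.txt": "Customer account 4539578767 is overdue.",
    "ticket.txt": "Tracking reference 1234567890 shipped.",  # fails Luhn
    "plan.txt": "Milestones for PRJ-0042 attached.",
    "memo.txt": "Lunch at noon.",
}

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")          # monitor-mode dry run
```

Reviewing the monitor-mode report before passing `enforce=True` shows which files would receive which rights, and the checksum step keeps the ten-digit tracking reference from being treated as an account number.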

About the author:
Rich Mogull is founder and CEO of security consultancy Securosis. Send comments on this article to feedback@infosecuritymag.com.

This was first published in December 2011
