Published: 01 Oct 2006
Enterprise Rights Management software is being adopted by businesses to secure their most valuable documents and sensitive content.
Matt Kesner has had a front-row seat in the entertainment industry's battle against piracy. Over the years, his Silicon Valley law firm has defended Napster against the music industry and fought on behalf of ReplayTV when Hollywood took the digital video recorder maker to court. So it's ironic the law firm recently embraced enterprise rights management (ERM) internally.
When Fenwick & West LLP takes on mergers and acquisitions, intellectual property, tax and other types of cases, its 250 attorneys and 300 staffers gain access to millions of sensitive documents, from patent information to detailed financial reports that include revenue and sales projections.
Kesner, the firm's CTO, took his first stab at securing client data five years ago by getting rid of paper and moving documents online. He built extranets, with password protection and 128-bit SSL encryption, where Fenwick's lawyers and clients could view documents and communicate via discussion forums. He also gave access to third parties, such as opposing lawyers in litigation cases or potential buyers in acquisitions.
The security was good, but it wasn't enough. The extra-nets didn't prevent people from printing and saving files, or forwarding extranet passwords to others. Clients facing new regulations wanted assurance that their proprietary information was safeguarded. And in merger and acquisition situations where rival companies see each others' confidential information, clients wanted guarantees that their intellectual property wasn't stolen if a deal fell through.
Kesner tackled the problem with ERM. While consumer digital rights management technology protects music and movies, enterprise rights management software allows businesses to restrict who can access documents, what they can do with them and for what length of time.
"We're involved in cases where the primary assets of our clients are great ideas, and they don't want their great ideas widely shared," Kesner says. "With enterprise rights management, we can control access and keep their secrets."
Enterprise rights management is technology that allows corporations to continuously control and protect documents, email and other corporate content through the use of encryption and security policies that determine access rights.
Industry analysts say ERM software is an innovative tool that could stem the rising tide of corporate data breaches throughout the nation. The technology can limit document access to specific computers, place expiration dates on access rights, and prevent people from saving, printing and cutting and pasting documents. Each time users try to access a protected document, they have to go through an authentication process to prove they have the right to view it. So even if electronic documents fall into the wrong hands, they're protected, says Trent Henry, analyst at the Burton Group.
"If a user means to send a sales report to Joe A., but inadvertently sends it to Joe B., the rights management technology prevents Joe B. from opening it," Henry says.
While analysts give ERM high marks, it's still a nascent market with a small--but increasing--number of companies deploying the technology. It's not cheap, either. For a 3,750-user installation, ERM software costs an average of $300,000 plus $66,200 in annual maintenance costs, says Jon Oltsik, senior analyst at Enterprise Strategy Group.
Despite its cost and infancy, here's a look at three businesses that have taken the plunge:
Company: Fenwick & West LLP
Fenwick & West was an early adopter, choosing ERM software by startup SealedMedia, a company recently acquired by Stellent.
Kesner took advantage of SealedMedia's free 30-day trial, tested it with several clients and was wowed by the results. His law firm's clients use hundreds of data types, including Microsoft Office, Adobe Acrobat, accounting databases, architectural drawings and computer-aided design documents--all of which SealedMedia supports.
In addition to the software's broad support, he was impressed by its ease of use. For the firm's lawyers, clients and outsiders to access protected files, they download a small plug-in to their computers. When they try to open protected files on the extranet, the plug-in checks in with Fenwick & West's servers to make sure they have the right to access the documents. It takes about five minutes to get most users up and running.
"We wanted a comprehensive solution that doesn't restrict certain data types and can be as transparent as possible for the user," Kesner says.
Installation wasn't hard and took about four hours this spring. Kesner had to integrate the SealedMedia software with EMC's eRoom and Microsoft's SharePoint collaboration software that he used to build 800 extranets.
The SealedMedia software is spread across two Windows-based servers, one an encryption server and the other a database server that houses policies. Kesner then attached the SealedMedia servers to multiple servers that house the collaboration software. Those servers, in turn, connect to a storage area network housing three terabytes of client data.
To test the security, Kesner tried to hack into the system to view the protected documents; he couldn't break through.
Since implementing ERM, 20 clients, totaling 100 users, have taken advantage of the technology. Kesner, who sets up the initial security policies, allows his clients to determine how stringent the policies are for protecting their documents.
For example, if the firm is helping a client find a buyer, it can allow potential buyers access to the extranet to view documents. Because SealedMedia requires a plug-in to view protected documents, the law firm can limit access to just one or two computers at the potential buyer's headquarters, and it can limit the amount of time the material can be viewed, such as one day or one week. Policies can also ban the ability to save or print.
"You can share data that you might not normally share, unless you were in a locked room, having a face-to-face meeting," he says. "And if a party drops out of a case or a bidder expresses they are no longer interested, we shut down their rights."
The technology generates detailed reports on who accesses information and what they do with it, so clients facing government regulations have proof that their information is secured. "It offers them peace of mind that they're operating within the regulations," Kesner says.
In the future, the law firm plans to activate Sealed-Media's email support, so clients who prefer to use ERM to protect email and attachments can do so.
Kesner says it's difficult to put a dollar figure on the software's ROI, but says the technology improves customer service and gives the firm a competitive edge. The extranets, for example, make document management more efficient, while ERM secures the data.
"Their [clients'] expectations are that law firms are stodgy and not tech-savvy, so they're pleased that we are (tech-savvy)," he says. "We've had no complaints, just compliments."
Company: Fluor Corporation
Solution: Adobe's LifeCycle Policy Server
Fluor Corporation's knowledge management system works like a dream, but executives recently discovered security and document-control issues that could give them nightmares.
The Fortune 500 construction and engineering company has 35,000 employees in 25 countries who build, repair and maintain oil refineries, manufacturing plants and power plants. In 1999, executives built an online knowledge management system to serve as a collaboration tool for employees to share ideas and best practices on everything from technical issues to marketing and sales strategies.
A year ago, however, Fluor's global quality assurance officer found two problems with the system: how to protect the most confidential documents in the knowledge database, and, with users' penchant for downloading files onto their hard drives for easy access, how to ensure employees are working off updated corporate materials.
Those problems led the company to ERM. Because Adobe's PDF format is the company's standard, Randy Fix, Fluor director of automation, recently purchased Adobe's ERM product, LifeCycle Policy Server. After a successful three-month beta, he began deploying the technology this summer.
"It's an intellectual property leakage issue," Fix says. "There are certain documents that are critical. Some are project management manuals. Some are 1,000 pages long and very confidential. We just want to protect them and limit access to a small group of people."
Fluor already had some control over content. When using Adobe Acrobat to author PDF documents, employees can set policies that prevent people from printing or cutting and pasting text. But that didn't prevent staffers from passing confidential documents to clients, whether by accident, malice or simply because they didn't know the information needed to remain private.
Another concern was employees taking documents to a new employer if they left the company. In the past, company officials caught several staffers downloading documents before leaving the company.
Fix is slowly rolling out the ERM solution to protect about 20 best practices that are managed by the company's quality assurance leader. The technology will force employees to authenticate themselves to view the protected files. If unauthorized users somehow get access to the files, they will be stymied by the authentication process and won't be able to view them, Fix says.
Tips from the Frontline
ERM can boost security, but there are some things to keep in mind to ensure a successful deployment. Here are some lessons and tips from those who have deployed ERM and from industry experts:
FIND a vendor that supports all the applications and file formats you use in your organization.
PROTECT only your company's most critical information in order to avoid a policy management headache.
BE AWARE that the disaster-recovery process for documents protected by ERM is arduous.
IDENTIFY the problem you're trying to solve; if it's document-centric security, then ERM is for you. If it's access control, look at identity management.
DON'T let rapid market consolidation stop you from deploying ERM.
Sources: Matt Kesner, Fenwick & West; Trent Henry, Burton Group; Jason Elizaitis, Fairfield Greenwich Group; Jon Oltsik, Enterprise Strategy Group.
"We are ensuring that our knowledge doesn't suddenly become public domain information," he says.
Many Fluor employees are road warriors, so it's convenient for them to download materials from the knowledge database. If employees download the protected materials, Fix plans to require workers to re-authenticate themselves every three or five days after the initial download.
That will serve two purposes: if employees want to access the protected documents while traveling, such as on an airplane, they have a three- to five-day grace period where they can view documents offline and without re-authentication. And when employees must re-authenticate, the LifeCycle Policy Server will check to see if a new version of the document is available. If there is an update, it will prevent them from accessing the document and force them to download the new version. That will stop employees from using the same document for years without knowing whether Fluor had updated the original documents or deactivated them.
Fluor plans to run Adobe LifeCycle Policy Server on a Windows server in the network's DMZ, where it sits between the corporate network and the Internet. As requests come in to view protected files, the Adobe software accesses an LDAP server for authentication and a database where user policies are stored.
Fix considered rival offerings, including EMC's Authen- tica, but it offered extra features he didn't need. He also considered Microsoft's Rights Management Services software, but Microsoft's offering only managed Microsoft Office products.
He wasn't swayed either by the rapid consolidation in the ERM market, a posture Enterprise Strategies Group's Oltsik says is sound thinking. "There's limited risk in buying now," Oltsik says. "If you have a department with very confidential data, you have an issue now that you need to address. You will get value out of the current applications."
Fluor, meanwhile, will use ERM for the company's most sensitive documents--about five percent of the 250,000 stored in its knowledge management system, Fix says. Eventually, he will make ERM available to the entire organization. Fix, who is in charge of setting the security policies, says a slow rollout of the technology is necessary so he can gauge its administrative requirements. "We want to see how much time will be spent managing rights," he says.
Fix expects mixed user reaction. Some will understand why it's necessary but others will see it as another hurdle in doing their work. He believes the technology is worth the time and money spent: "The licensing cost is minimal compared to the costs of intellectual property leakage."
Company: Fairfield Greenwich Group
Vertical: Financial services
Solution: Liquid Machines
Fairfield Greenwich Group simply wanted to add another layer of security.
The investment firm, which manages $10 billion in hedge funds, has a firewall, antivirus protection, antispyware software, access controls and Windows authentication. But about 18 months ago, it conducted a security audit and decided more protection was needed for its most critical data, including client lists, financial statements, portfolio models and the company's network infrastructure documentation, which includes network passwords and IP addresses.
"Just in case someone did get in, we can protect the 20 to 30 documents that need serious protection," says Jason Elizaitis, the firm's director of IT.
After poring through IT magazines, he chose ERM software from Liquid Machines for its ease of use.
Liquid Machines software installs a pull-down menu on Microsoft Office applications and Adobe Acrobat. If authors of documents feel they need to protect them with ERM, they click on the pull-down menu to set the policies.
Elizaitis installed the Liquid Machines software in one day. He's running it on a Windows server that connects to Active Directory for authentication and a SQL Server database that houses the policies.
Elizaitis says the technology works as advertised: "The copy protection travels with the data. If someone comes in the office, sticks a USB key [into a system] and takes a Word document and walks out, they can't read it."
His advice to those considering ERM is to keep the policies simple: Decide which documents need extra protection, but don't try to protect everything.
"A lot of people will be tempted to go crazy with policing and lock down everything," he says. "But you can drive yourself insane and end up with a ton of polices to maintain."
Elizaitis practices what he preaches. When he installed the technology, he developed three policies, and he has not changed them since, because they are working, he says. One policy limits document access to employees only. Another policy limits sensitive network information to the IT department. The last policy limits marketing materials to the firm's lawyers. To meet a Securities and Exchange Commission requirement, the lawyers must approve marketing materials before staff can use them, he says.
"The price was right and the added peace of mind it gave us was worth it," Elizaitis says.