If you pay $1.99 to download an ebook for your Kindle, it’s protected by DRM that stops you sharing the contents, and if Amazon wants to, it can revoke the document so you can’t read it any more. Is your company’s current price list protected nearly as well?
With information rights management (often known as enterprise DRM, short for digital rights management), you could make sure that price list was only shared with your customers, blocking them from sending it on to your competitors and automatically blocking it at the end of the quarter when you come out with new prices. Or you could share specifications with several vendors in your supply chain during a bidding process and then block everyone but the winning vendor from opening the document after the contract is finalized. You can make sure that contractors aren’t working from out-of-date plans by making the old plan expire when there’s an update. Tracking and visibility are useful for compliance as well as security; you could track how many people had opened the latest version of the employee handbook, or see that a document you’d shared with a small team was actually being read by hundreds of people.
Rights management is a mature enterprise technology – versions of it have been in Windows Server since 2003, for example – but while Gartner analyst Mario de Boer notes that “EDRM is more popular than it ever was,” he also says “enterprise-wide deployments are still rare.”
A recent survey by secure collaboration vendor Intralinks found that only 53 percent of enterprises classify information to align with the access controls that are supposed to be protecting it. That’s especially problematic during confidential but time-sensitive processes like mergers and acquisitions; if you’re worried about a deal falling through, it’s tempting to start mailing unprotected Excel files around rather than jumping through hoops to grant access correctly.
That’s probably why one survey of executives involved in M&A by Ansarada (whose Secure Office service is designed for sharing documents during the M&A process) found that 71 percent had suffered data loss. And you don’t have to be the NSA to suffer from insider attacks; early this year U.K. media regulator Ofcom discovered that a former employee had downloaded six years’ worth of data about TV broadcasters before leaving, and promptly offered it to their new employer, a rival broadcaster.
With rights management, Ofcom could have made those documents worthless because once the employee left, they would have lost their rights to open the documents – and they could have been blocked from printing them or copying the contents as well. New data privacy laws like the EU General Data Protection Regulation will make those kinds of losses even more expensive.
“The traditional way of protecting data focuses on control,” says de Boer. “Control over networks (‘We have locked the data away in the data center’), control over devices (‘We have enabled AES-256 encryption on all mobiles and encrypted the full disks on Windows’), apps (‘Everyone uses our container solutions') and control over services (‘We only give authorized people access to the application').”
Dan Plastina, who runs Microsoft’s rights management offerings, including Azure RMS, says that companies are beginning to realize that protecting the perimeter and devices is no longer enough and they need a data-centric approach.
“You had a perimeter once, but over the years you’ve punched a lot of holes in that wall,” says Plastina. “Data is not being saved where you want it to be saved. Whether you like it or not, this is happening. What I see is that people are recognizing the problem is a lot bigger than they thought, and I think some organizations are at the point where they're realizing that identity and data are the things they need to focus on, as opposed to classic device management. Device management is not going away but the concept that data and identity need to be married together more aggressively is definitely resonating.”
He describes the core of rights management as “identity-bound data protection; you encrypt the file so that only the right person has access to it.”
Some industries have already adopted rights management, particularly finance, automotive and manufacturing. “They’re people who either want or have to protect data,” says Plastina. “There are organizations that have a lot of IP and want to protect it, and then there’s PII and financial data inside banks. Some financial organizations we work with protect a lot of documents every day with rights management.”
But rights management is important for a far broader range of industries, he maintains. “Your data is travelling to different repositories and stores. Data goes to the cloud, it’s given to partners; that content is clearly not within your control any more. This technology is at a point where people ought to be paying attention. The usage of data in their companies is absolutely past the limit; their data is all over the place and they have no idea.”
The problem isn’t with the quality of the technology, and most organizations have mature identity management that will allow them to use rights management technology. “The most common challenge is not technical but cultural,” de Boer explains. “You should expect the changes in common workflows to be harder to plan for and accomplish than solving technical issues.”
That means not being too ambitious as you start using rights management and avoiding both leaving too much up to users and locking down data too much. “Most successful deployments start small, with policies applied to the most sensitive repositories. Then monitor use, learn as you go, and detect deficiencies. Eventually, you can expand to more complex use cases.”
There are some things that rights management will never be able to protect you from, like an employee snapping a photograph of their screen with a smartphone, but that’s not a technology issue; it’s a management problem (and at that point, the employee can’t claim that they shared the information accidentally).
Typically, rights management deployment runs into two issues, says Plastina. “Either people left everything up to the users or they went crazy in terms of the breadth and said ‘I’m going to protect everything’.” Neither approach works well. “IT leaders don't have a good sense of what is sensitive or not,” he notes, so business leadership needs to be involved in deciding what to protect. You don’t need as many policies as you might think, either; policies for strictly confidential, confidential, internal and public data will cover most companies.
He suggests starting by thinking about your most sensitive data and where it’s stored. “Not all of your data is sensitive. If 5 percent of your data is top secret, take that 5 percent and focus your energy on that. If you're in the candy bar business, then SAP is the bulk of your sensitive data; logistics, order information, inventory, financials.” That data is secure until you run a report and create a PDF or an Excel file and start mailing it around. “In that case, go purchase Halocore from SECUDE and focus on SAP and mark it company internal; all that data will be encrypted at birth and it can’t leak outside the company. That quickly starts to put a leash on your data.”
The next step might be partitioning internal email; for example, messages and documents sent within the HR and legal teams. “Today the entire company’s worth of data is accessible to everyone in the company. If the very sensitive data is rights protected then that partitioning will enforce itself and IT will be notified that Dan in legal is trying to access documents from HR,” Plastina explains, “and someone would be able to take action.”
He suggests a simple trick for getting teams to opt in to classifying and labelling their own content: “Turn on RMS; no-one will notice that it’s on. Then go to a department like HR or legal and send them an email marked as ‘Do Not Forward’ and tell them that they can’t forward it, and include a screenshot showing them how to do it.” It’s just human nature. “They're going to look at it, try to forward it, realize they can't - and start using it themselves. Now you have partitioned data in your organization.”
You can’t rely on ad hoc classification, but being too restrictive is also counterproductive, Plastina notes. “Organizations will need to show some restraint. Start by going after email and SAP but with policies that are somewhat flexible so you keep productivity.” It’s also going to show you what the real workflow is in your business, which might not be what you think. Remember that rights management has to apply to executives, who will have to accept some changes to their workflow. “Given the recent large-scale data loss events in the news, it may not require as much effort as you think to obtain buy-in,” de Boer suggests.
If you have a ‘do not forward’ policy for email sent by your senior leadership team, you might want to give executives the ability to remove the protection from a message and then re-protect it, so they can share it with their own leadership team. “If that executive loses a thumb drive of documents no-one would be able to open them,” points out Plastina, “but it doesn’t become so oppressive that the executive doesn’t want to do it and tries to get around it.”
Protect now, get sophisticated later
Microsoft is also working on improving the experience of automatically classifying and protecting documents inside Office, to be more like the data leakage protection features it already has, using the Secure Islands technology it recently purchased. As you type in a credit card number, Office will suggest that the document needs to be marked as confidential – but there will also be an option for the user working on the document to say that’s a mistake and change the classification back to internal (the way you can with Exchange data leakage protection today). The Office integration will be available as a private preview in the near future, and the Secure Islands tool is shipping now.
Once you have data that’s labelled and rights managed, there are opportunities to get control beyond the usual file sharing and email. Microsoft recently bought Adallom; the technology is now called Cloud Application Security and Plastina suggests it will turn into a kind of data leakage protection for data going to cloud services. “It can sit in the network as proxy or squat on APIs, so it’s capable of working outside the classic productivity endpoint. Imagine a cloud access security broker capable of blocking the upload to Salesforce of something that’s secret.”
Rights managed documents will be a key area for machine learning, both for tracking misuse and automatically classifying documents. Another Microsoft acquisition, Equivio, can do classification for legal documents today, and Plastina says Microsoft has plans to build on that. “You feed it a bunch of documents and tell it ‘go find more like this.’ Imagine an organization has a petabyte of data and they have users actively classify some content.
Once you have say 100MB of well classified content, the concept is you could use Equivio to say ‘I know these are top secret M&A files, classified by label; now go find a bunch [of matching documents] with no tags and classify those in bulk’. If you have a petabyte of historical data you want that labelled; you can't just protect the new stuff or what’s being edited now.”
If you’re looking for those advanced features, you’ll still want to start using rights management today, he points out. “The best approach is to focus on the basics: classify, label and protect. Start there, and once that's done monitoring and responding are a lot easier. There's no ability to monitor and respond if you have no signals.”
De Boer agrees that you should be considering rights management now rather than later. “CIOs should plan for a data-centric approach to information protection, and EDRM takes a central position in such plans. All CIOs that value collaboration and that understand the inflexibility of infrastructure borders around islands of sensitive data should investigate EDRM.”