Enterprise DRM products protect documents from prying eyes

End-users perform a one-time install of the Desktop Sealer application, which opens sealed documents either after asking for a log-in or automatically based on existing Windows NT domain credentials. Installing Desktop Sealer also embeds its functions into Office applications, which allowed me to use various security features with minimal added work. For example, to seal a document to a particular Context, I merely used a toolbar button or the File/Save menu and chose the appropriate Context name. The sealing cryptography has very little overhead, typically enlarging a document by less than 1 percent.

Free IT resource Open Source Business Conference (OSBC) May 22-23, 2007 Sponsored by OSBC Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

When I mailed this sealed document to a colleague who had appropriate read-edit rights, it opened without requiring any extra steps. If someone else attempts to open the document, SealedMedia provides a clear status message indicating why the operation failed and whom to contact for assistance. Additionally, SealedMedia prevented users from extracting the temporarily unsealed data by disabling copy/paste and many other application functions.

SealedMedia’s overlaid approach -- which architecturally is kernel-level security -- appears more tamper-proof and flexible than Microsoft’s RMS, which embeds rights management into an application. For one thing, SealedMedia works with vintage versions of Windows and Office, as well as Lotus Notes and Acrobat Reader, whereas Microsoft’s own solution works only with newer Office and OS versions.

Besides ensuring that documents can be opened only during specified time periods, SealedMedia has very good cache management. For instance, if someone is offline, I could still control how long they could access a document. Policy changes, such as revoking access, take effect immediately for online users. Because of the Context grouping, I also easily rescinded a whole team’s access when a project was completed.

Audit trails allowed me to view every action performed on a sealed document, and the time it occurred. However, E-DRM 5.0 has only elementary log searching and reporting.

Balancing your options

Liquid Machines and SealedMedia are relatively balanced when comparing their general characteristics. SealedMedia’s setup went quickly, and E-DRM 5.0 offered strong security without sacrificing usability. Although you can’t protect as many file formats with SealedMedia as you can with Liquid Machines, bonuses with SealedMedia include pre-configured security groups, which I feel is a more scalable architecture, and standard e-mail protection -- all reasons it scored higher.

Liquid Machines is more flexible in the choice of licensing server. But this decision means some compromises in the method used for protection, limiting the system to newer Office applications. I would have liked to see native e-mail integration -- it’s available separately, but you’ll have to pay more for it -- and better ways to accommodate offshore partners.

Finally, both solutions integrate with various third-party content management applications, including EMC Documentum. I mention this broader content management aspect because of its growing importance as enterprises search for ways to protect content repositories. So if you want to combine your content management system with a DRM solution, both Liquid Machines and SealedMedia will allow you to do so, although I would probably lean toward SealedMedia’s open, Web services architecture in such a scenario.

Click for larger view.