Enterprise DRM products protect documents from prying eyes

Enterprise DRM (digital rights management) shares DRM’s basic concept of controlling content use. However, it goes beyond unauthorized-copy protection to help stop sensitive information from being read, altered, or shared outside an origination -- while not interfering with users’ work, including their ability to collaborate with colleagues. As such, it’s an important complement to other data leak solutions, such as network scanners.

Any enterprise DRM solution should have three characteristics. Security is foremost; documents, communications, and licenses should be encrypted, and documents should require authorization before being altered. Second, the system can’t be any harder to use than working with unprotected documents. Lastly, it must be easy to deploy and manage, scale to enterprise proportions, and work with a variety of common desktop applications.

With these requirements in mind, I tested two notable enterprise DRM solutions, Liquid Machines Document Control 6.0 and SealedMedia E-DRM 5.0.

Liquid Machines Document Control 6.0

Liquid Machines’ Document Control enforces document access and usage policies, including open, read, save, and printing. A Policy Server, which integrates with AD (Active Directory) or LDAP, allows business users to centrally manage roles and policies; designated managers may also audit access and usage violations. On the client side, the Liquid Machines Policy Droplet plug-in enforces your policies -- and allows properly authorized users to modify rights.

Click for larger view.

Although this architecture is fairly standard, Liquid Machines bests competitors in one area: It is policy-server-agnostic. You can install Liquid Machines stand-alone or together with Microsoft’s Windows RMS (Rights Management Services); in the latter case, Liquid Machines’ more flexible policy management is available to RMS.

Document Control 6.0 doesn’t ship with pre-built policies for specific industries or regulatory compliance, which is common practice with many enterprise security offerings and shortens setup. Still, it provides solid information control for protecting IP, works well in secure outsourcing operations, and allows enterprises to establish policies to comply with corporate governance and consumer privacy regulations.

Setting up policies and defining who can access files is clear-cut with Document Control’s Web-based administration console. Rights are assigned to directory accounts by role, which makes large-scale implementations go quickly. I created roles -- such as a financial department analyst -- and then placed AD users within this role.

Maintenance is similarly simple; to revoke rights, for example, just remove a user from the appropriate role rather than editing individual user accounts. The disadvantage in pinning rights to AD or LDAP accounts is that you can’t easily allow outside users -- including partners or offshore workers -- to access documents they may need.