Enterprise DRM products protect documents from prying eyes

Liquid Machines, SealedMedia secure enterprise perimeter by controlling document access, compliance

Enterprise DRM (digital rights management) shares DRM’s basic concept of controlling content use. However, it goes beyond unauthorized-copy protection to help stop sensitive information from being read, altered, or shared outside an organization -- while not interfering with users’ work, including their ability to collaborate with colleagues. As such, it’s an important complement to other data-leak prevention solutions, such as network scanners.

Any enterprise DRM solution should have three characteristics. Security is foremost; documents, communications, and licenses should be encrypted, and documents should require authorization before being altered. Second, the system can’t be any harder to use than working with unprotected documents. Lastly, it must be easy to deploy and manage, scale to enterprise proportions, and work with a variety of common desktop applications.

With these requirements in mind, I tested two notable enterprise DRM solutions, Liquid Machines Document Control 6.0 and SealedMedia E-DRM 5.0.

Liquid Machines Document Control 6.0

Liquid Machines’ Document Control enforces document access and usage policies, including open, read, save, and printing. A Policy Server, which integrates with AD (Active Directory) or LDAP, allows business users to centrally manage roles and policies; designated managers may also audit access and usage violations. On the client side, the Liquid Machines Policy Droplet plug-in enforces your policies -- and allows properly authorized users to modify rights.

Although this architecture is fairly standard, Liquid Machines bests competitors in one area: It is policy-server-agnostic. You can install Liquid Machines stand-alone or together with Microsoft’s Windows RMS (Rights Management Services); in the latter case, Liquid Machines’ more flexible policy management is available to RMS.


Document Control 6.0 doesn’t ship with pre-built policies for specific industries or regulatory compliance, a common practice among enterprise security offerings that shortens setup. Still, it provides solid information control for protecting IP, works well in secure outsourcing operations, and allows enterprises to establish policies to comply with corporate governance and consumer privacy regulations.

Setting up policies and defining who can access files is clear-cut with Document Control’s Web-based administration console. Rights are assigned to directory accounts by role, which makes large-scale implementations go quickly. I created roles -- such as a financial department analyst -- and then placed AD users within this role.

Maintenance is similarly simple; to revoke rights, for example, just remove a user from the appropriate role rather than editing individual user accounts. The disadvantage in pinning rights to AD or LDAP accounts is that you can’t easily allow outside users -- including partners or offshore workers -- to access documents they may need.

As opposed to RMS, Document Control 6.0’s policies allow auditing, so you’ll know exactly which changes were made, and by whom. Thus, you can confidently delegate policy administration to department heads or other non-IT staff. Furthermore, this solution enhances RMS’s global policy expiration -- you may expire document access to one group of users but not others. This feature’s missing from RMS.

The Policy Droplet management plug-in functioned in various native applications, including Microsoft Word and Visio, without any extra steps. For example, if printing was disallowed, then that action was reliably blocked.

The software clearly shows which policies apply to the document so that users always know what else they can and can’t do -- and whom to contact to change permissions. Policy Droplet allowed me to quickly choose the policy to apply when I created a new file; alternately, enterprises can automatically apply a corporate default policy to new documents.

A further example of Document Control’s tight security is that documents remain protected when converted to Adobe Acrobat. Additionally, the initial protection policy was carried forward when I saved portions of the original document to general formats, such as .txt and .csv.

Likewise, I didn’t find any gaps in how rights were handled. Policy changes were immediately sent to users’ PCs and enforced right away, including revocations, new rights, and time extension of existing rights. I designated offline rights so that trusted employees could use files when they were off the network but that limited access to a specific number of days. This forces users to connect from time to time, ensuring they will receive the most current policies. Auditing information is stored in a Microsoft SQL database, which I easily queried using a Web form.

Document Control 6.0 is somewhat unusual because it protects more than 65 applications and file formats, which is more than SealedMedia’s solution. Although I didn’t have the chance to test them all, Liquid Machines offers separate products for controlling e-mail, as well as gateways for BlackBerry, Documentum, file shares, and Google Mini searches. That said, I think it would be advantageous to offer the e-mail module as a standard feature because e-mail is such an essential part of how information travels inside and outside organizations.

SealedMedia E-DRM 5.0

First things first: You may have heard that SealedMedia was recently acquired by CMS vendor Stellent. SealedMedia’s tools will continue to be offered as stand-alone products, and they will be integrated with Stellent’s other offerings.

SealedMedia E-DRM is typically deployed with a License Server that manages user authentication and document-access rights; SealedMedia Desktop for viewing and encrypting files; and a management tool -- a Web site or server console -- for provisioning users, audit reporting, and administering documents.

E-DRM 5.0 follows a three-tier security model, which allowed me to place the various components (License, Web, database, and directory servers) in the appropriate firewall-protected network zones, yet still allow public Internet access to the License Server. Moreover, you can distribute traffic or have a hot-standby License Server for high availability implementations.


This solution relies on a fundamental Context, which defines a group of documents, the people who can use the documents, and the roles those people can perform, such as opening, printing, or annotating documents. This strategy allows you to set up a full-scale system and manage thousands of documents and users in short order -- typically a day or so -- which would be impractical if you had to attach rights to each document and user individually.

SealedMedia offers pre-configured Context roles and associated workflows appropriate for Board Communications, Mergers and Acquisitions, Protecting Intellectual Property, Regulatory Compliance, and Secure Third-Party Collaboration. SealedMedia follows ISO17799 security-level mappings in these setups, which should help greatly in proving ISO17799 compliance.

Similarly, you can comply with Sarbanes-Oxley regulations for securing and maintaining the integrity of digital records. SealedMedia will restrict and track access to spreadsheets and other financial data, too.

I successfully used the M&A setup and didn’t have any trouble taking the five standard out-of-the-box roles -- contributor, reviewer, reader, no-print reader, and item reader -- and employing them in various Contexts of my own.

Using the system’s management features, I created the initial Context -- unannounced products for a marketing department -- and owners to share administration responsibilities. Owners then assigned roles: for example, who can create, edit, and e-mail documents; who has read access; and those with no access.

End-users perform a one-time install of the Desktop Sealer application, which opens sealed documents either after asking for a log-in or automatically based on existing Windows NT domain credentials. Installing Desktop Sealer also embeds its functions into Office applications, which allowed me to use various security features with minimal added work. For example, to seal a document to a particular Context, I merely used a toolbar button or the File/Save menu and chose the appropriate Context name. The sealing cryptography has very little overhead, typically enlarging a document by less than 1 percent.

When I mailed this sealed document to a colleague who had appropriate read-edit rights, it opened without requiring any extra steps. If someone else attempts to open the document, SealedMedia provides a clear status message indicating why the operation failed and whom to contact for assistance. Additionally, SealedMedia prevented users from extracting the temporarily unsealed data by disabling copy/paste and many other application functions.

SealedMedia’s overlaid approach -- which architecturally is kernel-level security -- appears more tamper-proof and flexible than Microsoft’s RMS, which embeds rights management into an application. For one thing, SealedMedia works with vintage versions of Windows and Office, as well as Lotus Notes and Acrobat Reader, whereas Microsoft’s own solution works only with newer Office and OS versions.

Besides ensuring that documents can be opened only during specified time periods, SealedMedia has very good cache management. For instance, if someone is offline, I could still control how long they could access a document. Policy changes, such as revoking access, take effect immediately for online users. Because of the Context grouping, I also easily rescinded a whole team’s access when a project was completed.
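The Context model described above (a group of documents, its members, and the role each holds), together with the offline-rights behaviour both products share (a cached grant that lapses after a set number of days so the user must reconnect for current policy), can be sketched as a small policy engine. This is an added illustration, not code from SealedMedia or Liquid Machines; the five role names are the ones the review lists, while the actions assigned to each role, the class and function names, and the sample users and documents are assumptions.

```python
from dataclasses import dataclass, field
# Added illustration of the rights model the review describes, not code
# from either product. The five role names are SealedMedia's; the actions
# each role permits are assumed.
ROLE_ACTIONS = {
    "contributor": {"open", "edit", "save", "print", "email"},
    "reviewer": {"open", "annotate", "print"},
    "reader": {"open", "print"},
    "no-print reader": {"open"},
    "item reader": {"open"},
}

@dataclass
class Context:
    """Groups documents with members and the role each member holds."""
    name: str
    documents: set
    members: dict = field(default_factory=dict)  # user -> role name
    offline_days: int = 3  # days a cached grant stays usable offline

@dataclass
class Grant:
    """What a client caches after an online check, for use offline."""
    context: str
    role: str
    issued_day: int
    offline_days: int

class PolicyServer:
    def __init__(self):
        self.contexts = {}
    def add_context(self, ctx):
        self.contexts[ctx.name] = ctx
    def revoke(self, ctx_name, user):
        # Dropping the member revokes every document in the Context at once.
        self.contexts[ctx_name].members.pop(user, None)
    def grant(self, user, doc, day):
        """Online check: a Grant if some Context holds both user and doc."""
        for ctx in self.contexts.values():
            if doc in ctx.documents and user in ctx.members:
                return Grant(ctx.name, ctx.members[user], day, ctx.offline_days)
        return None

def is_allowed(action, day, grant):
    """Client decision: online callers pass a fresh grant, offline callers
    the cached one, which lapses after its window so they must reconnect."""
    if grant is None or day - grant.issued_day > grant.offline_days:
        return False
    return action in ROLE_ACTIONS[grant.role]
```

Revocation is modelled as removing the member from the Context, so an online check fails immediately while an offline client keeps only whatever it cached until that window runs out.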

Audit trails allowed me to view every action performed on a sealed document, and the time it occurred. However, E-DRM 5.0 has only elementary log searching and reporting.

Balancing your options

Liquid Machines and SealedMedia are relatively balanced when comparing their general characteristics. SealedMedia’s setup went quickly, and E-DRM 5.0 offered strong security without sacrificing usability. Although you can’t protect as many file formats with SealedMedia as you can with Liquid Machines, bonuses with SealedMedia include pre-configured security groups, which I feel is a more scalable architecture, and standard e-mail protection -- all reasons it scored higher.

Liquid Machines is more flexible in the choice of licensing server. But this decision means some compromises in the method used for protection, limiting the system to newer Office applications. I would have liked to see native e-mail integration -- it’s available separately, but you’ll have to pay more for it -- and better ways to accommodate offshore partners.

Finally, both solutions integrate with various third-party content management applications, including EMC Documentum. I mention this broader content management aspect because of its growing importance as enterprises search for ways to protect content repositories. So if you want to combine your content management system with a DRM solution, both Liquid Machines and SealedMedia will allow you to do so, although I would probably lean toward SealedMedia’s open, Web services architecture in such a scenario.

InfoWorld Scorecard

                                      Value  Performance  Reliability  Features  Ease of use  Scalability  Overall Score
                                      (10%)  (20%)        (20%)        (20%)     (20%)        (10%)        (100%)
Liquid Machines Document Control 6.0  7.0    8.0          9.0          8.0       8.0          8.0          8.1
SealedMedia E-DRM 5.0                 8.0    8.0          9.0          9.0       8.0          9.0          8.5

Copyright © 2006 IDG Communications, Inc.
