Enterprise document security and Digital Rights Management

Enterprise Document Security & DRM

Enterprise document security has seen increased uptake as corporations extend their document protection measures not just to prevent document leakage but also to control how users use documents.  Digital Rights Management adds an extra layer of security that controls document use, and is a flexible alternative to traditional enterprise document security solutions.

One of the commonest problems the Enterprise has to resolve is the security of document content inside the Enterprise, commonly known as Enterprise Document Security.  There are many kinds of sensitive corporate document that must be accessible internally but must also be kept within defined groups of people, and are not intended for general distribution outside the Enterprise.  These typically include:

  • Internal policies and procedures
  • Internal standards
  • Price lists
  • Financial documents including budgets, results, potential mergers or acquisitions
  • Restructuring plans
  • Client/customer analyses
  • Product manuals
  • Internal training documents

At first glance you might think that the normal computer operating systems had this problem sorted long ago, but things don’t always work how you think.  The document security controls normally provided with operating systems are ‘access’ controls: they are focused on who is able to access documents rather than on what users can do with and to them.  This is a rather broad brush approach.  Usually you can say who can read a document, but that does not stop a user from printing it or screen grabbing it.  You could stop printing by forbidding access to the printer, but that would stop the user from printing anything, which is probably not what was intended.

Similarly, a user who is able to save a document can usually save it anywhere, or at best only into permitted folders.  But users may still be able to send the documents outside as email attachments or upload them to an FTP server because they have access to those services, or have them synced to Dropbox or something similar.

Enterprise document security solutions

As you can imagine, a variety of enterprise document security products and services have been developed to try to remedy these problems.  Endpoint systems have been developed that forbid the use of USB or ‘flash’ drives even where the hardware has the ports.  Email suppliers have developed scanning techniques to try to detect documents that should not go out unless encrypted for a specific recipient.  This has two problems: a document in a valid format the scanner does not recognize will be refused, and documents that contain reserved words as part of their normal content will also be refused (false positives).  Scanning systems must therefore be treated with some caution.  Forbidding Bring Your Own Device (BYOD) has been tried, although usually senior management insist on using phones and tablets for speed and convenience, so you end up having to accept the flexibility anyway.

But what can you do about it?

Putting up network barriers does not solve the problem because users have too many ways round or through them, so one has to protect the actual document and its content directly.

Enterprise Digital Rights Management

This is where Enterprise Digital Rights Management (Enterprise DRM or Enterprise Rights Management) steps in.  But this means introducing a whole series of controls that don’t exist in the ordinary operating system, including:

  • Controlling printing: stopping it entirely or limiting the number of prints
  • Restricting the IP address or IP address range(s) from which a document can be opened, so that confidential documents can only be viewed at the office
  • Stopping Print Screen and screen grabbing
  • Authorising individuals or groups to use information subject to your controls
  • Preventing off-premises BYOD use
  • Stopping users from passing documents on outside your controls
  • Setting time limits on document use
  • Suspending or revoking document use in real time if necessary.
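The controls listed above are decisions a protected-document viewer has to make every time a user tries to open or print, against a licence that the user must not be able to alter.  The following is an added example, not Locklizard code or a description of any vendor's format: it issues an HMAC-signed JSON licence for one document and user (the field names, the shared `SERVER_KEY` and the licence layout are assumptions for the demo) and then evaluates view and print requests against IP range, time window, print quota, real-time revocation and an offline grace period.  The grace period also illustrates the "online or offline" requirement discussed under integration below.  Scenario data (users, addresses, document IDs) is constructed.

```python
import hashlib
import hmac
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Assumption for the demo: a secret shared by the licence server and the viewer.
SERVER_KEY = b"demo-licence-server-key"


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_licence(key, doc_id, user, allowed_cidrs, valid_from, valid_until,
                  max_prints, offline_grace_days):
    """Build a licence for one document/user pair and sign it, so the viewer
    can detect tampering (for example a user raising max_prints by hand)."""
    body = {
        "doc_id": doc_id,
        "user": user,
        "allowed_cidrs": allowed_cidrs,          # e.g. ["10.0.0.0/8"]; [] means anywhere
        "valid_from": valid_from.isoformat(),
        "valid_until": valid_until.isoformat(),
        "max_prints": max_prints,                # None = unlimited, 0 = no printing
        "offline_grace_days": offline_grace_days,
    }
    return {"body": body, "sig": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def licence_is_authentic(key, lic):
    expected = hmac.new(key, _canonical(lic["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, lic["sig"])


def evaluate(lic, action, *, user, client_ip, now, prints_used, revoked_doc_ids,
             last_server_contact):
    """Return (allowed, reason) for action in {"view", "print"}."""
    if not licence_is_authentic(SERVER_KEY, lic):
        return False, "licence signature invalid"
    body = lic["body"]
    if body["user"] != user:
        return False, "licence issued to a different user"
    if body["doc_id"] in revoked_doc_ids:           # real-time suspension/revocation list
        return False, "document access suspended or revoked"
    start = datetime.fromisoformat(body["valid_from"])
    end = datetime.fromisoformat(body["valid_until"])
    if not (start <= now <= end):
        return False, "outside permitted time window"
    # Offline use: the viewer must have reached the control server recently enough to
    # have picked up any revocation; beyond the grace period it refuses to open.
    if now - last_server_contact > timedelta(days=body["offline_grace_days"]):
        return False, "offline grace period exceeded; reconnect to control server"
    if body["allowed_cidrs"]:
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(c) for c in body["allowed_cidrs"]):
            return False, "client address not in permitted range"
    if action == "print":
        if body["max_prints"] is None:
            return True, "print allowed (unlimited)"
        if prints_used >= body["max_prints"]:
            return False, "print quota exhausted"
        return True, f"print allowed ({body['max_prints'] - prints_used} remaining)"
    if action == "view":
        return True, "view allowed"
    return False, f"unknown action {action!r}"


def demo_decisions():
    """Constructed scenario: one licence, several access attempts."""
    now = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    lic = issue_licence(SERVER_KEY, "PRICELIST-2024Q1", "alice", ["10.0.0.0/8"],
                        now - timedelta(days=1), now + timedelta(days=30),
                        max_prints=2, offline_grace_days=3)
    common = dict(user="alice", now=now, revoked_doc_ids=set(),
                  last_server_contact=now - timedelta(hours=2))
    # A user edits the licence file to lift the print quota; the signature no longer matches.
    tampered = {"body": dict(lic["body"], max_prints=999), "sig": lic["sig"]}
    return {
        "view_in_office": evaluate(lic, "view", client_ip="10.1.2.3", prints_used=0, **common),
        "view_from_home": evaluate(lic, "view", client_ip="203.0.113.7", prints_used=0, **common),
        "print_within_quota": evaluate(lic, "print", client_ip="10.1.2.3", prints_used=1, **common),
        "print_quota_exhausted": evaluate(lic, "print", client_ip="10.1.2.3", prints_used=2, **common),
        "revoked": evaluate(lic, "view", client_ip="10.1.2.3", prints_used=0,
                            **dict(common, revoked_doc_ids={"PRICELIST-2024Q1"})),
        "stale_offline": evaluate(lic, "view", client_ip="10.1.2.3", prints_used=0,
                                  **dict(common, last_server_contact=now - timedelta(days=10))),
        "tampered_quota": evaluate(tampered, "print", client_ip="10.1.2.3", prints_used=5, **common),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in demo_decisions().items():
        print(f"{case:22} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Two points matter in practice: the checks are ordered so that a revoked or expired licence is refused before any quota is consulted, and the print counter (`prints_used`) must be stored somewhere the user cannot reset, or the quota control is cosmetic.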

These are all ‘Digital Rights Management’ class controls rather than just access controls, so you will need a separate system to administer and control your protected documents.

Integrating Enterprise DRM

In larger organizations having a separate enterprise document security system can introduce extra requirements, such as:

  • Integration with Single Sign On (SSO) systems for administration
  • Automation of new document protection
  • Ability to require users to be online, or to allow offline use
  • Automation of secured document distribution
  • No key management burden placed on users or administrators
  • Allowing Internet access to documents.

SSO integration removes the need for users to log on separately to each internal system, which is a major source of poor password practice (and a drain on the patience of administrators).

Usually there is a Document Management System (DMS) that marshals and collates new documents, some of them produced collaboratively.  Document protection and allocation need to be consistent for the target user audience, so automating this step can be critical to the accuracy and consistency of the results.  These are also capabilities needed to satisfy standards such as ISO 9001 Quality management.  So an Enterprise DRM system must provide an API that lets the DMS include document protection as part of its publishing process if the whole is to be efficient.

Enforcing Enterprise Document Security

Increasingly, there is no ‘perimeter’ that can be defined for much of the Enterprise.  The Institute for Defense Analyses (IDA) noted in 2015 that the Jericho Forum concludes that, “De-perimeterization diffuses the strict boundaries between the internal and external network, requiring organizations to authenticate and encrypt all IT services which are made available.”  Enterprise Digital Rights Management class technologies go a considerable way to meeting those requirements.

The rapid move to cloud services has taken both applications and data away from traditional administration and control and created new exposures.  It has also created the need for cloud based document security servers that evaluate requests from would-be document users and enforce the full range of controls wherever the users and the data are, particularly when they are physically separate.

Users also need access to documents when a control server is not available (on an airplane, at other untrusted premises, or where network access is difficult or patchy), and these needs have to be catered for.  Sometimes the requirement is to work from different machines, a desktop in the office and a tablet on the move, and the service must work seamlessly across them.

And just as users need to be able to read mail when they are out of the office, there is a requirement to view protected documents even in ‘hostile’ environments such as Internet cafes, using protection methods that do not leave temporary unprotected copies of the document on uncontrolled devices.

This is very similar to the situation of publishers selling books to customers who may use any device they wish on any network they happen to be on.  It does not fit the network access or SSO type of regime, because customers cannot conveniently be registered into domains or given network logons in order to access protected materials.  Indeed, there are some very good security reasons why you would not want insiders to reach critical resources from outside networks, especially if they can perform administrative functions.

Enterprise Document Security and Document Auditing

Apart from the document protection and control requirements of an enterprise document security solution, there are ‘audit’ controls needed for some documents:

  • Has the user opened the document (read it)?
  • When was the document opened?
  • Has the user printed the document?
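Audit answers of this kind are only worth reporting if the record itself cannot be quietly edited after the fact.  The following is an added example, not Locklizard code: a hash-chained audit log in which each open or print event commits to the previous entry, so a modified or deleted entry breaks verification, together with the per-user report (opened?, when?, how many prints?) that the three questions above call for.  Class and field names are chosen for the demo and the events are constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev-hash for the first entry


def _digest(fields):
    return hashlib.sha256(json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditLog:
    """Append-only list of document usage events with a SHA-256 hash chain."""

    def __init__(self):
        self.entries = []

    def record(self, user, doc_id, event, when):
        """Append an event ("open" or "print"); the hash covers the previous entry's hash."""
        fields = {
            "seq": len(self.entries),
            "when": when.isoformat(),
            "user": user,
            "doc_id": doc_id,
            "event": event,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(fields, hash=_digest(fields))
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """Return (True, None) if every entry is intact and linked, else (False, bad_seq)."""
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            fields = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or fields["prev"] != expected_prev or _digest(fields) != e["hash"]:
                return False, i
            expected_prev = e["hash"]
        return True, None

    def report(self, doc_id, users):
        """Per-user compliance summary for one document: opened?, first open time, print count."""
        out = {u: {"opened": False, "first_opened": None, "prints": 0} for u in users}
        for e in self.entries:
            if e["doc_id"] != doc_id or e["user"] not in out:
                continue
            row = out[e["user"]]
            if e["event"] == "open":
                row["opened"] = True
                if row["first_opened"] is None:
                    row["first_opened"] = e["when"]
            elif e["event"] == "print":
                row["prints"] += 1
        return out


def demo_report():
    """Constructed events for one policy document, then a tampering attempt."""
    log = AuditLog()
    t0 = datetime(2024, 3, 4, 8, 30, tzinfo=timezone.utc)
    log.record("alice", "POL-017", "open", t0)
    log.record("alice", "POL-017", "print", t0 + timedelta(minutes=5))
    log.record("bob", "POL-017", "open", t0 + timedelta(hours=1))
    log.record("alice", "POL-017", "print", t0 + timedelta(days=1))
    report = log.report("POL-017", ["alice", "bob", "carol"])
    ok_before, _ = log.verify_chain()
    # Someone edits the stored log to hide alice's second print; the chain no longer verifies.
    log.entries[3]["event"] = "open"
    ok_after, bad_seq = log.verify_chain()
    return report, ok_before, ok_after, bad_seq


if __name__ == "__main__":
    report, ok_before, ok_after, bad_seq = demo_report()
    for user, row in report.items():
        print(f"{user:6} opened={row['opened']!s:5} first={row['first_opened']} prints={row['prints']}")
    print(f"chain intact before tampering: {ok_before}; after: {ok_after} (first bad entry {bad_seq})")
```

The chain detects modification and deletion but not truncation of the tail, so in a deployment the latest hash is periodically signed or copied to a separate system; the `report` function is deliberately limited to the questions the text asks, since over-collection of usage data is itself a privacy exposure.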

These can be required for compliance monitoring and reporting, or for health and safety purposes, or as part of continuing professional study.

Many quality standards, such as ISO 9000, include the requirement to demonstrate that awareness has taken place as evidence of the enterprise’s commitment to quality.  This is increasingly the case in heavily regulated enterprises such as those in the financial and medical sectors.

Locklizard Enterprise Digital Rights Management

Locklizard products deliver the document DRM class controls needed to meet these Enterprise Document Security requirements, and can be loosely integrated into existing document handling technologies, allowing the Enterprise to increase both the security and the usefulness of protected documents.