Managing Rights Management

Information Week reports a study indicating that 45% of respondents admit stealing corporate data when changing jobs. Commissioned by Enterprise DRM company Liquid Machines, the study reported:

Of the 45% of respondents who said they've taken data with them when they've left a job, some said they simply e-mailed data to a personal address. Others said they walked out the door with the data, usually on a peripheral storage device, tucked in a bag or pocket. Eighty-seven percent said they're allowed to use flash drives, while 69% can use external hard drives. Even MP3 players, which are used by 46% of respondents, can be used as external hard drives.

The study also showed that with so many admitting to taking data with them when they leave jobs, it's no surprise that 53% of respondents said they suspect their companies' intellectual property is being used by the competition. Among manufacturing employees, a whopping 71% said their competition has used their companies' intellectual property. Technology employees agree with this statement 63% of the time.

Bank Technology News reports that Goldman Sachs is implementing Liquid Machine's Enterprise Rights Management for both security and compliance. (Goldman is an investor in Liquid).

...Although it provides an audit trail for document use, ERM doesn't supply compliance with Sarbanes-Oxley financial record dictums, and is overkill for a bank looking only to keeping client records confidential. In addition, adds The Burton Group senior analyst Trent Henry, "there's a fairly significant amount of complexity, and concerns about interrupting work and efficiency."

Because of ERM's nascent presence in the market, for example, many CIOs are unsure how to set rights management in an offline environment-such as when the CFO is on a four-hour flight with his laptop, unable to authenticate his credentials to a spreadsheet file. "What is also going to change," says Henry, "is the burden on individual users." They must understand what sorts of policies and templates to apply when creating documents, so as not to needlessly encrypt an internal memo on, say, office kitchen rules.

BusinessWeekOnline has an interview with attorney Thomas Vinje, who represents Microsoft antagonists, in which Vinje notes:

In February, ECIS filed a new complaint that accuses Microsoft of trying to extend its dominance via planned new products, such as a new operating system for servers. What does that mean exactly?

What Microsoft is trying to do now is bundle digital rights management products into the operating system. We've seen this movie before. We've seen it with Netscape, with RealPlayer (which lost massive market share after Microsoft bundled similar products into Windows).

Microsoft has 70% of the overall server market, they are certainly dominant. Try selling digital rights management products when there is already a usable one in the operating system.

Essential Security Software's Taceo email product has been added to the right hand sidebar list under Email, DRM enabled. Taceo is focused on the numerically large small business market. Taceo is principally an Outlook plugin that can protect files in Microsoft Office and PDF format.

Neil McAllister's InfoWorld article, In Praise of Digital Rights Management, strikes the right balance.  Putting DRM in the hands of very one is, in my view, a most important goal. Snippets:

Federated or multi-organization DRM is, of course, one of the Holy Grails of Enterprise Rights Management. Now GigaTrust has announced a federated DRM service for those who have implemented Microsoft's RMS. Snippets:

TheRegister (UK) has an article describing, among other things, Sun's and Microsoft's collaboration on DRM. Snippets:

Sendmail has announced that it has expanded its Platform Partnership Program to include solutions from Authentica, eleven, Feith and ZANTAZ.  Snippets:

Authentica has announced improvements in its Secure Email and Active Rights Management products. Snippets:

Liquid Machines has announced the general availability of its Document Control 5.0 DRM  and 3.0 Email control that extends Microsoft's Rights Management Services (RMS) on Windows Server 2003.  Snippets:

eWeek columnist Peter Coffee's May 2nd column, "It's Time to Stop Overpackaging and Underprotecting Content" starts out in the right direction but fundamentally misunderstands Digital Rights Management. If I understand what he's saying, it's that creators often fail to implement appropriate security given the nature and context of their information. So far so good.

Here's what I don't understand:

Digital rights management is a common stalking-horse for intrusive restrictions on moving bits from one place to another. Hypothetically, imagine being barred from attaching an Excel spreadsheet to an e-mail unless you give the e-mail service provider your authorization code for document-exchange rights from a registered copy of Microsoft Office.

DigiMarc announced today an upgrade to its ImageBridge watermarking software product for image identification and search capabilities. Snippets:

"As the world's preeminent visual solutions provider, Corbis relies on Digimarc to defend our photographers' copyrights against infringement," said David Weiskopf, Corporate Counsel at Corbis. "We are excited about the enhanced image tracking capabilities offered in ImageBridge 2005. Digimarc continues to help Corbis lead the industry down the path of protection."

Stock photo, entertainment and consumer brand companies publish and distribute valuable digital images extensively in their online marketing and sales efforts. ImageBridge 2005 provides new search services to track these image assets on the Web, enhancing enterprise security and compliance programs.

I recently had a conversation with Sandy Porter, Business Development, at Avoco Secure (“Avoco”), an Enterprise DRM company based in the United Kingdom.  Avoco competes in the document security and rights management space. The company is presently in the early customer adoption phase and is approaching general availability with its document DRM solution, secure2trust (“s2t”).

Before discussing the company and its s2t DRM product, here is some broader background that establishes some context.

Enterprise DRM In The 21st Century

The Enterprise IT world has started to recover from the collapse of the dot com bubble and the consequences of 9/11. We are now witnessing, I believe, the 3nd Coming of DRM. Several Enterprise DRM companies either were founded or got funding and achieved momentum after the turn of the century. There is now a lively and apparently growing international market for Enterprise DRM software products.  Specific competitors are addressed later in this blogicle.

I recently spent time talking with Ian Walsh, Director of Product Marketing for Approva Corporation. Approva provides applications used in conjunction with certain major enterprise software systems that materially increase the management, security, transparency, and auditability of these systems. Approva is a leader in the application domain called Enterprise Controls Management and should be of interest to security professionals, auditors, and corporate executives and business managers and others interested in permissions, entitlements, controls, rights management, and audit information.

Pinon Software has been added to the list of Enterprise DRM vendors.

Blueprint has been added to the Music & Video and Mobile DRM lists

Cauldron Solutions has been added to the Muisc & Video list.

Gord Larose' DRM Dictionary has been added under "related / adjacent"

An article in Government Computer News addresses the lack of progress on information sharing across organizations.

A lack of clear strategies and concepts of operation is holding up progress on information sharing, Martin Smith, director of information sharing for the Homeland Security Department’s CIO Office, writes in a new report.

What's the future of Enterprise DRM vendors such as Authentica, IntraWare, Liquid Machines, SealedMedia, to name a few? What strategies can companies like these employ to ensure not only that they survive, but thrive, especially when the need for Enterprise DRM-enabled applications is so great?

Why do these questions arise at all? Consider the following:

• Microsoft continues to DRM-enable it's major enterprise platforms.
• The Linux community hates DRM;
  • it's oh so not Open Source and
  • there is a growing body of DRM-related patents that are being licensed, but the Open Source community hates software patents as well.
• SUN Microsystems
  • Sun has apparently made peace with DRM, but Sun appears to be moving away from its proprietary version of Unix toward Open Source. How far it will move is another matter.

Where can Enterprise DRM vendors go? There are only three directions: Up, Down, and Sideways.

More in another posting.

Various approaches to cross-platform and cross-application interoperability have been suggested. One idea is an interpreted DRM virtual machine (a Java-like VM but for rights management). However appealing, so far this approach seems mainly to push important difficult security issues down into the DRM-VM.

Cross-application interoperability has been attempted by using a combination of secure viewers with (a) redirectors that trap Operating System calls or network events or (b) a middleware layer that provides services to applications. Redirectors are used by some security applications, [e.g., certain Symantec products] so they have their uses even though significant limitations exist in most cases.  Middleware also presents certain security challenges that can be mitigated, but not fully eliminated, which is one reason why DRM ultimately needs to be rooted in the OS. Even if DRM is rooted in the OS, there are, of course, many OSs running on all kinds of devices.

One US patent application 20030018906, "Method and system for protecting software applications against static and dynamic software piracy techniques," assigned to Liquid Machines describes, among other things, another approach that is very cute (meant as a term of high praise). Its one of those ideas that I wish I had thought of. So what's the idea?

The cuteness entails: A method for protecting a software application module, comprising: rewriting the application module by overwriting executable code at identified authorization points.... and then inserting code that deals with authorization, entitlements, etc.

This rewrite the code approach implies generality: any OS, any application.

Of course, both the Devil and God are in the implementation details.