Data Loss Prevention and Enterprise Rights Management

Data Loss Prevention (DLP) has been a hot topic lately based on increased intellectual property and personally identifying information (PII) leaks. A number of vendors are offering desktop and server systems to monitor traffic and determine whether sensitive content is going somewhere it shouldn’t. It’s like a reverse firewall – instead of keeping malicious outside traffic from coming in, it’s keeping malicious inside traffic with sensitive information from going out.

The challenge with these systems is that a very complex rule set needs to be developed to determine whether the content is sensitive and authorized to be delivered from the sender to the recipient. While searching for credit card and social security numbers can be easy, documents such as product strategies, CAD drawings, intraquarter finances, and board of director minutes can be much more difficult to track.

Implementing an information classification system is a critical step in any kind of information assurance initiative. If you don’t know what your sensitive information is, it’s difficult to protect it and determine who the authorized recipients are.

If you’re considering host and/or network based DLP, you may want to consider an extension or alternative by deploying enterprise rights magagement (also known as information rights management – IRM, or even digital rights management – DRM). One such product is Adobe LiveCycle Rights Management (formerly Policy Server)

Enterprise rights management provides persistent protection across data in storage and data at rest, inside and outside an organization. You aren’t limited to protections from access controls on a content management system or portal that only protect the document inside the virtual file cabinet. You aren’t limited to VPN, SSL, or S/MIME secure email sessions that only protect the content in transport. You also aren’t limited to protecting only your end-points, this technology provides persistent access control at the file level – no matter where the file goes or how it got there. A protected file is controlled by a server based policy rule which determines whether the authenticated recipient is allowed to view the document. Further, application level permissions can restrict what an authorized viewer can do with the document – such as printing, modifying, and copy & paste clipboard functions.

Adobe’s LiveCycle Rights Management solution provides dynamic policies which can change after a document has been published and distributed. If a previously authorized recipient changes roles or leaves an organization completely – the document will no longer open, no matter how many copies were made to hard drives, USB keys, and CDs/DVDs. This dynamic policy engine can be integrated with a content management system so the same groups/roles/permissions that protect the file inside the virtual file cabinet are persistent to the file after it leaves the repository. Further, this dynamic protcol allows documents to be remotely version controlled and even revoked. So if the primary copy changes on the server, recipients have enforced versions on the desktop. As part of the LiveCycle Enterprise Suite, rights management can be programatically integrated into structured business processes that are generating documents and reports in bulk and routing electronic forms with sensitive financial or healthcare information. The rights can also be applied in ad-hoc workflows on the desktop with two clicks, e.g. Secure -> Insider Restricted.

IT organizations know that deploying software has become more difficult. The typical DLP vendors require desktop software to enforce infromation distribution. If you are sharing sensitive information outside your organization with customers, partners, suppliers, or government agencies – good luck telling them that they need your flavor of DLP end-point monitoring software requiring administrative mode install. If an employee or outside user doesn’t have end-point software installed, they can still interact with sensitive data without your knowledge. Even with the DLP software, printing, copying & pasting, and modifying isn’t usually restricted. With rights managed files – recipients cannot open a file unless they have an application with rights management and permission to open the file from the server – which also enforces what can be done when the file is open.

Adobe’s enterprise rights management software is built into PDF with Adobe Acrobat and Adobe Reader, version 7 and higher – across OS platforms. Further, Adobe has partnered with PTC and Lattice3D so their CAD software applications are natively incorporating enterprise rights management without additional plug-ins. The upcoming release of the Adobe Integrated Runtime (AIR) is also incorporating rights management to natively protect video files in Adobe Media Player. Great for protecting training videos and employee meetings with sensitive information that should not be available to unauthorized recipients. Multifunction peripherals and devices (MFP / MFD) are also including native Adobe rights management – such as Ricoh. Even native Office and Dassault CATIA documents can be protected – but those applications do require a a separate plug-in in order to view a rights managed document.

With enterprise rights management on all these native file formats, a protected document can accidentally or maliciously travel anywhere inside or outside an organization and provide added assurances that only the authorized recipients are available to view it. So while most DLP vendors only detect and block questionable traffic at end points, enterprise rights management persistently enforces access independent of storage, independent of transport.