Deployment tips for enterprise rights management

If you are evaluating or deploying data loss prevention or enterprise rights management technologies, here are some tips we have collected while helping organizations over the past few years. This particular list covers a deployment that spans internal and external users, such as a corporate board book for public companies with a board of directors.

How will non-employee participants authenticate? Organizations today use LDAP or Active Directory to internally authenticate users. For your non-employee board members, or accountants, partners, or customers – they will also need some form of authentication to your organization. This could also be LDAP, or even stronger security with a one-time-password (OTP) token or a public key infrastructure (PKI)-based smartcard or USB token. Alternatively, we have seen many organizations build their own authentication system using a relational database. Whatever mechanism you choose, make sure that it can tie into your rights management engine directly or through a service provider interface and that the policy server is able to create a single policy that contains participants from multiple directories. That way, a protected document is able to be exchanged seamlessly across the organizational boundary. Beware of encryption/rights management systems that are only tied to an internal or external email address and not another unique identifier. Otherwise, when Joe Smith (jsmith@domain) leaves and Jane Smith (jsmith@domain) joins – Jane could open Joe’s old documents simply because the email address was recycled.

How will external participants access your network? One option is to set up an IPSEC VPN for remote users to have internal access to authorized servers – including the content repository and the rights management server. Alternatively, SSL VPN is another lighter weight option. If the web service for rights management is available externally, it’s important to utilize account lockout features for potential brute force and denial of service attacks.

How will protected documents be stored/delivered? Today, many file servers, portals, and content management systems are already providing storage level security and file access control. However, once the document leaves the virtual file cabinet, it loses those controls and subsequent auditing – unless the files are protected with enterprise rights management. Large organizations have numerous vendors and versions of content management systems, portals, and file servers. If files are to be exchanged across business units or divisions, it’s important that rights management system is independent of any one content management system. Note that some vendors are attempting to use rights management as a way to lock in a whole suite of products together across the desktop and server, so look for flexibility and integration options. Once the files are protected, distribution should be possible via web, file shares, email, CD/DVD, and USB storage so as not to disrupt the workflow participants existing process using those methods. Rights management provides protection independent of storage and transport. If a protected file ends up somewhere it shouldn’t, the built-in protections still enforce access.

Protect files inbound or outbound? Identify whether you want the source files in the repository to be rights managed and/or only the copies. Look for a rights management system that can apply rights automatically as documents are entered into a repository and apply rights only as documents are copied out of the repository. There are pros/cons of each, so it really depends on your workflow and deployment goals. For instance, if all your inbound files are protected – you have extra encryption at the file level, should the repository be compromised. The challenge is that not all search systems may be able to index a protected file. Further, if you need to change rights management systems, you will have a lot of files to convert. Outbound protection can automatically encrypt files as they are being requested from the repository, leaving the original files untouched. This facilitates searching and flexibility in rights management deployment. A hybrid approach is to store one version of the file unencrypted in its source form and also automatically create a rights managed copy for external distribution outside the repository.

How will you classify your documents? It is important to have an information classification system to create a list of policies with corresponding users and groups. If you have too many policies, it will be difficult for individuals or even automated systems to determine what policy should be applied. This article provides additional recommendations on setting up information classification.

How will you identify sensitive documents? Once the documents are assigned a policy, it is important to mark those documents with the policy. This can be done either as part of the original source document template, part of a document stamping procedure on the server, or through a dynamic watermark on the document as applied by the enterprise rights management system. With the dynamic watermark, the policy can change on the document as well as provide additional information in the visible watermark such as the viewer’s name, email address, and/or date/time viewed. If the document then ends up somewhere it shouldn’t, you have a detective control to trace the source of unauthorized distribution.

How will authorization lists be maintained? A rights management policy needs to identify users or groups as authorized recipients. While users can be manually maintained in a policy, more dynamic organizations should look at groups and external authorization capabilities. For example, a group referenced by the rights management server could tie to an existing mailing list, or fileserver access list. HR systems can be configured to automatically populate directory groups based on reporting structure, so a “legal-all” group can dynamically include the entire legal department – even as employees join and leave the organization. Authorization within a content management system or custom system can be integrated to a policy definition through a service provider interface.

What are your end-user software limitations? Some document protection mechanisms require additional desktop software to be deployed and others do not. Most IT organizations are looking to limit the management of software they deploy internally. This can make it difficult to deploy rights management to the desktop, especially when exchanging files outside your organization – if additional software is required to open the document. Verify whether the security software requires administrative rights on the system and the compatibility with operating system vendors and versions. Adobe has integrated security natively into PDF as supported by Adobe Acrobat and Reader 7.0 and higher on Mac, Windows, and Linux platforms. The native enterprise rights management capabilities are utilized via webservice calls to the Adobe LiveCycle Rights Management server, so no additional software is required by recipients to view the protected document. Adobe has partnered with other IT providers to include rights management in their native applications and supported formats, such as PTC, Hitachi/Lattice3D and multi-function peripheral vendors like Ricoh. Adobe also provides plug-ins for Microsoft Office and Dassault CATIA native file formats so rights management policies can be consistently applied across a variety of applications and formats.

How will your users be trained? Once a system is deployed, it’s important for users to be trained on its use, including which policies to use on which applications and file formats under which circumstances. Options range from instructional text on employee portals, to doorhanger and poster campaigns, to mandatory online training classes.

How will your system scale? With an increasing number of employees, partners, and customers accessing sensitive information– it’s important that your enterprise rights management system will scale to meet the needs of the growing community. Look for high availability systems that support J2EE clustering (eg WebLogic, WebSphere, JBoss) and scalable databases (Oracle, DB2, SQLServer, MySQL).

Will your administrators become insiders? If an administrator has access to sensitive information, that could make them an insider – depending on the content. While deploying an enterprise rights management system, look for segregation of duties where different administrators have access to different systems. For instance, one administrator may manage the repository of sensitive board book documents but another administrator manages the enterprise rights management server. Neither administrator would individually be able to view a sensitive document because access to the document and authorization to open it are both required.

What will you do when policies are broken? After deploying enterprise rights management, you will find an increase in policy violations. This includes internal and external people opening protected documents without access rights and watermarked documents found in unauthorized places. A strong communication and non-disclosure policy should be in place to address violations. Further, if violations require notification of law enforcement – be prepared to answer whether your compromised information was marked as confidential, whether the recipients knew what your confidential information classification policies are, whether the information was protected with information security, and has a quantifiable value to it.

These tips coupled with enterprise rights management, such as Adobe LiveCycle Rights Management, provide added assurances that your intellectual property and personally identifying information is protected and the corresponding policies/laws are more enforceable.