[Editor's Note: In the first installment of this two-part series in the June 2011 issue of KMWorld, author Robert Smallwood wrote about the critical nature of electronic document security, the use of enterprise rights management (ERM) software in safeguarding information and Microsoft's role in the ERM market. The second part of this series includes a sampling of other vendors in the e-document security space.]
In addition to Microsoft, Adobe is a major player in enterprise rights management (ERM). Adobe has a large installed presence of its LiveCycle Rights Management, which provides data-centric security by applying user access and control policies to documents. It supports various types of data including PDF and Flash Video, and also native formats including Word, Excel, PowerPoint and select computer-aided design (CAD) and computer-aided three-dimensional interactive application (CATIA, marketed by IBM) output formats. Enforcement is handled by client software that authenticates users with the server when a document is opened. It can also provide protections without server interaction over a specified period of time. LiveCycle Rights Management includes detailed audit trail reporting for rights-protected information, document version control and expiration, and dynamic watermarking.
Early entrants into the enterprise rights management marketplace included Sealed Media, which was acquired by Oracle (oracle.com) in its early 2006 acquisition of Stellent, and Authentica, which was purchased by EMC later that year. But the promised integrations and additional development have apparently been slow to arrive.
Steve Coplan, a senior analyst at The 451 Group, says, "Looking at the ERM technology acquisitions that Oracle and EMC made, they really haven't done much additional development or integration, and, in fact, most of the original development teams have moved on. As a result, the technology has gotten a little long in the tooth, and they're falling behind, compared to the competitive field."
Brian Hill, senior analyst with Forrester Research, agrees, "It's fair to say that some of the infrastructure vendors who acquired ERM companies have fallen short on the promise of integration with their enterprise content management offerings and improved ease of deployment, which would allow for more widespread adoption. This has opened the door for other players in the market."
Rising stars and additional players
Some of the rising stars and additional players in the enterprise rights management market include:
Avoco Secure offers enterprise rights management software to link security policies to an individual's or group's identity to enforce the access to and use of digital assets, but it goes further, offering digital signing and information card provisioning linked to digital identities. The software uses an individual's (or group's) identity and other forms of authentication to enforce security policies for access control or verified digital signatures. The software encrypts content and authenticates users to control what they are allowed to do with that content. Customers are able to design completely electronic steps for processing transactions.
The company began by supplying the software to the defense sector and expanded into commercial applications. It reaches its customers through a partner network. Avoco Secure's suite of products allows digital signatures to be added to content (a digital signature is the equivalent of a handwritten signature that can be used to sign a digital document on a computer or online, so that documents no longer need to be printed, signed and mailed or faxed back, making it possible to create workflow systems that push documents along the signing process, while maintaining an audit trail of signatures).
Its product, secure2sign for Word, allows users to digitally sign an MS Word document or form using a digital certificate to identify the signatory. It supports multiple signatures on a document as well as sectional signing--both features are requirements if a document is to be part of a workflow process involving multiple parties. In addition, it allows signatories to apply a time-stamp at the time of signing. Avoco Secure also offers that capability for MS Excel documents, and HTML or xHTML web forms, which is useful in applications such as insurance claim submission and mortgage loan applications.
Check Point Software Technologies has an appetite for acquisitions: Last year it purchased an early entrant in the enterprise rights management market, Liquid Machines. In 2009, it bought FaceTime Communications' application database and Nokia's Security Appliance business. In response to an inquiry, the firm issued the following statement: "In order to protect corporate data, computers, devices and infrastructure, organizations need to deploy a holistic and multilayered security approach. The first step is to define and implement strong data security policies. Businesses need to establish the appropriate privacy settings and clearly define who is entitled to access specific types of information, as well as what confidential data is visible and to whom. Second, businesses need to implement specific data security solutions that secure their sensitive data in multiple forms and throughout its life cycle: data at rest, data in motion and data in use. They must choose an approach that can effectively prevent data loss before it occurs, rather than just detect it, after it occurs."
Covertix is led by CEO Alon Samia, who says, "Our software is next-generation enterprise rights management, as compared to the offerings of the major infrastructure and content management vendors." When asked to define which features set his firm's software apart from established players, Samia replies, "We do content- and context-based policy assignment. The owner of the document can decide context level rules, which means not just who, but where--that is, it's not just who you are, but where you are. So, for instance, you may be able to print a financial document in the accounting department, but not in the IT department. Or you may access a file on your desktop, but not on your laptop. Everyone now knows that even authorized users can go bad and misuse internal documents, or leave the organization and take them with them. It happens every day."
Samia believes that part of the problem with flagging ERM implementations lies not only in the complexity of policy management, but in the actual approach to ERM projects. "Implementing this type of security requires a phased approach," he says. "You have to pilot and fine-tune. For instance, some 'violations' are actual valid uses, so you have to go back and refine your policies. And you continue to do that as you roll out the system to handle more document types and departments."
FileOpen Systems is an early provider of rights management, with deep Adobe roots. It delivered protections for Adobe products initially in 1997. Since then, the firm has added support for MS Office, BlackBerry and other formats. Although noted analysts assert that Microsoft leads this market, FileOpen may be flying underneath their radar, claiming to have millions of users in more than 1,000 corporations. Customers have the choice from toolkit, server or hosted options. The software utilizes its own proprietary viewer, which obviates the need for client software.
Elizabeth Murphy, VP of sales and marketing, says, "We've experienced a significant sea change in recent years caused by high-profile security leaks and loss of revenue due to piracy of intellectual property and online document sales. What's becoming more and more apparent is that the exchange of electronic data is so widespread and so easy that it's impossible for most companies to protect without implementing security tools."
GigaTrust has close ties to Microsoft, stating it is "the only provider of 'intelligent rights management' that extends and enhances the capabilities of Microsoft's RMS." GigaTrust's technology is based on XrML (extensible rights markup language), although that standard "never really went anywhere," according to Coplan at The 451 Group. He describes GigaTrust as "a pure-play ERM provider." The ERM software is deployed through Microsoft Windows and Microsoft Office. The company did not respond to press inquiries, but according to its website, GigaTrust's client-server architecture automatically applies policies to Outlook-based e-mail and desktop files, including non-Microsoft Office documents on PCs running Office 2000 or Office 2007. The GigaTrust Web filter software dynamically applies the same policies to content delivered from databases, Windows, SharePoint Services portals and websites using Internet Information Services (IIS).
InDorse Technologies has caught the eye of some leading industry analysts with its ability to make file protection simple and scalable in an increasingly Web 2.0-enabled, device-agnostic, cloud-based business environment. Rob Marano, president and CEO, says, "Our company was founded to provide solutions that protect a company's important files without disrupting business flow or requiring intensive network configuration. In today's increasingly cloud-based and SaaS-based business environment, files are being shared more and more to conduct business. However, traditional information security solutions are unable to handle the move from silo-based IT security to the cloud. Given the shift away from internal servers, it was important to create a solution that was in lockstep with this trend. InDorse was built with the mindset that no software would be required and users would not be forced to change their daily routine."
When InDorse's ERM software is deployed, even authorized users are stopped from downloading large quantities of files in limited settings from remote locations. A trail of forensic data that captures who is downloading or opening files provides immediate accountability--before files can be leaked. What sets the company apart? Marano says, "InDorse products do not require any client software, automatically enforce usage and protection policies for sensitive business files, and actively and passively track and trace the files for life."
NextLabs began as a provider of data loss prevention (DLP) solutions, then moved upstream into enterprise rights management to offer a more complete security solution, which it terms "information risk management." The software is based on eXtensible Access Control Markup Language (XACML) from the standards body OASIS (oasis-open.org). XACML is a way of articulating policy, a core XML schema for representing authorization and entitlement policies, which allows standardization of access control routines across platforms.
Although players like Oracle are involved in XACML, NextLabs is currently the only company offering ERM based on the standard. That standardization and simplification allows for a drastic reduction in policy creation and maintenance. What else is unique about the firm's approach? Andy Han, VP and GM of products with NextLabs, says, "We offer transparent rights management, and we're able to apply rights to any file type or any application. We have 'content awareness' built in, so based on the context of the file, we can determine rights. Also, we don't base policies on individual user identities, but base them on attributes and roles, so it is much more flexible and easier to maintain."
Zafesoft offers "the only solution that provides content security with edit," according to the website. "Users can edit, copy, paste, etc. All information remains 'zafe' (fully secure), including copy of copies and derivatives taken from one file to another." 'Zafed' content looks and behaves like the original, and is encrypted locally. Sandeep Tiwari, CEO, says, "We secure information in its native format, allow users to access and edit documents in their native format--we don't force them to use a proprietary viewer." The solution is cross-platform, supporting Windows, Mac and Linux. Presently, Zafesoft has fewer than 10 customers, but it had only been marketing the product for several months at press time. The Autonomy pattern search engine is used to search content for patterns and to secure the content.
Forrester's Hill sums up the enterprise rights management marketplace this way: "ERM products are still mostly geared toward protecting documents inside an enterprise. Our customers tell us it's still just too difficult to share documents across company boundaries, even with enhancements like MS Active Directory federation services. We expect new lightweight collaboration features will allow for more casual business-to-business collaboration, without requiring armies of lawyers and IT staff. In our view, purchases of one-off ERM solutions will trail off, in favor of more complete solutions, such as those integrated with DLP technology, content management infrastructure and other risk mitigation solutions."
Organizations will struggle with securing internal documents and sifting through the myriad of security solutions available, but the best security tool is to make information governance a priority, a part of the organization's culture.