DRM might be coming back to the enterprise

Digital rights management might be coming back to the enterprise, experts say, as long as usability issues don't get in the way.

You might remember the technology from a decade or so ago. Companies were worried about employees accidentally sending sensitive files to the wrong recipients -- or to the right recipients, who then shared them with others without permission.

But it turned out that enterprises had much bigger security issues to worry about. Employees or partners accidentally sending a document to the wrong person accounted for less than 1 percent of all security incidents, according to the most recent Verizon Data Breach Investigation Report.

Partners deliberately stealing data accounted for about half of 1 percent of incidents.

Meanwhile, according to a recent report from Frost & Sullivan, eDRM systems have historically been siloed by their abilities to handle different file formats, difficult to use, and expensive to deploy and customize.

But with renewed interest in cyber security, increased compliance requirements and significant advances in usability and pricing models, enterprise DRM has a new opportunity to make its mark.

"I am seeing growth in this area," said David Monahan, research director at Enterprise Management Associates. "Since the Snowden releases, there has been a significant increase in the desire and use of encryption and other services to protect data by various means."

According to Monahan, vendors in this area are reporting significant double-digit growth, with some seeing 50 percent to 100 percent and higher revenue growth.

Eric Ogren, founder and principal analyst at Ogren Group, also said that he's seen growth in this area.

"I am seeing upticks in growth in this category, mostly driven by the need for employees to easily share sensitive information," he said. "Files are always distributed outside the range of corporate security, typically up and down the supply chain. So this trend extends file security beyond the walls of the enterprise."

According to Frost & Sullivan, the biggest adoption of this technology is in the financial services industry, in the government sector and in healthcare.

The big, established players, like IBM, Microsoft, Citrix and Box, have or are working on enterprise-level security for their file sharing platforms.

And there are dedicated vendors as well, such as Vaultize, WatchDox, Accellion, Fasoo, Syncplicity, Seclore and Egnyte.

One of the newest vendors in this space is FinalCode, which makes a product that encrypts and locks down files so that recipients can be prevented from printing, sharing or saving local copies while still allowing them to view the files, or even edit them, using standard business applications like Microsoft Word.

"Not only is the encrypted file only available to authorized persons, but usage can be tracked," said Hiroshi Wada, IT manager of corporate planning, Pioneer Service Network, a Japanese car and home electronics services company. "More so, as a file is taken, it can be deleted remotely."

For example, FinalCode can be used Dropbox-style, where employees drop files into a network folder. FinalCode can be deployed to monitor the folder and automatically secure any files dropped into it. FinalCode can also be used in combination with existing file-sharing infrastructure, including that of Box, Dropbox, EMC, Oracle, and Microsoft.

"It eliminates the setup of secure file transfers, credentials, and other kludgy or complicated technology," said a CISO at a Boston-based financial firm who did not want to be quoted by name.

For example, he said, executives can drop in legal documents that need to be communicated with outside counsel.

Another use of FinalCode is integration with data loss prevention software -- an outgoing document containing sensitive information would be automatically encrypted and secured without any additional action required on the employee's part.

"We want to keep our confidential data confidential but we don't want to kludge up the workflow process," he said.

The company has been testing out FinalCode for the past few weeks, and will be rolling it out to the highest-risk users first, then in a phased approach to everyone else at the company.

How it works

Different vendors approach the problem in different ways. Some allow browser-based access to the shared documents, for example.

FinalCode does not. It requires first-time recipients to install the FinalCode application, which then processes security and encryption for the most common business document types -- Office documents, PDFs, video, audio and image files, and some CAD documents.

FinalCode can be used to, say, allow recipients to edit documents but not to save local copies, make printouts, or take screenshots.

The full client application is available for Windows, and a limited client is available for iOS and Android mobile devices that allows viewing but not editing.

The company plans to release a Macintosh version as well.

There are no plans for browser-based access, however.

"In a browser-based application, people can copy and paste data, take screenshots, and forward the information," said FinalCode COO Scott Gordon. "The browser has limited security controls."

Another restriction is that the documents can only be accessed while the recipient is online. This could be problematic for people working outside the office, or while traveling.

"We're working on a way to open the files if you're in an airplane," he said. "It's on the road map, but not in the product right now."

When it comes to usability and security, he said, there will always be some trade-offs.

"There's no such thing as complete frictionless security," he said. "Security always comes with a level of friction. We're trying to balance user experience and control."

A high degree of transparency is required to gain wide acceptance, said Ogren Group's Ogren.

"Users have to be able to use any document creation tool they want, any storage capability they want, and any distribution mechanism they want," he said -- requirements that would be hard for any security vendor to meet.

"Inconvenienced users will revolt, throw out the product, and disparage IT," he said.

But if a vendor is able to overcome the usability obstacles, the business benefits are compelling, he added.

"The business can send out sensitive or regulated information without having to sweat disclosure issues from the endpoint," he said. "The files can even be automatically deleted when they become superseded or otherwise obsolete."

The crucial factor is user friction at both the sender's and the recipient's end, agreed Enterprise Management Associates' Monahan, who will be publishing a study this fall about interest in enterprise digital rights management.

"People indicated that they are happy to use security if it doesn't cause a problem with the parties they are trying to share it with, as that impacts their business revenues," he said. It also can't impact internal users because that could hurt productivity.

"If security gets in the way, people will bypass it to do what they think they need to," he said. "A solution that embeds itself into the existing technology, processes and workflows is crucial for acceptance."

In the study, based on an enterprise survey about file collaboration security, 75 percent of respondents expressed a high or very high level of concern about the risk of data leakage of sensitive files being shared, and half said that there were frequent instances of inappropriately shared documents or unauthorized access to files containing sensitive, confidential, or regulated information in their organization.

"Companies like FinalCode that protect data at the file and operating system level are in a good place right now," Monahan said. "With the recent impacts on Sony, there is a resurgence of attention on protecting internal data. This is going to keep expanding. The crucial point is the user friction at both ends. That is why many previous data protection solutions have not gotten popular support and are only used by those organizations requiring the utmost in protection."