Securing Sensitive Documentation with DRM


In a perfect world, laptops would never be lost or stolen. Sensitive corporate information would always stay within authorized circles. And everyone would know—and follow—corporate policy without being constrained.

Of course, reality is much different. Headline after headline tells tales of misplaced or stolen laptop computers potentially leading to the compromise of thousands, if not millions, of personal records by cyber-criminals looking to make a buck. Stories also abound of the exposure of confidential data by employees who simply were unaware of what they should and should not do with corporate information.

Indeed, for the most part, organizations are doing a good job at protecting their environment from incoming threats. Putting a wide range of technologies in place to keep malicious Internet-based threats at bay has become standard operating procedure for many companies with virtually any degree of online presence.

But controlling outgoing information is another story. Unfortunately, employees sometimes download inappropriate information onto their laptops, only to see that laptop and the data it contains fall into the wrong hands.

And laptops are just one area of exposure. Employees may forward a sensitive corporate memo outside the enterprise, even though the document was intended for internal use only.

These concerns are keeping CIOs up at night. And rightly so, since they’re getting pressure from all sides to get a tighter rein on data.

Content Control

These concerns have a growing number of organizations looking for a fully-baked digital rights management tool that helps enforce corporate policy automatically and works across multiple platforms.

Such a solution might make documents accessible only to authorized individuals, who must authenticate before being able to access them. It might also prevent users from interacting with a document in a way that does not conform to company policy; for example, employees would not be able to download sensitive information or records onto their mobile devices.

While digital rights management is not a new concept and has been around for some time, improvements in technology have made the process much more affordable and applicable to today’s business operations. Furthermore, the emphasis on compliance has caused all of us as CIOs to examine and re-examine every option at our disposal as we continue to address that issue. As such, digital rights management has increasingly become the option of choice for CIOs in their continued attempts to manage information.

As an application, digital rights management solutions might vary from tool to tool, but each starts with a document retention and data classification strategy. After all, before documents can be tagged, their category must be identified and their distribution established. And, as history continues to demonstrate, it’s not enough to simply type “Proprietary Information: For Internal Distribution Only” at the top of a document and expect its circulation policy to be adhered to.

A more effective mechanism might be to wrap data objects themselves in a container of rights. Information, then, could go out to those who are authorized to receive it, but it could not be forwarded to individuals who are not on the approved distribution list.

Timing could be attached to documents, so that a highly sensitive document might be accessible by authorized individuals for just the next 24 hours, while another document might be accessible by authorized individuals for the next two years.

Any attempts to distribute a document outside its authorized limits would be blocked. And, should a user create a document without identifying its classification and distribution, the document would by default remain inaccessible to anyone other than its creator.
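The rights container described above can be sketched as a small access check. This is an added example, not code from any DRM product; the function names, the demo key, the HMAC seal that binds the rights to the content, and the choice to let the creator always open the document are assumptions made for illustration.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

SERVER_KEY = b"constructed-demo-key"  # assumption: known only to the rights server

def _tag(rights, content):
    # Bind the rights to this exact content so neither can be edited or swapped.
    blob = json.dumps(rights, sort_keys=True).encode() + hashlib.sha256(content).digest()
    return hmac.new(SERVER_KEY, blob, hashlib.sha256).hexdigest()

def wrap(content, creator, now, classification=None, distribution=(), ttl=None):
    """Wrap content in a rights container; an unclassified document is creator-only."""
    classified = classification is not None
    rights = {
        "creator": creator,
        "classification": classification,
        # Without a classification the distribution list is ignored (default deny).
        "distribution": sorted(distribution) if classified else [],
        "expires": (now + ttl).isoformat() if classified and ttl else None,
    }
    return {"rights": rights, "content": content, "tag": _tag(rights, content)}

def may_open(container, user, now):
    """Return (allowed, reason) for a user who has already authenticated."""
    rights = container["rights"]
    if not hmac.compare_digest(container["tag"], _tag(rights, container["content"])):
        return False, "rights tampered"
    if user == rights["creator"]:  # assumption: the creator always keeps access
        return True, "creator"
    if rights["classification"] is None:
        return False, "unclassified: creator only"
    if rights["expires"] and now >= datetime.fromisoformat(rights["expires"]):
        return False, "expired"
    if user not in rights["distribution"]:
        return False, "not on distribution list"
    return True, "authorized"

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample time
    memo = wrap(b"Q3 plan", "alice", now, "internal", {"bob"}, timedelta(hours=24))
    for user, when in [("bob", now), ("carol", now), ("bob", now + timedelta(hours=25))]:
        print(user, when.isoformat(), may_open(memo, user, when))
```

The check only decides access; a deployed system would also encrypt the content so that reading the file directly does not bypass the decision.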

A number of digital rights management tools exist today, and they offer a good starting point for organizations that need to establish greater control immediately. Over time, more comprehensive solutions will likely emerge, especially as organizations continue to respond to industry and government regulations calling for increased information control.

Today, information control has become a pressing, proximate challenge for CIOs and their organizations in industries and countries across the globe. And digital rights management is shaping up to be a highly anticipated remedy.

David Thompson is CIO of Symantec. Prior to joining Symantec, Thompson was senior vice president and CIO for Oracle and oversaw its Global Information Technology group.