Traditional data protection has been about securing data behind the corporate perimeter, locking down IT systems and endpoints with firewall and data loss prevention (DLP) technology. Now there is an increasing recognition that traditional data protection is not working. Faced with the new realities of cloud, shadow IT, BYOD, increasing collaboration with 3rd parties, and “last mile” endpoints like USB devices… no matter how well you secure data behind the perimeter, your data will eventually leak.
In their DLP magic quadrant analysis, Gartner said “At present, even with extensive DLP coverage across endpoints, networks and data repositories, there are still gaps and data flows where data can leak. The better answer is a data security strategy focused on securing the data itself, as opposed to trying to secure every system that comes in contact with sensitive data.”
What Gartner is talking about is a revival of Digital Rights Management (DRM) technology, that embeds encryption directly in a company’s valuable data assets themselves – their sensitive files and e-mails – so that even if the data does leak beyond the perimeter, it’s still protected.
Much like AI and Blockchain, Digital Rights Management technology is an extremely attractive concept that has had implementation challenges, but is now starting to overcome those implementation obstacles to go mainstream, most notably Microsoft Azure Information Protection (AIP). Here’s a look at what to expect.
What is Digital Rights Management?
Digital Rights Management is a form of encryption and access control embedded directly within the data itself, so that wherever the data goes, protection and privacy follow it. There are 4 classic components to DRM:
1. Persistent Encryption
DRM embeds protection directly within the data itself, so that wherever the data goes, even if it leaks into the wrong hands, it’s still protected. This is known as Persistent Encryption. With traditional encryption, I encrypt data and send it to you, and you decrypt it. But you can then leak the decrypted data to another person, which is a huge security risk. With Persistent Encryption, I send you encrypted data and you can decrypt it because you on the policy, but if you then leak it to someone who is not on the policy, they are not able to decrypt it. In supply chain security, where data isn’t locked down but continually being passed around into the hands of potentially hundreds or thousands of collaborating users, this is essential.
2. Granular access control
Collaborators are only granted the minimum level of access required for their role. For example, when collaborating on a contract, company A can grant company B permission to read and comment, but not edit, print or copy-paste. Some very sophisticated DRM solutions can even protect against taking a photo of the screen by use of visual watermarks or even allowing the user with read access to only view a segment of the document at a time.
3. Visibility and Traceability
DRM lets you track where your sensitive data is and who’s trying to access it, whether that data is inside or outside your company perimeter. Advanced IRM solutions provide alerts if it falls into the wrong hands, and an audit trail that shows how data leaked every step of the way. This allows you to monitor your supply chain, detect attempted breaches, and identify untrustworthy collaborators, within your organization and with partners.
4. Kill Switch
DRM lets you revoke access to data that has left your building, on demand, or on a timer. If an employee is leaving your company or if you are stopping work with a partner, you can revoke access to any data that is in their hands, even if they dumped it onto a USB stick. If data is particularly sensitive, you could set it to self-destruct after a time period, e.g. after 24 hours.
Emerging DRM Vendors, Big and Small
For Digital Rights Management to go mainstream, there needs to be a growing movement of analysts and vendors evangelizing this technology that embeds protection into sensitive data, so that even if the data leaks, that protection follows it wherever it goes. And this is happening.
Large companies like Microsoft are advertising their legacy RMS solution under the new name Azure Information Protection, or AIP. Independent vendors Virtru and Seclore are also gaining momentum, and Vera was recently acquired by HelpSystems. Expect to see more players emerge and more major wins in the coming years.
User ExperienceIn How to Select the Right DRM Solution, Eric Ouellet of Gartner says
“Organizations need to assess data protection solutions for their ease of use and suitability for their end-user and administrative populations […] This is the capability that will affect the success of deployments the most, and it should be weighted most heavily in the evaluation.”
Many of the emerging Information Rights Management vendors will lead with a message about great user experience. We will begin to hear about the different approaches to user experience. The best DRM tools will integrate transparently into current business workflows. Users should not have to deal with a new user experience or require a lot of training to start protecting important business information. Transparent integration into Microsoft Outlook and Office are very important as these are the primary business tools for most workers. An example of a change of workflow that could confuse users would be an DRM that requires the user to use a different Send button (other than normal Outlook Send) when they want to protect an email. The optimal situation is for the protection to be transparent to the user. Integration of Information Rights Management with classifications tools seems to be a trend that makes use of IRM easier. The user only has to decide on the appropriate classification of the information and the protection is applied transparently.
Supply Chain Security
CSO Online lists supply chain attacks as one of the major data threats. Even small-to-medium size businesses can have hundreds of collaborating partners and suppliers and with traditional perimeter security. All it takes is one of your partners accidentally leaking data to accidentally compromise your most sensitive data.
Digital Rights Management solutions take a different approach where they protect the data itself so that even if a supply chain partner is hacked or accidentally leaks your data into the wrong hands, the data itself is still encrypted and protected.
In practice however, most DRM vendors today don’t easily support external partners, severely limiting the promise of protecting data wherever it goes. Microsoft AIP, for example, requires collaborating partners to use their Active Directory identities, and even then configuring the system to recognize different companies’ identities seamlessly is reportedly a challenge. This can frustrate partners and slow down the speed of business, forcing users to find insecure workarounds.
In contrast, vendors are extending support beyond Active Directory to a new ecosystem of identity management standards. This includes players like Ping and Okta in the enterprise world, SAFE-Biopharma in the medical space, as well as the Oauth standard implemented by the likes of Google and LinkedIn.
As growing concern for supply chain security emerges, expect IRM vendors to tackle how they tap in to the identity management ecosystem to ensure data is protected, but still usable, across the entire supply chain. For more on this topic in depth, see our article on protecting data from leaking in the supply chain here.
A New Paradigm Requires Education
Digital Rights Management promises a new paradigm of data protection for the modern cloud age, but for many vendors today it falls on deaf ears. Jeremy Wittkop, CTO of Intelisecure, told me “DRM solutions are the future of data security. But for them to go mainstream we need to pitch them as an extension of more familiar content analytics and data classification technologies. I think much of the resistance to adopting technologies like this are based on both a lack of understanding of the true challenges associated with data security and the unwillingness to abandon technologies that organizations have invested so much in. There’s a significant amount of education that needs to take place and many executives are desperate for an easy solution.”
Wittkop goes on in his post on The Future of Information Security. “These are exciting capabilities, but it also necessitates that organizations think of protecting their information in new and far more comprehensive ways, deciding not only to block or allow information to traverse a network segment at a specific moment of time. They must also define the parameters of acceptable use of information for both internal and external users. In most organizations this has never been done before.” In 2018, expect vendors, analysts, and consultants to emphasize training and education on data protection best practices such as the development of such data protection policies, as well as a common industry terminology to emerge.
Success at Scale
As with any emerging paradigm, especially in the security world, Digital Rights Management technology will not go mainstream until it has been proven to work at a large scale.
Shaun Marion, CISO of Honeywell, told me “Honeywell has 140,000 employees, about 90,000 of which have some form of device (laptop, desktop, phone, etc.). Several months back, we announced the divestiture of two large businesses which will take that number down to about 70,000 devices. Imagine in the future we make another acquisition. I have to prepare to balloon from 70,000 to 100,000+ within a matter of months. The tools we have need to be able to flex to that level.”
Expect IRM vendors to be testing the scale and the variety of successful deployments, driven by innovative enterprises that see the potential and will partner with these vendors to help them get to scale. In addition, GDPR regulations will drive even very large enterprise to adopt DRM because long-term DRM is a natural fit for GDPR’s encryption, “privacy by design”, and “privacy by default” requirements.