Enterprise Rights Management

The October 2006 Information Security Magazine features a great story titled Safe Exchanges. It discusses software it calls "enterprise rights management" (ERM):

Enterprise rights management is technology that allows corporations to continuously control and protect documents, email and other corporate content through the use of encryption and security policies that determine access rights.

I found this case study compelling:

Fenwick & West was an early adopter, choosing ERM software by startup SealedMedia, a company recently acquired by Stellent.

Kesner took advantage of SealedMedia's free 30-day trial, tested it with several clients and was wowed by the results. His law firm's clients use hundreds of data types, including Microsoft Office, Adobe Acrobat, accounting databases, architectural drawings and computer-aided design documents--all of which SealedMedia supports.

In addition to the software's broad support, he was impressed by its ease of use. For the firm's lawyers, clients and outsiders to access protected files, they download a small plug-in to their computers. When they try to open protected files on the extranet, the plug-in checks in with Fenwick & West's servers to make sure they have the right to access the documents. It takes about five minutes to get most users up and running.

We're seeing defenses collapse to the level of data, as described by luminaries like Dan Geer. So-called ERM software helps implement this defensive strategy.

ERM, or what might also be called Digital Rights Management (DRM), is no panacea, however. An intruder sitting on a company desktop can read all the documents that the legitimate user can read, at least when the documents are being displayed to the user. Documents cannot be considered "secure" when they must be rendered to users of vulnerable platforms.

I expect to see systems like ERM widely deployed, although I wonder how well they will be accepted when encryption products tend to stump most users. We don't see ubiquitous deployment of encrypted email or documents, even though the technology has been around for years. Perhaps moving the trust decision out of the hands of non-technical users (as must be the case with technologies like PGP/GPG) will help facilitate deployment?