DRM, ERM and...IRM?

One of the things that we've always tried to do at Digital ID World is help people see how certain categories of vendors fit into the industry map. You can see this clearly in some of the some of the schedules from past conferences, as well as in articles that we've written. Examples would include things like geo-location technologies (most of which are identity-based), trusted computing (both NGSCB and the TPM work being done by the TCG), and in areas like rights management.

"Rights Management", however, presents its own difficulties that stem (in part) from category confusion and misnomers. While some folks rail against DRM, it is important to realize that when they say "DRM" they mean "end-user DRM" like iTunes, and not the type of rights management that occurs within the enterprise, or ERM (enterprise rights management).

ERM fits squarely in the "Control" category of our industry map, as it seeks to control the access and authorizations associated with information flow both inside and outside of an organization. The vast majority of ERM is based upon identity mechanisms, while end-user facing DRM tends to be based upon usage or device mechanisms (instead of identity mechanisms - which they should be, but that's a screed for another day). Thus, ERM might more properly be called "IRM," or Identity Rights Management.

The most common use case for ERM focuses on the ability to limit the forwarding, copying/pasting, and alteration of a sensitive email. Microsoft (which has the RMS, or Rights Management Server) illustrates the example well when they show the email that the CEO sends to senior management, where the CEO is able to go down a list of check boxes, limiting what can be done with he/she sends.

Beyond that scenario, you can begin to find some more interesting ones -- like what was highlighted in a recent eWeek article about Sealed Media. Specifically, the article refers to Sealed Media's ability to "conduct detailed audits of their [user's] data access and distribution records to comply with federal regulations." What's particularly interesting about this is that ERM is now not simply in our "control" category, but also simultaneously moving into the "analyze" category (the one that deals with auditing for compliance).

Identity-based enterprise rights management has been a nascent industry that we've been trying to cover for several years. Articles like the one pointed to above (and augmented by some phone calls that Phil and I have had with vendors) are starting to show that ERM is now more than just an idea - its a serious deployment technology with real use cases and real benefits. Law Offices, hospitals, government agencies and large corporations are finding ERM to be an essential part of their auditing, comliance and identity strategy.

Its all about controlling access, granting authorization, and auditing the prior two -- and that's all about identity.