Quocirca's Straight Talking: Does DRM make sense for business?

It could alleviate compliance headaches...

While digital rights management has sparked plenty of controversy in the consumer realm, Quocirca's Jon Collins sees how the technology could be practical for enterprises looking to enforce their data policies.

The interest in digital rights management (DRM) technology in the workplace seems to be mounting, with products from companies such as Adobe and Microsoft putting their marketing muscle behind the technology.

Is there really anything to this or is it just a way of extending already-bloated tools to add some justification to the idea of an upgrade?

First it's worth distinguishing corporate DRM from consumer DRM, which sets controls on how music, video and games can be accessed and distributed. While the underlying technologies (encryption, identity management and so on) may be shared, corporate DRM differs in that it is more about setting controls on documents and other files to ensure they are read, stored, printed, forwarded and otherwise used in an agreed manner. For example, with corporate DRM, if a corporate standards document was flagged as 'company internal only', an email tool would reject attempts to send it outside the company, inadvertently or otherwise. It is this corporate flavour I'm talking about.

At first glance DRM does look opportunistic, in that there is little left for purveyors of unstructured information (or documents, as you and I call them) to add to their tools. Platforms such as Microsoft Exchange and Lotus Notes already have capabilities that are beyond the ken of most companies to exploit. Simple features such as shared folders as well as more advanced workflow capabilities lie largely idle as most people use only a small subset of such capabilities.

In the shape of encryption, basic rights protection has been around for years. Most email clients offer the possibility of encrypting or digitally signing an email but it is a rare message indeed that features such marks. There are a number of reasons why not, not least that individuals don't even know the features are there. Once they do, they have to have sufficient reason to use them, as well as the knowledge that the person at the other end will know what to do with the result.

A similar criticism could be levelled at DRM were it considered only as a tool for individuals. As a corporate tool to be used across a standardised infrastructure, however, we have a different picture.

Companies are looking at DRM as an enforcement mechanism for corporate standards, not just for their own sake but in order to demonstrate compliance with external regulations. Within the corporate environment, DRM becomes an enabler of new mechanisms. It enables traceability - knowing who has seen what - and therefore affords better control over the document production process. It offers facilities such as time limits on documents, ensuring the expiry of guidelines or allowing a certain number of accesses, entering into the realms of more consumer-oriented DRM.

There are several processes that have been considered outside the remit of corporate IT - for example, the electronic distribution of payslips or other personal information. Mechanisms such as these enable a fairly high level of trust to be built into the system and therefore give it wider scope inside the boundaries of the corporation. In future there may be a wider scope for DRM, including managing supplier and customer information, purchasing orders, preparing invoices and the like. But for now dealing with internal needs is enough. Indeed, if we can't get this bit right, there is little chance of achieving it with those outside the periphery.

A company wanting to implement DRM needs to take certain prerequisites into account. First, while there are DRM software companies such as SealedMedia and Authentica whose products can deal with a variety of document formats, it is preferable to have a standardised software environment in place to minimise the operational overhead. Second, you will need to understand what the current policy drivers are for documents within the company. For example, organisations with an up-to-date quality plan may already have defined several categories of documents and a policy for which employees can access them. DRM is about process as much as it is about technology, so it is important to ensure the correct mechanisms and policies are in place to support the DRM applications.

With these criteria in mind, the Adobe and Microsoft solutions each have their strengths and weaknesses. Microsoft's offering has the 'seamless integration' advantage - perhaps the phrase should be taken with a pinch of salt but from a usability standpoint it is no doubt beneficial to have the DRM facilities available from within the Office toolset.

Adobe's path starts where Office leaves off, acting as an electronic version of a printer that can transport formatted copy as needed - even onto mobile devices. Adobe has the advantage for certain purposes in that the PDF format is recognised as a legal document, a point which Microsoft is no doubt keen to address.

In helping to reduce risks, DRM can be seen as a component of a company's security environment. It should only ever be seen as a partial security mechanism, however. It can enforce policy such that an individual is aware when he is doing something he shouldn't, but it cannot absolutely prevent documents from being copied.

There is a definite need for corporate DRM, and it is good to see the major software vendors stepping up to the plate. Just don't expect it all to happen automatically.