The wrongs of enterprise rights management
This isn’t a post about consumer DRM, which I think has been covered well enough before by Cory and others (though some of the Bob=Carol issues still apply). Enterprises have a load of stuff that they need to (or are obliged to) protect. This is a post about the issues that I see with entitlements enforcement products using encryption that pitch themselves at enterprise use cases:
- Identity Management Integration. Most stuff will happily integrate with the usual directories, but this isn’t enough in a ‘world is flat’ enterprise. What about customers, suppliers, offshore development centres, outsourced workers – are these people really going to find their way into the directory? Some try to deal with this using PKI, but that just brings on another pain with key distribution. If PKI really worked as advertised a decade ago then we’d all be quite accustomed to working with key selectors, and we’d all have a bunch of private keys to fuss over; but we aren’t and we don’t. Information cards do a great job of hiding the complexity of PKI, and when the identity metasystem becomes more ubiquitous I’m sure that it will help with this problem. Until then I hand victory to the identity based encryption (IBE) guys. This is a solved problem, just not yet ubiquitously.
- Client Integration. ‘If you want to do business with me then please just install this plugin’. This is an unreasonable request for business partners, doubly so for customers. This problem only gets solved by standards. Initially it will be the de facto standards of the most popular client software providers, but ultimately it must be open standards that support user choice.
- Content classification. Enforcement depends on policy, and to write a meaningful policy one must understand the assets that the policy refers to. Manual classification of information assets can (painfully) be made to work in a small silo, but to make anything scale to an enterprise it needs to be highly automated. Automating this process successfully means dealing with the multiple dimensions of content (search), specific regulatory requirements (which can often be dealt with by regex), internal taxonomies (e.g. URI stubs), who actually creates and uses stuff (something that I’ve heard called ‘identity for data’, or ‘chain of custody’) etc. Most of what I’ve seen attempts to do a few of these things, but I’ve not yet seen a complete solution to this multi-dimensional problem.
- Reinventing entitlements services. This probably isn’t a fair point (in 2008), and is a recent addition to this list that I’ve been carrying around in my head for some time. I think it will however become more important as entitlements services emerge to become ‘directories 2.0’ (which is probably a worthwhile topic for an entirely different blog post). The point is that roles and policies should really not need to be defined separately for each enforcement point, and at the end of the day ERM is just another policy enforcement point (PEP) – so it would be great to see something that could make use of existing policy administration infrastructure.
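To make the ‘multi-dimensional’ classification point concrete, here is an added example (my own sketch, not code from any ERM product) that combines three of the dimensions above: regex for regulatory patterns (with a Luhn check so a random 16-digit reference is not mislabelled as a card number), URI stubs for the internal taxonomy, and the creator’s identity as a crude chain-of-custody signal. The labels, taxonomy stubs, domains and the simplified UK National Insurance number pattern are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Regulatory patterns: a 13-16 digit run (spaces/dashes allowed) and a
# simplified National Insurance number shape (two letters, six digits, A-D).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
NINO_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")

# Internal taxonomy: URI stubs mapped to labels (constructed values).
TAXONOMY = {"/finance/": "FINANCE", "/hr/": "HR", "/legal/": "LEGAL"}
# Chain of custody: creators from these (constructed) domains are external.
EXTERNAL_DOMAINS = ("@supplier.example", "@offshore.example")


@dataclass
class Asset:
    path: str      # where the asset lives in the internal taxonomy
    creator: str   # who created it (the 'identity for data' dimension)
    text: str      # extracted content to search


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(asset: Asset) -> set:
    labels = set()
    # Dimension 1: regulatory content, validated to reduce false positives.
    if any(luhn_ok(re.sub(r"\D", "", m)) for m in CARD_RE.findall(asset.text)):
        labels.add("PCI")
    if NINO_RE.search(asset.text):
        labels.add("PII")
    # Dimension 2: internal taxonomy via URI stub prefix.
    labels.update(lbl for stub, lbl in TAXONOMY.items() if asset.path.startswith(stub))
    # Dimension 3: custody, here only 'did an external party create it'.
    if asset.creator.endswith(EXTERNAL_DOMAINS):
        labels.add("EXTERNAL-ORIGIN")
    return labels


def sensitivity(labels: set) -> str:
    """Collapse labels into the level a policy enforcement point would act on."""
    if labels & {"PCI", "PII"}:
        return "RESTRICTED"
    if labels & set(TAXONOMY.values()):
        return "CONFIDENTIAL"
    return "INTERNAL"
```

The output of `classify` is what a policy (and an ERM enforcement point) should key on, rather than each product re-deriving its own view of the asset.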
Of course ERM is just one means of dealing with the broader anti-data leakage (ADL) / data leakage prevention (DLP) problem, though I feel that most of the points above apply equally to ADL/DLP products.