Enterprise DRM (digital rights management) shares DRM's basic concept of controlling content use. However, it goes beyond unauthorized-copy protection to help stop sensitive information from being read, altered, or shared outside an organization -- while not interfering with users' work, including their ability to collaborate with colleagues. As such, it's an important complement to other data leak solutions, such as network scanners.
Any enterprise DRM solution should have three characteristics. Security is foremost; documents, communications, and licenses should be encrypted, and documents should require authorization before being altered. Second, the system can't be any harder to use than working with unprotected documents. Lastly, it must be easy to deploy and manage, scale to enterprise proportions, and work with a variety of common desktop applications.
With these requirements in mind, I tested two notable enterprise DRM solutions, Liquid Machines Document Control 6.0 and SealedMedia E-DRM 5.0.
Liquid Machines Document Control 6.0
Liquid Machines' Document Control enforces document access and usage policies, including open, read, save, and printing. A Policy Server, which integrates with AD (Active Directory) or LDAP, allows business users to centrally manage roles and policies; designated managers may also audit access and usage violations. On the client side, the Liquid Machines Policy Droplet plug-in enforces your policies -- and allows properly authorized users to modify rights.
Although this architecture is fairly standard, Liquid Machines bests competitors in one area: It is policy-server-agnostic. You can install Liquid Machines stand-alone or together with Microsoft's Windows RMS (Rights Management Services); in the latter case, Liquid Machines' more flexible policy management is available to RMS.
Document Control 6.0 doesn't ship with pre-built policies for specific industries or regulatory compliance; shipping such policies is common practice with many enterprise security offerings and shortens setup. Still, it provides solid information control for protecting IP, works well in secure outsourcing operations, and allows enterprises to establish policies to comply with corporate governance and consumer privacy regulations.
Setting up policies and defining who can access files is clear-cut with Document Control's Web-based administration console. Rights are assigned to directory accounts by role, which makes large-scale implementations go quickly. I created roles -- such as a financial department analyst -- and then placed AD users within this role.
Maintenance is similarly simple; to revoke rights, for example, just remove a user from the appropriate role rather than editing individual user accounts. The disadvantage in pinning rights to AD or LDAP accounts is that you can't easily allow outside users -- including partners or offshore workers -- to access documents they may need.
Unlike RMS, Document Control 6.0's policies allow auditing, so you'll know exactly which changes were made, and by whom. Thus, you can confidently delegate policy administration to department heads or other non-IT staff. Furthermore, this solution enhances RMS's global policy expiration -- you may expire document access to one group of users but not others. This feature is missing from RMS.
The Policy Droplet management plug-in functioned in various native applications, including Microsoft Word and Visio, without any extra steps. For example, if printing was disallowed, then that action was reliably blocked.
The software clearly shows which policies apply to the document so that users always know what else they can and can't do -- and whom to contact to change permissions. Policy Droplet allowed me to quickly choose the policy to apply when I created a new file; alternatively, enterprises can automatically apply a corporate default policy to new documents.
A further example of Document Control's tight security is that documents remain protected when converted to Adobe Acrobat. Additionally, the initial protection policy was carried forward when I saved portions of the original document to general formats, such as .txt and .csv.
Likewise, I didn't find any gaps in how rights were handled. Policy changes were immediately sent to users' PCs and enforced right away, including revocations, new rights, and time extension of existing rights. I designated offline rights so that trusted employees could use files when they were off the network, but with access limited to a specific number of days. This forces users to connect from time to time, ensuring they will receive the most current policies. Auditing information is stored in a Microsoft SQL database, which I easily queried using a Web form.
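A minimal model of the rights behaviour described above (rights assigned by role, expiry for one group but not another, and a day-limited offline lease), added here as an illustration and not Liquid Machines code. The role names, rights, dates and the `decide` function are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Grant:
    rights: frozenset              # actions this role may perform
    expires: Optional[datetime]    # per-role expiry; None = never expires
    offline_days: int              # 0 = offline use not allowed

# Constructed sample policy: role names, rights and dates are illustrative.
POLICY = {
    "finance-analyst": Grant(frozenset({"open", "save", "print"}), None, 7),
    "contractor": Grant(frozenset({"open"}), datetime(2024, 6, 30), 0),
}

def decide(roles, action, now, online, last_sync, policy=POLICY):
    """Return (allowed, reason) for one action on a protected document.

    `roles` is live directory membership when online, or the membership
    cached at `last_sync` when the client is offline.
    """
    reason = "no role grants this action"
    for role in sorted(roles):
        grant = policy.get(role)
        if grant is None or action not in grant.rights:
            continue
        if grant.expires is not None and now >= grant.expires:
            reason = f"{role}: access expired"
        elif not online and grant.offline_days == 0:
            reason = f"{role}: offline use not permitted"
        elif not online and now - last_sync > timedelta(days=grant.offline_days):
            reason = f"{role}: offline lease lapsed, reconnect required"
        else:
            return True, f"{role}: granted"
    return False, reason

def audit(log, user, action, decision):
    """Append one audit record (a deployment would write this to a database)."""
    log.append({"user": user, "action": action,
                "allowed": decision[0], "reason": decision[1]})
    return log
```

In this model a user removed from a role is denied at once when online, while an offline client keeps honouring cached membership until the lease lapses, which is why the day limit on offline rights matters.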
Document Control 6.0 is somewhat unusual because it protects more than 65 applications and file formats, which is more than SealedMedia's solution. Although I didn't have the chance to test them all, Liquid Machines offers separate products for controlling e-mail, as well as gateways for BlackBerry, Documentum, file shares, and Google Mini searches. That said, I think it would be advantageous to offer the e-mail module as a standard feature because e-mail is such an essential part of how information travels inside and outside organizations.