The DRM/DLP Conundrum
Digital Rights Management (DRM) solutions encrypt content at a document level making use of access and authorization criteria from identity infrastructure to prevent the misuse, modification, loss or theft of intellectual property and sensitive information.
In contrast Data Leakage Prevention (DLP) solutions monitor for content on networks and endpoints based on defined criteria such as tags in documents, key word searches and so forth. As content is scanned and the criteria of the search parameters are met, rules are triggered. In less sophisticated solutions, these triggered rules result in some type of alert, typically an email to an administrator who makes decisions and inquiries based on established response procedures. In more sophisticated solutions, content can actually be interdicted or quarantined by the solution based on a rule set.
At first blush, DRM and DLP appear to be competing and mutually exclusive solutions that take different approaches to solving the same issue. There have been equal amounts of controversy and confusion in the market place regarding these types of solutions, which in many ways has slowed the maturity of the solution sets and their mainstream acceptance in the market place.
Both of these solution sets have their pros and cons and some vendors attempt to convince potential customers that their solutions will solve all of their problems in the area of information and data leakage. The fact of the matter is that the majority of these solutions, when deployed as a single solution, provide only partial protection against loss or disclosure of data or information. Other vendors make the caveat that their solutions only provide protection against the inadvertent or accidental loss or disclosure of data or information. These solutions make no specific claim to guard against deliberate loss or disclosure of data and information.
It is important that security practitioners not be lulled into a false sense of security if one of these solutions is deployed and advertised within an organization as the "Silver Bullet" of information and data protection.
These two seemingly competing technologies have some striking similarities to another set of technologies that came to the forefront of the security industry a few years ago. In the early part of the decade, Intrusion Detection Systems (IDS) started to mature and move towards mainstream acceptance and adoption by the security community at large. Not long after that Intrusion Prevention Systems (IPS) were introduced and presented by many as the logical evolution of IDS. Not long after the introduction of IPS, there were proclamations by many information security pundits that IDS was dead, long live IPS! The evolution of the technology has for the most part played out and in the final analysis there is a place in the enterprise for both technologies.
Recently, although on a somewhat smaller scale, a similar proclamation was made regarding DLP technology solutions. Once DLP and DRM technologies are examined, it becomes apparent that there is a place in any enterprise that requires comprehensive monitoring and enforcement of its data classification policies to protect its data and information from improper use.
Going back to the analogy that was drawn between these technologies and the IDS/IPS technologies, it became apparent that you use IPS technologies where you new what you wanted to block and were very certain that only specific inappropriate traffic was going to be affected. In areas where that certainty was not there, it became apparent that you use IDS technologies to monitor, alert, respond and institute change in the environment to eliminate unwanted traffic as it was identified.
Similarly the same approach can be used with regard to DRM and DLP technologies being deployed in the enterprise. A DRM solution can be deployed for information that has been properly classified and is resident in known information stores. Once subject to an enterprise policy of a DRM solution, that information is protected during its lifecycle and can be retired at the proper time based on an organizations retention policy, or when there is suspicion of inappropriate use of that information.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.