Even with the right tools, ERM deployments can be challenging. A potentially hairy issue is convincing customers and partners, particularly those at other companies, to agree to install IRM client software on their own systems.
"ERM's limitation is, if I want to share documents with a partner or [outside] customer, I have to install a client and have that be part of my security domain," says Oltsik.
This can make the other firm's IT staff quite nervous. In most instances ESG is aware of, where a company successfully deployed IRM security on partner sites, the firm had "lots of clout in their market ecosystem," Oltsik notes.
One way to minimize resistance is to pick an IRM product whose client code is relatively unobtrusive and nonproprietary.
BCA, for example, stopped using LockLizard's IRM product because it required installing a proprietary PDF reader that was not Adobe's, Chow says. "For our client base, that just wouldn't work." In contrast, FileOpen supplies a plug-in to users' existing Adobe readers that can be installed in 30 seconds, he adds.
Even so, customers still balk sometimes, Chow says. "IT says, 'What is this -- is this clean? What kind of information is it sending back to you? We need a security audit on this plug-in.' "
Some partners' IT departments simply refuse, in which case BCA asks the company to sign an agreement under which it promises not to share or abuse proprietary information. "We actually find that very effective," Chow says.
Before deploying an ERM platform, businesses need to define the policies that IRM and DLP controls will enforce. This can be quite challenging, especially if a company wants to protect a wide variety of information both inside and outside the corporate firewall.
Oltsik advises starting with a small number of policies and enforcement mechanisms, "or you'll have users, help desk personnel and policymakers struggling" to cope with the new rules. It's also wise to hire an experienced professional service provider that can help sort through policy and enforcement issues, he adds.
If you plan to deploy a complex set of policies, pick an ERM product that provides development tools and some kind of rules engine for managing and deploying policies. Most ERM policy tools are largely proprietary and stand-alone at the moment. However, some IRM and DLP vendors have been partnering to provide an integrated policy system.
Even more promising is growing industry support for Extensible Access Control Markup Language (XACML), an OASIS standard that expresses access policies and authorization requests in XML so that different policy engines can exchange and evaluate the same rules. A number of ERM vendors have also tied into Microsoft's Active Directory (AD) and Active Directory Rights Management Services (AD RMS), enabling their products to propagate AD access rights to protected documents automatically.
Link to existing enterprise apps
That would be a big help to BCA, which is considering using FileOpen's IRM, or perhaps DLP, to "impose controls on internal employees so they can't just send out unencrypted research to whomever," says Chow. The research firm's IT group currently uses AD to push user access-rights policies to various internal security systems, but not to FileOpen. "If we do deploy IRM internally, we might tie it into AD," says Chow.
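To make the two ideas above concrete (a policy engine that evaluates portable rules, and document access rights derived from directory group membership), here is an added example; it is not code from the article, from FileOpen, LockLizard or any other vendor. It is a minimal policy decision point in Python that follows the XACML 3.0 evaluation model, a request carrying subject, resource and action attributes is matched against rule targets and the rule effects are combined with the standard deny-unless-permit algorithm, but represents the policy as Python dicts rather than XACML's XML so it can be run and tested offline. The user-to-group table stands in for AD group membership; the usernames, group names, document audiences and rule names are constructed for illustration.

```python
"""Minimal XACML-style policy decision point (PDP) in plain Python.

Added example, not from the article or any ERM vendor. The policy is a
list of rules; a rule's target is a set of attribute/value pairs that
must all hold for the request (XACML's AllOf). Request attributes are
multi-valued sets, so a target value matches if the request carries it
among any of its values (a user in several groups, for instance).
"""

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Stand-in for Active Directory group membership (constructed sample data).
AD_GROUPS = {
    "alice": {"Domain Users", "Customers", "Board Members"},
    "bob": {"Domain Users", "Customers"},
    "mallory": {"Domain Users"},
}

# The policy itself. Rule and attribute names are illustrative.
POLICY = {
    "policy_id": "dairy-portal",
    "combining": "deny-unless-permit",   # XACML 3.0 rule-combining algorithm
    "rules": [
        {"rule_id": "board-read", "effect": PERMIT,
         "target": {"subject:group": "Board Members",
                    "resource:audience": "board",
                    "action": "read"}},
        {"rule_id": "customer-read", "effect": PERMIT,
         "target": {"subject:group": "Customers",
                    "resource:audience": "customers",
                    "action": "read"}},
        # Printing is permitted only for a designated group; everyone else
        # falls through to the combining algorithm's default Deny.
        {"rule_id": "print-allowed", "effect": PERMIT,
         "target": {"subject:group": "Print Allowed",
                    "resource:audience": "customers",
                    "action": "print"}},
    ],
}


def build_request(user, resource_audience, action, groups=AD_GROUPS):
    """Assemble the request context; subject groups come from the AD stand-in."""
    return {
        "subject:id": {user},
        "subject:group": set(groups.get(user, ())),   # unknown user -> no groups
        "resource:audience": {resource_audience},
        "action": {action},
    }


def rule_matches(rule, request):
    """True when every target attribute/value is present in the request."""
    return all(value in request.get(attr, set())
               for attr, value in rule["target"].items())


def combine(decisions, algorithm):
    """Rule-combining for the two XACML algorithms this example supports."""
    if algorithm == "deny-unless-permit":
        return PERMIT if PERMIT in decisions else DENY
    if algorithm == "deny-overrides":
        if DENY in decisions:
            return DENY
        if PERMIT in decisions:
            return PERMIT
        return NOT_APPLICABLE
    raise ValueError(f"unknown combining algorithm {algorithm!r}")


def decide(policy, request):
    """Evaluate every rule whose target matches and combine their effects."""
    decisions = [r["effect"] for r in policy["rules"] if rule_matches(r, request)]
    return combine(decisions, policy["combining"])


def authorize(user, resource_audience, action, policy=POLICY, groups=AD_GROUPS):
    return decide(policy, build_request(user, resource_audience, action, groups))


if __name__ == "__main__":
    checks = [("alice", "board", "read"), ("bob", "board", "read"),
              ("bob", "customers", "read"), ("bob", "customers", "print"),
              ("mallory", "customers", "read"), ("nobody", "customers", "read")]
    for user, audience, action in checks:
        print(f"{user:8} {action:5} {audience:10} -> {authorize(user, audience, action)}")
```

Because the subject's groups are read from the directory at request time, removing a user from "Board Members" in AD revokes board-document access on the next decision without touching the policy, which is the propagation effect the article attributes to AD-integrated ERM products. Swapping the combining algorithm to deny-overrides shows why the default matters: with no matching rule that algorithm returns NotApplicable, which a lenient enforcement point might treat as allow, whereas deny-unless-permit fails closed.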
Of course, simpler ERM installations that do not involve complex security rules may not require a policy engine.
Select Milk Producers, for example, uses LockLizard's IRM product to provide its customers and board members, who are all dairy farmers, with secure access to the information on its Web server. "These are dairy farmers, not high-end users, and sometimes they don't log off or save passwords to their Web site," says Craig Card, Select Milk's systems hardware analyst. The dairy farmers are also often competitors with one another, and only some are board members; therefore, it's important they get access only to the information they are entitled to.
"LockLizard provides security that works automatically, with minimal user involvement," says Card. The DRM product has no policy engine, but with only about 125 users and 25 board members, manually setting up the policies wasn't a big deal, he adds.
Similarly, BCA has so far deployed only a limited number of FileOpen's access controls on the research documents it sells to customers, Chow says. "Some of our clients pay us a lot of money for research. If you tell them they can only read a document online and not print it, or if their access rights expire after such-and-such a date, you can lose the client."
Indeed, successful ERM implementers need to walk a fine line between meeting security priorities and not stepping too hard on customers' toes, whether external or internal, industry sources agree.
At Flextronics, for example, "we wanted to be proactive, not reactive" when it came to enforcing security rules, says Bauer. "Most security tools use a traffic-cop model: OK, I caught you speeding -- but the guy gets away with speeding first. [ERM] helps us prevent people from speeding so we don't have to give a ticket."