The Vault

Pairing digital rights management (DRM) with content-aware data classification (offered by most DLP vendors including McAfee, Symantec, WebSense and Trustwave) ensures that highly sensitive information is automatically protected while less important information is not. Integrating DRM and DLP is critical to a holistic data protection and IT security strategy.

But enterprise digital rights management (aka information rights management or IRM) and data loss prevention (DLP) have historically been perceived as stand-ins for one another or as competing services.

This false perception stems from the fact that both DLP and DRM vendors use similar jargon to describe their services: wrap data in protection, file security, secure sensitive data, access permissions, selective encryption, remediation and enforcement. But feature priorities for DLP and DRM vendors are quite different and are in fact complementary to one another.

As a technology, DLP was designed to identify sensitive data (in motion, in use or at rest) and then perform basic remediation/enforcement actions based on the data’s classification (e.g. allow, encrypt, block or quarantine). But giving admins and users advanced remediation powers and policy-based access and protection controls like automatic encryption, geo-fencing, IP-fencing, read-only modes and the capability to revoke and adjust access to data after it’s been shared have not been high on DLP vendors’ agendas. Wrapping advanced controls around data is the specialty of digital rights management (DRM/IRM).

On the other hand, enterprise DRM solutions historically focused solely on DRM-encryption and providing end users with controls over how data was shared and what recipients could do with it. This meant that the security of a document was left solely up to any old end user, and the importance or sensitivity of the data was not weighed properly prior to its dispersion. Obviously, this posed a threat to corporate security and was viewed as a flaw in the DRM solutions of old. The CISO, risk managers and CTOs of today may also think DRM solutions rely only on end-user actions, which may contribute to the failure of many organizations to adopt DRM technology and implement it enterprise-wide.

But as one can see, despite content-aware data classification and loss prevention (DLP) and enterprise digital rights management (eDRM, IRM) evolving separately, they’ve become natural complements to one another. They solve two pieces of a common, widespread problem in our BYOD (bring your own device) business world: How can IT identify sensitive information across the entire organization and apply policies to protect that data from accidental sharing or theft? And how can individual users further enforce that protection (not sidestep it) on a case by case basis? In short, DLP and DRM should be integrated. Doing so will maximize benefits gained by both technologies.

This is especially true with modern-day DRM solutions that allow IT admins and risk managers to set enterprise-wide, granular policies for how files, data and folders can be shared inside and outside the corporate network. The security of a document is no longer dependent on how vigilant or knowledgeable an individual end user is. Instead, admins can take data classifications determined by their DLP solution and set company-wide DRM policies to sufficiently protect data. They can choose to lock it down completely, only allow sharing within the organization, limit sharing to certain geographic locations, IPs and email domains, limit the number of times something can be viewed or shared, or restrict access to shared documents to read-only and prevent printing, screen capturing and apply watermarks to shared documents.

As DRM technology matures and becomes more advanced, it reinforces the sensibility of integrating digital rights management and content-aware data loss prevention solutions. In fact, failure to integrate DRM and DLP significantly handicaps both solutions at any organization.