Enterprises should enable digital rights management (DRM) with caution and take a cold, hard look at the way sensitive or valuable documents are managed, according to Anthony Turco, managing director of document security firm Panareef.
"The cryptographic abilities of DRM have the potential to create enclaves of 'untouchable' users with no effective supervision. There could easily be situations where documents are encrypted and passed out of an organisation, without that organisation being able to see, or indeed audit, what is being sent. You have to think very long and hard as to why you would have this turned on - especially if you need audits of duplication, movement and modification of documents," Turco said.
A major issue for larger enterprises, Turco said, is that enabling DRM may prove costly at a wholesale level, especially if many users have to upgrade their software, while those left behind are forced to find "work-arounds" for protected documents.
"The only thing worse than having no protection is having a false sense of protection. DRM, although well suited to certain applications, does not scale to the levels necessary for integration into all levels of business workflow. DRM works well for some public dissemination - but it is not designed for enterprise workflow," Turco said.
For enterprises facing compliance requirements from privacy and data protection legislation, Turco argues that mandatory, systematic classification of documents, or labelling, should be applied at the moment documents are created. This, he says, compels users to think about document security and act on it in real time, while also giving enterprises evidence of compliance with mandatory legislative or regulatory requirements.
"By instituting mandatory document sensitivity labels, you increase user security awareness by default. Where so many organisations fail with this when addressing breaches is that the only evidence of a user's awareness of document policy is when they sign the HR forms. You see it in dismissal cases all the time and it can be very costly," Turco said.
While stopping information outflow is one thing, Turco claims the real risk lies in being unaware of the way information is handled, which can lead to costly clean-ups and manual audits. Conversely, over-blocking information whose sensitivity status may later change could also prove costly.
"A person systematically under-classifying sensitive information is actually worse than a disclosure if there is no audit trail…because you may not know what you are dealing with. You need to be able to track and trend how users work with sensitive information, or conversely less sensitive information so that access is not inhibited. It's by no means static: you have an embargo one day and you shout it from the rooftops the next. It's about getting the right fit," Turco said.
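The "track and trend" idea above only works if the audit trail records both the label a user chose and enough about the document to judge whether that label was plausible. The following is an added example, not code from Panareef or from this article, showing one way to trend under-classification per user from such a trail. The label scheme (PUBLIC < INTERNAL < CONFIDENTIAL < RESTRICTED), the record format, the content markers and the sample log lines are all constructed for the example; the "embargo today, public tomorrow" case Turco describes means real rules would have to be time-aware, which this fixed rule set deliberately does not attempt.

```python
"""Trend document under-classification per user from a constructed audit trail."""
import re
from collections import defaultdict

# Ordered sensitivity labels; a higher number means more sensitive.
# The names and the whole scheme are assumptions for this example.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}
NAMES = {v: k for k, v in LEVELS.items()}

# Content markers and the minimum label each implies (assumed rules, not a standard).
MARKERS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "CONFIDENTIAL"),        # SSN-shaped number
    (re.compile(r"\bsalary\b", re.IGNORECASE), "CONFIDENTIAL"),
    (re.compile(r"\bembargo(ed)?\b", re.IGNORECASE), "RESTRICTED"),
    (re.compile(r"\bproject plan\b", re.IGNORECASE), "INTERNAL"),
]


def implied_label(text):
    """Most sensitive label any marker in the text demands (PUBLIC if none match)."""
    level = 0
    for pattern, label in MARKERS:
        if pattern.search(text):
            level = max(level, LEVELS[label])
    return NAMES[level]


def parse_event(line):
    """Parse one audit record: timestamp|user|doc|action|label|content snippet."""
    ts, user, doc, action, label, snippet = line.split("|", 5)
    if label not in LEVELS:
        raise ValueError(f"unknown label {label!r} in record for {doc}")
    return {"ts": ts, "user": user, "doc": doc, "action": action,
            "label": label, "snippet": snippet}


def classification_gap(event):
    """Levels by which the user's label sits below the implied label (0 = acceptable)."""
    return max(0, LEVELS[implied_label(event["snippet"])] - LEVELS[event["label"]])


def trend_by_user(lines):
    """Per user: events seen, under-classified events, rate and worst gap."""
    stats = defaultdict(lambda: {"events": 0, "under": 0, "worst_gap": 0})
    for line in lines:
        ev = parse_event(line)
        gap = classification_gap(ev)
        s = stats[ev["user"]]
        s["events"] += 1
        if gap:
            s["under"] += 1
            s["worst_gap"] = max(s["worst_gap"], gap)
    for s in stats.values():
        s["rate"] = s["under"] / s["events"]
    return dict(stats)


def systematic_under_classifiers(lines, min_events=3, rate=0.5):
    """Users for whom under-classification is a pattern rather than a one-off."""
    return sorted(user for user, s in trend_by_user(lines).items()
                  if s["events"] >= min_events and s["rate"] >= rate)


# Constructed audit trail for the example; not real data.
SAMPLE_LOG = [
    "2024-03-01T09:00|alice|d1|create|PUBLIC|Q3 salary review for finance",
    "2024-03-01T09:30|alice|d2|create|PUBLIC|Customer record 123-45-6789",
    "2024-03-01T10:00|alice|d3|modify|INTERNAL|Embargoed press release draft",
    "2024-03-01T10:15|alice|d4|create|PUBLIC|Lunch menu for March",
    "2024-03-01T11:00|bob|d5|create|CONFIDENTIAL|Salary bands 2024",
    "2024-03-01T11:30|bob|d6|create|INTERNAL|Project plan for rollout",
    "2024-03-01T12:00|bob|d7|create|PUBLIC|Office closure notice",
    "2024-03-01T13:00|carol|d8|create|PUBLIC|Project plan summary",
]

if __name__ == "__main__":
    for user, s in sorted(trend_by_user(SAMPLE_LOG).items()):
        print(f"{user:6} events={s['events']} under={s['under']} "
              f"rate={s['rate']:.2f} worst_gap={s['worst_gap']}")
    print("systematic under-classifiers:", systematic_under_classifiers(SAMPLE_LOG))
```

On the constructed log, alice is flagged (three of four records labelled below what their content implies), bob is clean, and carol's single mislabelled record is not reported because one event is not a trend; the `min_events` and `rate` thresholds are the knobs that separate a pattern worth investigating from the noise of a user who got one document wrong.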