Enterprise rights management
While Quinlan and Crager home in on how to keep their customers' personal data secure, Bill Leo, CIO at management consultancy Oliver Wyman Delta Organization & Leadership in New York, is putting in place technology that will help him lock down his firm's own intellectual assets.
"We author many industry reports on organizational change and leadership development. We want to make sure that that intellectual capital doesn't fall into the wrong hands to be used in a competitive nature," he says.
In the past, users were able to download reports to their laptops. "People were walking around with our entire intellectual database on their computers," Leo says.
Today, Leo is piloting an enterprise rights management (ERM) system that will control access to and retention of the company's intellectual assets. Using a combination of Microsoft Office SharePoint Server and Microsoft Active Directory, authors can set policies that govern who can view and distribute their reports.
In the first phase of the new system, Leo is focusing on rolling out internal access rights management for more than 200 employees worldwide by year-end.
Once an employee creates a report, he loads it into the SharePoint repository and assigns it access rules. For instance, he can designate it for internal use only and make only a brief description of the report viewable.
The Web server-based system protects documents from being downloaded, copied or sent into unsecured environments. "No one can distribute a report later because it does not reside locally," Leo says.
Employees can search through the database via Active Directory, and depending on their access rights either view reports or receive information about who to contact for access to the documents. "By incorporating SharePoint with Active Directory, there is a single point of governance around the data," he says.
In the second phase of this ERM project, Leo wants to enable document sharing between employees and external users, such as customers and business partners, on a limited basis. Toward this end, he is evaluating digital rights management (DRM) tools that tack privileges onto specific files such as Adobe Systems' Adobe Document Center.
"DRM allows for different criteria to be established for document management such as one-time-only printing, making document viewing computer-specific, and retaining and expiring documents according to policies," he says.
Leo has coupled this project with acceptable use education, explaining to employees that the ERM system has been put in place to protect corporate assets. He also works closely with the business units to develop criteria for access rights. "If it were up to me, I'd say nothing is allowed. But I can't speak to what's sensitive and what's not. IT is the custodian of the information, not the owner," he says.
Most important is coupling ERM with strict policy enforcement as well as intrusion-detection/prevention systems, says Nemertes' Antonopoulos, an admitted DRM skeptic. "There is no way you can stop a determined person from stealing data. Anything that can be viewed, heard or consumed in any way by an end user can be copied," he says regarding his concern about DRM's effectiveness. At least ERM involves a closed system with enforceable policies, he adds.