DRM vs. ERM: The Battle for Control of Your Data

There is a secret battle raging within your enterprise and in your home: control of electronic data. It’s being waged by the world’s largest IT vendors and global entertainment giants. The outcome of this battle will have an impact on you, your company and your use of digital content and information.

Understanding the various technical implications, business impacts and benefits is critical in solving a top concern in most companies: How do I protect and control my confidential electronic information, intellectual property and regulated data from getting in the hands of unauthorized recipients?

Different Issues

Over the last three years, Digital Rights Management (DRM) and Enterprise Rights Management (ERM) have gained market momentum and interest from consumers, enterprises, industry pundits and legislators due to the increased copyright issues involving digital media and leakage of sensitive data. However, though rights management technologies share common concepts, there are major differences between the technical implementations, usage scenarios and socioeconomic issues.

So why the confusion? Although Digital and Enterprise Rights Management share common technical concepts (i.e. encryption to control access to data and application- or device-level functionality to control usage.), they are as different as securing a home and securing a bank. Below are three success vectors and the inherent differences with each approach:

1. Balance: Security and User Experience — For each of these technologies, the road to adoption is driven by optimal end-user experience. In both DRM and ERM cases, history is littered by the ghosts of burned-out attempts which failed to balance control with usability. If the technology doesn’t support the end-user’s normal workflow and usage requirements with the content, it will be rejected and ultimately fail to reach ubiquity.

DRM focuses on securing static content tied to a per-user access and usage license. With over 90 million iPods sold and 2 billion songs purchased on iTunes, Apple with its FairPlay DRM appears to have achieved the proper balance between user experience and security.

This will change, however, as the industry and users demand interoperability between media devices and more adaptable usage models within media-authoring tools for media sampling purposes. Witness Jobs’ recent manifesto on why DRM will ultimately not work for music.

In comparison, ERM focuses on controlling dynamic content that is tied to fluid business processes. Unlike music files, electronic content in documents, files and e-mails constantly changes as it moves throughout the collaborative phase of its lifecycle. In fact, in many business scenarios ranging from product development to board communications on mergers and acquisitions, the information contained early in the formative lifecycle is more valuable than later once it is “published” or in its final static form.

ERM enables this collaborative control and persistent security as information leaves its boundary — whether that boundary is desktop or back-office applications, a content repository, the intranet domain, or corporate network perimeter — and is used in external scenarios with third-party partners, suppliers and customers.

Given either approach, data loss represents real financial damage measured in millions of dollars in revenue, future sales or market value based on identity or intellectual property theft.

2. Problem: Content Monetization vs. IP Control and Compliance — The drivers associated with each approach are different. DRM is designed to optimize the monetization of digital content while protecting the interests of copyright holders.

By contrast, ERM controls access to and usage of IP or regulated content across a business process workflow or lifecycle. Unlike DRM, which tends to be static and published content (one song to one consumer), ERM focuses on controlling information throughout its lifecycle (many documents accessed by many authorized users). This lifecycle is often highly collaborative — from cradle to grave — and includes collaborating with content authors, editors, contributors, reviewers and approvers.

It means controlling content that begins its life within a desktop application such as Excel gets saved to a file-share or content management system, is edited across a workflow that may include several different users, published to presentation and PDF formats, distributed to other employees via e-mail, archived, sent to tape storage and eventually expired based on retention policies.

With ERM, customers also leverage the ability to audit and log information and access and usage for compliance reporting purposes. These controls and auditable records must persist at all times, providing an evidentiary-quality trail of who had what data, what actions and usage occurred on the data, and what unauthorized attempts were made on the data.

3. Partners: The Ecosystem and Implementation Options — Both approaches include the notion of a Policy Server in which rights are defined and granted, an encryption mechanism to control access to the data, and a software client or device which enforces the policy (which authenticated user has what rights based on the content).

DRM integrates at the media format and device level, with the two most common systems offered by Apple and Microsoft.

The Apple DRM software, called FairPlay, is exclusively tied to the protected, or encrypted, Advanced Audio Coding (AAC) format, iPod media player and the iTunes online store.

Microsoft is more open with Windows Media DRM in that it licenses components of the DRM platform to other vendors for use, unlike Apple, which locks the consumer into using the iPod to play music purchased online through iTunes (other usage restrictions apply, such as the number of computers to which you can copy the protected file, etc.).

With ERM, the controls are tied to the native applications, which have the ability to produce and consume protected data in several formats.

For example, Microsoft Word alone supports a number of file formats (.doc, .txt, .xml, .dot, .rtf, .wps, .htm, and .html). ERM enablement is accomplished with a provider’s Software Development Kit (SDK) and associated Application Programming Interfaces (APIs) and delivered using one or more of the following approaches: natively by the application vendor, through a plug-in, or by an ERM integration agent.

ERM solutions with SDKs include Microsoft’s Rights Management Services (RMS) and Adobe’s Policy Server. Liquid Machines provides an integration agent with out-of-the box support for Microsoft RMS. ERM vendors-by-acquisition include EMC and Oracle, both of which use plug-in approaches to application enablement and do not offer an SDK.

Pros and Cons

Each approach has its advantages and disadvantages. ISVs have been slow to adopt the currently-available SDKs; however, an ERM integration agent can be used to enable applications on behalf of the SDK and provide cross-application control such as secure clipboard, the ability to support all of an application’s file formats interchangeably, and enterprise-class management of multiple applications, which simplifies distribution, upgrades and integration.

Whether you are a user, IT manager or business leader, you are required to limit access to confidential data to authorized users. As a steward of customer and corporate data, understanding the difference between the often controversial Digital Rights Management and Enterprise Rights Management is critical to your organization’s agility and long-term success with controlling electronic information.