Sizing Up Enterprise Rights Management

By John Wagley

After an incident several years ago in which a manager sold some of the company’s intellectual property to a competitor, the executive search firm Sterling-Hoffman did some brainstorming on ways to fortify its data protection. The company, based in Mountain View, California, decided to go with a software solution that would secure the data no matter the format or storage location.

Called enterprise rights management (ERM), this type of software has seen slow but steady growth in the number of users since its introduction several years ago. ERM ties security directly to data—whether in the form of Microsoft Office documents, Adobe Acrobat products, or e-mails. It does this in part by encrypting them and in part by controlling access.

To open and decrypt those documents, users must have an agent downloaded onto their computer along with the proper password. But users can’t access just any document, and what they can do with the document will be limited as well, based on the rights assigned. Companies can set up rights policies based on various factors, including workflow or an employee’s position. Restrictions can be placed on whether documents can be modified, e-mailed, or printed; the software can also be programmed to delete a document after, say, 30 days or three years, to match a company document retention policy.

“We can create a really cool training program that no one else has, and we can be sure it won’t be backed up or e-mailed to a friend at a company across the street,” says Sterling-Hoffman CEO Angel Mehta.

Sterling-Hoffman’s enterprise rights management software is from Waltham, Massachusetts-based Liquid Machines, one of several ERM vendors. It lets users control more than 65 applications and file formats.

Among its features is the ability to remove an employee who leaves the company from the active directory, says Edward Gaudet, a Liquid Machines vice president. That helps companies ensure that departing staff do not later access proprietary data.

Given what it can do, it may seem surprising that more companies aren’t using ERM software. Ray Wagner, a Gartner research vice president, estimates that it is used by only about 2 to 5 percent of companies. He says one reason its use hasn’t grown faster is that companies often turn to less comprehensive, more pointed security applications.

ERM can also be more costly. Many vendors charge an initial licensing fee, and then scale the cost based on the number of users. Companies looking to implement ERM broadly across their enterprise can expect to pay more than $1 million annually, say experts.

At Liquid Machines, prices start at about $50,000. That covers 100 users along with client and server software, annual maintenance, and installation services. Additional clients cost between $36 and $60, depending on their number.

Mehta says that the company’s IT staffer found the software “relatively easy” to install for use by the approximately 200 company employees. Experts say that ERM implementation can be more challenging at larger organizations.

For Sterling-Hoffman, the adoption of ERM was driven by global business growth. CEO Mehta says his company needed it largely because it wanted to expand operations into India, but worried about the potential for data theft and corporate espionage. The ERM software provided the protection they sought.

Liquid Machines’ clients range across industries and sizes. Customers include Goldman Sachs, Wells Fargo, and CIBC Bank as well as Chico’s, a specialty clothing store chain based in Florida.

One key differentiator between ERM products concerns their architecture. Some vendors build rights management directly into their applications. An example is Microsoft, with its Windows Rights Management Services. Other vendors, such as Liquid Machines, use a plug-in approach.

The built-in, or platform, approach can provide tighter integration and be easier to deploy, according to Trent Henry, a senior analyst at the Burton Group headquartered in Midvale, Utah. But firms such as Liquid Machines can often support more applications and can give users more versatility in setting controls, he says.

Most vendors support common documents, such as those from Microsoft Office, says Henry, but users should look closely to see whether a vendor supports the documents they want to secure.

The level of security could be higher when using a company such as Liquid Machines, according to Gartner’s Wagner. It is less widely used than products from companies such as Microsoft, he says, and may, therefore, be a less attractive target to hackers.
