DRM is not just the use of standard encryption technologies to provide confidentiality for data; it is much more. Here is a short list of some of its features and use cases:
DRM adds an extra layer of access controls on top of the data object or document.
The ACL determines who can open the document and what they can do with it and provides granularity that flows down to printing, copying, saving, and similar options.
Because the DRM policy (its ACL) is embedded in the original file, DRM is agnostic to the location of the data, unlike other preventive controls that depend on the file's location.
DRM protection travels with the file and provides continuous protection.
It is useful for protecting sensitive organization content such as financial documents.
However, it is not limited to documents;
DRM can be implemented to protect emails, web pages, database columns, and other data objects.
DRM is useful for setting up a baseline for the default Information Protection Policy; that is, all documents created by a certain user, at a certain location, receive a specific policy.
DRM requires that every user who is granted access to the data hold the keys needed to decrypt it.
This requirement means strong identity infrastructure is a must when implementing DRM, and the identity infrastructure should expand to customers, partners, and any other organizations with which data is shared.
It requires that each resource be provisioned with an access policy.
Each user accessing the resource is provisioned with an account and keys.
- Provisions should be made securely and efficiently for the implementation to be successful.
- Automation of provisioning of DRM resource access policy can help in implementing that goal.
- Automated policy provision can be based on file location, keywords, or origin of the document.
- Access to resources can be granted on a per-user basis or according to user role using a role-based access control (RBAC) model.
- Provisioning of users and roles should be integrated into DRM policies.
- Because in DRM most classification is either the user's responsibility or driven by automated policy, implementing the right RBAC policy is crucial.
- Identity infrastructure can be implemented by creating a single location where users are created and authenticated or by creating federation and trust between different repositories of user identities in different systems.
- Carefully consider the most appropriate method based on the security requirements of the data.
- Most DRM implementations force end users to install a local DRM agent, either for key storage or for authenticating the user and retrieving the protected content (DRM applied to enterprise documents is also called information rights management, IRM).
- This feature may limit certain implementations that involve external users and should be considered part of the architecture planning before deployment.
- When reading DRM-protected files, the reader software must be DRM aware.
- The latest versions of Adobe and Microsoft products have good DRM support, but other readers could encounter compatibility issues and should be tested before deployment.
- The challenges of DRM compatibility with different OSs and different document readers increase when the data needs to be read on mobile devices.
- The usage of mobile platforms and DRM should also be tested carefully.
- DRM can integrate into other security controls such as DLP and document discovery tools, adding extra benefits.
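As an added example (not the page's own code, and not any vendor's API), here is how the automated policy provisioning and RBAC described in the list above can be modelled: rules keyed on file location, keywords in the content and document origin each propose a policy; the most restrictive proposal wins over both the baseline and the author's own label; and RBAC turns the chosen policy plus the user's directory roles into a concrete set of usage rights. Policy names, rights, rules and roles are all assumptions chosen for illustration.

```python
"""Automated DRM policy provisioning with RBAC: an added illustration, not
the page's own code and not any vendor's API. Policy names, rights, rules
and roles below are assumptions chosen for the example."""
import fnmatch
from dataclasses import dataclass
from typing import Optional

# Usage rights a policy can grant; each policy grants a subset per role.
ALL_RIGHTS = frozenset({"view", "print", "copy", "save", "forward"})

# Conflict resolution: a higher rank is more restrictive and wins.
POLICY_RANK = {"internal": 1, "confidential": 2, "restricted": 3}

# policy -> role -> rights. A role not listed gets nothing at all.
POLICIES = {
    "internal": {"employee": ALL_RIGHTS, "contractor": {"view", "print"}},
    "confidential": {"finance": {"view", "print", "save"}, "employee": {"view"}},
    "restricted": {"finance-lead": {"view", "print"}, "auditor": {"view"}},
}


@dataclass
class Document:
    path: str                             # where the file was created or stored
    origin: str                           # creating user or system
    text: str                             # body, scanned for keywords
    explicit_label: Optional[str] = None  # label picked by the author, if any


@dataclass
class Rule:
    policy: str
    location: Optional[str] = None  # glob matched against the path
    keywords: tuple = ()            # any keyword present triggers the rule
    origins: tuple = ()             # origin users/systems that trigger the rule


# Provisioning rules keyed on location, keywords and origin (constructed sample).
RULES = [
    Rule("confidential", location="/finance/*"),
    Rule("restricted", keywords=("merger", "acquisition")),
    Rule("confidential", keywords=("salary", "payroll")),
    Rule("restricted", origins=("board-portal",)),
]


def rule_matches(rule, doc):
    if rule.location and fnmatch.fnmatch(doc.path, rule.location):
        return True
    body = doc.text.lower()
    if any(k in body for k in rule.keywords):
        return True
    return doc.origin in rule.origins


def assign_policy(doc, baseline="internal"):
    """Policy for a new document: the baseline, unless the author's label or a
    matching rule asks for something more restrictive. The most restrictive
    candidate wins, so a user cannot label a merger memo 'internal'."""
    candidates = [baseline]
    if doc.explicit_label is not None:
        if doc.explicit_label not in POLICY_RANK:
            raise ValueError(f"unknown label {doc.explicit_label!r}")
        candidates.append(doc.explicit_label)
    candidates += [r.policy for r in RULES if rule_matches(r, doc)]
    return max(candidates, key=POLICY_RANK.__getitem__)


def effective_rights(policy, roles):
    """RBAC resolution: union of what the policy grants to any of the user's roles."""
    grants = POLICIES[policy]
    return frozenset().union(*(grants.get(r, ()) for r in roles))


def can(policy, roles, action):
    """The check a DRM-aware reader makes before enabling print, copy, save..."""
    return action in effective_rights(policy, roles)
```

The rule engine runs at creation time, which is what makes a baseline policy possible: a document nobody classified still leaves with `internal`. Any later reclassification should pass through the same precedence logic, otherwise a user relabel could silently downgrade a file that a keyword rule had marked restricted.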
Following are the key capabilities common to DRM solutions:
Persistent protection: Ensures that documents, messages, and attachments are protected at rest, in transit, and even after they’re distributed to recipients
Dynamic policy control: Allows content owners to define and change user permissions (view, forward, copy, or print) and recall or expire content even after distribution
Automatic expiration: Provides the ability to automatically revoke access to documents, emails, and attachments at any point, thus allowing information security policies to be enforced wherever content is distributed or stored
Continuous audit trail: Provides confirmation that content was delivered and viewed and offers proof of compliance with your organization’s information security policies
Support for existing authentication security infrastructure: Reduces administrator involvement and speeds deployment by leveraging user and group information that exists in directories and authentication systems
Mapping for repository ACLs: Automatically maps the ACL-based permissions into policies that control the content outside the repository
Integration with third-party email filtering engines: Allows organizations to automatically secure outgoing email messages in compliance with corporate information security policies and federal regulatory requirements
Additional security and protection capabilities: Allows users additional capabilities such as these:
- Determining who can access a document
- Prohibiting printing of an entire document or selected portions
- Disabling copy, paste, and screen capture capabilities
- Watermarking pages if printing privileges are granted
- Expiring or revoking document access at any time
- Tracking all document activity through a complete audit trail
Support for email applications: Provides interface and support for email programs such as Microsoft Outlook and IBM Lotus Notes
Support for other document types: Other document types, besides Microsoft Office and Adobe PDF, can be supported as well
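Persistent protection, dynamic policy control, expiration and the audit trail all rest on one design decision: the content key is not stored in the file. The following added example (not from the page or any vendor; the envelope format, server and names are assumptions) models that design. A protected file carries a header naming the document plus a sealed body; a license server, simulated in-process, releases the key together with the rights for that user only after checking directory roles, policy, expiration and revocation, and records every decision. Because each open goes back to the server, rights can be changed or withdrawn after distribution. The cipher is a toy HMAC-SHA256 keystream with an HMAC tag, standing in for AES-GCM so the block needs only the standard library; it is not for real data.

```python
"""Persistent protection, dynamic policy control, expiration and audit: an
added model, not the page's own code and not any vendor's format or API.
Toy cipher only: HMAC-SHA256 keystream plus HMAC tag standing in for AES-GCM."""
import hashlib
import hmac
import json
import os
import time

TAG_LEN = 32  # bytes of HMAC-SHA256 tag appended to the sealed body


def _keystream(key, nonce, length):
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, nonce, plaintext):
    """Encrypt-then-MAC with the toy cipher."""
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key, nonce, blob):
    """Verify the tag, then decrypt; a modified body or wrong key is rejected."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("content tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class LicenseServer:
    """Holds content keys and policies; the only place access is decided.
    `directory` (user -> set of roles) stands in for the existing identity store."""

    def __init__(self, directory):
        self.directory = directory
        self.keys = {}      # doc_id -> content key; never written into the file
        self.policies = {}  # doc_id -> {"roles": {role: rights}, "expires": ts|None, "revoked": bool}
        self.audit = []     # (time, user, doc_id, action, "granted"/"denied")

    def protect(self, doc_id, plaintext, role_rights, expires=None):
        """Build the envelope: length-prefixed JSON header + sealed body."""
        key, nonce = os.urandom(32), os.urandom(16)
        self.keys[doc_id] = key
        self.policies[doc_id] = {"roles": {r: set(v) for r, v in role_rights.items()},
                                 "expires": expires, "revoked": False}
        header = json.dumps({"doc_id": doc_id, "nonce": nonce.hex()}).encode()
        return len(header).to_bytes(4, "big") + header + seal(key, nonce, plaintext)

    def set_rights(self, doc_id, role, rights):
        """Dynamic policy control: takes effect for copies already distributed."""
        self.policies[doc_id]["roles"][role] = set(rights)

    def revoke(self, doc_id):
        """Recall: every later license request for this document is denied."""
        self.policies[doc_id]["revoked"] = True

    def request_license(self, doc_id, user, action, now=None):
        """Return (content key, rights) for this user, or raise PermissionError.
        Every decision, including denials, lands in the audit trail."""
        now = time.time() if now is None else now
        pol = self.policies.get(doc_id)
        role_map = pol["roles"] if pol else {}
        rights = set().union(*(role_map.get(r, set()) for r in self.directory.get(user, ())))
        ok = (pol is not None and not pol["revoked"]
              and (pol["expires"] is None or now < pol["expires"])
              and action in rights)
        self.audit.append((now, user, doc_id, action, "granted" if ok else "denied"))
        if not ok:
            raise PermissionError(f"{user} may not {action} {doc_id}")
        return self.keys[doc_id], frozenset(rights)


def open_document(server, envelope, user, action="view", now=None):
    """What a DRM-aware reader does: parse the header, obtain a license, decrypt.
    Enforcing copy/print/screen-capture limits afterwards is the reader's job."""
    hlen = int.from_bytes(envelope[:4], "big")
    header = json.loads(envelope[4:4 + hlen])
    key, rights = server.request_license(header["doc_id"], user, action, now)
    return open_sealed(key, bytes.fromhex(header["nonce"]), envelope[4 + hlen:]), rights
```

Two caveats a deployment has to plan for. First, once the reader holds the key and the plaintext, "no copy" and "no screen capture" are enforced by the DRM-aware reader agent, not by the server; the server only controls who receives a key, which is why the agent requirement mentioned earlier cannot be designed away. Second, a reader that caches licenses for offline use extends the window in which a revoked or expired document stays readable, so the cache lifetime is itself a policy decision.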