Towards data-centric security: Enterprise Digital Rights Management (EDRM)
Digital transformation efforts typically aim at achieving improved customer experiences, seamless collaboration between employees and partners, and automation through M2M (Machine-to-Machine) communication, e.g. IoT. As such, they foster digital ecosystems that include mobile and cloud solutions, as well as data transfers across multiple networks, platforms, people, applications and services.
- Enterprise Digital Rights Management in a few words
- Implementation observations and recommendations
As corporate boundaries erode, traditional perimeter-based security may no longer protect a company’s data assets effectively. To address this growing risk, protection needs to be applied at the data level and maintained throughout the entire lifecycle, i.e. when the data is created, stored, used or exchanged between employees, partners and external parties, until it is finally archived or deleted.
Enterprise Digital Rights Management in a few words
As Deloitte cyber security practitioners, we witness a growing interest in data-centric security among our clients. A technology that has gained particular popularity and that frequently appears on our customers’ security roadmaps is Enterprise Digital Rights Management (EDRM). EDRM technology has been around for several years, but its availability on mobile devices and its compatibility with widely used collaboration and email platforms have enabled its recent expansion. It combines identity and access management with encryption: EDRM-protected content is encrypted and coupled with a protection policy that specifies permissions for different users and user groups, such as view, edit, download, print, save or forward. To access protected content, a user must first authenticate; based on that identity, the user is then granted permissions in accordance with the protection policy. Because the decryption key is released only to an authenticated identity that the policy permits, the protection stays with the content rather than with any particular application: in contrast to a traditional, application-oriented identity and access management solution, the content remains secured independently of the application, device or access location. EDRM is typically used to protect highly sensitive documents and emails exchanged and accessed by multiple parties. Prominent examples include board memos and commercially sensitive documents such as product design documents, M&A (merger and acquisition) plans, financial reports and customer information.
A content owner can revoke or change access rights at any time, or set an expiration date so that once the content is no longer sensitive, access rights are relaxed or removed. The protection granularity is solution- and vendor-specific and ranges from protecting a whole document library or folder, through a single file, down to only the confidential part of a file.
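The mechanism described above, reduced to its moving parts in an added example (this is illustrative code written for this page, not Deloitte’s or any EDRM vendor’s implementation). The protected document is an encrypted blob that carries neither the key nor the policy; a policy service holds the per-document content key together with a policy mapping identities to permitted actions, an expiry time and a revoked flag, and releases plaintext only after authentication and a permission check. Assumptions: HMAC-SHA256 in counter mode with encrypt-then-MAC stands in for the AES-GCM a real product would use (chosen so the block runs on the Python standard library alone), the policy service doubles as the identity provider, the user names, passwords and board memo are constructed, and expiry here removes access rather than relaxing it.

```python
import hashlib
import hmac
import secrets
import time

# Added illustration of the EDRM model (not a vendor's code): the document travels as an
# opaque encrypted blob, the content key never leaves the policy service, and the service
# releases plaintext only to an authenticated identity whose policy entry allows the action.

class AccessDenied(Exception):
    pass

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for the AES-GCM a real product uses.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, b"\x00" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"\x01" + nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag  # the blob carries neither the key nor the policy

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"\x01" + nonce + ct, hashlib.sha256).digest()):
        raise AccessDenied("tampered content or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PolicyService:
    """Holds content keys and policies; doubles as the identity provider for this demo."""
    def __init__(self):
        self._users = {}     # user -> (salt, password hash); constructed demo identities
        self._sessions = {}  # session token -> user
        self._docs = {}      # doc_id -> key, owner, grants, expires_at, revoked
    def register_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _pw_hash(password, salt))
    def authenticate(self, user: str, password: str) -> str:
        salt, digest = self._users.get(user, (b"", b""))
        if not hmac.compare_digest(digest, _pw_hash(password, salt)):
            raise AccessDenied("authentication failed")
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token
    def _user(self, token: str) -> str:
        if token not in self._sessions:
            raise AccessDenied("not authenticated")
        return self._sessions[token]
    def protect(self, token, plaintext, grants, expires_at=None):
        # Fresh key per document; grants maps identity -> set of permitted actions.
        owner = self._user(token)
        key, doc_id = secrets.token_bytes(32), secrets.token_hex(8)
        self._docs[doc_id] = {"key": key, "owner": owner, "expires_at": expires_at,
                              "grants": {u: set(a) for u, a in grants.items()}, "revoked": False}
        return doc_id, encrypt(key, plaintext)
    def open(self, token, doc_id, blob, action, now=None):
        # Every open goes back to the service, so revocation and expiry take effect immediately.
        user, doc = self._user(token), self._docs.get(doc_id)
        if doc is None or doc["revoked"]:
            raise AccessDenied("no active policy for this document")
        now = time.time() if now is None else now
        if doc["expires_at"] is not None and now >= doc["expires_at"]:
            raise AccessDenied("policy expired")
        if user != doc["owner"] and action not in doc["grants"].get(user, set()):
            raise AccessDenied(f"{user} is not permitted to {action}")
        return decrypt(doc["key"], blob)
    def revoke(self, token, doc_id):
        if self._user(token) != self._docs[doc_id]["owner"]:
            raise AccessDenied("only the owner can revoke")
        self._docs[doc_id]["revoked"] = True

def denied(fn) -> bool:
    try:
        fn()
    except AccessDenied:
        return True
    return False

def demo() -> dict:
    svc = PolicyService()
    for name in ("alice", "bob", "mallory"):  # constructed identities and passwords
        svc.register_user(name, name + "-pw")
    alice, bob, mallory = (svc.authenticate(n, n + "-pw") for n in ("alice", "bob", "mallory"))
    memo = b"Board memo: target company and offer price (constructed sample)"
    doc_id, blob = svc.protect(alice, memo, {"bob": {"view"}}, expires_at=time.time() + 3600)
    r = {"blob_opaque": memo not in blob,
         "bob_view": svc.open(bob, doc_id, blob, "view") == memo,
         "bob_forward": denied(lambda: svc.open(bob, doc_id, blob, "forward")),
         "mallory_view": denied(lambda: svc.open(mallory, doc_id, blob, "view")),
         "after_expiry": denied(lambda: svc.open(bob, doc_id, blob, "view", now=time.time() + 7200)),
         "bob_revoke": denied(lambda: svc.revoke(bob, doc_id))}
    svc.revoke(alice, doc_id)  # owner pulls access back; the distributed blob is now just noise
    r["after_revoke"] = denied(lambda: svc.open(bob, doc_id, blob, "view"))
    return r
```

Running demo() returns True for every check: the blob leaks nothing on its own, bob can view but not forward, mallory gets nothing, and both expiry and the owner’s revocation cut off access to copies that have already left the organisation, because each open is decided by the service rather than by whoever holds the file. One caveat for real deployments: products that cache keys or issue offline-use licences so that documents open without connectivity necessarily delay revocation until that cached grant expires, so the licence lifetime is a security setting worth reviewing.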
Implementation observations and recommendations
Although EDRM offers effective data protection capabilities, it is a relatively recent technology whose impact on existing business processes needs to be carefully evaluated. There are common pitfalls associated with EDRM, such as content over-protection, inappropriately blocked access, and reduced e-discovery and search capabilities (encrypted content cannot be indexed or searched unless the search or e-discovery service itself holds rights under the policy). To address these concerns, we advise our clients to take a structured and phased implementation approach. This includes a careful selection of use cases and identification of business benefits, proof-of-concept and pilot deployments, impact assessments and close involvement of business stakeholders. Furthermore, EDRM is not only about technology: a robust governance structure and proper training and awareness of the user community are important success factors as well.
Finally, our experience shows that EDRM is most effective when combined with other data-centric protection technologies, such as DLP (Data Loss Prevention). EDRM and DLP have complementary capabilities that can be leveraged to provide a more cohesive data protection architecture. For instance, a DLP solution can detect sensitive data and automatically apply an EDRM policy to restrict access to the data it has identified.
If you would like to have an initial conversation about EDRM and Deloitte’s approach to making it a success, please get in contact with our team.
Dusko Karaklajic - Manager, Risk Advisory
Dusko is a manager in the Cyber Risk Services practice and co-leads the local data protection and privacy team. His expertise includes data-driven security, data classification, data loss prevention, cryptography, digital rights management, etc. He is also involved in various emerging technology initiatives.
+41 58 279 7386