Software makers ready desktop lockdown

All it takes is a quick run through the headlines to see why some software makers might think there's a market for products that lock down common types of business documents by restricting access to authorized recipients.

But the market for such tools remains small and fragmented, despite recent entries by high-profile players Microsoft and Adobe Systems. Analysts expect the market to grow slowly for at least the next few years, as companies wait for the technology to mature and IT budgets to loosen.

The relative youth of this technology is evidenced by the fact that it doesn't have an agreed-upon name yet. Various software makers use "enterprise rights management," "document rights management" and "information rights management" to refer to similar technology. Others simply use the blanket term "digital rights management" (DRM), though that is more commonly linked with technology employed to prevent unauthorized copying of movies, music and other published content.

"Right now, you're talking about technology that's very immature and doesn't really work very well," said Scott Lundstrom, senior vice president of AMR Research. "I have yet to see security implemented in (an enterprise DRM) system that hasn't been able to be circumvented in a week."

He likens the existing technology to a hook latch on a screen door. "It'll keep your neighbor out, but it won't keep out a burglar. It's just enough to keep an honest person honest," Lundstrom said.

Whatever you call them, the various enterprise DRM products are inspired and enabled by similar forces. Ubiquitous e-mail has made it easier than ever to pass around documents. At the same time, ever-present Internet access has made it feasible to use server-based software to restrict access to corporate documents.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

Enterprise DRM packages from Microsoft, Adobe and specialists such as Authentica use a central server to generate and store information on permissions for documents, e-mail messages and other corporate content. Those permissions restrict who is able to open an item and what they can do with it--copy and paste, edit, forward, print, and so forth. Documents can also become inaccessible after a set expiration date or if a more up-to-date version becomes available.

Such restrictions are meant to solve an array of corporate problems, from big-ticket headaches like leaked documents that can expose company secrets or pose legal liabilities to the challenge of making sure everyone's working from the current price list.

Selena Wilson, Microsoft's director of Windows security product management, said there's little trouble convincing businesspeople of the value of enterprise DRM. Microsoft entered the market late last year with Rights Management Services (RMS), an add-on to Windows Server 2003 meant to handle access restrictions for a wide range of corporate data. Office 2003, the latest version of Microsoft's widespread productivity package, allows RMS-based restrictions to be built into common types of documents.

"Every time we present RMS to business decision-makers, they just immediately get it," Wilson said.

One Authentica customer that's gotten it is San Francisco-based CaseCentral, which provides Internet-based depository management for complex litigation.

CaseCentral used Authentica technology to create secure, online versions of the "data rooms" companies typically maintain during merger and acquisition negotiations to provide controlled access to financial reports and other sensitive documents. With Authentica's DRM, electronic versions of such documents can be embedded with restrictions that permit only limited access by authorized parties, explained CaseCentral CEO Christopher Kruse.

The upshot is that corporate lawyers can access the documents they need without time-consuming travel or worrying about information falling into the wrong hands. It's an approach that can only work with a sturdy DRM system, Kruse said.

"There really isn't much more confidential stuff in the business world than what we protect," he said. "We make sure people can't copy or even take a screenshot of a document. And the minute someone drops out of the bidding, we can shut off all their access to documents."

Lack of interest
But businesses like CaseCentral are still a tiny minority. Outside heavily regulated sectors such as banking, which have already developed industry-specific approaches to document security, there's been little visible interest to date in enterprise DRM.

Reasons include the relative immaturity of the market. Microsoft's product has been available for only four months, and Adobe won't introduce its Policy Server until late this year. That leaves a handful of specialists, led by Liquid Machines, Sealed Media and Authentica.

Even for businesses that do start to think about document security, their huge collections of content, often stored on individual hard drives, can make it tough to develop a comprehensive approach to enterprise DRM, said Joshua Duhl, an analyst for research firm IDC.

"People don't want to admit there's a content problem," he said. "And if they do, people have to have a sense of what's worth securing and what isn't, which can be very difficult to sort out."

The scope of material an enterprise DRM system secures can also make companies reluctant to commit to a software maker. Microsoft's entry into the field sparked fears the company could use secure document format to lock out competing productivity products and other applications.

"I've heard some concerns that (RMS) would make it a requirement to upgrade applications, that you could lock down formats in some way so third-party applications wouldn't be able to open and view them," said Ray Wagner, an analyst for research firm Gartner.

Such concerns have many businesses waiting for a more open approach to enterprise DRM. Lundstrom doesn't expect the field to take off until there are open standards for encryption and other security components.

"DRM could be one of the first big open-source wins" for enterprise applications, he said. "Customers would really see value in open, standards-based robust encryption...When you get into security and encryption as an intellectual discipline, the people driving that forward are completely focused on open source and peer review."

Even for businesses that are OK with a proprietary approach to enterprise DRM, it can be tough to sort out the different approaches offered by current suppliers, IDC's Duhl said.

"There's limitations to every one of these vendors," he said. "Whether its company size or viability questions or just the fact it's Microsoft, there are lots of issues that people have to sort through."

Then customers must determine which offering matches their particular business needs. "It's like looking at horses--if you're going to pull a beer wagon, you want a Clydesdale," Duhl said. "If you're going to run a race, you want a thoroughbred."

Key differentiators include the manner in which an enterprise DRM product links up with other applications. Microsoft intends RMS to be a platform product, Wilson said, linked with the Windows Server operating system and capable of securing everything from memos to information in back-end databases. "Our technology is content- and format-agnostic," she said. "Customers can apply the same template, whether it's a document or a line-of-business application."

For now, however, RMS only works with documents generated by Office 2003, a significant factor for the vast majority of Microsoft customers that take their time in updating to the latest versions of key applications.

Adobe's Policy Server will be limited too, working only with documents based on the company's Portable Document Format (PDF). Adobe executives have said the product builds on several key advantages of the widespread PDF format, including its ability to ensure document fidelity and compatibility with a wide range of operating systems.

"The cross-platform aspect is very important to the clients we talked with," said John Landwehr, group manager for security solutions and strategy at Adobe. "They really want a system that will integrate well into a heterogeneous environment."

But for companies that haven't already adopted PDF and Adobe's accompanying Acrobat products for document distribution, Policy Server is a non-starter, said Gartner's Wagner.

"They have a pretty nice set of tools if you're willing to modify your whole system to be PDF-based," he said. "That's been a limiting factor for DRM all along--people aren't going to change the way they work just to accommodate a security solution...You want this to be as minimally intrusive on the user as possible."

Specialty players
Aside from the big guys, enterprise DRM has a handful of specialty players whose products typically work with most common document formats--from e-mail messages to AutoCAD architectural drawings.

Variables include how a system deals with workers when they don't have Internet access. Microsoft's RMS requires at least an initial check-in with the rights server, while products such as Liquid Machines' self-titled server software allow document creators to set offline permissions.

"We find most people want to raise their level of security, but they don't want to make it difficult for people to do their jobs in a mobile work force," said Ed Gaudet, vice president of product strategy and marketing for Liquid Machines, based in Lexington, Mass.

Competing products also differ in how much you can do with a document once it leaves the author's desktop. Authentica, of Waltham, Mass., promises some of the most detailed control, allowing authors to change permissions for a document while somebody else is using it.

"We give very granular control," said Authentica CEO John Bruce. "I can watch on my desktop and see how someone is interacting with a document once they get it. And if I decide I don't like what they're doing, I can change the settings then and there."

Another variable in enterprise DRM products is policy settings that IT administrators can employ to ensure a basic level of security for all documents. Policies are important to ensure that enterprise DRM doesn't get in the way of workers doing their jobs, said George Everhardt, CEO of Sealed Media, based in Los Gatos, Calif. At the same time, detailed controls need to be available to workers who want to get more involved. The key is finding the right balance for a particular business.

"Our fundamental premise is that there is no magic technology button you press and then everything's secure," Everhart said. "Any good security process involves people. The process has to be easy to use and totally secure. If it's intrusive, workers will figure a way to get around it. If it's too easy, the bad guys will figure out ways to get around it."

Everhart and executives of other enterprise DRM specialists said they aren't worried about major players such as Microsoft and Adobe entering the market. Instead, they see the moves as bolstering their position with potential customers who don't want to be restricted to working with particular types of documents or authoring applications.

"It's been like a validation," said Authentica's Bruce. "For the longest time, I've talked to folks about DRM and they keep asking, 'Is there a business there?' Now we've got two major vendors standing alongside us and saying, 'This is important.' It's nice to find the world is turning in our direction."

Attention from Adobe and Microsoft helps, agreed Mark Patton, Sealed Media's vice president of marketing. So does support from content management software makers such as market leader Documentum, a Sealed Media partner. But the biggest incentive may be the type of incidents that have caused embarrassment and legal headaches for Microsoft and others.

"All it takes is for a CEO to get burned one time on a leaked document, and their interest level in this kind of technology goes way up," Patton said.