Without question - Microsoft, Oracle and Liquid Machines are all serious vendors in enterprise content management and DRM. How effective is DRM (Digital Rights Management) for protecting customer data?
My first test of effectiveness of any data security technology is what reference accounts have to say. Unlike IT applications like CRM and ERP, security of customer data and IP is a sensitive area for most executives and they'd prefer not to discuss publicly what they're doing (or not doing).
Looking at the Liquid Machines Web site - not a single case study mentions the name of the client. They are hard selling their products using compliance, which makes me wonder how many of their clients used a ROSI (return on security investment) calculation and built a business justification for the Liquid Machines DRM software. They have this gem on the Web site:
"In order to comply with section 404 of Sarbanes-Oxley, companies must implement internal controls that:
* Expire access to spreadsheets with errors
* Protect data from access and modification by unauthorized users
* Track actions on data as it crosses application and organizational boundaries"
You know what PT Barnum said about a fool being born every minute, but Sarbox 404 says nothing of the sort. A CEO of one of my clients put it best when he said, "I don't want to get any financial reports in Excel, I want everything straight from the financial systems - if you cannot get it from the GL or AP or AR - then fix the reports."
Manipulation of data in Microsoft Excel is the original sin of fudging, manipulating and stealing.
Reading the above marketing copy underscores that too many technology vendors are spending venture capital trying to build franchises around Sarbox and GLBA instead of fixing the reports and eliminating the root causes of fraudulent reporting.
While use of DRM inside a corporate setting with well controlled and configured policy, procedures and systems can be effective (although expensive to maintain), I just don't see DRM as an effective security countermeasure for customer data and IP outside the perimeter.
However, one needs to match the right security countermeasure to the right asset vulnerability. If the vulnerability is an insider that may be able to access sensitive information outside his department, then I can see how DRM would mitigate the risk of unauthorized access.
However, there is a common misunderstanding of the meaning of a trusted insider. By definition - if a trusted insider has all the rights she needs in the DRM system to access critical IP and customer data - she can upload that data to her Gmail account.
In other words, DRM is not an effective security countermeasure for data leakage prevention or protecting the digital asset from unauthorized network transfer.
I think that managers are simply not managing content/network/system security the way they run their business. With all the compliance-related malarkey from vendors - I just find it hard to accept the true business value of DRM products for protecting customer data.
I want one phone number and a name and 20 minutes of their time - I am always willing to learn new things and hear about great technologies.
But - in the meantime - out of all the prospects who told me in 2006 that they were going to prevent data theft with Microsoft DRM: a) none implemented it, and b) all bit it big time - since it is a matter of public record - none of the Israeli companies who were attacked by competitors with the so-called "Israeli Trojan" (companies like HOT and Pelephone) lost their data from screenshots and keylogs transmitted over open FTP ports.
It is important to note that expensive DRM systems would not have mitigated that threat at all. What the most effective security control is - that will have to wait for another blog entry, another day.
