“The traditional way of protecting data focuses on control,” says de Boer. “Control over networks (‘We have locked the data away in the data center’), control over devices (‘We have enabled AES-256 encryption on all mobiles and encrypted the full disks on Windows’), apps (‘Everyone uses our container solutions’) and control over services (‘We only give authorized people access to the application’).”
Dan Plastina, who runs Microsoft’s rights management offerings, including Azure RMS, says that companies are beginning to realize that protecting the perimeter and devices is no longer enough and they need a data-centric approach.
“You had a perimeter once, but over the years you’ve punched a lot of holes in that wall,” says Plastina. “Data is not being saved where you want it to be saved. Whether you like it or not, this is happening. What I see is that people are recognizing the problem is a lot bigger than they thought, and I think some organizations are at the point where they’re realizing that identity and data are the things they need to focus on, as opposed to classic device management. Device management is not going away but the concept that data and identity need to be married together more aggressively is definitely resonating.”
He describes the core of rights management as “identity-bound data protection; you encrypt the file so that only the right person has access to it.”
Some industries have already adopted rights management, particularly finance, automotive and manufacturing. “They’re people who either want or have to protect data,” says Plastina. “There are organizations that have a lot of IP and want to protect it, and then there’s PII and financial data inside banks. Some financial organizations we work with protect a lot of documents every day with rights management.”
But rights management is important for a far broader range of industries, he maintains. “Your data is travelling to different repositories and stores. Data goes to the cloud, it’s given to partners; that content is clearly not within your control any more. This technology is at a point where people ought to be paying attention. The usage of data in their companies is absolutely past the limit; their data is all over the place and they have no idea.”
The problem isn’t with the quality of the technology, and most organizations have mature identity management that will allow them to use rights management technology. “The most common challenge is not technical but cultural,” de Boer explains. “You should expect the changes in common workflows to be harder to plan for and accomplish than solving technical issues.”
That means not being too ambitious as you start using rights management and avoiding both leaving too much up to users and locking down data too much. “Most successful deployments start small, with policies applied to the most sensitive repositories. Then monitor use, learn as you go, and detect deficiencies. Eventually, you can expand to more complex use cases.”