There are some things that rights management will never be able to protect you from, like an employee snapping a photograph of their screen with a smartphone, but that’s not a technology issue; it’s a management problem (and at that point, the employee can’t claim that they shared the information accidentally).
Typically, rights management deployment runs into two issues, says Plastina. “Either people left everything up to the users or they went crazy in terms of the breadth and said ‘I’m going to protect everything’.” Neither approach works well. “IT leaders don't have a good sense of what is sensitive or not,” he notes, so business leadership needs to be involved in deciding what to protect. You don’t need as many policies as you might think, either; policies for strictly confidential, confidential, internal and public data will cover most companies.
He suggests starting by thinking about your most sensitive data and where it’s stored. “Not all of your data is sensitive. If 5 percent of your data is top secret, take that 5 percent and focus your energy on that. If you're in the candy bar business, then SAP is the bulk of your sensitive data; logistics, order information, inventory, financials.” That data is secure until you run a report and create a PDF or an Excel file and start mailing it around. “In that case, go purchase Halocore from SECUDE and focus on SAP and mark it company internal; all that data will be encrypted at birth and it can’t leak outside the company. That quickly starts to put a leash on your data.”
The next step might be partitioning internal email; for example, messages and documents sent within the HR and legal teams. “Today the entire company’s worth of data is accessible to everyone in the company. If the very sensitive data is rights protected then that partitioning will enforce itself and IT will be notified that Dan in legal is trying to access documents from HR,” Plastina explains, “and someone would be able to take action.”
He suggests a simple trick for getting teams to opt in to classifying and labelling their own content: “Turn on RMS; no-one will notice that it’s on. Then go to a department like HR or legal and send them an email marked as ‘Do Not Forward’ and tell them that they can’t forward it, and include a screenshot showing them how to do it.” It’s just human nature. “They're going to look at it, try to forward it, realize they can't - and start using it themselves. Now you have partitioned data in your organization.”
You can’t rely on ad hoc classification, but being too restrictive is also counterproductive, Plastina notes. “Organizations will need to show some restraint. Start by going after email and SAP but with policies that are somewhat flexible so you keep productivity.” It’s also going to show you what the real workflow is in your business, which might not be what you think. Remember that rights management has to apply to executives, who will have to accept some changes to their workflow. “Given the recent large-scale data loss events in the news, it may not require as much effort as you think to obtain buy-in,” de Boers suggests.