Why DRM and Customer managed Keys are Important for Information Security and Data Privacy

DRM coupled with customer-managed keys (CMKs) in a HSM device allows users to have control over their data and facilitate compliance with regulations.

8 May 2014

Why DRM and Customer-managed Keys are Important for Information Security and Data Privacy

Ever wonder what your company is doing to uphold data security and privacy? If you aren’t already thinking about this, you should be. It seems like almost every day there’s another data breach in the news, and the subject of ‘where to house your data’ and how to prove where it has been housed has never been more relevant.

The benefits of information sharing and collaboration are clear, but with great benefits, also come detrimental risks to the organization - data leakage in particular. Companies that lose data and don’t follow the laws around collaboration and information sharing can be at risk of brand damage, litigation and fines. It’s important now more so than ever to uphold the proper data privacy protection. It’s become much more difficult to maintain control of business information and activity due to the shift of organizationally-defined information governance to user-defined information governance. Preserving data security and data privacy is paramount.

Which brings me to recent news you may have seen in GigaOm and Forbes, Intralinks has acquired docTrackr, a leader in document security solutions. docTrackr’s innovative security and digital rights management (DRM) technology addresses enterprise concerns by giving users complete control of their information and data, no matter where documents are stored or shared. Without DRM, it’s easy for sensitive information to become lost – which is why file sync and share applications like Dropbox and Box are among the most blacklisted applications in the enterprise. Even with data encryption and other security measures in place, files can be copied, printed or shared, making data leaks a potential risk. Intralinks’ platform supported DRM in the past, but integrating docTrackr‘s advanced technology will further establish Intralinks’ lead in the market. This is possible through a unique plugin-free design and open SDK which safeguards content, provides security and access control at rest, in transit and in-use - regardless of the location or device.  In addition, docTrackr’s technology provides enriched business insights around document activity (i.e. how long the document was open etc.), along with rich policy controls that dictate when or when not to apply protection based on smart policy decision making – truly an innovative approach to policy management for sync and share apps. Any company selling to the Enterprise should be offering granular access control (e.g folder, sub folder, file level access control) with per file encryption and DRM content controls (e.g print, edit, view) through the full content lifecycle (create, archive, dispose).

And let’s not forget data privacy. In the age we live in, data leakage is not uncommon. The Edward Snowden debacle has sparked a global debate on privacy. In all, Snowden is thought to have leaked about 1.7 million documents without the NSA’s authorization. The NSA, which is tasked with gathering foreign intelligence and safeguarding the US government’s information systems, is in an exclusive position to observe and monitor communications globally. Other countries have the ability to monitor domestic telecommunications, not many have the resources to see foreign traffic – know that for those that do there are many actions organizations can follow to protect their information (and their customers’) from being shared with the government. For example, just check out this chart to see some of the NSA’s major surveillance programs and countermeasures organizations can take to maintain data privacy.

Even major technology companies like Facebook have begun exhibiting a level of transparency around government requests for customer data to make surveillance practices of nations more visible.  Government requests put businesses collecting information in a tricky bind. Organizations have legal obligations to protect information in one jurisdiction and requirements to turn that information over in another.  Many organizations are unaware of data regulations in different countries and jurisdictions, making it very difficult to confirm whether or not their file sync and share vendor has the right safeguards in place to protect their information. One might think that only local governments can have access to a said company’s information, but that’s not always the case. Even if an organization is headquartered in one jurisdiction and houses its data there, when you share information in another jurisdiction, that jurisdiction could have the right to access to your data too – making it very difficult for organizations to decide where to house their data.

Deciding where to store your information securely requires an understanding of the data protection regulations in different geographies and jurisdictions. Data privacy laws may likely continue to evolve and could possibly become even more complex overtime.

In light of this, Intralinks also announced a new service called “customer managed keys”. DRM coupled with customer managed keys (CMKs) in a dedicated Hardware Security Module (HSM) device allows users to have complete control over their data and facilitate compliance with regulations driven by the nature of the content and/or geographic location  - further strengthening the security and privacy of your data. The CMK service provides customers with the ability to create, expire, delete & rotate customer keys without requiring full re-encryption of existing content. In addition, customers have high availability and backup support for an enterprise-grade deployment. A few vendors who offer DRM capabilities have approached their design with the plug-in model that makes users download and install a thick client for viewing and editing protected content. These plug-in models have architectural design challenges (like users can only search unprotected files) and may rely on third party add-ons for advanced document controls and security. In my opinion, this can severely impact the user experience and hamper adoption on a wide-scale.

Essentially, we feel that data owners should be able to control who has access to their information, and CMKs help make this a reality. Intralinks’ acquisition of docTrackr and announcement of CMKs reflects the company’s pledge to security and data privacy.  As you know, DRM is vital to securing content shared outside of the firewall and CMKs allow companies to keep control over their content without hindering information sharing.  Fundamentally, integrating docTrackr’s DRM capabilities will better enable CIOs to secure, control and track all content that leaves the enterprise without compromising the end user experience.  Stay tuned to our blog to see what we have planned ahead.