Why Enterprise Digital Rights Management (EDRM) has an edge over Data Loss Prevention (DLP)?
The biggest boon to enterprises is the advent of the concept of data collaboration. Effective collaboration calls for data sharing not only within an enterprise but also amongst different enterprises.
This sharing of data at a granular level leads to a situation where everyone has access to all information available in the enterprise without any security.
While the admin or the owner of the data can decide which data can be accessed via access controls, this doesn’t guarantee that the data will remain in the secured locations of the enterprise. This means that while access controls are a great start for ensuring data security, they are not good enough.
What is DLP system and what does it require?
To address this security gap and enforce data security policies enterprises resorted to Data Loss Prevention (DLP) tools.
DLP is a set of tools and techniques used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users.
DLP systems require:
- A set of rules as to how the system can identify and classify the data that needs to be protected
- A system/application to scan company data to check whether it matches with the defined rules
- The ability to specify what happens if the data matches the rule
Unfortunately, DLP systems have their problems.
While DLP’s ability to scan, detect data patterns, and enforce appropriate actions reduces the risk of losing sensitive data, it does not provide any protection when users must send confidential information outside the organization’s perimeter.
What is EDRM?
Let’s look at what an Enterprise Digital Rights Management (EDRM) is before we compare the two. Enterprise Digital Rights Management also known as Information Rights Management embeds protection directly into files that travel along with them throughout their entire lifecycle.
Why EDRM is better than DLP in data collaboration
Now let’s compare the two solutions mentioned above to truly understand the advantages of using an EDRM solution over DLP.
Protection beyond the perimeter – Traditional DLP solutions investigate what data is trying to leave the system and decide whether it should leave the system or not.
It is very difficult to formulate policies to decide which type of data can leave the organization and therefore might lead to creating several “false positives”.
Therefore, DLP solutions generally resort to data classification. But data classification is a cumbersome job for the IT professional to determine as only the users will know what is important and what is not.
Not only that DLP uses classification to control the flow of unstructured data in use cases like sending email attachments, saving files on shares, local directories, and USB drives. DLP only provides control over networks, and devices, apps, and services.
Whereas in EDRM, data classification is done so that there is identity-bound data protection; the file is encrypted so that only the right person has access to it even if it travels all over. It assures the protection of data beyond controlled boundaries.
Granular Level Encryption – To enforce DLP, an agent (software tool) is always needed on the device. DLP might resort to storage encryption; i.e encrypting data while it passes to storage devices, such as individual hard disks, tape drives, or the libraries and arrays that contain them.
Although storage encryption may sound like a good way to ensure data safety, it requires an application–agnostic tool on your device to decrypt it. EDRM encrypts the file at a granular level and not just the storage. It assumes that the environment is not secure.
That is why in collaboration use cases EDRM is the only viable solution because you cannot always control the environment of your partners and encrypting at the level of individual files, volumes, or columns in a database may be necessary, particularly since data is shared with other outside users.
Access and Usage Control Feature – Unlike DLP, EDRM has data usage or user privilege control inside the application. This powerful feature is a technically complex one but it has a great impact on the user experience.
Microsoft Information Protection (MIP) access and usage control creates a good user experience while hiding the complexity.
The core of the access control feature, the Microsoft ID enables additional levels of validation and ensures that only the assigned person has access to the file.
The usage control (USCON) feature is the new enhancement to the access control feature. This feature makes the entire EDRM security very robust as no one can access data out of its secured environment.
Usage control allows you to define what happens inside the application. Therefore, EDRM offers better data security controls when compared to DLP solutions.
Here is the comparison and main difference between Data Loss Protection (DLP) Vs. Digital Rights Management (DRM):
|Objective||Prevent data leakage. This is done by controlling data distribution||Prevent unauthorized use. This is achieved by controlling user privileges for digital content|
|Technical approach||Agent-based control for storages (USB, file share), file transfers, output, email, etc.||File encryption, access control and privilege control (inside applications based on plug-ins)|
|Approach prerequisite||Data is classified based on process context or data content||Data is classified based on process context or data content|
|Technical support||Device and platform specific, application agnostic, file type specific in case of content classification||Device agnostic, platform and application specific, file type specific in case of content classification|
|Solution complexity||Limited||High; it requires automation for reducing complexity|
|Protection effectiveness||Inside of controlled IT environments (on endpoint devices with DLP agent installed and DLP protected cloud services)||On all devices and IT / cloud environments regardless of the infrastructure security|
|Security controls||“Binary” (allow or block the action)||Granular access and privilege control (view, edit, copy, print, export, etc.)|
|Security controls (incl. change) after data sharing||No||Yes|
|Usage fault tolerance||Limited (e.g. immediate breach when a file is sent to the wrong recipient or when using copy and paste option)||Robust (user can have the file, but it is useless without access authorization; copy and paste option is covered by the privilege control) even in case of ransomware attacks|
|GDPR compliance||No. There is no forwarding control||Yes (using access expiration date is required)|
While organizations achieve the highest security level by complementing DLP with a DRM approach, DRM can be considered as a replacement of DLP if all business-critical use cases are covered by it. However, the critical success factor for a DRM adoption is an automated integration in those processes.
SECUDE is the leading data-centric security provider for SAP enterprise and CAD software. Its products and solutions apply appropriate labelling and protection defined in Microsoft Information Protection (MIP), the de-facto standard for rights management to the data and files downloaded from SAP and CAD software.
Comments are closed.