I just finished up my last of 4 presentations here in Orlando and am enjoying a nice PB&J and merlot here in my room. Too much travel really kills the taste buds for hotel food.

Today’s presentation was on data security, the area I’ve been focusing on during my 5 years as an analyst. And when you talk about data security you have to talk about DRM.

Enterprise DRM is quite different from consumer DRM, even if they both follow the same basic principles. One of the biggest differences is that enterprise DRM is focused on reducing the risk of exposure, while consumer DRM is focused on eliminating it (you know, the mythical perfect security).

There are a few third-party DRM vendors, but Microsoft and Adobe are the big elephants in the room. But even those behemoths struggle to get beyond a workgroup-scale deployment (oh, they may sell seats, but few people use it day to day). Which, as we struggle with problems like information leaks, seems pretty weird. I mean, here we have a technology that can stop everything from unapproved email forwarding, to printing, to cutting and pasting. Seems pretty ideal, so what’s the problem?

All that capability comes with a price: not the sticker price, but deep enterprise integration with every single application that needs to read the content.

But that’s not the big problem. The big problem is DRM relies on the people creating documents actually remembering to turn on the DRM, then understanding which rights to apply, and then figuring out who the heck is supposed to have all those various rights.

I can barely remember my family, never mind which of my far-flung coworkers should be allowed to print the doc I just sent them. Thus most DRM deployments don’t make it past the workgroup.

Now imagine if the rights were automatically applied, or at least suggested, based on the content of the document. If there’s a credit card number, one set of rules is applied. If it’s an engineering plan or a secret marketing doc (based on the verbiage inside), different rules are set. All based on central policies. Sure, it won’t catch everything, but it’s a heck of a lot better than not doing anything.

Hmm… I wonder where we could find a policy-based tool capable of taking action based on deep content inspection using advanced linguistic, statistical, or conceptual analysis?

Oh yeah: content monitoring and filtering, often called information leak prevention.

CMF will save DRM. It will make it viable outside the workgroup by taking everyday decisions out of the hands of overworked employees, while applying central policies based on what’s actually in the files. It won’t work every time, and users will often have to confirm the correct rights are applied, but it’s the only way enterprise DRM is viable.
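As an added illustration (not code from this post or from any DRM or CMF product), here is a minimal sketch of the idea above: a central policy table maps content labels to rights, a content inspector assigns the labels, and the result is a suggestion the user confirms. The policy names, keyword lists, rights fields, and the Luhn check used to cut false positives on card numbers are all assumptions made for the example.

```python
import re

# Hypothetical central policy table: content label -> suggested rights.
POLICIES = {
    "cardholder-data":  {"rank": 3, "print": False, "copy_paste": False, "forward": False},
    "engineering":      {"rank": 2, "print": True,  "copy_paste": False, "forward": False},
    "marketing-secret": {"rank": 1, "print": False, "copy_paste": True,  "forward": False},
    "default":          {"rank": 0, "print": True,  "copy_paste": True,  "forward": True},
}
# Constructed keyword lists standing in for real linguistic/statistical analysis.
KEYWORDS = {
    "engineering": ("schematic", "tolerance", "bill of materials"),
    "marketing-secret": ("launch plan", "embargo", "pricing strategy"),
}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return the set of policy labels whose content rules match the text."""
    labels = set()
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.add("cardholder-data")
    lowered = text.lower()
    for label, words in KEYWORDS.items():
        if sum(w in lowered for w in words) >= 2:   # require two hits per label
            labels.add(label)
    return labels

def suggest_rights(text):
    """Pick the highest-ranked matching policy; the author still confirms it."""
    labels = classify(text) or {"default"}
    winner = max(labels, key=lambda name: POLICIES[name]["rank"])
    rights = {k: v for k, v in POLICIES[winner].items() if k != "rank"}
    return {"label": winner, "rights": rights, "needs_user_confirmation": True}
```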