A few weeks ago, I met with a group of customers representing the government institutions of a small Asian nation. For a variety of geo-political reasons it was apparent that for a relatively small country they spend quite a bit of money on their national defense. And so it was no surprise that every other question turned to security.
Securing content has long been an integral part of every decent Enterprise Content Management (ECM) system on the market. Most offerings provide solid authentication and access control (often called permissions). Robust auditing is a requirement not just for security but also for many compliance applications. For example, the 21 CFR Part 11 regulation in the Pharmaceutical industry is big on auditing and electronic sign-offs.
But what most of these security capabilities don't consider is that they are really securing the system and not the content. Yes, the repository is very secure but the content wants to be used, and to be used, it cannot just sit in a secure repository. Even the most basic use such as viewing usually means taking the content out of the repository where all of the fancy authentications and permissions become irrelevant. Indeed, as soon as users have the right to read a document and open it with their desktop application, the document is controlled by the users and not by the content management system (CMS). The users can save it on their flash drive, forward it via email or post it on Facebook. Not much security if you ask me.
During the meeting, I explained to the customers the two ways to secure content outside of the repository. The first method is using encryption via rights management - sometimes referred to as information rights management (IRM) or enterprise rights management (ERM). This approach is based on the same technology as digital rights management (DRM) which dates back to the mid 90s with companies such as Intertrust. DRM was the entertainment industry's attempt to control content piracy by encrypting the content and requiring users to apply a key that would control what they are allowed to do with it.
The vendors in rights management in the enterprise market applied the same approach by extending the repository permissions to content outside of the repository. But as we've seen with DRM, rights management really gets in the way of usability. The key distribution becomes a challenge and the users struggle to encrypt and decrypt their content. This inconvenience was so significant that consumer companies such as Sony and Apple eventually abandoned DRM altogether.
In the enterprise space, most rights management vendors got acquired by the bigger players who now rule this market - Oracle acquired Sealed Media (via Stellent), EMC got Authentica and Microsoft built their own RMS which OpenText integrates with to offer a solution for its own repository. But because of the user inconvenience, rights management deployments are usually limited to specific applications such as deal rooms or contracts management.
The other way of securing content is much newer and more innovative: content tethering. Its main idea is to address the key security weakness of a secure repository - which is controlling the content when it leaves the repository - by not letting it ever leave. It's not a surprise that this approach has yet again been pioneered by the media companies. The most notorious example is YouTube, which allows any user to view the content on its site but also makes it available on any other site, blog, RSS reader, portal or mobile device by providing a simple widget that can be easily embedded in such applications. That's done by copying a short snippet of code that YouTube makes readily available to anyone.
With the widget approach, the YouTube content can be easily used by any application but - and here is the beauty of this technology - the content never leaves the YouTube repository. The widget displays the content straight from the YouTube repository while YouTube retains complete control and security of the content. The content cannot be downloaded unless explicitly permitted (sorry Wikileaks) and the content owner can update it any time or take it down, which is something YouTube has to do regularly to please those pesky media companies crying about copyright infringement.
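The tethering properties described above, as a small model added here for illustration (not YouTube's or any vendor's code): the embed snippet carries only a reference, every view is decided by the repository at view time, and an update or takedown takes effect everywhere at once. The `Repository` and `Document` classes, the `repo.example` host and the sample data are all constructed assumptions.

```python
"""Constructed model of content tethering: embeds hold a reference, not content."""
from dataclasses import dataclass, field


@dataclass
class Document:
    body: str
    readers: set                 # principals allowed to view
    allow_download: bool = False
    taken_down: bool = False


@dataclass
class Repository:
    docs: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def embed_snippet(self, doc_id):
        # The snippet carries only the document id; nothing is copied out.
        return f'<iframe src="https://repo.example/widget/{doc_id}"></iframe>'

    def _serve(self, doc_id, user, action, extra_ok=True):
        # Single decision point: evaluated on every request and audited.
        doc = self.docs.get(doc_id)
        ok = (bool(doc) and not doc.taken_down
              and user in doc.readers and extra_ok)
        self.audit.append((doc_id, user, action, ok))
        return doc.body if ok else None

    def render(self, doc_id, user):
        return self._serve(doc_id, user, "view")

    def download(self, doc_id, user):
        # Copy-out path: only when the owner has explicitly permitted it.
        doc = self.docs.get(doc_id)
        return self._serve(doc_id, user, "download",
                           bool(doc) and doc.allow_download)


def demo():
    repo = Repository()
    repo.docs["c-1"] = Document("contract v1", {"alice"})
    out = {"snippet": repo.embed_snippet("c-1")}
    out["view_v1"] = repo.render("c-1", "alice")
    out["stranger"] = repo.render("c-1", "mallory")
    out["download"] = repo.download("c-1", "alice")
    repo.docs["c-1"].body = "contract v2"    # owner updates in place
    out["view_v2"] = repo.render("c-1", "alice")
    repo.docs["c-1"].taken_down = True       # owner takes it down
    out["after_takedown"] = repo.render("c-1", "alice")
    out["denied"] = [a for a in repo.audit if not a[3]]
    return out


if __name__ == "__main__":
    print(demo())
```
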
The content tethering works not just for video. SlideShare does the same for PowerPoint slides, Flickr does it for pictures and RSS feeds do it for news articles. And just as DRM found its use in the enterprise, the same is happening with content tethering.
OpenText (yes, my employer) has released an enterprise version of widgets that allow customers to tether content residing in the Enterprise Library, a highly secure repository. Leveraging our own set of content viewers (remember that little Spicer acquisition in 2008?), the OpenText Widget Services work with virtually any type of content from documents to rich media. The widgets can be embedded via tiny code snippets into any web site, blog, portal or mobile site. And with tethering, customers have a new way to secure their content while making it widely available to users who don't need any pre-requisite software on their devices and who don't need to worry about how to decrypt that darn contract I'm supposed to review by noon today.
And that's an interesting solution for security-sensitive customers like the folks from Asia I met the other day.