by Eric Ogren

Securing the Corporate Content: Post Delivery Protection

Nov 19, 2002 · 5 mins
CSO and CISO, Data and Information Security

The promised market domination of digital rights management (DRM) has not panned out in the enterprise as CSOs have overwhelmingly gravitated to protecting corporate content via lower total cost of ownership solutions built around SSL-secured browser access to document repositories and web portals. These approaches rely on trusting the person accessing corporate network resources to be responsible with confidential content.

But there are mission-critical assets of the corporation that are valuable enough to warrant extended protection against leakage of confidential information once it has been delivered to a remote user. Manufacturing businesses use post-delivery protection techniques to save repeated production and distribution costs of paper documents, pharmaceutical and healthcare organizations use DRM methods to meet HIPAA compliance, and all industries use secure content solutions to protect consumer privacy while sharing information along the supply chain. The technology to enforce an enterprise's content security policy on remote desktops is known as post-delivery protection (PDP). This article re-examines post-delivery protection and makes recommendations on where it may fit in the CSO security arsenal.

PDP refers to technologies that provide the tightest set of constraints on the end-user, the recipient of the corporate content. It enforces corporate policy on what the end-user can do with the content after secure delivery. With PDP, the corporation has complete confidence of compliance with the corporate security policy even after the content passes from the IT-controlled network into a reader's PC.

Securing content after delivery to an authenticated recipient works with software at the end-user desktop. This software is frequently mobile code that automatically executes within a contained browser environment, or it can be a custom application that must be pre-installed on the desktop. In all cases the software controls the ability to save the unencrypted content to local storage, because once the content is written to disk it is too easy to bypass mechanisms enforcing the security policy. The policy rights that are enforced at the desktop include:

  1. Control the ability to forward the content by email to reduce unauthorized electronic distribution.
  2. Control the ability to print hardcopy to reduce the unauthorized paper distribution. Printing includes watermarking to allow printing for local use while discouraging propagation of paper copies.
  3. Control the ability to cut and paste to prevent unauthorized incorporation of intellectual property into another piece of content.
  4. Control the number of times content can be viewed or printed to protect usage-based revenue schemes.
  5. Control the content of record to facilitate the retirement of obsolete versions over the Internet.
  6. Control user access rights to centrally revoke access for users that no longer have a business need to view the content.
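
The six rights above can be read as one server-side decision made before the desktop software acts. The following is an added example, not code from the article or from any vendor product; the class, field and function names are hypothetical and the sample policy and requests are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class ContentPolicy:
    # Hypothetical server-side record for one protected document.
    current_version: int                        # right 5: content of record
    allowed: dict                               # rights 1-3: user -> permitted actions
    max_uses: dict                              # right 4: action -> per-user cap
    revoked: set = field(default_factory=set)   # right 6: centrally revoked users
    used: dict = field(default_factory=dict)    # (user, action) -> grants so far

def decide(policy, user, action, version):
    """Return (granted, reason). Default is deny; usage is counted only on a grant."""
    if user in policy.revoked:
        return False, "access revoked"
    if version != policy.current_version:
        return False, "obsolete version"
    if action not in policy.allowed.get(user, set()):
        return False, "action not permitted"
    cap = policy.max_uses.get(action)           # None means no usage cap
    count = policy.used.get((user, action), 0)
    if cap is not None and count >= cap:
        return False, "usage limit reached"
    policy.used[(user, action)] = count + 1
    # Right 2: a granted print carries a watermark obligation for the client.
    reason = "ok, watermark required" if action == "print" else "ok"
    return True, reason

def demo():
    # Constructed sample policy and requests.
    p = ContentPolicy(current_version=3,
                      allowed={"alice": {"view", "print"}, "bob": {"view"}},
                      max_uses={"print": 1})
    results = [decide(p, "alice", "print", 3),    # first print is granted
               decide(p, "alice", "print", 3),    # cap of one print reached
               decide(p, "bob", "forward", 3),    # forwarding not granted to bob
               decide(p, "alice", "view", 2)]     # stale copy of version 2
    p.revoked.add("bob")                          # business need has ended
    results.append(decide(p, "bob", "view", 3))
    return results

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The decision is made centrally, but the desktop software still has to honor it, which is why the software must also control saving unencrypted content to local storage.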

The above technology can bring enticing business benefits. Usage-based royalty and pay-per-view schemes may be introduced for on-line access, customer privacy can be protected while deploying highly personalized services, operational expenses may be curtailed by reducing paper distribution, and mission-critical intellectual property can be guarded while sharing with business partners. All of these are enhanced with PDP approaches.

The post delivery model has great promise for enterprises wishing to realize operational and revenue generating possibilities of the Internet without being burned by rampant disclosure of sensitive material. However, there are major challenges in providing post delivery protection for the CSO:

  1. The operational costs to an enterprise can be daunting. The overhead in registering users of the post delivery protection service, managing policies for users and content, and supporting users from the help desk does not scale easily for large deployments.
  2. The end-user experience is necessarily invasive. A user preferring to use the application interface must download and install an application that will enforce post-delivery rights. The alternative forces users to interface to their applications via an on-line browser, which may not be the best choice.
  3. The CSO has to fight the perception that the enterprise does not trust its employees and partners. Communication is important to assure the users that it is the corporate content that is the issue and that the post delivery protection capability is necessary to protect the organization.

The Internet is a tremendous tool for enterprises to use in sharing intellectual property with customers, partners, and suppliers. It is an instant distribution network that any corporation can use to improve communications while lowering operating costs. The trend of focusing on the security of the enterprise's content will continue to grow as IT managers realize that network and perimeter security only solves part of the problem. The CSO should apply PDP to those areas that have high value, a manageable number of users, and a business application that can be extended with PDP. There is a place for PDP in the enterprise with these guidelines:

  1. Do not over-engineer the solution – focus PDP level protection where there is a high value of the intellectual property with a limited user community. Examples would be bet-your-business research plans that require tight controls once the collaboration phases are over.
  2. Look for applications where a post delivery protection program can piggyback application deployments with identity management and provisioning processes. Bundle the PDP deployment with a necessary application or application upgrade to enhance end-user acceptance and gain an improved TCO.
  3. Look for innovative ways to use secure content techniques to provide revenue generating business-to-business services, where the enterprise retains ownership of the data. This may be a rental fee to access content on-demand, or creating user-registered access to teaser summaries of separately purchased reports.

Post delivery protection products are destined to become an integral component of document production systems, web content portals, information delivery networks, and application service provider products. Until then, there are proven technologies from vendors such as Probix, Authentica, SealedMedia, and InterTrust that provide PDP protection. These are important technologies for protecting the most critical shared corporate content.