If you pay $1.99 to download an ebook for your Kindle, it’s protected by DRM that stops you from sharing the contents, and if Amazon wants to, it can revoke the document so you can’t read it any more. Is your company’s current price list protected nearly as well?

With information rights management (often known as enterprise DRM, short for digital rights management), you could make sure that price list was only shared with your customers, blocking them from sending it on to your competitors and automatically blocking it at the end of the quarter when you come out with new prices. Or you could share specifications with several vendors in your supply chain during a bidding process and then block everyone but the winning vendor from opening the document after the contract is finalized. You can make sure that contractors aren’t working from out-of-date plans by making the old plan expire when there’s an update. Tracking and visibility are useful for compliance as well as security; you could track how many people had opened the latest version of the employee handbook, or see that a document you’d shared with a small team was actually being read by hundreds of people.

Rights management is a mature enterprise technology – versions of it have been in Windows Server since 2003, for example – but while Gartner analyst Mario de Boer notes that “EDRM is more popular than it ever was,” he also says “enterprise-wide deployments are still rare.”

A recent survey by secure collaboration vendor Intralinks found that only 53 percent of enterprises classify information to align with the access controls that are supposed to be protecting it.
That’s especially problematic during confidential but time-sensitive processes like mergers and acquisitions; if you’re worried about a deal falling through, it’s tempting to start mailing unprotected Excel files around rather than jumping through hoops to grant access correctly.

That’s probably why one survey of executives involved in M&A by Ansarada (whose Secure Office service is designed for sharing documents during the M&A process) found that 71 percent had suffered data loss. And you don’t have to be the NSA to suffer from insider attacks; early this year U.K. media regulator Ofcom discovered that a former employee had downloaded six years’ worth of data about TV broadcasters before leaving, and promptly offered it to their new employer, a rival broadcaster.

With rights management, Ofcom could have made those documents worthless because once the employee left, they would have lost their rights to open the documents – and they could have been blocked from printing them or copying the contents as well. New data privacy laws like the EU General Data Protection Regulation will make those kinds of losses even more expensive.

“The traditional way of protecting data focuses on control,” says de Boer.
“Control over networks (‘We have locked the data away in the data center’), control over devices (‘We have enabled AES-256 encryption on all mobiles and encrypted the full disks on Windows’), apps (‘Everyone uses our container solutions’) and control over services (‘We only give authorized people access to the application’).”

Dan Plastina, who runs Microsoft’s rights management offerings, including Azure RMS, says that companies are beginning to realize that protecting the perimeter and devices is no longer enough and they need a data-centric approach.

“You had a perimeter once, but over the years you’ve punched a lot of holes in that wall,” says Plastina. “Data is not being saved where you want it to be saved. Whether you like it or not, this is happening. What I see is that people are recognizing the problem is a lot bigger than they thought, and I think some organizations are at the point where they’re realizing that identity and data are the things they need to focus on, as opposed to classic device management. Device management is not going away but the concept that data and identity need to be married together more aggressively is definitely resonating.”

He describes the core of rights management as “identity-bound data protection; you encrypt the file so that only the right person has access to it.”

Some industries have already adopted rights management, particularly finance, automotive and manufacturing. “They’re people who either want or have to protect data,” says Plastina. “There are organizations that have a lot of IP and want to protect it, and then there’s PII and financial data inside banks. Some financial organizations we work with protect a lot of documents every day with rights management.”

But rights management is important for a far broader range of industries, he maintains. “Your data is travelling to different repositories and stores.
Data goes to the cloud, it’s given to partners; that content is clearly not within your control any more. This technology is at a point where people ought to be paying attention. The usage of data in their companies is absolutely past the limit; their data is all over the place and they have no idea.”

Avoiding extremes

The problem isn’t with the quality of the technology, and most organizations have mature identity management that will allow them to use rights management technology. “The most common challenge is not technical but cultural,” de Boer explains. “You should expect the changes in common workflows to be harder to plan for and accomplish than solving technical issues.”

That means not being too ambitious as you start using rights management and avoiding both leaving too much up to users and locking down data too much. “Most successful deployments start small, with policies applied to the most sensitive repositories. Then monitor use, learn as you go, and detect deficiencies. Eventually, you can expand to more complex use cases.”

There are some things that rights management will never be able to protect you from, like an employee snapping a photograph of their screen with a smartphone, but that’s not a technology issue; it’s a management problem (and at that point, the employee can’t claim that they shared the information accidentally).

Typically, rights management deployment runs into two issues, says Plastina. “Either people left everything up to the users or they went crazy in terms of the breadth and said ‘I’m going to protect everything’.” Neither approach works well. “IT leaders don’t have a good sense of what is sensitive or not,” he notes, so business leadership needs to be involved in deciding what to protect.
You don’t need as many policies as you might think, either; policies for strictly confidential, confidential, internal and public data will cover most companies.

He suggests starting by thinking about your most sensitive data and where it’s stored. “Not all of your data is sensitive. If 5 percent of your data is top secret, take that 5 percent and focus your energy on that. If you’re in the candy bar business, then SAP is the bulk of your sensitive data; logistics, order information, inventory, financials.” That data is secure until you run a report and create a PDF or an Excel file and start mailing it around. “In that case, go purchase Halocore from SECUDE and focus on SAP and mark it company internal; all that data will be encrypted at birth and it can’t leak outside the company. That quickly starts to put a leash on your data.”

The next step might be partitioning internal email; for example, messages and documents sent within the HR and legal teams. “Today the entire company’s worth of data is accessible to everyone in the company. If the very sensitive data is rights protected then that partitioning will enforce itself and IT will be notified that Dan in legal is trying to access documents from HR,” Plastina explains, “and someone would be able to take action.”

He suggests a simple trick for getting teams to opt in to classifying and labelling their own content: “Turn on RMS; no-one will notice that it’s on. Then go to a department like HR or legal and send them an email marked as ‘Do Not Forward’ and tell them that they can’t forward it, and include a screenshot showing them how to do it.” It’s just human nature. “They’re going to look at it, try to forward it, realize they can’t – and start using it themselves.
Now you have partitioned data in your organization.”

You can’t rely on ad hoc classification, but being too restrictive is also counterproductive, Plastina notes. “Organizations will need to show some restraint. Start by going after email and SAP but with policies that are somewhat flexible so you keep productivity.” It’s also going to show you what the real workflow is in your business, which might not be what you think. Remember that rights management has to apply to executives, who will have to accept some changes to their workflow. “Given the recent large-scale data loss events in the news, it may not require as much effort as you think to obtain buy-in,” de Boer suggests.

If you have a ‘do not forward’ policy for email sent by your senior leadership team, you might want to give executives the ability to unprotect messages and then protect them, so they can share them with their own leadership team. “If that executive loses a thumbnail of documents no-one would be able to open them,” points out Plastina, “but it doesn’t become so oppressive that the executive doesn’t want to do it and tries to get around it.”

Protect now, get sophisticated later

Microsoft is also working on improving the experience of automatically classifying and protecting documents inside Office, to be more like the data leakage protection features it already has, using the Secure Islands technology it recently purchased. As you type in a credit card number, Office will suggest that the document needs to be marked as confidential – but there will also be an option for the user working on the document to say that’s a mistake and change the classification back to internal (the way you can with Exchange data leakage protection today).
The Office integration will be available as a private preview in the near future, and the Secure Islands tool is shipping now.

Once you have data that’s labelled and rights managed, there are opportunities to get control beyond the usual file sharing and email. Microsoft recently bought Adallom; the technology is now called Cloud Application Security and Plastina suggests it will turn into a kind of data leakage protection for data going to cloud services. “It can sit in the network as proxy or squat on APIs, so it’s capable of working outside the classic productivity endpoint. Imagine a cloud access security broker capable of blocking the upload to Salesforce of something that’s secret.”

Rights managed documents will be a key area for machine learning, both for tracking misuse and automatically classifying documents. Another Microsoft acquisition, Equivio, can do classification for legal documents today, and Plastina says Microsoft has plans to build on that. “You feed it a bunch of documents and tell it ‘go find more like this.’ Imagine an organization has a petabyte of data and they have users actively classify some content. Once you have say 100MB of well classified content, the concept is you could use Equivio to say ‘I know these are top secret M&A files, classified by label; now go find a bunch [of matching documents] with no tags and classify those in bulk’. If you have a petabyte of historical data you want that labelled; you can’t just protect the new stuff or what’s being edited now.”

If you’re looking for those advanced features, you’ll still want to start using rights management today, he points out. “The best approach is to focus on the basics: classify, label and protect. Start there, and once that’s done monitoring and responding are a lot easier.
There’s no ability to monitor and respond if you have no signals.”

De Boer agrees that you should be considering rights management now rather than later. “CIOs should plan for a data-centric approach to information protection, and EDRM takes a central position in such plans. All CIOs that value collaboration and that understand the inflexibility of infrastructure borders around islands of sensitive data should investigate EDRM.”

Flexibility is key to adopting rights management. Secure Islands will help you find documents that need protecting, and turn protection off if it’s not needed.