To DRM or not to DRM – that is not the question!
The pressure is on, as never before, to make enterprises accountable for the control and management of personal information on the one hand, and to penalise them on the other if they fail to take adequate measures to protect their internal information.
The US is where the rubber hits the road (or perhaps where Sarbanes-Oxley hits the California Act). And, slowly but surely, enlightened self-interest (do nothing and you get fined) is persuading people that DRM tools are actually a serious solution to some otherwise painful problems.
Now, whatever you may or may not think about operating system suppliers, they all do a fair job of providing controls for accessing information on internal networks and servers. They do not do so once information gets out of the enterprise: when it is put on a laptop for senior management, travelling salesmen or engineers, or has to be provided to people outside the enterprise, such as business partners, boards of directors, customers who receive personal or proprietary information, and third parties who need to be able to see confidential information but must be prevented from passing it on.
The problem is simply that network control concepts always face inwards, assuming that there is some central administrator who has control over those authorized to use services. But they do not face outwards.
On the other hand, DRM control systems are not interested in domains or IP addresses, or all those things that appear sacred to systems administrators. DRM is interested in identifying the machine that is being used to access controlled information. DRM is a different concept from the access control approach used by network administrators, because it works just as well regardless of where the PC is actually located and prevents unauthorized forwarding or modification.
DRM is a continuing control concept, which is not available in traditional access control systems. Understanding the need for continuing control is vital to understanding and harnessing the true power of DRM.
Normal access control technologies are ‘all or nothing’ in their approach. If you have the authority to read something that means you can copy it to wherever you like because your power to read cannot be curtailed. And if you can write it then you can change it to anything you like and then write it.
DRM controls are much more granular, because they can extend beyond the authority of the person authorised to make use of information. So DRM controls can allow the authorized user to have access to information whilst denying them the authority to pass that information on to others. By comparison, pure encryption technology (often used to provide confidentiality or secrecy of information when it is being sent from one person to another) cannot prevent the authorized user from distributing the information they have received to all and sundry, to anyone they choose, and you as the owner of the information have absolutely no chance of stopping them from doing that!
And that is why DRM controls, even though they have had such a bad press as a result of the way that the music and film industries have attempted to implement them, have a real value and role in protecting information both inside and outside the enterprise boundary. Enterprises have to be able to share information that is sensitive, in both the commercial and the personal-information sense, without exposing themselves to liabilities because they did not take proper care to protect that information from theft or misuse.
So the question is not “Do we DRM?”; the question is “How soon do we DRM?”




