Enterprise rights management (ERM), a/k/a information rights management (IRM), is an offshoot of DRM technology designed to protect company confidential information instead of commercial media content. With it, sensitive documents can be protected from unauthorized access even when they aren’t housed in content management systems or other repositories inside corporate firewalls.
Although enterprise applications of DRM date back to the late 1990s, the bulk of activity in the ERM market took place in the 2003-2006 timeframe. At the beginning of that period, Microsoft released its Windows Rights Management Services (Windows RMS) ERM product. By the end, two of the earliest standalone ERM companies, Authentica and SealedMedia, had been acquired by major content management vendors — EMC (Documentum) and Oracle respectively. It appeared then that the ultimate destiny of ERM was to be a bullet-point feature of enterprise content management (ECM) systems.
The ERM market began to consolidate after 2006. I found it difficult to keep up with ERM after that, because companies that adopted ERM technology were loath to talk about it publicly, and ERM got nowhere near the level of media scrutiny that consumer media DRM gets.
Consolidation left only one standalone high-end ERM vendor in the US market: Liquid Machines. (Fasoo of South Korea is the largest standalone ERM vendor by installed base worldwide, and there are smaller-scale standalone ERM vendors in the US market, such as Vitrium and Confidela.) Liquid Machines had developed its own ERM technology and subsequently added support for the Microsoft Windows RMS engine.
Those of us who followed this market closely during this period wondered what would happen to Liquid Machines — or more particularly, who would acquire it. The question boiled down to whether it would be another ECM vendor, such as Open Text or IBM, or possibly an enterprise IT security technology vendor like Symantec or McAfee, both of which had developed partnerships with Liquid Machines.
Four years later, the answer has finally come: the Israeli IT security company Check Point Technologies completed an acquisition of Liquid Machines last week. Terms of the deal were not disclosed. Check Point is about half the size of McAfee by revenue, or one-sixth that of Symantec.
Liquid Machines has one major point of differentiation from most other ERM technologies. Many other ERMs integrate with users’ desktop applications, such as Microsoft Office and Adobe Acrobat, by making use of those applications’ plug-in APIs and essentially taking over their input and output functions so that they can handle encrypted files and check users’ credentials. Both Authentica and SealedMedia work this way.
Liquid Machines has a different approach, which is known as application rewriting. In this approach, Liquid Machines examines the executable code of a desktop application like Word, Excel, or Acrobat and determines where input and output are done. Then it patches the machine code — at runtime — so that it calls the Liquid Machines ERM engine (or the Microsoft RMS engine) instead of the application’s own I/O routine. If the file is encrypted, the ERM code checks user credentials, decrypts the content, and does the I/O (assuming the credentials check out).
This code examination process needs to be done only once per application; it is not unlike code instrumentation for performance benchmarking. The great advantage of application rewriting is that it can, at least in theory, be used with any user application, including custom-developed applications.
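An added illustration of the interception flow described above (not Liquid Machines' code and not part of the original post): Python method rebinding stands in for patching machine code, and the `ERM1` envelope, toy cipher, key, policy table and `Editor` class are all constructed for the example.

```python
import hashlib

MAGIC = b"ERM1"                      # constructed envelope marker, not a real product format
KEY = b"demo-key"                    # constructed; a real engine obtains keys from its server
POLICY = {"q3-forecast": {"alice"}}  # constructed: document id -> users allowed to open it

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy cipher (SHA-256 in counter mode, XORed in); stands in for real encryption."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def protect(doc_id: str, plaintext: bytes) -> bytes:
    """Constructed envelope: MAGIC | id length | id | ciphertext."""
    ident = doc_id.encode()
    return MAGIC + bytes([len(ident)]) + ident + keystream_xor(plaintext, KEY)

class Editor:
    """Stand-in for a desktop application; it contains no ERM logic."""
    def __init__(self, storage: dict):
        self.storage = storage                   # filename -> bytes, stands in for the disk
    def read_file(self, name: str) -> bytes:     # the application's own I/O routine
        return self.storage[name]
    def open_document(self, name: str) -> str:
        return self.read_file(name).decode("utf-8", errors="replace")

def rewrite(app: Editor, user: str) -> None:
    """Redirect the I/O routine (located once, ahead of time) to the ERM engine."""
    original_read = app.read_file
    def erm_read(name: str) -> bytes:
        raw = original_read(name)
        if not raw.startswith(MAGIC) or len(raw) < 5:
            return raw                           # unprotected file: pass through unchanged
        id_len = raw[4]
        doc_id = raw[5:5 + id_len].decode()
        if user not in POLICY.get(doc_id, set()):
            raise PermissionError(f"{user} may not open {doc_id}")
        return keystream_xor(raw[5 + id_len:], KEY)
    app.read_file = erm_read                     # the runtime patch

if __name__ == "__main__":
    disk = {"memo.txt": b"public memo",
            "forecast.doc": protect("q3-forecast", b"confidential numbers")}
    app = Editor(disk)
    rewrite(app, "alice")
    print(app.open_document("memo.txt"), "|", app.open_document("forecast.doc"))
```

`Editor.open_document` is never modified; only the routine it calls for I/O is swapped, which is why the same approach can in principle be applied to any application once its I/O call sites are known.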
Liquid Machines’ ERM technology complements Check Point’s. Check Point started as a pioneer in the firewall space and has added other security technologies over the years, such as full disk encryption, virtual private networking, and data loss prevention (DLP).
The acquisition of ERM technology by a major IT security vendor should help expand the ERM market by increasing awareness of ERM among security professionals. When I led a market study of ERM in 2008, we found that IT security executives’ familiarity with ERM had grown since a 2005 study but still was not very high. ERM is fundamentally unlike perimeter security (such as firewalls and DLP) in that it’s not transparent to users. Check Point should help close that familiarity gap, and in doing so, create opportunities for other ERM technologies.
Symantec had given indications back in 2008 that it was preparing to enter the ERM market. Check Point’s acquisition may hasten that development. If that happens, then it will be interesting to see how the functional overlap between ECM and security vendors plays out in the market.
Bill, thanks very much for this informative post, which serves as both a retrospective and an update on the ERM ecosystem.
The lack of acceptance of ERM within organizations can be traced ultimately to a fundamental lack of understanding of ERM technology and practices by those responsible for organic security. I agree with you that this interesting move by Check Point will bring attention to ERM…
Thanks for the interesting post, Bill. It will be interesting to know whether Check Point’s latest acquisition will force Symantec and McAfee to pursue an ERM acquisition.
As John said in his comments, a lack of understanding of ERM has resulted in the slow growth we have seen to date. My observation is that Asia Pacific are probably the leaders in terms of acceptance of ERM, with the Americas following and Europe well behind.
A lot of education is still required for ERM for it to be accepted as a superior information security tool. It will be interesting to see how the next 12 months pan out.
I agree that education is needed to promote ERM acceptance. But there are two other factors in the US/European markets that inhibit acceptance as well.
One, on which I touched lightly in my article, is that it is intrusive to users instead of transparent as perimeter security technologies are. It is necessary for users to proactively set usage policies on documents if they want to override what may be restrictive defaults. This breeds backlash, especially in applications where highly-paid knowledge workers are involved, such as the “virtual deal room” application in investment banking and M&A. Such backlash is less common among the ERM applications found in Asia, which are mostly in the manufacturing area, e.g. the huge installations at Samsung and Hitachi.
The second reason is what Americans refer to as a NIMBY (Not In My Back Yard) attitude among IT security executives. I had discussions a few years ago with IT security officers in pharmaceutics and financial services. Their attitude was that they did not want to assume responsibility for the kinds of information leaks that ERM could help plug: they’d rather see that covered by written policies (many of which are imprecisely worded and/or ignored) than by technology. On the other hand, a Wall Street CSO said to me that if that kind of information leak made the front page of the Wall Street Journal, it would be his job to plug it immediately. This is what happened at the US Dept. of Veterans’ Affairs, where a leakage of large amounts of personal information in 2006 led to massive adoption of ERM — about a quarter of a million users, possibly the largest ERM deployment to date.
Thanks for your response, Bill. The lurking question for me is the way ERM is deployed. I do not believe ERM should be deployed enterprise wide unless it is absolutely necessary. For it to be acceptable it has to be deployed in the business units that work with sensitive information only. As long as vendors and consultants continue to push for enterprise wide deployments when it is not required, there will always be push backs.
The other concern I have about ERM is that many consultants are pushing ERM as an IT security tool that the CISO or CSO should take responsibility for. This should not be the case. Departments that hold sensitive information should take ownership of security for such information.
Interesting article, although the acquisition of Liquid Machines is not entirely surprising given the level of VC funding.
I would argue that, with many millions of end-users worldwide, FileOpen Systems has by far the widest deployment in the ERM sector.
VDRs are in fact highly active users of ERM, with most of the leading providers (Intralinks, V-Rooms, Investran, Perfect Translations, ShareVault, and many others) using FileOpen’s technology.
I have been familiar with FileOpen since Sanford ran the company out of his apartment a few blocks away from me on the upper west side of Manhattan. I consider FileOpen to be primarily a publishing industry vendor rather than in the ERM market. And there’s no question that FileOpen is a de facto standard in certain publishing industry segments.
But even so, I believe that Fasoo is the largest standalone ERM vendor by installed base: over 800 customers worldwide including over a million seats at Samsung.