By Mandy Pang, Senior Product Manager at NextLabs, and Ron Kaplan, Security Strategist at NextLabs
In today’s collaborative world, eDRM (Enterprise Digital Rights Management) is proving to be one of the most effective ways to share documents with partners. eDRM is a technology that enables companies to restrict access to documents containing sensitive information, both inside and outside the corporate firewall. It works by rights-protecting documents with AES encryption and then applying policies that control access and usage rights (view, edit, print, etc.). A user who is not entitled to view a document cannot open it; a user who is entitled to view it may still have usage restricted.
There are two primary models in use today. The most common approach embeds a single static policy or template into a rights protected document. In this approach, rights are defined at the time a document is protected. When a user opens a rights protected document, a rights management client (software on the client device) requests the user’s access and usage rights for that particular document from a rights management server. The rights management server returns user rights back to the client to allow, disallow or restrict usage.
The newer model uses attribute-based policies. Attribute Based Access Control (ABAC) policies are stored in a repository separate from the documents they manage. When a user tries to open a rights protected document, the eDRM system dynamically evaluates attributes about the user’s identity, document metadata and the context of the request to determine user rights to the document. Unlike embedded static policy, user rights are determined dynamically at run time.
Documents protected with attribute-based policies can evaluate a wide array of information to determine user rights. ABAC policies can gather more data about the user than is inherent in the user’s role, including things such as citizenship, primary office location, active projects or any variable that resides in an external system. Equally significant, ABAC policies can consider the context of the user’s request, such as the IP address, the time of day, and whether access is from a personal mobile device or a company-owned computer. Attributes enable companies to enforce fine-grained policies that would otherwise not be possible. The same ABAC policies are used to control a diverse range of data and systems across the enterprise.
With embedded policies, rights management is bound to a single policy per document. If a given document is subject to multiple requirements, such as export control, IP protection and SOX, a single embedded policy for that document is no longer sufficient. Covering every requirement this way multiplies the number of policies, which quickly grows to a point where it is unwieldy and costly.
Because ABAC policies are independent of the physical document, multiple policies can enforce controls over a single set of documents, and because each policy can incorporate many variables, fewer policies are needed to enforce the same level of control.
The major benefit of using ABAC policies is that access and usage control is centralized, dynamic and determined at runtime. The result is that a very small number of policies controls a wide array of information and documents.
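The following is an added illustration of the runtime evaluation described above, not code from NextLabs or any eDRM product. It models a small policy repository (export control, IP protection and SOX) that is kept separate from the documents, and a decision function that evaluates user attributes, document metadata and request context at the moment a document is opened. The attribute names, sample users, documents and the deny-overrides combining rule are all constructed for the example.

```python
"""Attribute-based rights evaluation for eDRM (illustrative example, not a product API)."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

ALL_RIGHTS: FrozenSet[str] = frozenset({"view", "edit", "print"})


@dataclass(frozen=True)
class Request:
    """What the policy engine looks at: who is asking, for which document, under which circumstances."""
    user: dict      # identity attributes pulled from HR/directory (constructed sample)
    document: dict  # metadata carried with, or looked up for, the protected document
    context: dict   # attributes of this particular access attempt (device, location, ...)


@dataclass(frozen=True)
class Policy:
    """A policy lives in the policy repository, not inside the document.

    applies_to decides, from document metadata alone, whether the policy governs
    a document at all; condition is then evaluated against user and context, and
    when it is not met, denied_rights are withheld.
    """
    name: str
    applies_to: Callable[[dict], bool]
    condition: Callable[[Request], bool]
    denied_rights: FrozenSet[str]


# Three policies cover every combination of tags; no per-document template is authored.
POLICIES: List[Policy] = [
    # Export control: ITAR-tagged documents open only for US persons accessing from the US.
    Policy(
        name="export-control",
        applies_to=lambda doc: "ITAR" in doc.get("tags", ()),
        condition=lambda r: r.user.get("citizenship") == "US" and r.context.get("geo") == "US",
        denied_rights=ALL_RIGHTS,
    ),
    # IP protection: project IP is readable only by people currently assigned to that project.
    Policy(
        name="ip-protection",
        applies_to=lambda doc: doc.get("classification") == "confidential-ip",
        condition=lambda r: r.document.get("project") in r.user.get("active_projects", ()),
        denied_rights=ALL_RIGHTS,
    ),
    # SOX: financial records may be viewed anywhere but edited or printed only from a managed device.
    Policy(
        name="sox-financial",
        applies_to=lambda doc: "SOX" in doc.get("tags", ()),
        condition=lambda r: r.context.get("device") == "company-managed",
        denied_rights=frozenset({"edit", "print"}),
    ),
]


def evaluate(policies: List[Policy], request: Request) -> Tuple[FrozenSet[str], List[str]]:
    """Return (rights granted, names of the policies that restricted them).

    Every policy whose applies_to matches the document is evaluated; a failed
    condition removes that policy's denied_rights. Deny overrides, so a document
    tagged both ITAR and SOX is governed by both rules at once. An empty result
    means the client must refuse to open the document.
    """
    rights = set(ALL_RIGHTS)
    restricted_by: List[str] = []
    for policy in policies:
        if not policy.applies_to(request.document):
            continue
        if not policy.condition(request):
            rights -= policy.denied_rights
            restricted_by.append(policy.name)
    return frozenset(rights), restricted_by


# Constructed sample data; identifiers and attribute values are made up for the demo.
DESIGN_DOC = {"id": "doc-1", "tags": ("ITAR",), "classification": "confidential-ip", "project": "falcon"}
LEDGER_DOC = {"id": "doc-2", "tags": ("SOX", "ITAR"), "classification": "internal"}

ENGINEER = {"id": "alice", "citizenship": "US", "active_projects": ("falcon",)}
CONTRACTOR = {"id": "bob", "citizenship": "DE", "active_projects": ("falcon",)}

OFFICE_LAPTOP = {"geo": "US", "device": "company-managed"}
PERSONAL_PHONE = {"geo": "US", "device": "personal"}


if __name__ == "__main__":
    # Same user, same document, different context: rights differ because they are computed at runtime.
    cases = [
        (ENGINEER, DESIGN_DOC, OFFICE_LAPTOP),
        (ENGINEER, LEDGER_DOC, OFFICE_LAPTOP),
        (ENGINEER, LEDGER_DOC, PERSONAL_PHONE),
        (CONTRACTOR, DESIGN_DOC, OFFICE_LAPTOP),
    ]
    for who, doc, ctx in cases:
        rights, why = evaluate(POLICIES, Request(who, doc, ctx))
        print(f"{who['id']} on {doc['id']} via {ctx['device']}: {sorted(rights) or 'cannot open'} {why}")
```

The point to notice is that the ledger document carries two tags and is therefore governed by two policies without anyone having written a combined "SOX plus ITAR" template, and that the engineer's rights on it change between the office laptop and the personal phone even though neither the user nor the document changed.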
To summarize, the use of attribute-based policies for eDRM provides significant advantages over the legacy approach, which embeds a single policy with fewer controls per document.