Content management vs. DRM

Digital rights management as applied in the enterprise is primarily another mechanism for control that enables and ensures compliance with laws, such as the Sarbanes-Oxley Act, by creating an audit trail of use and attempted use.

Over the last few years we’ve seen content-management systems (CMS) that focused pretty much exclusively, on Web content evolve to meet, sometimes embrace and occasionally supplant traditional document-management software.

Today, content management has become big business and is starting to become a true enterprise service. What does an enterprise CMS look like? Apart from all the usual features (workflow, versioning, media libraries and so on), it includes comprehensive user authentication and rights enforcement.

You might be saying, “Surely, what you are proposing, nay, extolling, sounds like digital rights management, which I clearly recollect you dissed only a few weeks ago.”

Indeed, young Jedi, I was somewhat disparaging and did refer to DRM as digital rights restriction.

But the difference lies in the intention. DRM as desired by the Recording Industry Association of America and the Motion Pictures Association of America, assumes that you can control how users work with content. This is despite the screamingly obvious fact that without special hardware to make DRM solutions truly robust, any kid with half a clue can make sure the best-laid plans of mice and marketers “gang aft agley” (Scottish for “go really wrong”).

These could be described as the worst-laid plans, or plans that even mice would not lay.

DRM as applied in the enterprise is a very different beast. It is primarily another mechanism for control that enables and ensures compliance with laws, such as the Sarbanes-Oxley Act, by creating an audit trail of use and attempted use.

I had a chat with the very pleasant folks at SealedMedia about the company’s SealedMedia Express product, which makes sure content is distributed only to those who are authorized as recipients and puts constraints on its use.

And, no, a user can’t use screen grabbing to acquire the data. The most a miscreant could do would be to photograph the screen with a camera. You can’t stop anyone who is hellbent on violating the confidentiality of your documents. The true value of DRM is to enable accountability and auditability; that matters more than any other functions that DRM can provide.

What got me thinking about this was a recent story in Network World about a Government Accountability Office report last year that cited 51 weaknesses at the Securities and Exchange Commission (SEC). Since then, the SEC has corrected or mitigated only eight of them, and 15 new vulnerabilities have been discovered.

The biggest failures were in, you guessed it, a lack of adequate controls over passwords, a failure to implement auditing and monitoring mechanisms “to detect and track security incidents,” and a lack of user-access controls.

What amazes me is that products are out there and tested in enterprise-scale organizations. There is simply no excuse for not having addressed the problem.

The truly surprising thing is that in the post 9/11 world, with such a huge amount of lip service paid to national security, we have the ludicrous spectacle of a key government financial institution with a critical economic role having document security that wouldn’t be tolerated in even the smallest commercial financial operation.

Why is no one being held accountable? Why in the ranks of shrill posturing politicians is there no one willing to go to bat over this? (Then again, even though Sony BMG compromised thousands of government networks with its DRM systems, no heads rolled.)

These organizations and the public don’t seem to care enough to do anything. That is until some kind of IT Pearl Harbor happens to some public institution.

Of course, such an event may have already occurred. If they don’t care enough to fix the problem, would they care enough to ‘fess up when their worst-laid plans have gang aft agley?

Cries of outrage to Gibbsblog or sound off to backspin@gibbs.com.