Over the last few years, we’ve seen content-management systems (CMS) that once focused pretty much exclusively on web content evolve to meet, embrace and occasionally supplant traditional document management software.
Today, content management has become big business and is starting to become a true enterprise service. What does an enterprise CMS look like? Apart from all the usual features (workflow, versioning, media libraries and so on), it includes comprehensive user authentication and rights enforcement.
You might be thinking it’s starting to sound like digital rights management (DRM).
The difference between CMS and DRM lies in the intention. DRM, as desired by the Recording Industry Association of America and the Motion Picture Association of America, assumes that you can control how users work with content. This is despite the screamingly obvious fact that, without special hardware to make DRM solutions truly robust, any kid with half a clue can make sure the best-laid plans of mice and marketers gang aft agley (Scottish for “go really wrong”).
These could be described as the worst-laid plans — or plans that even mice would not lay.
DRM as applied in the enterprise is a very different beast. It is primarily another mechanism for control that enables, and ensures, compliance with laws such as the Sarbanes-Oxley Act, by creating an audit trail of use and attempted use.
I had a chat with the very pleasant folks at SealedMedia about the company’s SealedMedia Express product, which makes sure content is distributed only to those who are authorised as recipients and puts constraints on its use.
And, no, a user can’t use screen grabbing to acquire the data. The most a miscreant could do would be to photograph the screen with a camera. You can’t stop anyone who is hell-bent on violating the confidentiality of your documents. The true value of DRM is to enable accountability and auditability — that matters more than any other functions that DRM can provide.
What got me thinking about this was a recent story in Network World about a US Government Accountability Office report last year that cited 51 weaknesses at the Securities and Exchange Commission (SEC). Since then, the SEC has corrected or mitigated only eight of them, and 15 new vulnerabilities have been discovered.
The biggest failures were in, you guessed it, a lack of adequate controls over passwords, a failure to implement auditing and monitoring mechanisms “to detect and track security incidents”, and a lack of user-access controls.
What amazes me is that products are out there and have been tested in enterprise-scale organisations. There is simply no excuse for not having addressed the problem.
The truly surprising thing is that in the post-9/11 world, with such a huge amount of lip service paid to national security in the US, there is the ludicrous spectacle of a key government financial institution, with a critical economic role, having document security that wouldn’t be tolerated in even the smallest commercial financial operation.
Why is no one being held accountable? Why in the ranks of shrill posturing politicians is there no one willing to go in to bat over this? (Then again, even though Sony BMG compromised thousands of government networks with its DRM systems, no heads rolled.)
These organisations, and the public, don’t seem to care enough to do anything. That is, until some kind of IT Pearl Harbour happens to some public institution.
Of course, such an event may have already occurred. If they don’t care enough to fix the problem, would they care enough to ’fess up when their worst-laid plans have gang aft agley?