Aberdeen’s research findings show a renaissance in the deployment of enterprise rights management technologies, both current and planned in the near term.
A Renaissance in Enterprise Rights Management
Business Context: To Share, and to Protect
There are two types of risk related to enterprise data.
- The “rewarded” types of risk, which are about using enterprise data to enable the organization’s pursuit of innovation, strategic opportunities, collaboration and integration of business processes.
- The “unrewarded” types of risk, which are about protecting enterprise data from a host of threats, vulnerabilities and exploits, and complying with a complex array of requirements from regulators, business partners and customers.
Table 1 summarizes some high-level attributes of each type.
Enterprise data needs to flow freely to the users and business processes that need it, when and where they need it. And accordingly, data today is flowing more freely outside the traditional boundaries of the enterprise.
At the organizational level, Aberdeen’s 1Q 2015 study of more than 130 companies provides additional insights into the dynamics of the current context for accessing and using data throughout the extended enterprise, for example:
- Enterprise end-users do their work from a combination of traditional desktops, laptops, tablets and smartphones: on average, about 1.6 devices per user.
- On average, about 2% of traditional PCs and laptops are lost, stolen or unaccounted for before they reach the end of their natural replacement/refresh cycle – but for smartphones, the average is greater than 5%.
- In addition to the common occurrence of lost or stolen devices, 75% of respondents in Aberdeen’s study experienced one or more security-related incidents in the last 12 months – and only 25% of these were the result of the successful exploit of a vulnerability by a malicious, external attacker. Three times as many were the result of simple human error, or the well-intended actions of users who were just trying to get their jobs done.
It’s clear that enterprise data must be shared, but at the same time it needs to be protected. The fact that enterprise IT and security teams are focusing on both, as opposed to just one or the other, underscores the slow but steady shift in the perception of information security from that of being an obstacle, to one of being an enabler.
Six Strategies for Safeguarding Sensitive Data
Aberdeen’s research has consistently shown that to address the challenging task of simultaneously sharing and protecting their sensitive data, organizations have implemented a wide range of technical security controls – but a closer look reveals that even the most complex mix of technologies actually reflects just six basic strategies:
1. Do Nothing
• Not all data needs to be protected – which makes identifying and classifying enterprise data a foundational step in any enterprise security plan.
2. Protect and manage access to a centralized data store
• Enterprise data is commonly centralized in network file shares, enterprise content management systems, or web access management solutions, and access to this data is provided only to those users who are authenticated and authorized to do so.
3. Monitor data as it is being accessed and distributed
• One example of this strategy is the use of content monitoring and filtering technologies, such as data loss prevention and email / web security, to gain visibility into the data that is being accessed and distributed across the organization’s network.
4. Encrypt the data
• The use of encryption to protect the confidentiality and integrity of data is extremely common, in every place that enterprise data can be found: at rest in back-end systems, in motion on the network, and in use at a wide variety of endpoints.
5. Substitute non-data for data
• The easiest way to protect enterprise data is to take it out of the business process in the first place – by using technologies such as tokenization, format-preserving encryption or data masking.
6. Apply persistent controls to the data
• The persistence of controls is a key differentiator of enterprise rights management solutions. These solutions provide capabilities not only for confidentiality, integrity and access controls over enterprise data, but also for fine-grained control over actions which can subsequently be taken on the data – such as the ability to forward, print, cut-and-paste, or save a local copy.
Enterprise Rights Management, Then and Now
Compared to previous years, Aberdeen’s 1Q 2015 study showed a significant jump in current implementations of enterprise rights management, as well as strong indications for near-term deployments. In 2015, 33% of all respondents indicated current deployments; an additional 17% indicated plans to deploy enterprise rights management in the next 12 months. In 2008, 18% of all respondents indicated current deployments.
Table 2 sheds some additional light on how the capabilities of leading enterprise rights management solutions have also evolved to become significantly easier for companies to deploy and manage.
Enterprise rights management solutions can range from extensions to content management solutions to full-fledged rights management “platforms”, and solution providers can range from smaller specialists to multi-billion dollar firms.
Rights Management: How Persistence (Still) Pays Off
The benefits of successful enterprise rights management initiatives are not new – for example, in its August 2009 research brief on Enterprise Rights Management: Persistence Pays Off, Aberdeen described how, even then, these solutions were helping top performers to support an increased need for collaboration, while simultaneously safeguarding their sensitive data throughout the extended enterprise by using persistent controls.
- Enterprise data needs to flow freely to the users and business processes that need it, when and where they need it.
- Aberdeen’s research confirms that the traditional tensions between enabling the business on the one hand and managing risk and compliance on the other hand, are at play in what drives organizations to invest in protecting their sensitive data.
- To address the challenging task of simultaneously sharing and protecting their sensitive data, organizations have implemented a wide range of technical security controls.
- Compared to previous years, Aberdeen’s 1Q 2015 study showed a significant jump in current implementations of enterprise rights management, as well as strong indications for near-term growth in deployments.
- Why this change? In addition to the ample motivations provided by disruptive changes in IT and a rapidly changing business context, the capabilities of leading enterprise rights management solutions have also been transforming to become significantly easier for companies to deploy and manage.
- Aberdeen’s analysis of 31 organizations currently using enterprise rights management, compared with 64 organizations that are not, shows that all are after pretty much the same things out of their investments for the security of their enterprise data – but the use of enterprise rights management is correlated with significantly better outcomes.
Aberdeen Group has been an international research partner of Nebula since 2010. With thousands of research documents, growing daily, Aberdeen’s research library helps enterprises and service providers discover the priorities and strategies of best-in-class enterprises.