IT, security, compliance, and risk management leaders need a reference of terms, acronyms, and key people in the enterprise digital rights management (EDRM) domain. Some terms may be confusing since different companies use different terms for the same thing.
This Enterprise DRM Glossary will be updated regularly and provides clarity for leaders and practitioners. The EDRM glossary draws on various sources, including books, periodicals, websites, subject matter experts, and Enterprise DRM users.
We welcome your feedback and suggestions of terms to include. Contact us at info@fasoo.com.
CAD Security
Centralized Policy Management
Data-centric Security
Data Loss Prevention (DLP)
Digital Rights Management (DRM)
Encryption
Enterprise Digital Rights Management (Enterprise DRM, EDRM)
Information Rights Management (IRM)
Insider Threat
Intellectual Property Theft (IP Theft)
Microsoft Azure Information Protection (AIP)
Microsoft Purview Information Protection
PDF Security
Permission
Personally Identifiable Information (PII)
Print Protection
Provisional Permission
Secure File Sharing
Secure Print
Unstructured Data
Zero Trust Document Protection
CAD Security
CAD security, also referred to as CAD file security or CAD protection, describes the methods, means, and measures available to protect specifically Computer-Aided Design (CAD) / Computer-Aided Manufacturing (CAM) / Computer-Aided Engineering (CAE) tools and documents against unauthorized access and use.
CAD files, such as 3D CAD drawings, are unstructured data. Manufacturing companies and design engineering firms looking to protect CAD files face particular challenges. The primary reasons are:
- the wide range of niche applications and file formats not covered by information rights management solutions for common office document formats (example: Microsoft AIP),
- the weakness of traditional CAD file password protection,
- the lack of end-to-end encryption and loss of oversight and control in many organizations when sharing CAD files by email or in the cloud.
Examples are the automotive industry and the mobility sector in general, where CAD files often contain a company’s most valuable know-how. CAD file protection gaps at the endpoint and remote work risks were exacerbated during the coronavirus pandemic. They contributed to an increase in IP theft by insiders and data exfiltration by external threat actors.
In response, manufacturers are adopting Enterprise Digital Rights Management – Enterprise DRM – to ensure end-to-end CAD file protection and centralized policy management and control beyond the company’s IT perimeter. This approach is based on a data-centric security model. Solutions such as Fasoo Enterprise DRM ensure CAD file security at rest, in transit, and in use. Derivatives, for example, 3D models excerpted as PDF files, automatically inherit the file security of the enterprise DRM-protected CAD file, which can include secure print protection.
Source: Enterprise DRM Glossary. Reference: How to Protect CAD FIles and Workflows Against IP Theft (Fasoo Blog)
Centralized Policy Management
A centralized security policy simplifies managing permissions on documents and ensures a consistent policy across an organization. The policy is persistent yet flexible and allows the organization to manage security rather than relying on individuals to make security decisions. Compare this to the built-in PDF password protection feature provided by Adobe.
From the organizational perspective, the latter means putting the document’s fate into the hands of its creator. The business relinquishes control to individual users. When they leave, the company is forced to dedicate valuable resources to special recovery efforts, or even loses access completely. It also forces users to become security experts.
In comparison, the advantage of the centralized policy management provided by Fasoo Enterprise DRM is that the organization always maintains control over its documents and what happens with them, wherever they go. This includes changing policies for a user or group at any time, regardless of where the document resides.
Users can be granted the right to maintain complete control over their documents, in those situations where it’s warranted. This provides a layered approach giving users and groups autonomy for certain documents while maintaining centralized control of the organization.
For example, a Finance user creates a document and it is encrypted upon saving it. All users in the Finance group automatically have access to the document. The user decides she needs Legal to review the document, so she can manually grant them access. If the user leaves the company or moves to another department, the document is still accessible by Finance and Legal. The organization maintains control.
For solutions without centralized control options, like Microsoft AIP, it is difficult to implement and change security policies with many users and constantly changing roles. The considerable burden of keeping up-to-date and in sync with the needs of departments or business units often falls on the individual creator of the document.
Data-centric Security
The data-centric security model aims to enhance information protection regardless of where the data resides or with whom it is shared. It is considered a core part of a Zero Trust approach to information security. Data-centric security is independent of networks, servers, locations, and devices and marks a departure from the traditional “device-centric” or location-centric security model.
Enterprise DRM applies the data-centric security model by taking a file-centric approach to secure unstructured data, such as MS Office documents, CAD/CAE files, PDF, plain text, and other digital media file types. This approach means that, in contrast to other methods, persistent encryption and Identity and Access Management (IAM) are tied to and travel with the file.
Data-centric security management requires organizations to know what data they have and its security and privacy requirements. To make data-centric protection of unstructured data feasible at scale, they have to rely on standardized mechanisms to catalog and categorize data. Fasoo Enterprise DRM, for example, applies file-centric protection based on data classification tags to
- Encrypt the file contents: If exfiltrated, the sensitive data is obfuscated and is of no value to threat actors;
- Limit file access to authorized users only: Users can be individuals, departments, business units, or defined by role or title.
Historically, organizations adopted file-centric solutions for specific use cases. Modern solutions take advantage of the latest in software tools like RESTful APIs and open operating system standards to work transparently across the enterprise. Centralized policy management ensures IT and data owners can grant access and apply protection consistently across all networks, devices, endpoints, and cloud services.
Source: Enterprise DRM Glossary. Reference: Data-centric security is key to resiliency, cyber risk report says (VentureBeat), Protect-first Approach to Data-centric Security (Fasoo Brief), Data-centric Security (Fasoo Archive)
Data Loss Prevention (DLP)
Data Loss Prevention (DLP) describes tools and methods to prevent sensitive data, such as Personally Identifiable Information (PII) or business-critical intellectual property, from leaving an organization without proper authorization.
To that effect, DLP software categorizes documents and emails and analyzes user behavior to restrict the transfer of data. The underlying rules and filters have to be maintained and adjusted by IT in coordination with other stakeholders to minimize workflow interruptions.
Organizations can apply DLP only to their internal data flow. Other than Enterprise DRM, it does not protect confidential information once data has been intentionally or unintentionally exfiltrated. A typical example is an email mistakenly sent to the wrong address. Like antivirus software or web filters, DLP components have become a staple of information security in the enterprise. As part of the point solutions mix, they often complement particular applications or tools, such as cloud security services or Microsoft AIP.
Larger organizations frequently leverage DLP to ensure compliance with data protection regulations such as GDPR, CCPA, or HIPAA. Critics blame DLP for creating a false sense of security and point to its blindspots (USB drives, SaaS file-sharing applications, enterprise messaging apps) and its focus on internal file downloads and sharing.
Source: Enterprise DRM Glossary. Reference: DRM and DLP: Comparison Made Simple (Fasoo Blog), Data Loss Prevention (NIST Computer Security Resource Center Glossary)
Digital Rights Management (DRM)
Digital Rights Management (DRM) describes the tools, systems, and data-centric process used to automatically encrypt files and control file access privileges dynamically of unstructured data at rest, in use, and in motion. In the consumer space, DRM aims to control the use, modification, and distribution of copyrighted material, such as computer software and multimedia files.
In business, Enterprise DRM ensures data-centric document protection inside and outside the IT perimeter and along an organization’s supply chain to protect sensitive information against theft or misuse by insiders and unauthorized access from the outside.
Source: Enterprise DRM Glossary. Reference: What is Digital Rights Management? (Fortinet Cyber Glossary)
Encryption
The term encryption describes the cryptographic transformation of data into a form that conceals its original content to prevent it from being known or used. Decoding the encoded information requires the correct key.
Enterprise DRM provides an additional layer of security through its data-centric combination of encryption and access control. Fasoo Enterprise DRM, for example, encrypts files containing sensitive unstructured data and limits access to the encrypted file to authorized users only within their given permissions. This approach helps organizations minimize and mitigate risks such as data leaks, insider threats, and advanced persistent threats (APT).
Fasoo EDRM encrypts files using a Packager. DRM-enabled documents cannot be opened without a DRM Client, which requests a “license” from the DRM Server. The DRM Server issues that license according to the security policy for the user and the document, which can be applied and flexibly adjusted using centralized policy management and exception handling. The DRM Client then decrypts the DRM-enabled document and sends the data to a rendering application, such as Microsoft Word, a PDF reader, or a CAD engineering tool.
Document encryption with Fasoo is based on FIPS 140-2 validated cryptographic modules that meet the requirements of the Cryptographic Module Validation Program (CMVP) run by the United States National Institute of Standards and Technology (NIST). Fasoo uses AES 256-bit encryption which is a symmetric key encryption using block ciphers. This is the same encryption the National Security Agency (NSA) and banks use to protect sensitive data. Using FIPS-validated modules means it delivers the encryption strength required for organizations that are part of or do business with the U.S. federal government.
Source: Enterprise DRM Glossary. Reference: To Encrypt or Not to Encrypt (Fasoo Blog), Encryption (Fasoo Archive)
Enterprise Digital Rights Management (Enterprise DRM, EDRM)
Enterprise Digital Right Management (EDRM)enables organizations to persistently protect, control and track sensitive documents at rest, in transit, and in use. Also referred to as Information Rights Management (IRM), this data-centric protection applies to any device throughout the entire document lifecycle.
By encrypting files and leveraging granular controls through centralized policy management, Enterprise DRM allows organizations to limit viewing, editing, printing, and sharing of sensitive content with unauthorized users within and outside the organization’s IT perimeter.
Historically, the challenges associated with persistent policy enforcement account for the reputation of many enterprise DRM solutions being complex to deploy. This perception has changed, and industry observers agree.
According to Gartner analysts, enterprise DRM now “is one of the only mechanisms for retaining control of unstructured data transferred to business partners in secure collaboration scenarios.”
Industry observers credit Fasoo Enterprise DRM with driving much of this development. Its flagship installation spans over 170,000 internal users and over 700,000 total users of affiliates and partners worldwide.
Source: Enterprise DRM Glossary. Reference: Fasoo Enterprise DRM Whitepaper
Information Rights Management (IRM)
See Enterprise DRM
Insider Threat
An insider threat is defined as the potential for a person with authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the organization’s integrity, confidentiality, and availability, its data, personnel, or facilities.
Insider threats, such as IP theft by employees or contractors, are among the main risks to be considered when securing sensitive information in the form of unstructured data, such as office documents, PDFs, or CAD files. According to a 2020 survey conducted by the Ponemon Institute (PDF) and sponsored by ObserveIT and Proofpoint, 60% of polled organizations worldwide encountered more than 30 insider-related incidents per year involving digital assets.
The National Insider Threat Awareness Month library at the Center for the Development of Security Excellence offers guides, real-world case studies, videos, and web-based games to help organizations detect, deter, and mitigate insider threats.
Source: Enterprise DRM Glossary. Reference: IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat (Fasoo Blog), Insider Threat Report (Fasoo Resources)
Intellectual Property Theft (IP Theft)
The term Intellectual Property Theft (IP Theft) describes the act of stealing ideas, creative expressions, inventions, or trade secrets – collectively known as Intellectual Property (IP) – from the person or company who owns them. IP theft is against the law. Patent, copyright, and trademark laws, among others, aim to protect intellectual property owners.
In the digital sphere, most intellectual property exists in the form of unstructured data. Movies, music, and computer software all can be targets of IP theft, as can confidential office documents (example: pricing discounts), PDF files (example: employee W-2 forms), images (example: product concept studies), or CAD templates (example: digital blueprints of manufacturing designs).
Who is committing IP theft? According to experts, insiders – i.e. (former) employees, contractors, or supply chain partners – are behind most IP theft cases. Many perpetrators knowingly or unknowingly play into the hands of people outside their organization, such as agents for a foreign power or corporate spies hired by a competitor.
Western counterintelligence professionals attribute the rise of IP theft in the U.S. and the European Union mainly to China. Its Thousand Talents Plan, conceived by the Chinese Communist Party, drives the recruitment of engineers and scientists in the US and the EU as part of a state-sponsored IP theft campaign on a global scale.
In more than 50% of documented IP theft cases, the perpetrators were employees who quit and took proprietary information with them because nothing stopped them. This risk has significantly increased with the shift to remote work caused by the COVID-19 pandemic.
How can companies prevent IP theft? Increasingly, larger organizations deploy Enterprise Digital Rights Management (EDRM) to secure documents and eliminate opportunities for IP theft across the enterprise and along its supply chain. Information security experts see EDRM as uniquely positioned for preventing IP theft respectively further damage, in cases where protected files may have been exfiltrated.
Information security professionals describe mainly three reasons for Enterprise DRM’s effectiveness in protecting large organizations against IP theft:
- EDRM combines access control with data-centric security that protects files at rest, in use, and in transit. This device-agnostic protection applies inside and outside the organization’s IT perimeter from the point of creation throughout the document lifecycle.
- Centralized policy management and flexible exception handling enable IT and document owners to eliminate IP theft blindspots. It also lets them quickly adapt document use policies to meet the demands of dynamically changing environments, such as remote work scenarios (see also: Secure Print). Fasoo Enterprise DRM is an example. It empowers organizations to maintain granular control over sensitive data even if that information is shared – intentionally or mistakenly – outside the organization.
- EDRM delivers comprehensive document security at scale, encompassing the broad spectrum of document formats and applications common in globally operating organizations. Fasoo Enterprise DRM, for example, supports more than 230 file formats, including a wide range of PDF and CAD types.
In the fight against IP theft, the capabilities listed above put designated EDRM solutions like Fasoo Enterprise DRM at a distinct advantage. Point solutions developed to protect primarily one document software ecosystem and a limited number of 3rd-party file formats (example: Microsoft AIP) cannot provide the same coverage.
Source: Enterprise DRM Glossary. Reference: IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat (Fasoo Blog); What’s the Biggest Challenge Manufacturing Companies Face in Their Fight Against IP Theft? (Fasoo Blog)
Microsoft Azure Information Protection (AIP)
Azure Information Protection (currently known as Purview Information Protection) is a data protection solution developed by Microsoft. It lets organizations discover, classify, and protect documents and emails. AIP was designed primarily to protect the document ecosystem of Microsoft Office and a limited number of third-party file formats. It focuses on end users or data owners making all security decisions on documents rather than allowing a centralized approach to security.
See Microsoft Purview Information Protection for current information.
Source: Enterprise DRM Glossary. Reference: FAQ: Five Top Questions About Fasoo Enterprise DRM vs. Microsoft AIP, What is Azure Information Protection? (Microsoft)
Microsoft Purview Information Protection
Purview Information Protection (formerly known as Azure Information Protection and Microsoft Information Protection) is a data protection solution developed by Microsoft. It is part of the larger Microsoft Purview suite of tools that lets organizations discover, classify, and protect documents and emails. It was designed primarily to protect the document ecosystem of Microsoft Office and a limited number of third-party file formats. It focuses on end users or data owners making all security decisions on documents rather than allowing a centralized approach to security.
Source: Enterprise DRM Glossary. Reference: How does Fasoo Enterprise DRM (EDRM) compare to Microsoft Purview Information Protection? (Microsoft)
PDF Security
Many cybersecurity professionals consider PDF security an oxymoron because of the weaknesses of the password protection and encryption of Adobe’s platform-independent file format.
Depending on the use case, adequate PDF document protection can require a combination of various 3rd-party tools and methods. Examples are PDF password protection, encryption, on-screen protection, secure print, PDF sanitization, PDF usage monitoring.
In large organizations, the number of PDF files and versions to be secured adds to the challenge. IT can overcome this challenge with Enterprise DRM, which provides an additional layer of PDF protection.
One example is Fasoo Enterprise DRM, which integrates the most powerful PDF protection mechanisms. It supports more than 230 file formats and ensures that sensitive PDF files are protected at rest, in use, and in transit.
Source: Enterprise DRM Glossary. Reference: Document Protection: How to Secure a PDF? (Fasoo Blog)
Permission
Permissions are required to perform a particular action, such as View, Edit, and Print, on a document secured with Enterprise DRM. A user can only perform an action on a secured document when granted the proper permission, either as set via centralized policy management, a data owner granting specific permission or upon requesting provisional permission.
Source: Enterprise DRM Glossary. Reference: World’s Steel Manufacturing Leader Adopts Fasoo Enterprise DRM (Fasoo Sucess Stories)
Personally Identifiable Information (PII)
Personally Identifiable Information (PII) is defined as any data that permits the identification, by either direct or indirect means, of an individual to whom the information applies.
PII can directly identify a person (examples are name, address, phone number, social security number, any other ID number or code, and email address) or allow indirect identification in conjunction with other data elements. Such elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.
PII is often maintained in the form of unstructured data, i.e., in Microsoft Office documents, PDF files (example: W-2 records), or computer printouts. Files containing PII are best protected by encrypting them at the point of creation. Adequate protection covers the document lifecycle in its entirety and includes provisions for data transfers to other media, i.e., screen photos or print.
Source: Enterprise DRM Glossary. Reference: What is Personally Identifiable Information? (Department of Homeland Security), What Unstructured Data is Sensitive? (Fasoo Brief), PII Data Breach Archives (Fasoo Blog)
Print Protection
see Secure Print
Provisional Permission
When a user does not have permission for a specific action in a document secured with Enterprise DRM, the user can request temporary permission or exemption to the current security policy. If approved by the administrator or document owner, the user can perform that action with the given provisional permission for a time period defined by the policy.
Source: Enterprise DRM Glossary. Reference: Fasoo Enterprise DRM White Paper (Fasoo)
Secure File Sharing
Secure file sharing (also referred to as secure file exchange) describes the process of making unstructured data available to other authorized users while preventing access by others who lack proper authorization. In business environments, secure file sharing with Enterprise DRM enables individual users to transfer Microsoft Office documents, audio or video files, images, PDFs, or CAD drawings, for example, within or outside their organization, without exposing sensitive information to data theft or manipulation by unauthorized parties.
Modern digital rights management solutions enable secure file exchange based on a data-centric security model. This approach overcomes the weaknesses and limitations of traditional device-based security or file password protection (see also: PDF Security and CAD Security). It also surpasses the protection provided by file-sharing tools such as Box, Dropbox, or OneDrive, which offer encryption in the cloud and in transit, but fall short once a document reaches the recipient. Fasoo Enterprise DRM, for example, automatically encrypts each file at the point of creation and applies access policies that are centrally managed.
Files secured with Enterprise DRM remain protected no matter where they go. This way, the data owner remains in control of if and how a shared file can be accessed, regardless of its location. The protection is device-agnostic and travels with the file. Users can securely share files without risking protection gaps on portable storage media, cloud storage services, home office printers, or when documents are sent as email attachments, for example.
Source: Enterprise DRM Glossary. Reference: Data-centric Security (Fasoo Blog Archive)
Secure Print (Secure Printing)
Secure print capabilities that enable the prevention and detection of document leaks or exfiltration via print output. In Enterprise DRM, policy-based print protection lets data owners centrally set and manage print rules for printing on-premises or remotely and watermark unauthorized printouts.
Fasoo Enterprise DRM, for example, takes a printer-agnostic approach to secure printing. This approach eliminates problems with using different printers or print drivers. Here’s how it works:
The basic print permission setting is part of the Fasoo-encrypted document. In addition, Fasoo’s secure printing component – a.k.a. Fasoo Smart Print – lets organizations apply print protection policies on various levels for plain and EDRM-secured documents alike.
Source: Enterprise DRM Glossary. Reference: Document Security: What Is Secure Print? (Fasoo Blog)
Unstructured Data
85% of today’s digitally stored information consists of unstructured data, which means it lacks a pre-defined data model or internal data organization. Examples include office documents, CAD/CAE files, PDFs, emails, videos, blogs, customer support chat logs, and social media.
Structured data, by comparison, is defined as data that is easily grouped, processed, and analyzed by rows and columns in relational databases. It only accounts for 15% of today’s information.
Unstructured data poses numerous security and regulatory compliance challenges. They are not addressed by the traditional network, device, and application cybersecurity and risk management approaches. This coverage gap is the reason why storing and sharing sensitive information in free-form documents creates numerous opportunities for leakage or exfiltration of proprietary or otherwise sensitive data.
Confidential files containing intellectual property, PII, or printouts of HIPAA-protected personal health information (PHI) are three examples of unstructured data potentially at risk of unauthorized access due to negligent or malicious insider behavior or cyber-attacks.
Sensitive unstructured data falls into two broad categories: regulated or unregulated. The adequate protection of regulated unstructured data is required by law (examples: GDPR, CCPA). Unregulated data includes both business-sensitive and publicly known information. Determining what content requires protection is left to the discretion of the business that owns, stores, or processes it.
Source: Enterprise DRM Glossary. Reference: What Is Unstructured Data And Why Is It So Important to Businesses? An Easy Explanation for Anyone (Forbes Enterprise Tech); Structured vs. Unstructured Data (Datamation); What Unstructured Data is Sensitive? (Fasoo)
Zero Trust Document Protection
Zero Trust document protection describes minimizing uncertainties in enforcing accurate access decisions regarding unstructured data. It delineates the shift from a device and location-centric security model to a predominantly data-centric approach.
The goal is to prevent unauthorized access to files containing confidential data by making access control enforcement as granular as possible. The Zero Trust approach requires fine-grained security controls between users, systems, data, and assets. Enterprise DRM is considered a cornerstone of any viable Zero Trust document protection strategy, according to document security experts. They point to its data-centric security model, strong encryption, and tight integration with all leading identity and access management systems.
The Zero Trust approach achieved official cybersecurity policy status with the 2021 Executive Order on Improving the Nation’s Cybersecurity issued by the Biden administration. While the directive primarily aimed to move federal agencies to secure cloud services and a zero-trust architecture, it since has sent ripple effects through the private sector.
Source: Enterprise DRM Glossary. Reference: “5 data protection tips for maintaining trust in the Zero Trust era,” in Financial Services: How to Boost Your Remote Work Surveillance; 3 Top Document Protection Takeaways from the May 2021 Executive Order on Cybersecurity (Fasoo Blog)
*
