Andrew Jaquith

A few days ago, my colleague Chris McClean asked the excellent question, "Is Risk Management Compatible with ERM?" I saw the headline come across my RSS reader and I thought, "Cool! I'd love to read what Chris thinks about enterprise rights management," a technology that I cover as part of my data security coverage. I'd advise you to read his post, which is excellent.

As you may know from Chris' post, the ERM Chris was referring to was actually Enterprise Risk Management, a way of estimating and managing security risks — not Enterprise Rights Management. All of which led me to wonder, should we rename the data security category I was thinking of? I concluded that we should.

Enterprise rights management, loosely defined, refers to products that allow enterprises to enforce confidentiality and need-to-know restrictions on documents. Sample products in this category include Microsoft's Rights Management Services (RMS), Liquid Machines ERM, and Adobe LiveCycle. Most of these products use the acronym ERM explicitly in their marketing materials. Needless to say, it has nothing to do with enterprise risk management. Ah, the difference four letters makes!

Here's the thing, though. The reason "my" ERM is called ERM is to distinguish it from digital rights management (DRM), a largely discredited technology used to enforce publishers' rights on consumer music and video files. The upscaling of DRM to ERM, to me, is a little silly. The acronym arose from the desire to take an arguably confusing three-letter acronym (TLA) and adapt it to enterprise use, with the result being an even more confusing TLA. And it raises questions. Whose "rights" are being enforced? The "enterprise's," sure, but what does that mean? The issue here is much closer to a privileges, entitlements, and authorization issue, not "rights." Nobody will call the lawyers because someone's "enterprise rights" were violated. Surely we can apply a little more precision to the term we use to describe technologies meant to enforce access rights on documents?

And what do you know? The authors of the Orange Book have already got a term that approximates what this whole area is: labeling. The Orange Book dates from the early 1980s and is formally known as the US Department of Defense's Trusted Computer System Evaluation Criteria. The data labeling term is also used in the Common Criteria. It's a standard term in government and intelligence circles, but not seen as often in the commercial sphere.

Here's what the Orange Book says about data labeling: "Access control labels must be associated with objects. In order to control access to information stored in a computer, according to the rules of a mandatory security policy, it must be possible to mark every object with a label that reliably identifies the object's sensitivity level (e.g., classification), and/or the modes of access accorded those subjects who may potentially access the object." Sounds just like what ERM is doing, no?
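To make the quoted definition concrete, here is an added example (not code from the original post or from any of the products named above) of a label check in the Orange Book sense: each object carries a sensitivity level plus need-to-know compartments and the access modes accorded to named subjects, and a mandatory check runs before the per-subject mode check. The classification ladder, compartment names and subjects are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed classification ladder; only the ordering matters.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Sensitivity:
    """Sensitivity level plus need-to-know compartments (a lattice element)."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # A dominates B when A's level is at least B's and A's compartments
        # include all of B's: the standard lattice ordering used by MAC policies.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class Label:
    """Object label: sensitivity plus, per subject, the modes accorded to it."""
    sensitivity: Sensitivity
    modes: dict = field(default_factory=dict)   # subject name -> set of modes


def allowed(subject, clearance, label, mode):
    """Return (decision, reason) for `subject`, holding `clearance`, asking for
    `mode` ("read" or "write") on an object that carries `label`."""
    # Mandatory part, evaluated first: reads may not go up, writes may not
    # go down (the Bell-LaPadula simple-security and *-properties).
    if mode == "read" and not clearance.dominates(label.sensitivity):
        return False, "clearance does not dominate object sensitivity"
    if mode == "write" and not label.sensitivity.dominates(clearance):
        return False, "write would move data to a lower sensitivity"
    # Discretionary part: the label must accord this mode to this subject.
    if mode not in label.modes.get(subject, set()):
        return False, f"label does not accord {mode} to {subject}"
    return True, "allowed"


# Constructed sample: a SECRET document in the "finance" compartment.
CONTRACT = Label(Sensitivity("SECRET", frozenset({"finance"})),
                 modes={"alice": {"read", "write"}, "bob": {"read"}})
ALICE = Sensitivity("TOP SECRET", frozenset({"finance", "legal"}))
BOB = Sensitivity("SECRET", frozenset())               # cleared, but no need-to-know
CAROL = Sensitivity("SECRET", frozenset({"finance"}))  # cleared, but not on the label

if __name__ == "__main__":
    for who, clr, mode in [("alice", ALICE, "read"), ("alice", ALICE, "write"),
                           ("bob", BOB, "read"), ("carol", CAROL, "read")]:
        print(who, mode, allowed(who, clr, CONTRACT, mode))
```

Note that Alice, the most highly cleared subject, is refused the write even though the label accords it to her: the mandatory part of the policy forbids moving data down the lattice regardless of any per-subject grant.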

So, here's what Forrester will do in our future coverage. The ERM (enterprise rights management) acronym will vanish, except as a "bridge" term to jog memories. In the future, we will practice "truth in labeling" and call this ERM thing data labeling.

I will continue to read Chris' blog posts, of course, and I hope you will too. Best of all, he'll have the ERM TLA all to himself!
[posted by Andrew Jaquith]