ERM: The forgotten data security space

With information technology, you can look at problems and solutions in lots of different ways. For end users and academics, this can lead to a lot of experimentation, skunk works projects, and trial-and-error. But that is not the case when it comes to technology vendors. Start-ups also see lots of ways to solve problems, but they are bound by business plans, directors, and funding to pick their battles and build focused solutions. Some make the right choice and get lucky, some don't.

As an example, I offer two different solution types for data security: Data Loss Prevention (DLP) and Enterprise Rights Management (ERM). These two segments are focused on protecting confidential and private data but each took a bit of a different approach. At a high level, DLP solutions sort of assume that you don't know where your confidential data is or what people are doing with it so you need some way to prevent bad things from happening. Alternatively, ERM assumes that you do know where the data is and what people should be doing with it so you need automated tools for policy enforcement.

ERM, as an adjunct to DLP or as a standalone security suite, will ultimately benefit users and investors alike.

These two related product segments have had vastly different fortunes. DLP became the toast of the town with a number of visible acquisitions. Port Authority was scooped up by Websense, EMC grabbed Tablus, and Symantec purchased Vontu. Others like Orchestria and Vericept continue to do well as independent companies. ERM players didn't fair quite as well, however. Companies like Authentica and Sealed Media were purchased at discounted prices while others simply shut their doors.

DLP initially proved to be a better financial bet, but ultimately there are a few ironies in this victory:

Ironic point No. 1: DLP vendors are now adding ERM-like functionality like data usage policy enforcement into their products. I guess this means that as users get a better understanding about their data and how people use it, they realize that they need better ways to control these activities.

Ironic point No. 2: ERM vendors like Adobe Systems, Liquid Machines, and Microsoft that were able to ride out the market storm are now in high demand. Users finally recognize the value here.

Like comedy, timing is everything when it comes to technology start-ups. Believe me, I learned this lesson first-hand. The DLP guys found a goldmine while ERM companies faded away. What's old is new again, however. ERM, as an adjunct to DLP or as a standalone security suite, will ultimately benefit users and investors alike.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group.

I've been involved in encryption ad ERM for many years now and can concur with your analysis entirely, that the time is now for ERM. As our home and working life opens up into the Cloud the need for information control becomes even more prevalent and how to do this in a seamless and effective manner is the next step for ERM and access control technologies.
On this note, our company have made headroads with this and as an example recently have been involved in helping an educational service provider to prevent the risk of cyberpredation on student records - the full press release can be found here http://www.prweb.com/releases/2008/07/prweb1103824.htm
Susan Morrow

[SimonThorpe]

Jon, very insightful comments. I agree that ERM, actually what we usually call IRM, is now suddenly seeing a big increase in interest from many markets and industries as the persistant examples of data loss leak into the global media.

I've responded in a bit more detail on my blog, http://blogs.oracle.com/irm/

[SimonThorpe]

Actually here is a link directly to the article on my blog.

http://blogs.oracle.com/irm/2008/07/response_to_jon_oltsik_on_erm.html