Access control using authentication and authorization works well for limiting how people use digital resources in a controlled environment, such as the corporate network. But traditional access control schemes do not work as well when the people or resources are outside of the organization's direct control.
Documents released under non-disclosure agreements illustrate this problem. Once the document has been released to someone outside your organization, that person could make unlimited copies, send the document to your competitor, and so on. Encrypting or password protecting the document does little to deter this unwanted behavior, because the person receiving the document must unlock it to use it. The authorization schemes we've discussed don't address the problem either, because access control depends on a trusted environment. Absent another solution, we're left with trust and legal remedies.
Digital rights management (DRM) is an attempt to address these problems. Rather than merely controlling the actions that an entity can perform on digital resources, DRM provides mechanisms for controlling the particular uses to which a digital resource can be put. This is a tough problem, and as we'll see, good solutions are sufficiently draconian that they impose a significant burden on users and have raised the ire of digital rights activists.
Digital leakage is the loss, whether intentional or inadvertent, of confidential data in digital form. The loss might take the form of a trade secret sent to a competitor, the premature release of financial data to an analyst or market, or the leak of embarrassing information to the media. Digital leakage occurs from seven primary sources:
Employees sometimes steal valuable confidential information for personal use or to sell.
Confidential information is sometimes accidentally distributed. This can happen when an email containing confidential data is addressed to the wrong person.
Computer theft and hacking results in the release of confidential data despite the best efforts of computer security professionals.
Employees, partners, and customers often do not understand the real value of information that your organization has shared with them and do not adequately protect it.
Changing alliances result when relationships between the organization and employees, partners, and customers end, leaving these entities in possession of information to which they are no longer entitled.
Lost or stolen devices can result in the loss of information more valuable than the device itself. Often, companies sell used computers that contain confidential data.
Disgruntled employees and others may maliciously redistribute or otherwise release confidential information.
Digital leakage is costly. A survey published by PricewaterhouseCoopers and the American Society for in Industrial Security[*] in 1999 found that on average, large organizations lost confidential or proprietary information 2.45 times in a year and each incident cost an average of $500,000. The survey estimated that the cost of digital leakage in the Fortune 1000 in a single year was $45 billion.
[*] American Society for Industrial Security and PricewaterhouseCoopers. "Trends in Proprietary Information Loss Survey Report," http://www.pwcglobal.com/InformationLoss/.