What's In a Name? Announcing Truth in Labeling

Andrew Jaquith

A few days ago, my colleague Chris McClean asked the excellent question, "Is Risk Management Compatible with ERM?" I saw the headline come across my RSS reader and I thought, "Cool! I'd love to read what Chris thinks about enterprise rights management," a technology that I cover as part of my data security coverage. I'd advise you to read his post, which is excellent.

As you may know from Chris' post, the ERM Chris was referring to was actually Enterprise Risk Management, a way of estimating and managing security risks -- not Enterprise Rights Management. All of which led me to wonder, should we rename the data security category I was thinking of? I concluded that we should.

Enterprise rights management, loosely defined, refers to products that allow enterprises to enforce confidentiality and need-to-know restrictions on documents. Sample products in this category include Microsoft's Rights Management Services (RMS), Liquid Machines ERM, and Adobe LiveCycle. Most of these products use the acronym ERM explicitly in their marketing materials. Needless to say, it has nothing to do with enterprise risk management. Ah, the difference four letters makes!
Here's the thing, though. The reason "my" ERM is called ERM is to distinguish it from digital rights management (DRM), a largely discredited technology used to enforce publishers' rights on consumer music and video files. The upscaling of DRM to ERM, to me, is a little silly. The acronym arose from the desire to take an arguably confusing three-letter acronym (TLA) and adapt it to enterprise use, with the result being an even more confusing TLA. And it raises questions. Whose "rights" are being enforced? The "enterprise's," sure, but what does that mean? The issue here is much closer to a privileges, entitlements, and authorization issue, not "rights." Nobody will call the lawyers because someone's "enterprise rights" were violated. Surely we can apply a little more precision to the term we use to describe technologies meant to enforce access rights on documents?

And what do you know? The authors of the Orange Book have already got a term that approximates what this whole area is: labeling. The Orange Book dates from the early 1980s and is formally known as the US Department of Defense's Trusted Computer System Evaluation Criteria. The data labeling term is used in the Common Criteria also. It's a standard term in government and intelligence circles, but not seen as often in the commercial sphere.

Here's what the Orange Book says about data labeling: "Access control labels must be associated with objects. In order to control access to information stored in a computer, according to the rules of a mandatory security policy, it must be possible to mark every object with a label that reliably identifies the object's sensitivity level (e.g., classification), and/or the modes of access accorded those subjects who may potentially access the object." Sounds just like what ERM is doing, no?
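To make the Orange Book definition concrete, here is a small constructed example (added here, not from the original post or from any of the products named in it) that attaches a label to a document object and enforces it the way the quoted passage describes: the label carries a sensitivity level and the access modes accorded to particular subjects, and a mandatory check refuses any access that the label does not permit. The level names, subject names and mode names are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed ordering of sensitivity levels; higher number = more sensitive.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Hypothetical set of access modes a document label may grant.
MODES = {"read", "write", "print", "forward"}


@dataclass
class Label:
    """Orange Book style label: the object's sensitivity level plus, per
    subject, the modes of access accorded to that subject."""
    level: str
    modes: dict = field(default_factory=dict)   # subject name -> set of modes


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


def dominates(clearance: str, level: str) -> bool:
    """A clearance dominates a level when it is at least as sensitive."""
    return LEVELS[clearance] >= LEVELS[level]


def check_access(subject: Subject, label: Label, mode: str):
    """Mandatory decision for one subject/object/mode triple.

    Returns (allowed, reason). Two rules are applied in order:
    1. the subject's clearance must dominate the object's level, so a
       CONFIDENTIAL-cleared user never observes a SECRET document;
    2. the requested mode must be among the modes the label accords to
       this subject; a missing entry means no access at all."""
    if mode not in MODES:
        raise ValueError(f"unknown access mode: {mode!r}")
    if not dominates(subject.clearance, label.level):
        return False, "clearance does not dominate object level"
    accorded = label.modes.get(subject.name, set())
    if mode not in accorded:
        return False, f"mode {mode!r} not accorded to {subject.name}"
    return True, "ok"


# Constructed sample: one SECRET document and three subjects.
REPORT = Label("SECRET", {"alice": {"read", "print"}, "bob": {"read"}})
ALICE = Subject("alice", "TOP SECRET")
BOB = Subject("bob", "CONFIDENTIAL")
CAROL = Subject("carol", "SECRET")
```

Alice's clearance dominates the document and she was accorded read and print, so only those two modes succeed; Bob is refused by the clearance rule before his label entry is even consulted, and Carol, who has the right clearance but no entry on the label, is refused by the mode rule.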

So, here's what Forrester will do in our future coverage. The ERM (enterprise rights management) acronym will vanish, except as a "bridge" term to jog memories. In the future, we will practice "truth in labeling" and call this ERM thing data labeling.

I will continue to read Chris' blog posts, of course, and I hope you will too. Best of all, he'll have the ERM TLA all to himself!
[posted by Andrew Jaquith]


re: What's In a Name? Announcing Truth in Labeling

Andrew, though I support the cause of reducing the number of TLAs that we need to deal with, "Data labeling" for what is now called ERM/E-DRM/IRM would hardly be justice. When I hear "data labeling" I think of the classification aspect of DLP systems which can, based on defined patterns, scan and "label" data. The labels are then used by the DLP system to allow/deny activities. How about E-DRM (a Four-Letter Acronym for a change!) or simply IRM? Incidentally, in your post you forgot to mention some of the largest IRM (that's what I prefer to call it...) vendors like Oracle, Seclore and Fasoo.

re: What's In a Name? Announcing Truth in Labeling

Dear Andrew, stumbling across your post for exactly the same reason you stumbled across Chris' (with whom we discussed this yesterday, by the way), I smiled at reading about the confusion this TLA created. Hope you find a suitable acronym for your topic (I'm more on the risk side). But being responsible for the GRC solution at IDS Scheer, I do not agree that ERM (R as Rights) has nothing to do with ERM (R as Risk)! Some of the most severe risk events were triggered by not having or using appropriate rights management and labeling for sensitive data. So there is in the end a connection of ERM with ERM that goes beyond the TLA used. ;-) Martin

re: What's In a Name? Announcing Truth in Labeling

Andrew, while it is true that some ERM technologies spun (or morphed) out of DRM for commercial media, and that's why the RM label has stuck, I don't think using a DoD term to rename it is particularly helpful. Most of the people I come across in my consulting practice (www.giantstepsmts.com) who are looking at ERM solutions (or developing ERM technologies) are not in the defense space, and to them this may as well be a foreign language. The term data labeling means nothing to them. Having said that, the term "policy management" has been used -- as has IRM (Information Rights Management), the term used by Oracle and EMC, two market leaders you don't mention in your post. Policy management is not bad because it refers to a scenario that often leads to successful adoption of ERM/IRM/whatever, in which information usage policies are written down in ways that are crisp, unambiguous, and readily implementable in technology. ERM technology provides proactive management of information use policies, whether corporate or industry. Maybe "Information Policy Management" is a better term? I dunno.

re: What's In a Name? Announcing Truth in Labeling

Hi Andrew: I enjoyed reading your interesting and provocative blog on ERM. This reminds me of Gartner's Content Monitoring and Filtering and DLP debates a few years back. Gartner used CMF as the category while the market, driven largely by Vontu, began using DLP. However, Gartner refused to use DLP in their research notes. Consequently, Gartner clients would inquire (using web site and phone) with the DLP label (no pun, really). Based on the number of DLP inquiries on the Gartner web site, they were forced to change CMF to DLP.

For all the points made above, data labeling is not optimal. Information Rights Management is better; however, in 2003, Microsoft defined IRM as the application's (i.e. Office IRM) implementation (i.e. a feature) of ERM technology. This construct would also apply to Oracle/EMC's use of ERM technology, which largely is positioned as a feature of their Content Management applications. Just look at Oracle's web site: you'll find IRM under ORACLE CONTENT MANAGEMENT SOLUTIONS. Similarly, EMC lists IRM under CONTENT MANAGEMENT and as DOCUMENTUM IRM SERVICES. Microsoft positions its Rights Management Services (RMS) platform under the "Information Protection" solution and category. The other two platform vendors, Adobe and Liquid Machines, use ERM (interestingly, Adobe at one time actually used IRM, but changed to ERM).

Gartner has consistently used E-DRM even though this has the issue with Electronic Document Records Management (EDRM). DRM, with all its baggage and consumer emotion, has already been defined for the worse. In hindsight ERM, which was intended to leverage technical familiarity and apply it to a B2B problem (vs. the B2C focus of DRM) while at the same time shortening it from E-DRM, struggles with the negative association of DRM. We can debate the word "rights" and its application, but file and resource "access rights" have been used for more years than most of us have been in computing. I don't believe people confuse ERM with Thomas Paine or Amnesty International.

In the end, the market will determine the correct label for the technology/solution as it always has in the past. Until a better category emerges, I will continue to support Enterprise Rights Management (ERM).

re: What's In a Name? Announcing Truth in Labeling

Wow. Great comments! This is exactly the sort of discussion I like to have with smart, passionate people. See also Rich Mogull's excellent post here: http://securosis.com/blog/sorry-forrester-data-labeling-is-not-the-same-as-drm-erm

As a result of everyone's insightful comments, I am reconsidering whether renaming the ERM category to "data labeling" is actually a good idea. I've considered tacking on "enforcement" to the end (making it DLE) to make it less passive and to address the management layer that I was clearly implying but did not spell out in my post (a concern of Rich's and Pete's). It might also make sense to change the "D" from "data" to "document," which is more precise. But I might roll it back entirely to E-DRM or use IRM because the market is so well conditioned to those acronyms (Ed's point).

That said, I believe it is important to think critically about market segmentation and category naming. When a category name doesn't accurately characterize what products in that category do, or if it has outgrown its usefulness, it should be scrapped. We are clearly there with "ERM." Nearly everybody seems to agree that it sucks. But nearly everyone also agrees that even though it sucks, it's an acronym that is fairly well recognized. "DLP" suffers from the same problem.

On that note, here's a funny story that I've told in private many times. At a previous analyst firm we refused to use the DLP three-letter acronym. We called it CBM, short for "content and behavior monitoring," not too dissimilar to what Gartner called it. Here's the funny part: one day a vendor comes in for a briefing. Right at the start, I stated that we don't use that acronym here (DLP); we prefer CBM. Their product manager asked, "Why is that?" My response: "because Big Brother was already taken." Much nervous laughter ensues. Then I added: "Well, if you don't like that, why don't we just call it 'Employee Surveillance' and be done with it?" Even more nervous laughter.

To make a long story short: I offer no firm conclusions today. But I'm still looking for a better category name.