In today’s cloud reality, data leaks are at an all-time high. There are daily headlines about high-profile leaks that cost companies and people dearly despite already having data protection software installed.
Traditional data protection has been about locking down data behind the corporate firewall and closely monitoring user activity in the cloud. From a user’s point of view, this manifests as:
- restrictions on my actions and demands on time,
- technology regularly prompting me to identify myself and justify my actions,
- bugs, crashes, and conversations with IT when the software doesn’t work right, and
- difficulty collaborating with people in other departments, at other companies, or who don’t specifically use my company’s tech.
Heavy use of data protection technology slows down the user’s workflow and leads to a poor user experience. And worse, even with all this technology deployed, data still leaks, often because frustrated users have found ways of circumventing the technology in order to get their work done with greater ease.
Information Rights Management – a new frontier in data protection and user experience
There is growing interest in a different form of data protection called Information Rights Management (IRM). IRM uses a combination of identity, encryption, and access control technology to protect sensitive data files and emails themselves. Rather than lock down the data, the data is free to travel into the cloud and beyond, allowing users to quickly and easily collaborate in any environment without all the extra overhead.
In How to Select the Right EDRM Solution, Gartner says:
“Organizations need to assess data protection solutions for their ease of use and suitability for their end-user and administrative populations […]. This is the capability that will affect the success of deployments the most, and it should be weighted most heavily in the evaluation.”
I believe that IRM (also known as EDRM) can be the solution to data protection through a simple, frictionless user experience. But only if done right. Early attempts at IRM were fraught with usability problems, but new players in the space have made significant advances in the usability offered by these systems, with more opportunity for innovation still to come.
In this article, we talk about how a focus on usability can provide an easier, more freeing user experience and better data protection as users embrace the technology rather than circumvent it. But only if the user experience is done right!
No User Install, No Client “Agent”
Most data protection solutions require that every user in the enterprise install the software on their machine in the form of an “agent” or add-in that integrates into applications like Microsoft Word and Outlook. Invariably, these add-ins are error-prone, slow down the user, and swamp the IT department with bugs and issues, especially when the solution is deployed to thousands of users in the enterprise. A bad experience all around.
Some solutions try to offer an “agent-less” experience by asking the user to go to a website to view a sensitive document so that they don’t have to install software on their computers. This can work for the rare top-secret document; however, most organizations have a lot of confidential files and email that need to be protected day-to-day. Asking users to authenticate to a website multiple times a day to view sensitive emails, documents and images is a poor experience.
The best data protection solutions are agent-less and native, meaning they require no software to be installed on the user’s machine, but allow users to continue using their native applications like Microsoft Word, Outlook and Gmail to view common data formats like email and office documents.
No Extra Steps, Warnings or Errors
Most data protection requires the user to take action each time they want to protect a document. It can also prompt the user with warnings and errors. This can be highly frustrating.
Consider the scenario where the user is in a hurry to send an important document. Just as they attempt to send it, they are prompted with a warning, such as: “Cannot send. This violates the security protocol, please take corrective action.” Or, “Would you like to encrypt this document? If so, please select whether you would prefer AES128 or AES256 encryption.” (Most users won’t know what AES256 is or whether they should encrypt. So, they’ll probably decline to encrypt for fear of slowing down their work.)
Alternatively, some solutions won’t protect any data unless the user explicitly presses a “Send Secure” button (which they never use), or offer a “Security On/Off” toggle that can be even more confusing and fail to actually protect the right data at the right time.
The best data protection solutions avoid this problem by making data protection decisions behind the scenes, based on data classification or automation. Many enterprises already classify their data, so data protection can be applied automatically, e.g., every time a document is classified as “Confidential” it can automatically trigger encryption and access controls without prompting the user. The solution could also automatically detect sensitive information such as credit card numbers to drive appropriate protection decisions for PII behind the scenes.
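As an added illustration (not code from the article or any vendor), the following Python sketch shows the kind of behind-the-scenes decision described above: an explicit classification label selects the protection rule, and an unlabelled document is raised to “Confidential” when a Luhn-valid card number is found in its text. The label names, rule fields and group names are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample policy: classification label -> protection rule.
# Labels and fields are assumptions for this example, not a product's schema.
POLICY = {
    "Public":       {"encrypt": False, "allowed_groups": ["everyone"]},
    "Internal":     {"encrypt": True,  "allowed_groups": ["employees"]},
    "Confidential": {"encrypt": True,  "allowed_groups": ["finance", "legal"]},
}

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives from arbitrary digit runs (order ids etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def contains_card_number(text: str) -> bool:
    return any(luhn_ok(re.sub(r"[ -]", "", m.group()))
               for m in CARD_CANDIDATE.finditer(text))

@dataclass
class Decision:
    label: str
    encrypt: bool
    allowed_groups: List[str] = field(default_factory=list)
    reason: str = ""

def decide(label: Optional[str], body: str) -> Decision:
    """Choose protection without prompting the user.

    An explicit classification label wins. Otherwise content inspection may
    escalate an unlabelled document to Confidential; the fallback is Internal.
    """
    if label is None:
        if contains_card_number(body):
            label, reason = "Confidential", "PII detected (card number)"
        else:
            label, reason = "Internal", "no label; default rule"
    else:
        reason = "classification label"
    rule = POLICY[label]
    return Decision(label, rule["encrypt"], list(rule["allowed_groups"]), reason)
```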
Most data protection solutions, especially Information Rights Management solutions like Microsoft RMS, are optimized for Windows and for use within a single company or department with ActiveDirectory identities, and focus on a limited number of file types like .docx and .xlsx. Ten years ago, this covered the majority of business scenarios.
Today’s business collaboration needs are far more varied. Users at work and at home use a variety of platforms including Mac, iOS, Android and Gmail. They collaborate on a variety of different files beyond MS Office documents. And they expect to collaborate with businesses and with individuals through email, cloud sharing services like OneDrive, Box and Dropbox, and through a variety of cloud applications, such as Salesforce.com. All of that with a “single sign-on” experience where they’re not providing passwords and clicking through authentication steps every time.
If data protection works until I need to share the data with a Mac or mobile user, then in today’s world, it actually doesn’t work because it’s a bad user experience.
And if it works but I have to create another user ID and password and enter it each time I need to protect a document, then it actually doesn’t work because it’s a bad user experience.
A great data protection experience protects data:
- across all major file types and platforms,
- within the enterprise, in cloud collaboration with other businesses and in collaboration with outside individuals/consumers,
- using existing identities from ActiveDirectory, Ping, Okta, Facebook, LinkedIn, etc.,
- interoperating with other data protection technologies like legacy Microsoft RMS, and
- even when offline.
In short, today’s users expect it to just work. If data protection means daily operations are blocked or slowed down in any scenario, then that is an unacceptable experience for all involved.
Flexible Policy for Ever-Changing Business Processes
Often, poor usability is not the result of the software products themselves, but of the way they’ve been set up to be used in an environment. In data protection, if you set up a policy that is too strict or does not clearly match your business processes and users’ needs, it leads to a poor user experience. Or, perhaps you do set up the policy correctly, but your data or business processes change over time and the policy no longer matches.
Gartner notes, “data and its related classification do not remain static entities over the course of their lifetime. Some solutions require that an asset be republished whenever the entitlements attributed to a protected element are updated or modified.”
This is poor user experience! Not practical, and often not even possible.
The best data protection solutions offer rich and flexible data protection policy that can be adapted even to data that has long since left the organization.
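The passage above contrasts solutions that must republish a file whenever entitlements change with policy that still applies after the data has left the organization. The added Python model below (not code from the article or any product) shows the IRM pattern that makes the latter possible: the file is encrypted once, while the content key and the reader list stay on a rights server that evaluates the current policy at every open, so revoking or adding a reader changes nothing in the file itself. The HMAC-based keystream is a stand-in for a real AEAD cipher so the example runs with the standard library only; class and method names are assumptions.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional, Set

def xor_keystream(key: bytes, doc_id: str, data: bytes) -> bytes:
    """Toy counter-mode stream from HMAC-SHA256 (stand-in for AES-GCM).
    Applying it twice with the same key and doc_id restores the input."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, f"{doc_id}:{i // 32}".encode(), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class RightsServer:
    """Holds content keys and entitlements; the protected file carries neither."""
    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.entitlements: Dict[str, Set[str]] = {}

    def protect(self, doc_id: str, plaintext: bytes, readers: Set[str]) -> bytes:
        """Encrypt once and register the initial reader list. Returns the
        ciphertext that is published (mailed, uploaded) and never changes."""
        key = secrets.token_bytes(32)
        self.keys[doc_id] = key
        self.entitlements[doc_id] = set(readers)
        return xor_keystream(key, doc_id, plaintext)

    def set_readers(self, doc_id: str, readers: Set[str]) -> None:
        """Policy change: takes effect at the next open, no republish needed."""
        self.entitlements[doc_id] = set(readers)

    def request_key(self, doc_id: str, user: str) -> Optional[bytes]:
        """Evaluate current entitlements at access time; release the key only
        to readers allowed right now (an audit log would be written here)."""
        if user in self.entitlements.get(doc_id, set()):
            return self.keys[doc_id]
        return None

def open_document(server: RightsServer, doc_id: str, user: str,
                  ciphertext: bytes) -> Optional[bytes]:
    """Client side: fetch the key for this user, or fail closed."""
    key = server.request_key(doc_id, user)
    return None if key is None else xor_keystream(key, doc_id, ciphertext)
```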
User Experience Advice to Security Groups and Vendors
Information Rights Management is emerging as a new opportunity for protecting data against leaks, especially in cloud and mobile collaboration scenarios where traditional firewall and data loss prevention software is proving insufficient and frustrating users along the way.
For security groups, it’s no longer enough to buy based on a demo or a limited trial within IT. A trial of the solution with a large number of real-world users, in B2B and B2C, is a must. The user experience can be evaluated by simply collecting feedback from administrators and users (qualitative feedback), and can be measured with benchmarking (e.g., how long it now takes to send and consume a protected document, and other relevant metrics). Vendors should be prepared to support this.
The key to data protection success, and Information Rights Management in particular, is a truly frictionless user experience. The key questions vendors and security groups need to ask themselves include:
- Does the solution work without any user install or agent?
- Does it add steps to the user’s workflow?
- Does it continually prompt for authentication, or unexpected warnings and errors?
- Does it truly protect on all platforms, with all file types? In cloud sharing with businesses and individuals? Even when offline?
- Does it have a flexible policy that can be easily changed over time?