An Evaluation Checklist for Enterprise Rights Management (ERM) Solutions

1. A Seclore Whitepaper An Evaluation Checklist for Enterprise Digital Rights Management (EDRM) Solutions A comprehensive checklist for choosing the right EDRM solution

2. An Evaluation Checklist for Enterprise Digital Rights Management (EDRM) Solutions need to outsource and collaborate with third parties and temporary partners is also giving rise to new business demands - particularly in the area of user experience. Enterprise Digital Rights Management (EDRM)1 is a technology that controls the access and usage of information in stand-alone files and emails (known as ‘unstructured’ information). If you are considering EDRM technology for your enterprise, this white paper would help you fully consider and evaluate the latest capabilities available in the current generation of EDRM products. EDRM solutions have been available in one form or another for more than a decade. However, new technology trends such as Cloud Computing and mobile device usage are raising expectations and pushing the boundaries of EDRM capabilities. The increased Capabilities Vendor 1 Vendor 2 Breadth and Depth of Usage Controls Ability to restrict file access and usage to specific users and / or user groups Ability to restrict editing of files Ability to restrict printing of files Ability to restrict copying content from a file to an external location Ability to restrict file access to a specific computer Ability to restrict file access to a specific mobile device Ability to restrict file access on any mobile device Support for watermarked viewing of files2 Support for watermarked printing of files2 Ability to restrict screen grabbing via the Prnt Scrn key Ability to restrict screen grabbing via third-party screen capturing tools (e.g. SnagIt, Camtasia) Ability to restrict screen sharing via conferencing tools (e.g. Webex, GotoMeeting etc.) Ability to restrict file access via remote connections (e.g. Windows RDP) Ability to restrict file access on virtual environments (e.g. VDI, Citrix environments, virtual machines) Ability to restrict file access and usage based on date and time Ability to restrict file access and usage based on time period (no. of days) 1Also known as Information Rights Management (IRM) | 2 Also see ‘Watermarking Capabilities’ section

3. An Evaluation Checklist for Enterprise Digital Rights Management (EDRM) Solutions Capabilities Vendor 1 Vendor 2 Breadth and Depth of Usage Controls (continued) Ability to expire all copies of a file remotely at any time Ability to protect files with built-in automatic expiration date Ability to restrict file access while offline Ability to allow file access while offline Ability to restrict offline file access and usage to a specified time period (e.g. until 5 days, after which the user must go online and authenticate at least once) Ability to restrict file access to a particular IP address or a range of IP addresses User-Driven File Protection Ability to protect one or multiple files simultaneously Ability to Right Click on a file and enable protection Ability to have differential rights for individual user or user groups for the same file Ability to protect email body and attachments while sending emails Automatic File Protection Ability to monitor and automatically protect files in a network-monitored folder location Ability for a child folder to inherit permissions from the parent folder Ability for a child folder to have different permissions than the parent folder Ability to automatically protect email body and attachments (from the server side) without any user intervention Ability to automatically protect files on download from an ECM or ERP system (integration)

4. An Evaluation Checklist for Enterprise Digital Rights Management (EDRM) Solutions Capabilities Vendor 1 Vendor 2 Automatic File Protection (continued) Ability to automatically protect files based on discovery being by a content / context aware system like DLP, Classification, Discovery or CASB systems (integration required) Ability to automatically protect a file based on the classification selected by the user Email Security Ability to act as a Mail Transfer Agent (MTA) and protect incoming emails automatically without any user intervention Ability to provide for in-use Protection for emails and attachments Ability for automatic rule-based protection of emails and attachments based on dynamic criterion e.g. sender, receiver, subject line, X-header tags Ability for automatic protection of emails generated by enterprise applications Ability for automatic protection of emails based on X-header fields tagged by DLP systems Ability for automatic protection of emails based on X-header fields tagged by Discovery and Classification systems Support for classifying emails and attachments from Outlook Support for classifying emails and attachments from Outlook for the web or Outlook Web Access (OWA) Ability to view and reply to protected emails from the browser – without an email client (e.g. Outlook) Ability to view and reply to protected emails (body and attachments) on mobile devices (iOS and Android) Tracking Emails: Ability to track protected emails from Outlook itself Revoking Email Access Remotely: Ability to revoke access to protected emails from Outlook itself Co-existence with Email Archival tools: Ability to un-protect emails before they are archived

5. An Evaluation Checklist for Enterprise Digital Rights Management (EDRM) Solutions Capabilities Vendor 1 Vendor 2 Access Methods (Desktop, Mobile, Agentless) Ability to access to a file without installing any software Ability to edit a file online in the browser Ability to access to a file on any Operating System or Platform – via a browser Ability to access to a file while offline Support for watermarked viewing on mobile devices ( iOS and Android) Support for editing supported formats on mobile devices (iOS and Android) Availability of native client for Mac for accessing protected files Availability of native client for Windows that can be installed without administrative privileges Ability to access and protect files of all supported formats by installing a single agent Ability to automatically and seamlessly on-board users to access protected files Ability to access a file with a temporary One-time Password (OTP) without creating an account Watermarking Capabilities Ability to enforce watermarked viewing of protected files Ability to enforce watermarked printing of protected files Ability to enforce watermarked viewing of protected files in the browser Ability to change watermark content Ability to customize the font and color of watermark content Ability to display dynamic watermark content: date and time of file access Ability to display dynamic watermark content: username of the user accessing the file Ability to display dynamic watermark content: classification of the file

6. An Evaluation Checklist for Enterprise Digital Rights Management (EDRM) Solutions Capabilities Vendor 1 Vendor 2 Watermarking Capabilities (continued) Ability to display a mixture of static and dynamic content in the watermark Ability to display a watermark for file access on mobile devices (iOS and Android) Ability to fetch the file watermark from integrated 3rd party applications File Format, Application, and Operating System Support Support for Microsoft Office files: doc, docx, xls, xlsx, ppt, pptx Support for Microsoft Office macro files: docm, pptm, xlsm Support for PDF files Support for txt and other ASCII-based files Support for OpenOffice formats: odt, ods, odp, odf, odg Support for image files: jpg, jpeg, bmp, png, gif, tiff Ability to provide identity–based encryption and time-based and location-based controls for any file format Support for all major Microsoft Office versions: 2010, 2013, 2016 Support for all major OpenOffice versions: 4.x Support for major Adobe Reader versions: XI, DC Support for major LibreOffice versions: 6.x Support for Microsoft Outlook for email protection Support for Outlook on the web for email protection Support for protecting the email body as well as the attachments Support for all major Windows versions: 7, 8, 8.1, 10 Support for protecting files on Mac OS Support for accessing protected Microsoft Office files on Mac OS in a native application (Microsoft Office)

7. An Evaluation Checklist for Enterprise Digital Rights Management (EDRM) Solutions Capabilities Vendor 1 Vendor 2 File Format, Application, and Operating System Support (Continued) Support for iOS devices via native apps Support for Android devices via native apps Information-Centric Audits and Activity Logging Ability to provide a web-based audit trail and dashboard for all activities performed on all files by all users Ability to provide real-time auditing Ability to send instant email alerts to file owners for unauthorized file activities Ability to send a daily digest to file owners summarizing all the day’s file activities Ability to restrict access to audit logs based on administrative access (e.g. allowed to view only the audit logs of their group/OU) Ability to filter activity logs based on specific criteria Ability to export activity logs for monitoring purposes, so that information can be tracked wherever it goes, not just within the organization Ability for File Owners to track usage of their protected documents Ability to log unauthorized attempts to access and use a file Ability to log file activities while offline Ability to log forensic audit details (machine name, IP address, file path etc.) Ability to export audit logs to other reporting and log correlation tools (e.g. BI, SIEM etc.) Ability to log access to audit logs for administrators and power users Ability to log administrative activities (e.g. policy creation) Ability to provide unified view of major risk and usage parameters

8. An Evaluation Checklist for Enterprise Digital Rights Management (EDRM) Solutions Capabilities Vendor 1 Vendor 2 Information-Centric Audits and Activity Logging (Continued) Ability to monitor file usage and license utilization Ability to provide trend analysis on various parameters Ability to provide overall system health and utilization/adoption analytics Ease of Administration Ability to automatically assign a protector license to any user who attempts to protect a file Ability to register new users automatically while protecting a file, to eliminate the burden of manual user on-boarding Ability to revoke and modify access to files dynamically – even after file distribution Ability to create power users (business users) for managing groups/ OUs and performing administrative tasks, such as creating policies, assigning licenses etc. Ability to control the creation and usage of protection policies Ability to transfer the ownership of one or multiple files to another user Ability to revoke access to one user on multiple protected files simultaneously to facilitate user off-boarding Ability to replicate all permissions of one user to another user on multiple protected files simultaneously Ability to transfer all permissions of one user to another user on multiple files simultaneously - to facilitate user off-boarding and on-boarding Ability to allow anyone to request access to a file directly from the file owner – with no IT support needed Ability to register new users automatically (and give them file access) if the file owner grants their request

9. An Evaluation Checklist for Enterprise Digital Rights Management (EDRM) Solutions Capabilities Vendor 1 Vendor 2 Federation Ability to directly inherit (federate) access policies and user permissions from an integrated application in real-time - every time the file is accessed Ability to directly inherit (federate) the information owner from an integrated application in real-time - every time the file is accessed Ability to directly inherit (federate) watermark content from an integrated application in real-time - every time the file is accessed Ability to directly inherit (federate) file classification from an integrated application in real-time - every time the file is accessed Ability to directly inherit (federate) user identities from an integrated application in real-time - every time the file is accessed User Authentication and Integration with IAM and Identity Federation Systems Ability to authenticate users via the Windows Active Directory Ability to authenticate users via other IAM systems Ability to authenticate users via identity brokers and SAML-based identity stores Ability to provide Single sign-on (SSO) capabilities with the Windows Active Directory Ability to authenticate users from multiple IAM systems through a single server Support for multi-factor authentication Automatic deletion and addition of users based on corresponding changes in identity stores Ability to provide a built-in Identity Management system for external user creation and management Ability to authenticate using Google login credentials (Single sign-on or SSO)

10. An Evaluation Checklist for Enterprise Digital Rights Management (EDRM) Solutions Capabilities Vendor 1 Vendor 2 Integration with Enterprise Applications (ECM, ERP, DLP, MDM etc.) Ability to integrate with ECM systems and protect files upon download Availability of ready, plug-and-play connectors for leading ECM solutions, such as IBM FileNet and Microsoft SharePoint Availability of Online viewer / editor which can be embedded in 3rd party applications Support for full content search even for protected files uploaded into a ‘protected’ folder/library in an ECM/DMS system, thus ensuring that security doesn’t interfere with the normal user experience Ability to integrate with ERP and transactional systems Ability to integrate with DLP systems for automatic file protection based on discovery at end points or the network layer Availability of ready, plug-and-play connectors for leading DLP solutions, such as Symantec DLP, Forcepoint DLP, Digital Guardian DLP and McAfee DLP Ability to integrate with EMM and MDM systems such as BlackBerry, AirWatch, MobileIron etc. Ability for DLP to scan contents of a protected file APIs and SDKs for Application Integration Availability of SDKs in Java Availability SDKs in C/Win32 Availability of SDKs in .NET Ready Connectors for Enterprise Applications Availability of a connector for Microsoft Active Directory Availability of a connector for Microsoft SharePoint Availability of a connector for IBM Content Navigator Availability of a connector for Symantec DLP to protect discovered confidential content Availability of a connector for McAfee DLP to protect discovered confidential content

11. An Evaluation Checklist for Enterprise Digital Rights Management (EDRM) Solutions Capabilities Vendor 1 Vendor 2 Ready Connectors for Enterprise Applications (Continued) Availability of a connector for Forcepoint DLP to protect discovered confidential content Availability of a connector for GTB DLP to protect discovered confidential content Availability of a connector for CA Single Sign-on to authenticate users via Single Sign-on General Security and Key Management Ability to keep keys and content separate at all times Ability to encrypt and decrypt files at their original location without sending them to the server Support for secure communication protocols (HTTPS) for client-server communication Support for segregation of duties and powers amongst administrators, power users, and end users Ability to plug custom encryption algorithms to protect files Ability to integrate with a Hardware Security Module (HSM) i.e. use keys generated by the HSM for encryption Availability interfaces to enable content scanning of protected documents Ability to allow copying of data to another file based on the permissions the user possesses on the destination file Ability to ensure that the output of the ‘Save as PDF’ option is a protected copy Ability to allow saving a file in PDF format without requiring Full Control permission Ability to discard the available offline permissions of the user – and use the newly fetched online permissions, if any – once the user opens the file while online Ability to restrict copying of content via cell referencing (within Excel)

12. An Evaluation Checklist for Enterprise Digital Rights Management (EDRM) Solutions Capabilities Vendor 1 Vendor 2 Deployment and Architecture Support for a load-balanced environment Support for High Availability (HA) Support of Disaster Recovery (DR) and failover processes Support for seamless migration from on-premise to cloud-based deployment Support for common databases such as Oracle and Microsoft SQL Server Hosting Availability as a hosted service on the cloud or deploy on premise Support for cloud-based system on a private cloud Support for seamless migration from cloud-hosted to on-premise deployment Maintenance and Support Segregated administrative functions and tasks Availability of a web-based administrative interface Support for automated patching of apps using app stores Basic, in-app troubleshooting capabilities that can be easily run by end users themselves Support for automatic and silent client upgrades Availability of 24x7, SLA-bound support Availability of installation report detailing agent installations throughout the organization

13. About Seclore Seclore offers the market’s first fully browser-based data-centric security solution, which enables organizations to control the usage of files wherever they go, both within and outside of the organization’s boundaries. The ability to remotely enforce and audit who can view, edit, copy, screen share, and redistribute files empowers organizations to embrace mobility, file-sharing, and external collaboration with confidence. With over 6000 companies in 29 countries using Seclore to protect 10 petabytes of data, Seclore is helping organizations achieve their data security, governance, and compliance objectives. Learn how easy it now is to keep your most sensitive data safe, and compliant. Contact us at: info@seclore.com or CALL 1-844-4-SECLORE. USA – West Coast 691 S. Milpitas Blvd.#217 Milpitas CA 95035 1-844-473-2567 India Excom House Second Floor Plot No. 7 & 8 Off. Saki Vihar Road Sakinaka, Mumbai 400 072 +91 22 6130 4200 +91 22 6143 4800 Gurugram +91 124 475 0600 Europe Seclore GmbH Marie-Curie-Straße 8 D-79539 Lörrach Germany +49 7621 5500 350 Singapore Seclore Asia Pte. Ltd. AXA Tower, 8 Shenton Way Level 34-01 Singapore – 068811 +65 8292 1930 +65 9180 2700 UAE Seclore Technologies FZ-LLC Executive Office 14, DIC Building 1 FirstSteps@DIC Dubai Internet City, PO Box 73030, Dubai, UAE +9714-440-1348 +97150-909-5650 +97155-792-3262 Saudi Arabia 5th Floor, Altamyoz Tower Olaya Street P.O. Box. 8374 Riyadh 11482 +966-11-212-1346 +966-504-339-765 USA – East Coast 420 Lexington Avenue Suite 300, Graybar Building New York City NY 10170 © 2019 Seclore, Inc. All Rights Reserved.