Oracle IRM, the official blog

A bit late notice, but i've just been asked to attend the Gartner IAM summit in San Diego next week. I'll be available to discuss and demonstrate Oracle Information Rights Management, details of the summit below.

Oracle is a Premier sponsor at the Gartner Identity and Access Management Summit this November 9 - 11, 2009 in San Diego, CA. Attendees will have the opportunity to meet with Oracle experts in a variety of sessions, including demonstrations during the showcase receptions. Oracle Customer Case Study and Solution Provider Session Oracle Solution Showcase Receptions Oracle Face to Face Meetings November 9 - 11, 2009 Sheraton San Diego 1380 Harbor Island Drive San Diego, CA 92101 Benefits of Attending Increase your company's agility and security by improving your IAM knowledge, and be better prepared to handle the current issues surrounding your IAM environment. Fine tune and maximize your IAM-related projects by leveraging the experience of an increasing network of peers. Better manage your own IAM-related initiatives by using Gartner's unbiased advice and information specific to your situation. Gain insight into which tools could enhance your IAM implementations, and possibly put your company one step ahead of the competition. Improve your company's security, efficiency, effectiveness, business agility, and productivity, by learning how to better manage your own IAM infrastructure. Click here to view the agenda and to find out more about the Gartner IAM Summit. Date 09-November-2009 To 11-November-2009 Venue Sheraton San Diego Street Address 1380 Harbor Island Drive City San Diego State CA Zip 92101 Country United States

Whilst responding to an RFI I needed to describe how information rights management was positioned against many other types of technologies that use encryption to protect documents and emails. I thought it would make sense to write up the response on the blog. The diagram below really highlights how information rights management is at the leading edge of using cryptographic technologies to protect your confidential information.

Information security is a crowded and confusing marketplace. Many security solutions are really infrastructure security, because they secure IT infrastructure and users from information (for example anti-virus, anti-spam, intrusion detection). Some information security solutions only attempt to secure information from external attack (for example firewalls).

This diagram above illustrates the evolution of "information-centric" solutions that, by securing information directly, attempt to secure information from accidental or deliberate leakage by internal and external users. This diagram is not entirely even-handed in that it does not show the benefits of earlier solutions, just their critical shortcomings - but the idea is to show how IRM for the first time sufficiently solves these limitations to be the first truly enterprise-viable "information centric" solution.

Information-centric security started with products like PGP, which used public key infrastructure (PKI) encryption to encrypt information, and provided document and email encryption products. Products like PGP have two killer shortcomings. Firstly they ask busy non-technical business people to understand and personally manage the principles of PKI cryptography - pass phrases, public keys, private keys, digital signing, encryption, decryption, public key rings, certificates, etc. And then, after jumping through all these PKI hoops, the PGP-like technologies still just pass the decrypted information off into the clear (decrypted) to the document and email applications, from which they can easily and untraceably be redistributed - there is no post-delivery protection or tracking. Invasive to user workflows and with dubious benefits (most leaks are made, accidentally or deliberately, by end users - not by eavesdropping on networks) these solutions have over a long period gained minimal traction. Many people have briefly played with PGP, or something like it, but it is rare to meet someone who still does.

"In-delivery" secure email products built on the encryption capabilities of PGP-like products, in an email context. As organizations began to see email as their leading vector for information leakage (deliberate or accidental - how often have you sent a confidential email to the wrong user?) they sought solutions for securing email. Almost all of these solutions operate by intercepting outbound emails, and for those marked or scanned as being confidential, they place them on an SSL-protected web site and send on a replacement email with a link back to the original email on the SSL-protected web site. When the users follow the link to collect the email they are typically required to authenticate and the original email is then obtained over a secure SSL connection. So the shortcomings of these solutions are clear - again they provide no post-delivery security (authorized users can still save out in the clear and forward), they only defend against eavesdropping (which is a much less common threat than redistribution) and is ultimately an email-only point solution. While email remains the leading means of sharing information, there is also a huge amount of sharing via file shares, web, USB devices, etc.

The next major evolution of "information centric" security, which is currently generating significant interest, is gateway- or desktop-based filtering/monitoring. These technologies install software agents into gateways (such as email servers or web servers) or desktops that monitor outbound information flows, and scan the outbound emails, attachments and web pages for confidential information (such as social security numbers). It remains to be seen how effective these solutions are in practice, because they tend to be primarily passive (they are often detuned to prevent them blocking outbound information flows as a result of false positives) and act more as a deterrent; because they must monitor a bewildering number of perimeters in a modern network to be effective; and must sift through a staggering amount of legitimate traffic looking for a hopefully small amount of illegitimate traffic. But the fundamental shortcoming of these filtering/monitoring solutions is that they are effectively enterprise spyware: spying on internal information flows. Unfortunately most sensitive business processes involve sharing confidential information with external parties, and they are never going to allow your organization to spy on their networks to protect your information. So it would seem absurdly incomplete to spy on your own employees and then send the same confidential information unprotected and untracked into the networks of your partners, customers and suppliers.

Nevertheless there are considerable synergies between monitoring/filtering technologies and IRM - to help automate the sealing/classification of information. This is seen in the recent integrations between both DLP vendors and IRM vendors.

Oracle Information Rights Management (IRM) is very much an evolution from all these earlier technologies. It uses the PKI encryption from PGP-style products, but hides all the complexity from end users. It uses the close integration with leading email clients of secure email. It shares the same desktop agent and policy server profile of desktop filtering, but is only active in the context of sealed/classified information. But unlike preceding solutions Oracle IRM provides pro-active, post-delivery protection and tracking; works just as well outside the firewall as inside; has a classification-based rights model that completely hides all the complexity of encryption and makes policy management straightforward; and secures documents, emails and web pages regardless of how they are shared - so Oracle IRM it is a significantly more complete solution.

Over the weekend a document containing confidential information from one of the most secretive panels in Congress was floating about on an peer-to-peer network. Apparently a junior member of staff went home to work on the memo and stored the document on a computer that also ran peer-to-peer networking software. The inevitable happened and the document was whisked away to the file sharing network to be available to thousands of other computers.The 22 page report contains details of sensitive ethics probes involving more than 30 lawmakers and aides compiled by the ethics committee in the House of Congress.

The ethics committee is one of the most secretive panels in Congress, and its members and staff members sign oaths not to disclose any activities related to its past or present investigations. The 22-page "Committee on Standards Weekly Summary Report" gives brief summaries of ethics panel investigations of the conduct of 19 lawmakers and a few staff members. It also outlines the work of the new Office of Congressional Ethics, a quasi-independent body that initiates investigations and provides recommendations to the ethics committee. The document indicated that the office was reviewing the activities of 14 other lawmakers. Some were under review by both ethics bodies. The leaked document, which was reported to the Washington Post, caused Democrat Zoe Lofgren, chairwoman of the House Ethics Committee, to interrupt House voting. She announced that the Washington Post had obtained a confidential ethics report and the newspaper had been contacting lawmakers named in the document. She described the release of the sensitive document, as a form of hacking. This incident highlights the dangers of not correctly protecting your most confidential information. Unfortunately the blame is usually pointed at the person who didn't follow instructions on how to handle such data. In this incident the member of staff was fired and the committee "is taking all appropriate steps to deal with this issue,". According to house administration rules, they require that if a lawmaker or staff member takes work home, "all users of House sensitive information must protect the confidentiality of sensitive information" from unauthorized disclosure. I wonder what technologies are actually implemented to aid lawmakers and staff with actually protecting this information.

"I regret to report that there was a cyberhacking incident of a confidential document of the committee," Zoe Lofgren, (D CA)

Information Rights Management could have easily helped avoid this situation. The memo could have been encrypted and secured allowing the employee to work on the document where ever they wished. Then if the document had been transmitted across a peer-to-peer network, it would've been useless to anyone else because IRM ensures only authorized users can gain access to sealed content. This would've saved Congress the embarrassment and also saved the member of staff their job.

Finally I gave in, too many people kept saying... "you should have a twitter feed for your blog updates". Many in Oracle are embracing modern methods for communicating information about our technology and I decided to jump on the band wagon. You can follow Oracle IRM on twitter and also be a fan of our Oracle IRM page on Facebook.

Oracle has built an excellent website for people to share sample code and personal projects with the Oracle community. Over the coming months we are going to be sharing a lot of code we have been using for many years to help customers build rich IRM solutions.

The first project to hit this website is our HotFolders capability which monitors folders for new content and automatically seals documents to a preconfigured classification. Martin Lambert (Oracle IRM creator and HotFolders author) has just uploaded the latest version, 1.7, of this sample project.

Access the project here, https://oracle-irm-hotfolders-java.samplecode.oracle.com/, note that you will need to register a free Oracle Technology Network account. 1.7 brings some new features;

• Post-sealing action plugins - v1.7 introduces a simple plugin architecture for extending the functionality of Oracle IRM Hot Folders. This allows Java developers to easily implement post-sealing actions for files sealed to the correct classification in designated folders (either automatically sealed by Oracle IRM Hot Folders or sealed to the correct classification before being added to the folder).
• 'Shovel' file-moving plugin - The Shovel plugin moves correctly sealed files to a new location derived from its current location by regular expression matching. A use case is where a Data Loss Prevention (DLP) solution quarantines sensitive files to a quarantine folder where it is sealed by Oracle IRM Hot Folders and then returned by the Shovel plugin to its original location. The source code for Shovel is provided to assist developers in creating their own plugins.

Keep an eye on the blog, we plan to be releasing a whole raft of new sample projects and sample code over the coming months.

Just a quick note to say that within the next 2 weeks we will be releasing version 10.1.3.5.2 of the Oracle IRM Desktop. This desktop comes with the following updates;

• Support for the recently released Windows 7 operating system
  
• Support for sealed PDF's opened with Adobe Reader 9.2
  
• Sealed email support for Lotus Notes 8.5
  
• Support for 27 different languages including Japanese, Chinese and Korean.
  
• There have also been changes in the layout of the control panel and an improved user interface.
  

This is a major release of the IRM Desktop and we expect most customers to upgrade to it after familiarization with the subtle design differences. Release notes will be made available at the time of release to Oracle Technology Network.

This morning Symantec announced the latest incarnation of their data loss prevention (DLP) technology, version 10. DLP technologies allow organizations to do discovery and monitoring of enterprise perimeters to detect the flow of sensitive information. When DLP detects something that is deemed confidential it can take some action upon it, typically this is in the form of blocking the information from continuing to be transmitted. However combining DLP with IRM means you don't have to restrict the end user by blocking their attempts to collaborate. Instead encrypt and protect the document or email so that it can be shared. IRM ensures only authorized users have access and provides advanced security controls such as revocation to the information, even after it has left the control of your enterprise networks.

We've been working with Symantec over the past month to build an integration between Oracle IRM and DLP creating the most powerful security solution of any IRM and DLP combination. Oracle IRM is the leading rights management solution for enterprise-scale document and email security. Combining these features with Symantec's leading DLP solution means customers can now have rich monitoring and detection capabilities. Instead of blocking attempts to share valuable data, this solution allows it to happen securely. We first demonstrated this capability at Oracle Open World and if you were not able to attend, we've uploaded some video demonstrations to our YouTube channel.

If you want to learn more about using Oracle IRM and DLP together contact us.

We've just announced two webcasts for Oracle IRM, one in November and one in December. Click on the registration links below to join me live for a presentation and demonstration of information rights management done Oracle style :)

Secure Your Confidential Documents and E-Mail Everywhere They Are Stored and Used Controlling access to confidential information has never been more important. News agencies continue to report on data breaches resulting from criminal hacking, lost laptops, and incorrectly addressed e-mail. As public awareness grows, enterprises are not only required to implement preventive controls, but also to audit and demonstrate continuous compliance. Oracle's complete information security solution manages data access everywhere data is used, stored, copied, and forwarded--even after leaving your servers. Join us for a FREE live Webcast to learn how Oracle Information Rights Management enables companies to: Control and audit access to sensitive documents and e-mail wherever they reside, even after they have been shared with customers, partners, and suppliers Revoke access to secured content after employees leave or partnerships end Manage access to sensitive content without granting access to IT administrators Scale security across tens of thousands of documents and users, based on clear information classification policies Register now for this FREE Webcast on either Thursday, November 19, 2009, or Thursday, December 3, 2009. Don't miss the chance to learn how you can secure your confidential content--even beyond the firewall. Register Now For your convenience, this Webcast will be presented twice. Register for the Webcast date of your choice. Thursday, Nov. 19, 2009 10 a.m. PT / 1 p.m. ET Thursday, Dec. 3, 2009 10 a.m. PT / 1 p.m. ET Simon Thorpe Oracle Information Rights Management security expert, Oracle

Copyright © 2009 Oracle and/or its affiliates. All rights reserved. Contact Us | Legal Notices and Terms of Use | Privacy Statement

Wow, a busy two days at Oracle Open World. All the IRM team are around the demoGrounds booth W105 in Moscone West helping customers and the public learn about Oracle IRM working with the wide range of Oracle applications, content solutions, portals and of course security technologies.

From left to right, Ryan Carroll - VP IRM development, Andy Peet - IRM product manager, Martin Lambert - IRM founder and Oracle CTO

Unfortunately James Wallace-Hadrill, one of our European consultants was unable to make the conference due to a last minute customer engagement. Therefore his IRM presentation slot has fallen to myself (which i'm still working on at 10pm) and you can join me at 1:30pm on Thursday in Moscone South, room 304. If you don't get chance to be there due to travel arrangements, no worries i'll be recording all the presentation and demonstration material and putting it on our YouTube channel later in the week.

So if you are at Open World, come by W105 and say hi, we've got some very cool technology we can show you.

When talking with customers they often ask if Oracle IRM is a DRM technology. I thought I would therefore go over the main differences between the consumer technology world of DRM and the business world of IRM (or ERM/EDRM). First lets detail what the acronyms stand for.

• IRM - Information Rights Management
  
• DRM - Digital Rights Management
  
• EDRM - Enterprise Digital Rights Management
  
• ERM - Enterprise Rights Management
  
• RMS - Rights Management Services, specific to the Microsoft IRM technology
  

Whilst at first glance it might seem like all of these technologies do the same thing, DRM is the odd one out and the others can be grouped together. In the early days IRM technologies were initially labeled as ERM in an attempt to separate them from DRM, the term IRM came later as the market matured. For simplicity sake in this article, technologies such as ERM, EDRM and RMS will be discussed under the acronym IRM unless specifically mentioned.

What is the difference between DRM and IRM?

All of the technologies above use encryption to protect digital content and apply some form of rights control so the owner of the information can control who can open it, that is where the similarities end and confusion begins. There are some general statements which can be made to define the differences between the two.

• DRM refers to technologies that control access to common media formats, such as music, video and digitally published material (e.g. high value financial analysis reports)
• IRM refers to technologies which control access to enterprise generated content, such as HR documents, patient health records, company financial reports, sensitive email communication
• Most enterprise based technologies (although not Oracle IRM) were developed from either an existing DRM technology, or at least from the same ideals and methods

The first two points are very important with regards to how the technologies are perceived by end users and the main goal for the implementation of the technology. Consider the following scenarios.

1. You purchase a favorite song in a digital form and download to your computer. You want to play this song on both your laptop, mp3 player and also in your home CD player. Yet due to a technology used by the retailer that sold you the song, you can only play the music on a limited number of devices.

2. Your doctor stores your health information on his laptop inside documents that are encrypted and use rights controls to ensure only your doctor and authorized medical staff can open them.

DRM applies to the first situation and consumers are typically unhappy that technology is trying to dictate what they can do with content they've purchased. People are used to playing their music on a variety of devices and want to copy the information to whatever device they wish. DRM is typically about protecting the rights of the content owner from being abused, the consumer of that information doesn't necessarily care about the mis-use of the content. This has led to a constant battle between DRM technologies and the users, with thousands trying to break/hack the DRM so they can use content as they wish.

IRM however addresses a very different issue. It is about helping businesses keep secrets a secret. That information might be your health records, your personal HR data at your place of work, it might be the intellectual property your company owns which allow it to keep ahead of the competition and keep you employed. End users have a very different view of IRM, they want to use it, it helps protect them and their companies data.

So DRM focuses mainly on protecting business to consumer type content, where IRM focuses on enterprise content. This is important because it drives the technology in different ways. For instance, consider the following.

DRM protects a single file which is to only be opened by the purchaser, so the rights are embedded and delivered with the file. This works in a DRM model, because you want only the end user to access the content. IRM typically is used in different scenarios, such as;

IRM protects a single file which is to be opened by 500 sales employees. After 6 months, 1/2 of the employees leave the company taking a copy of the file with them and another 250 people are hired. Of these people, 15 were promoted to manager and their rights to the document is increased so they are allowed to print copies.

To support the above you can't store any rights specific information in the document itself because the rights do change over time. You need to have a way to change rights to the document with having to re-distribute it. Oracle IRM does this by separating the rights from the content. Oracle IRM has, from day one, kept all rights information outside the file itself and on the network server. Access and rights are granted at the point when the document is opened. Locally cached rights, an authenticated user and the encrypted document, all come together at once.

Other IRM technologies have been developed from DRM technologies or they have used the same design methods. This is what prevents them from being truly enterprise scalable.

Finally, IRM can be used to solve some DRM problems. Oracle IRM has been successfully implemented by publishers to protect high value content in PDF documents. This is a classic business to consumer model but Oracle IRM, due to it's scalable and more effective implementation of encryption, works and can deliver an effective solution.

There has been a lot of partner activity with IRM recently, more information will be coming out over the next few months. Right now one partner in Germany, Sealed Solutions GmbH, has just teamed up with a vulnerability assessment and management company, Outpost24, to bolster it's information rights management practice.

Sealed Solutions are a leading provider of Oracle IRM services in Germany and the partnership with Outpost24 will increase their ability to fulfill major GRC (Governance, Risk and Compliance) requirements with vulnerability assessment and management best practices to ensure the protecting and handling of customer's confidential information and data.

Norbert Bacher, CEO Sealed Solutions GmbH, was quoted as saying, "With the technology provided by Outpost24, we are now able to secure and protect not only confidential e-mails and other sensitive information like we do with our Information Rights Management solutions, but are pleased to now be able to protect our customer's organizational centerpiece - 'the network'. Both from the inside, as well as the outside. Outpost24's Vulnerability Management solutions are an excellent complement to our current Information Rights, Security and GRC solutions."

A central concept of the Oracle IRM solution is the security context. So what are contexts and how do they help you protect sensitive information in a secure, usable, and manageable way? In the Oracle IRM solution, a context represents a set of related information and the rights of users to work with that information. For example, a typical enterprise might use the following contexts to manage the rights to access and work with some of its most sensitive information:

To protect a sensitive document from unauthorized access and modification, all you need to do is seal it to the relevant context. Once sealed, the document is protected by the rights defined for the context.

For example, sealing the board minutes to the sensitive board communication context, as shown above, might ensure that the minutes are accessible only to the board members and their personal assistants. To simplify the assignment of different rights to different users, each context contains roles such as Contributor, Reviewer, and Reader. A particular user might be a Contributor in sensitive board communication and a Reader in confidential engineering research.

Contexts and Security

Rather than allowing individual users to configure rights for individual documents, the Oracle IRM solution simply requires users to select the appropriate context for those documents, as shown for the board minutes above. Once sealed, all documents in a context are automatically subject to any future amendment to the rights - no matter who created the documents or how many copies have been distributed within and beyond the enterprise. Contexts ensure that rights management is not arbitrary. Users cannot simply invent new policy for particular documents or emails, so the enterprise retains overall control of information security and has a powerful mechanism for implementing any corporate classification policies.

Contexts and Usability

Any solution that is not easy to use is unlikely to provide the security that an enterprise is seeking. Rather than requiring users to consider in detail what rights are appropriate for particular documents, Oracle IRM simply requires users to seal documents to the appropriate context. Further, Oracle IRM controls the right to seal documents such that, for example, only board members and their personal assistants can create new documents in sensitive board communication. Thus, the enterprise can be confident that only authorized users contribute to each context. By creating contexts that relate very clearly to enterprise business processes and exposing users only to contexts that are relevant to their role, an enterprise can be confident that information will be protected appropriately because users can easily understand what is required of them and are not exposed to detailed choices that they might use inconsistently.

Contexts and Manageability

The simplicity of contexts and roles means that day-to-day rights management tasks are handled by the most appropriate business users. In many live deployments, the rights to board documents are managed by the PA of the CEO or Company Secretary and is as simple as assigning roles to users and groups.

By avoiding the need to manage and propagate the rights to thousands of individual documents, the solution can scale to meet the needs of even the largest enterprise. Finally, contexts enable policy changes to be applied at any time to thousands of documents - regardless of where those documents are. Rights can be assigned and unassigned as required without having to locate and modify each of the documents.

Standard Roles for Enterprise Rights Management

Finally, to help organizations to quickly deploy and create contexts the Oracle IRM solution provides a standardized set of roles that are ready to be assigned out-of-the-box - roles such as Contributor, Reviewer, and Reader.

Each role defines a set of rights that are appropriate to that role. For example, a Contributor has the right to create and edit sensitive documents, whereas a Reviewer can only edit existing documents and change tracking is enforced. These roles are then assigned to users for particular workflows and information classifications. Commonly these assignments are done by group membership inside your corporate user directory. So by simply adding a user to one or more groups in say Active Directory would immediately give them access to thousands documents secured against those classifications, and vice versa, they leave the organization and their account is deleted from Active Directory, all the documents they had copied to their USB device are now useless.

Where necessary, the standard roles can be tailored or extended, but Oracle has used the experience gained from numerous enterprise deployments to provide a set of roles that meet the needs of most clients. So what are the standard roles and what do they allow users to do?

Standard Roles Overview

Out-of-the-box, Oracle IRM provides five standard roles for controlling access to sensitive documents and email:

Contributors are the people who are authorized to create and edit documents in a particular context. They can open and search and print documents that are sealed to the context. Reviewers are authorized to edit sealed documents and email, but change tracking is enforced. They can also open and search and print sealed documents and email but are not authorized to create new sealed documents or email - they can only review or reply to documents and email created by Contributors. The Reader role allows opening, searching and printing of sealed documents but they cannot create or edit. The Reader (no print) is the same except they obviously have no rights to print.

Finally Item Readers are authorized to open and search particular sealed documents. This allows for people to be added to contexts which contain large amounts of protected information and yet they can only open a few identified documents. This role is designed to be the exception to the rules defined by all the contexts on the system, otherwise it managing lists of users rights to specific documents becomes quickly unmanageable.

Oracle also recognizes the need to control access to these roles so that they are assigned appropriately. Oracle IRM therefore defines standardized administrative roles, the most significant being:

Context Owners are authorized to assign roles, and are typically the owners of confidential information and work flows. System Owners are authorized to create new contexts and make the initial assignment of the Context Owner role. Their involvement in a particular context might end soon after that initial assignment.

If you want to learn more about Oracle IRM, please have a look at our simple online demo or contact us for a more in depth evaluation.