For large organizations, scalability and performance are very important considerations. Oracle’s Information Rights Management technology has been designed to operate within a global environment. It is not only capable of scalability and performance, but it has some unique characteristics that make solving these problems much less demanding. The product is not purely server-centric; it uses a patented distributed rights management model which has been core to the system since its creation in 1997. Other IRM technologies are now attempting to implement similar models, but only Oracle’s IRM has been using such features from the very start.
Content classification and offline use
Although it is possible to configure the system so that each user requires a specific role for each document, it is more normal to group related documents together in various classifications. They are normally organized in a matrix by sensitivity, by department and by subject. Classifications also usually follow the organizations Information Security Policy, with definitions such as Top Secret, Highly Confidential, etc. This results in classifications such as “2008 Project X (Top Secret)” or “2008 Senior Executive Communications (Highly Confidential)”.These classifications for document groupings apply to a wide variety of sensitive information, such as intellectual property, board communications, product development, research data, legal contracts, medical records, employee details and so on. Hence, it can be configured that users require only one role for all top secret board communications, and another for all proprietary product development documents.
The system is further configured to specify how long each user may cache that role, from zero to infinity. Normal options would be 3 hours, 1 day, 3 days, and 1 week. The choices made in deciding on this length of offline use are around balancing the usability and security of the technology. For example, you would likely give a senior executive 1 week offline access to content to ensure as they travel on planes and away from network connectivity, they have access to the content. This increases usability, but you forfeit some security, because potentially they can access content for a week offline without the organization being able to change and revoke access, although this is complemented by the synchronization functionality mentioned later. However for maybe an external auditor, you may give them a reader only role which has an offline period of 3 hours. This reduces usability, because every 3 hour the IRM client will need to verify rights on the server, but security is increased because you can now quickly revoke access.
This role/right caching can be different depending on the classification of content the user is accessing and is crucial to enabling offline working and therefore use on airplanes and in other offline situations, it also dramatically reduces server demand and allows users to continue working during server outages.
Server synchronization
| Furthermore, the product has the capability to synchronize a user’s rights automatically to their desktop. The server enables you to configure a rights synchronization schedule for all Oracle IRM clients. Synchronization helps ensure that users always have a fresh copy of their rights and allows for changes to these rights to be automatically and transparently distributed to end users. By default, the settings specify that all clients should synchronize every working day during standard office hours as in the diagram. You can add or delete synchronization time windows as required. When an IRM client connects to the server for the first time, the server sends the synchronization schedule to the client. Synchronization begins shortly afterwards, and continues as defined by the schedule. They key point here being that synchronization means offline usability AND timely revocation. Even if the offline period is 7 days, revocation latency remains about 24 hours. Users cannot avoid revocation without compromising their own day-to-day usability. |  |
For most users, the first connection to the IRM server occurs when they open the first document sealed against that server. This means that users typically get a complete set of their rights shortly after opening their first sealed document. This is a powerful and unique feature. ALL user rights are synced which means that they may open one document sealed to one classification, but they have cached their rights to open documents sealed to other classifications. Imagine the scenario where an end user sits on a plane and opens a sealed email for the first time. If they have the rights to do so they will be allowed even if they have never opened such content before.
To avoid all clients attempting to synchronize at once, each client selects a random time during the specified time window so load on the server is balanced. This synchronization schedule works hand in hand with the offline period. If someone is offline and 3 days into a 1 week offline period to a classification, they may use a wireless connection to retrieve email. Automatically in the background the IRM client will sync their rights and top up all rights giving the user another 1 week period to go offline without requiring a network sync. However, conversely a user may have had rights revoked on the server and the next time they get a network connection, those changes will be synced to the client. This means that even though someone may have a week offline access to content, it is possible to make changes to those rights earlier via opportunistic synchronization.
Highly available environments
Naturally, it is appropriate to create a high availability environment for the server to run in, but the product characteristics mean that a perfectly adequate environment can be created at low cost. Ultra-specialist hardware or knowledge is not always required.
The above diagram illustrates a typical high availability server configuration. The product is designed so that very little specialist IRM knowledge is required to create a high availability server environment. Rather, we allow other elements of a standard overall high availability infrastructure to play their part as normal. These include existing high availability databases, hardware and network infrastructure and server monitoring. To this end, the IRM Server is stateless.
There will typically be a production IRM Server and a standby server. These both rely on the same high availability database, which is on a network more secure than the DMZ. Organizations typically implement this according to their existing standard approach for high availability database operations, using Oracle or SQL server on appropriate redundant hardware, with appropriate monitoring.
Hence, creating a high availability IRM server solution is identical to creating a high availability web server solution. Standard systems monitoring is used to monitor the production IRM server. When failover to the standby is required, network traffic distribution devices such as Cisco Local Director divert traffic appropriately, and the stateless secondary server can simply take over.
