Responses Archives

October 22, 2008

Where is Enterprise Digital Rights Management Going?

Trent Henry, an analyst from the Burton Group, has recently blogged about the future of what the firm refers to as Enterprise Digital Rights Management (E-DRM), more commonly referred to these days as IRM. Trent blogs his views on the future of IRM after he was approached by numerous people at a recent Burton conference in Prague. They were all asking, "Where is E-DRM going?" He confirms that the space has changed significantly in the past 18 months: the two leaders in the space have now been acquired into larger companies, Authentica into EMC and SealedMedia into Oracle.

Trent makes the observation that one area being focussed on is the fact that IRM brings with it yet another set of users, groups and policies that are to be managed by the enterprise. One way to mitigate this is by integrating the IRM system with the enterprise content management (ECM) system so that the security can be managed in ECM and applied automatically, via the integration, to the document security solution.

"It’s clear that vendors are solving one typical objection to E-DRM: the management of yet another silo of policies."
Trent Henry, VP and Research Director, Burton Group

This is one approach that Documentum, a content management company, has focused on. The Authentica IRM technology is now embedded into the Documentum content management system, allowing access to content to be managed and controlled from the content management system itself.

Oracle have also released a similar integration where Oracle IRM can be integrated with the Oracle Content Server to allow for the automated protection of content as it is checked into the content management system.

Oracle, however, believes this is only part of the total IRM solution. IRM is a core technology that applies not only to content within the repository, but also to the protection of data exported from financial, engineering and other applications such as Agile, Hyperion and Siebel. We also recognize that only a small percentage of the content actually resides in the repository. If your IRM solution only works on the document repository, what do you do about all the other content?

This is why Oracle IRM is not only working to be integrated with the content repositories and applications, but also to integrate with identity management technologies and collaboration systems like Oracle's Beehive. To enable these integrations, the entire Oracle IRM server is being ported into the Oracle Fusion Middleware environment in its next release, 11g. This allows other development groups within Oracle to put IRM functionality into their own systems. It also allows customers to integrate IRM with their home-grown custom applications. One customer I spoke to recently had a requirement to leverage a large application they had already built to manage the rights concerning employees that fall under foreign national compliance regulations. With the new Oracle IRM server they can simply integrate with this customised application, which already contains all the users, groups, rights, roles and policies.

Trent goes on to speculate where this is all going:

  • We have cautious optimism that E-DRM will continue to receive uptake, even though today’s deployments tend to be relatively small and tactical.
I agree, I have visibility of many customers requiring the need for IRM and although it initially is deployed for tactical solutions, we do have customers using Oracle IRM across the entire enterprise.
  • We expect vendors to enhance protection, making use of trusted platform modules for integrity validation and hardware cryptomodules for improved cryptography handling.
Absolutely, the next release of Oracle IRM will present a huge leap in the ability to integrate the server with a variety of different systems.
  • We expect additional integration between rights management and content management solutions.
No need to expect, 'tis already done.
  • Ultimately, we think there will be interesting synergies between virtualization and E-DRM, where mobile workloads (on virtual machines) and the sensitive content they contain can be managed, tethered, and persistently secured via rights-management no matter where a machine image lands.
An interesting point of view, IRM will always focus on protecting an object such as a document or email. Therefore no matter where this item resides, be it in a virtual environment, IRM persistently has control.

July 23, 2008

Why Information Rights Management is mandatory, response to Martin Kuppinger

Martin Kuppinger of Kuppinger Cole last month wrote an excellent article on Why Information Rights Management is mandatory. He opens by commenting that: "Information Rights Management (IRM) is one of these technologies which isn’t really successful until now, even while it is discussed and available for a pretty long time."

A pretty long time indeed: Oracle IRM has been in development since 1997 and was in first commercial use back in 2000. Now we are seeing an increase of activity in this space and 2008 could be a good year for IRM, helping industries plagued by information loss from all areas.

Martin goes on to comment that, "There are some reasons why IRM isn’t adopted widespread today. One is the complexity of the concepts. Without understanding PKIs and Public Key encryption it is impossible to really understand IRM."

I respectfully disagree. Most IRM technologies go to great lengths to hide from the end users any complexity involved in IRM. Good IRM solutions put very few barriers in the way of the user creating and correctly classifying sensitive content. The Oracle IRM solution, for instance, requires only that a user choose the "context" of the content to create a secure document. They need know nothing at all about the PKI or encryption infrastructure underneath.

In response to my disagreement Martin continues: "The end user does not necessarily need to understand the concepts behind. But the architects and admins have. That's what I've meant. So I agree: There are IRM solutions out there which are relatively easy to use - once they are implemented. But even while the vendors claim that implementation is easy as well I think that there is a lot of knowledge required by the architects and admins, which is an obstacle in adoption."

Implementation falls into two areas: technical and business. Oracle IRM is very easy to implement technically, both from the end user's perspective and from the architect and admin side. In many cases I have been able to deploy a fully operational IRM service within a week. With one customer, a law firm in Minneapolis, after they had pre-prepared the server hardware, operating system and database it took only a day to go from a virgin environment to having documents encrypted, accounts provisioned and workflows in action.

"IRM is an approach which can be consistently used for any type of information at any stage, e.g. when stored as well as when transported."
Martin Kuppinger

I have even worked with a customer to, in one day, integrate the Oracle IRM system via its API through .NET into SharePoint. In 8 hours the customer had content automatically sealed, in memory, as it was checked into a SharePoint library. Users automatically logged in to the IRM Desktop via the SharePoint interface and rights managed from the SharePoint system so that going directly to the IRM service to assign rights to content was not necessary.

The reason Oracle IRM is so easy to deploy, technically, is that for the first 8 years of its life there were a very small number of deployment consultants available. Therefore we needed to engineer a product which could be implemented in a small amount of time without having to charge the customer weeks of consultancy fees.

However, I do agree with Martin when it comes to the business. IRM solutions are often purchased to address the need to protect sensitive information that is flowing across many boundaries within the business. There are a lot of touch points involved: the authors of content, the approvers, the end users - internal and external. Therefore the greatest obstacle in deploying IRM is understanding how the business wishes to implement it. Consider also that IRM is often deployed at senior executive level and above; IT and security groups are understandably cautious about quickly bringing new technologies in front of these people.

"I believe that, once IRM is implemented, there is a lot of room to improve your security management for information because you can at least simplify the access control approaches used before."
Martin Kuppinger

This is changing. Organizations are more aware of the need to create policies company-wide, and they are getting better at identifying where the sensitive content lives, the processes it goes through during its life and who needs access to this information. Unfortunately these companies are learning this mostly by trial and error, a costly exercise when each loss of information results in fines and public exposure.

Martin then states that, "If you use IRM for any type of information there is no necessity anymore for the classical access control approaches."

True, strictly speaking if you are using IRM you could do without classical perimeter-based access control, but like all security products IRM is even more secure when used in conjunction with other security products – layered security. Lock the front door AND set the alarm. IRM is not a replacement for existing security applications, it should work alongside because IRM still relies on the most insecure of all components, the end user. Mistakes can happen, people can be given rights to content when they should not have, documents can be misclassified by mistake. Therefore IRM should always be deployed to complement and work with existing technologies and processes to reinforce the enterprise security model.

This leads Martin to state, "You're right saying that more layers are better. What I meant to express is: IRM is an approach which can be consistently used for any type of information at any stage, e.g. when stored as well as when transported. That isn't true with any access control approach. Thus, you could build a complete security model with IRM but you can't do it with classical approaches. Thus, the need for these approaches (detailed file server ACLs and so on) decreases. And I believe that, once IRM is implemented, there is a lot of room to improve your security management for information because you can at least simplify the access control approaches used before."

Absolutely! Existing access control mechanisms surround the perimeter of information. Companies are implementing identity management solutions in an attempt to centralize the control of these access systems, however they still rely on technologies which only secure enterprise perimeters. IRM uses encryption to shrink the perimeter down to the individual units of information - documents and emails. In some ways it is the 101st perimeter, a consistent, “virtual” perimeter that stays with all copies of your most sensitive information, everywhere they go.

Great article Martin, let's hope your thoughts are indeed reflected across the industry over the coming year.

July 21, 2008

Upsetting your employees 101, Ban the use of iPods...

One way to guarantee annoying your employees: ban them from using cool and useful technologies. This is exactly what Jim Hereford from NextSentry seems to be suggesting. In his podcast with MacVoices he describes the risk of mass storage devices being used in the enterprise and calls for the banning of iPods and other cool devices, even commenting that the PDA/phone is a risk.

His solution? NextSentry develops a product called Active Sentry, a perimeter security technology which monitors activity on your computer and prevents the copying of data to CD/DVD, USB devices, and instant messaging networks. It also controls printing, forwarding of emails etc. In effect it locks down the corporate desktop to ensure a user cannot copy information outside the boundaries of the controlled enterprise. Bizarrely Active Sentry doesn't work at all on Macintosh operating systems... how odd they would have an interview with someone from MacVoices.

But what if you legitimately want to share information across these perimeters? The following are a few simple use cases I come across in my working week.

  • I want to legitimately email documents to an external party, such as a customer or partner.
  • Weekly I back up my important files, often the most sensitive, to a remote drive. I have had two laptop hard disk failures in the past year!
  • For me, the quickest way to copy files between machines is via USB flash drives. Countless times I am sharing documents with my co-workers in meetings by passing a USB drive around.
  • I attend meetings using a shared computer hooked up to the projector. I carry my presentations and supporting documents on a USB flash drive and then copy them to the shared machine.
  • I use my iPod to listen to the excellent Digital Planet broadcast from the BBC as well as Oracle podcasts which I sync from the office before I drive home.

I'm sure there are many more cases where users in the enterprise environment need to use sensitive data across classic network boundaries. How frustrated would you be if a technology like Active Sentry kept interfering with your working day?

Lisa Vaas posts on the eWeek security watch blog, picking up on the fact that, "Banning the popular devices would be an unpopular move. Employers themselves are using iPods for convenient employee training. NextSentry's release referred to an Oct. 25, 2006 Wall Street Journal article that described some examples, such as National Semiconductor spending $2.5 million on video iPods for its 8,500 employees, including those overseas, for training purposes and company announcements."

Unpopular indeed! This is a great example of how companies are using new technology to share information with their users using a very familiar device.

She also mentions other rising technologies which are attempting to control the flow of sensitive data. "As portable storage devices shrink in size and gain in storage capacity, they pose an ever greater risk to organizations. Third-party security products have emerged to address this threat. For example, Safend markets an auditor that keeps an eye on every port in an enterprise, from USB to WiFi and Bluetooth. Another Safend product allows the definition and enforcement of security policies to control how ports and devices are accessed. DeviceLock is in the same space, as is SecureWave."

So the message from the above is one which describes a need to constantly keep looking for new security holes in your environment. Purchase a technology to plug that hole and then prevent your employees from using new devices and ways of sharing information!

You could of course take a much more balanced approach and implement Information Rights Management (IRM). Because IRM protects documents and emails directly (not indirectly as a side effect of protecting the perimeters within which some of the copies are stored), you do not need to be so strict about the locations to which the content is ultimately copied or forwarded. You do not need the draconian approach of banning all these really useful devices such as USB drives and iPods. It doesn't matter where the information ultimately ends up, IRM ensures only authorized users gain access.

Oracle IRM has long realized, by working with many large corporate environments, that security must come hand in hand with usability. If the security of a technology interferes too much with the end user's existing workflows, it ultimately is less effective. Users find ways around the security mechanism, such as working on sensitive documents on home machines because the corporate desktop is too painful to use. Oracle IRM therefore places as much emphasis on the user experience as it does on its patented security techniques.

These Data Loss Prevention (DLP) and content monitoring technologies do have some very useful features, however. They can use natural language filters to look for content that is deemed sensitive and then take remedial action. This would work very nicely with IRM, ensuring that if a user is moving content past a monitored point and it has not been protected with IRM, it could be automatically sealed at the perimeter.

So free up your employees. Don't ban their devices. Stop trying to monitor an ever increasing array of storage devices, file sharing networks, and cool technologies. Instead use IRM to protect the document throughout its entire life cycle – from creation to archival, no matter where it goes, no matter who tries to open it.

July 16, 2008

Response to Jon Oltsik on ERM

Jon Oltsik, a senior analyst at Enterprise Strategy Group, recently posted an article titled "ERM: The forgotten data security space". He comments on the ERM space, now more usually called IRM, as a forgotten technology with regard to data security. DLP is also discussed as another technology which addresses the problem of trying to protect your sensitive data.

He comments on two particular ironies that have resulted from the consolidation of these two technology spaces in the past few years.

"Ironic point No. 1: DLP vendors are now adding ERM-like functionality like data usage policy enforcement into their products. I guess this means that as users get a better understanding about their data and how people use it, they realize that they need better ways to control these activities."

Very true. DLP only protects at a gateway through which the information passes, such as a firewall or virus scanner. Yet there are so many ways in which content can be distributed, such as copying to USB flash keys, sending via non-corporate email, or sharing over peer-to-peer networks such as Gnutella and KaZaA. IRM, however, applies the controls at the document or email level, so it doesn't matter where or how the content is distributed: IRM persists the security.

"Ironic point No. 2: ERM vendors like Adobe Systems, Liquid Machines, and Microsoft that were able to ride out the market storm are now in high demand. Users finally recognize the value here."

Thankfully for me, also very true... although Jon forgot to mention the market leader in IRM, I'll excuse him this one time. Oracle IRM, formerly SealedMedia, is the market leader in terms of large-scale enterprise deployments. He closes his rather short article stating that, "ERM, as an adjunct to DLP or as a standalone security suite, will ultimately benefit users and investors alike."

Indeed, DLP and IRM are on an intersecting path via partnerships, acquisition or development. Both aim to control the distribution of and access to an organization's most sensitive content but do so in very different ways. IRM is designed to offer persistent information security controls at the content level. DLP mostly grew from outbound acceptable use content filtering, such as virus scanners, and is still regarded as quite a new technology. DLP would be wise to seek partnerships where mature IRM technologies, like Oracle IRM, can be integrated alongside.

When DLP and IRM are combined, they provide a solution which moves the enterprise closer to the goal of having its corporate protection policies actually applied to the masses of unstructured sensitive content that is being distributed everywhere. If you then consider adding GRC-style applications and auditing technologies to the mix, the enterprise is very close to complete control and deep visibility of its data in use well beyond its physical and virtual perimeters.

I plan to write a more detailed DLP and IRM comparison article, keep an eye on this blog.

July 3, 2008

Response to Carl Weise on IRM limitations

Carl Weise was speaking at an AIIM conference on DRM and was asked about how IRM technologies play into the same space. Carl is an ECM/ERM/EMM Instructor with over twenty years of senior level records management and project management experience in the financial, IT, manufacturing, electric power and legal environments. He is also a regulatory compliance and risk management expert.

He recently blogged about his own research into IRM and found some limitations. I'm not aware of what research Carl did, although it seems mainly based on the Microsoft technology, but I want to highlight some of the limitations he discusses and explain how they don't affect the Oracle IRM technology.

First he states:
"After permission for the file has been restricted by using IRM, the access and usage restrictions are enforced no matter where the information is, because the permission to a file is stored in the document file itself."

This is true of most IRM technologies, but not Oracle IRM. One of the most important decisions in the early design of Oracle IRM, back in the late nineties, was to separate the rights from the content. The content itself does not have any knowledge of who has rights to it; it only knows its own classification, e.g. mergers and acquisition documents or an engineering document containing valuable intellectual property. All the rights to the content are stored on the IRM server and cached to the local IRM Desktop when in use. They are then applied to content at the time of access. This is crucial to an effective and scalable IRM solution. If the content itself contains any information about the rights, then what happens when these rights change? Do you redistribute the content?
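The question above (what happens to copies already distributed when rights change?) can be made concrete with a small model. This is an added illustration, not Oracle IRM code: the class names, the `m-and-a` label and the one-hour cache lifetime are assumptions chosen for the example.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class EmbeddedRightsDoc:
    """Model A: the access list is written into every copy of the file."""
    body: str
    acl: frozenset  # (user, right) pairs fixed when the file was protected


@dataclass(frozen=True)
class ClassifiedDoc:
    """Model B: the file carries only its classification label."""
    body: str
    classification: str


class RightsServer:
    """Hypothetical central store: classification -> user -> rights."""
    def __init__(self):
        self._policy = {}

    def grant(self, classification, user, right):
        self._policy.setdefault(classification, {}).setdefault(user, set()).add(right)

    def revoke(self, classification, user):
        self._policy.get(classification, {}).pop(user, None)

    def rights_for(self, classification, user):
        return frozenset(self._policy.get(classification, {}).get(user, ()))


class DesktopClient:
    """Hypothetical client that caches server answers for `ttl` seconds."""
    def __init__(self, server, user, ttl, clock=time.monotonic):
        self.server, self.user, self.ttl, self.clock = server, user, ttl, clock
        self._cache = {}  # classification -> (expiry time, rights)

    def can(self, doc, right):
        entry = self._cache.get(doc.classification)
        if entry is None or self.clock() >= entry[0]:
            rights = self.server.rights_for(doc.classification, self.user)
            entry = (self.clock() + self.ttl, rights)
            self._cache[doc.classification] = entry
        return right in entry[1]


def embedded_can(doc, user, right):
    """Model A check: only the copy itself is consulted."""
    return (user, right) in doc.acl


def demo():
    now = [0.0]                      # constructed fake clock for the demo
    server = RightsServer()
    server.grant("m-and-a", "alice", "open")
    copy_a = EmbeddedRightsDoc("term sheet", frozenset({("alice", "open")}))
    copy_b = ClassifiedDoc("term sheet", "m-and-a")
    client = DesktopClient(server, "alice", ttl=3600, clock=lambda: now[0])

    out = {"open_before_revoke": client.can(copy_b, "open")}
    server.revoke("m-and-a", "alice")            # one change on the server
    # Model A: the distributed copy still says yes until it is re-issued.
    out["embedded_after_revoke"] = embedded_can(copy_a, "alice", "open")
    # Model B: access survives only as long as the cached answer does.
    out["cached_after_revoke"] = client.can(copy_b, "open")
    now[0] = 3601.0                              # cache entry has expired
    out["after_cache_expiry"] = client.can(copy_b, "open")
    return out


if __name__ == "__main__":
    print(demo())
```

In this model the cache lifetime is the revocation delay, so it is the parameter to weigh against offline-access needs.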

Carl goes on to highlight some of the deficiencies of an IRM solution, saying IRM cannot protect:

  • Content from being erased, stolen, or captured and transmitted by malicious programs such as Trojan horses, keystroke loggers, and certain types of spy ware.

Actually, Oracle IRM can protect against this to a large degree. When content is accessed using the Oracle IRM Desktop, it is decrypted to a safe, protected location. The rendering application, such as Microsoft Word or Adobe Acrobat, is instantiated and the Oracle IRM Desktop gets its teeth into those apps to protect the environment. Finally, the decrypted content is handed off, in a secure manner, to the rendering application. This means the content is persistently protected from programmatic attack by Trojan horses and spyware. This is most important for the Office suite of documents, which have a very open object model for programmatic control. Oracle IRM has a very sophisticated technology which prevents applications from accessing the object model for sealed Office documents.

Carl continues his analysis of what IRM cannot protect against:

  • Restricted content from being hand-copied, or retyped, from a display on a recipient’s screen.
  • A recipient from taking a digital photograph of the restricted content displayed on a screen.
  • Restricted content from being copied by using third-party screen-capture programs.

This is an interesting area of discussion. The Oracle IRM technology has quite advanced protection against screen grabbing. There is the basic protection when pressing the Print Screen button in Windows but also advanced protection against third party screen grabbers. This functionality is implemented in many areas by protecting Windows/DirectX API calls and also monitoring video memory.

This does not, however, protect against someone retyping information, discussing the content of documents verbally or using a digital camera and literally taking a photograph of the screen. But there is still great value in implementing screen grab protection. Security is all about barriers; nothing is 100% secure. So having the protection is at least one barrier to protecting the information. It is also a very good way to inform an end user that content is protected. The Oracle IRM team have spent the past 10 years not only making the technology secure but also making the end user experience as smooth and transparent as possible. Therefore most end users don't really know they are using protected content until they do something like take a screenshot. At this point they see an image like the one below, where only the area of the screen in which the content is being displayed is protected.

OracleIRMScreenShot.jpg

Note that other IRM technologies are not as mature in this respect: they disable the ability to screen grab entirely when protected content is open. Oracle protects only the area of the screen in which sealed content is being displayed, allowing the end user to continue to grab any unprotected content.

Most users are quite surprised when they see that the screen protection exists. Combine this with the knowledge that every single time you open a piece of sealed content it is audited with things like your username, IP addresses, location and the name of the file you opened. Most users feel that they need to be very careful about repurposing sensitive information, even verbally, because the author/owner of the content is aware they've consumed the information.

About Responses

This page contains an archive of all entries posted to Oracle IRM, the official blog in the Responses category. They are listed from oldest to newest.
