Oracle IRM, the official blog

Oracle recently released a new website called http://samplecode.oracle.com where employees and Oracle Technology Network members collaboratively build and share sample applications, code snippets, skins and templates, and more. There are several applications which have been written by the Oracle IRM team that are not part of the supported Oracle IRM code base and yet play an important part in the deployment of IRM solutions.

One of the most commonly used applications is called "Hot Folders" which is an application that uses IRM web services to monitor a set of file system folders and automatically seal files copied or moved into them, to associated IRM classifications. This enables organizations to apply IRM consistently and effectively by leveraging the familiar metaphor of placing confidential files "in a safe place".

You can access the project at the sample code website here, note you need to have or create yourself a a free Oracle Technology Network account. This is the Java version of Hot Folders and i'll be uploading the Visual Basic version of this once i've done some sanity testing on the code base. There are other IRM projects in the works, so keep an eye out for some groovy new sample code and applications coming out this year.

I've recently been asked how it is possible to embed Oracle IRM sealed content into a web page like I do on the IRM samples. The current 10g release of IRM only supports IE, therefore I have created some scripts to detect the browser, if the IRM Desktop is installed and then the ability to dynamically write the code for displaying sealed content.

So putting sealed content into a HTML page requires the following;

• Check that the browser being used is supported
  
• Check that the Oracle IRM desktop is installed
  
• Write out the object tag to display sealed content
  

There are a set of scripts i've created that you need to include at the top of your HTML page;
<script language=JavaScript src="scripts/browser_os_sniffer.js"></script>
<script language=VBScript src="scripts/irm_unsealerdetect.vbs"></script>
<script language=JavaScript src="scripts/irm_unsealerdetect.js"></script>
<script language=JavaScript src="scripts/writeSampleCode.js"></script>

Just right click and save as on the links above to get a copy of these files.

Check that the browser being used is supported and the IRM Desktop is installed.

So first off you need to check browser compatibility and ensure the IRM Desktop is installed. irm_unsealerdetect.js contains a function called fnDetectIRMDesktop() which gets called from a function inside writeSampleCode.js called setupSampleCode(), which inturn is called from the HTML <body> tag's onLoad event handler, e.g...

<body class="layout-two-column-right main-index" onload="setupSampleCode()">

These functions set a string called strViewer which, after the page loads, contains one of two things.

• If an installation of the IRM Desktop has been detected, strViewer is the version number of the IRM Desktop.
  
• If no IRM Desktop was detected, strViewer contains a string which details if the browser/os is unsupported or if the Desktop just isn't installed.
  

This variable is then used to determine if the HTML should write out an embed object with the sealed content. In my blog, this check is done in the function fnWriteDivContent(). Click here to see an alert with the current contents of this variable.

So this set of code is a nice way to determine if the end user has the Oracle IRM Desktop installed. I've had customers use this code to do detection and automatically redirect to our download page. Once you know that the IRM Desktop is indeed installed, you can then put into the HTML the code to embed sealed content.

Write out the object tag to display sealed content.

My blog code does this dynamically using the function fnWriteDivContent() but here is the format of the object tag that needs to be in the page.

<object classid='clsid:18CEFFD2-A724-11D3-B647-86BD54000000' width="200" height="200">
<param name=src value="/sealed/sample.sjpg">
<param name=banner value="false">
<param name=noscroll value="true">
<embed
     width="200"
     height="200"
     src="/sealed/sample.sjpg"
     banner="false"
     noscroll="true">
</object>

Pretty simply really, you can see all this in action on the various content in the samples category. Now think about the potential of this. Oracle IRM can protect HTML, JPG, GIF and PNG. These are key formats for web based applications... combine this with the fact there is an Oracle IRM API that allows for the dynamic sealing of content in real time and you are able to build web based applications that can use IRM to protect certain areas of the browser based UI. Good examples of this are banking, financial and engineering web applications or anything that returns personally identifiable information to the browser. I have a demo of this which I hope to be creating a flash video from soon when I get the time.

The following is a very simple set of instructions to demonstrate how easy it is to use Oracle IRM. Below are three sealed documents that have been protected using Oracle IRM. Before you can play with them, you need to create an account and download/install the Oracle IRM Desktop.

• Register an Oracle IRM evaluation account on this blog
  
• Download and install the Oracle IRM desktop, you can do this from the links during the registration process or by going to the Oracle IRM download site
  

Here are three documents which have been sealed. Right click on the following links and save to your computer.

1. Download file Open the Announcement document. You will be prompted to authenticate and to change your password. As you login, please select the Login Automatically option. The announcement is read-only and its header indicates its classification and your IRM identity. The document suggests some simple tests that show how IRM is protecting the document.

2. Download file Open the Business Plan. The Business Plan is editable, but still protected. You can change the content, and cut and paste within the document, and to other documents sealed to the same context, but you cannot paste to an unsealed document. Again, the document contains some simple tests and the header reveals the classification.
   
   
3. Download file The Chairman's presentation is not accessible to you, but provides a constructive denial message that explains that this is a board document and provides contact details of the business users who might grant you access if appropriate. As a user, you can understand why you are denied access, and you know what to do if you think you need to be granted access.
   

Now try sealing a document of your own. Right-click on any Word document and select Seal To.... On the selection dialog, select L2 Sales (Oracle) and click OK. A sealed version of your document is created. Note that you are not offered the option to classify the document as a company announcement or a board document. Your rights constrain that too.

If you want to learn more and use our evaluation service to protect your own documents and look at the technology in more detail, please contact us.

Note: You will need to register an account on our Oracle IRM server and have installed the Oracle IRM Desktop to see the example sealed images in this article.

Oracle IRM has a wide list of supported formats, from Office documents, to PDF, XML, TXT CAD and even images. Protecting images can be very useful, say for instance you have high resolution, copyrighted JPEGs and you wish to control their distribution and use. Or maybe you want to protect a GIF file that contained confidential information about your network infrastructure, like the example below?

Or what if your marketing department needed to securely share a PNG image depicting the next latest and greatest device your company is creating? Loss of such information has been reported several times for companies like Nokia.

This demonstrates how Oracle IRM can simply protect JPEG, GIF and PNG images. Try taking a screenshot of any of the above, or attempt to gain a copy of the native image. We also have the ability to protect images dynamically. So if you had an application that generated images on the fly, such as graphs containing confidential information, the Oracle IRM technology can protect those documents on the fly!

Since 2002 the Oracle IRM technology has supported persistent control and protection of the common Microsoft Office formats, Word, Excel and PowerPoint. In 2008 we released the latest iteration of this mature integration, improving further the end user experience and functionality. Oracle IRM supports these formats when opened in Office 2000 thru to 2007, wider support for IRM documents than Microsoft themselves! For these office formats we provide the following controls:

• Advanced screen protection. Protecting only the area on the screen where secured content is being displayed.
  
• Copy and paste protection. Ensuring that if the user has rights to edit a document, they can only copy and paste information into another secured document.
  
• Powerful Office object model protection. Protecting the content inside the Office application from programmatic attack from the Office Macro and Document Object Model.
  
• Flexible offline caching. Ensuring that end users are able to use content offline, Oracle IRM transparently updates their rights to information offline whilst making sure changes are also reflected.
  
• Dynamic sealed fields. Information about the content and the user can be displayed within the document, like a watermark, such as username, IP address and time of access.

Excel is one of the more feature rich of the formats and this is reflected with the following additional controls:

• Formula visibility Allows you to enable or disable the visibility of formulas in Excel workbooks.   • Interact with cells Allows you to enter data into unprotected cells of Excel documents, allowing you to protect an entire spreadsheet but allow certain cells to be editable.   • Excel link support The ability to display content from one sealed workbook in the cells of another sealed workbook.   • Annotation Provides limited edit rights, allowing you to add comments to Excel documents. So, quite a lot of advanced things you can do when protecting Excel spreadsheets using Oracle IRM! You can experiment with a sealed Excel spreadsheet by registering for an account and downloading the sample sealed Excel file (Pictured right). The formula feature is very cool. It means all the intellectual property taking the form of formulas in your spreadsheets can be hidden whilst still allowing the end user to view the spreadsheet. Combine this with the interact right, and you can securely distribute spreadsheets with complex and valuable formulas yet still allow the end user to manipulate unprotected fields. Try it, download the document pictured to the right.

You can change the numbers in the cream colored fields and see how this affects the graph below. Yet you can't see the formulas that generates the numbers in column B. In the past people would convert such sensitive documents to the PDF format which would ensure the formulas were not accessible, yet loosing all the value and functionality of the Excel format.

Excel link support refers to the facility in Microsoft Excel to set up a link between workbooks by copying data (using Edit - Copy) from a cell in one workbook and then pasting it (using Edit - Paste Special) into a cell in the other workbook. Oracle IRM allows such links between workbooks only if both workbooks are sealed to the same context. This is a subtle yet important feature, Oracle focuses as much effort on the end user experience as it does the security, stability and scalability of the technology. Security does also have an impact, Oracle IRM will prevent unauthorized access to data. This means that if a link is created to a sealed workbook from an unsealed one, or if the user of one sealed workbook is not authorized to see the content of a sealed workbook linked to it, the content of a linked cell will be shown as "#REF".

Oracle IRM provides second to none controls over Excel documents. Consider also that this comes with none of the limitations that Microsoft's own IRM solution brings, such as Active Directory dependencies, requirements to upgrade to newer, more expensive versions of Office and lack of back office compatability and scalability. If you want to learn more and use our evaluation service to protect your own Excel documents, contact us.

One very useful feature of information rights management technologies is the ability to place dynamic fields or watermarks into IRM-protected (sealed) content. If the end user accessing the sealed document has been assigned the rights to print, these dynamic watermarks ensure information about the end user, the document and the time of access are written into the printed copies. It is also a nice reminder to end users whilst content is open that the document is protected.

Note: Dynamic watermarks are different from conventional watermarks in that they can contain information about the end user, and the end user’s environment (e.g. the hostname of the computer on which the content is being opened). Conventional watermarks only contain information about the author of the content, not the end user.

Oracle IRM provides this functionality for PDF, Word and Excel documents and there are a variety of dynamic watermark fields that can be inserted. Note this functionality does not use the native watermarking functionality inside Word, Excel or Acrobat so the use of the word “watermarking” could be misleading. When the Oracle IRM Desktop renders a document it searches for a specific list of fields embedded in the document. These fields are typically included at creation-time from a document template. When it finds a watermark field it replaces the field contents, depending upon the title of the field. Therefore a field with the name, OracleIRM_User, will be replaced with the name of the currently authenticated user.

Below is a sample PDF file that has been sealed and embedded into this page. Note that you require an account on our evaluation IRM server to view this content.

What follows is a list of available IRM watermark fields and a short description of their use:

OracleIRM_ClientIP: Local IP address of the computer accessing content.
OracleIRM_ClientVersion: Version number of the Oracle IRM Desktop.
OracleIRM_Context: IRM classification of the content.
OracleIRM_DefaultURL: URL to the status page shown when contact access is denied.
OracleIRM_FileName: Filename of the content being accessed.
OracleIRM_FilePath: Path to the file being accessed.
OracleIRM_HostName: Hostname of computer accessing content.
OracleIRM_ItemCode: Unique identifier of content.
OracleIRM_Language: Locale of computer.
OracleIRM_LicenceServerName: Name of the IRM service to which the content is sealed.
OracleIRM_Manufacturer: Name of vendor who created the IRM Desktop integration.
OracleIRM_MimeType: Unsealed MIME type.
OracleIRM_PrimaryServerURL: URL of the IRM service.
OracleIRM_PublicationTime: Trusted time and date the content was sealed.
OracleIRM_SealedBy: IRM user who sealed the content.
OracleIRM_Time: Trusted time at which the sealed content was opened.