<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
   <title>Oracle IRM, the official blog</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/" />
   <link rel="self" type="application/atom+xml" href="http://blogs.oracle.com/irm/xml/rss.xml" />
   <id>tag:blogs.oracle.com,2009:/irm//122</id>
   <updated>2009-11-17T23:50:18Z</updated>
   <subtitle>Insights into information rights management from leading expert Simon Thorpe</subtitle>
   <generator uri="http://www.sixapart.com/movabletype/">Movable Type Enterprise 4.23-en</generator>


<entry>
   <title>Encrypted Document Ownership: Whose File is it Anyway?</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/11/enrcypted_file_ownership_whose.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.15576</id>
   
   <published>2009-11-14T23:37:46Z</published>
   <updated>2009-11-17T23:50:18Z</updated>
   
   <summary>A frequently asked question is: &quot;What happens when the person who encrypted a number of files leaves the organization?&quot;. The concern behind the question is that an organization might find itself locked out of its own information assets, with critical...</summary>
   <author>
      <name>martin.abrahams</name>
      
   </author>
   
      <category term="General" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="author" label="author" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="encrypteddocument" label="encrypted document" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="oracleirm" label="oracle irm" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="ownership" label="ownership" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>A frequently asked question is: "What happens when the person who encrypted a number of files leaves the organization?". The concern behind the question is that an organization might find itself locked out of its own information assets, with critical business processes being held up while administrators figure out how to regain control so that policy can be amended as required. <br />
 <br />
A related question is: "What happens when an author changes role?". Most IRM solutions reserve special privileges for the original authors of documents, such that they may retain access after moving away from a particular project or role, creating security and compliance issues. They may also continue to be called upon to modify policy for those documents long after they have moved out of the relevant position.<br />
 <br />
With most solutions, the response is not to worry, because a superuser can always identify all of the documents owned by the outgoing user and transfer their ownership to someone else. Unfortunately, this means that IT override of access rights is a matter of routine, as staff turnover is an ongoing process. It also means that the new owner suddenly becomes responsible for, potentially, a large number of documents protected in a variety of ways by someone who can no longer be referred to for clarification. <br />
 <br />
<table cellspacing="3" cellpadding="0" border="0"><tr><td valign="top">With Oracle IRM, the answer is much cleaner. In standard deployments, the solution places no particular significance on who authored a document - documents belong to their classifications rather than to the individuals or applications that created them. If an author leaves the organization or the project, their documents continue to be protected according to classification policy. The author himself may well lose access rights because his account has been deleted, or because his rights have been updated to reflect a change of responsibilities within the organization.</td><td valign="top"><img alt="a_man_throwing_papers.jpg" src="http://blogs.oracle.com/irm/images/a_man_throwing_papers.jpg" width="377" height="256" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></td></tr></table>The focus shifts, therefore, to the classification or context managers. What happens when they move on? In most cases, the role of classification manager is shared by a small number of business users, so the departure of one has no impact. If not, the departing user simply transfers their responsibility to an appropriate successor. This is a simple task that does not involve IT intervention and does not involve revisiting each of the individual documents.<br />
 <br />
And what of the admin burden for the incoming classification manager - suddenly responsible for managing rights to, potentially, thousands of documents? Well, one of the key benefits of the classification model is that the new manager can think in terms of policy for one classification rather than for thousands of distinct documents. <br />
 <br />
So, Oracle IRM does not suffer the administrative overhead that staff turnover creates for rival solutions. The overall policy set is small, it is managed by a small subset of users, and the responsibility is easily transferable without IT intervention. There is no need for IT to be granted rights to override policies defined by the business. <br />
 </p>]]>
      
   </content>
</entry>

<entry>
   <title>New Oracle IRM Desktop released and supports Windows 7</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/11/new_oracle_irm_desktop_release.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.15517</id>
   
   <published>2009-11-11T20:17:12Z</published>
   <updated>2009-11-11T23:20:11Z</updated>
   
   <summary>Released today is the latest version of the client software in the Oracle IRM technology suite, the IRM Desktop. As part of the move of the technology into Oracle&apos;s Fusion Middleware platform the new release now supports the following 27...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
   
      <category term="Functionality" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="10g" label="10g" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="newreleases" label="new releases" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="oracleirm" label="oracle irm" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>Released today is the latest version of the client software in the Oracle IRM technology suite, the IRM Desktop. As part of the move of the technology into Oracle's Fusion Middleware platform, the new release now supports the following 27 languages!</p>

<table align="center" cellspacing="0" border="1" cellpadding="5">
<tr><td>Arabic</td><td>German</td><td>Portuguese</td></tr>
<tr><td>Chinese - Simplified</td><td>Greek</td><td>Portuguese - Brazilian</td></tr>
<tr><td>Chinese - Traditional</td><td>Hebrew</td><td>Romanian</td></tr>
<tr><td>Czech</td><td>Hungarian</td><td>Russian</td></tr>
<tr><td>Danish</td><td>Italian</td><td>Slovak</td></tr>
<tr><td>Dutch</td><td>Japanese</td><td>Spanish</td></tr>
<tr><td>English</td><td>Korean</td><td>Swedish</td></tr>
<tr><td>Finnish</td><td>Norwegian</td><td>Thai</td></tr>
<tr><td>French</td><td>Polish</td><td>Turkish</td></tr>
</table>

<p>To ensure compatibility with the latest platforms we have also added support for:</p>
<ul><li>Windows 7 operating system</li>
<li>Adobe Reader 9.2</li>
<li>Lotus Notes 8.5</li>
</ul>
<p>Other headline features in this new release are:</p>
<h2>Right-click Unseal option</h2><p>If you have the right to save a sealed document as an unsealed copy (that is, to unseal a document), you can now do so by right-clicking the file name or icon and selecting the Unseal command (for example, in Windows Explorer or on the Windows desktop). This feature is available only for individual files: it is not available for multiple files, that is, at folder level.</p>

<h2>Choices about what happens to the unprotected originals of sealed files</h2><p>In previous releases, the original version of a sealed file was always retained in its unsealed state. In this release, the former behavior remains the default, but you can also choose to move the original file to the Recycle Bin or to "not retain" it. These options are available on the Desktop Sealing tab of the Oracle IRM Desktop Options dialog. If you choose the "Do not retain" option, the original file will be removed after a sealed version has been created. This is a normal file system deletion, not a complete destruction of the file, so if you are concerned that this does not provide adequate security, you may want to consider further action.</p>
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="10gR3pR5.2_DesktopSealingOptions.gif" src="http://blogs.oracle.com/irm/images/10gR3pR5.2_DesktopSealingOptions.gif" width="404" height="356" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>

<p>You can download this version from the <a href="http://www.oracle.com/technology/software/products/content-management/index_irm_desktop.html" target="_blank">Oracle Technology Network</a> (OTN). More information can also be found in the <a href="http://download.oracle.com/otn_software/sealed/PR52/oirm_releasenotes_10gr3pr5_2.pdf" target="_blank">release notes</a>.</p>]]>
      
   </content>
</entry>

<entry>
   <title>Oracle IRM at the Gartner Identity and Access Management Summit 2009</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/11/oracle_irm_at_the_gartner_iden.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.15393</id>
   
   <published>2009-11-05T18:22:25Z</published>
   <updated>2009-11-05T22:53:41Z</updated>
   
   <summary>A bit late notice, but I&apos;ve just been asked to attend the Gartner IAM summit in San Diego next week. I&apos;ll be available to discuss and demonstrate Oracle Information Rights Management, details of the summit below. Oracle is a Premier...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
   
   <category term="gartner" label="gartner" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="identityandaccessmanagement" label="identity and access management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="oracleirm" label="oracle irm" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[A bit late notice, but I've just been asked to attend the Gartner IAM summit in San Diego next week. I'll be available to discuss and demonstrate Oracle Information Rights Management, details of the summit below.
<br>
<table align="center" cellspacing="0" cellpadding="0" border="0">
  <tbody>
    <tr>

      <td>
          <font class="bodycopy">
            <table width="500" cellspacing="0" cellpadding="0" border="0">
              <link rel="stylesheet" type="text/css" href="http://www.oracle.com/admin/hp.css"/>
              <tbody>
                <tr> 
                  <td width="500" valign="top" class="bodycopy">
                    <p>
                      <img height="116" width="500" border="0" alt="Gartner Identity and Access Management Summit" src="http://www.oracle.com/dm/10h1images/gartner_ers_500x116.jpg"/>
                    </p>
                    <p class="bodycopy">Oracle is a Premier sponsor at the Gartner Identity and Access Management Summit this November 9 - 11, 2009 in San Diego, CA. Attendees will have the opportunity to meet with Oracle experts in a variety of sessions, including demonstrations during the showcase receptions.
                      <br/>
                    </p>
                    <ul>
                      <li type="disc">Oracle Customer Case Study and Solution Provider Session
                      </li>
                      <li type="disc">Oracle Solution Showcase Receptions
                      </li>
                      <li type="disc">Oracle Face to Face Meetings
                      </li>
                    </ul>
                    <br/>
                    <table width="50%" cellspacing="1" cellpadding="2" border="0" bgcolor="#cccccc" align="center">
                      <tbody>
                        <tr>
                          <td valign="top" bgcolor="#ffffff" align="center" class="bodycopy">
                            <br/>
                            <b>November 9 - 11, 2009 
                            </b>
                            <br/>
                            <br/>
                            Sheraton San Diego
                            <br/>
                            1380 Harbor Island Drive
                            <br/>
                            San Diego, CA  92101
                            <br/>
                            <br/>
                          </td>
                        </tr>
                      </tbody>
                    </table>
                    <br/>
                    Benefits of Attending
                    <br/>
                    <ul>
                      <li type="disc">Increase your company's agility and security by improving your IAM knowledge, and be better prepared to handle the current issues surrounding your IAM environment.
                      </li>
                      <li type="disc">Fine tune and maximize your IAM-related projects by leveraging the experience of an increasing network of peers.
                      </li>
                      <li type="disc">Better manage your own IAM-related initiatives by using Gartner's unbiased advice and information specific to your situation.
                      </li>
                      <li type="disc">Gain insight into which tools could enhance your IAM implementations, and possibly put your company one step ahead of the competition.
                      </li>
                      <li type="disc">Improve your company's security, efficiency, effectiveness, business agility, and productivity, by learning how to better manage your own IAM infrastructure.
                      </li>
                    </ul>
                    <br/>
                    <a class="bodylink" target="_blank" href="http://www.gartner.com/it/page.jsp?id=838920">Click here
                    </a> to view the agenda and to find out more about the Gartner IAM Summit.
                    <br/>

                  </td>
                </tr>
              </tbody>
            </table>
          </font>
        </p>
        <table width="100%" cellspacing="0" cellpadding="1" border="0">
          <tbody>
            <tr> 
              <td>



                <table width="100%" cellspacing="2" cellpadding="2" bordercolor="#000000" border="0">
                  <tbody>
                    <tr valign="top">
                      <td height="19" width="26%" bgcolor="#DDDDDD">
                        <font class="bodycopy">
                          <b>Date   
                          </b>
                        </font>
                      </td>
                      <td height="19" width="74%" bgcolor="#ffffff" colspan="2">
                        <font class="bodycopy">
                          09-November-2009 To 11-November-2009
                        </font>
                      </td>
                    </tr>

                    <tr valign="top">
                      <td height="38" width="26%" bgcolor="#DDDDDD">
                        <font class="bodycopy">
                          <b>Venue    
                          </b>
                        </font>
                      </td>
                      <td height="38" width="74%" bgcolor="#ffffff" colspan="2">
                        <font class="bodycopy">Sheraton San Diego
                        </font>
                      </td>
                    </tr>

                    <tr valign="top">
                      <td height="38" width="26%" bgcolor="#DDDDDD">
                        <font class="bodycopy">
                          <b>Street Address    
                          </b>
                        </font>
                      </td>
                      <td height="38" width="74%" bgcolor="#ffffff" colspan="2">
                        <font class="bodycopy">1380 Harbor Island Drive
                        </font>
                      </td>
                    </tr>

                    <tr valign="top">
                      <td height="19" width="26%" bgcolor="#DDDDDD">
                        <font class="bodycopy">
                          <b>City    
                          </b>
                        </font>
                      </td>
                      <td height="19" width="74%" bgcolor="#ffffff" colspan="2">
                        <font class="bodycopy">San Diego
                        </font>
                      </td>
                    </tr>

                    <tr valign="top">
                      <td height="19" width="26%" bgcolor="#DDDDDD">
                        <font class="bodycopy">
                          <b>State    
                          </b>
                        </font>
                      </td>
                      <td height="19" width="74%" bgcolor="#ffffff" colspan="2">
                        <font class="bodycopy">CA
                        </font>
                      </td>
                    </tr>

                    <tr valign="top">
                      <td height="19" width="26%" bgcolor="#DDDDDD">
                        <font class="bodycopy">
                          <b>Zip    
                          </b>
                        </font>
                      </td>
                      <td height="19" width="74%" bgcolor="#ffffff" colspan="2">
                        <font class="bodycopy">92101
                        </font>
                      </td>
                    </tr>

                    <tr valign="top">
                      <td height="19" width="26%" bgcolor="#DDDDDD">
                        <font class="bodycopy">
                          <b>Country    
                          </b>
                        </font>
                      </td>
                      <td height="19" width="74%" bgcolor="#ffffff" colspan="2">
                        <font class="bodycopy">United States
                        </font>
                      </td>
                    </tr>

                  </tbody>
                </table>

                <br/>
              </td>
            </tr>
          </tbody>
        </table>


        <br/>
        <br/>

      </td>
    </tr>
  </tbody>
</table>]]>
      
   </content>
</entry>

<entry>
   <title>Oracle IRM and the evolution of &quot;information-centric&quot; security</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/11/oracle_irm_and_the_evolution_o.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.15367</id>
   
   <published>2009-11-04T23:38:17Z</published>
   <updated>2009-11-04T23:57:43Z</updated>
   
   <summary>Whilst responding to an RFI I needed to describe how information rights management was positioned against many other types of technologies that use encryption to protect documents and emails. I thought it would make sense to write up the response...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
   
      <category term="General" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="datalossprevention" label="data loss prevention" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="dlp" label="dlp" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="oracleirm" label="oracle irm" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="pgp" label="pgp" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="pki" label="pki" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>Whilst responding to an <a href="http://en.wikipedia.org/wiki/Request_for_information" target="_blank">RFI </a>I needed to describe how information rights management was positioned against many other types of technologies that use encryption to protect documents and emails. I thought it would make sense to write up the response on the blog. The diagram below really highlights how information rights management is at the leading edge of using cryptographic technologies to protect your confidential information.</p>

<p><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Oracle IRM Evolution of information-centric security" src="http://blogs.oracle.com/irm/images/EvolutionOfInformationSecurity.jpg" width="624" height="394" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span></p>

<p>Information security is a crowded and confusing marketplace. Many security solutions are really infrastructure security, because they secure IT infrastructure and users from information (for example anti-virus, anti-spam, intrusion detection). Some information security solutions only attempt to secure information from external attack (for example firewalls).</p>

<p>The diagram above illustrates the evolution of "information-centric" solutions that, by securing information directly, attempt to secure information from accidental or deliberate leakage by internal and external users. This diagram is not entirely even-handed in that it does not show the benefits of earlier solutions, just their critical shortcomings - but the idea is to show how IRM for the first time sufficiently solves these limitations to be the first truly enterprise-viable "information centric" solution.</p>

<p>Information-centric security started with products like PGP, which used public key infrastructure (PKI) encryption to encrypt information, and provided document and email encryption products. Products like PGP have two killer shortcomings. Firstly they ask busy non-technical business people to understand and personally manage the principles of PKI cryptography - pass phrases, public keys, private keys, digital signing, encryption, decryption, public key rings, certificates, etc. And then, after jumping through all these PKI hoops, the PGP-like technologies still just pass the decrypted information off into the clear (decrypted) to the document and email applications, from which they can easily and untraceably be redistributed - there is no post-delivery protection or tracking. Invasive to user workflows and with dubious benefits (most leaks are made, accidentally or deliberately, by end users - not by eavesdropping on networks) these solutions have over a long period gained minimal traction. Many people have briefly played with PGP, or something like it, but it is rare to meet someone who still does.</p>

<p>"In-delivery" secure email products built on the encryption capabilities of PGP-like products, in an email context. As organizations began to see email as their leading vector for information leakage (deliberate or accidental - how often have you sent a confidential email to the wrong user?) they sought solutions for securing email. Almost all of these solutions operate by intercepting outbound emails, and for those marked or scanned as being confidential, they place them on an SSL-protected web site and send on a replacement email with a link back to the original email on the SSL-protected web site. When the users follow the link to collect the email they are typically required to authenticate and the original email is then obtained over a secure SSL connection. So the shortcomings of these solutions are clear - again they provide no post-delivery security (authorized users can still save out in the clear and forward), they only defend against eavesdropping (which is a much less common threat than redistribution) and they are ultimately email-only point solutions. While email remains the leading means of sharing information, there is also a huge amount of sharing via file shares, web, USB devices, etc.</p>

<p>The next major evolution of "information centric" security, which is currently generating significant interest, is gateway- or desktop-based filtering/monitoring. These technologies install software agents into gateways (such as email servers or web servers) or desktops that monitor outbound information flows, and scan the outbound emails, attachments and web pages for confidential information (such as social security numbers). It remains to be seen how effective these solutions are in practice, because they tend to be primarily passive (they are often detuned to prevent them blocking outbound information flows as a result of false positives) and act more as a deterrent; because they must monitor a bewildering number of perimeters in a modern network to be effective; and must sift through a staggering amount of legitimate traffic looking for a hopefully small amount of illegitimate traffic. But the fundamental shortcoming of these filtering/monitoring solutions is that they are effectively enterprise spyware: spying on internal information flows. Unfortunately most sensitive business processes involve sharing confidential information with external parties, and they are never going to allow your organization to spy on their networks to protect your information. So it would seem absurdly incomplete to spy on your own employees and then send the same confidential information unprotected and untracked into the networks of your partners, customers and suppliers.</p>

<p>Nevertheless there are considerable synergies between monitoring/filtering technologies and IRM - to help automate the sealing/classification of information. This is seen in the recent integrations between both <a href="http://blogs.oracle.com/irm/2009/10/oracle_irm_and_symantec_dlp_ve.html" target="_blank">DLP vendors and IRM</a> vendors.</p>

<p>Oracle Information Rights Management (IRM) is very much an evolution from all these earlier technologies. It uses the PKI encryption from PGP-style products, but hides all the complexity from end users. It uses the close integration with leading email clients of secure email. It shares the same desktop agent and policy server profile of desktop filtering, but is only active in the context of sealed/classified information. But unlike preceding solutions Oracle IRM provides pro-active, post-delivery protection and tracking; works just as well outside the firewall as inside; has a classification-based rights model that completely hides all the complexity of encryption and makes policy management straightforward; and secures documents, emails and web pages regardless of how they are shared - so Oracle IRM is a significantly more complete solution.</p>]]>
      
   </content>
</entry>

<entry>
   <title>Peer-to-peer network exposes document detailing US Congress ethics probes</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/11/peer-to-peer_network_exposes_d.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.15306</id>
   
   <published>2009-11-02T17:12:26Z</published>
   <updated>2009-11-05T22:55:17Z</updated>
   
   <summary>Over the weekend a document containing confidential information from one of the most secretive panels in Congress was floating about on a peer-to-peer network. Apparently a junior member of staff went home to work on the memo and stored the...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
   
      <category term="Data loss" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="congress" label="congress" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="dataloss" label="data loss" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="oracleirm" label="oracle irm" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Congress.jpg" src="http://blogs.oracle.com/irm/images/Congress.jpg" width="235" height="58" class="mt-image-left" style="float: left; margin: 0 10px 10px 0;" /></span>Over the weekend a <a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/10/29/AR2009102904597.html" target="_blank">document containing confidential information</a> from one of the most secretive panels in Congress was floating about on a peer-to-peer network. Apparently a junior member of staff went home to work on the memo and stored the document on a computer that also ran peer-to-peer networking software. The inevitable happened and the document was whisked away to the file sharing network to be available to thousands of other computers. The 22-page report contains details of sensitive ethics probes involving more than 30 lawmakers and aides compiled by the ethics committee in the House of Congress.</p>

<table border="0" cellpadding="3" cellspacing="0"><tr><td valign="top">The ethics committee is one of the most secretive panels in Congress, and its members and staff members sign oaths not to disclose any activities related to its past or present investigations. The 22-page "Committee on Standards Weekly Summary Report" gives brief summaries of ethics panel investigations of the conduct of 19 lawmakers and a few staff members. It also outlines the work of the new Office of Congressional Ethics, a quasi-independent body that initiates investigations and provides recommendations to the ethics committee. The document indicated that the office was reviewing the activities of 14 other lawmakers. Some were under review by both ethics bodies.<br><br>The leaked document, which was reported to the Washington Post, caused Democrat Zoe Lofgren, chairwoman of the House Ethics Committee, to interrupt House voting. She announced that the Washington Post had obtained a confidential ethics report and the newspaper had been contacting lawmakers named in the document. She described the release of the sensitive document as a form of hacking.<br><br>This incident highlights the dangers of not correctly protecting your most confidential information. Unfortunately the blame is usually pointed at the person who didn't follow instructions on how to handle such data. In this incident the member of staff was fired and the committee "is taking all appropriate steps to deal with this issue". House administration rules require that if a lawmaker or staff member takes work home, "all users of House sensitive information must protect the confidentiality of sensitive information" from unauthorized disclosure. I wonder what technologies are actually implemented to aid lawmakers and staff with actually protecting this information. 
</td><td valign="top"><img alt="zoe-lofgren.jpg" src="http://blogs.oracle.com/irm/images/zoe-lofgren.jpg" width="150" height="183" /><span style="font-family: Arial,Helvetica,sans-serif; font-size: medium; color: rgb(255, 0, 0);"><br>"I regret to report that there was a cyberhacking incident of a confidential document of the committee,"</span><br><span style="color: rgb(102, 0, 0);">Zoe Lofgren, (D CA)</span></td></tr></table>

<p>Information Rights Management could have easily helped avoid this situation. The memo could have been encrypted and secured, allowing the employee to work on the document wherever they wished. Then if the document had been transmitted across a peer-to-peer network, it would've been useless to anyone else because IRM ensures only authorized users can gain access to sealed content. This would've saved Congress the embarrassment and also saved the member of staff their job.</p>]]>
      
   </content>
</entry>

<entry>
   <title>Follow Oracle IRM on Facebook and Twitter</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/10/follow_oracle_irm_on_facebook.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.15234</id>
   
   <published>2009-10-28T05:32:18Z</published>
   <updated>2009-10-29T15:33:16Z</updated>
   
   <summary> Finally I gave in, too many people kept saying... &quot;you should have a twitter feed for your blog updates&quot;. Many in Oracle are embracing modern methods for communicating information about our technology and I decided to jump on the...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
   
      <category term="General" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="facebook" label="facebook" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="oracleirm" label="oracle irm" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="twitter" label="twitter" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="FacebookAndTwitter.gif" src="http://blogs.oracle.com/irm/images/FacebookAndTwitter.gif" width="428" height="333" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span><br />
Finally I gave in, too many people kept saying... "you should have a twitter feed for your blog updates". Many in Oracle are embracing modern methods for communicating information about our technology and I decided to jump on the bandwagon. You can follow Oracle IRM on <a href="http://twitter.com/oracleirm" target="_blank">Twitter</a> and also be a fan of our Oracle IRM page on <a href="http://www.facebook.com/pages/Oracle-Information-Rights-Management/133995301691?ref=ts" target="_blank">Facebook</a>.</p>]]>
      
   </content>
</entry>

<entry>
   <title>New version of Oracle IRM HotFolders released</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/10/new_version_of_oracle_irm_hotf.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.15233</id>
   
   <published>2009-10-28T04:22:46Z</published>
   <updated>2009-10-28T04:55:56Z</updated>
   
   <summary>Oracle has built an excellent website for people to share sample code and personal projects with the Oracle community. Over the coming months we are going to be sharing a lot of code we have been using for many years...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
   
   <category term="hotfolders" label="hotfolders" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="oracleirm" label="oracle irm" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="samplecode" label="sample code" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>Oracle has built an excellent website for people to share <a href="https://www.samplecode.oracle.com/" target="_blank">sample code</a> and personal projects with the Oracle community. Over the coming months we are going to be sharing a lot of code we have been using for many years to help customers build rich IRM solutions.</p>

<p>The first project to hit this website is our HotFolders capability which monitors folders for new content and automatically seals documents to a preconfigured classification. Martin Lambert (Oracle IRM creator and HotFolders author) has just uploaded the latest version, 1.7, of this sample project.</p>

<p>Access the project here: <a href="https://oracle-irm-hotfolders-java.samplecode.oracle.com/" target="_blank">https://oracle-irm-hotfolders-java.samplecode.oracle.com/</a>. Note that you will need to register for a free Oracle Technology Network account. Version 1.7 brings some new features:</p>

<ul>
<li><strong>Post-sealing action plugins</strong> - v1.7 introduces a simple plugin architecture for extending the functionality of Oracle IRM Hot Folders. This allows Java developers to easily implement post-sealing actions for files sealed to the correct classification in designated folders (either automatically sealed by Oracle IRM Hot Folders or sealed to the correct classification before being added to the folder).
<li><strong>'Shovel' file-moving plugin</strong> - The Shovel plugin moves correctly sealed files to a new location derived from their current location by regular expression matching. A use case is where a Data Loss Prevention (DLP) solution moves sensitive files to a quarantine folder, where they are sealed by Oracle IRM Hot Folders and then returned by the Shovel plugin to their original location. The source code for Shovel is provided to assist developers in creating their own plugins.
</ul>

<p>Keep an eye on the blog; we plan to release a whole raft of new sample projects and sample code over the coming months.</p>]]>
      
   </content>
</entry>

<entry>
   <title>Advanced notification of release of Oracle IRM 10.1.3.5.2 Desktop</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/10/advanced_notification_of_relea.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.15225</id>
   
   <published>2009-10-27T23:21:07Z</published>
   <updated>2009-10-29T16:27:30Z</updated>
   
   <summary>Just a quick note to say that within the next 2 weeks we will be releasing version 10.1.3.5.2 of the Oracle IRM Desktop. This desktop comes with the following updates; Support for the recently released Windows 7 operating system Support...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
   
      <category term="General" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="oracleirm" label="oracle irm" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>Just a quick note to say that within the next 2 weeks we will be releasing version 10.1.3.5.2 of the Oracle IRM Desktop. This desktop comes with the following updates:<br />
<ul><br />
<li>Support for the recently released Windows 7 operating system<br />
<li>Support for sealed PDFs opened with Adobe Reader 9.2<br />
<li>Sealed email support for Lotus Notes 8.5<br />
<li>Support for 27 different languages including Japanese, Chinese and Korean.<br />
<li>There have also been changes in the layout of the control panel and an improved user interface.<br />
</ul></p>

<p>This is a major release of the IRM Desktop and we expect most customers to upgrade to it after familiarization with the subtle design differences. Release notes will be made available at the time of release to Oracle Technology Network.</p>]]>
      
   </content>
</entry>

<entry>
   <title>Oracle IRM and Symantec DLP version 10 integration announced</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/10/oracle_irm_and_symantec_dlp_ve.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.15220</id>
   
   <published>2009-10-27T17:02:52Z</published>
   <updated>2009-10-27T18:41:05Z</updated>
   
   <summary> This morning Symantec announced the latest incarnation of their data loss prevention (DLP) technology, version 10. DLP technologies allow organizations to do discovery and monitoring of enterprise perimeters to detect the flow of sensitive information. When DLP detects something...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
   
      <category term="Demonstration" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Functionality" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="datalossprevention" label="data loss prevention" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="dlp" label="dlp" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="oracleirm" label="oracle irm" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="symantec" label="symantec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="youtube" label="youtube" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p><img alt="Symantec" src="http://blogs.oracle.com/irm/images/symantec.gif" width="326" height="37"/></p>

<p>This morning Symantec <a href="http://www.symantec.com/about/news/release/article.jsp?prid=20091027_02" target="_blank">announced</a> the latest incarnation of their <a href="http://www.symantec.com/business/products/family.jsp?familyid=data-loss-prevention" target="_blank">data loss prevention</a> (DLP) technology, version 10. DLP technologies allow organizations to perform discovery and monitoring of enterprise perimeters to detect the flow of sensitive information. When DLP detects something that is deemed confidential it can take some action upon it; typically this takes the form of blocking the information from being transmitted any further. However, combining <a href="http://blogs.oracle.com/irm/2008/11/oracle_irm_and_data_loss_preve.html" target="_blank">DLP with IRM</a> means you don't have to restrict the end user by blocking their attempts to collaborate. Instead, you can encrypt and protect the document or email so that it can be shared. IRM ensures only authorized users have access and provides advanced security controls, such as revocation, over the information even after it has left the control of your enterprise networks.</p>

<p>We've been working with Symantec over the past month to build an integration between Oracle IRM and DLP creating the most powerful security solution of any IRM and DLP combination. Oracle IRM is the leading rights management solution for enterprise-scale document and email security. Combining these features with Symantec's leading DLP solution means customers can now have rich monitoring and detection capabilities. Instead of blocking attempts to share valuable data, this solution allows it to happen securely. We first demonstrated this capability at Oracle Open World and if you were not able to attend, we've uploaded some video demonstrations to our <a href="http://www.youtube.com/oracleirm/" target="_blank">YouTube channel</a>.</p>

<p>If you want to learn more about using Oracle IRM and DLP together <a href="mailto:irm_evaluation_request_ww@oracle.com?subject=IRM%20and%20DLP%20evaluation%20request%20from%20the%20IRM%20Blog">contact us</a>.</p>

<center>
<object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/2T-HkUMwdB8&hl=en&fs=1&color1=0x5d1719&color2=0xcd311b&hd=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/2T-HkUMwdB8&hl=en&fs=1&color1=0x5d1719&color2=0xcd311b&hd=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object>

<object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/HVXrzpo8jxs&hl=en&fs=1&color1=0x5d1719&color2=0xcd311b&hd=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/HVXrzpo8jxs&hl=en&fs=1&color1=0x5d1719&color2=0xcd311b&hd=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object><br />
</center>]]>
      
   </content>
</entry>

<entry>
   <title>Oracle IRM Webcast: Secure Your Confidential Documents and E-Mail Everywhere They Are Stored and Used</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/10/oracle_irm_webcast_secure_your.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.15183</id>
   
   <published>2009-10-23T19:35:07Z</published>
   <updated>2009-10-23T19:51:04Z</updated>
   
   <summary>We&apos;ve just announced two webcasts for Oracle IRM, one in November and one in December. Click on the registration links below to join me live for a presentation and demonstration of information rights management done Oracle style :) Secure Your...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
   
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="oracleirm" label="oracle irm" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="webcast" label="webcast" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[We've just announced two webcasts for Oracle IRM, one in November and one in December. Click on the registration links below to join me live for a presentation and demonstration of information rights management done Oracle style :)<br><br>

<table width="614" cellspacing="0" cellpadding="0" border="0" align="center" style="border: 1px solid rgb(179, 179, 179);">
  <tbody><tr>
    <td bgcolor="#ffffff"><table width="614" cellspacing="0" cellpadding="0" border="0">
      <tbody><tr>
        <td bgcolor="#ff0000"><font face="Arial, Helvetica, sans-serif"><img hspace="21" height="30" width="123" alt="Oracle Corporation" src="http://www.oracle.com/dm/global_images/oracle_white2.gif"/></font></td>
      </tr>
      <tr>
        <td width="414"><img height="232" width="614" alt="Secure Your Confidential Content--Even Beyond the Firewall " src="http://www.oracle.com/dm/design/events/images/09030834_feature.jpg"/></td>
      </tr>
      <tr>
        <td><table width="100%" cellspacing="0" align="center" style="border-bottom: 1px solid rgb(179, 179, 179);">
          <tbody><tr>
            <td width="399" valign="top" style="padding: 20px 10px 20px 20px;"><p><font face="Arial, Helvetica, sans-serif" size="2"><strong>Secure Your Confidential Documents and E-Mail Everywhere They Are Stored and Used</strong></font></p>
                  
              <p><font face="Arial, Helvetica, sans-serif" size="2">
           Controlling access to confidential information has never been more important. News agencies continue to report on data breaches resulting from criminal hacking, lost laptops, and incorrectly addressed e-mail. As public awareness grows, enterprises are not only required to implement preventive controls, but also to audit and demonstrate continuous compliance.

           <br/>
           <br/>
           Oracle's complete information security solution manages data access everywhere data is used, stored, copied, and forwarded--even after leaving your servers. Join us for a <strong>FREE live Webcast</strong> to learn how Oracle Information Rights Management enables companies to:</font></p>
                
             
                  <ul>
                      <li><font face="Arial, Helvetica, sans-serif" size="2">Control and audit access to sensitive documents and e-mail wherever they reside, even after they have been shared with customers, partners, and suppliers</font></li>
                      <li><font face="Arial, Helvetica, sans-serif" size="2">Revoke access to secured content after employees leave or partnerships end  </font></li>
                      <li><font face="Arial, Helvetica, sans-serif" size="2">Manage access to sensitive content without granting access to IT administrators</font></li>
                      <li><font face="Arial, Helvetica, sans-serif" size="2">Scale security across tens of thousands of documents and users, based on clear information classification policies</font></li>
                  </ul>
              
                                 <p><font face="Arial, Helvetica, sans-serif" size="2">Register now for this <strong>FREE Webcast</strong> on either <a target="_blank" href="http://event.on24.com/r.htm?e=171980&amp;s=1&amp;k=E63E9582CD1B5C4FF7F268440E479AAE&amp;partnerref=Evite"><font color="#ff0000"><br/>
                                  Thursday, November 19, 2009,</font></a> or <a target="_blank" href="http://event.on24.com/r.htm?e=171988&amp;s=1&amp;k=6599DDCEEF5C3B53C5D368ED0C393564&amp;partnerref=Evite"><font color="#ff0000">Thursday, December 3, 2009</font></a>. Don't miss the chance to learn how you can secure your confidential content--even beyond the firewall.</font></p> <br/>
              <br/></td>
<td width="209" valign="top" align="center" style="padding: 0px 0px 13px;"><table width="177" cellspacing="0" cellpadding="0" border="0" bgcolor="#ffffff" align="center" style="margin-top: 0px;">
  <tbody><tr><td width="200" valign="top" align="center" style="padding: 13px 0px 14px;"><table width="183" cellspacing="0" cellpadding="0" border="0" align="center" style="margin-top: 5px;">
          <tbody><tr>
            <td width="183" style="border: 1px solid rgb(179, 179, 179); padding: 10px;"><p align="left"><font face="Arial, Helvetica, sans-serif" size="2" color="#000000"><strong>Register Now <br/>
              <br/>
              </strong>For your convenience, this Webcast will be presented twice. Register for the Webcast date of your choice.</font></p>
                <p align="left"><a target="_blank" href="http://event.on24.com/r.htm?e=171980&amp;s=1&amp;k=E63E9582CD1B5C4FF7F268440E479AAE&amp;partnerref=Evite"><font face="Arial, Helvetica, sans-serif" size="2" color="#ff0000"><strong>Thursday, Nov. 19, 2009 
                        <br/>
                        10 a.m. PT / 1 p.m. ET</strong></font></a></p>
              <p align="left"><a target="_blank" href="http://event.on24.com/r.htm?e=171988&amp;s=1&amp;k=6599DDCEEF5C3B53C5D368ED0C393564&amp;partnerref=Evite"><font face="Arial, Helvetica, sans-serif" size="2" color="#ff0000"><strong>Thursday, Dec. 3, 2009 
                      <br/>
                      10 a.m. PT / 1 p.m. ET</strong></font></a></p></td>
          </tr>
        </tbody></table>
        <br/>
   <table width="183" cellspacing="0" cellpadding="0" border="0">
  <tbody><tr>
    <td style="border: 1px solid rgb(179, 179, 179); padding: 11px;"><table width="100%" cellspacing="0" cellpadding="0" border="0" align="center">
      <tbody><tr>
        <td height="65" width="35%" valign="top" align="left"><table width="52" cellspacing="0" cellpadding="0" border="0" align="center">
            <tbody><tr>
              <td width="109" style="border: 1px solid rgb(179, 179, 179); padding: 1px;"><img height="63" width="50" alt="Simon Thorpe" src="http://www.oracle.com/dm/design/images/simon_thorpe_50x63.jpg"/></td>
            </tr>
        </tbody></table></td>
        <td width="65%" valign="top" align="left" style="padding: 0px 0px 0px 5px;"><font face="Arial, Helvetica, sans-serif" size="1" color="#000000"><strong>Simon Thorpe </strong></font><font size="1"><br/>
              <font face="Arial, Helvetica, sans-serif" color="#000000">Oracle Information Rights Management security expert, Oracle </font></font></td>
      </tr>
    </tbody></table></td>
    </tr>
</tbody></table>
    
    </td>
  </tr>
</tbody></table>
</td>
          </tr>
        </tbody></table></td>
      </tr>
    </tbody></table></td>
  </tr>
</tbody></table>]]>
      
   </content>
</entry>

<entry>
   <title>Oracle IRM at Open World 2009</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/10/oracle_irm_at_open_world.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.15002</id>
   
   <published>2009-10-14T03:21:17Z</published>
   <updated>2009-10-14T19:55:06Z</updated>
   
   <summary>Wow, a busy two days at Oracle Open World. All the IRM team are around the demoGrounds booth W105 in Moscone West helping customers and the public learn about Oracle IRM working with the wide range of Oracle applications, content...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
   
      <category term="Oracle Open World 2009" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="dlp" label="dlp" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="oow" label="oow" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="openworld2009" label="open world 2009" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="symantec" label="symantec" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>Wow, a busy two days at <a href="http://www.oracle.com/us/openworld/index.htm" target="_blank">Oracle Open World</a>. All the IRM team are around the <a href="http://www.oracle.com/us/openworld/018166.htm" target="_blank">demoGrounds</a> booth W105 in <a href="http://en.wikipedia.org/wiki/Moscone_West" target="_blank">Moscone West</a> helping customers and the public learn about Oracle IRM working with the wide range of Oracle applications, content solutions, portals and of course security technologies. </p>

<p><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Martin Lambert, Andy Peet, Ryan Carroll at Oracle Open World" src="http://blogs.oracle.com/irm/images/oow09/MartinAndyRyan.jpg" width="550" height="292" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span><br />
<font color="red"><strong>From left to right, Ryan Carroll - VP IRM development, Andy Peet - IRM product manager, Martin Lambert - IRM founder and Oracle CTO</strong></font></p>

<p>Unfortunately James Wallace-Hadrill, one of our European consultants, was unable to make the conference due to a last minute customer engagement. Therefore his IRM presentation slot has fallen to myself (which I'm still working on at 10pm) and you can join me at 1:30pm on Thursday in Moscone South, room 304. If you don't get the chance to be there due to travel arrangements, no worries, I'll be recording all the presentation and demonstration material and putting it on our <a href="http://www.youtube.com/oracleirm/" target="_blank">YouTube channel</a> later in the week.</p>

<p>So if you are at Open World, come by W105 and say hi, we've got some very cool technology we can show you.</p>]]>
      
   </content>
</entry>

<entry>
   <title>IRM, ERM, EDRM, DRM! What does it all mean?</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/10/irm_erm_edrm_drm_what_does_it.html" />
   <id>tag:blogs.oracle.com,2010:/irm//122.5194</id>
   
   <published>2009-10-09T17:38:58Z</published>
   <updated>2009-11-18T06:24:25Z</updated>
   
   <summary>When talking with customers they often ask if Oracle IRM is a DRM technology. I thought I would therefore go over the main differences between the consumer technology world of DRM and the business world of IRM (or ERM/EDRM). First...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
   
      <category term="General" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="drm" label="drm" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="edrm" label="edrm" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="erm" label="erm" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>When talking with customers they often ask if Oracle IRM is a DRM technology. I thought I would therefore go over the main differences between the consumer technology world of DRM and the business world of IRM (or ERM/EDRM). First let's detail what the acronyms stand for.<br />
<ul><br />
<li><A href="http://en.wikipedia.org/wiki/Information_Rights_Management" target="_blank">IRM - Information Rights Management</a><br />
<li><a href="http://en.wikipedia.org/wiki/Digital_rights_management" target="_blank">DRM - Digital Rights Management</a><br />
<li><A href="http://en.wikipedia.org/wiki/EDRM" target="_blank">EDRM - Enterprise Digital Rights Management</a><br />
<li>ERM - Enterprise Rights Management<br />
<li><a href="http://en.wikipedia.org/wiki/Rights_Management_Services" target="_blank">RMS - Rights Management Services</a>, specific to the Microsoft IRM technology<br />
</ul></p>

<p>Whilst at first glance it might seem like all of these technologies do the same thing, DRM is the odd one out and the others can be grouped together. In the early days IRM technologies were labeled as ERM in an attempt to separate them from DRM; the term IRM came later as the market matured. For simplicity's sake, in this article technologies such as ERM, EDRM and RMS will be discussed under the acronym IRM unless specifically mentioned.</p>

<h2>What is the difference between DRM and IRM?</h2>
All of the technologies above use encryption to protect digital content and apply some form of rights control so the owner of the information can control who can open it. That is where the similarities end and the confusion begins. There are some general statements which can be made to define the differences between the two.

<ul>
<li>DRM refers to technologies that control access to common media formats, such as music, video and digitally published material (e.g. high value financial analysis reports)
<li>IRM refers to technologies which control access to enterprise generated content, such as engineering intellectual property, HR documents, patient health records, company financial reports, sensitive email communication
<li>Most enterprise based technologies (although not Oracle IRM) were developed from either an existing DRM technology, or at least from the same ideals and methods
</ul>

<p>The first two points are very important with regards to how the technologies are perceived by end users and the main goal for the implementation of the technology. Consider the following scenarios.</p>

<p>1. You purchase a favorite song in digital form and download it to your computer. You want to play this song on your laptop, on your MP3 player and also in your home CD player. Yet due to a technology used by the retailer that sold you the song, you can only play the music on a limited number of devices.</p>

<p>2. Your doctor stores your health information on his laptop inside documents that are encrypted and use rights controls to ensure only your doctor and authorized medical staff can open them.</p>

<p>DRM applies to the first situation and consumers are typically unhappy that technology is trying to dictate what they can do with content they've purchased. People are used to playing their music on a variety of devices and want to copy the information to whatever device they wish. DRM is typically about protecting the rights of the content owner from being abused; the consumer of that information doesn't necessarily care about the misuse of the content. This has led to a constant battle between DRM technologies and the users, with thousands trying to break/hack the DRM so they can use content as they wish.</p>

<p>IRM, however, addresses a very different issue. It is about helping businesses keep secrets secret. That information might be your health records or your personal HR data at your place of work, or it might be the intellectual property your company owns which allows it to keep ahead of the competition and keep you employed. End users have a very different view of IRM: they want to use it, because it helps protect them and their company's data.</p>

<p>So DRM focuses mainly on protecting business-to-consumer content, whereas IRM focuses on enterprise content. This is important because it drives the technology in different ways. For instance, consider the following.</p>

<p>DRM protects a single file which is to only be opened by the purchaser, so the rights are embedded and delivered with the file. This works in a DRM model, because you want only the end user to access the content. </p>

<p>IRM is typically used in different scenarios, such as:</p>

<p>IRM protects a single file which is to be opened by 500 sales employees. After 6 months, half of the employees leave the company, taking a copy of the file with them, and another 250 people are hired. Of these people, 15 are promoted to manager and their rights to the document are increased so they are allowed to print copies.</p>

<p>To support the above you can't store any rights specific information in the document itself because the rights do change over time. You need to have a way to change rights to the document with having to re-distribute it. Oracle IRM does this by <a href="http://blogs.oracle.com/irm/2009/02/the_beauty_of_seperating_right.html" target="_blank">separating the rights</a> from the content. Oracle IRM has, from day one, kept all rights information outside the file itself and on the network server. Access and rights are granted at the point when the document is opened. Locally cached rights, an authenticated user and the encrypted document, all come together at once.</p>

<p>Other IRM technologies have been developed from DRM technologies or they have used the same design methods. This is what prevents them from being truly enterprise scalable.</p>

<p>Finally, IRM can be used to solve some DRM problems. Oracle IRM has been successfully implemented by publishers to protect high value content in PDF documents. This is a classic business to consumer model, but Oracle IRM, due to its scalable and more effective implementation of encryption, works and can deliver an effective solution.</p>]]>
      
   </content>
</entry>

<entry>
   <title>Sealed Solutions partners with Outpost24</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/10/german_irm_partner_sealed_solu_1.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.14840</id>
   
   <published>2009-10-08T17:20:33Z</published>
   <updated>2009-10-08T17:38:00Z</updated>
   
   <summary>There has been a lot of partner activity with IRM recently, more information will be coming out over the next few months. Right now one partner in Germany, Sealed Solutions GmbH, has just teamed up with a vulnerability assessment and...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
   
      <category term="General" scheme="http://www.sixapart.com/ns/types#category" />
   
      <category term="Partners" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="grc" label="grc" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="partners" label="partners" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p><a href="http://www.sealedsolutions.com/" target="_blank"><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Sealed Solutions GmbH" src="http://blogs.oracle.com/irm/images/SealedSolutionsLogo.jpg" width="222" height="56" class="mt-image-left" style="float: left; margin: 0 20px 20px 0;" /></span></a>There has been a lot of partner activity with IRM recently; more information will be coming out over the next few months. Right now one partner in Germany, <a href="http://www.sealedsolutions.com/" target="_blank">Sealed Solutions GmbH</a>, has just <a href="http://www.prlog.org/10360568-sealed-solutions-gmbh-partners-with-outpost24.html" target="_blank">teamed up with</a> a vulnerability assessment and management company, <a href="http://www.outpost24.com/" target="_blank">Outpost24</a>, to bolster its information rights management practice.</p>

<p>Sealed Solutions are a leading provider of Oracle IRM services in Germany and the partnership with Outpost24 will increase their ability to fulfill major GRC (Governance, Risk and Compliance) requirements with vulnerability assessment and management best practices to ensure the protection and handling of customers' confidential information and data. </p>

<p>Norbert Bacher, CEO Sealed Solutions GmbH, was quoted as saying, "With the technology provided by Outpost24, we are now able to secure and protect not only confidential e-mails and other sensitive information like we do with our Information Rights Management solutions, but are pleased to now be able to protect our customer's organizational centerpiece - 'the network'. Both from the inside, as well as the outside. Outpost24's Vulnerability Management solutions are an excellent complement to our current Information Rights, Security and GRC solutions." </p>

<center><object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/OYceympj3kM&hl=en&fs=1&rel=0&color1=0x5d1719&color2=0xcd311b"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/OYceympj3kM&hl=en&fs=1&rel=0&color1=0x5d1719&color2=0xcd311b" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object></center>]]>
      
   </content>
</entry>

<entry>
   <title>Oracle IRM contexts, a smart way to implement your corporate classification policies</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/10/oracle_irm_contexts_a_smart_wa.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.14797</id>
   
   <published>2009-10-07T05:04:37Z</published>
   <updated>2009-10-07T05:57:22Z</updated>
   
   <summary>A central concept of the Oracle IRM solution is the security context. So what are contexts and how do they help you protect sensitive information in a secure, usable, and manageable way? In the Oracle IRM solution, a context represents...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
   
      <category term="General" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="context" label="context" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="corporateclassificationpolicy" label="corporate classification policy" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="iso17799" label="iso 17799" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>A central concept of the Oracle IRM solution is the security context. So what are contexts and how do they help you protect sensitive information in a secure, usable, and manageable way? In the Oracle IRM solution, a context represents a set of related information and the rights of users to work with that information. For example, a typical enterprise might use the following contexts to manage the rights to access and work with some of its most sensitive information:</p>

<p><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Oracle IRM contexts examples" src="http://blogs.oracle.com/irm/images/IRMContexts.gif" width="216" height="62" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span></p>

<p>To protect a sensitive document from unauthorized access and modification, all you need to do is <strong>seal</strong> it to the relevant context. Once sealed, the document is protected by the rights defined for the context. </p>

<p><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Choosing an Oracle IRM context" src="http://blogs.oracle.com/irm/images/IRMChosingAContext.gif" width="380" height="257" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span></p>

<p>For example, sealing the board minutes to the <strong>sensitive board communication</strong> context, as shown above, might ensure that the minutes are accessible only to the board members and their personal assistants. To simplify the assignment of different rights to different users, each context contains roles such as <strong>Contributor</strong>, <strong>Reviewer</strong>, and <strong>Reader</strong>. A particular user might be a <strong>Contributor</strong> in <strong>sensitive board communication</strong> and a <strong>Reader</strong> in <strong>confidential engineering research</strong>.</p>

<h2>Contexts and Security</h2>
Rather than allowing individual users to configure rights for individual documents, the Oracle IRM solution simply requires users to select the appropriate context for those documents, as shown for the board minutes above. Once sealed, all documents in a context are automatically subject to any future amendment to the rights - no matter who created the documents or how many copies have been distributed within and beyond the enterprise. Contexts ensure that rights management is not arbitrary. Users cannot simply invent new policy for particular documents or emails, so the enterprise retains overall control of information security and has a powerful mechanism for implementing any <a href="http://www.businessdictionary.com/definition/corporate-policy.html" target="_blank">corporate classification policies</a>.

<h2>Contexts and Usability</h2>
Any solution that is not easy to use is unlikely to provide the security that an enterprise is seeking. Rather than requiring users to consider in detail what rights are appropriate for particular documents, Oracle IRM simply requires users to seal documents to the appropriate context. Further, Oracle IRM controls the right to seal documents such that, for example, only board members and their personal assistants can create new documents in <strong>sensitive board communication</strong>. Thus, the enterprise can be confident that only authorized users contribute to each context. By creating contexts that relate very clearly to enterprise business processes and exposing users only to contexts that are relevant to their role, an enterprise can be confident that information will be protected appropriately because users can easily understand what is required of them and are not exposed to detailed choices that they might use inconsistently.

<h2>Contexts and Manageability</h2>
The simplicity of contexts and roles means that day-to-day rights management tasks are handled by the most appropriate business users. In many live deployments, the rights to board documents are managed by the PA of the CEO or Company Secretary, and doing so is as simple as assigning roles to users and groups.

<p>By avoiding the need to manage and propagate the rights to thousands of individual documents, the solution can scale to meet the needs of even the largest enterprise. Finally, contexts enable policy changes to be applied at any time to thousands of documents - regardless of where those documents are. Rights can be assigned and unassigned as required without having to locate and modify each of the documents.</p>

<h2>Standard Roles for Enterprise Rights Management</h2>
Finally, to help organizations to quickly deploy and create contexts the Oracle IRM solution provides a standardized set of roles that are ready to be assigned out-of-the-box - roles such as <strong>Contributor</strong>, <strong>Reviewer</strong>, and <strong>Reader</strong>.

<p>Each role defines a set of rights that are appropriate to that role. For example, a <strong>Contributor</strong> has the right to create and edit sensitive documents, whereas a <strong>Reviewer</strong> can only edit existing documents and change tracking is enforced. These roles are then assigned to users for particular workflows and information classifications. Commonly these assignments are done by group membership inside your corporate user directory. So simply adding a user to one or more groups in, say, Active Directory would immediately give them access to thousands of documents secured against those classifications. Conversely, when they leave the organization and their account is deleted from Active Directory, all the documents they had copied to their USB device are now useless.</p>

<p>Where necessary, the standard roles can be tailored or extended, but Oracle has used the experience gained from numerous enterprise deployments to provide a set of roles that meet the needs of most clients. So what are the standard roles and what do they allow users to do?<br />
<h2>Standard Roles Overview</h2>Out-of-the-box, Oracle IRM provides five standard roles for controlling access to sensitive documents and email:</p>

<p><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="IRMStandardRoles.gif" src="http://blogs.oracle.com/irm/images/IRMStandardRoles.gif" width="355" height="91" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span></p>

<p><strong>Contributors</strong> are the people who are authorized to create and edit documents in a particular context. They can open and search and print documents that are sealed to the context. <strong>Reviewers</strong> are authorized to edit sealed documents and email, but change tracking is enforced. They can also open and search and print sealed documents and email but are not authorized to create new sealed documents or email - they can only review or reply to documents and email created by <strong>Contributors</strong>. The <strong>Reader</strong> role allows opening, searching and printing of sealed documents but they cannot create or edit. The <strong>Reader (no print)</strong> is the same except they obviously have no rights to print. </p>

<p>Finally, <strong>Item Readers</strong> are authorized to open and search particular sealed documents. This allows people to be added to contexts which contain large amounts of protected information and yet open only a few identified documents. This role is designed to be the exception to the rules defined by all the contexts on the system; otherwise, managing lists of users' rights to specific documents quickly becomes unmanageable.</p>

<p>Oracle also recognizes the need to control access to these roles so that they are assigned appropriately. Oracle IRM therefore defines standardized administrative roles, the most significant being:</p>

<p><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="IRMStandardAdminRoles.gif" src="http://blogs.oracle.com/irm/images/IRMStandardAdminRoles.gif" width="166" height="79" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span></p>

<p><strong>Context Owners</strong> are authorized to assign roles, and are typically the owners of confidential information and work flows. <strong>System Owners</strong> are authorized to create new contexts and make the initial assignment of the <strong>Context Owner</strong> role. Their involvement in a particular context might end soon after that initial assignment. </p>

<p>If you want to learn more about Oracle IRM, please have a look at our <a href="http://blogs.oracle.com/irm/simpledemo.html">simple online demo</a> or <a href="mailto:irm_evaluation_request_ww@oracle.com?subject=IRM%20technology%20evaluation%20request%20from%20the%20IRM%20Blog">contact us</a> for a more in depth evaluation.</p>]]>
      
   </content>
</entry>

<entry>
   <title> Taking the pain out of PKI, a modern approach to encryption</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/10/taking_the_pain_out_of_pki_a_m.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.14763</id>
   
   <published>2009-10-05T22:26:55Z</published>
   <updated>2009-10-05T22:33:35Z</updated>
   
   <summary>I was recently approached with a problem where an organization wanted to tie encryption directly to a smart card which the user carried with them. The requirement was that the device stored the cryptography keys that would be used in...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
   
      <category term="General" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="pki" label="pki" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>I was recently approached with a problem where an organization wanted to tie <a href="http://en.wikipedia.org/wiki/Encryption" target="_blank">encryption</a> directly to a <a href="http://en.wikipedia.org/wiki/Smart_card" target="_blank">smart card</a> which the user carried with them. The requirement was that the device stored the <a href="http://en.wikipedia.org/wiki/Cryptography" target="_blank">cryptography</a> keys that would be used in decrypting any information that the owner of the device is authorized to access. This led to a set of discussions which I've edited into the following article. Note that it is wise to have a <a href="http://www.ciphersbyritter.com/LEARNING.HTM" target="_blank">basic understanding</a> of cryptography before reading any further, as some of the concepts can be quite technical.<br />
<h2>The idea</h2>The requirement asks for all sensitive data to be encrypted so that only those who are authorized have access to the keys which decrypt the information. Because the source of the information may come from numerous locations, such as different database systems, applications, documents, emails, there is a desire to try and centralize the management and application of the cryptography. </p>

<p>In this particular case the idea was to use random <a href="http://en.wikipedia.org/wiki/Symmetric-key_algorithm" target="_blank">symmetric keys</a> (session keys) to encrypt the data. The session keys are then encrypted to the <a href="http://en.wikipedia.org/wiki/Public-key_cryptography" target="_blank">public keys</a> of the smart cards to which the data is being sent, so that they can only be decrypted by the corresponding smart card private key. <br />
<h3>Database encryption</h3>One of the first problems with this approach is that it cannot really be applied to <a href="http://en.wikipedia.org/wiki/Transparent_Data_Encryption" target="_blank">database encryption</a>, where all the encryption/decryption is done on the server-side by the database server (or server plugins or network interceptors). With Oracle database, only valid clients of the database can decrypt the content and these don't have access to the keys on the smart card.<br />
<h2>The problem</h2>The idea as described above has long been used within first generation PKI products such as PGP. While cryptographically very sound, it has serious usability flaws. The most important flaw is that if a thousand end users are to access the same piece of data then the session key for the data must be re-encrypted a thousand different times (to the public key of each user) and sent to each of the thousand users. If there are a thousand data items then a million encrypted session keys must be distributed between the thousand end users. I'm sure you can see where this is going. </p>

<p>Before server-based second generation PKI solutions, products would simply bundle the encrypted session keys in with the encrypted data. The encrypted data swelled in size (keys are not small) and different versions of the same data proliferated as new per-user encrypted session keys were added and removed. Before there are more than a few hundred users, the system quickly becomes unmanageable and requires significant infrastructure. Returning to the thousand user and thousand data item example: assuming 256-bit keys, the best possible overhead per data item is 32kb (in practice a lot more), but the killer problem is the proliferation of new versions of the same data with different key sets (as recipients are added/removed). This results in people having two copies of the same document on their computer and being able to open one but not the other, because different keys encrypt the data even though the content of the document is the same. This quickly becomes very confusing for the end user as well.</p>

<p>To address these shortcomings, second-generation encryption solutions moved the key management to servers (instead of including the encrypted session keys in the encrypted data), but all this has done is move the exponential complexity to the server. </p>

<p>One example of this move is the implementation in Microsoft RMS. All documents are encrypted using their own random symmetric session key. This key is then encrypted to the public key of the RMS server, until it is re-encrypted to a Windows-generated public key of the end user when the user obtains a first-use license. The per-file, per-user session key must then be stored on the desktop if offline access is desired. There are several usability problems with this. First, the per-file, per-user session key can only be recovered while online, so all first uses of encrypted documents must be while online (not good when an important business executive gets on a plane, loads a DVD and cannot access its encrypted content). Then, if a user has potential access to many thousands of documents (generally the case in large organizations), the volume of the per-file, per-user licenses (which include not only keys but also rights) precludes the repeated synchronization of those licenses from the server to the end user desktop. For Microsoft RMS this means administrators are forced to choose between offline use (cache use licenses on desktop in perpetuity) or possible future centralized revocation; they cannot have both. Yet offline use and revocation are both critical capabilities of RMS.<br />
<h2>The solution</h2>The problem above outlines that trying to tightly tie the cryptography used to protect the information to the user results in an unmanageable, unusable system where keys are tightly coupled with each copy of data they have encrypted. The solution is to separate the keys from both the content and the user and provide a logical model which applies these at the right time with an intelligent offline caching system.</p>

<p>Oracle IRM is an example of such a solution and offers a third generation of PKI. It generates symmetric keys for each classification of information. These keys are then securely shared with users authorized for those classifications and stored in encrypted offline caches tied to their Windows login. Documents are then secured against these classifications and encrypted against these keys.</p>

<p>Cryptographically this may appear at first glance less secure than per-file keys, but consider that all RMS files are encrypted using random symmetric keys derived from a single RMS server private key that can never be rotated. Oracle IRM files are encrypted from one of a set of per-classification keys that are cryptographically completely separate from each other and any other IRM server keys. These keys can be rotated and even destroyed without decommissioning the entire IRM server (and all the content managed by it). </p>

<p>While you can argue about the cryptography, the usability benefits are profound. A typical end user may only need to synchronize a handful of classifications and per-classification keys, resulting in Oracle IRM being able to provide hands-free offline working and timely revocation (because of the ease of repeated sync). Combined with per-classification role based access control (as opposed to Microsoft's 'ad hoc' per-file, per-user rights) this makes Oracle IRM usable at volume (users and files). Security without usability is no security at all.</p>
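
<p>The key-distribution arithmetic and revocation behaviour described above, as an added example that is not part of the original post and is not Oracle or Microsoft code. A toy HMAC-pad key wrap stands in for encrypting a session key to a smart card public key, and the class names, user names and the figure of five classifications are assumptions.</p>

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit keys, the size the article assumes


def wrap(kek, key):
    """Toy key wrap (XOR with an HMAC-SHA256 pad). It stands in for encrypting
    a session key to a recipient's public key and is not real cryptography."""
    nonce = secrets.token_bytes(16)
    pad = hmac.new(kek, nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(key, pad))


def unwrap(kek, blob):
    pad = hmac.new(kek, blob[:16], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob[16:], pad))


class BundledFile:
    """First-generation model: one wrapped session key per recipient, in the file."""

    def __init__(self, session_key, recipients):
        self.tag = hashlib.sha256(session_key).digest()  # model-only key check
        self.envelopes = {u: wrap(k, session_key) for u, k in recipients.items()}

    def key_overhead(self):
        return KEY_LEN * len(self.envelopes)  # best case: raw key bytes only

    def can_open(self, user, user_key):
        env = self.envelopes.get(user)
        if env is None:
            return False
        return hashlib.sha256(unwrap(user_key, env)).digest() == self.tag


class ClassificationServer:
    """Per-classification model: keys and membership stay on the server."""

    def __init__(self):
        self.keys, self.members = {}, {}

    def create(self, name, users):
        self.keys[name] = secrets.token_bytes(KEY_LEN)
        self.members[name] = set(users)

    def sync(self, user):
        """Offline cache a desktop agent would hold after synchronizing."""
        return {c: k for c, k in self.keys.items() if user in self.members[c]}


class SealedFile:
    """Carries only a classification label; no per-user data is embedded."""

    def __init__(self, classification, key):
        self.classification = classification
        self.tag = hashlib.sha256(key).digest()  # model-only key check

    def can_open(self, cache):
        key = cache.get(self.classification)
        return key is not None and hashlib.sha256(key).digest() == self.tag


def envelope_counts(n_users, n_docs, n_classifications):
    """Wrapped keys to distribute: per-file/per-user versus per-classification."""
    return n_users * n_docs, n_users * n_classifications


if __name__ == "__main__":
    people = {n: secrets.token_bytes(KEY_LEN) for n in ("alice", "bob", "carol")}
    sk = secrets.token_bytes(KEY_LEN)
    v1 = BundledFile(sk, {n: people[n] for n in ("alice", "bob")})
    v2 = BundledFile(sk, people)  # adding carol means issuing a new copy
    print("carol opens old copy:", v1.can_open("carol", people["carol"]))
    print("carol opens new copy:", v2.can_open("carol", people["carol"]))
    srv = ClassificationServer()
    srv.create("board", people)
    doc = SealedFile("board", srv.keys["board"])
    srv.members["board"].discard("bob")  # one server-side change, no file touched
    print("bob after next sync:", doc.can_open(srv.sync("bob")))
    # Five classifications per user is an assumed value for "a handful".
    print("wrapped keys to distribute:", envelope_counts(1000, 1000, 5))
```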

<p>Getting back to the smart card issue: Oracle IRM is about centralized key management, so it is unlikely that the smart card private key should be directly involved in the data encryption/decryption. The smart card is best placed to provide strong authentication for the end user's IRM desktop agent, which then requests access to that end user's set of per-classification keys. With such a solution you could protect millions of documents and share them with a million people, and with one simple change on the server you can revoke access to every single copy of that information ever made to all million users!<br />
</p>]]>
      
   </content>
</entry>

</feed>
