<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
   <title>Oracle IRM, the official blog</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/" />
   <link rel="self" type="application/atom+xml" href="http://blogs.oracle.com/irm/xml/rss.xml" />
   <id>tag:blogs.oracle.com,2009:/irm//122</id>
   <updated>2009-06-22T14:58:40Z</updated>
   <subtitle>Insights into information rights management from leading expert Simon Thorpe</subtitle>
   <generator uri="http://www.sixapart.com/movabletype/">Movable Type Enterprise 1.52-en-voltron-r47459-20070213</generator>

<entry>
   <title>Setting up an Oracle IRM server in a highly available environment</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/06/setting_up_an_oracle_irm_serve.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.12916</id>
   
   <published>2009-06-17T21:15:19Z</published>
   <updated>2009-06-22T14:58:40Z</updated>
   
   <summary>This article is way, way overdue. I&apos;ve had a few requests to describe how the Oracle IRM server can be set up in a high availability environment as described in my blog article here. It is possible to have a...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
         <category term="Functionality" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="failover" label="fail over" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="failover" label="failover" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="highavailability" label="high availability" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>This article is way, way overdue. I've had a few requests to describe how the Oracle IRM server can be set up in a high availability environment as described in my blog article <a href="http://blogs.oracle.com/irm/2008/07/high_availability_for_oracle_i.html" target="_blank">here</a>. It is possible to have a setup where more than one IRM server is in production and, if one fails, requests to the service are served from another IRM server, like the diagram below.<br />
<center><img alt="HighAvailability.gif" src="http://blogs.oracle.com/irm/images/HighAvailability.gif" width="600" height="565" /></center></p>

<p>Note that running the Oracle IRM server in fail over mode in this manner is supported but load balancing is not. The IRM server has not been designed nor tested in a load balanced mode simply because the performance of the system is so good you don't need to load balance systems together. Fail over to protect against network and operating system failure is however key for any highly available service.</p>

<p>I must also state the very obvious. Rehearse this setup on test systems <strong>BEFORE</strong> doing anything with a live production system and when you do install and configure the live server you <strong>MUST</strong> back up your IRM database.</p>

<p>This article requires you have the following;<ul><li>A fully working Oracle IRM server<br />
<li>Access to the Oracle IRM database server and schema<br />
<li>A second server with network access to the database server and a valid database ODBC client installed<br />
<li>A network device to monitor and direct the traffic between the two servers<br />
</ul></p>

<p>If these are in place you can now install the same version of the IRM server on the second server.</p>

<h2>Setting up a second or more Oracle IRM servers for failover</h2>
The Oracle IRM server installation process involves the following main activities. 
<ul>
<li>Deploy binaries to local file system, by default in;<ul><li><em>C:\Program Files\Oracle\Information Rights Management</em></ul><li>Write some registry keys
<li>Write out a configuration file called <strong>server.properties</strong> in the <em>properties</em> folder
<li>Build a schema in the database the installer has been pointed at
<li>Create a superuser account
</ul>
In a highly available fail over environment you configure the server to talk to a single database instance which represents a cluster of nodes. I have however seen customers set up two IRM servers, each with their own database, and have a mechanism like log shipping ensure that the standby server database is up to date for when a fail over happens. However, my own experience with log shipping and other methods is that the effort, time and risks involved are such that you might as well configure both database servers in a clustered mode. So in this article I'm going to prepare my IRM server against a common clustered instance of the database.

<p>Before we get into the installation, it is worth understanding the server startup procedure.<ul><li>Read in the <strong>server.properties</strong> in the <em>properties</em> folder.<br />
<li>Connect to the database using the connection string <strong>sealedmedia.server.persistence.database.odbc.connectionstring.encrypted</strong> from the file. Note this is obviously encrypted because it contains the username and password to the database.<br />
<li>Load the plugins as specified in the setting <strong>sealedmedia.server.plugins</strong> in the properties file.<br />
<li>Read the configuration for the server in from the table [prefix]config where [prefix] is the string from the setting <strong>sealedmedia.server.persistence.namespace</strong> in the file.<br />
<li>Open and start logging to both the audit and log files as specified by the file stored settings;<ul><li><strong>sealedmedia.server.logging.destination</strong><br />
<li><strong>sealedmedia.server.audit.destination</strong></ul><br />
<li>Open and start logging to the web log file determined by the <em>database</em> stored config setting <strong>sealedmedia.server.web.logging.path</strong><br />
<li>Start listening on the ports and IP addresses as specified in the sealedmedia.server.internal.port and sealedmedia.server.internal.bind as well as the .external. equivalents<br />
</ul></p>

<h3>Forcing configuration settings to the local IRM server installation</h3>
The above highlights that some configuration information comes from the local properties file and some is obtained after the server connects to the database. This presents a problem because there are some settings that reside in the database that might be specific to the local installation, such as logging directories. No worries, because there is a mechanism to have the server get settings from the local properties file and ignore the database. Open the server.properties and look for the line;
<br><br><font face="monospace">
sealedmedia.server.persistence.localsettings=
</font>
<br><br>
This lists all the other properties which should be read from the local file and not from the database, by default these are;
<br><br>
<font face="monospace">
sealedmedia.server.logging.destination<br>
sealedmedia.server.audit.destination<br>
sealedmedia.server.plugins<br>
sealedmedia.server.component.config.encryption.activated<br>
sealedmedia.server.nt.servicename<br>
sealedmedia.server.external.port<br>
sealedmedia.server.external.bind<br>
sealedmedia.server.internal.port<br>
sealedmedia.server.internal.bind<br>
sealedmedia.server.plugins.port<br>
sealedmedia.server.plugins.bind<br>
</font>
<br>
There is a slight oddity here in that one more log setting resides in the database which should ideally be a localised one. If you install both IRM servers in exactly the same location, it doesn't matter, but if the locations differ you'll need to add this setting to the <strong>sealedmedia.server.persistence.localsettings</strong> line;
<br><br>
<font face="Courier New">
sealedmedia.server.persistence.localsettings=sealedmedia.server.logging.destination,sealedmedia.server.audit.destination,sealedmedia.server.plugins,sealedmedia.server.component.config.encryption.activated,sealedmedia.server.nt.servicename,sealedmedia.server.external.port,sealedmedia.server.external.bind,sealedmedia.server.internal.port,sealedmedia.server.internal.bind,sealedmedia.server.plugins.port,sealedmedia.server.plugins.bind,<strong>sealedmedia.server.web.logging.path</strong>
</font>
<br><br>
Then create a new line like the one below in the properties file. Note that in the properties file you need to escape all the backslashes so that the line below would have <strong>C:\\Program Files\\Oracle\\Infor...</strong> and so on.
<br><br>
<font face="monospace">
sealedmedia.server.web.logging.path=C:\Program Files\Oracle\Information Rights Management\IRMServer\bin\..\log
</font>
<br><br>
Another aspect we need to consider is that of caching. It is advisable that all the caches on all the servers are disabled. The modern servers typically used to deploy IRM mean that switching off the caches doesn't really impact performance; it only slightly increases the importance of a reliable and fast database connection. Switching off the caching means that as you fail from one server to the next you are assured that serviced requests hit data in the database and that stale information is not delivered from the cache or written lazily to the database. Because we want to disable this on both servers we don't need to localize the settings, we can make the change to the values in the database. It doesn't matter when you do it, pre or post install, but here's how to disable all the caching.
<h3>Disabling the Oracle IRM server cache</h3>
Changes to the settings that reside in the database are made using the <strong>smconfig.exe</strong> tool that resides in the <em>IRMServer\bin</em> directory. There are three environment variables that are worth setting so you can just run smconfig without passing in the connection details each time. So start a command prompt on your existing IRM server installation and run the following, obviously substituting your own URL, ACCOUNT and PASSWORD;
<br><br>
<font face="monospace">
T:\Oracle\IRMServer\bin>set ORACLE_IRM_SERVER_URL=seal://localhost:<strong>2001</strong><br>
T:\Oracle\IRMServer\bin>set ORACLE_IRM_SERVER_ACCOUNT=superuser<br>
T:\Oracle\IRMServer\bin>set ORACLE_IRM_SERVER_PASSWORD=p455word<br>
T:\Oracle\IRMServer\bin>smconfig -server ping<br>
</font>
<br><br>
<strong>Important</strong> to note here is that this tool uses a port you may not be familiar with, 2001. This is the API port and is what the configuration tools for IRM use. By default this is enabled but you may have switched it off. You can re-enable this by connecting to the server using the Management Console as the superuser and under settings there is an <em>API traffic</em> applet where you can set the port and what addresses the server will listen on. If this is all working then the above ping command should return;
<br><br>
<font face="monospace">
Oracle IRM Server configuration tool.<br>
Copyright (c) 1996, 2008, Oracle. All rights reserved.<br>

<p>Connecting to [IRM Server]</p>

<p>seal://localhost:2001 is alive.<br />
</font><br />
Excellent, now let's change the caching settings;<br />
<font face="monospace"><br />
smconfig -setconfig sealedmedia.server.component.account.cache -value no<br />
smconfig -setconfig sealedmedia.server.component.security.cache -value no<br />
smconfig -setconfig sealedmedia.server.component.publisher.cache -value no<br />
smconfig -setconfig sealedmedia.server.component.group.cache -value no<br />
</font><br />
You can check all the settings in the config by running;<br />
<font face="monospace"><br />
smconfig -show config<br />
</font><br />
<h3>Installing the Oracle IRM server</h3>Finally it is time to install the second server. Start the installer, hit next and ensure you select <strong>custom</strong> for the setup type.<br />
<center><img alt="Oracle IRM custom setup" src="http://blogs.oracle.com/irm/images/failoversetup01.gif" width="504" height="379" /></center><br />
<br>Then choose your installation directory. Remember that if this is different from your first server you'll need to ensure your web logging root is configured for this local instance.<br />
<center><img alt="Choosing Oracle IRM server components" src="http://blogs.oracle.com/irm/images/failoversetup02.gif" width="504" height="379" /></center><br />
<br>Set up the ODBC connection to the clustered database using the <strong>same</strong> account credentials to connect.<br />
<center><img alt="Setting up Oracle IRM ODBC connection" src="http://blogs.oracle.com/irm/images/failoversetup03.gif" width="504" height="379" /></center><br />
<br>This is now the key area of the installation. The second field <strong>MUST</strong> be changed to be different from the first server otherwise you are going to drop and recreate all the tables for the production system!<br />
<center><img alt="failoversetup05.gif" src="http://blogs.oracle.com/irm/images/failoversetup05.gif" width="504" height="379" /></center><br />
<br>The server name might want to reflect the failover server and it doesn't matter what the superuser's details are because we will delete this data after install.<br />
<center><img alt="failoversetup06.gif" src="http://blogs.oracle.com/irm/images/failoversetup06.gif" width="504" height="379" /></center><br />
<br>Network settings are important, make sure these reflect the public hostname you have for the service and that it is listening on the correct local address. This address will be what the fail over network device will redirect traffic to.<br />
<center><img alt="failoversetup07.gif" src="http://blogs.oracle.com/irm/images/failoversetup07.gif" width="504" height="379" /><br />
<img alt="failoversetup08.gif" src="http://blogs.oracle.com/irm/images/failoversetup08.gif" width="504" height="379" /><br />
<img alt="failoversetup09.gif" src="http://blogs.oracle.com/irm/images/failoversetup09.gif" width="504" height="379" /></center><br />
<br>It is typical to have the service start as the local system account.<br />
<center><img alt="failoversetup10.gif" src="http://blogs.oracle.com/irm/images/failoversetup10.gif" width="504" height="379" /></center><br />
<br>Logging again is configured locally, you might want to consider having the server write to a shared drive where both servers store logs in a common area. Note if you do this, you may need to change the previous service account details so that the server runs under a user that has permissions to write to the shared folder.<br />
<center><img alt="failoversetup11.gif" src="http://blogs.oracle.com/irm/images/failoversetup11.gif" width="504" height="379" /><br />
<img alt="failoversetup12.gif" src="http://blogs.oracle.com/irm/images/failoversetup12.gif" width="504" height="379" /></center><br />
<br>Finally you are ready to go. Before hitting install make sure you've done a backup of the database.<br />
<center><img alt="failoversetup13.gif" src="http://blogs.oracle.com/irm/images/failoversetup13.gif" width="504" height="379" /></center></p>

<p>Nearly there! Now let's configure the environment so that the server points to the right data and not the fresh schema it has just created.<ul><li>First of all stop the Oracle IRM server service<br />
<li>Open the <strong>server.properties</strong> and change the setting <strong>sealedmedia.server.persistence.namespace</strong> to reflect the correct namespace which by default is <strong>irm</strong><br />
<li>If you need to, edit the <strong>sealedmedia.server.persistence.localsettings</strong> and add <strong>sealedmedia.server.web.logging.path</strong> details as explained previously in this article.<br />
</ul>Now you can start the second IRM server to test it can connect. Use the Management Console on the local machine to connect to the local instance and just browse a few users to check. You can leave the IRM server running and connected as long as <strong>no</strong> traffic is directed to it. There is no support for a system which has two IRM servers talking to the database at the same time, and doing so could potentially result in corrupted data. The network device needs to be configured to monitor the primary server and, when this isn't available, direct the requests onto the secondary. Testing from outside the local network you can determine which server is responding to the requests by using the following URL in any web browser.<br />
<font face="monospace"><br />
http://irm.domain.com:80/ping<br />
</font><br />
This will return;<br />
<font face="monospace"><br />
[IRM Server,SECONDARY_SERVER,5.4 release 5 build 10,19 Jun 2009 19:24:11 UTC]<br />
</font><br />
Where SECONDARY_SERVER is the netbios hostname of the Windows server that the IRM server is running on. This can be a useful URL for any monitoring tool to determine what service is currently active.</p>

<p>As a post clean up activity you may now wish to delete the tables that were created, there are also a few stored procedures, functions and packages depending on the database type you are using. You can drop the ones with any prefix which matches your secondary installation.</p>]]>
      
   </content>
</entry>
<entry>
   <title>Customizing the Oracle IRM status pages</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/06/customizing_the_oracle_irm_sta.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.12872</id>
   
   <published>2009-06-15T03:57:01Z</published>
   <updated>2009-06-15T16:44:06Z</updated>
   
   <summary>Ok, so very busy end of the year (Oracle Q4 just ended) and I&apos;m really sorry for a lack of activity on the blog. There is some very interesting news on the way however and things are going to liven...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
         <category term="Functionality" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>Ok, so very busy end of the year (Oracle Q4 just ended) and I'm really sorry for a lack of activity on the blog. There is some very interesting news on the way however and things are going to liven up significantly... watch this space...</p>

<p>In the meantime a question came through on the grapevine regarding the status pages in Oracle IRM. These are HTML web pages that are displayed to an end user when they don't have access to sealed content or they are for some other reason unloading a sealed document. Our mantra that security is nothing without an adequate user experience and a manageable administrative model is reinforced by these very flexible status pages. So often a security product will deny you access to a file, directory or other resource and all you get is an "Access denied" error with an OK button. Oracle IRM however sends the client to a web page of your choice to display a more informative error message, like the example below.</p>

<p><img border="0" alt="No license to content status page" src="http://blogs.oracle.com/irm/images/statuspage_nolic.gif" width="600" height="378" /></p>

<p>Out of the box Oracle IRM gives you a set of standard pages which look like the above. These can be customized at three levels. Actually, before I go into the customizations it's worth knowing of a simple test page that allows you to look at all the possible status codes and pass in some data to see how they render. You can look at our evaluation server test page <a href="http://smweb.evaluation.sealedmedia.com/status/test.asp?context=L2%20Sales%20(Oracle)">here</a>.</p>

<h2>Basic changes to status pages</h2>
<table border="0" cellspacing="0" cellpadding="0"><tr><td valign="top">Logging into the Oracle IRM Management website and clicking on "Settings" presents you with the dialog below. The first step here is that you can change the organization name that is displayed on the status pages. Not exactly the most uber of customizations, but you have to start somewhere right? You can also change the logo used on the pages to your own, simply replace the <strong>org_logo.gif</strong> in the folder <em>\smweb\custom</em>. More detail on this can be found in the <a href="http://blogs.oracle.com/irm/files/CoreCustomization.pdf">Oracle IRM core customization guide</a>.</td><td valign="top"><img alt="Oracle IRM Management website settings " src="http://blogs.oracle.com/irm/images/managementwebsite_settings.gif" width="407" height="299" /></td></tr></table>
<h2>Modifying the distributed web pages</h2>
Further reading of the document above details more files you can customize.
<ul>
<li><strong>support_contact.htm</strong> This file, by default, contains a single line of HTML which is a HREF that contains two macros that are place holders for the system email address as per the settings dialog above. This line is then displayed on certain status pages. You can modify this line as you wish, just be careful to ensure whatever HTML you drop in plays safe with the rest of the page. You can see an example of where this would get used <a href="http://smweb.evaluation.sealedmedia.com/status/default.asp?status=licinuse&pub=L2%20Sales%20(Oracle)&srvurl=markc:81&user=fred.smith@abc.com&item=Example%20report%20and%20Investor%20Statement&clntver=3.2.5&mime=application/vnd.sealed.eml.doc&lang=EN&cat=Default&cs=Default&vrsn=Default&src=1" target="_blank">here</a>.
<li><strong>footer.htm</strong> and <strong>header.asp</strong> allow you to again modify the HTML that is displayed top and bottom of the status page.
<li><strong>default.css</strong> means you can really go crazy with these status pages. There is a good set of style declarations already in this file so you've got a nice place to start from.
<li>Finally there are a set of folders for English, German, Spanish, French and Italian versions of the website homepage. Sometimes the Oracle IRM Desktop will, instead of sending you to a status page, redirect you to the basic homepage of the website and depending on the language version of the IRM Desktop you'll see the relevant file from these folders. It is often a good idea to reinforce your corporate security policies on these home pages and maybe link to other resources that an end user would find useful. <strong>Remember making the end user experience as smooth as possible is crucial to your security strategy</strong>.
</ul>
<h2>Creating your own status pages from scratch</h2>
The Oracle IRM Management website has a bunch of logic in its ASP pages which you could change if you wanted, but you'd be out of Oracle support. Sometimes customers want to do something very different and instead of using these provided files they want to write their own from scratch. This is entirely possible and to venture down this path requires knowledge of the following concepts.<ul><li><strong>default URL</strong>. Every file that is sealed has embedded in it something called the <em>default URL</em>. This is the address which the Oracle IRM Desktop will redirect the end user to when they are unable to open a sealed document. The URL typically looks like this;<br>
<strong>http://irmweb.domain.com/status/default.asp?%%allparams%%&%%usefordefault%%</strong>
<br><br>
There are two very important macros that sit on the URL. These macros are replaced by data during runtime when the client decides to send the user to the website.
<ul>
<li><strong>%%usefordefault%%</strong> means that the IRM Desktop will always send the user to the website. There are also some offline HTML pages that are displayed in place of the online website when the user is not connected to the internet. If you were to remove this macro, even when the user is online they would be shown the offline pages, something you'd not want and in all honesty I think even removing this line may have no effect! Much more interesting is the other macro...
<li><strong>%%allparams%%</strong> is replaced by a whole set of data which pertains to the user and activity at time of redirection. This data is placed directly onto the query string and is therefore available to the web page that the URL refers to. Here is a broken down example of what the URL would look like;

<p><code><br />
http://irmweb.domain.com/status/default.asp?<br />
cntxt=nolic<br />
&amp;status=nolic<br />
&amp;clntver=5.5.8<br />
&amp;user=john.smith@domain.com<br />
&amp;lang=EN<br />
&amp;cat=Default<br />
&amp;cs=default<br />
&amp;item=2009_05_16%2001:10:36%20Finance%20report.sxls<br />
&amp;mime=application/vnd.sealed.xls<br />
&amp;srvurl=seal://irm.domain.com:80<br />
&amp;pub=Top%20Secret%20Financial%20Data<br />
&amp;vrsn=Default<br />
&amp;brand=0<br />
&amp;prod=Office%20Unsealer<br />
&amp;src=2<br />
&amp;sealedby=fred.bloggs@domain.com<br />
&amp;cntschema=5.0.0.0.release&amp;<br />
</code><br />
Lots and lots of very useful information. <strong>status</strong> contains the information of what actually happened such as "No License available" or "Not Logged In". The list of these is on the <a href="http://smweb.evaluation.sealedmedia.com/status/test.asp?context=L2%20Sales%20(Oracle)">test page</a>. The <strong>user</strong> field contains who the logged in user was that is being redirected, <strong>sealedby</strong> tells you who sealed the document that the user is accessing.<br />
</ul>Now imagine taking this information from the querystring into your ASP/PHP/JSP page and then passing some of the data to the Oracle IRM server via the API, and you can do some very funky things. A good example that I helped a customer write was for handling users that accessed multiple computers. The logic went something like...<ol><li>User attempts to open a sealed document on a machine and has hit their device limit. The device limit restricts a user to opening the same document on a certain number of machines. They are redirected to the <em>default URL</em> and the status that is passed is <strong>licinuse</strong> which means all available rights are in use.<br />
<li>A dynamic web page then takes this information, including the user, and queries the IRM server to see how many devices they have access to and what groups the user is a member of.<br />
<li>If the user is a member of an executive group, then the code <em>automatically</em> increases the user's device limit.<br />
<li>An email is then generated in the dynamic web page and is sent to the owner of the IRM classification the content was sealed to informing them of the activity.<br />
<li>The status page then informs the end user that they've had their ability to open content on multiple machines increased and tells them to retry opening the content.<br />
</ol><br />
<li><strong>Each classification can have a different URL!</strong> This means two main things. If you don't have the skills or the time to build a fancy dynamically driven status page application, you can set a different URL for each classification and point it to a static HTML page. Secondly, from a dynamic perspective you now have even more flexibility. You can point different classifications to different applications, and have some simply point to static files. Some classifications could be forced to deliver these pages over SSL for instance whilst others not.<br />
</ul>So all in all, this part of the Oracle IRM solution is VERY flexible. In our 10+ years of experience in deploying IRM solutions with customers we've found the end user's experience to be very important. You have to guide them through WHY they cannot access content because often the reason changes. It might be that the user is new to the company and someone forgot to add them to a classification. These pages enable the end user to understand and then contact the right people to get further help. Security, usability and manageability, all must be balanced to ensure a secure and effective solution.</p>]]>
      
   </content>
</entry>
<entry>
   <title>MP expenses data up for sale</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/03/mp_expenses_data_up_for_sale_1.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.11133</id>
   
   <published>2009-03-31T13:08:25Z</published>
   <updated>2009-03-31T13:53:34Z</updated>
   
   <summary>The latest high-profile data exposure story comes from the mother of all parliaments as part of an ongoing furore about inappropriate expense claims by Members of Parliament. According to the BBC, details of expenses claims of all 650 or so...</summary>
   <author>
      <name>martin.abrahams</name>
      
   </author>
         <category term="Data loss" scheme="http://www.sixapart.com/ns/types#category" />
   
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>The latest high-profile data exposure story comes from the mother of all parliaments as part of an ongoing furore about inappropriate expense claims by Members of Parliament. </p>

<p><a href="http://news.bbc.co.uk/1/hi/uk_politics/7973438.stm" target="_blank">According to the BBC</a>, details of expenses claims of all 650 or so MPs from all parties are available for a sum of around £300000. There is an expectation that some of the more embarrassing claims will find their way into the papers over the coming weeks - although it is hard to imagine anything more embarrassing than the weekend's revelations about the Home Secretary's claims. </p>

<p>The breach has privacy implications. Parliament itself plans to publish the information some time this Summer as part of a drive towards more openness. However, it cannot do so until about a million receipts have been reviewed for data privacy purposes, and the incident might also represent a breach of the Official Secrets Act. Whoever is trying to sell the data evidently has no qualms about the privacy implications. Electronic copies of the receipts are being offered in redacted and unredacted form. </p>

<p>This story illustrates how seemingly trivial information can have extraordinary value and significant privacy implications. We have customers who seal payslips and other HR information, but it has never occurred to me that expense receipts represent a significant risk. <br />
</p>]]>
      
   </content>
</entry>
<entry>
   <title>Data on Presidential helicopter goes astray</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/03/data_on_presidential_helicopte_1.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.10651</id>
   
   <published>2009-03-08T09:26:28Z</published>
   <updated>2009-03-10T04:10:23Z</updated>
   
   <summary>The BBC reports that information about the Presidential helicopter has been exposed inappropriately. Apparently an executive working for a defense contractor was running file sharing software, and the file in question wound up on an Iranian computer. The information was...</summary>
   <author>
      <name>martin.abrahams</name>
      
   </author>
         <category term="Data loss" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="dataloss" label="data loss" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="obama" label="obama" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>The <a href="http://news.bbc.co.uk/1/hi/world/americas/7920638.stm" target="_blank">BBC reports</a> that information about the Presidential helicopter has been exposed inappropriately. Apparently an executive working for a defense contractor was running file sharing software, and the file in question wound up on an Iranian computer. </p>

<p>The information was low-grade - no real harm done - but the story illustrates how easily information gets out and about. It also illustrates how third parties, such as contractors, can lose your information even if you do not, and how some technology focuses on leak detection rather than prevention.</p>

<p>My initial reaction was to think about how an enterprise would typically lock down all the network ports/protocols that would allow for file sharing such as this to occur. But this is no good when laptops are taken home or documents are stored on USB devices and worked on using home computers.</p>

<p>The BBC says that "Keith Tagliaferri, director of operations at <a href="http://www.tiversa.com/" target="_blank">Tiversa</a>, said the employee who inadvertently disclosed the information was a high-level executive - and the breach had taken place outside the company's offices."</p>

<p>Traditional network security tools such as firewalls simply do not protect against these types of problems. Even DLP technologies can only be effective at the points where DLP agents are deployed. It is impossible to protect every channel, and that is why IRM is a good complement to these existing techniques. </p>

<p>Protecting the most valuable content is most effectively done when the security controls are around the content itself, no matter where it resides nor where it is transmitted to.</p>]]>
      
   </content>
</entry>
<entry>
   <title>Simple Oracle IRM flash presentation</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/02/simple_oracle_irm_flash_presen.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.10437</id>
   
   <published>2009-02-25T07:41:07Z</published>
   <updated>2009-02-25T16:14:24Z</updated>
   
   <summary>I&apos;m working on some new demo&apos;s of the IRM technology to host here. I will be showing how Oracle IRM can protect HTML and images (GIF, JPG, PNG) in the context of a portal or an online application such as...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
         <category term="Demonstration" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="demo" label="demo" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>I'm working on some new demos of the IRM technology to host here. I will be showing how Oracle IRM can protect HTML and images (GIF, JPG, PNG) in the context of a portal or an online application such as online banking. Also, I'll soon have a video overview of how our IRM solution integrates with the Oracle Content Management solution.</p>

<p>But whilst researching information for these demos I found a nice Flash presentation that was made last year and does a good job of explaining the issues that IRM solves. Have a look!<br />
<iframe width="610" height="390" frameborder="0" scrolling="no" src="http://blogs.oracle.com/content/dav/oracle/mtblog/i/ir/irm/flash/oracle_IRM_preso.html"><br />
</iframe></p>]]>
      
   </content>
</entry>
<entry>
   <title>Laid off workers stealing company data</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/02/laid_off_workers_stealing_comp.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.10435</id>
   
   <published>2009-02-25T05:57:33Z</published>
   <updated>2009-02-25T07:21:56Z</updated>
   
   <summary> More news articles published this week are raising awareness of risks involved with sensitive information leaving your organization when employees are laid off. Another research study from the Ponemon Institute, in conjunction with Symantec, surveyed 945 adults in the...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
         <category term="Data loss" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="dlp" label="DLP" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="datalossprevention" label="Data Loss Prevention" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="dataloss" label="data loss" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p><a href="http://www.symantec.com/" target="_blank"><img border="0" alt="Symantec" src="http://blogs.oracle.com/irm/images/symantec-logo.gif" width="326" height="37" /></a></p>

<p>More <a href="http://news.bbc.co.uk/2/hi/technology/7902989.stm" target="_blank">news articles</a> published <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1348948,00.html" target="_blank">this week</a> are <a href="http://www.networkworld.com/news/2009/022309-fired-workers-steal-data.html" target="_blank">raising awareness</a> of risks involved with sensitive information leaving your organization when employees are laid off. Another research study from the Ponemon Institute, in conjunction with Symantec, surveyed 945 adults in the United States who were laid-off, fired or changed jobs in the last 12 months. It found 59% of employees who leave or are asked to leave are stealing company data, such as contact lists, employee records, financial reports, confidential business documents and software tools.</p>

<p>Kevin Rowney from Symantec told the BBC that, "The intellectual property of a company can represent the crown jewels and are almost worth more than the building. This is the core asset of a company and any breach or loss can be very expensive... The industry has concentrated on the protection of the containers where the data is stored like firewalls, access, controls and end point security systems... The end result is that most security teams are protecting the containers not the data itself. And that is a core flaw in the security methodology of many practitioners today,"</p>

<p>Symantec sponsorship obviously highlights their <a href="http://www.symantec.com/en/uk/business/theme.jsp?themeid=dlp" target="_blank">DLP solutions</a> which allow for the detection and control of information as it flows across devices such as firewalls and network file servers onto desktop and laptop computers, and ultimately onto removable USB devices.</p>

<p>Without question I'm going to state that <a href="http://blogs.oracle.com/irm/2008/11/oracle_irm_and_data_loss_preve.html" target="_blank">IRM is a perfect complement to DLP</a> to provide a robust solution to protecting, controlling and reporting on the use of sensitive content. DLP has its limitations and IRM fills those holes. Combine this with the total set of <a href="http://blogs.oracle.com/irm/2009/02/complete_security_from_databas_1.html" target="_blank">security technologies</a> from Oracle and a smart company could ensure the recent increase in risk can be reduced and controlled for a fraction of the cost of the repercussions of losing all this data.</p>

<p>Another comment I found interesting was, "It is not enough that I will be laid off, that I will have to sell my home and possessions at a loss - I am now considered a 'thief' for 'stealing' (ie taking work home with me) intellectual property. Why is the worker blamed for everything that goes wrong with a company?"</p>

<p>Oracle IRM has positive solutions for both problems. It first provides an organization with the ability to have absolute control over documents, not only by limiting who can print (and therefore steal paper copies) but also by removing access to content when an employee no longer works for the organization.</p>

<p>Secondly, it can actually help the employee... Oracle IRM allows for a balance of usability and security that allows people to use sensitive content on the move and from home locations. Leaving a company knowing that the company is responsible for removing your access rights frees the ex-employee from all responsibility. If the organization is able to revoke all rights to content, then the end user no longer feels under the spotlight when they leave.</p>]]>
      
   </content>
</entry>
<entry>
   <title>Email circular exposes sensitive board minutes</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/02/internal_email_exposes_sensitive_board_minutes.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.10323</id>
   
   <published>2009-02-20T08:47:49Z</published>
   <updated>2009-02-20T17:39:30Z</updated>
   
   <summary>Having just read Simon&apos;s comments on securing email, I can&apos;t resist mentioning a recent report in the UK press about a company that accidentally exposed its board&apos;s thinking on how to cope with the current economic downturn. According to the...</summary>
   <author>
      <name>martin.abrahams</name>
      
   </author>
         <category term="Data loss" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="dataloss" label="data loss" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="email" label="email" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="sealedemail" label="sealed email" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>Having just read Simon's comments on <a href="http://blogs.oracle.com/irm/2009/02/using_oracle_irm_to_secure_you.html">securing email</a>, I can't resist mentioning a recent report in the UK press about a company that accidentally exposed its board's thinking on how to cope with the current economic downturn.</p>

<p><a href="http://www.telegraph.co.uk/finance/newsbysector/constructionandproperty/4605700/Honesty-a-risky-policy-after-Savills-board-leak.html">According to the Daily Telegraph</a>, an up-market estate agency accidentally included its board minutes in an internal email. Employees got to read about cost cutting proposals and a "final solution" that might be called for if things get really bad in the housing market. Attempts to recall the email were doomed, as some employees had already forwarded it beyond the company network. <br />
</p>]]>
      
   </content>
</entry>
<entry>
   <title>Using Oracle IRM to secure your sensitive emails</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/02/using_oracle_irm_to_secure_you.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.10251</id>
   
   <published>2009-02-20T01:13:30Z</published>
   <updated>2009-02-20T04:38:13Z</updated>
   
   <summary>Email is a very useful technology. It allows for people to easily and quickly communicate with vast numbers of people over great distances within minutes. However there is a downside to the ease of use, sensitive information can be broadcast...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
         <category term="Functionality" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="email" label="email" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="secureemail" label="secure email" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>Email is a very useful technology. It allows for people to easily and quickly communicate with vast numbers of people over great distances within minutes. However, there is a downside to the ease of use: sensitive information can be broadcast with little effort and sometimes by mistake. How often have you been writing an email, filling in the "To" list and have allowed the email client to search through your history of previous emails and suggest the right recipient? Only to find that <i>just</i> after you've sent the email, you realize it went to the wrong person? I have heard all sorts of horror stories of sensitive documents, sometimes containing mergers and acquisition information, being sent to the wrong people at the wrong company. Worse, there have been reports of documents being sent to entire distribution/mailing lists of people by mistake. </p>

<center><img alt="Sealed email" src="http://blogs.oracle.com/irm/images/sealed-email.gif" width="479" height="239" /></center>

<p>So no surprise that we on the Oracle IRM team have a solution for protecting email communication. Oracle IRM supports a lot of formats, from Office (2000-2007, wider support than Microsoft's own IRM technology), PDF (Acrobat Reader 6.0+), HTML, JPEG, GIF, XML and others which allows people to protect documents that are attached to emails but we also support the ability to secure the content (body) of the email.</p>

<p>This is an area that comes with many different methods of creating, sending, receiving and reading the information. Some also regard their email client to be the most important tool in the workplace, so when integrating with this environment, especially from a security perspective, you need to be very careful and ensure you do not disrupt end users' day-to-day activities.</p>

<h2>Oracle IRM ensures the best user experience when protecting sensitive emails</h2>
When the Oracle IRM team decided to include email as part of the solution, we thought long and hard about how to address the issue of multiple email clients and servers. The decision was to be as agnostic as possible to the underlying platform so that we could ensure users could consume sealed information via as many clients and servers as possible. Nothing worse than a vendor trying to tie you into their way of doing things.

<p>This led to the creation of the .seml format and the method of taking the body of an email, sealing it and then attaching that file to an ordinary email message. This means that the resulting email package can be sent via any of the usual email mechanisms. What we did do on the client side was write some simple plug-ins for the most common email clients to automate the above process. The email clients we currently support are:<br />
<ul><li>Microsoft Outlook 2000-2007<br />
<li>Lotus Notes 6.5-7.0 <br />
<li>Novell GroupWise 6.5-7.0<br />
</ul><h2>Sending a secure email with Oracle IRM</h2>When using one of the email clients above it is very simple to send a secured email. Simply start a new email as you would normally and the Oracle IRM Desktop will insert a small button in the email window. This allows you to mark the email as one which you wish to be sealed. Upon sending of the email the IRM software will ask you what classification (context) the email falls under and will list all the contexts to which you have the rights to secure information. This is exactly the same dialog and selection a user makes when sealing any document with Oracle IRM, consistency with the end user is important to reduce any confusion in the process. After choosing the classification the email is then sealed and sent onto the recipients.<br><br><table border="0" cellpadding="3" cellspacing="0"><tbody><tr><td valign="top"><img alt="Context selection dialog" src="http://blogs.oracle.com/irm/images/context-selection-dialog.gif" width="300" height="213" /><br />
</td><td valign="top">It is still possible to send a sealed email if you don't have one of the supported clients. But it requires the end user to create the sealed email attachment manually like any other ordinary sealed file and attach that to the email. Future support of new email clients is however possible as we have an API exposed specifically for integrating with email. This API has already been used in Oracle to develop an integration with the open source Thunderbird email client.</td></tr></tbody></table></p>

<h2>Receiving a secure email with Oracle IRM</h2>
The beauty of the Oracle IRM solution is that receiving and opening a sealed email doesn't require any specific email client. Because the file is an attachment to the email, you just double click on the attachment and, assuming you have rights to the content, open the message.

<p>There are some advantages to using a client that we've integrated with. For instance, replying to a sealed email is much easier with Outlook, Notes or GroupWise because we again insert a button behind which some logic automates the replying. But it is still possible to do this from any email client; it just requires some manual effort from the end user. </p>

<h2>Your email is secure and persistently under your control with Oracle IRM</h2>
Email extends the Oracle IRM format base to an area that is crucial for effective secure communication. It not only offers powerful protection using industry encryption algorithms to secure the information in transit, but it enables you to have total control over the email even after delivery. So even when your sensitive information goes out to thousands in the organization and is forwarded onto more, you still have the ability to audit and revoke access to every single copy of that communication, no matter where it resides.]]>
      
   </content>
</entry>
<entry>
   <title>Protecting large amounts of files with Oracle IRM</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/02/protecting_large_amounts_of_fi.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.10234</id>
   
   <published>2009-02-19T01:10:45Z</published>
   <updated>2009-02-19T02:10:21Z</updated>
   
   <summary>I am often asked how it is possible to seal en mass lots of files against an Oracle IRM server. There are many ways to do this via our APIs and prebuilt tools. Sealing a folder with the Windows Explorer...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
         <category term="Functionality" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>I am often asked how it is possible to seal lots of files en masse against an Oracle IRM server. There are many ways to do this via our APIs and prebuilt tools.</p>

<h2>Sealing a folder with the Windows Explorer integration</h2>
The simplest method by far is by simply right clicking on a folder in Windows and selecting "Seal To..." Installing the Oracle IRM Desktop gives the user the ability to seal an entire folder structure of content directly from Windows Explorer. All you need are rights to seal in a context (be given a Contributor role) and have the Oracle IRM Desktop installed.

<p>The limitation of this method is that you cannot insert any form of logic into the process. Performance-wise it should be just as quick via this method as any other. I tried this on my little laptop: I have a documents folder of about 600MB in size and made a copy. This folder contains all sorts of content, some already sealed and some in a format Oracle IRM doesn't support. I timed how long it took to seal 445 supported files by a right click and seal, and it completed in about 45 seconds. Not a bad result on a little laptop hard disk (320GB, 5300RPM).</p>

<h2>smBatch.exe</h2>
For slightly more control you can use the command line driven utility that is available in the <a href="http://www.oracle.com/technology/software/htdocs/devlic.html?url=http://download.oracle.com/otn_software/sealed/PR4/IRM_10gR3_20080909%20GW%20BB%20and%20SDK.zip" target="_blank">Oracle IRM Developers SDK</a>. This tool uses the C++ interface and the source code for it is included as part of the SDK. It takes a set of parameters as follows. This allows for a really easy way to include sealing as part of an existing batch process that can call out to the shell passing in the details of the content to be sealed.

<p><code><br />
smBatch (DSE v5.5.9.95), Copyright (c) 1996,  2007, Oracle. All rights reserved.<br />
use: smBatch<br />
&nbsp;&nbsp;&nbsp;-licserv &lt;license server URL&gt;<br />
&nbsp;&nbsp;&nbsp;-publisher &lt;publisher ID&gt;<br />
&nbsp;&nbsp;&nbsp;-aemail &lt;administrator email&gt;<br />
&nbsp;&nbsp;&nbsp;-apwd &lt;administrator password&gt;<br />
&nbsp;&nbsp;&nbsp;-contentset &lt;content set name&gt;<br />
&nbsp;&nbsp;&nbsp;-category &lt;category&gt;<br />
&nbsp;&nbsp;&nbsp;[-sealedfileschema &lt;major.minor.revision&gt;]<br />
&nbsp;&nbsp;&nbsp;[-dryrun &lt;Run the program without sealing the files. For debug purpose&gt;<br />
&nbsp;&nbsp;&nbsp;[-batch &lt;Batch file for multiple sealing of i/o files, mime and item code&gt;<br />
&nbsp;&nbsp;&nbsp;[-metadata &lt;full path to metatdata file&gt;]<br />
&nbsp;&nbsp;&nbsp;[-mime &lt;sealed MIME type&gt;]<br />
&nbsp;&nbsp;&nbsp;[-version &lt;version code&gt;]<br />
&nbsp;&nbsp;&nbsp;[-item &lt;item code&gt;]<br />
&nbsp;&nbsp;&nbsp;[-time &lt;publication time in format 25 Aug 2000 16:30:00 EST&gt;]<br />
&nbsp;&nbsp;&nbsp;[-cipherlen &lt;number&gt;]<br />
&nbsp;&nbsp;&nbsp;[-plainlen &lt;number&gt;]<br />
&nbsp;&nbsp;&nbsp;[-period &lt;number&gt;]<br />
&nbsp;&nbsp;&nbsp;[-streaming &lt;on|off  Disable chunking if switched to off; default is on.]<br />
&nbsp;&nbsp;&nbsp;[-semail &lt;source email&gt;]<br />
&nbsp;&nbsp;&nbsp;[-spwd &lt;source password&gt;]<br />
&nbsp;&nbsp;&nbsp;[-pxuser &lt;proxy username&gt;]<br />
&nbsp;&nbsp;&nbsp;[-pxpwd &lt;proxy password&gt;]<br />
&nbsp;&nbsp;&nbsp;[-pxhost &lt;proxy host url&gt;]<br />
&nbsp;&nbsp;&nbsp;[-pxport &lt;proxy port number&gt;]<br />
&nbsp;&nbsp;&nbsp;[-impersonate &lt;login name of user to impersonate&gt;]<br />
&nbsp;&nbsp;&nbsp;[-simpersonate &lt;login name of source user to impersonate&gt;]<br />
&nbsp;&nbsp;&nbsp;&lt;infile&gt; [&lt;outfile&gt;]</p>

<p>e.g.  smBatch -lic seal://licence.www.oracle.com:80 -pub mypub-001<br />
-aem myname@mydomain.com -apw topsecret -cont cs_1 -cat cat_1<br />
-pxhost 10.2.3.54  -pxport 77 -stream off -pxuser mickey.mouse -pxpwd disney<br />
-t "25 Aug 2000 16:30:00 EST" example.pdf<br />
</code></p>

<h2>Calling the Dynamic Sealing Engine (DSE) API</h2>
For the ultimate in control you can use the DSE API, which is available in Java, C++ and COM. An example of its use in a JavaScript function is:

<p><code><br />
function fnSealFileActiveX (strLicenseURL, strPublisher, strAdminAccount, strAdminPassword, strContentSet, strCategory, strItemCode, strFilePathname, strSealedFilePathname)<br />
{<br />
&nbsp;&nbsp;&nbsp;try {<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;var objSealer = new ActiveXObject ("SealedMedia.DynamicSealingEngine");<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;objSealer.SetLicenceServerURL (strLicenseURL,30);<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;objSealer.ItemCode = strItemCode;<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;objSealer.username = strAdminAccount;<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;objSealer.password = strAdminPassword;<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;objSealer.publisherID = strPublisher;<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;objSealer.contentSet = strContentSet;<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;objSealer.category = strCategory;<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;objSealer.SealFile (strFilePathname, strSealedFilePathname);<br />
&nbsp;&nbsp;&nbsp;}<br />
&nbsp;&nbsp;&nbsp;catch (e) {<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;throw e.description + " " + e.number;<br />
&nbsp;&nbsp;&nbsp;}<br />
return true<br />
}<br />
</code></p>

<h2>Using Web Services to seal files</h2>
Finally there is the option to be totally platform and language independent by using the Web Services interfaces on the Oracle IRM server. There is an excellent tutorial on how to get this up and running over on OTN: <a href="http://www.oracle.com/technology/obe/fusion_middleware/ecm/irm/eclipse/eclipse/eclipse.htm" target="_blank">Using Oracle IRM Web Services with Eclipse WTP 1.5.4</a>. However, this is not going to be the best bet for performance, as you will be sending all the content over the network to the IRM server, which will seal it and then pass the entire encrypted file back to the calling client over the network.

<p>So in summary, there are plenty of options to find ways of sealing existing repositories of files using Oracle IRM.</p>]]>
      
   </content>
</entry>
<entry>
   <title>The beauty of separating rights from content</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/02/the_beauty_of_seperating_right.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.5228</id>
   
   <published>2009-02-18T09:21:16Z</published>
   <updated>2009-02-18T08:49:18Z</updated>
   
   <summary>I was discussing the subject of why separating rights from the content is so important with a friend at work and thought I would share some elements of this discussion. Fundamental to the success of the Oracle IRM solution is...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
         <category term="General" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>I was discussing the subject of why separating rights from the content is so important with a friend at work and thought I would share some elements of this discussion.</p>

<p>Fundamental to the success of the Oracle IRM solution is that from day one Martin Lambert, Oracle IRM creator, decided to separate the information that describes who can access content and what they can do with it from the actual content itself. To demonstrate why this is important, consider the following.</p>

<p>1. You protect 10 documents which you distribute, via email, to 100 people in your company. Each person copies those 10 documents to their local computer from their inbox. 10 of these people are managers who are given rights to print the documents, the rest are prohibited and can only open the content.<br />
2. A few weeks later the company hires another 20 people. 10 of the people from the original 100 are promoted to managers and 15 leave the company, taking the content with them.</p>

<p>Now imagine if those 10 documents, of which there are now thousands of copies, contained information about the 100 people that could initially open them. What happens a few weeks later? What do you do? Recall all the copies of those old documents and reissue new ones with updated lists of rights? How do you ensure users are then opening the right document with the correct rights? What about those who are promoted and have gained new rights to the same content? Do they have different versions of the same document, one they can print and one they cannot?</p>

<p>Many IRM solutions were born from <a href="http://www.securityfocus.com/columnists/165" target="_blank">Digital Rights Management (DRM) technologies</a> which typically embed such rights information into the protected content. <a href="http://en.wikipedia.org/wiki/Digital_rights_management" target="_blank">DRM</a> technologies are commonly used to protect rich media such as music distributed by iTunes and movies by Amazon Unbox. In these environments the content is only designed to be read by the single consumer and the rights are typically distributed/embedded at the time of purchase/download. DRM used to be very restrictive and often received a lot of bad press about the unfair methods employed to restrict the use of content by the end user. Things are better these days and a more separated rights approach is being taken. Yet the technologies are still built on this limiting methodology.</p>

<p>When you take this approach from the consumer world into the enterprise, things suddenly become very difficult. Scalability becomes a large issue. Would you really store the rights of thousands of corporate users in each file you protect? Each time the rights to a specific document changes, do you redistribute those rights? Many IRM solutions in the market are born from <a href="http://www.crn.com/it-channel/21402042" target="_blank">such DRM systems</a> and are struggling to scale into the enterprise.</p>

<p>This is where Oracle IRM is able to work so easily and allows the fast changing trust relationships in the enterprise to be reflected quickly. Oracle IRM sealed content only knows of a classification to which it belongs. It also knows on what server this classification resides. So when a user accesses content, two things happen.</p>

<p>1. A user attempting to access content whilst online is authenticated against the IRM server.<br />
2. If authentication is successful, the IRM server checks to see if they are authorized to access content with the classification matching the request. If so, the rights are shipped and cached to the requesting machine and remain valid for a certain period of time, after which the user must again check with the IRM server to see if rights to the content have changed.</p>

<p>What this separation of rights means is that by making a single, simple change to a user's rights on the Oracle IRM server, their access to thousands of documents can be affected when they next check with the server.</p>

<p>Then consider how the Oracle IRM server can be hooked into your LDAP and Active Directory repositories, and that groups can be assigned rights to these classifications. Someone joining an organization can be added to <b>one</b> group in the corporate user repository, and this one single act can give them instant access to hundreds and thousands of documents that are stored in a variety of places all over the organization.</p>
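
<p>The two-step check and the group assignment described above, applied to the 100-person scenario from earlier in this post, as an added Python sketch (not Oracle IRM code or its API). Every class and function name, the classification "board-papers", the seven-day cache period and the server URL are assumptions made for the illustration, and authentication is reduced to an account-enabled check.</p>

```python
from dataclasses import dataclass, field

OPEN, PRINT = "open", "print"
DAY = 86400  # seconds


@dataclass(frozen=True)
class SealedDocument:
    """A sealed file names its server and classification, never a user list."""
    name: str
    server_url: str
    classification: str


@dataclass
class RightsServer:
    """Hypothetical central rights server; all rights live here, not in files."""
    cache_period: int                                # how long shipped rights stay valid
    enabled_users: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)       # group name -> set of users
    grants: dict = field(default_factory=dict)       # (classification, group) -> rights
    audit_log: list = field(default_factory=list)

    def set_group(self, group, users):
        self.groups[group] = set(users)
        self.enabled_users |= set(users)

    def grant(self, classification, group, rights):
        self.grants[(classification, group)] = frozenset(rights)

    def move(self, user, src, dst):
        self.groups[src].discard(user)
        self.groups[dst].add(user)

    def offboard(self, user):
        self.enabled_users.discard(user)
        for members in self.groups.values():
            members.discard(user)

    def request_rights(self, user, classification, now):
        """Step 1: authenticate. Step 2: authorize by classification, ship rights."""
        rights = set()
        if user in self.enabled_users:
            for (cls, group), granted in self.grants.items():
                if cls == classification and user in self.groups.get(group, ()):
                    rights |= granted
        outcome = "shipped" if rights else "denied"
        self.audit_log.append((now, user, classification, outcome))
        if not rights:
            return None
        return frozenset(rights), now + self.cache_period


class Desktop:
    """Hypothetical client: caches shipped rights per classification, not per file."""

    def __init__(self, user, server):
        self.user, self.server = user, server
        self._cache = {}                             # classification -> (rights, expiry)

    def can(self, doc, right, now, online=True):
        cached = self._cache.get(doc.classification)
        if cached is None or now >= cached[1]:
            if not online:
                return False                         # expired rights are never honoured
            cached = self.server.request_rights(self.user, doc.classification, now)
            if cached is None:
                self._cache.pop(doc.classification, None)
                return False
            self._cache[doc.classification] = cached
        return right in cached[0]


def run_scenario():
    server = RightsServer(cache_period=7 * DAY)      # constructed value
    staff = [f"user{i:03d}" for i in range(100)]
    server.set_group("managers", staff[:10])
    server.set_group("staff", staff[10:])
    server.grant("board-papers", "managers", {OPEN, PRINT})
    server.grant("board-papers", "staff", {OPEN})
    # Constructed sample documents; every copy carries the same two pointers.
    docs = [SealedDocument(f"doc{i}.pdf", "seal://irm.example.invalid", "board-papers")
            for i in range(10)]

    promoted, leaver = Desktop("user010", server), Desktop("user099", server)
    results = {}
    # Day 0: first open ships rights to each machine.
    results["day0"] = (promoted.can(docs[0], PRINT, 0), leaver.can(docs[0], OPEN, 0))
    # Day 1: two server-side changes; no document is recalled or reissued.
    server.move("user010", "staff", "managers")
    server.offboard("user099")
    results["day1_cached"] = (promoted.can(docs[3], PRINT, DAY),
                              leaver.can(docs[3], OPEN, DAY))
    # Day 8: cached rights have expired, so both machines must ask again.
    results["after_expiry"] = (promoted.can(docs[3], PRINT, 8 * DAY),
                               leaver.can(docs[3], OPEN, 8 * DAY))
    results["server_requests"] = len(server.audit_log)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

<p>In this sketch the cache period is also the longest a leaver keeps access after being removed on the server, so it is the setting that trades offline use against revocation delay.</p>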

<p>Because this was a design feature from the very start, it means that we've been able to improve, learn through customer experience and fine tune this model. Our 11g release will be the best demonstration yet of how Oracle is leading the way when it comes to providing persistent, scalable and usable security to your sensitive enterprise information.</p>]]>
      
   </content>
</entry>
<entry>
   <title>Deploying Oracle IRM in unreliable network environments</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/02/deploying_oracle_irm_in_unreli.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.10222</id>
   
   <published>2009-02-18T04:21:16Z</published>
   <updated>2009-02-18T07:00:55Z</updated>
   
   <summary>I just received a question from a fellow sales consultant in Vietnam. He asks... &quot;In my demonstration, all of our customers asked me the same questions when I delivered the IRM demo: how can distribute the IRM server in multiple...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
         <category term="Functionality" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>I just received a question from a fellow sales consultant in Vietnam. He asks...</p>

<p>"In my demonstration, all of our customers asked me the same questions when I delivered the IRM demo: how can we distribute the IRM server in multiple provinces in Vietnam? Vietnam's internet connection is very bad, therefore all distributed locations in Vietnam could not share the same central IRM server, then they are expected to deploy one central IRM server on the internet, and a few other IRM servers on the intranets of each location throughout Vietnam.</p>

<p>The requirement is how to synchronize all IRM data (security configuration, roles, rights...) between these IRM servers, so that when I assign for you a document in the Hanoi IRM server, then I travel to Ho Chi Minh, I can open the document with the Ho Chi Minh IRM server"</p>

<p>There are a number of ways to resolve this issue. Not knowing the specifics of the infrastructure for these customers, I'll outline all possible ways to solve the problem.</p>

<h2>Oracle IRM is already very network resilient</h2>
Firstly, Oracle IRM is by design very resilient to poor network performance. When the technology was first developed back in the late 90's it was very common for mobile workers to be using 14.4 and 28.8 modems. Network bandwidth and reliability were very poor in comparison to today's standards. Therefore Oracle IRM had some vital features which were essential in those early days and are unique to the Oracle IRM technology.
<ul>
<li>The network protocol was a cut-down version of SSL designed for speed and low bandwidth use. It is also tunneled inside HTTP, which gives it a stateless aspect that forces a system design which is efficient with network communication.</li>
<li>As long as you are not assigning large amounts of rights to each user, the size of data to be transferred from server to client is small. Again due to the bandwidth limitations around when the system was initially designed, Oracle IRM is very efficient with the data that is sent from server to client and back. For example, as you access sealed content offline the client audits this activity. These logs are returned to the server in batches to conserve available network bandwidth.</li>
<li>Offline caching has been in the core design of the system from day 1. This enables trusted users to travel with sensitive information without needing to constantly connect to the network to validate rights. This of course needs to be balanced against the increased risk of extending that offline period, but in cases like this, just being able to deploy IRM brings a huge increase in security. This offline period can be taken to an extreme: some customers have given users a whole year of offline use, so they only need to access the IRM server once in an entire year! Of course this dramatically reduces the effectiveness of the security, but it's demonstrative of the flexibility of the system.</li>
</ul>

<p>Apart from taking advantage of the inbuilt functionality, it is possible to build a system which allows for a more balanced security approach. This does involve a little more work and complexity and requires good system design to avoid instability as more components are involved.</p>

<h2>Multiple Oracle IRM servers can talk to one database</h2>
It would be possible to deploy multiple IRM server instances in each province. Then, using localized DNS resolution (remember each piece of content has a fixed DNS hostname pointing to the home IRM server), you can have rights requests served from a local server. The IRM server by default is set to cache data in memory, which mitigates some of the connectivity issues from the server instance back to the centralized database.

<p>There are issues here. You need to figure out a smart way to do <a href="http://www.caraytech.com/geodns/" target="_blank">geographical DNS</a> resolving which is hard if the end user is using public DNS servers and not ones on your own network. Also you might find that the connectivity from server to database also shares exactly the same issue you are trying to design around, that of a very poor network connection.</p>

<h2>Using Oracle database in a distributed manner</h2>
The ultimate solution of course would be to have an Oracle IRM server with its own distributed copy of an Oracle database running in each location. Oracle database has some very powerful capabilities which allow it to clone schemas to remote databases. A good example of this in action is how Google achieves its super-fast response time by cloning the Oracle database server in many locations across the world.

<p>This, whilst possible, is going to require some clever consulting to set up. Latency of changes to data needs to be taken into consideration across the entire system, as does allowing those remote IRM and database systems to update information back to the "master" server. There is also still the issue of ensuring DNS points users to the right local server.</p>

<p>With 10g this would be a challenge, but the imminent release of 11g opens up the ability for the system architect to insert all sorts of logic right into the Oracle IRM server which would facilitate a design such as the one above. Of course when it comes to resolving distributed database issues then Oracle is already the master of that problem :)</p>

<h2>Using the Oracle IRM API to manage the distribution of rights</h2>
Another, more complex system could be built on the extensive APIs available. The central IRM server would contain the master copy of rights and classifications, which could then be "copied" using logic contained in an application that would utilize the IRM API to update the intranet IRM servers.

<p>Consideration also needs to be given to how to handle the audit logs from the separate IRM servers. These can be written to binary files, which are transferred back to a central location for processing into a complete audit of all activity. The Oracle IRM server also allows for these events to be placed onto a message queue which would provide a quicker method for amalgamating the records.</p>]]>
      
   </content>
</entry>
<entry>
   <title>UK citizens&apos; private information being lost at record rate</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/02/uk_citizens_private_informatio.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.10115</id>
   
   <published>2009-02-12T05:12:01Z</published>
   <updated>2009-02-12T05:23:37Z</updated>
   
   <summary>Tis not a good time to be a UK citizen right now, &quot;your personal information of UK citizens is being lost and stolen at an unprecedented rate&quot;, the UK’s privacy watchdog said today. However, if you happen to be one...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
         <category term="Data loss" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="dataloss" label="data loss" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p>Tis not a good time to be a UK citizen right now, "your personal information of UK citizens is being lost and stolen at an unprecedented rate", the UK’s privacy watchdog said today. However, if you happen to be one of the private companies that have lost this data you are currently safe in the knowledge that you're not going to be investigated. </p>

<p>The Information Commissioner’s Office (ICO) in the UK has been <a href="http://www.timesonline.co.uk/tol/news/politics/article5688347.ece" target="_blank">reported</a> as saying that "Data breaches jumped by 36 per cent last year, the ICO said. Personal information is now lost - on average - more than once a day."</p>

<p>This is just shocking news, but worse is that the ICO is unable to investigate any breaches if they are within the realm of the private sector. Richard Thomas, the Information Commissioner himself, states, "For more than 20 years, my office has not had the power to carry out any inspection without the consent of the organisation concerned. In the six and a half years that I have been commissioner, I have strenuously argued that that is not acceptable. One would not expect a food inspector to have to get the restaurant’s consent before carrying out an inspection."</p>

<p>The government is making changes, but these only apply to central and local government departments; private companies will still be exempt from investigation. Surely this must change. How can the ICO ask companies to sign its <a href="http://www.ico.gov.uk/Home/about_us/news_and_views/current_topics/personal_info_promise.aspx" target="_blank">Personal Information Promise</a> and not be given the power to investigate those who break this trust? Crazy...</p>]]>
      
   </content>
</entry>
<entry>
   <title>Average loss of data breach in 2008 = $6.65 million and results in lost customers</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/02/average_loss_of_data_breach_in.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.10073</id>
   
   <published>2009-02-09T20:24:51Z</published>
   <updated>2009-02-09T22:34:53Z</updated>
   
   <summary>CIO.com have published an article by Dr. Larry Ponemon of the Ponemon Institute. It continues the relentless reports of how data loss incidents are on the rise and the associated costs. The article discusses the results of the recent annual...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
         <category term="Data loss" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="dataloss" label="data loss" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<p><a href="http://www.cio.com/article/479101/Costs_of_a_Data_Breach_Can_You_Afford_._Million_" target="_blank">CIO.com</a> have published an <a href="http://www.cio.com/article/479101/Costs_of_a_Data_Breach_Can_You_Afford_._Million_" target="_blank">article</a> by Dr. Larry Ponemon of the Ponemon Institute. It continues the relentless reports of how data loss incidents are on the rise and the associated costs. The article discusses the results of the recent annual data breach study which concludes that the average cost of a data breach in 2008 was $6.65 million.</p>

<table border="0" cellpadding="0" cellspacing="0"><tbody><tr><td valign="top"><a href="http://homes.cerias.purdue.edu/%7Espaf/"><img alt="Larry Poneman" src="http://blogs.oracle.com/irm/images/Larry_Poneman.jpg" width="113" height="139" /></a></td><td valign="top"><span style="font-family: Arial,Helvetica,sans-serif; font-size: medium; color: rgb(255, 0, 0);">"Violate a consumer's trust and they are more likely to walk, and that likelihood increases when the breach involves an organization in which the consumer has placed a great deal of trust."</span><br><span style="color: rgb(102, 0, 0);">Dr. Larry Ponemon, chairman and founder <a href="http://www.ponemon.org" target="_blank">The Ponemon Institute</a>.</span></td></tr></tbody></table>

<p>The summary of this study leads Dr Ponemon to state "the financial impact for a company that experiences a data breach is significant and rising." The institute use the data from their studies to, "analyze the methods and strategies used by companies when responding to a breach, and the outcome of the response, to create best practices so other organizations don't have to learn from their own experience." </p>

<p>One aspect of the report I found interesting is the effect on certain industries when it comes to rates of customer loss. Dr Ponemon describes:</p>

<p>"This year, lost business costs rose to a level 38 percent higher than in 2005. What's more, healthcare and financial services organizations experienced much higher abnormal customer loss—6.5 percent and 5.5 percent respectively—when compared with retail and consumer products organizations, whose churn rates were found to be 1.5 percent and 3.6 percent respectively. The significant difference in these rates of customer loss can be explained in one word: trust. Violate a consumer's trust and they are more likely to walk, and that likelihood increases when the breach involves an organization in which the consumer has placed a great deal of trust.</p>

<p>What do I mean? When a consumer chooses to do business with a financial services or healthcare organization, they tend to conduct more due diligence than when they walk through the doors of a department store to buy a shirt or a pair of shoes. A retail purchase is a simple transaction, but banking and healthcare requires entrusting an individual or organization with a great deal of highly sensitive information. Violate that trust and the customer may be more inclined to look for a new relationship. This is especially evident when the consumer receives multiple breach notifications from such an organization."</p>

<p>Companies right now need to do everything possible to retain existing customers and attract new business. As Larry highlights, people are very diligent when they make decisions about whom to place their finances with and with whom they entrust their healthcare, so these organisations are more at risk than most.</p>

<p>Yet it isn't all doom and gloom. It is possible to turn this risk into a competitive advantage. Budgeting for the deployment of an IRM technology to protect customer information can both reduce the financial risks of data loss and differentiate your organisation from the competition, by being seen to use advanced technologies to protect customers' confidential information. This can drive new business, which is crucial right now. Businesses that are freezing budgets in the hope of cutting costs are potentially exposing themselves to further financial demise. Instead, it is wise spending in the right areas, to both maximise revenue and minimise risk, that will decide the survival of the fittest.</p>]]>
      
   </content>
</entry>
<entry>
   <title>Kaiser Permanente becomes another healthcare data loss casualty</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/02/kaiser_permanente_joins_the_he.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.10072</id>
   
   <published>2009-02-09T19:22:03Z</published>
   <updated>2009-02-09T19:37:56Z</updated>
   
   <summary>A news report in the San Francisco bay area has brought attention to Kaiser warning nearly 30,000 employees of a data breach involving their names, addresses and social security numbers. In fact a handful of employees have already reported incidents of...</summary>
   <author>
      <name>Simon Thorpe</name>
      <uri>http://blogs.oracle.com/irm/about.html</uri>
   </author>
         <category term="Data loss" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="Health care" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="dataloss" label="data loss" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="healthcare" label="healthcare" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<table border="0" cellpadding="0" cellspacing="0"><tbody><tr><td valign="top"><img alt="Kaiser Permanente" src="http://blogs.oracle.com/irm/images/Kaiser_logo.gif" width="245" height="28" /></td><td valign="top">A <a href="http://www.mercurynews.com/ci_11646163" target="_blank">news report</a> in the San Francisco bay area has brought attention to Kaiser warning nearly 30,000 employees of a data breach</td></tr></tbody></table> involving their names, addresses and social security numbers. In fact a handful of employees have already reported incidents of identity theft.

<p>The report states, "The theft came to light after the arrest of San Ramon resident Mia Garza, 28, on Dec. 23 on suspicion of possession of stolen property and forgery. In a confiscated computer, San Ramon police later found a file with Kaiser employee data, said San Ramon police Cpl. Rich Persson."</p>

<p>So it seems that a computer was stolen from Kaiser and contained the information about the employees. A classic case of data loss that would've been prevented had the document in question been secured using Oracle IRM. Not only that, but attempts to open the file would've created an audit trail for the police to use as part of the investigation.</p>

<p>Kaiser is helping its employees by providing "one year of free credit monitoring to help affected employees protect their accounts." This can't be cheap for 30,000 odd employees. I wonder if the cost of an IRM solution would have been cheaper?</p>]]>
      
   </content>
</entry>
<entry>
   <title>Online Oracle Enterprise 2.0 (E2.0) Conference</title>
   <link rel="alternate" type="text/html" href="http://blogs.oracle.com/irm/2009/02/online_e20_conference.html" />
   <id>tag:blogs.oracle.com,2009:/irm//122.10058</id>
   
   <published>2009-02-09T10:08:01Z</published>
   <updated>2009-02-09T19:02:06Z</updated>
   
   <summary> Oracle IRM forms part of the Oracle Enterprise 2.0 (E2.0) solution set, enabling organizations to manage, search, protect, track, and archive information assets, and build rich, collaborative web sites and portals for internal and external business processes. Oracle is...</summary>
   <author>
      <name>martin.abrahams</name>
      
   </author>
         <category term="General" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="e20" label="e2.0" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="enterprise20" label="enterprise 2.0" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="informationrightsmanagement" label="information rights management" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="irm" label="irm" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://blogs.oracle.com/irm/">
      <![CDATA[<center><a href="http://events.unisfair.com/index.jsp?eid=353&seid=26" target="_blank"><img alt="Online Oracle Enterprise 2.0 Conference" src="http://blogs.oracle.com/irm/images/e20conf.jpg" width="477" height="196" /></a></center>

<p>Oracle IRM forms part of the Oracle Enterprise 2.0 (E2.0) solution set, enabling organizations to manage, search, protect, track, and archive information assets, and build rich, collaborative web sites and portals for internal and external business processes. Oracle is hosting a virtual conference which will go over the entire set of technologies in this area, including IRM.</p>

<p>To find out more, sign up for the <a href="http://events.unisfair.com/index.jsp?eid=353&seid=26" target="_blank">Oracle E2.0 Online Conference</a> which will be live on February 19th and will be made available for playback afterward.</p>]]>
      
   </content>
</entry>

</feed>
