Monday Aug 01, 2011

Document Theft - IRM as a Last Line of Defense

I haven't had much time to update the blog recently, but just time to post before going on holiday. Over recent weeks there have been numerous stories relating to document theft – the Pentagon commentary on systematic theft of thousands of documents from defense contractors, the reports of journalists hacking into not just phones but the email systems of public and private citizens, the smug announcements by “cyber terrorists” that they’ve stolen files from various organisations.

The relevance of IRM is clear. Protect your perimeter, your applications, your file systems and repositories, of course, but protect your sensitive documents too. In the end, there are so many ways to gain digital possession of documents – but only one way to actually make use of them if they are protected by IRM. Anyone stealing a sealed document by whatever means has another substantial line of defense to overcome.

And that line of defense is designed to audit and authenticate access attempts as well as consider a number of other risk factors. It can also be rapidly reconfigured to deny access completely in the event of calamity – a single rule change can prevent all access from compromised user accounts or for whole classifications of information. The audit trail can also provide valuable clues as to the source of the attack.

In a cloudy world, where perimeters are of diminishing relevance, you need to apply controls to the assets themselves. And the scalable, manageable, intuitive way to achieve that control is Oracle IRM.

Tuesday Jun 14, 2011

IRM Hotfolder update - seal docs automatically

Another update of the IRM Hotfolder tool was announced a few days ago - 3.2.0.

The main enhancement this time is to preserve timestamps, ownership and file system permissions during the automated sealing process. Earlier versions would create sealed files with timestamps reflecting the time of sealing, and ownership attributed to the wrapper utility, etc. This version lets you preserve the properties of the file prior to sealing. 

The documentation has also been updated to clarify the permissions needed to use the utility.

For those who aren't familiar with the IRM Hotfolder, it is a simple utility that uses IRM APIs to seal and unseal files automatically by monitoring file system folders, WebDAV folders, SharePoint folders, application output folders, and so on.

Saturday Jun 11, 2011

Clouds Leak - IRM protects

In a recent report, security professionals reported two leading fears relating to cloud services:

"Exposure of confidential or sensitive information to unauthorised systems or personnel"

"Confidential or sensitive data loss or leakage"

 

These fears are compounded by the fact that business users frequently sign themselves up to cloud services independently of whatever arrangements are made by corporate IT. Users are making personal choices to use the cloud as a convenient place to store and share files - and they are doing this for business information as well as personal files. In my own role, I was recently invited by a partner to review a sensitive business document using Google Docs. I just checked, and the file is still there weeks after the end of that particular project - because users don't often tidy up after themselves.

So, the cloud gives us new, seductively simple ways to scatter information around, and our choices are governed by convenience rather than compliance. And not all cloud services are equal when it comes to protecting data. Only a few weeks ago, it was reported that one popular service had amended its privacy assurance from "Nobody can see your private files..." to "Other [service] users cannot...", and that administrators were "prohibited" from accessing files - rather than "prevented". This story demonstrates that security pros are right to worry about exposure to unauthorised systems and personnel.

Added to this, the recent Sony incident highlights how lazy we are when picking passwords, and that services do not always protect passwords anything like as well as they should. Reportedly millions of passwords were stored as plain text, and analysis shows that users favoured very simple passwords, and used the same password for multiple services. No great surprise, but worrying to a security professional who knows that users are just as inconsiderate when using the cloud for collaboration.

No wonder then that security professionals put the loss or exposure of sensitive information firmly at the top of their list of concerns. They are faced with a triple-whammy - distribution without control, administration with inadequate safeguards, and authentication with weak password policy. A compliance nightmare.

So why not block users from using such services? Well, you can try, but from the users' perspective convenience out-trumps compliance and where there's a will there's a way. Blocking technologies find it really difficult to cover all the options, and users can be very inventive at bypassing blocks. In any case, users are making these choices because it makes them more productive, so the real goal, arguably, is to find a safe way to let people make these choices rather than maintain the pretence that you can stop them.

The relevance of IRM is clear. Users might adopt such services, but sealed files remain encrypted no matter where they are stored and no matter what mechanism is used to upload and download them. Cloud administrators have no more access to them than if they found them on a lost USB device. Further, a hacker might steal or crack your cloud passwords, but that has no bearing on your IRM service password, which is firmly under the control of corporate policy. And if policy changes such that the users no longer have rights to the files they uploaded, those files become inaccessible to them regardless of location. You can tidy up even if users do not.

Finally, the IRM audit trail can give insights into the locations where files are being stored.

So, IRM provides an effective safety net for your sensitive corporate information - an enabler that mitigates risks that are otherwise really hard to deal with.

Thursday Jun 02, 2011

Growing Risks: Mobiles, Clouds, and Social Media

The International Information Systems Security Certification Consortium, Inc., (ISC)²®, has just published a report conducted on its behalf by Frost & Sullivan.

The report highlights three growing trends that security professionals are, or should be, worried about - mobile device proliferation, cloud computing, and social media.

Mobile devices are highlighted because survey respondents ranked them second in terms of threat (behind application vulnerabilities). Frost & Sullivan comment that "With so many mobile devices in the enterprise, defending corporate data from leaks either intentionally or via loss or theft of a device is challenging." Most respondents reported that they have policies and technologies in place, with rights management being reported as part of the technology mix.

Cloud computing was ranked considerably lower by respondents, but Frost & Sullivan highlighted it as a growing concern for which the security professionals consistently cited the need for more training and awareness.

The security professionals also reported that their two most feared cloud-related threats are:

  • "Exposure of confidential or sensitive information to unauthorised systems or personnel"
  • "Confidential or sensitive data loss or leakage"

These two concerns were ranked head and shoulders above access controls, cyber attacks, and disruptions to operation, and concerns about compliance audits and forensic reporting.

Rather contrarily, the third trend is highlighted because respondents reported that it is not a major concern. Frost & Sullivan observe that many security professionals appear to be under-estimating the risks of social computing, with 28% of respondents saying that they impose no restrictions at all on the use of social media, and most imposing few restrictions.

So, interesting reading although no great surprises - and reason enough for me to write three pieces on what Oracle IRM brings to the party for each of these three challenging trends.

A comment on mobile device proliferation is already available here.

A comment on cloud adoption is available here

Monday May 30, 2011

Simple IRM Demonstration

The demo server has recently been retired after many years of faithful service. Please contact your local Oracle representative if you would like a demo, or see the demos on the Oracle IRM YouTube channel.

Thursday May 26, 2011

IRM Item Codes: How to Find Them


In a recent post, I discussed the value of item codes for enabling document-specific policies. As a rule, we recommend avoiding document-specific policies because of the governance and usability issues that this tends to raise, but there are numerous scenarios where it is the right approach for some types of communication.

A colleague who is responsible for such a scenario within Oracle asked me for some tips on how to find the item code, so this post provides a few simple suggestions.

Firstly, you can usually see a document's item code simply by selecting it in Windows Explorer and hovering the mouse pointer over the document. On most operating systems, the tooltip provided by Explorer is modified to include a few pieces of IRM metadata, including the item code.

[Screenshot: IRM tooltip]

If you prefer, you can select a file and access its Properties dialog. The IRM Desktop adds an Oracle IRM tab to the dialog on most OSs and exposes further metadata including the item code. This approach has the additional advantage that you can copy the metadata to the clipboard - so you can cut and paste the item code if you need to specify it when setting up item specific policy.

[Screenshot: IRM properties tab in Explorer]

Another method is to access the control panel from the IRM toolbar or menu when you are actually using a document. This gives you access to the metadata as well as a tab that tells you what rights you have, when the rights are due for refresh or expiry, a link to reset your password (presuming you are not using single sign on), and IRM Desktop version information.

[Screenshot: IRM Desktop control panel]

There are other ways to get at the item code and other metadata - including programmatic methods that you might use during automated workflows that need to make decisions based on the item code or other factors - but these are the three most obvious ways for users to get at the item code if the scenario requires it. Of course, most users never need to know or care about such things.

Wednesday May 25, 2011

IRM 11g Quick Setup Guide

The following pages provide a step-by-step guide to setting up an 11g IRM system, covering everything from downloading the software through to creating your first sealed documents, and then provide some guidance on classification design and some examples of how you might use classifications to meet the needs of some typical workflows.

Saturday May 07, 2011

IRM Desktop for 64-bit Systems

Quick product update – the IRM Desktop now formally supports 64 bit Windows. Oracle has just released Oracle Fusion Middleware 11g R1 PS4 (11.1.1.5.0), which includes a fresh IRM build. Some of our customers have been using earlier IRM Desktops on 64 bit systems for various reasons, but there were some known restrictions. The PS5 release gives us a build that is formally certified for 64 bit. The new kit is available from the Oracle Tech Network and elsewhere.

Sunday Apr 10, 2011

Screen Protection for IRM Protected Documents

 


Someone just posted a question to the IRM wall on Facebook regarding screen protection. Here is some commentary on the subject based on a blog entry from way back in 2008.

Oracle IRM lets you define policy for screen grabbing as part of user roles. Users with the Screen Capture right assigned as part of their role will be able to take screen shots in the usual ways, but users without that right will find that IRM can mask out sensitive windows.

This immediately illustrates a difference between Oracle IRM and most other solutions, because most solutions attempt to completely disable screen grabbing whenever a protected file is open – even if minimised. To illustrate what I mean, here is a typical example of what you would see if taking a screen shot when there is a sealed document open on the screen and you do not have the Screen Capture right.

[Screenshot: OracleIRMScreenShot.jpg]

You can see that a portion of the screen has been protected, but the capture was not completely prevented. If we completely blocked screen capture, the user would be forced to close all protected documents before repeating their screen capture attempt. This might be pretty inconvenient and frustrating, for example, if the purpose of taking the screen shot is to insert it into the sealed doc you are currently editing, or you have several sealed docs open and you are not sure which is preventing the screen shot, so you need to close them all.

To be clear, we do not claim that Oracle IRM guards against all methods of screen capture – there are so many to consider, and in any case it is always possible to use a camera or to take notes with a pencil and paper if you are determined to copy the information. The fundamental control always remains the control on whether you can open the document in the first place.

Nevertheless, there is real value in the layer of screen protection we provide. Security is all about layers of protection, but nothing is 100% secure unless it is 100% unusable.

Our solution is also a very good way to remind an end user that content is protected, or to protect content that happens to be open when a user makes a legitimate attempt to take a screen shot of something else. On seeing the area that the IRM Desktop has masked out, the usual reaction is surprise that such protection is possible, and appreciation that the solution is only affecting the content that needs to be protected. Customers agree that this approach is a valuable way to remind user communities that they are dealing with sensitive information, and need to adjust their behaviour accordingly – but at the same time, the inconvenience is limited to the content that needs to be protected, so the solution is balancing protection and productivity.

As always with Oracle IRM, the right to screen capture is defined as part of a role, so it can be assigned to the right users for the right classifications of users as a matter of policy. One of the main reasons to assign the right is to enable authorised users to use sealed documents during web conferences. Web conferencing tools often work by taking a series of screen shots and passing them back and forth.

 

Monday Apr 04, 2011

Controlling Rights Synchronization in IRM 11g

 


A colleague recently asked how you can control the periodic synchronization of rights and audit data in IRM 11g – and what are the defaults? What factors should you consider when deciding whether the default synch schedule is right for your organisation, and how does synching impact the performance of the client and the server in large deployments? What exactly is synchronized on each occasion?

By default, synchronization occurs Monday to Friday between the hours of 9am and 5.30pm. The admin UI for the synch schedule is pretty self-explanatory…

[Screenshot: synch schedule]

Each IRM Desktop evaluates that time window according to its local time zone, so if you have users scattered around the world, they will each synch during their respective working days. You’ll note that the time window is quite large – a full working day. This ensures that the server is not hit by large peaks of requests in large deployments. There is usually no great urgency to get the synch done at a particular time, so we set a broad window.

Each IRM Desktop will pick a random time during each time window – again so that they don’t all try at once – and automatically tries again at intervals in the event of failure. If the network is disconnected at the time, the IRM Desktop will watch for the next connection and try again. All of this is transparent to the user.

What exactly gets synchronized? Synchronization is a two-way activity. The server provides the client with a fresh statement of the user’s rights and resets the offline periods so that the user rarely, if ever, hits the expiry time. In most configurations, this provides the user with a cached copy of ALL of their rights. Our classification model makes this viable even at large scale – there might be thousands or millions of documents, but they are usually organised for policy purposes into a few classifications, and each user has rights to a few classifications. So, each IRM Desktop only needs to receive a small amount of policy information in order for the user to have access to thousands of documents. There is no need for a user to be sent any information about classifications that they do not have any right to use, so the set of information sent to each user is usually quite small.

The server can also take the opportunity to inform the client of a change to the synch schedule, and to remind the client of the correct time from the server’s perspective.

In return, the client provides the server with the audit trail generated by its user since the previous synch event. This means that the server gets regular updates about offline usage of sensitive information. Some solutions only provide audit trail for events that involve contacting the server – so offline use is often invisible.

So why might you change the defaults? The most common reason is simply that your working week might not be Monday to Friday. If you have users in the Middle East, for example, you might configure the schedule accordingly. Alternatively, if you have a service in which rights rarely change, or you are not particularly worried about how quickly policy changes propagate out to users, you might reduce to a weekly schedule rather than daily – but the amount of traffic generated by synching is pretty modest so most customers stick with the defaults.

Another reason would be if you are not using the out-of-the-box classification model. If you are managing rights file-by-file or using some other model that involves a lot of policy configuration, then there might be a lot of information to synch to each user.

Another might be that it is REALLY important that policy changes be propagated rapidly or that audit trail be collected more frequently – so you might configure a lot of smaller windows during each day. Or you might modify some or all roles to achieve similar effects. You increase the traffic, but gain greater control and visibility.

Also, if appropriate, you can configure some or all roles to disable offline auditing. This reduces the amount of data that the client needs to send to the server. This might be useful if users are using a lot of sealed content and you are not too interested in the audit trail. Again, you choose which roles to exempt from auditing.

Thus, out-of-the-box we provide a powerful mechanism for ensuring timely propagation of policy changes and frequent upload of offline audit data – but we also give you a variety of controls to play with if needed.
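The scheduling behaviour described in this post can be modelled in a few lines. The following is an added sketch, not Oracle IRM code: `SyncWindow`, `next_sync` and `busiest_slot_share` are hypothetical names, fixed UTC offsets stand in for real time zones, and the Sunday-to-Thursday window is a constructed example of a non-default working week.

```python
import random
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone


@dataclass(frozen=True)
class SyncWindow:
    days: frozenset  # weekday numbers, Monday = 0
    start: time
    end: time


# Default described in the post: Monday to Friday, 9am to 5.30pm.
DEFAULT_WINDOW = SyncWindow(frozenset({0, 1, 2, 3, 4}), time(9, 0), time(17, 30))
# Constructed alternative for a Sunday-to-Thursday working week.
SUN_THU_WINDOW = SyncWindow(frozenset({6, 0, 1, 2, 3}), time(9, 0), time(17, 30))


def next_sync(now_utc, tz, window, rng):
    """Pick a random instant in the next window, judged in the client's local time."""
    local_now = now_utc.astimezone(tz)
    for offset in range(8):  # today plus the following seven days
        day = (local_now + timedelta(days=offset)).date()
        if day.weekday() not in window.days:
            continue
        opens = datetime.combine(day, window.start, tzinfo=tz)
        closes = datetime.combine(day, window.end, tzinfo=tz)
        earliest = max(opens, local_now)  # never schedule in the past
        if earliest >= closes:
            continue  # today's window has already closed
        span = (closes - earliest).total_seconds()
        return earliest + timedelta(seconds=rng.random() * span)
    raise ValueError("sync window has no active days")


def busiest_slot_share(clients, window, seed=1, slot_minutes=30):
    """Fraction of clients landing in the busiest slot of one window."""
    rng = random.Random(seed)
    before_open = datetime(2011, 4, 4, 0, 0, tzinfo=timezone.utc)  # a Monday
    slots = Counter()
    for _ in range(clients):
        when = next_sync(before_open, timezone.utc, window, rng)
        opens = datetime.combine(when.date(), window.start, tzinfo=timezone.utc)
        slots[int((when - opens).total_seconds() // (slot_minutes * 60))] += 1
    return max(slots.values()) / clients


if __name__ == "__main__":
    saturday = datetime(2011, 4, 2, 12, 0, tzinfo=timezone.utc)
    rng = random.Random(7)
    print("UTC client   :", next_sync(saturday, timezone.utc, DEFAULT_WINDOW, rng))
    print("UTC+3 client :", next_sync(saturday, timezone(timedelta(hours=3)),
                                      SUN_THU_WINDOW, rng))
    print("busiest 30 min slot:", busiest_slot_share(5000, DEFAULT_WINDOW))
```

With 5,000 simulated clients the busiest half-hour receives only a few percent of the requests, which is the load-spreading effect of a broad window combined with random selection.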

 

Saturday Apr 02, 2011

Customising Status Pages in Oracle IRM 11g

 


Did you know that you can customise the pages that users see, for example, when they are denied access to a document - what we call Status Pages? Simon blogged about this nearly two years ago, during the days of IRM 10g. The capability is, of course, still very much part of IRM 11g, but the mechanism has changed, so this is a brief update. The details are in the IRM docs here.

Out of the box, IRM 11g provides a page that will look a lot like this....

[Screenshot: status page default]

As you can see, this is very much an Oracle branded page.

You can see in the above example that the status page shows some information about the file that is being accessed - the file name, the date it was sealed, and the name of the context it is sealed to. These details are provided by the IRM Desktop as query strings that it appends to the URL of the status page. The server interprets the query strings so that it can construct a context sensitive status page. In many cases, calls to the Help Desk are forestalled because the status page makes it self-evident that the user was denied access for very good reason.

Useful as the default page is, many customers like to redirect to custom pages. In so doing, they can apply their own corporate branding to make it clear whose policy is being enforced. They can also add further information to the status page as appropriate to their own needs. For example, they might provide links to corporate classification policy or links to an account provisioning system or contact details of the people responsible for managing this particular classification of information.

The custom status pages can still take advantage of the query strings provided by the IRM Desktop, and the customer can add further parameters that are specific to their deployment.

For further information, refer to the IRM 11g Developer's Guide, which explains the various options and parameters that you can exploit in your custom pages.
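Because a custom status page builds its content from query strings supplied by the client, those values should be treated as untrusted display data: allow-list the parameters you expect, bound their length, and HTML-encode them on output. The following is an added sketch, not Oracle code; the parameter names `filename`, `sealed` and `context`, the organisation name and the policy URL are all hypothetical, and the real parameter names are those documented in the Developer's Guide.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical query-string names mapped to the labels shown on the page.
DISPLAY_FIELDS = {"filename": "File", "sealed": "Sealed on", "context": "Context"}
MAX_VALUE_LENGTH = 200


def status_fields(url):
    """Extract only the expected parameters, bounded and stripped of control characters."""
    query = parse_qs(urlsplit(url).query, max_num_fields=20)
    fields = {}
    for name, label in DISPLAY_FIELDS.items():
        values = query.get(name)
        if not values:
            continue
        text = "".join(ch for ch in values[0] if ch.isprintable())
        fields[label] = text[:MAX_VALUE_LENGTH]
    return fields


def render_status_page(url, organisation="Example Corp",
                       policy_url="https://intranet.example/classification-policy"):
    """Build a branded page; every client-supplied value is HTML-encoded."""
    rows = "\n".join(
        f"    <tr><th>{html.escape(label)}</th><td>{html.escape(value)}</td></tr>"
        for label, value in status_fields(url).items()
    )
    return (
        "<!DOCTYPE html>\n<html>\n<body>\n"
        f"  <h1>{html.escape(organisation)}: access to this document was denied</h1>\n"
        f"  <table>\n{rows}\n  </table>\n"
        f'  <p><a href="{html.escape(policy_url)}">Classification policy</a></p>\n'
        "</body>\n</html>\n"
    )


# Constructed request: the file name contains markup and there is an unexpected parameter.
SAMPLE_URL = ("https://irm.example/status?filename=%3Ci%3EBoard%3C%2Fi%3E+Minutes.sdocx"
              "&sealed=2011-04-02&context=oracle+-+internal&debug=1")

if __name__ == "__main__":
    print(render_status_page(SAMPLE_URL))
```

The page only displays these values; the decision to deny access has already been made by IRM and must not be re-derived from the query string.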

 

Monday Mar 28, 2011

Information Rights Management supports IE9

 

Hi, just a brief note to mention that we released an IRM Desktop last week to provide compatibility with IE9. The new IRM Desktop is compatible with 10g and 11g IRM Servers, and is available via our patch delivery mechanism in the Oracle Support site. Customers can download it from there and distribute it to their users as and when required.

To recap, the latest IRM Desktop supports Microsoft Office from 2000 through 2010 for Office formats and RTF and text, Outlook likewise for sealed email, Adobe 9 and X for PDF, MS IE 7 through 9 for HTML, XML and some image formats, and MS SharePoint 2007 and 2010.

For searching encrypted content, it also supports Windows Explorer Search from XP through Windows 7, Windows Indexing Service on XP and 2003, and SharePoint Indexing Service 2003 and 2008.

UPDATE: A number of people have contacted me to ask how to get hold of the patch kit. If you are an Oracle customer, you can go to support.oracle.com and log in using your customer service id to access patches and knowledge base articles and much more. The IRM patch for IE9 should be found by searching for 10410462. If you use IRM as part of a service run by one of our customers, then the service provider should be making the patch available to you.

 

Monday Mar 14, 2011

Anonymous exposes sensitive bank emails

 

As expected for quite a while, emails purporting to reveal alleged naughtiness at a major bank have been released today. A bank spokesman says "We are confident that his extravagant assertions are untrue".

The BBC report concludes...  "Firms are increasingly concerned about the prospect of disgruntled staff taking caches of sensitive e-mails with them when they leave, said Rami Habal, of security firm Proofpoint.

"You can't do anything about people copying the content," he said.

But firms can put measures in place, such as revoking encryption keys, which means stolen e-mails become unreadable, he added."

Actually, there is something you can do to guard against copying. While traditional encryption lets authorised recipients make unprotected copies long before you revoke the keys, Oracle IRM provides encryption AND guards against unprotected copies being made. Recipients can be authorised to save protected copies, and cut-and-paste within the scope of a protected workflow or email thread - but can be prevented from saving unprotected copies or pasting to unprotected files and emails. 

The IRM audit trail would also help track down attempts to open the protected emails and documents by unauthorised individuals within or beyond your perimeter.

 

Friday Mar 11, 2011

IRM Item Codes – what are they for?

 


A number of colleagues have been asking about IRM item codes recently - what are they for, when are they useful, how can you control them to meet some customer requirements? This is quite a big topic, but this article provides a few answers.

An item code is part of the metadata of every sealed document - unless you define a custom metadata model. The item code is defined when a file is sealed, and usually defaults to a timestamp/filename combination.

This time/name combo tends to make item codes unique for each new document, but actually item codes are not necessarily unique, as will become clear shortly.

In most scenarios, item codes are not relevant to the evaluation of a user's rights - the context name is the critical piece of metadata, as a user typically has a role that grants access to an entire classification of information regardless of item code. This is key to the simplicity and manageability of the Oracle IRM solution.

Item codes are occasionally exposed to users in the UI, but most users probably never notice and never care. Nevertheless, here is one example of where you can see an item code - when you hover the mouse pointer over a sealed file.

[Screenshot: tooltip]

As you see, the item code for this freshly created file combines a timestamp with the file name.

But what are item codes for?

The first benefit of item codes is that they enable you to manage exceptions to the policy defined for a context. Thus, I might have access to all oracle - internal files - except for 2011_03_11 13:33:29 Board Minutes.sdocx.

This simple mechanism enables Oracle IRM to provide file-by-file control where appropriate, whilst offering the scalability and manageability of classification-based control for the majority of users and content. You really don't want to be managing each file individually, but never say never.

Item codes can also be used for the opposite effect - to include a file in a user's rights when their role would ordinarily deny access. So, you can assign a role that allows access only to specified item codes. For example, my role might say that I have access to precisely one file - the one shown above.

So how are item codes set?

In the vast majority of scenarios, item codes are set automatically as part of the sealing process. The sealing API uses the timestamp and filename as shown, and the user need not even realise that this has happened. This automatically creates item codes that are for all practical purposes unique - and that are also intelligible to users who might want to refer to them when viewing or assigning rights in the management UI.

It is also possible for suitably authorised users and applications to set the item code manually or programmatically if required.

Setting the item code manually using the IRM Desktop

The manual process is a simple extension of the sealing task. An authorised user can select the Advanced... sealing option, and will see a dialog that offers the option to specify the item code.

[Screenshot: set item code dialog]

 

To see this option, the user's role needs the Set Item Code right - you don't want most users to give any thought at all to item codes, so by default the option is hidden.

Setting the item code programmatically

A more common scenario is that an application controls the item code programmatically. For example, a document management system that seals documents as part of a workflow might set the item code to match the document's unique identifier in its repository. This offers the option to tie IRM rights evaluation directly to the security model defined in the document management system. Again, the sealing application needs to be authorised to Set Item Code.

The Payslip Scenario

To give a concrete example of how item codes might be used in a real world scenario, consider a Human Resources workflow such as payslips. The goal might be to allow the HR team to have access to all payslips, but each employee to have access only to their own payslips.

To enable this, you might have an IRM classification called Payslips. The HR team have a role in the normal way that allows access to all payslips. However, each employee would have an Item Reader role that only allows them to access files that have a particular item code - and that item code might match the employee's payroll number. So, employee number 123123123 would have access to items with that code. This shows why item codes are not necessarily unique - you can deliberately set the same code on many files for ease of administration.

The employees might have the right to unseal or print their payslip, so the solution acts as a secure delivery mechanism that allows payslips to be distributed via corporate email without any fear that they might be accessed by IT administrators, or forwarded accidentally to anyone other than the intended recipient.

All that remains is to ensure that as each user's payslip is sealed, it is assigned the correct item code - something that is easily managed by a simple IRM sealing application. Each month, an employee's payslip is sealed with the same item code, so you do not need to keep amending the list of items that the user has access to - they have access to all documents that carry their employee code.
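The three uses of item codes described in this post (a context-wide role, an exception to that role, and an Item Reader role limited to named codes) can be expressed as a small rights-evaluation model. This is an added illustration, not the Oracle IRM API: `RoleAssignment`, `rights_for` and the user names are hypothetical, the documents are constructed samples, and the rule that rights are the union of all covering assignments is an assumption of this model.

```python
from dataclasses import dataclass
from datetime import datetime


def default_item_code(sealed_at, filename):
    """Timestamp/filename combination, laid out like the example in the post."""
    return f"{sealed_at.strftime('%Y_%m_%d %H:%M:%S')} {filename}"


@dataclass(frozen=True)
class RoleAssignment:
    user: str
    context: str
    rights: frozenset
    only_items: frozenset = frozenset()    # non-empty: role applies to these codes only
    except_items: frozenset = frozenset()  # codes carved out of a context-wide role

    def covers(self, context, item_code):
        if context != self.context or item_code in self.except_items:
            return False
        return not self.only_items or item_code in self.only_items


def rights_for(assignments, user, context, item_code):
    """Union of the rights from every assignment that covers this document."""
    granted = set()
    for a in assignments:
        if a.user == user and a.covers(context, item_code):
            granted |= a.rights
    return frozenset(granted)


def can_open(assignments, user, context, item_code):
    return "open" in rights_for(assignments, user, context, item_code)


def readable(assignments, user, documents):
    """Names of the documents this user can open."""
    return [name for context, item_code, name in documents
            if can_open(assignments, user, context, item_code)]


BOARD_MINUTES = default_item_code(datetime(2011, 3, 11, 13, 33, 29), "Board Minutes.sdocx")
ROADMAP = default_item_code(datetime(2011, 3, 11, 14, 0, 0), "Roadmap.sdocx")

# Constructed assignments: one exclusion, one HR role, two Item Reader roles.
ASSIGNMENTS = [
    RoleAssignment("alice", "oracle - internal", frozenset({"open"}),
                   except_items=frozenset({BOARD_MINUTES})),
    RoleAssignment("hr_anna", "Payslips", frozenset({"open", "print", "seal"})),
    RoleAssignment("employee_123123123", "Payslips",
                   frozenset({"open", "print", "unseal"}),
                   only_items=frozenset({"123123123"})),
    RoleAssignment("employee_456456456", "Payslips",
                   frozenset({"open", "print", "unseal"}),
                   only_items=frozenset({"456456456"})),
]

# Constructed documents: (context, item code, file name). Each month's payslip
# reuses the employee's payroll number as its item code.
DOCUMENTS = [
    ("oracle - internal", BOARD_MINUTES, "Board Minutes.sdocx"),
    ("oracle - internal", ROADMAP, "Roadmap.sdocx"),
    ("Payslips", "123123123", "payslip 123123123 2011-03.sdocx"),
    ("Payslips", "123123123", "payslip 123123123 2011-04.sdocx"),
    ("Payslips", "456456456", "payslip 456456456 2011-04.sdocx"),
]

if __name__ == "__main__":
    for user in ("alice", "hr_anna", "employee_123123123", "employee_456456456"):
        print(user, "->", readable(ASSIGNMENTS, user, DOCUMENTS))
```

Because the April payslip carries the same item code as the March one, the employee's single Item Reader assignment covers both without any change to policy.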

 

Thursday Mar 10, 2011

Hospital fined $1m for Patient Data Breach

 

As an illustration of the potential cost of accidental breaches, the US Dept of Health and Human Services recently fined a hospital $1m for losing documents relating to some of its patients. Allegedly, the documents were left on the subway by a hospital employee.

For incidents in the UK, several local government bodies have been fined between £60k and £100k. Evidently, the watchdogs are taking an increasingly firm position.

 

About

Oracle IRM protects and tracks your sensitive information no matter where it goes. It combines business friendly encryption with role based usage rights and auditing.
