Sunday Apr 10, 2011

Screen Protection for IRM Protected Documents



Someone just posted a question to the IRM wall on facebook regarding screen protection. Here is some commentary on the subject based on a blog entry from way back in 2008.

Oracle IRM lets you define policy for screen grabbing as part of user roles. Users with the Screen Capture right assigned as part of their role will be able to take screen shots in the usual ways, but users without that right will find that IRM can mask out sensitive windows.

This immediately illustrates a difference between Oracle IRM and most other solutions, because most solutions attempt to completely disable screen grabbing whenever a protected file is open – even if minimised. To illustrate what I mean, here is a typical example of what you would see if taking a screen shot when there is a sealed document open on the screen and you do not have the Screen Capture right.


You can see that a portion of the screen has been protected, but the capture was not completely prevented. If we completely blocked screen capture, the user would be forced to close all protected documents before repeating their screen capture attempt. This might be pretty inconvenient and frustrating, for example, if the purpose of taking the screen shot is to insert it into the sealed doc you are currently editing, or you have several sealed docs open and you are not sure which is preventing the screen shot, so you need to close them all.

To be clear, we do not claim that Oracle IRM guards against all methods of screen capture – there are so many to consider, and in any case it is always possible to use a camera or to take notes with a pencil and paper if you are determined to copy the information. The fundamental control always remains the control on whether you can open the document in the first place.

Nevertheless, there is real value in the layer of screen protection we provide. Security is all about layers of protection, but nothing is 100% secure unless it is 100% unusable.

Our solution is also a very good way to remind an end user that content is protected, or to protect content that happens to be open when a user makes a legitimate attempt to take a screen shot of something else. On seeing the area that the IRM Desktop has masked out, the usual reaction is surprise that such protection is possible, and appreciation that the solution is only affecting the content that needs to be protected. Customers agree that this approach is a valuable way to remind user communities that they are dealing with sensitive information, and need to adjust their behaviour accordingly – but at the same time, the inconvenience is limited to the content that needs to be protected, so the solution is balancing protection and productivity.

As always with Oracle IRM, the right to screen capture is defined as part of a role, so it can be assigned as a matter of policy to the right users for the right classifications. One of the main reasons to assign the right is to enable authorised users to use sealed documents during web conferences. Web conferencing tools often work by taking a series of screen shots and passing them back and forth.


Monday Apr 04, 2011

Controlling Rights Synchronization in IRM 11g



A colleague recently asked how you can control the periodic synchronization of rights and audit data in IRM 11g – and what are the defaults? What factors should you consider when deciding whether the default synch schedule is right for your organisation, and how does synching impact the performance of the client and the server in large deployments? What exactly is synchronized on each occasion?

By default, synchronization occurs Monday to Friday between the hours of 9am and 5.30pm. The admin UI for the synch schedule is pretty self-explanatory…

[screenshot: synch schedule admin UI]

Each IRM Desktop evaluates that time window according to its local time zone, so if you have users scattered around the world, they will each synch during their respective working days. You’ll note that the time window is quite large – a full working day. This ensures that the server is not hit by large peaks of requests in large deployments. There is usually no great urgency to get the synch done at a particular time, so we set a broad window.

Each IRM Desktop will pick a random time during each time window – again so that they don’t all try at once – and automatically tries again at intervals in the event of failure. If the network is disconnected at the time, the IRM Desktop will watch for the next connection and try again. All of this is transparent to the user.

What exactly gets synchronized? Synchronization is a two-way activity. The server provides the client with a fresh statement of the user’s rights and resets the offline periods so that the user rarely, if ever, hits the expiry time. In most configurations, this provides the user with a cached copy of ALL of their rights. Our classification model makes this viable even at large scale – there might be thousands or millions of documents, but they are usually organised for policy purposes into a few classifications, and each user has rights to a few classifications. So, each IRM Desktop only needs to receive a small amount of policy information in order for the user to have access to thousands of documents. There is no need for a user to be sent any information about classifications that they do not have any right to use, so the set of information sent to each user is usually quite small.

The server can also take the opportunity to inform the client of a change to the synch schedule, and to remind the client of the correct time from the server’s perspective.

In return, the client provides the server with the audit trail generated by its user since the previous synch event. This means that the server gets regular updates about offline usage of sensitive information. Some solutions only provide audit trail for events that involve contacting the server – so offline use is often invisible.

So why might you change the defaults? The most common reason is simply that your working week might not be Monday to Friday. If you have users in the Middle East, for example, you might configure the schedule accordingly. Alternatively, if you have a service in which rights rarely change, or you are not particularly worried about how quickly policy changes propagate out to users, you might reduce to a weekly schedule rather than daily – but the amount of traffic generated by synching is pretty modest so most customers stick with the defaults.

Another reason would be if you are not using the out-of-the-box classification model. If you are managing rights file-by-file or using some other model that involves a lot of policy configuration, then there might be a lot of information to synch to each user.

Another reason might be that it is REALLY important that policy changes be propagated rapidly or that audit trail be collected more frequently – so you might configure a lot of smaller windows during each day. Or you might modify some or all roles to achieve similar effects. You increase the traffic, but gain greater control and visibility.

Also, if appropriate, you can configure some or all roles to disable offline auditing. This reduces the amount of data that the client needs to send to the server. This might be useful if users are using a lot of sealed content and you are not too interested in the audit trail. Again, you choose which roles to exempt from auditing.

Thus, out-of-the-box we provide a powerful mechanism for ensuring timely propagation of policy changes and frequent upload of offline audit data – but we also give you a variety of controls to play with if needed.
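The schedule mechanics described in this post (a window evaluated in the client's local time, a random instant picked inside it, retries on network failure, and a two-way exchange of rights and audit data) as an added Python model written for this page; it is not Oracle's code, and `SyncWindow`, `synchronize` and the `exchange()` callable are assumed names. The simulation at the end shows why the broad window matters: it flattens the server load of a large deployment.

```python
import random
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed model of the IRM Desktop synch schedule described above; it is not
# Oracle's code. Weekdays use Python numbering: 0 = Monday ... 6 = Sunday.
@dataclass(frozen=True)
class SyncWindow:
    weekdays: frozenset
    start: time
    end: time

# The documented default: Monday to Friday, 9:00 to 17:30, read in each client's local time.
DEFAULT_WINDOW = SyncWindow(frozenset(range(5)), time(9, 0), time(17, 30))

def _as_dt(value):
    """Accept a datetime or an ISO-8601 string (the client's local wall-clock time)."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value

def current_or_next_window(now, window=DEFAULT_WINDOW):
    """Return (start, end) of the window this client should synch in.
    Inside today's window the remaining part is returned, so a desktop that starts
    mid-day still synchs today; otherwise the next working day's full window."""
    now = _as_dt(now)
    day = now.date()
    for _ in range(8):  # today plus up to a week ahead
        start = datetime.combine(day, window.start, tzinfo=now.tzinfo)
        end = datetime.combine(day, window.end, tzinfo=now.tzinfo)
        if day.weekday() in window.weekdays and now < end:
            return max(start, now), end
        day += timedelta(days=1)
    raise ValueError("schedule contains no working days")

def pick_sync_time(now, window=DEFAULT_WINDOW, rng=random):
    """Each desktop picks a uniformly random instant in its window, so that a large
    deployment spreads its requests over the working day instead of peaking."""
    start, end = current_or_next_window(now, window)
    return start + timedelta(seconds=rng.uniform(0, (end - start).total_seconds()))

def synchronize(exchange, max_attempts=4):
    """One two-way synch. `exchange()` models the round trip: the client uploads its
    offline audit trail and receives fresh rights, a reset offline period and possibly
    a new schedule. It raises ConnectionError when the network is down. Returns
    (server_reply, attempts_used); the client retries at intervals before giving up."""
    for attempt in range(1, max_attempts + 1):
        try:
            return exchange(), attempt
        except ConnectionError:
            if attempt == max_attempts:
                raise
            # the real client waits for an interval, or for the network to reconnect, here

def busiest_hour(clients, now, window=DEFAULT_WINDOW, seed=1):
    """Simulate `clients` desktops choosing synch times and return the largest number
    that land in any single hour; compare with `clients` for a fixed synch time."""
    rng = random.Random(seed)
    per_hour = {}
    for _ in range(clients):
        hour = pick_sync_time(now, window, rng).hour
        per_hour[hour] = per_hour.get(hour, 0) + 1
    return max(per_hour.values())
```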


Monday Oct 18, 2010

Document security in the real world, experience from the field

I've invited Justin Cross from Brandon Cross Technologies to share some of the experience gained in the industry when implementing IRM solutions. So over to you Justin...

I began working with IRM at SealedMedia and I have seen it grow and mature through the refinement which only comes from many, many real world deployments, where we need to apply thoughtful consideration to the protection of real business information against real security risks, while keeping real business users happy and assured that the technology won't get in the way.

I decided to take on the challenge of forming my own company, Brandon Cross Technologies, just as SealedMedia were being acquired by Oracle. As Brandon Cross Technologies I've had the good fortune of working with a number of vendors, including Oracle, to provide the consultancy to successfully deploy software which requires an understanding of how software really gets used in practice, by real people, as well as the technical know-how.

We have recently been working with some of the largest oil & gas and telecom companies, among others, to deploy their IRM solutions to address their concerns regarding the dramatic increase in data security threats.


Secure from the inside

Despite the best efforts of virus checkers and firewalls, platform vulnerabilities and malware provide lots of scope for bad guys to punch holes in your defences, disrupt your systems, and steal your data. If you ensure your own business users can only access and use information they legitimately require, while retaining the ability to revoke that access, then any external threat will be no more able to extract information from your organisation than your own people. Information Rights Management therefore enables us to limit the threat from perimeter security breaches, as well as potential misuse of information by legitimate business users.



User buy-in

As with other security solutions, successful IRM deployments must be simple to use and work without impeding existing business processes. Any solution which slows or limits a business user's ability to do their daily work will be unpopular, but more importantly the user may actually end up putting business information at greater risk by avoiding such systems. In the case of IRM, users may create, request, distribute or keep unprotected files, or use an IRM Context or document classification intended for less sensitive information to avoid the more stringent controls intended by the business.


Of course once information is IRM protected it is under the full control of the appropriate information owner; but it does need to be sealed / protected in the first place. Protecting information using IRM needs to be a continual, business-as-usual process. While IRM provides simple tools to protect information, manual protection does involve the user making the decision to protect information as it is created, and being in the habit of doing so. This can be addressed through creation of clear guidelines, policy requirements and training.


Integrated solutions

Protecting information using IRM should be performed at the earliest point in the information life cycle. One way to ensure information is appropriately secured using IRM is to automate the protection / sealing process. Oracle IRM has open programmatic interfaces which allow information to be sealed and for rights to be programmatically managed. This allows IRM protection to be integrated with other content management, workflow and security products.


For example, Oracle IRM can be integrated with SharePoint, ensuring that any documents which are added into a SharePoint site are automatically IRM protected as they are uploaded. Information is then protected in storage, protecting against privileged users with server access, while still allowing documents to be found by keyword search using Oracle's unique search capabilities. Automated protection can therefore allow users to collaborate in the normal way without having to make the conscious decision to protect documents first, or even needing to be aware that such a step is necessary. In this way, taking the manual protection step away from users, the level of usage and consistency with which IRM protection is applied can be substantially improved.

Another policy enforcement technology which can be used in conjunction with IRM is DLP (Data Loss Prevention). There are a variety of vendors which provide DLP solutions and, as with IRM, these solutions work in a variety of ways with different features and capabilities. What they do have in common is the ability to monitor the movement of data within your organisation's network, with many also having the ability to control that movement. Some will purely monitor network communications using dedicated network appliances; others monitor file system, device and inter-process communications at the desktop. These capabilities can be used to make sure data does not leave your systems and networks without the necessary IRM protection being applied.


Brandon Cross Technologies

Brandon Cross Technologies is based in the UK, but has delivered projects internationally. It believes it is possible to take the pain and uncertainty out of deploying client-server and web based technologies, simply through listening to customers and sharing experience and expertise.

Thursday Oct 14, 2010

New Release of Oracle IRM Wrapper version 1.5.0

The wrapper tool has been updated again - this time to provide an installer script for Linux systems, and to improve compatibility between the IRM Desktop and the wrapper when installed on the same machine.

For further info, see the 1.4.0 announcement.

If you download and experiment with this tool, drop us a line to let us know how you get on.

Monday Jul 12, 2010

Maintain your CISA certification with an ISACA Singapore Chapter talk on Information Rights Management


This month the ISACA Singapore Chapter is organizing a dinner talk and networking session on Wednesday, July 21. Amitpal Singh Dhillon, one of our security experts in Singapore, is presenting on the topic of "Information Rights Management - How secure are your confidential documents?". Those who are CISA certified will attain 2 hours towards ongoing certification with this talk.

Details of the event are as follows (sign up here):

  • Time: 6:00pm - 9:00pm (Registration: 6:00pm; Dinner 6:30pm - 7:15pm; Presentation 7:15pm - 9:00pm)
  • Venue: National Library Board Building, Level 5, Imagination Room, 100 Victoria Street, Singapore 188064
  • Cost: S$30.00 (ISACA/IIA Members), S$45.00 (Non-Members), S$15.00 (Students) / Refer Student Registration below
  • CPE: 2 Hours
  • Dinner: Buffet Dinner Included (no pork no lard)
  • Who Should Attend?: Information Security Managers, Analysts and Architects, IT Managers, IT Auditors, Academia and researchers involved with information systems security awareness, training, education, and professionalism.


The speaker, Amitpal Singh Dhillon is well versed in Information Rights Management and is an Identity Management Security Architect for Oracle in the Asia region. Prior to joining Oracle, Dhillon worked as an Information Systems Engineer on Corporate IdM initiatives at Applied Materials in the Silicon Valley. In addition, he has experienced the typical diversity of products from multiple vendors, including Microsoft, SUN and IBM whilst responsible for implementation of such solutions in an SAP environment. To attend the dinner sign up here. For more information on the event visit the ISACA Singapore Chapter website and look in the current events section.

Thursday Nov 05, 2009

Oracle IRM at the Gartner Identity and Access Management Summit 2009

A bit late notice, but I've just been asked to attend the Gartner IAM summit in San Diego next week. I'll be available to discuss and demonstrate Oracle Information Rights Management; details of the summit are below.

Gartner Identity and Access Management Summit

Oracle is a Premier sponsor at the Gartner Identity and Access Management Summit this November 9 - 11, 2009 in San Diego, CA. Attendees will have the opportunity to meet with Oracle experts in a variety of sessions, including demonstrations during the showcase receptions.

  • Oracle Customer Case Study and Solution Provider Session
  • Oracle Solution Showcase Receptions
  • Oracle Face to Face Meetings

November 9 - 11, 2009

Sheraton San Diego
1380 Harbor Island Drive
San Diego, CA 92101

Benefits of Attending
  • Increase your company's agility and security by improving your IAM knowledge, and be better prepared to handle the current issues surrounding your IAM environment.
  • Fine tune and maximize your IAM-related projects by leveraging the experience of an increasing network of peers.
  • Better manage your own IAM-related initiatives by using Gartner's unbiased advice and information specific to your situation.
  • Gain insight into which tools could enhance your IAM implementations, and possibly put your company one step ahead of the competition.
  • Improve your company's security, efficiency, effectiveness, business agility, and productivity, by learning how to better manage your own IAM infrastructure.

Click here to view the agenda and to find out more about the Gartner IAM Summit.


Friday Oct 23, 2009

Oracle IRM Webcast: Secure Your Confidential Documents and E-Mail Everywhere They Are Stored and Used

We've just announced two webcasts for Oracle IRM, one in November and one in December. Click on the registration links below to join me live for a presentation and demonstration of information rights management done Oracle style :)

Oracle Corporation
Secure Your Confidential Content--Even Beyond the Firewall

Secure Your Confidential Documents and E-Mail Everywhere They Are Stored and Used

Controlling access to confidential information has never been more important. News agencies continue to report on data breaches resulting from criminal hacking, lost laptops, and incorrectly addressed e-mail. As public awareness grows, enterprises are not only required to implement preventive controls, but also to audit and demonstrate continuous compliance.

Oracle's complete information security solution manages data access everywhere data is used, stored, copied, and forwarded--even after leaving your servers. Join us for a FREE live Webcast to learn how Oracle Information Rights Management enables companies to:

  • Control and audit access to sensitive documents and e-mail wherever they reside, even after they have been shared with customers, partners, and suppliers
  • Revoke access to secured content after employees leave or partnerships end
  • Manage access to sensitive content without granting access to IT administrators
  • Scale security across tens of thousands of documents and users, based on clear information classification policies

Register now for this FREE Webcast on either
Thursday, November 19, 2009,
or Thursday, December 3, 2009. Don't miss the chance to learn how you can secure your confidential content--even beyond the firewall.


For your convenience, this Webcast will be presented twice. Register for the Webcast date of your choice.

Thursday, Nov. 19, 2009
10 a.m. PT / 1 p.m. ET

Thursday, Dec. 3, 2009
10 a.m. PT / 1 p.m. ET

Simon Thorpe
Oracle Information Rights Management security expert, Oracle


Oracle Fusion Middleware

Copyright © 2009 Oracle and/or its affiliates.
All rights reserved.


Monday Jul 20, 2009

Oracle IRM Desktop release advanced warning

Just a quick entry: Andy Peet, IRM product manager, has just announced the following:

In 2 weeks time Oracle will release a new IRM Desktop for Windows and IRM Unsealer for Mac.

This release contains a few bug fixes that some customers have requested. These fixes are largely in the areas of Excel macros and clashes with products from other IRM vendors. It is however a fairly minor release, and we do not expect most customers to upgrade to it.

If you would like more details prior to publication of the release notes please contact Oracle support or product management.
