Tuesday Dec 15, 2009

Oracle IRM December webcast now available as a replay

Secure Your Confidential Content--Even Beyond the Firewall

The second of our online IRM webcasts went really well and we had an even bigger attendance than the first. For those who were not able to attend and would like to listen at their own pace, an archive of the webcast is available.

If you're tempted to learn more about IRM, visit our YouTube channel or contact us for access to one of our evaluation services. You can also try Oracle IRM right now by registering to access our free sample secured content.

Monday Dec 14, 2009

Privacy watchdog warns about unacceptable level of data loss, highlighting the NHS


The Information Commissioner's Office (ICO) is continuing to raise awareness of data loss and highlights that in 2010 companies need to do more to protect customer and patient information. A recent report from the office states:

"Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Far too much personal data is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks, and other portable media."

The warning from the office comes with news that the worst offenders are in the health care industry. "We have investigated organisations, including several NHS bodies, that have failed to adequately secure their premises and hardware, which has left people's personal details at risk," said Mick Gorrill, the assistant commissioner with responsibility for investigations.

In the same month the ICO also released an excellent and much needed plain English guide to data protection.

Looking at the results of current research and also at the findings of risk assessments, Information Rights Management is a technology well designed to provide a fast solution to the loss of data in environments where security is hard to enforce. How do you control access to content that is lost by someone you've sent it to at another location outside your firewall? Oracle IRM provides the ability to secure and track that information no matter where it resides.

Loss of data in 2010 is to get more expensive as new laws allow the ICO to implement fines. David Smith, Deputy Information Commissioner, says: "Since November 2007 we have taken action against 54 organisations for the most reckless breaches in line with our commitment to proportionate regulation. Some of these breaches would trigger a significant fine for organisations were they to occur after the introduction of monetary penalties in 2010. We are keen to encourage organisations to achieve better data protection compliance and we expect that the prospect of a significant fine for reckless or deliberate data breaches will focus minds at Board level."

If you want to learn more about Oracle IRM, have a look at some of the videos on our YouTube channel and please contact us if you want to undertake a free evaluation.

Information Rights Management top of the Christmas list?

We come to the end of a busy year and we've seen a lot of examples over 2009 of data loss that could have been prevented. Computer Weekly have agreed and placed the loss or theft of customer data at the top of their Christmas wish list asking, "what will CEOs be asking CIOs to give them for Christmas?"



1. No more customer data nightmares


The loss or theft of confidential customer data makes headline news these days. Whether you are a public sector body such as the HMRC or a private organisation such as T-Mobile, both of which have been embroiled in high-profile data loss incidents, the damage to reputation is massive. Could technologies such as information rights management software, which make data impossible to read once outside an organisation, be top of the wish list?

Read more over at Computer Weekly.

Wednesday Nov 25, 2009

The importance of balancing security, usability and manageability

Security solutions that are poorly designed and difficult to use don't work. If security presents a significant hurdle for user adoption, it simply won't get used and people will just work around it.

With this in mind, I had an excellent meeting this week with a customer interested in Oracle IRM. Right from the start they commented that whatever information rights management solution they implement, it must be simple and easy for end users and the business to use and deploy. This is exactly the opinion we have when developing Oracle IRM. We've built a solution which gives the customer the ability to balance all three.


People sometimes spend a great deal of time wanting to understand how our crypto works, how long the keys are, how we ensure the security of the content when it's decrypted and passed to the rendering application, and how good the screen capture functionality is. These are all very important technical issues which we address, yet it is just as important to understand how the powerful classification model, the transparent synchronization of rights, the separation of rights from content and the ability to search in sealed content all contribute to a technology that is easy to use and effective to manage.

Experience this for yourself, just go have a look at the easy to use self service Oracle IRM demonstration.

Oracle IRM webcast replay available

Secure Your Confidential Content--Even Beyond the Firewall

Last week we had a great attendance at our online webcast. For those who were not able to attend and would like to listen at their own pace, an archive of the webcast is available.

We do however have another webcast on Thursday, Dec. 3, 2009 10 a.m. PT / 1 p.m. ET, so if you want to ask me any questions feel free to register.

Tuesday Oct 27, 2009

Follow Oracle IRM on Facebook and Twitter


Finally I gave in; too many people kept saying... "you should have a Twitter feed for your blog updates". Many in Oracle are embracing modern methods for communicating information about our technology and I decided to jump on the bandwagon. You can follow Oracle IRM on Twitter and also be a fan of our Oracle IRM page on Facebook.

Friday Oct 09, 2009

IRM, ERM, EDRM, DRM! What does it all mean?

Customers often ask whether Oracle IRM is a DRM technology. I thought I would therefore go over the main differences between the consumer technology world of DRM and the business world of IRM (or ERM/EDRM). First let's detail what the acronyms stand for.


Whilst at first glance it might seem like all of these technologies do the same thing, DRM is the odd one out and the others can be grouped together. In the early days IRM technologies were initially labeled as ERM in an attempt to separate them from DRM; the term IRM came later as the market matured. For simplicity's sake in this article, technologies such as ERM, EDRM and RMS will be discussed under the acronym IRM unless specifically mentioned.


What is the difference between DRM and IRM?

All of the technologies above use encryption to protect digital content and apply some form of rights control so the owner of the information can control who can open it. That is where the similarities end and the confusion begins. There are some general statements which can be made to define the differences between the two.



  • DRM refers to technologies that control access to common media formats, such as music, video and digitally published material (e.g. high value financial analysis reports)
  • IRM refers to technologies which control access to enterprise generated content, such as engineering intellectual property, HR documents, patient health records, company financial reports, sensitive email communication
  • Most enterprise based technologies (although not Oracle IRM) were developed from either an existing DRM technology, or at least from the same ideals and methods


The first two points are very important with regards to how the technologies are perceived by end users and the main goal for the implementation of the technology. Consider the following scenarios.

1. You purchase a favorite song in digital form and download it to your computer. You want to play this song on your laptop, on your mp3 player and also in your home CD player. Yet due to a technology used by the retailer that sold you the song, you can only play the music on a limited number of devices.

2. Your doctor stores your health information on his laptop inside documents that are encrypted and use rights controls to ensure only your doctor and authorized medical staff can open them.

DRM applies to the first situation and consumers are typically unhappy that technology is trying to dictate what they can do with content they've purchased. People are used to playing their music on a variety of devices and want to copy the information to whatever device they wish. DRM is typically about protecting the rights of the content owner from being abused; the consumer of that information doesn't necessarily care about the misuse of the content. This has led to a constant battle between DRM technologies and the users, with thousands trying to break/hack the DRM so they can use content as they wish.

IRM however addresses a very different issue. It is about helping businesses keep secrets a secret. That information might be your health records, your personal HR data at your place of work, or the intellectual property your company owns which allows it to keep ahead of the competition and keep you employed. End users have a very different view of IRM: they want to use it, because it helps protect them and their company's data.

So DRM focuses mainly on protecting business to consumer type content, where IRM focuses on enterprise content. This is important because it drives the technology in different ways. For instance, consider the following.

DRM protects a single file which is to only be opened by the purchaser, so the rights are embedded and delivered with the file. This works in a DRM model, because you want only the end user to access the content.

IRM is typically used in different scenarios, such as:

IRM protects a single file which is to be opened by 500 sales employees. After 6 months, 1/2 of the employees leave the company taking a copy of the file with them and another 250 people are hired. Of these people, 15 were promoted to manager and their rights to the document are increased so they are allowed to print copies.

To support the above you can't store any rights-specific information in the document itself because the rights do change over time. You need to have a way to change rights to the document without having to re-distribute it. Oracle IRM does this by separating the rights from the content. Oracle IRM has, from day one, kept all rights information outside the file itself and on the network server. Access and rights are granted at the point when the document is opened. Locally cached rights, an authenticated user and the encrypted document all come together at once.

Other IRM technologies have been developed from DRM technologies or they have used the same design methods. This is what prevents them from being truly enterprise scalable.

Finally, IRM can be used to solve some DRM problems. Oracle IRM has been successfully implemented by publishers to protect high value content in PDF documents. This is a classic business to consumer model but Oracle IRM, due to its scalable and more effective implementation of encryption, works and can deliver an effective solution.

Thursday Oct 08, 2009

Sealed Solutions partners with Outpost24

There has been a lot of partner activity with IRM recently, and more information will be coming out over the next few months. Right now one partner in Germany, Sealed Solutions GmbH, has just teamed up with a vulnerability assessment and management company, Outpost24, to bolster its information rights management practice.

Sealed Solutions are a leading provider of Oracle IRM services in Germany and the partnership with Outpost24 will increase their ability to fulfill major GRC (Governance, Risk and Compliance) requirements with vulnerability assessment and management best practices to ensure the protection and handling of customers' confidential information and data.

Norbert Bacher, CEO Sealed Solutions GmbH, was quoted as saying, "With the technology provided by Outpost24, we are now able to secure and protect not only confidential e-mails and other sensitive information like we do with our Information Rights Management solutions, but are pleased to now be able to protect our customer's organizational centerpiece - 'the network'. Both from the inside, as well as the outside. Outpost24's Vulnerability Management solutions are an excellent complement to our current Information Rights, Security and GRC solutions."



Tuesday Oct 06, 2009

Oracle IRM contexts, a smart way to implement your corporate classification policies

A central concept of the Oracle IRM solution is the security context. So what are contexts and how do they help you protect sensitive information in a secure, usable, and manageable way? In the Oracle IRM solution, a context represents a set of related information and the rights of users to work with that information. For example, a typical enterprise might use the following contexts to manage the rights to access and work with some of its most sensitive information:

Oracle IRM contexts examples

To protect a sensitive document from unauthorized access and modification, all you need to do is seal it to the relevant context. Once sealed, the document is protected by the rights defined for the context.

Choosing an Oracle IRM context

For example, sealing the board minutes to the sensitive board communication context, as shown above, might ensure that the minutes are accessible only to the board members and their personal assistants. To simplify the assignment of different rights to different users, each context contains roles such as Contributor, Reviewer, and Reader. A particular user might be a Contributor in sensitive board communication and a Reader in confidential engineering research.


Contexts and Security

Rather than allowing individual users to configure rights for individual documents, the Oracle IRM solution simply requires users to select the appropriate context for those documents, as shown for the board minutes above. Once sealed, all documents in a context are automatically subject to any future amendment to the rights - no matter who created the documents or how many copies have been distributed within and beyond the enterprise. Contexts ensure that rights management is not arbitrary. Users cannot simply invent new policy for particular documents or emails, so the enterprise retains overall control of information security and has a powerful mechanism for implementing any corporate classification policies.



Contexts and Usability

Any solution that is not easy to use is unlikely to provide the security that an enterprise is seeking. Rather than requiring users to consider in detail what rights are appropriate for particular documents, Oracle IRM simply requires users to seal documents to the appropriate context. Further, Oracle IRM controls the right to seal documents such that, for example, only board members and their personal assistants can create new documents in sensitive board communication. Thus, the enterprise can be confident that only authorized users contribute to each context. By creating contexts that relate very clearly to enterprise business processes and exposing users only to contexts that are relevant to their role, an enterprise can be confident that information will be protected appropriately because users can easily understand what is required of them and are not exposed to detailed choices that they might use inconsistently.



Contexts and Manageability

The simplicity of contexts and roles means that day-to-day rights management tasks are handled by the most appropriate business users. In many live deployments, the rights to board documents are managed by the PA of the CEO or Company Secretary, and doing so is as simple as assigning roles to users and groups.


By avoiding the need to manage and propagate the rights to thousands of individual documents, the solution can scale to meet the needs of even the largest enterprise. Finally, contexts enable policy changes to be applied at any time to thousands of documents - regardless of where those documents are. Rights can be assigned and unassigned as required without having to locate and modify each of the documents.


Standard Roles for Enterprise Rights Management

Finally, to help organizations to quickly deploy and create contexts the Oracle IRM solution provides a standardized set of roles that are ready to be assigned out-of-the-box - roles such as Contributor, Reviewer, and Reader.


Each role defines a set of rights that are appropriate to that role. For example, a Contributor has the right to create and edit sensitive documents, whereas a Reviewer can only edit existing documents and change tracking is enforced. These roles are then assigned to users for particular workflows and information classifications. Commonly these assignments are done by group membership inside your corporate user directory. Simply adding a user to one or more groups in, say, Active Directory would immediately give them access to thousands of documents secured against those classifications. Conversely, when they leave the organization and their account is deleted from Active Directory, all the documents they had copied to their USB device are now useless.

Where necessary, the standard roles can be tailored or extended, but Oracle has used the experience gained from numerous enterprise deployments to provide a set of roles that meet the needs of most clients. So what are the standard roles and what do they allow users to do?

Standard Roles Overview

Out-of-the-box, Oracle IRM provides five standard roles for controlling access to sensitive documents and email:



Contributors are the people who are authorized to create and edit documents in a particular context. They can open and search and print documents that are sealed to the context. Reviewers are authorized to edit sealed documents and email, but change tracking is enforced. They can also open and search and print sealed documents and email but are not authorized to create new sealed documents or email - they can only review or reply to documents and email created by Contributors. The Reader role allows opening, searching and printing of sealed documents but they cannot create or edit. The Reader (no print) is the same except they obviously have no rights to print.

Finally, Item Readers are authorized to open and search particular sealed documents. This allows people to be added to contexts which contain large amounts of protected information and yet only be able to open a few identified documents. This role is designed to be the exception to the rules defined by all the contexts on the system; otherwise managing lists of users' rights to specific documents quickly becomes unmanageable.

Oracle also recognizes the need to control access to these roles so that they are assigned appropriately. Oracle IRM therefore defines standardized administrative roles, the most significant being:


Context Owners are authorized to assign roles, and are typically the owners of confidential information and work flows. System Owners are authorized to create new contexts and make the initial assignment of the Context Owner role. Their involvement in a particular context might end soon after that initial assignment.
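The separation of rights from content described in the DRM/IRM article, and the context and role model described here, can be sketched as a small model. This is an added example, not Oracle IRM code or its API: `RightsServer`, `SealedDocument`, the right names, the `sales` context and the users are all hypothetical, and encryption, authentication and the offline rights cache are left out.

```python
from dataclasses import dataclass

# Rights per standard role, taken from the role descriptions above.
ROLE_RIGHTS = {
    "Contributor": {"seal", "edit", "open", "search", "print"},
    "Reviewer": {"edit_tracked", "open", "search", "print"},
    "Reader": {"open", "search", "print"},
    "Reader (no print)": {"open", "search"},
    "Item Reader": {"open", "search"},  # limited to named documents
}


@dataclass(frozen=True)
class SealedDocument:
    """A distributed copy: it names its context but carries no rights."""
    doc_id: str
    context: str


class RightsServer:
    """Hypothetical stand-in for the server-side rights store."""

    def __init__(self):
        self._roles = {}  # (context, user) -> (role, item doc ids)

    def assign(self, context, user, role, items=()):
        if role not in ROLE_RIGHTS:
            raise ValueError(f"unknown role: {role}")
        self._roles[(context, user)] = (role, frozenset(items))

    def unassign(self, context, user):
        self._roles.pop((context, user), None)

    def rights_for(self, user, doc):
        """Evaluate rights at open time; the default is no access."""
        entry = self._roles.get((doc.context, user))
        if entry is None:
            return frozenset()
        role, items = entry
        if role == "Item Reader" and doc.doc_id not in items:
            return frozenset()
        return frozenset(ROLE_RIGHTS[role])

    def seal(self, user, doc_id, context):
        """Only users whose role grants 'seal' may add to a context."""
        doc = SealedDocument(doc_id, context)
        if "seal" not in self.rights_for(user, doc):
            raise PermissionError(f"{user} may not seal to {context}")
        return doc


def demo():
    """Constructed scenario based on the sales example in the text."""
    server = RightsServer()
    server.assign("sales", "alice", "Contributor")
    server.assign("sales", "bob", "Reader (no print)")
    server.assign("sales", "carol", "Reader (no print)")
    server.assign("sales", "dave", "Item Reader", items={"price-list"})

    price_list = server.seal("alice", "price-list", "sales")
    forecast = server.seal("alice", "forecast", "sales")
    bobs_copy = price_list  # the copy bob keeps on a USB stick

    before = server.rights_for("bob", bobs_copy)
    server.unassign("sales", "bob")            # bob leaves the company
    server.assign("sales", "carol", "Reader")  # carol is promoted
    return {
        "bob_before": before,
        "bob_after": server.rights_for("bob", bobs_copy),
        "carol": server.rights_for("carol", price_list),
        "dave_listed": server.rights_for("dave", price_list),
        "dave_unlisted": server.rights_for("dave", forecast),
    }
```

Neither document is touched after sealing: every change in the scenario happens in the server-side assignments, which is why copies already distributed follow the new policy.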

If you want to learn more about Oracle IRM, please have a look at our simple online demo or contact us for a more in depth evaluation.

Wednesday Sep 16, 2009

Importance of hostnames for IRM production servers

During the installation phase of an IRM server for production use there are important prerequisite steps that must be performed to ensure the system works flawlessly. Making sure the firewall has rules to allow communication to and from the public internet to the IRM server, attaining access to the database and assigning IP addresses to the IRM server's public network interfaces are all key to allowing successful communication to the server from anywhere the sealed content may travel.

The most important of all these steps, and it cannot be stressed enough, is the registration and use of the fully qualified hostname for the IRM service itself. During the installation of the IRM server and the Management Website you are asked for some hostnames which are then inserted into every single piece of content you secure with IRM.


Fully qualified hostnames in use

When a user attempts to open a sealed document, the Oracle IRM Desktop first reads the unencrypted (but signed) header which contains a URL back to the server that secured the document. This URL typically looks like:


Oracle IRM 10g: seal://irm.domain.com:80
Oracle IRM 11g: https://irm.domain.com/irm_desktop

The desktop then attempts to connect to the server by resolving the hostname to an IP address and then making a connection to the server over a secured protocol. If communication is successful and the IRM Desktop can authenticate the user, any valid rights are then sent to the user allowing them to open the content. At the same time the URL for the IRM server is added to the sync list so that the IRM Desktop can transparently ensure these rights are updated on a schedule as defined by the same IRM server.

Therefore for every copy of every sealed document, every initial online access to that content, for every subsequent transparent sync, the hostname back to the server is referenced. If the client cannot resolve that address, it cannot give access to the document.

Of course if you have successfully synchronized rights and are offline, then you don't need to rely on this chain of events because your offline cache has the rights to content. But this usability feature doesn't detract from the importance of these hostnames.


Management Website hostname is just as important

What if you can't communicate to the IRM server? What if you can, but your credentials cannot be authenticated, or you don't have rights to the document you are trying to open? The IRM Desktop will then attempt to redirect you to the status page for the classification of the document you are opening. How does it know where this online status page is? Exactly... it is also sealed into the content and in Oracle IRM 10g it typically looks like;



Clicking on the above link takes you to an example of the sort of page you would see when the IRM Desktop fails to connect to the IRM Server.

Note that with Oracle IRM 11g the URL to the service for getting rights is also the same URL for the out of the box status pages, unless of course you design your own and override the defaults.



So during the planning and installation phase of your production IRM service, the choices and management around these hostnames are critical for long term success. The following are common scenarios for how these hostnames actually resolve back to the server.



  1. Hostname resolves to one address no matter where the request comes from. This address is the internet facing interface. So if you try to access content from the internet, or the corporate network, the traffic always goes via the public internet IP address.
  2. Hostname resolves to a different address depending on where the request was made. So for those on a public network, they resolve the hostname from a publicly visible DNS server to the publicly listening interface. A request made from the corporate network is resolved from a corporate DNS server to a different IP that is listening on the internal corporate network.
  3. Sometimes if the IRM server is protecting very sensitive information then access to it may be limited purely by a VPN or other tightly controlled network route. Therefore the hostname to the service can only be resolved from a specific set of name servers that are only accessed from a virtual network.


Sometimes you may use option 3 above for access to the IRM server, and yet have the Management Website publicly facing. Then when users get the "Cannot connect to IRM server" as in the above example, the web page can inform them they must be connected to the corporate VPN. This is a nice example of how Oracle IRM is both secure and yet easy to use for authorized end users.

No matter what method is employed to manage the resolution of the hostnames, the fact remains you must be diligent in managing the names such that they always resolve to the IRM service when users attempt to open sealed documents.
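A pre-deployment check for the hostname that will be sealed into content, covering the resolution scenarios listed above. This is an added example, not part of Oracle IRM: the function names are hypothetical, the DNS views are constructed tables with documentation and private addresses, and `system_resolver` is provided for running the same check against the real resolver from each network.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"seal", "https"}  # the 10g and 11g URL forms shown above


def parse_service_url(url):
    """Return (scheme, host, port) for a server URL sealed into content."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError(f"not an IRM service URL: {url!r}")
    return parts.scheme, parts.hostname.rstrip("."), parts.port


def hostname_findings(host):
    """Flag names that will not survive content leaving the local network."""
    try:
        ipaddress.ip_address(host)
        return [f"{host}: IP literal, not a registered hostname"]
    except ValueError:
        pass
    return [] if "." in host else [f"{host}: not fully qualified"]


def system_resolver(host):
    """Resolve with the local resolver (run from each network you test)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def check_service_url(url, views):
    """views maps a network name to (resolver, should_resolve)."""
    _, host, _ = parse_service_url(url)
    findings = hostname_findings(host)
    for name, (resolve, should_resolve) in views.items():
        resolved = bool(resolve(host))
        if should_resolve and not resolved:
            findings.append(f"{name}: {host} does not resolve")
        elif resolved and not should_resolve:
            findings.append(f"{name}: {host} resolves but should not")
    return findings


# Constructed DNS views (documentation/private addresses, not real data).
PUBLIC = {"irm.domain.com": ["203.0.113.10"]}
CORPORATE = {"irm.domain.com": ["10.0.0.10"], "irmserver": ["10.0.0.10"]}


def table(zone):
    """Build a resolver that answers from a fixed table."""
    return lambda host: zone.get(host, [])


def demo():
    split_horizon = {"public": (table(PUBLIC), True),
                     "corporate": (table(CORPORATE), True)}
    vpn_only = {"public": (table({}), False),
                "vpn": (table(CORPORATE), True)}
    return {
        "scenario2": check_service_url("seal://irm.domain.com:80", split_horizon),
        "scenario3": check_service_url("https://irm.domain.com/irm_desktop", vpn_only),
        "short_name": check_service_url("seal://irmserver:80", split_horizon),
    }
```

The `short_name` case shows the failure the article warns about: a server installed under an internal short name opens content on the corporate network and nowhere else.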

Tuesday Aug 25, 2009

Oracle IRM protecting sensitive content delivered from a web application


Oracle IRM using NT Authentication to control access to sealed documents

As part of the videos recently released on our new YouTube Channel we recorded a simple demonstration of how Oracle IRM can use NT Authentication to authorise users' access to sealed documents and how the IRM server can import user and group information from Microsoft Active Directory.


Oracle IRM demonstration - NT Authentication



Oracle IRM protects and tracks your sensitive information no matter where it goes. It combines business friendly encryption with role based usage rights and auditing.
