Screen Protection for IRM Protected Documents
By Martin Abrahams on Apr 10, 2011
Someone just posted a question to the IRM wall on facebook regarding screen protection. Here is some commentary on the subject based on a blog entry from way back in 2008.
Oracle IRM lets you define policy for screen grabbing as part of user roles. Users with the Screen Capture right assigned as part of their role will be able to take screen shots in the usual ways, but users without that right will find that IRM can mask out sensitive windows.
This immediately illustrates a difference between Oracle IRM and most other solutions, because most solutions attempt to completely disable screen grabbing whenever a protected file is open – even if minimised. To illustrate what I mean, here is a typical example of what you would see if taking a screen shot when there is a sealed document open on the screen and you do not have the Screen Capture right.
You can see that a portion of the screen has been protected, but the capture was not completely prevented. If we completely blocked screen capture, the user would be forced to close all protected documents before repeating their screen capture attempt. This might be pretty inconvenient and frustrating, for example, if the purpose of taking the screen shot is to insert it into the sealed doc you are currently editing, or you have several sealed docs open and you are not sure which is preventing the screen shot, so you need to close them all.
To be clear, we do not claim that Oracle IRM guards against all methods of screen capture – there are so many to consider, and in any case it is always possible to use a camera or to take notes with a pencil and paper if you are determined to copy the information. The fundamental control always remains the control on whether you can open the document in the first place.
Nevertheless, there is real value in the layer of screen protection we provide. Security is all about layers of protection, but nothing is 100% secure unless it is 100% unusable.
Our solution is also a very good way to remind an end user that content is protected, or to protect content that happens to be open when a user makes a legitimate attempt to take a screen shot of something else. On seeing the area that the IRM Desktop has masked out, the usual reaction is surprise that such protection is possible, and appreciation that the solution is only affecting the content that needs to be protected. Customers agree that this approach is a valuable way to remind user communities that they are dealing with sensitive information, and need to adjust their behaviour accordingly – but at the same time, the inconvenience is limited to the content that needs to be protected, so the solution is balancing protection and productivity.
As always with Oracle IRM, the right to screen capture is defined as part of a role, so it can be assigned to the right users for the right classifications of users as a matter of policy. One of the main reasons to assign the right is to enable authorised users to use sealed documents during web conferences. Web conferencing tools often work by taking a series of screen shots and passing them back and forth.