Friday Sep 24, 2010

Data loss prevention (DLP) solutions with document encryption

This week a new data sheet was approved which details the work done so far on integrating Oracle's industry-leading document security solution with the top DLP vendors. The content of the data sheet is below and available as a PDF at the end of the article.

Organizations face the ongoing challenge of protecting their most sensitive information from being leaked. Two of the most popular solutions used to address this problem are Data Loss Prevention and Enterprise Rights Management. This datasheet explains how these technologies are highly complementary and advises how they can most effectively be used together to provide a complete data leakage solution. It also describes the integrations today between Oracle Information Rights Management and the DLP products from Symantec, McAfee, InfoWatch and Sophos.


Data Loss Prevention

Data Loss Prevention (DLP) technologies aim to prevent leaks of sensitive information. They do so by discovering sensitive information at rest, and monitoring and blocking sensitive information in motion, using content-aware scanning technology. The discovery, monitoring and blocking DLP components run either on the network (servers reaching out to scan repositories or intercepting network information flows) or on endpoints (end user computers or laptops).



Information Rights Management

Information Rights Management (IRM) also aims to prevent leaks of sensitive information. It does so by encrypting and controlling access to sensitive documents (and emails) so that regardless of how many copies are made, or where they proliferate (email, web, backups, etc.), they remain persistently protected and tracked. Only authorised users can access IRM-encrypted documents, and authorised users can have their access revoked at any time (even to locally made copies).



Complementary Solutions to Similar Problems

DLP and IRM address very similar problems, but in different and complementary ways:

  • DLP is well suited to situations where an organisation doesn't know where its sensitive information is being stored or sent. Content-aware DLP can map the proliferation of this sensitive information and direct remedial efforts, such as tightening existing access controls using blocking, quarantining or encrypting.
  • Out-of-the-box DLP remedial actions often prove to be disruptive to business workflows. Sensitive information is required for collaboration with certain third parties; configuring DLP to permit only the desired collaboration whilst preventing other data loss proves to be almost impossible.
  • Also DLP provides decisions about content at a point in time, e.g. can this user email this research document to a partner? However, 6 months later the organization may sever ties with the partner at which point the DLP rule may change; but this doesn't affect all the information that has flowed to this partner over the past 6 months. DLP cannot retroactively block access to information that it has previously been allowed to pass beyond its control to third parties.
  • Thus DLP customers are looking for a technology to allow secure collaboration triggered by their DLP solution.
  • IRM is well suited to situations where an organisation has relatively well defined business processes involving sensitive information, e.g. sharing intellectual property with partners, financial reporting, M&A, etc. IRM-encrypting sensitive documents or emails ensures that all copies remain secured, regardless of their location.
  • IRM continues to work beyond the enterprise firewall or enterprise endpoints, so authorised end users on partner or home networks or endpoints can use IRM-encrypted documents without being able to make unencrypted copies. This access can be audited and revoked at any time, leaving previously authorised users with useless encrypted copies. IRM provides persistent protection, which means that you can revoke access to information at any time. One simple change in an IRM system can stop access to millions of documents shared with partners, customers or suppliers.
  • IRM protection requires any document to be encrypted. This can be manually actioned by an end user according to a corporate policy, but this reliance on a manual process may result in reduced uptake. To aid uptake and enforce policy, many organizations automate the process via integrations with content management systems and enterprise applications. However, many other sensitive documents that people collaborate on fall outside these perimeters.
  • Thus IRM customers are looking for a technology to detect sensitive data and trigger the IRM encryption process.

Integration Use Cases

From the above it should be clear that the combination of DLP and IRM will be more effective than either solution in isolation.

  1. DLP-discover and IRM-encrypt data at rest
    DLP is used to discover the proliferation of sensitive information (on endpoints and servers) and classify it in terms of its relative sensitivity. Sensitive classifications can then be IRM-encrypted to have persistent access rights in line with enterprise information security policy. For example DLP discovers a set of financial documents stored in a public file share and automatically protects them against an IRM classification that allows only the finance group to open the documents. The documents stay where they are, but IRM enforces the access controls.
  2. DLP-monitor and IRM-encrypt data in motion
    This time DLP monitoring is used to detect sensitive outbound information flows and to add IRM encryption as a remedial action for policy violations. For example, a user attempts to email a sensitive document to a supplier; DLP detects this and uses IRM to protect the document but allows the email to continue on to its destination.
  3. DLP discovery of IRM-encrypted information at rest
    It is important that DLP scanners be enabled to scan IRM-encrypted documents and emails. This can be shallow scans (which verify the document is IRM-encrypted and check the IRM classification) to enable controlled sharing of suitably IRM-encrypted documents, or deep scanning (which temporarily decrypts the IRM-encrypted content) to verify that documents are encrypted to the correct IRM classification.
  4. DLP monitoring of IRM-encrypted information in motion
    Shallow scanning of IRM-encrypted documents could be used to ease potentially disruptive DLP blocking of sensitive outbound content. Certain IRM classifications could be allowed outbound while others could be blocked. Deep scanning could be used to add in content-aware policies and ensure consistency between DLP and IRM policies.
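
The outbound decision described in use cases 2 and 4, sketched as an added example (this is not Oracle's or any DLP vendor's code). The classification names, content patterns, channel policy and the StubIrm class are all hypothetical stand-ins; as an assumption beyond the text, a newly sealed document is checked against the same per-channel rule as one that arrived already sealed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical DLP content rules, strictest first: (IRM classification, pattern).
CONTENT_RULES = [
    ("internal-only", re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")),     # SSN-like number
    ("finance-group", re.compile(rb"quarterly forecast", re.I)),
    ("partner-shared", re.compile(rb"design spec", re.I)),
]

# Hypothetical policy: which IRM classifications may leave on which channel.
OUTBOUND_ALLOWED = {
    "email": {"partner-shared"},
    "usb": {"partner-shared", "finance-group"},
}


@dataclass
class Document:
    name: str
    body: bytes                      # plaintext if unsealed, opaque if sealed
    irm_class: Optional[str] = None  # readable envelope field; None = not sealed


class StubIrm:
    """Stand-in for an IRM service. It performs no real encryption: it keeps the
    plaintext server-side and hands back an opaque body, which is enough to
    show what a shallow scan can and cannot see."""

    def __init__(self) -> None:
        self._vault: Dict[str, bytes] = {}

    def seal(self, doc: Document, irm_class: str) -> Document:
        self._vault[doc.name] = doc.body
        return Document(doc.name, b"<opaque sealed body>", irm_class)

    def plaintext_for_scan(self, doc: Document) -> bytes:
        # Deep scan: the scanner is temporarily given the decrypted content.
        return self._vault[doc.name]


def required_class(content: bytes) -> Optional[str]:
    """Content-aware scan: the strictest classification the content calls for."""
    for irm_class, pattern in CONTENT_RULES:
        if pattern.search(content):
            return irm_class
    return None


def decide(doc: Document, channel: str, irm: StubIrm,
           deep: bool = False) -> Tuple[str, Document]:
    """Return (action, document as it would leave)."""
    allowed = OUTBOUND_ALLOWED[channel]
    if doc.irm_class is None:
        needed = required_class(doc.body)
        if needed is None:
            return "allow", doc                      # nothing sensitive found
        sealed = irm.seal(doc, needed)               # remediate instead of block
        action = "seal_then_allow" if needed in allowed else "seal_then_block"
        return action, sealed
    if deep:
        # Verify the document is sealed to the classification its content needs.
        needed = required_class(irm.plaintext_for_scan(doc))
        if needed is not None and needed != doc.irm_class:
            return "block_misclassified", doc
    # Shallow scan: only the envelope's classification is consulted.
    return ("allow" if doc.irm_class in allowed else "block"), doc


def run_demo() -> Dict[str, str]:
    """Run constructed sample documents through the policy."""
    irm = StubIrm()
    spec = Document("spec.doc", b"Draft design spec for supplier review")
    memo = Document("lunch.txt", b"Team lunch is on Thursday")
    ssn = Document("hr.doc", b"Employee SSN 000-12-3456")       # constructed value
    fin = irm.seal(Document("q3.xls", b"Quarterly forecast"), "finance-group")
    bad = irm.seal(Document("hr2.doc", b"SSN 000-12-3456"), "partner-shared")
    return {
        "unsealed spec, email": decide(spec, "email", irm)[0],
        "benign memo, email": decide(memo, "email", irm)[0],
        "unsealed SSN, email": decide(ssn, "email", irm)[0],
        "sealed finance, email": decide(fin, "email", irm)[0],
        "sealed finance, usb": decide(fin, "usb", irm)[0],
        "mis-sealed SSN, shallow": decide(bad, "email", irm)[0],
        "mis-sealed SSN, deep": decide(bad, "email", irm, deep=True)[0],
    }


if __name__ == "__main__":
    for case, action in run_demo().items():
        print(f"{case:28s} -> {action}")
```

The last two cases show the trade-off between the scan depths: a shallow scan trusts the envelope and lets a wrongly classified document out, while a deep scan catches the mismatch at the cost of exposing decrypted content to the scanner.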

Integrating with DLP Vendors

Oracle has been requested by several customers and partners to integrate Oracle IRM with the leading DLP Vendors' solutions. Whilst all four of the above integration use cases are being scheduled on both Network and Endpoints, work has already been done today to support the following functionality.

Symantec DLP and Oracle IRM

Oracle and Symantec have collaborated to provide a solution that allows DLP to discover and automatically call IRM to encrypt data at rest. This results in sensitive documents being identified by DLP and then automatically encrypted with IRM. The encrypted files can then remain in their original location rather than being quarantined, but can only be opened by authorized users. The DLP product can also discover and monitor IRM-encrypted documents and then audit, quarantine or take no action depending on policy and context.

McAfee DLP and Oracle IRM

McAfee's Data Loss Prevention quickly delivers data security & actionable insight about the data at rest, in motion and in use across your organization. Protecting data requires comprehensive monitoring and controls from the USB drive to the firewall. The powerful combination of McAfee DLP and Oracle IRM automates the process of protecting your data, giving you confidence that policies are enforced consistently wherever your data needs to travel.

InfoWatch DLP and Oracle IRM

Oracle and InfoWatch have collaborated to provide a solution that controls information transferred via removable storage, optical media, web uploads and emails with attachments; as well as inspects contents of IRM-encrypted files and messages. The solution applies policies to prevent sensitive information leakage. A flexible policy can be configured to enforce IRM-encryption of sensitive emails. Digital fingerprinting of the IRM-encrypted content ensures that no parts or quotes of IRM-protected documents can leak outside the corporate network.

Sophos DLP and Oracle IRM

Oracle and Sophos have collaborated to provide a solution to control the transfer of IRM-encrypted information via removable storage, optical media, web uploads and email attachments. A policy can be configured to simply audit the transfer of IRM protected files or, if required, authorise the transfer of IRM protected files and block the transfer of non-IRM protected files.


And you can download the PDF version of this data sheet.

Friday Sep 03, 2010

Oracle IRM and Sophos DLP Integration

Continuing our theme on DLP and IRM, we've been working with leading DLP vendor Sophos to create integrations that bring IRM and DLP together. These integrations provide a richer set of security controls for protecting your most sensitive information, such as intellectual property, patient healthcare information (PHI) and financial data, as it flows around your enterprise networks and beyond. The video below demonstrates one of the integration use cases we are hearing a lot of customers ask for: the need to ensure that only IRM-protected documents can be copied onto USB devices and CDs, so that the organization has persistent control over its most valuable content.

John Stringer, product manager at Sophos, comments:

DLP can be used to identify IRM-protected documents, audit their transfer and - where appropriate - apply IRM classification based on document content. This complements traditional methods for applying IRM such as manual classification by employees. At Sophos we're really excited about working with a number of IRM vendors, such as Oracle, to achieve exactly this.

The ultimate goal over the coming months with these integrations is to use DLP to maintain the policy which defines what you classify as confidential or sensitive information. DLP then implements these policies when it is monitoring network traffic, searching across file repositories and watching the movement of information onto USB keys and other removable devices. When DLP finds unprotected information, instead of simply blocking it, it can apply an IRM policy inline with DLP to ensure that it becomes protected no matter where it ends up. Have a look at the video and feel free to contact us if you'd like to know more about what DLP and IRM can do together for you.


Friday Aug 20, 2010

Understanding the value of persistent document security with IRM and DLP

Great progress is being made here at integrating many DLP vendors with our information rights management (IRM) document security solution. Keep an eye out over the coming months for some sneak previews into this work. Our integration with Symantec DLP is also in the pipe for a vast increase in functionality as part of an integration with Oracle IRM 11g.

DLP and IRM together make a lot of sense. DLP is an excellent technology for watching systems and network perimeters to recognize content as sensitive so it can monitor/warn/block activities. For example, if you try to email a sensitive doc out of the business, DLP might block the email due to policy.

But DLP is an internal solution. No third party is going to let you monitor their networks and systems to protect anything that you send out, or that the third party is doing on your behalf. Especially with many looking to the cloud to store and manage content, does the cloud integrate with your DLP? Does the cloud provide the same level of security and integrate with your existing internal security technologies and policies? So, many DLP implementations involve monitoring the perimeter of your network trying to prevent things leaving, or monitoring your USB ports trying to prevent you from copying information to USB memory. Your USB port is an example of many different "perimeters" that DLP needs to monitor if it can.

IRM on the other hand protects information more directly. You seal a document and it is encrypted. You can send sealed documents to external parties - or allow third parties to create sealed content because they are working for you - but policy and audit still apply. The solution can be used in third party networks because the IRM solution only monitors/controls sealed documents - it does not monitor the third party's networks or systems or intervene in third party processes that have nothing to do with you.

Recent interest from both customers as well as partners and vendors has sparked a lot of discussion within the walls of Oracle and one of our expert IRM consultants came up with a great way to explain the abilities of these two technologies and how they work well together. I thought I'd share his analogy here:


  • DLP is like a police force. It watches as many things as it can for breaches of policy and intervenes in some way when it can. It needs to monitor all the channels that you identify as a potential risk, and its effectiveness stops at your border. You need constant adjustment to be confident that you are catching everything you should catch, and the trick is defining a comprehensive set of policies without making everyone feel that they are living in a police state. In practice, this might mean that you define very simple policies and warn rather than block. Once a document has left your borders, you have no further control and no means of revoking access.

  • IRM is more like a bodyguard. It goes wherever the sensitive assets go - even if they go beyond your border - but it takes no interest in anything that is not sealed. It applies policy consistently even if policy changes over time - so you can revoke access to external copies long after sending them. However, it only protects the assets it is assigned to protect, so the trick is using business process or automation to ensure that all sensitive assets are sealed. The automation could be managed by DLP.


Wednesday Jan 06, 2010

Solving the data loss prevention (DLP) puzzle and using IRM for encryption

An interesting strategy guide was published recently from InfoWorld. Titled "Strategies for endpoint security", it addresses concerns and challenges businesses have regarding the protection of endpoints, namely laptops and desktop computers.

One section of the guide which caught my eye was "Five technologies that will help solve the DLP puzzle." The article discusses the following areas where "before embarking on a data loss prevention program, enterprises must first determine the essential technical ingredients."

The first subject tackled is that of classifying information in the first place. DLP's most valuable functionality is the ability to monitor many points in the enterprise and detect the storage or movement of documents, emails and websites that contain sensitive or classified data. However, one problem with DLP is how to configure it to reflect a well designed and understood information classification policy. William Pfeifer states that "You cannot protect everything. Therefore methodology, technology, policy and training is involved in this stage to isolate the asset (or assets) that one is protecting and then making that asset the focus of the protection." Nick Selby, former research director for enterprise security at The 451 Group and CEO/co-founder of Cambridge Infosec Associates, then goes on to say the key is to develop a data classification system that has a fighting chance of working. To that end, lumping data into too few or too many buckets is a recipe for failure. "The magic number tends to be three or four buckets--public, internal use only, classified, and so on," he says.

So the recommendation is that DLP should be configured with a simple and easy to understand set of classifications. Keeping things simple in the complex world of security dramatically reduces the chance of human error and increases usability. Oracle IRM is a technology that has had this message designed within its core from day one; it has a very powerful and yet simple to configure and deploy classification system. This is what makes the union of IRM and DLP such a compelling story when it comes to a comprehensive data loss prevention solution that can actually be deployed and used at an enterprise scale.

The second subject approached in the article is encryption. It's worth repeating the full statement here...

"This is a tricky one [encryption], as some security pros will tell you encryption does not equal DLP. And that's true to a point. As former Gartner analyst and Securosis founder Rich Mogull puts it, encryption is often sold as a DLP product, but it doesn't do the entire job by itself. Those polled don't disagree with that statement. But they do believe encryption is a necessary part of DLP. "The only thing [encryption doesn't cover] is taking screen shots and printing them out or smuggling them out on a thumb drive. Not sure I have a solution to that one."

No worries Rich, Oracle and Symantec have exactly the solution you are looking for. DLP detects that a document or email contains sensitive information and IRM encrypts and secures it. IRM not only encrypts the content, but it can limit the ability to take screenshots, stop printing, manage who can edit the content, who can see formulae in Excel spreadsheets, even allow for users to search across hard disks and content systems for information inside encrypted documents to which they have legitimate access...

The article continues, "Stiennon says that while all encryption vendors are not DLP vendors, applying encryption is a critical component to DLP. "It could be as simple as enforcing a policy," he says. "When you see spreadsheets as attachments, encrypt them."

Or more specifically, when you see any sensitive document or email, seal them with Oracle IRM! For more information on how IRM and DLP technologies can work together, have a read of this.

Monday Dec 21, 2009

IRM for CRM - Protection and Auditing for CRM Reports

In a recent article on ComputerWorld, David Taber highlighted the need to "prevent key CRM data from walking out the door", observing that "Your employees not only have access to a significant amount of data, but also know what the data means and how to separate the marginal from the important." and that "Given the number of layoffs and the turnover of sales reps these days, the risk has grown."

David goes on to comment "If a user is allowed to run any reports, they can typically run almost all of them and export the results to a CSV file." - which they may then print or distribute as they choose. There are tools that can block the usage of CSV files, but actually you want to target just the ones that pose a risk.

Amongst the recommendations made to mitigate the resultant risk, it is proposed that an organization should "dramatically limit" the use of mass import/export tools.

The problem with this recommendation, and with the suggestion that you might block the creation of CSV files, is that while seeking to reduce risk it also reduces the usefulness of the CRM system to its users. The data export function exists to help employees make use of CRM data - to get their jobs done. The tension between security and usability is clear.

Within Oracle, we use IRM to address exactly this issue by sealing CSV files as they are created by the export function. This allows the employee to run whatever reports they need as usual, but protects the data automatically. This approach has no impact on any other uses of the CSV format - the protection is targeted on the files that constitute a risk.

The export files are sealed to a classification that allows them to be shared with other Oracle employees, but guards against accidental or malicious exposure to 3rd parties. As and when the employees leave the company, their rights are automatically revoked. Simple.

Sealing also addresses another concern raised in the article - the creation and usage of the export data is fully audited.



Wednesday Nov 04, 2009

Oracle IRM and the evolution of "information-centric" security

Whilst responding to an RFI I needed to describe how information rights management was positioned against many other types of technologies that use encryption to protect documents and emails. I thought it would make sense to write up the response on the blog. The diagram below really highlights how information rights management is at the leading edge of using cryptographic technologies to protect your confidential information.

[Diagram: Oracle IRM, evolution of information-centric security]

Information security is a crowded and confusing marketplace. Many security solutions are really infrastructure security, because they secure IT infrastructure and users from information (for example anti-virus, anti-spam, intrusion detection). Some information security solutions only attempt to secure information from external attack (for example firewalls).

This diagram above illustrates the evolution of "information-centric" solutions that, by securing information directly, attempt to secure information from accidental or deliberate leakage by internal and external users. This diagram is not entirely even-handed in that it does not show the benefits of earlier solutions, just their critical shortcomings - but the idea is to show how IRM for the first time sufficiently solves these limitations to be the first truly enterprise-viable "information centric" solution.

Information-centric security started with products like PGP, which used public key infrastructure (PKI) encryption to encrypt information, and provided document and email encryption products. Products like PGP have two killer shortcomings. Firstly they ask busy non-technical business people to understand and personally manage the principles of PKI cryptography - pass phrases, public keys, private keys, digital signing, encryption, decryption, public key rings, certificates, etc. And then, after jumping through all these PKI hoops, the PGP-like technologies still just pass the decrypted information off into the clear (decrypted) to the document and email applications, from which they can easily and untraceably be redistributed - there is no post-delivery protection or tracking. Invasive to user workflows and with dubious benefits (most leaks are made, accidentally or deliberately, by end users - not by eavesdropping on networks) these solutions have over a long period gained minimal traction. Many people have briefly played with PGP, or something like it, but it is rare to meet someone who still does.

"In-delivery" secure email products built on the encryption capabilities of PGP-like products, in an email context. As organizations began to see email as their leading vector for information leakage (deliberate or accidental - how often have you sent a confidential email to the wrong user?) they sought solutions for securing email. Almost all of these solutions operate by intercepting outbound emails, and for those marked or scanned as being confidential, they place them on an SSL-protected web site and send on a replacement email with a link back to the original email on the SSL-protected web site. When the users follow the link to collect the email they are typically required to authenticate and the original email is then obtained over a secure SSL connection. So the shortcomings of these solutions are clear - again they provide no post-delivery security (authorized users can still save out in the clear and forward), they only defend against eavesdropping (which is a much less common threat than redistribution) and they are ultimately email-only point solutions. While email remains the leading means of sharing information, there is also a huge amount of sharing via file shares, web, USB devices, etc.

The next major evolution of "information centric" security, which is currently generating significant interest, is gateway- or desktop-based filtering/monitoring. These technologies install software agents into gateways (such as email servers or web servers) or desktops that monitor outbound information flows, and scan the outbound emails, attachments and web pages for confidential information (such as social security numbers). It remains to be seen how effective these solutions are in practice, because they tend to be primarily passive (they are often detuned to prevent them blocking outbound information flows as a result of false positives) and act more as a deterrent; because they must monitor a bewildering number of perimeters in a modern network to be effective; and must sift through a staggering amount of legitimate traffic looking for a hopefully small amount of illegitimate traffic. But the fundamental shortcoming of these filtering/monitoring solutions is that they are effectively enterprise spyware: spying on internal information flows. Unfortunately most sensitive business processes involve sharing confidential information with external parties, and they are never going to allow your organization to spy on their networks to protect your information. So it would seem absurdly incomplete to spy on your own employees and then send the same confidential information unprotected and untracked into the networks of your partners, customers and suppliers.

Nevertheless there are considerable synergies between monitoring/filtering technologies and IRM - to help automate the sealing/classification of information. This is seen in the recent integrations between both DLP vendors and IRM vendors.

Oracle Information Rights Management (IRM) is very much an evolution from all these earlier technologies. It uses the PKI encryption from PGP-style products, but hides all the complexity from end users. It uses the close integration with leading email clients of secure email. It shares the same desktop agent and policy server profile of desktop filtering, but is only active in the context of sealed/classified information. But unlike preceding solutions Oracle IRM provides pro-active, post-delivery protection and tracking; works just as well outside the firewall as inside; has a classification-based rights model that completely hides all the complexity of encryption and makes policy management straightforward; and secures documents, emails and web pages regardless of how they are shared - so Oracle IRM is a significantly more complete solution.

Tuesday Oct 27, 2009

Oracle IRM and Symantec DLP version 10 integration announced


This morning Symantec announced the latest incarnation of their data loss prevention (DLP) technology, version 10. DLP technologies allow organizations to do discovery and monitoring of enterprise perimeters to detect the flow of sensitive information. When DLP detects something that is deemed confidential it can take some action upon it; typically this is in the form of blocking the information from continuing to be transmitted. However, combining DLP with IRM means you don't have to restrict the end user by blocking their attempts to collaborate. Instead, encrypt and protect the document or email so that it can be shared. IRM ensures only authorized users have access and provides advanced security controls such as revocation to the information, even after it has left the control of your enterprise networks.

We've been working with Symantec over the past month to build an integration between Oracle IRM and DLP creating the most powerful security solution of any IRM and DLP combination. Oracle IRM is the leading rights management solution for enterprise-scale document and email security. Combining these features with Symantec's leading DLP solution means customers can now have rich monitoring and detection capabilities. Instead of blocking attempts to share valuable data, this solution allows it to happen securely. We first demonstrated this capability at Oracle Open World and if you were not able to attend, we've uploaded some video demonstrations to our YouTube channel.

If you want to learn more about using Oracle IRM and DLP together contact us.



Tuesday Oct 13, 2009

Oracle IRM at Open World 2009

Wow, a busy two days at Oracle Open World. All the IRM team are around the demoGrounds booth W105 in Moscone West helping customers and the public learn about Oracle IRM working with the wide range of Oracle applications, content solutions, portals and of course security technologies.

[Photo: Martin Lambert, Andy Peet, Ryan Carroll at Oracle Open World]

From left to right, Ryan Carroll - VP IRM development, Andy Peet - IRM product manager, Martin Lambert - IRM founder and Oracle CTO

Unfortunately James Wallace-Hadrill, one of our European consultants, was unable to make the conference due to a last minute customer engagement. Therefore his IRM presentation slot has fallen to myself (which I'm still working on at 10pm) and you can join me at 1:30pm on Thursday in Moscone South, room 304. If you don't get the chance to be there due to travel arrangements, no worries, I'll be recording all the presentation and demonstration material and putting it on our YouTube channel later in the week.

So if you are at Open World, come by W105 and say hi, we've got some very cool technology we can show you.

Wednesday Jul 15, 2009

Twittergate? Twitter employee hacked and loses hundreds of documents


News broke this month about the hacking of Twitter CEO Evan Williams's email account. His wife and two other Twitter employees also had email accounts hacked. As a result the hacker, French in origin, was able to access numerous documents containing information about a reality TV show involving Twitter, financial forecast documents (although they claim no longer current), wage information, credit card details and many others. He then offered these documents to different sources one of which was TechCrunch, a well respected Silicon Valley site. They made the brave choice to publish these documents and have caused widespread debate with many calling the incident Twittergate.

This obviously raises the issue of the documents' security. The Wall Street Journal comments that, "Bloggers and tech experts are debating not only the ethics of airing the files, but also how the hacker got the information. Was it Google's password-recovery system? "That would mean this isn't a 'cloud' privacy issue," wrote GigaOm's Om Malik. "Rather it would be an issue of companies using poor authentication and password protocols to secure their data."

In Mr. Williams's blog post about the issue he wrote that "It was a good lesson for us that we are being targeted because we work for Twitter. We have taken extra steps to increase our security, but we know we can never be entirely comfortable with what we share via email."

This incident raises the issue about storing sensitive information in the cloud. A few months ago Google accidentally exposed access to their online document services. Although this recent incident was in no way a result of problems with Google security, it does highlight that putting your important documents in the hands of others and using poor security to protect your own information systems is asking for trouble.

The BBC News website commented that "Many in the technology industry said this latest episode points to the potent reminder of how much information is stored in the cloud and the vulnerability or otherwise of that data."

With people storing sensitive documents out in the cloud networks, it is even more important that any security affects the document itself, not the place of storage. It isn't good enough to rely on the security implemented by others such as Google; mistakes happen and leaks occur. Oracle IRM can provide this persistent security by securing the document itself, so no matter where you store it or where it is stolen from, your ability to control access to the information remains wherever that document resides! Hmm, I think I'll just go and tweet this...

Challenges with the classification of content, or, "data labels suck"!

A mildly heated debate has arisen regarding whether the classification of content/data (and the use of labels) for security purposes is worth the effort. On one side of the discussion is the position that trying to manually classify and label both content and data is time consuming, prone to error and quickly results in out of date classifications/labels. The opposing opinion is that whilst in theory there are problems, in the real world you need to apply some level of classification/labeling manually and it isn't as hard as you think if you keep things simple.

Simple... this reminds me of a key phrase that was drilled into me from day one when working on IRM. Simplicity is the key to effective security. Of course in reality implementing enterprise security is never simple, but the goal should always be to achieve the simplest solution possible. Humans are simple creatures, and the more complex a solution, the more the risk.

Anyway, back on topic. One difference being discussed is between the definition of information classification, e.g. what is the definition of top secret, and the mechanisms for applying the classification, "top secret", to data and documents. The crux of the dispute is that relying on manual application of the "top secret" classification doesn't work. The reasons being:

  1. By the time you manually classify something, it's something (or someplace) else.
  2. Labels aren't necessarily accurate.
  3. Labels don't change as the data changes.
  4. Labels don't reflect changing value in different business contexts.
  5. Labels rarely transfer with data as it moves into different formats.

Technologies such as DLP can however provide some clever real time capabilities for identifying important information, yet often the methods of protection are invasive and limiting. For example you might want to copy an important document to your USB flash drive and the DLP technology stops you. This means frustration on the user's part, and trying to place restrictions on every possible end point can be complex and expensive.

I spoke with Andy Peet, Oracle IRM product manager, who had the following to say on this topic.

"I don’t think that there is any disagreement that sensitive data needs to be classified. The problem faced by security products such as DLP and IRM is that it is easiest for these solutions to label a document with information about its classification. However data classification is a dynamic process: a highly restricted document today may become a public document in a few days' time (for example quarterly financial results). So if a document is permanently labelled with a fixed classification then it cannot evolve with the data that it contains."

I've seen and dealt with this sort of discussion at most of our customers. Oracle IRM provides the ability to create classifications, define roles within them (e.g. can someone edit and print a document?), assign those roles to users and then apply the classification to a document. But customers often ask:

  • What if someone doesn't apply the classification at all in the first place, we have no security!
  • What if someone applies the wrong classification (secures a top secret document to the public classification), this is even worse than no security, the technology is now actively allowing the document to be accessed by the wrong people.
  • What happens if my document changes classification? Or if someone joins the company after the point where the content was secured, how do I enable access?


Here is how we have often addressed these issues with Oracle IRM. IRM doesn't solve all the problems, but it does provide a simple and powerful mechanism for addressing a high percentage of them. Remember, good security is defense in depth. IRM and DLP combined also create a compelling set of solutions, and we are working with the leading DLP companies to have integrations between the technologies.


What if someone doesn't apply the classification at all in the first place, we have no security!

A very common question. IRM doesn't enforce the creation of sealed content for all documents; users have to actively make the decision to classify and then secure the document... or do they? We've been developing IRM for over 10 years and therefore we've had plenty of time to create solutions for this problem. The best way to address this concern is to remove the choice from the end user: simply apply the classification in a way that makes sense from the start. How?



Using sealed Office templates

With Oracle IRM you can seal Word, Excel and PowerPoint templates. Users then use existing work flows for creating documents from templates and therefore the classification choice is removed, it is instead predefined. From the first instance of the document, it is always sealed and protected. But what if the document already exists? Or if the user didn't choose to start from a template?



Protecting the content storage location

We've done many integrations with the location where content gets stored. We have an integration with our own Oracle content server which allows documents to be automatically classified and sealed upon checkin, and we've had customers do integrations with Documentum and Microsoft SharePoint. Again here the user is unaware of making the classification decision, the system automates the protection. We also have a tool called "Hot Folders" which allows for content to be secured when it is stored on a file system, either locally or a network file share. But what if a user stores the content in a location that doesn't have an IRM agent actively classifying and protecting the content?



Integrating with DLP technologies

Another line of defense is to leverage the powerful content scanning and identification functionality offered from DLP. If the user attempts to store that sensitive financial report onto their local USB flash drive, instead of preventing them from performing the copy, simply have DLP call to IRM to encrypt it. The user gets to move the content, securely, because IRM secures access to the content no matter where it resides, and they are still unaware that a decision to classify the content has been made.


In summary IRM, integrated with the storage locations and DLP, provides a much richer solution to classifying and securing content.


What if someone applies the wrong classification (secures a top secret document to the public classification), this is even worse than no security, the technology is now actively allowing the document to be accessed by the wrong people.

This is a tough one. Any technology that provides the user with a choice to secure a document is prone to poor decision making. Consider a network file share, one called "financial reports" which contains sensitive financial documents and has a very limited access control list and one called "financial documents" which has public documents for redistribution and access by a wide number of users. It doesn't take much for a user to drop a document into the wrong location. The same is true with IRM, someone could choose the wrong classification and allow the wrong set of users to potentially have access. Remember IRM is part of a total security solution, so just applying the wrong classification doesn't mean unauthorised users get access, only that they have the potential, they must first get their hands on the document. But this can happen...



Real time auditing with Oracle IRM

IRM may not be able to stop mis-classification, but it can provide audit reporting of both the securing of content and access. IRM audit logs contain information about the file, who is accessing/securing it, from what IP address (both local and firewall) plus other data. This can be combined with other technologies such as DLP, Governance, Risk, and Compliance (GRC) tools and Business Activity Monitoring (BAM).


Obviously there is still risk involved, but at least with IRM you now have the ability to view every single access to your sensitive information. Again, DLP here plays a good role in being able to identify information that isn't just unclassified, but has been misclassified.


What happens if my document changes classification? Or if someone joins the company after the point where the content was secured, how do I enable access?

This is a question at the heart of the dispute. Information changes and therefore so does its classification. Consider the following:

  • You have an email open and enter employee details such as address and social security number.
  • You are working on a spreadsheet about a 35nm technology and enter details about a 22nm technology you are working on.
  • You edit a financial document and remove information pertaining to quarterly financial results.


All three scenarios mean the classification of the document or email changes. Use case one is a document that requires classification, use case two is a change in classification and the third is actually content being declassified. I have spent a lot of time with customers who deal with export control and foreign national compliance regulations which dictate who should have access to what information, often based on the type of technology. For example the US government may decide that the point at which compliance controls take effect moves from 35nm to 22nm and therefore all documents classified as 35nm change classification from controlled to non-controlled. The subject matter of the document doesn't change, but the classification has.


Separation of rights from the content.

There are different scenarios which breed different methods for addressing this problem. They typically depend on the model used for classification, but fall into two main areas. One is where the classification applied reflects the document's content, i.e. in the above example the classification would be "35nm technology", and the other is where the classification is directly mapped to the document, i.e. "L1 Top Secret technology documents".


Now we come to one of the most important aspects of Oracle IRM: the separation of rights from content. This allows for dynamic changes to be made to rights on the server, and this affects all content associated with those rights. In the above example, imagine:


  • 1000 documents classified as "35nm technology - chip designs".
  • 1 group on the IRM server called "3E001 Chip designs - top secret"
  • The above group assigned a "Contributor" role which allows the engineers to create, edit, print the document.
  • 500 engineers who are a member of the above group


The 3E001 is an example of an ECCN number. Let's say that this set of documents is no longer covered by this control and therefore all the 1000 documents are reclassified. With Oracle IRM this is easily handled by reassigning another group, let's say "Declassified information - top secret", which contains a wider variety of users within the company that can now access this information BUT it still remains classified as top secret to the organization. Because this change is made on the server, the next time someone tries to access a secured document the new rights are issued, and it all happens dynamically!

Making this even simpler to manage is the fact you can tie in these rights assignments with identity management technologies such as role management and identity managers.
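The scenario above, as an added Python model that is not Oracle IRM code or its API: `RightsServer`, `SealedDocument`, `request_access` and the action names are hypothetical, the users and documents are constructed, and giving the wider group the "Contributor" role is an assumption. Only the group, role and classification names come from the text.

```python
from dataclasses import dataclass, field

# Rights granted by each role. "Contributor" is the role named in the article;
# mapping "create, edit, print" onto these action strings is an assumption.
ROLE_RIGHTS = {"Contributor": frozenset({"open", "edit", "print"})}

OLD_GROUP = "3E001 Chip designs - top secret"
NEW_GROUP = "Declassified information - top secret"
CLASSIFICATION = "35nm technology - chip designs"


@dataclass(frozen=True)
class SealedDocument:
    """A sealed file: it carries its classification, never a user list."""
    doc_id: str
    classification: str


@dataclass
class RightsServer:
    """Hypothetical server that holds every rights decision."""
    groups: dict = field(default_factory=dict)       # group -> set of users
    assignments: dict = field(default_factory=dict)  # classification -> {group: role}
    audit: list = field(default_factory=list)        # (user, doc_id, action, granted)

    def rights_for(self, user, classification):
        rights = set()
        for group, role in self.assignments.get(classification, {}).items():
            if user in self.groups.get(group, set()):
                rights |= ROLE_RIGHTS[role]
        return rights

    def request_access(self, user, doc, action):
        """Evaluated on every open, so server-side changes apply at once."""
        granted = action in self.rights_for(user, doc.classification)
        self.audit.append((user, doc.doc_id, action, granted))
        return granted


def reclassification_demo():
    """Constructed data: 1000 documents, 500 engineers, 200 other staff."""
    engineers = {f"eng{i:03d}" for i in range(500)}
    staff = {f"staff{i:03d}" for i in range(200)}
    docs = tuple(SealedDocument(f"doc{i:04d}", CLASSIFICATION) for i in range(1000))
    server = RightsServer(
        groups={OLD_GROUP: set(engineers), NEW_GROUP: engineers | staff},
        assignments={CLASSIFICATION: {OLD_GROUP: "Contributor"}},
    )
    result = {
        "engineer_edit_before": server.request_access("eng001", docs[0], "edit"),
        "staff_open_before": server.request_access("staff001", docs[0], "open"),
    }
    # Export control lifted: swap the group on the server. No file is touched.
    server.assignments[CLASSIFICATION] = {NEW_GROUP: "Contributor"}
    result["staff_docs_openable_after"] = sum(
        server.request_access("staff001", d, "open") for d in docs)
    # An engineer leaves: removing the account from the groups revokes access
    # to every copy, including ones already saved locally.
    for members in server.groups.values():
        members.discard("eng001")
    result["leaver_open_after"] = server.request_access("eng001", docs[0], "open")
    result["docs_unchanged"] = all(d.classification == CLASSIFICATION for d in docs)
    result["audit_entries"] = len(server.audit)
    return result


if __name__ == "__main__":
    for key, value in reclassification_demo().items():
        print(f"{key}: {value}")
```

Every request, granted or denied, lands in the audit list, which is the same record a reviewer would use to spot access under a wrongly applied classification.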


Oracle IRM allows the resealing, or reclassification of content.

Another example, depending on the classification model, is the ability to reclassify the documents themselves. Let's say that in the above example we had a document classified as "35nm technology - chip designs" and the document actually had some new content inserted which contained details on a 22nm technology. This document now needs to be reclassified. Oracle IRM allows you to re-encrypt the document from "35nm technology - chip designs" to "22nm technology - chip designs". This can either be done by the end user or en masse automatically. It could be a change to metadata in the content repository, and all documents get reclassified automatically.



Oracle IRM 11g brings even more dynamic possibilities

Now there are still some limitations here: documents still have some sort of descriptive classification that needs to be managed and is relatively static. The next release of Oracle IRM makes another big leap in this area. I'll let the words of Andy Peet explain.


"The next generation of IRM will see truly dynamic classifications; where a document is categorized by its content and not according to a security classification in place when the document was created. This enables the classification to evolve as the content enters different stages of its lifecycle. Take the simple example of document workflow: a set of marketing collateral for an exciting new campaign is being collaborated on (highly restricted), then the collateral is sent off for wider internal review (company confidential), after review the collateral is shared with trusted external partners (restricted) and eventually at the launch of the campaign the collateral is revealed to consumers (public). This demonstrates how the same content has its classification dynamically changing; it is exactly these processes that Oracle IRM will be supporting in future releases as the technology evolves to match the business requirements."

So yes, there is a huge challenge in trying to apply a classification model to information. In theory it would be fantastic if it was possible to have security always use dynamic classification but in reality this isn't available yet with current technologies. Oracle IRM is close and by far the leading IRM technology which has a lot of the required capabilities. From its creation it has separated the rights from the information which is crucial to an effective, large scale enterprise rights solution.

We see in the real world that IRM is applied at a high level and in simple scenarios, for instance ensuring all sensitive content about a large acquisition is protected, or a corporate wide classification as a catch all for sensitive data. Our experience is that simplicity is key, and we are often advising customers to make compromises between the complex regulatory controls and complex inter-enterprise security requirements, and to apply IRM with large scale simple classifications.

Tuesday Feb 24, 2009

Laid off workers stealing company data


More news articles published this week are raising awareness of risks involved with sensitive information leaving your organization when employees are laid off. Another research study from the Ponemon Institute, in conjunction with Symantec, surveyed 945 adults in the United States who were laid off, fired or changed jobs in the last 12 months. It found 59% of employees who leave or are asked to leave are stealing company data, such as contact lists, employee records, financial reports, confidential business documents and software tools.

Kevin Rowney from Symantec told the BBC that, "The intellectual property of a company can represent the crown jewels and are almost worth more than the building. This is the core asset of a company and any breach or loss can be very expensive... The industry has concentrated on the protection of the containers where the data is stored like firewalls, access, controls and end point security systems... The end result is that most security teams are protecting the containers not the data itself. And that is a core flaw in the security methodology of many practitioners today,"

Symantec's sponsorship obviously highlights their DLP solutions, which allow for the detection and control of information as it flows across devices such as firewalls and network file servers onto desktop and laptop computers, and ultimately onto removable USB devices.

Without question I'm going to state that IRM is a perfect complement to DLP to provide a robust solution for protecting, controlling and reporting on the use of sensitive content. DLP has its limitations and IRM fills those holes. Combine this with the total set of security technologies from Oracle and a smart company could ensure the recent increase in risk is reduced and controlled for a fraction of the cost of the repercussions of losing all this data.

Another comment I found interesting was, "It is not enough that I will be laid off, that I will have to sell my home and possessions at a loss - I am now considered a 'thief' for 'stealing' (ie taking work home with me) intellectual property. Why is the worker blamed for everything that goes wrong with a company?"

Oracle IRM has positive solutions for both problems. It first provides an organization with the ability to have absolute control over documents, not only by limiting who can print (and therefore steal paper copies) but also by removing access to content when an employee no longer works for the organization.

Secondly it can actually help the employee... Oracle IRM allows for a balance of usability and security that allows people to use sensitive content on the move and from home locations. Leaving a company and knowing they are responsible for removing your access rights frees the ex-employee from all responsibility. If the organization is able to revoke all rights to content, then the end user no longer feels under the spotlight when they leave.

Wednesday Feb 11, 2009

UK citizens' private information being lost at record rate

Tis not a good time to be a UK citizen right now, "your personal information of UK citizens is being lost and stolen at an unprecedented rate", the UK’s privacy watchdog said today. However, if you happen to be one of the private companies that have lost this data you are currently safe in the knowledge that you're not going to be investigated.

The Information Commissioner’s Office (ICO) in the UK has been reported saying that "Data breaches jumped by 36 per cent last year, the ICO said. Personal information is now lost - on average - more than once a day."

This is just shocking news, but worse is that the ICO is unable to investigate any breaches if they are within the realm of the private sector. Richard Thomas, the Information Commissioner himself states, "For more than 20 years, my office has not had the power to carry out any inspection without the consent of the organisation concerned. In the six and a half years that I have been commissioner, I have strenuously argued that that is not acceptable. One would not expect a food inspector to have to get the restaurant’s consent before carrying out an inspection."

The government is making changes but this only applies to central and local government departments, private companies will still be exempt from investigation. Surely this must change, how can the ICO ask companies to sign its Personal Information Promise and not be given the power to investigate those who break this trust? Crazy...

Tuesday Feb 03, 2009

ROI for IRM? Businesses risk $1 trillion losses from data theft

Understanding the return of investment for a new technology deployment in the current economic climate is vital to allowing the business to extend security abilities whilst being confident it makes financial sense to do so. So a study recently released by McAfee Inc (also reported here) during the World Economic Forum in Davos, Switzerland is quite timely in outlining the risks that companies take when they choose not to adequately secure their most sensitive data.

The study states that: "Researchers from Purdue University’s Center for Education and Research in Information Assurance and Security examined responses from more than 800 CIOs in the United States, the United Kingdom, Germany, Japan, China, India, Brazil and Dubai. The research examined where vital information such as intellectual property originates, where it is stored globally, how it is transferred and lost. The companies surveyed estimated they lost a combined $4.6 billion worth of intellectual property last year alone, and spent approximately $600 million repairing damage from data breaches. Based on these numbers, McAfee projects that companies worldwide lost more than $1 trillion last year.

The increase in the availability and power of removable storage, such as mobile phones, laptops, and USB sticks, has made data loss or theft easier. And global supply chains mean that sensitive data is often stored abroad."

"Companies are grossly underestimating the loss, and value, of their intellectual property. Just like gold, diamonds or crude oil, intellectual property is a form of currency that is traded internationally, and can have serious economic impact if it is stolen."
Eugene Spafford, professor of computer science at Purdue University and executive director of CERIAS

Oracle IRM has been in use to protect intellectual property that needs to be distributed outside the traditional enterprise security perimeters for many years. Combine IRM with a technology such as DLP, and you'd have a very powerful and complete set of security tools that will ensure your information is secure no matter where it is. Oracle has many customers that have realized the value of ensuring their engineering, sales, board information is kept safe and that Oracle IRM was the right technology to deliver that functionality.

For full information from the report, you can request it from McAfee.

Friday Jan 30, 2009

Lost laptops plague health care organizations

2009 has not been kind to health care organizations. Already in the first month we have seen 2 incidents of lost/stolen laptops which contain patient information.

And then today in the news a report of the Department of Veterans Affairs announcing they have agreed to pay $20 million to current and former military personnel to settle a class action lawsuit on behalf of the men and women whose personal data was on a laptop computer stolen during a burglary. That is a big price to pay for the loss of one laptop and could have been avoided with the use of a technology such as Information Rights Management at a much smaller cost.


Tuesday Jan 27, 2009

Man finds US troop data on MP3 player

I am woefully behind on updating the blog this year. Things have been very busy and I have a stack of articles waiting to be edited and published. However this just broke in the news and I thought it was too important to delay. The BBC, ABC and others are just reporting a story about a New Zealand man, Chris Ogle, who has stumbled upon 60 US military files that were stored on a second hand MP3 player he bought at a secondhand store in Oklahoma. The data contained a wide variety of confidential and personal information including US social security numbers and even which female troops were pregnant!

Shocking news, and this is just one of an increasing number of incidents where government agencies are repeatedly failing to maintain control over their sensitive information in digital form. Last year one of the most highly publicized incidents was the loss of the details of 7 million families by the UK government. The discs were sent in the regular mail and never arrived at their destination.

I'm sure these agencies are now rushing around, initiating huge internal audits to track down the single points of failure in process and security that lead to these losses. This is where the real value of Oracle IRM comes into play. Deploying the technology across the organization and using one single, organization wide classification as a catch all for sensitive information provides a simple and easy mechanism to protect against such losses. In the meantime better process and clearer classification policies can be implemented and enforced with IRM as the organizations learn about how this data is actually used.

