Monday Oct 18, 2010

Document security in the real world, experience from the field

I've invited Justin Cross from Brandon Cross Technologies to share some of the experience gained in the industry when implementing IRM solutions. So over to you Justin...

I began working with IRM at SealedMedia and I have seen it grow and mature through the refinement which only comes from many, many real world deployments, where we need to apply thoughtful consideration to the protection of real business information, against real security risks; while keeping real business users happy and assured that the technology won't get in the way.

I decided to take on the challenge of forming my own company, Brandon Cross Technologies, just as SealedMedia were being acquired by Oracle. As Brandon Cross Technologies I've had the good fortune of working with a number of vendors, including Oracle, to provide the consultancy to successfully deploy software which requires an understanding of how software really gets used in practice, by real people, as well as the technical know-how.

We have recently been working with some of the largest oil & gas and telecom companies, among others, to deploy their IRM solutions to address their concerns regarding the dramatic increase in data security threats.


Secure from the inside

Despite the best efforts of virus checkers and firewalls, platform vulnerabilities and malware give attackers plenty of scope to punch holes in your defences, disrupt your systems and steal your data. If your own business users can only open and use the information they legitimately require, and that access can be revoked, then an external attacker who gets inside is no better placed to extract information than the users whose access they have borrowed: a sealed document lifted from a file share or a laptop is ciphertext without rights granted by the IRM server. Information Rights Management therefore limits the damage from a perimeter breach as well as the misuse of information by legitimate users. The caveat to keep in mind is that an attacker who controls an authorised user's session can read whatever that user can read, so the protection is only as good as the least privilege applied to each IRM context and the speed with which access is revoked.



User buy-in

As with other security solutions, a successful IRM deployment must be simple to use and must not impede existing business processes. Any solution that slows or limits a business user's daily work will be unpopular; more importantly, users may end up putting business information at greater risk by working around it. In the case of IRM that means creating, requesting, distributing or keeping unprotected copies, or sealing a document into an IRM Context or classification intended for less sensitive information in order to escape the stricter controls the business intended. The practical check is to review periodically who is sealing what into which context: a sensitive document type that keeps turning up in a low-sensitivity context is a sign that the controls on the right context are getting in the way.


Of course, once information is IRM protected it is under the full control of the appropriate information owner; but it has to be sealed in the first place. Protecting information with IRM needs to be a continual, business-as-usual process. IRM provides simple tools to protect information, but manual protection still relies on the user deciding to protect information as it is created, and being in the habit of doing so. This can be addressed through clear guidelines, policy requirements and training.


Integrated solutions

Protecting information using IRM should be performed at the earliest point in the information life cycle. One way to ensure information is appropriately secured using IRM is to automate the protection / sealing process. Oracle IRM has open programmatic interfaces which allow information to be sealed and for rights to be programmatically managed. This allows IRM protection to be integrated with other content management, workflow and security products.


For example, Oracle IRM can be integrated with SharePoint so that any document added to a SharePoint site is automatically IRM protected as it is uploaded. The information is then protected in storage, which also protects it against privileged users with server access, while documents can still be found by keyword search using Oracle's search capabilities. Automated protection therefore lets users collaborate in the normal way without having to make the conscious decision to protect a document first, or even being aware that such a step is necessary. Taking the manual protection step away from users substantially improves both the level of usage and the consistency with which IRM protection is applied.

Another policy enforcement technology which can be used alongside IRM is DLP (Data Loss Prevention). A variety of vendors provide DLP solutions and, as with IRM, these work in a variety of ways with different features and capabilities. What they have in common is the ability to monitor the movement of data within your organisation's network, and many can also control that movement. Some purely monitor network communications using dedicated network appliances; others monitor file system, device and inter-process activity at the desktop. These capabilities can be used to make sure data does not leave your systems and networks without the necessary IRM protection having been applied.


Brandon Cross Technologies

Brandon Cross Technologies is based in the UK, but has delivered projects internationally. It believes it is possible to take the pain and uncertainty out of deploying client-server and web based technologies, simply through listening to customers and sharing experience and expertise.

Friday Sep 24, 2010

Data loss prevention (DLP) solutions with document encryption

This week a new data sheet was approved which details the work done so far on integrating Oracle's industry leading document security solution with the top DLP vendors. The content of the data sheet is below and available as a PDF at the end of the article.

Organizations face the ongoing challenge of protecting their most sensitive information from being leaked. Two of the most popular solutions used to address this problem are Data Loss Prevention and Enterprise Rights Management. This datasheet explains how these technologies are highly complementary and advises how they can most effectively be used together to provide a complete data leakage solution. It also describes the integrations today between Oracle Information Rights Management and the DLP products from Symantec, McAfee, InfoWatch and Sophos.


Data Loss Prevention

Data Loss Prevention (DLP) technologies aim to prevent leaks of sensitive information. They do so by discovering sensitive information at rest, and monitoring and blocking sensitive information in motion, using content-aware scanning technology. The discovery, monitoring and blocking DLP components run either on the network (servers reaching out to scan repositories or intercepting network information flows) or on endpoints (end user computers or laptops).



Information Rights Management

Information Rights Management (IRM) also aims to prevent leaks of sensitive information. It does so by encrypting and controlling access to sensitive documents (and emails) so that regardless of how many copies are made, or where they proliferate (email, web, backups, etc.), they remain persistently protected and tracked. Only authorised users can access IRM-encrypted documents, and authorised users can have their access revoked at any time (even to locally made copies).



Complementary Solutions to Similar Problems

DLP and IRM address very similar problems, but in different and complementary ways:

  • DLP is well suited to situations where an organisation doesn't know where its sensitive information is being stored or sent. Content-aware DLP can map the proliferation of this sensitive information and direct remedial efforts, such as tightening existing access controls using blocking, quarantining or encrypting.
  • Out-of-the-box DLP remedial actions often prove to be disruptive to business workflows. Sensitive information is required for collaboration with certain third parties; configuring DLP to permit only the desired collaboration whilst preventing other data loss proves to be almost impossible.
  • DLP also makes decisions about content at a point in time, e.g. can this user email this research document to a partner? Six months later the organization may sever ties with the partner, at which point the DLP rule changes; but that does not affect all the information that flowed to the partner over those six months. DLP cannot retroactively block access to information it has already allowed to pass beyond its control to third parties.
  • Thus DLP customers are looking for a technology to allow secure collaboration triggered by their DLP solution.
  • IRM is well suited to situations where an organisation has relatively well defined business processes involving sensitive information, e.g. sharing intellectual property with partners, financial reporting, M&A, etc. IRM-encrypting sensitive documents or emails ensures that all copies remain secured, regardless of their location.
  • IRM continues to work beyond the enterprise firewall or enterprise endpoints, so authorised end users on partner or home networks or endpoints can use IRM-encrypted documents without being able to make unencrypted copies. This access can be audited and revoked at any time, leaving previously authorised users with useless encrypted copies. IRM provides persistent protection, which means that you can revoke access to information at any time. One simple change in an IRM system can stop access to millions of documents shared with partners, customers or suppliers.
  • IRM protection requires each document to be encrypted. This can be done manually by an end user according to corporate policy, but reliance on a manual step may reduce uptake. To aid uptake and enforce policy many organizations automate the process through integrations with content management systems and enterprise applications. However, many other sensitive documents are shared in ways that fall outside those systems.
  • Thus IRM customers are looking for a technology to detect sensitive data and trigger the IRM encryption process.

Integration Use Cases

From the above it should be clear that the combination of DLP and IRM will be more effective than either solution in isolation.

  1. DLP-discover and IRM-encrypt data at rest
    DLP is used to discover where sensitive information has proliferated (on endpoints and servers) and to classify it by relative sensitivity. Each sensitive classification can then be IRM-encrypted so that it carries persistent access rights in line with enterprise information security policy. For example, DLP discovers a set of financial documents on a public file share and automatically seals them into an IRM classification that allows only the finance group to open them. The documents stay where they are, but IRM enforces the access controls.
  2. DLP-monitor and IRM-encrypt data in motion
    This time DLP monitoring is used to detect sensitive outbound information flows and to add IRM encryption as a remedial action for policy violations. For example a user attempts to email a sensitive document to a supplier, DLP detects this and uses IRM to protect the document but allows the email to continue onto its destination.
  3. DLP discovery of IRM-encrypted information at rest
    It is important that DLP scanners are able to scan IRM-encrypted documents and emails. These can be shallow scans (which verify that the document is IRM-encrypted and read its IRM classification, without decrypting it) to enable controlled sharing of suitably IRM-encrypted documents, or deep scans (which temporarily decrypt the IRM-encrypted content, and so require the scanner to hold rights in the relevant classifications) to verify that documents are encrypted to the correct IRM classification.
  4. DLP monitoring of IRM-encrypted information in motion
    Shallow scanning of IRM-encrypted documents could be used to ease potentially disruptive DLP blocking of sensitive outbound content. Certain IRM classifications could be allowed outbound while others could be blocked. Deep scanning could be used to add in content-aware policies and ensure consistency between DLP and IRM policies.
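The four use cases above, together with the automated sealing described under "Integrated solutions" earlier on this page, can be followed end to end in the Python below. It is an added example and not Oracle IRM, Symantec or any other vendor's code: the sealed-file layout, the context names, the `IRMServer` class, the `dlp-scanner` identity and the card-number pattern are all constructed for the illustration, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for the authenticated encryption a real IRM product would use, chosen only so the block runs offline. The one operational assumption it makes explicit is that the DLP scanner runs under its own identity that has been granted rights in every context; without that grant a deep scan cannot open anything. Use case 2 is the same `seal` call triggered from a mail gateway rather than from a file-share crawl, so it is not repeated.

```python
"""Added example: DLP discover-and-seal with shallow and deep scans. Stand-in
code, not Oracle IRM or any DLP vendor's product."""
import hashlib
import hmac
import json
import os
import re

# DLP side: content-aware detection. The pattern is constructed for the demo.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn check so that arbitrary digit runs are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text):
    """Map content to an IRM context name; 'public' means leave it unsealed."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "finance-restricted"
    return "public"

# IRM side: a minimal rights server and a hypothetical sealed-file layout:
# b"SEALED\n" + JSON header + b"\n" + hex HMAC tag + b"\n" + ciphertext.
MAGIC = b"SEALED\n"

def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: stdlib stand-in for AES-GCM, not for production."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

class IRMServer:
    """Per-context keys plus user grants; opening is an online check, so revocation bites."""
    def __init__(self):
        self.contexts = {}  # context -> {"key": bytes, "users": set}

    def create_context(self, name, users):
        self.contexts[name] = {"key": os.urandom(32), "users": set(users)}

    def revoke(self, name, user):
        self.contexts[name]["users"].discard(user)

    def seal(self, context, plaintext):
        key, nonce = self.contexts[context]["key"], os.urandom(12)
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
        header = json.dumps({"context": context, "nonce": nonce.hex()}).encode()
        tag = hmac.new(key, header + ct, hashlib.sha256).hexdigest().encode()
        return MAGIC + header + b"\n" + tag + b"\n" + ct

    def open(self, user, blob):
        """Decrypt for an authorised user; PermissionError otherwise."""
        header, tag, ct = blob[len(MAGIC):].split(b"\n", 2)
        meta = json.loads(header)
        ctx = self.contexts[meta["context"]]
        if user not in ctx["users"]:
            raise PermissionError(f"{user} has no rights in {meta['context']}")
        expect = hmac.new(ctx["key"], header + ct, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expect, tag):
            raise ValueError("sealed file has been tampered with")
        ks = _keystream(ctx["key"], bytes.fromhex(meta["nonce"]), len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))

def shallow_scan(blob):
    """Use cases 3/4: read only the cleartext header; None means unsealed."""
    if not blob.startswith(MAGIC):
        return None
    return json.loads(blob[len(MAGIC):].split(b"\n", 1)[0])["context"]

def deep_scan(server, blob):
    """Open under the scanner's identity and re-classify: (sealed-to, deserves)."""
    return shallow_scan(blob), classify(server.open("dlp-scanner", blob).decode())

def discover_and_seal(server, files):
    """Use case 1: classify data at rest and seal sensitive files in place."""
    report = {}
    for path, data in files.items():
        if shallow_scan(data) is not None:
            report[path] = "already sealed"
            continue
        ctx = classify(data.decode())
        if ctx != "public":
            files[path] = server.seal(ctx, data)
        report[path] = ctx
    return report

def transfer_allowed(blob, allowed_contexts):
    """Use case 4 / removable-media gate: unsealed or wrongly sealed files are blocked."""
    ctx = shallow_scan(blob)
    return ctx is not None and ctx in allowed_contexts
```

The shallow scan needs no key at all, which is why it can sit on a USB or e-mail gateway and simply refuse anything that is not sealed to an approved context. Only the deep scan can notice that a finance document has been sealed into a weaker context; `deep_scan` surfaces that as a mismatch between the context in the header and the context the content deserves, which is the consistency check between DLP and IRM policy that use case 4 describes.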

Integrating with DLP Vendors

Oracle has been requested by several customers and partners to integrate Oracle IRM with the leading DLP Vendors' solutions. Whilst all four of the above integration use cases are being scheduled on both Network and Endpoints, work has already been done today to support the following functionality.

Symantec DLP and Oracle IRM

Oracle and Symantec have collaborated to provide a solution that allows DLP to discover and automatically call IRM to encrypt data at rest. This results in sensitive documents being identified by DLP and then automatically encrypted with IRM. The encrypted files can then remain in their original location rather than being quarantined, but can only be opened by authorized users. The DLP product can also discover and monitor IRM-encrypted documents and then audit, quarantine or take no action depending on policy and context.

McAfee DLP and Oracle IRM

McAfee's Data Loss Prevention quickly delivers data security & actionable insight about the data at rest, in motion and in use across your organization. Protecting data requires comprehensive monitoring and controls from the USB drive to the firewall. The powerful combination of McAfee DLP and Oracle IRM automates the process of protecting your data, giving you confidence that policies are enforced consistently wherever your data needs to travel.

InfoWatch DLP and Oracle IRM

Oracle and InfoWatch have collaborated to provide a solution that controls information transferred via removable storage, optical media, web uploads and emails with attachments, and that inspects the contents of IRM-encrypted files and messages. The solution applies policies to prevent sensitive information leakage; a flexible policy can be configured to enforce IRM encryption of sensitive emails. Digital fingerprinting of the IRM-encrypted content ensures that no parts or quotes of IRM-protected documents can leak outside the corporate network.
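The fingerprinting mentioned above catches a quoted paragraph, not just a whole file, because what gets registered is a set of hashes over overlapping word windows rather than the document itself. The Python below is an added example of that technique and is not InfoWatch's or Oracle's code; the five-word window, the `FingerprintRegistry` class, the sample due diligence memo and the two e-mail bodies are all constructed for the illustration. In the integration described, the DLP product would deep-scan (decrypt) the sealed document before fingerprinting it; here the plaintext is simply supplied.

```python
"""Added example: word-shingle fingerprinting of registered documents so a
DLP engine can spot quoted fragments in outbound text. Not vendor code."""
import hashlib
import re

WINDOW = 5  # words per shingle (constructed choice; vendors tune this)


def _words(text):
    """Normalise case and punctuation so reformatting a quote does not defeat the match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text, k=WINDOW):
    """Set of truncated SHA-256 hashes over every k-word window. Only these
    hashes live in the DLP policy store, never the sensitive text itself."""
    w = _words(text)
    return {hashlib.sha256(" ".join(w[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(w) - k + 1)}


class FingerprintRegistry:
    """Registered documents keyed by id, each tagged with the IRM context the
    content belongs to, so a hit names the classification to enforce."""

    def __init__(self):
        self.docs = {}  # doc_id -> (context, fingerprint set)

    def register(self, doc_id, context, text):
        self.docs[doc_id] = (context, fingerprint(text))

    def scan(self, outbound, min_hits=3):
        """Return [(doc_id, context, shared_windows)] for every registered
        document of which the outbound text quotes at least min_hits windows.
        Unrelated prose shares no five-word window with a registered memo."""
        fp = fingerprint(outbound)
        hits = []
        for doc_id, (context, reg) in self.docs.items():
            shared = len(fp & reg)
            if shared >= min_hits:
                hits.append((doc_id, context, shared))
        return sorted(hits, key=lambda h: -h[2])


# Constructed sample data for the demonstration.
DUE_DILIGENCE = (
    "The board approved the acquisition of Northwind Traders at a price of "
    "42 million, subject to the completion of due diligence on their pension "
    "liabilities and a review of the pending litigation in Hamburg."
)
QUOTING_EMAIL = (
    "FYI, the deck says: 'subject to the completion of due diligence on their "
    "pension liabilities' -- can you confirm?"
)
UNRELATED_EMAIL = "Can you confirm the time for Thursday's call with the pension team?"


def demo():
    """Register the memo, then scan one e-mail that quotes it and one that does not."""
    reg = FingerprintRegistry()
    reg.register("dd-memo-2010-07", "m-and-a-restricted", DUE_DILIGENCE)
    return reg.scan(QUOTING_EMAIL), reg.scan(UNRELATED_EMAIL)
```

The `min_hits` threshold is the trade-off between catching short quotes and tolerating common phrases; a longer window and a higher threshold both reduce false positives at the cost of missing shorter excerpts. Because the registry holds only hashes, the DLP policy store does not become a second copy of the protected content.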

Sophos DLP and Oracle IRM

Oracle and Sophos have collaborated to provide a solution to control the transfer of IRM-encrypted information via removable storage, optical media, web uploads and email attachments. A policy can be configured to simply audit the transfer of IRM protected files or, if required, authorise the transfer of IRM protected files and block the transfer of non-IRM protected files.


And you can download the PDF version of this data sheet.

Friday Sep 03, 2010

Oracle IRM and Sophos DLP Integration

Continuing our theme on DLP and IRM, we've been working with leading DLP vendor Sophos to create integrations that bring IRM and DLP together. These integrations provide a richer set of security controls for protecting your most sensitive information, such as intellectual property, protected health information (PHI) and financial data, as it flows around your enterprise networks and beyond. The video below demonstrates one of the integration use cases we hear a lot of customers ask for: ensuring that only IRM-protected documents can be copied onto USB devices and CDs, so that the organization keeps persistent control over its most valuable content.

John Stringer, product manager at Sophos, comments:

DLP can be used to identify IRM-protected documents, audit their transfer and - where appropriate - apply IRM classification based on document content. This complements traditional methods for applying IRM such as manual classification by employees. At Sophos we're really excited about working with a number of IRM vendors, such as Oracle, to achieve exactly this.

The ultimate goal over the coming months for these integrations is to use DLP to maintain the policy which defines what you classify as confidential or sensitive information. DLP then implements that policy when monitoring network traffic, searching across file repositories and watching the movement of information onto USB keys and other removable devices. When DLP finds unprotected information, instead of simply blocking it, it can apply an IRM policy in line with the DLP policy to ensure the information is protected no matter where it ends up. Have a look at the video and feel free to contact us if you'd like to know more about what DLP and IRM can do together for you.


Friday Aug 20, 2010

Understanding the value of persistent document security with IRM and DLP

Great progress is being made here at integrating many DLP vendors with our information rights management (IRM) document security solution. Keep an eye out over the coming months for some sneak previews into this work. Our integration with Symantec DLP is also in the pipe for a vast increase in functionality as part of an integration with Oracle IRM 11g.

DLP and IRM together make a lot of sense. DLP is an excellent technology for watching systems and network perimeters to recognize content as sensitive so it can monitor/warn/block activities. For example, if you try to email a sensitive doc out of the business, DLP might block the email due to policy.

But DLP is an internal solution. No third party is going to let you monitor their networks and systems to protect what you send them, or what they are doing on your behalf. This matters all the more as organisations look to the cloud to store and manage content: does the cloud service integrate with your DLP? Does it provide the same level of security, and does it integrate with your existing internal security technologies and policies? So many DLP implementations amount to monitoring the perimeter of your network to stop things leaving, or monitoring USB ports to stop information being copied to USB memory. The USB port is just one of the many "perimeters" that DLP has to watch, where it can.

IRM on the other hand protects information more directly. You seal a document and it is encrypted. You can send sealed documents to external parties - or allow third parties to create sealed content because they are working for you - but policy and audit still apply. The solution can be used in third party networks because the IRM solution only monitors/controls sealed documents - it does not monitor the third party's networks or systems or intervene in third party processes that have nothing to do with you.

Recent interest from customers, partners and vendors has sparked a lot of discussion within the walls of Oracle, and one of our expert IRM consultants came up with a great way to explain the abilities of these two technologies and how they work well together. I thought I'd share his analogy here:


  • DLP is like a police force. It watches as many things as it can for breaches of policy and intervenes in some way when it can. It needs to monitor all the channels that you identify as a potential risk, and its effectiveness stops at your border. You need constant adjustment to be confident that you are catching everything you should catch, and the trick is defining a comprehensive set of policies without making everyone feel that they are living in a police state. In practice, this might mean that you define very simple policies and warn rather than block. Once a document has left your borders, you have no further control and no means of revoking access.

  • IRM is more like a bodyguard. It goes wherever the sensitive assets go - even if they go beyond your border - but it takes no interest in anything that is not sealed. It applies policy consistently even if policy changes over time - so you can revoke access to external copies long after sending them. However, it only protects the assets it is assigned to protect, so the trick is using business process or automation to ensure that all sensitive assets are sealed. The automation could be managed by DLP.


Monday Jul 12, 2010

LaFarge secures sensitive M&A documents in ICSA Blueprint Data Room with Oracle IRM


A very common use case for information rights management technologies is the protection of highly sensitive mergers and acquisitions (M&A) processes; Oracle itself has used IRM for this since it acquired the technology. Such information is routinely shared beyond the classic corporate security infrastructure, and quite a few companies package the entire process of sharing and protecting it as an online service in the "cloud".

These services face the challenge of being simple and easy to use yet very secure. One big problem is how to keep total control over who can open, print or edit a document once it has been downloaded from the cloud-based service. Acquisition discussions often break down, which can leave a lot of sensitive information, such as financial plans, due diligence results and business strategy documents, sitting at the prospective target. That information is now exposed, and the target may well be bought by a competitor. This presents a serious risk to your business and often limits what you are willing to share in the first place, hindering your ability to execute efficient M&A projects.

"Blueprint Data Room shows excellent security qualities allowing us to fearlessly make our corporate records available."
Jérôme Vitulo (Assistant General Counsel)

This is where IRM technologies help. Documents and emails secured with IRM remain under your control, so you can share information knowing you can revoke access at any time. This matters especially given the current trend towards storing data in the cloud. Cloud storage and collaboration services are popular mainly because of cost, but also because of ease of use: they are often built on modern platforms with modern approaches to sharing and collaboration, and they wrap complex processes in web applications that are easy to use and govern. Yet the glamour of the cloud brings security fears with it. Are you really going to store your most important company information in a website designed to make sharing that information simple and easy?

ICSA is a company offering one of these cloud-based solutions and has teamed up with Oracle to reinforce its security when protecting its customers' most valuable documents. One of ICSA's customers, building materials manufacturer LaFarge (currently the world's largest producer of cement), has released a case study on how it relies on Oracle IRM to secure its information when used with the ICSA Blueprint Data Room service.


Why Choose Blueprint Data Room?

  • Facilitate communication - Blueprint Data Room allows you to securely store due diligence documents in a central location, easing the exchange of critical and sensitive business information with authorised third parties
  • Global access - Advisers are able to access due diligence documents anywhere, anytime via a standard web browser, a username and password, increasing world-wide business opportunities
  • Configurable - Companies can filter which documents they wish to publish using options such as relevant company or group of companies, category of documents, specific documents and/or date range
  • Highly secure - ICSA Software has teamed up with Oracle to reinforce its security. Oracle IRM gives users one of the strongest guarantees against document fraud and misuse, making this a world-class security application. Oracle IRM extends security to documents that have left Blueprint Data Room by restricting actions on them, such as printing, taking screenshots and opening them without authorisation
  • User-friendly - Blueprint Data Room is a user-friendly tool allowing everyone to use the application without the necessity of training
  • Fully integrated with other Blueprint applications - No need to duplicate or export documents


Blueprint Data Room is transforming the way companies exchange critical information and is accelerating and significantly simplifying the M&A process. Oracle IRM is a key component to delivering this solution.

Tuesday Oct 27, 2009

Oracle IRM and Symantec DLP version 10 integration announced


This morning Symantec announced the latest incarnation of its data loss prevention (DLP) technology, version 10. DLP technologies let organizations discover sensitive information and monitor enterprise perimeters to detect its flow. When DLP detects something deemed confidential it can act on it, typically by blocking the information from being transmitted any further. Combining DLP with IRM means you don't have to restrict the end user by blocking their attempts to collaborate: instead the document or email is encrypted and protected so that it can still be shared. IRM ensures only authorized users have access and provides further controls such as revocation of access, even after the information has left your enterprise network.

We've been working with Symantec over the past month to build an integration between Oracle IRM and DLP creating the most powerful security solution of any IRM and DLP combination. Oracle IRM is the leading rights management solution for enterprise-scale document and email security. Combining these features with Symantec's leading DLP solution means customers can now have rich monitoring and detection capabilities. Instead of blocking attempts to share valuable data, this solution allows it to happen securely. We first demonstrated this capability at Oracle Open World and if you were not able to attend, we've uploaded some video demonstrations to our YouTube channel.

If you want to learn more about using Oracle IRM and DLP together contact us.



Thursday Oct 08, 2009

Sealed Solutions partners with Outpost24

There has been a lot of partner activity with IRM recently, and more information will be coming out over the next few months. Right now one partner in Germany, Sealed Solutions GmbH, has just teamed up with a vulnerability assessment and management company, Outpost24, to bolster its information rights management practice.

Sealed Solutions is a leading provider of Oracle IRM services in Germany, and the partnership with Outpost24 will increase its ability to fulfil major GRC (Governance, Risk and Compliance) requirements, combining IRM with vulnerability assessment and management best practices to ensure the protection and handling of customers' confidential information and data.

Norbert Bacher, CEO Sealed Solutions GmbH, was quoted as saying, "With the technology provided by Outpost24, we are now able to secure and protect not only confidential e-mails and other sensitive information like we do with our Information Rights Management solutions, but are pleased to now be able to protect our customer's organizational centerpiece - 'the network'. Both from the inside, as well as the outside. Outpost24's Vulnerability Management solutions are an excellent complement to our current Information Rights, Security and GRC solutions."



