Friday Dec 17, 2010

Wikileaks Cablegate, could Oracle IRM have helped?

I've been asked many times over the past month about how IRM could help with the saga playing out in the news regarding Julian Assange and Wikileaks. There must be a lot going on within certain US government agencies right now, as the backlash from the constant release of information causes pain not only for US security departments but also across the globe, since the cables detail all sorts of sensitive and embarrassing information.

I won't go into the question of why this was possible in the first place, or why so much information could be extracted en masse, but I will comment on how IRM could play a part in a solution to prevent something like this in the future.

Once it's out, it's out...

One thing the release of this information demonstrates is that as soon as you've lost control of information, it's gone. Once those cables existed as clear text on a website, they were quickly copied, distributed via Torrent networks and mirrored at such a rate that it is now impossible to destroy all evidence of these files. This is a problem with a lot of security technologies today: they focus on the location, the network or a gateway to define access to information. If that information leaves these protected areas, then it can travel very quickly and multiply at an amazing rate.


This is the real value of IRM over hard disk encryption, DLP, PGP etc. Most security technologies that use encryption only do so whilst the information is at rest or in transit. Then typically an access control mechanism defines who has the ability to access and decrypt that information. PGP for files is the best example. Say you secure a document with PGP. It wraps the file up with encryption, and you can then safely store this file anywhere: on a USB key, on a hard disk or on a website. You may then want to share the encrypted file with a trusted person via email, so you have to give them the ability to decrypt it. It is at this point that the real threat begins. PGP decrypts the file back to the user and they can then store the unprotected file where they like. Sure, DLP can detect this and try to block it, but this becomes impractical when the user NEEDS to decrypt and open the file, or when you are sharing the information with a supplier who can't install your DLP agents.


IRM provides persistent protection, it's never in the clear

IRM makes sure the information is ALWAYS protected, even when in use. I'm not familiar with the system that contained the information Wikileaks is exposing, but most likely this was some custom application storing the data in a secure database. The application probably has some secure access control mechanism in place to ensure only authorized users can log in to the application and see classified information at their security level. But the application ultimately delivers the information in a format that is easily copied. In fact the masses of information Wikileaks has acquired implies the application which stored it had easy ways to access data en masse. An RSS feed? It would be trivial, for an authorized user, to export masses of information from an RSS feed into another format and ship this over to Julian and his crew.



What specifically does IRM do to keep control over information?

IRM, on the other hand, would never have allowed the information to be exported into an insecure location. IRM provides the following features to defend against this type of risk.

  • Most importantly every IRM secured document or email requires authentication every time you open it. Even if you do copy thousands of IRM secured documents to your local computer, you need to authenticate every time you open them.
  • If you have the ability to open an IRM document, you cannot use the clipboard to cut and paste the information into another unsecured environment. IRM ensures that information STAYS inside the secured document. Even if you try to use a programmatic approach and access the information via the application document object model, IRM protects and defeats that as well.
  • You can't easily take screenshots of the information either; IRM protects against that. Sure there are ways to get around this (take a photograph of your computer screen), but Wikileaks claims to have 251,287 documents. I wonder how long it would take to photograph every one?
  • You can place dynamic watermarks in IRM secured content. So even if you DID take 250,000 photographs, your login id, computer name, time/date is going to appear in them all. Good luck sitting down in Photoshop editing out the watermarks for 250,000 digital photos.
  • Every time you open an IRM protected document it generates an audit. So if someone with the authority to open lots of secured content starts opening thousands of files, the activity is going to be very visible. Want to know who spent all their spare time taking pictures of his monitor, editing all the images in Photoshop and passing them to an illegitimate source? Just run one audit report.
  • IRM rights to secured content can be removed at any time. So if your audit report starts to show mass opening of content, you can detect this and revoke that person's access very quickly.
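
The last two points describe a detect-then-revoke loop: per-open audit records reveal mass opening, and the flagged user's rights are then removed. The sketch below is an added example, not Oracle IRM code or its API; the audit record layout (user, time, document id), the one-hour window and the threshold of 100 documents are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_audit():
    """Constructed audit records as (user, open time, document id) tuples.
    The layout is an assumption for this example, not the IRM audit schema."""
    base = datetime(2010, 11, 1, 9, 0, 0)
    events = []
    for i in range(12):    # analyst_a: 12 documents spread over a working day
        events.append(("analyst_a", base + timedelta(minutes=40 * i), f"doc-{i}"))
    for i in range(300):   # analyst_b: 300 different documents in 25 minutes
        events.append(("analyst_b", base + timedelta(seconds=5 * i), f"cable-{i}"))
    for i in range(200):   # analyst_c: many opens, but of the same 3 documents
        events.append(("analyst_c", base + timedelta(seconds=10 * i), f"ref-{i % 3}"))
    return sorted(events, key=lambda e: e[1])

def find_mass_openers(events, window=timedelta(hours=1), max_distinct=100):
    """Return {user: time the threshold was first crossed} for users who opened
    more than max_distinct different documents inside one sliding window.
    Events must be ordered by time."""
    recent = defaultdict(deque)                      # user -> (time, doc) in window
    counts = defaultdict(lambda: defaultdict(int))   # user -> doc -> opens in window
    flagged = {}
    for user, ts, doc in events:
        q, c = recent[user], counts[user]
        q.append((ts, doc))
        c[doc] += 1
        # Drop opens that have aged out of the window.
        while ts - q[0][0] > window:
            _, old_doc = q.popleft()
            c[old_doc] -= 1
            if c[old_doc] == 0:
                del c[old_doc]
        # Breadth (distinct documents), not raw open count, is the signal.
        if len(c) > max_distinct and user not in flagged:
            flagged[user] = ts
    return flagged

def revocation_list(events, **thresholds):
    """Users whose rights should be removed, earliest trigger first."""
    flagged = find_mass_openers(events, **thresholds)
    return [user for user, _ in sorted(flagged.items(), key=lambda kv: kv[1])]

if __name__ == "__main__":
    for user, when in find_mass_openers(build_sample_audit()).items():
        print(f"{user} crossed the open threshold at {when.isoformat()}")
```

Counting distinct documents rather than total opens keeps a user who repeatedly re-opens a handful of working files from being flagged alongside one who is walking through the whole repository.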



Could Oracle IRM have been used?

Absolutely. IRM supports HTML, TXT, CSV, DOC, and other popular formats. The application could have delivered the classified information via an RSS feed. Users would be authenticated when they access each piece of information and they can also take copies to store where they like. Centrally the department would have complete visibility of who is accessing what. Different classifications of information (secret, confidential) can be enforced even when someone takes a file and forwards it via email onto someone else. Most importantly of all, if someone were to copy 250,000 IRM protected documents, zip them up and stick them on a BitTorrent network... the information is still safe.


The Oracle IRM server also has a very extensive set of APIs with a plug-in architecture that can support any classification model you want. This means the integration of the technology with a secured application is possible and sustainable.

I'm sure we are going to see an increase in the use of IRM technologies over the coming months as the questions over how Cablegate was possible trickle through the information security departments of governments and other organizations. If you'd like to know more about how this technology can help your organization, please contact us and we can go into detail.


Oracle IRM protects and tracks your sensitive information no matter where it goes. It combines business friendly encryption with role based usage rights and auditing.
