Tuesday, November 8, 2011

For Your Eyes Only


We’re all occasionally guilty of ignoring the traditional ‘old school’ way of doing things in favour of modern methods and technology; but just because something has been around a while it doesn’t always mean that it is out-dated or irrelevant to the modern day. In fact many traditional methods can sometimes significantly enhance the way we use our modern technology.

One example of this can be found in the world of document security. Whilst I am the first to sing the praises of document rights management for protecting sensitive information inside and outside of an organisation, my own experiences have proved that deploying the software is only half the solution. If you don’t provide guidelines on how and when to apply security to documents and also communicate why a document has been protected then you are destined to fail. This is because technology is not good at handling the human element of a problem, and this is where we can turn to the past for help.

Document security is not a new problem; in the days when all documents were paper, a very efficient system was developed to handle confidential information. Anyone who has watched a Bond movie will be familiar with the “Eyes Only” system of marking secret documents. This system is not a product of Ian Fleming’s imagination; it is a very real and effective system still used by governments, security services and organisations the world over. By combining such a protective marking system with document rights management technology we can very clearly communicate that a document is protected by DRM and also indicate exactly why it is protected and who will be able to access it. Furthermore, by insisting that all documents are protectively marked we can provide users with a framework for ensuring that the right level of DRM protection is applied to each document and that they understand fully what they are personally accountable for.

Need to Know Principle
The ‘need to know’ principle is fundamental to the security of all protectively marked assets – casual access to protectively marked documents is never acceptable. I have developed a simple, light-weight protective marking system, based on a traditional government model, that can be used in conjunction with document rights management in a commercial environment. The scheme comprises three markings. In ascending order of sensitivity they are: PROTECTED, CONFIDENTIAL and SECRET. Unmarked material is considered UNCLASSIFIED; this term is used to indicate positively that a protective marking is not needed. The methodology used to select the correct level of security is expressed in terms of Business Impact levels as illustrated in the chart below:-

















These markings can be applied to any company asset, and would be applied to electronic documents in the form of a file name suffix, watermark or document header/footer:-

 

Supplementary Marking
Supplementary markings can also be applied to protectively marked material. This is known as Compartmental Handling and is used to indicate additional information about the contents, sensitivity and handling requirements of an asset. These markings are added to the marking as a suffix and typically comprise one of the following:-
  • Function name e.g. Technical, Customer, Supplier, Finance, Human Resources, Information Management, Legal, Executive
  • A project name
  • A code-word
  • Other relevant descriptors
The compartmental label is an additional qualification of the asset mark and should never be considered in isolation. Compartmental handling, in most cases, is only applied to highly sensitive material (e.g. material marked Confidential and above) and is used to provide more precise named access on a “need to know” basis.

Security Clearance 
The marking system requires that all users and external recipients of information are assigned a security clearance level before they can access marked assets. In simplest terms to access a marked asset the following relationship must be true:-
Person’s Clearance >= Asset Mark  

E.g. an employee who has Secret clearance can access a document marked Confidential, however an employee cleared to Protected cannot access a document marked Confidential.
When Compartmental Handling is used, the compartmental label is appended to the asset mark to create a separate and unique combined clearance level. An individual MUST be cleared specifically to this combination in order to gain access.

Combining with Document Rights Management
When protective marking is combined with DRM, discrete rights management policies are created that represent each clearance level. Further specialist policies are created on an as-required basis to reflect special circumstances that require the use of compartmental handling. In effect each DRM policy becomes a complete definition of a clearance level. As users are granted new clearance levels they are added to the relevant DRM policies. The corporate Protective Marking procedure and related guidance chart then becomes the point of reference used by employees when applying DRM to a new document.
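
The clearance rule and the one-policy-per-clearance-level mapping described above, as an added Python example that is not part of the original post or of any DRM product. The " - " separator between mark and compartmental label, the exact-match reading of combined clearances, and the staff names are assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Mark(IntEnum):
    # Ascending order of sensitivity, as listed in the scheme.
    UNCLASSIFIED = 0
    PROTECTED = 1
    CONFIDENTIAL = 2
    SECRET = 3

def parse_marking(text):
    """Parse 'CONFIDENTIAL - FINANCE' into (Mark.CONFIDENTIAL, 'FINANCE').

    The ' - ' separator is an assumed convention. Unmarked material
    (empty string) is UNCLASSIFIED; an unknown level is rejected.
    """
    level, _, compartment = text.partition(" - ")
    level = level.strip().upper() or "UNCLASSIFIED"
    if level not in Mark.__members__:
        raise ValueError(f"unknown protective marking: {text!r}")
    return Mark[level], compartment.strip().upper() or None

@dataclass
class Person:
    name: str
    clearance: Mark
    # Combined clearances held, e.g. {(Mark.CONFIDENTIAL, "FINANCE")}
    combined: set = field(default_factory=set)

def can_access(person, marking):
    mark, compartment = parse_marking(marking)
    if compartment is None:
        return person.clearance >= mark  # Person's Clearance >= Asset Mark
    # Compartmental handling: the exact combination must be held.
    return (mark, compartment) in person.combined

def policy_members(marking, people):
    """Users to place on the DRM policy that represents this marking."""
    return sorted(p.name for p in people if can_access(p, marking))

# Constructed sample staff list (hypothetical names).
STAFF = [
    Person("alice", Mark.SECRET),
    Person("bob", Mark.PROTECTED),
    Person("carol", Mark.CONFIDENTIAL, {(Mark.CONFIDENTIAL, "FINANCE")}),
]

if __name__ == "__main__":
    for m in ("PROTECTED", "CONFIDENTIAL", "CONFIDENTIAL - FINANCE", "SECRET"):
        print(f"{m:24} {policy_members(m, STAFF)}")
```

Note that a plain Secret clearance does not open a compartmented Confidential document: the combined level is checked on its own.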

 



















Successful Implementation
The secret to successfully combining DRM and protective marking is to keep it simple and abide by the following guidelines:-
  • Minimise the number of clearance levels
  • Try to set a default level for internal assets
  • Develop corporate document templates that include the standard clearance levels
  • Make use of DRM functionality such as dynamic watermarking
  • Make the clearance levels specific and relevant to your business
  • Educate and train your people
  • Foster a security aware culture


 

Friday, October 21, 2011

Document Rights Management on Android and iOS


I wrote earlier this week about the new Adobe Reader 10.1 release for Android and iOS.
One very significant feature in this release has not previously been available on a mobile platform. LiveCycle Rights Management, a staple part of Adobe Reader on Windows and OSX for a long time, is now available to Android and iOS users.
One of the key attractions of using Adobe’s rights management over other solutions is the fact that the authentication and decryption technologies are built into Adobe Reader. This solves one of the big issues surrounding rights management, that of supporting and maintaining the decryption technology inside and outside of your organisation. By adopting Adobe’s LiveCycle solution this is taken care of for you: with a worldwide installed base of over 600 million copies of Acrobat Reader, the distribution and maintenance of the reader is already handled by Adobe. Now that this has been extended to Android and Apple tablet devices it really does take DRM to the next level.
DRM technology is all about protecting documents on the move, and you don’t get more portable than a tablet device. The concept of DRM documents “phoning home” to request a user’s access rights fits the mobile device strategy like a glove. New mobile internet technology, available 24/7, now means that mobile devices are the perfect platform for distributing rights managed documents within and beyond an organisation.

So what is available from this first DRM compatible release? Adobe has pledged further development and enhancements are coming, but for now this first release seems to be very accomplished.
  • The recently rebranded Adobe Digital Enterprise Platform (ADEP) Rights Management (LiveCycle version 10) is supported by default. Users of LiveCycle version 9 will need to ensure that they have service pack 2 installed along with a specific quick fix (QF 2.126). The quick fix is available by contacting Adobe support.
  • This version supports username/password and anonymous authentication; other mechanisms, such as Kerberos, smartcard and SAML, are currently being considered by Adobe for future releases.
  • It supports 256 bit AES encryption, the highest level of encryption currently available in LiveCycle.
  • This is the first release to feature DRM, so there are a few limitations that early adopters need to be aware of. Currently offline viewing of documents is not available and policies that include dynamic watermarks are not supported.
Try it for yourself
If you fancy giving it a spin on your Android or Apple device, I have created a trial user account on my LiveCycle demo server for demonstrating rights management on Android and Apple devices. Just go to the Apple app store or the Android Market and download the reader; then download the following file to your mobile device.


Username: trial
Password: password

For more information on LiveCycle Rights Management, take a look at my "Deep Dive" webcast recording here.

Wednesday, October 19, 2011

The iPad Finally gets Adobe Reader



The iPad has always been a slick, convenient tool for accessing documents and information on the move and you would have thought that native PDF reading capability would be a given. Just about every other platform out there comes with the ubiquitous Adobe Reader and it often comes as a shock to new iPad owners when they discover that Reader does not appear amongst the 140,000 iPad apps in the app store. So for some time now iPad users have had to settle for the minimal functionality of iBooks or go and buy a 3rd party reader from the app store.

However, now things have changed. Adobe announced yesterday (17 Oct 2011) the release of Reader 10.1.0 for iOS. This now finally plugs a glaring gap in the iPad portfolio. Version 10.1.0 is not only a major step forward for iPad users, it also brings significant additional functionality to the more fortunate Android users who have had the luxury of the Adobe Reader for some time already. Both the iOS and Android versions offer some major new enhancements for mobile users:-
  • Support for PDF Portfolio and PDF packages.
  • Support for Annotations and markup.
  • Sticky note support.
  • Opening of password protected files.
  • Full support of Adobe LiveCycle Rights Management, including 256 bit AES encryption
  • A great set of slick gesture-based interface tools
  • Text based searches
  • Copy and paste capability
  • Wireless printing from iPad via AirPrint
  • The ability to share and email files
I will be posting a separate blog entry on the new rights management capabilities later.

You can download Reader from the Apple App store or Android Market. Further information on Reader for iOS can be found at the Adobe Acrobat Blog here:-

http://blogs.adobe.com/acrobat/2011/10/adobe-reader-ios.html

Monday, October 17, 2011

Securing your Intellectual Property - Full length webcast now available





Back in June I hosted a webcast entitled Securing your Intellectual Property with Adobe LiveCycle Rights Management. Now there is a second chance to see a recording of this webcast in full.

I have published the full Deep Dive 1 hour long recording; you can access it without registration at this link:-

https://connectpro77888205.adobeconnect.com/_a992060836/lcwebcast

The presentation covers such things as:-
  • The impact of Data leaks
  • Today's challenges in document security
  • Tackling the traditional rigid document security solutions
  • Architecture of a Rights Management system
  • An in-depth live demonstration of Adobe's LiveCycle Rights Management Solution
If you would like to see this technology in action, I'm quite happy to set up a live online demonstration for anyone that has an interest.

Keeping a Leash on Your Sensitive Information

A recent UK Cabinet Office report revealed some startling facts about cyber-crime in the UK. The report, titled The Cost of Cyber Crime, stated that the overall cost to the UK economy of cyber crime is £27bn per year. This is a sobering statistic in its own right, but even more revealing is the fact that UK business bears the lion's share of this burden, footing the bill to the tune of £21bn per year, 3/4 of the overall cost.

Further analysis of the report also uncovers the fact that £16bn of cost is attributable directly to intellectual property leaks and industrial espionage. This is something that the CEOs, CTOs and Chief Information Security Officers out there should be sitting up and taking notice of.

Having worked for many years in the high tech manufacturing and engineering sector myself, I can speak from personal experience when I say that there is still a huge amount of complacency when it comes to IP security. There is still very much an "It won't happen to us" or "Why would anyone be interested in us" attitude taken by many companies. The fact of the matter is that today it is not just the exotic, high profile household names that are targets for cyber criminals; any successful business with a profile and presence in the news and on the web can be easily researched and targeted. One of the UK's most successful and influential design and industry leaders, Sir James Dyson, recently even went on the record to express his concerns about industrial espionage.

This is my first posting in this blog, but in future entries I will be exploring the security issues that affect businesses and the way that they communicate their most vital and intangible assets, their Intellectual Property.