Criteria for evaluating IRM technology – Part 6 of Many – Screen grabbing prevention capabilities

This is a multi-part blog entry on important criteria based on which enterprises must evaluate rights management technologies before investing significant amounts of time and money.

Please note that not all criteria might be important for any given enterprise so you will have to pick and choose the ones which are important, give appropriate weight-ages and then decide on the best technology.

To view all the blog posts in this series please go to http://blog.seclore.com and then select "IRM evaluation" from the tag list.

Over a period of time there have been many comments and views about the importance and feasibility of protecting irm protected documents from being "exposed" via screen grabbing functionality

Screen grabbing can be done in one of the following ways :

1. Using the print screen functionality
2. Using screen grabbing tools like Snag It, Camtasia, .... OR using a virtual machine or virtualized desktop
3. Using remote desktop / web meeting tools like Webex, GotoMeeting
4. Using actual cameras and pointing to the screen
5. Using hardware based VGA recording systems similar to video recorder

The above list is fairly comprehensive and approximately in the increasing order of risks that they pose to confidential information. The list is also in increasing order of complexity of the solution i.e.

1. Blocking print screen functionality is almost trivial and can be done by various methods like keyboard hooking etc.

2. Blocking screen grabbing tools is more difficult because of the variety of technologies used by such software from video memory copy to driver mirrors there is hardly any method which is not used for this purpose

3. Blocking remote desktop functions is even more difficult because a summary blocking of a tool like Webex would mean collaboration loss

4. Blocking camera clicks is more difficult because it is virtually impossible to do without significantly compromising on the user experience i.e. blocking the whole screen except for a "spotlight" around the cursor appears to be the only solution and is usually unacceptable to users. The risks of this are becoming higher as pocket cameras and phone become more powerful. The alternate solution would be to physically block phones with cameras which is also becoming increasingly difficult.

5. Blocking hardware based VGA recording systems is virtually impossible .. it would mean blocking VGA output to all devices except for the attached monitor and would cause an impossibly high loss to basic activities like projection. However the risks with this are lesser because these devices are rare and can be physically blocked easily.

Taking a completely technical view, the IRM system should provide an on/off switch to the user for the screen grabbing functionality. Within the on/off switch itself there should be more granular controls like should a "spotlight" functionality be enabled or not OR should the hardware based recorder be blocked or not.

Once we overlay this more technical view with usability and convenience considerations of the end user AND the policy definition complexity of the policy administrator .. the most optimal criteria appears to be :

• Using the print screen functionality - Should be blocked

• Using screen grabbing tools like Snag It, Camtasia, .... - Should be blocked

• Using remote desktop / web meeting tools like Webex, GotoMeeting - Should be blocked with an option to enable

• Using actual cameras and pointing to the screen - Not necessary as it would cause too much user inconvenience

• Using hardware based VGA recording systems similar to video recorder - Not necessary as the risks are low

In most cases we have found this to be the most pragmatic approach to dealing with the screen grabbing issue.

Finally, a really determined user may just pick up the pen and jot down the important parts of a document or if its small enough then even memorize it. Till the time we have memory erasers however we will have to live with those risks. Are the folks at Men-In-Black listening ??

Seclore and its partners regularly advise customers on their IRM requirements so please do not hesitate to contact us.

Criteria for evaluating IRM technology – Part 5 of Many – Multi-factor authentication support.

This is a multi-part blog entry on important criteria based on which enterprises must evaluate rights management technologies before investing significant amounts of time and money.

Please note that not all criteria might be important for any given enterprise so you will have to pick and choose the ones which are important, give appropriate weight-ages and then decide on the best technology.

To view all the blog posts in this series please go to http://blog.seclore.com and then select "IRM evaluation" from the tag list.

Multi-factor authentication

In most cases, IRM systems do not have an identity store of their own i.e. They rely on a trust relationship with an existing identity system like LDAP. The fundamental basis of security of IRM systems is the credibility and security of the underlying identity establishment infrastructure. If the identity establishment and governance process is weak, then this weakness will have a cascading effect on the security of the IRM system.

As identity thefts become more brazen the need for stronger password protection is more important than ever before. The protection of other elements of IT infrastructure i.e. Networks, applications and even computers is governed by multi-factor authentication. Multi-factor authentication normally consists of a challenge to the user regarding :

1.What you know i.e. your user name, password, mother's maiden name, favorite color etc.
2.What you have i.e. Tokens, Magnetic cards, Mobile Phones, etc.
3.Who you are i.e. Fingerprints, voice biometrics, iris / face recognition etc.

In the context of IRM systems the support for multi-factor authentication system is normally a good-to-have but in cases of extremely confidential information being protected it can become critical.

Ideally an IRM system should allow for graduate "scaling up" of the multi-factor authentication requirements. In the order of cost and complexity the options are :

1.Basic 2 factor authentication system : This consists of a check on what you know (user name / password) and what you have (a specific computer or a specific network signature). For good IRM systems this is a built-in feature of the IRM system itself.

2.Support for token based 2 factor authentication system : This would consist of the regular user name/password with a (normally third party) OTP (one time password) based infrastructure backed by physical tokens given to each user. This method, specifically in the case of IRM systems is a little complex because IRM protected documents might go to external users and there is little control on the number of these external users. Provisioning a user in this case would take a long and in most cases unacceptable time.

3.Support for token-less 2 factor authentication system : This would consist of the regular user name/password with a mobile app or SMS based second factor. The user provisioning in such a case could be really fast but SMS delays and internet connection availability on the phone could be infrastructure issues in adoption.

Identity based access to information is the key to the value of IRM systems and there are many threats to identity today starting with simple SQL injection to globally co-ordinate service based attacks. The recent breaches of information from Sony and even failure of the second factor (RSA: SecureID Data) further online need to have stricter measures for validating identities.

In case of the user identity being compromised or malicious users sharing identities, the critical information of the enterprise can still be protected by using multi-factor authentication mechanism along with IRM. By allowing information to be optionally locked down to physical machines the most common needs of multi factor authentication system can easily be served.

Seclore and its partners regularly advise customers on their IRM requirements so please do not hesitate to contact us.

Criteria for evaluating IRM technology – Part 4 of Many - Identity infrastructure support

This is a multi-part blog entry on important criteria based on which enterprises must evaluate rights management technologies before investing significant amounts of time and money.

Please note that not all criteria might be important for any given enterprise so you will have to pick and choose the ones which are important, give appropriate weight-ages and then decide on the best technology.

To view all the blog posts in this series please go to http://blog.seclore.com and then select "IRM evaluation" from the tag list.

Identity Infrastructure support

IRM technology's effectiveness is dependent on the effectiveness of the underlying identity framework which is used to identity the creators and consumers of information. This is of course a good and bad aspect i.e. If the underlying identity gets compromised then there is a potential breach of even IRM protected information .. On the other hand the linkage to underlying identity infrastructure means that identity management could be centralized.

This criterion for evaluation of IRM technology is critical from an adoption perspective.

There are various methods by which an identity of the creator and consumer within an IRM system can be established. Lets list down the various methods in order of increasing maturity i.e.

1. Crudest way : Creation of a fresh identity for the IRM system itself : This is the crudest mechanism of managing identity for the IRM system in which all users of the IRM system would effectively be forced to create a new identity. The identity creation process could be "managed" i.e. a referral / approval system could be followed for creating / approving identities.

2. Less crude way : "Public" providers of identity without verification : In this method the identity of an individual is the one povided to him by a third party identity provider like Open ID, Google, Facebook or Yahoo. The common factor amongst all these identity providers is that they are all "unverified" identities i.e. None of these identity providers actually verify the identity of the individual before creating a user for him / her. In effect there is nothing which prevents Tom Moody from creating a login in the name of Barack Obama on any of these identity providers. Establishing a "trust" relationship with an identity system managed by a different enterprise also falls within this category.

3. Mature way but with some "holes" :"Public" providers of identity with verification : In this method the identity of the individual is the one provided to him by a third party identity provider but this identity provider actually does some kind of verification. Mobile phone numbers & digital signatures are examples of identities where there is some element of verification (in most countries) albiet by a third party. This "verification" will prevent Tom Moody from getting a digital signature in the name of Barack Obama and also will also prevent his mobile phone number from being listed in Mr. Obama's name. The good way of establishing identity in this manner is that this identity is trusted by the "government" and therefore legally irrefutable.

4. Mature way : Private identity establishment using an existing "external" system in use by the enterprise : Most enterprises today already interact with "external" entities like vendors (vendor / e-tendering portal), customers (customer portal / online banking system), partners, auditors, lawyers, board members etc. using some transactional / workflow system. The IRM system could use the identity already established by these systems so that the creator / consumer does not need to remember / manage another identity and is able to interact with the enterprise using the identity that he already has. The underlying transactional / workflow systems already have some method of verification and therefore this system of identity management is fairly mature. There are also existing processes in most enterprises for managing the identities within these systems and therefore there is no overhead of identity management due to the IRM system.

5. Mature way : Private identity establishment using an existing "internal" system in use by the enterprise : This is similar to the previous method except that in this case the system is largely internal facing i.e. for employees. The most dominant example of this is Microsoft Active Directory and other similar identity infrastructures. In most cases there are existing processes for managing the identities within this system and therefore again there is no process overhead due to the IRM system.

A good IRM system should

1. Allow different methods of establishing identities
&
2. Provide flexibility to the enterprise to change the identity infrastructure at a later point of time

In most cases a combination of multiple methods of establishing identities needs to be used. In typical scenarios the identity infrastructure requirement will look as follows :

Example 1
1. For employees : Microsoft AD (Should support forest, trusted relationships, sub-domains etc.)
2. For vendors : Vendor portal
3. For customers : Creation of identity based on email addresses

Example 2
1. For employees : Using Lotus Notes identity system (Directory Server)
2. For customers : Online banking system
3. For temporary consultants and auditors : Creation of identity based on email addresses

Overall the need for having a built in identity federation framework within the IRM system is critical to ease the adoption of IRM technology.

Seclore and its partners regularly advise customers on their IRM requirements so please do not hesitate to contact us for any such requirements.

Criteria for evaluating IRM technology – Part 3 of Many - Format and application support case study 2 -

This is a multi-part blog entry on important criteria based on which enterprises must evaluate rights management technologies before investing significant amounts of time and money.

Please note that not all criteria might be important for any given enterprise so you will have to pick and choose the ones which are important, give appropriate weight ages and then decide on the best technology.


To view all the blog posts in this series please go to http://blog.seclore.com and then select "IRM evaluation" from the tag list.

Format	Application(s) used internally	Application(s) used externally
Doc / docx	Microsoft Office 2007, 2010	Microsoft Office XP, 2003, 2007, 2010 Open Office / Free document readers
Xls / xlsx	Microsoft Office 2007, 2010	Microsoft Office XP, 2003, 2007, 2010 Open Office / Free document readers
Ppt / pptx	Microsoft Office 2007, 2010	Microsoft Office XP, 2003, 2007, 2010 Open Office / Free document readers
PDF	Adobe PDF reader	Adobe PDF reader, Foxit PDF reader
Email	MS Outlook	MS Outlook, Lotus Notes, Gmail, Hotmail, many others, ...
Drawing / CAD	Numerous AutoDesk products Numerous Siemens PLM products Pro/E from PTC	Numerous AutoDesk products Numerous Siemens PLM products Pro/E from PTC Many other CAD tools

The above is a complex problem and one that is not easily answered by any present IRM
technology.

For the non design formats and applications the criteria remains the same as previous with the exception of MS Exchange replacing Lotus Notes. For the design applications and formats however the list of formats and applications runs into tens. The enterprise in such a case needs to carefully evaluate the requirements.

If the main purpose of the IRM technology is to protect regular business communication and the security of design documents can be ignored then this requirement goes away. If the security of design documents is critical without which the IRM technology itself is rendered useless then one of two options exist i.e.

1.Insist on no change in the present business process which will only allow evaluation of technologies which support all (four in this case) technologies used for designing i.e. AutoDesk, Siemens & PTC.

OR

2. Accept a slight change in the business process where if any design needs protection (before it is sent to an external entity for example) then it gets converted into a predefined "standard" format e.g. DWG / DWF / 3D PDF or JT. Conversion of the design into a "standard" format will, almost always mean some change in business process but this will make the " high jump bar" for IRM technology come down significantly and might be the only option.

For email however the same criteria persists i.e. any technology which is dependent on the recipient's email infrastructure is likely to fail. Since the organization itself is using MS Exchange email, a dependency on internal email system might be OK but not the external email system.

The requirement for format and application support therefore become :

1. Application - MS Office (All versions), Open Office (or another free reader for office documents), Adobe PDF reader, MS Exchange email (should not force the recipient to have any particular messaging system), Adobe 3D PDF reader OR free DWF / DWG reader OR free JT reader.

2. Formats - doc / docx / xls / xlsx / ppt / pptx / pdf / MS Echange email / DWG + DWF OR JT

OR 3D PDF

As always, the more uncompromising the criteria, the lesser number of choices you might have in the IRM technology and the higher may be the cost.

3.This is a small but very important exercise in the evaluation of IRM requirements for any enterprise but our recommendation is that every enterprise do this exercise before considering an IRM system deployment.

Seclore and its partners regularly advise customers on their IRM requirements so please do not hesitate to contact us for any such requirements.

Criteria for evaluating IRM technology – Part 2 of Many - Format and application support case study 1 -

This is a multi-part blog entry on important criteria based on which enterprises must evaluate rights management technologies before investing significant amounts of time and money.

Please note that not all criteria might be important for any given enterprise so you will have to pick and choose the ones which are important, give appropriate weight-ages and then decide on the best technology.



To view all the blog posts in this series please go to http://blog.seclore.com and then select "IRM evaluation" from the tag list.

Continuing from our previous blog post , here is an analysis of the format and application support requirements for a large financial services group.

Format	Application(s) used internally	Application(s) used externally
Doc / docx	Microsoft Office XP, 2003, 2007, 2010	Microsoft Office XP, 2003, 2007, 2010 Open Office / Free document readers
Xls / xlsx	Microsoft Office XP, 2003, 2007, 2010	Microsoft Office XP, 2003, 2007, 2010 Open Office / Free document readers
Ppt / pptx	Microsoft Office XP, 2003, 2007, 2010	Microsoft Office XP, 2003, 2007, 2010 Open Office / Free document readers
PDF	Adobe PDF reader	Adobe PDF reader, Foxit PDF reader
Email	Lotus Notes	MS Outlook, Lotus Notes, Gmail, Hotmail, many others, ...
Images	Usually just MS Paint	Not important

In such a case the format list if small but the list of applications which render these formats within and outside the enterprise is widespread. Any technology which (1) Does not support ALL version of MS Office and Open Office OR (2) does not provide a method to access IRM protected information otherwise is likely to fail in this scenario. Adobe PDF reader appears to be universal PDF access method in this case. For email however there is a problem again where any technology which is dependent on the recipient's email infrastructure is likely to fail.

Since the organization itself is using Lotus Notes email, a dependency on internal email system
might be OK but not the external email system.

The requirement for format and application support therefore become :

1. Application - MS Office (All versions), Open Office (or another free reader for office documents), Adobe PDF reader, Lotus Notes email (should not force the recipient to have any particular messaging system)

2. Formats - doc / docx / xls / xlsx / ppt / pptx / pdf / Lotus Notes email

This is a small but very important exercise in the evaluation of IRM requirements for any enterprise but our recommendation is that every enterprise do this exercise before considering an IRM system deployment.

Seclore and its partners regularly advise customers on their IRM requirements so please do not hesitate to contact us for any such requirements.

Criteria for evaluating IRM technology – Part 1 of Many - Format and application support

This is a multi-part blog entry on important criteria based on which enterprises must evaluate rights management technologies before investing significant amounts of time and money.

Please note that not all criteria might be important for any given enterprise so you will have to pick and choose the ones which are important, give appropriate weight-ages and then decide on the best technology.

To view all the blog posts in this series please go to http://blog.seclore.com and then select "IRM evaluation" from the tag list.

Format and application support

IRM technology is, in all cases, dependent on formats and applications. There are multiple cases of IRM technologies claiming to be format and application agnostic however these almost always come with one of the two caveats :

1. The technology will convert or “print” all formats into one single, typically proprietary and typically un - editable format.

OR

2. The technology will enforce restrictions on the methods of collaboration that can be used i.e. no sharing by email OR you have to upload it into our server.

Typically both.

For the purpose of this post the format agnostic technologies are not considered.

One of the most important criterion for selecting an IRM technology is whether the technology supports most of the formats and applications which are in dominant use within your extended enterprise now and in the near future.

Please note that for this criterion do not restrict yourself to looking only within the enterprise. Protected information is likely to reach external stake holders like vendors, customers, partners, auditors, lawyers, board members, ... and therefore it is important to make sure that the technology supports not only those formats & applications which are used within the enterprise but those which are used to communicate with and by external entities. In case there is no uniformity in applications used within and outside of the enterprise then there has to be a non intrusive and free option for external stakeholders to be able to access protected information.

In most cases a matrix which looks something like follows is useful :

Format	Application(s) used internally	Application(s) used externally
Doc / docx	Microsoft Office XP, 2003, 2007, 2010	Microsoft Office XP, 2003, 2007, 2010 Open Office
Xls / xlsx	Microsoft Office XP, 2003, 2007, 2010	Microsoft Office XP, 2003, 2007, 2010 Open Office
Ppt / pptx	Microsoft Office XP, 2003, 2007, 2010	Microsoft Office XP, 2003, 2007, 2010 Open Office
PDF	Adobe PDF reader	Adobe PDF reader, Foxit PDF reader
Email	MS Outlook, Lotus Notes	MS Outlook, Lotus Notes, Gmail, Hotmail, ...
Images	Various	Various
Drawings	AutoCAD, Solidedge, ….	AutoCAD, Solidedge, ….
...	...	…

In the following blog posts we will look at specific cases of companies and what this exercise revealed for them.