Archive for December, 2008

Digital Certificate Veteran Entrust Joins Certified Document Services (CDS) Program

Following on the heels of a number of successful customer deployments, Adobe is proud to welcome another respected organization to the CDS Program.  Entrust announced today they have joined the CDS Program and will begin offering certificates under its auspices in early 2009.  This will bring to five the number of CAs in the program, along with ChosenSecurity, GlobalSign, Keynectis, and VeriSign.

CDS makes creating and receiving authentic documents easier by not requiring a recipient to explicitly trust the author of the document.  CDS signatures automatically validate in Adobe Acrobat or Adobe Reader 6.0 and above, providing integrity and long-term assurance to electronic documents of record.  Providers involved in the CDS Program are required to meet stringent requirements for identity vetting, security, and operations.

According to Entrust’s President and CEO Bill Conner:

While electronic documents are an efficient method to do business, until recently they lacked the security necessary to be accepted for official enterprise use.  With the advent of this standard and the specialized certificates, organizations can be confident that electronic documents are authentic and have not been tampered with or altered.

Read more about CDS here.
To learn more about Adobe’s security partner ecosystem, visit the Adobe Security Partner Community!


New state laws affect encryption practices

Nevada and Massachusetts have been in the process of enacting new state laws that target businesses and individuals who own, license, store, or maintain Personally Identifiable Information (PII) about a state resident. Many other states already have these guidelines in place. Personally Identifiable Information (PII) is defined as a combination of the person's name and another unique identifier such as SS#, driver's license, or financial account number.

In Nevada, S.B. 347 went into effect on October 1, 2008. This law specifically prohibits businesses in Nevada from transferring personal information through electronic transmission unless it is encrypted. This regulation even affects those companies that do business in Nevada but are headquartered elsewhere.

In Massachusetts, 201 CMR 17 is set to go into effect on May 1st, 2009. The law was initially set to go live on January 1, 2008, but has been extended to May in light of the economic crisis. This law is somewhat broader than Nevada's in that it requires that any resident PII stored on laptops or removable storage devices be encrypted, in addition to information transmitted over network and wireless connections. It also requires organizations to develop a security program, use updated firewall systems, enforce limits on the amount of PII retained and the length of time it is kept, and allow access to sensitive PII only as necessary to perform job responsibilities. Even more detailed requirements include a need for documented security policies, prevention of terminated employees from gaining access to PII, and audit trails of employee access to PII.

Although penalties for non-compliance are not specified in either case, non-compliance may expose the business or individual to liability for failing to provide a minimum level of security if any legal action is taken subsequent to a data breach. We recommend that companies review their security procedures in light of these new requirements and take action, if needed. For those companies in less regulated industries, a full risk assessment may be appropriate if you are moving into uncharted waters about what technology options are available to reduce exposure.

Much of the debate has been whether to apply encryption at the infrastructure layer using disk or email encryption or to implement it at a finer grain. Technology such as Adobe LiveCycle Rights Management ES or client-based protection embedded in Adobe Acrobat provides this finer grain of protection, aimed at protecting only the information assets considered most sensitive (such as PII). I believe each approach has its merit under certain circumstances, but LiveCycle Rights Management and Acrobat each provide the added benefit of security that travels with the information itself.

As an example, using Rights Management, if sensitive PII is located on a disk or removable media device and then gets transmitted over a network, it remains protected persistently throughout the process. Using encryption at the infrastructure layer involves greater coordination, more layers and resources, and a higher risk of failure if not implemented properly.

Also, when considering some of the detailed requirements of the Massachusetts regulations (along with similar requirements in other states) regarding terminated employees, Rights Management allows an organization to revoke access to PII once that person is no longer employed. It also provides a complete audit trail of what user actions were taken on a particular document that contained PII and can help map your governance objectives to actionable, enforceable security policies. Furthermore, within Content Management systems, it has the capability to create workflows that dictate when PII should be sent off to archive or even deleted.

Definitely explore all your options as you move towards improving your compliance posture with these new regulations, but do consider the advantages of a strategic strike versus a blanket approach to encryption.

News from Adobe’s Security Partner Community: Significant GlobalSign Customer Announcements Buoy CDS Program

Since its induction into the Adobe Certified Document Services (CDS) Program, GlobalSign has been very busy working to build a customer base eager to leverage the native trust and assurance that CDS brings to any recipient opening a CDS digitally signed PDF document in Adobe Acrobat or Reader 6.0 and above.  That work has paid off in three separate customer announcements this year, including one just released today:

  • December 8, 2008: In partnership with Adobe and SafeNet, GlobalSign today announced the success of the Antwerp Port Authority project.  This port is the second largest in Europe and the fourth largest in the world.  Looking to save time and money by eliminating paper invoices, and required by law to provide for the integrity and authenticity of the resulting electronic invoices for value-added taxes (VAT), the Port of Antwerp deployed a solution combining:
    • LiveCycle ES document generation and digital signature servers;
    • DocumentSign CDS digital certificates from GlobalSign; and
    • SafeNet hardware security modules (HSMs) to protect the signing keys themselves.

    “We’ve seen a marked increase in the number of projects across the whole of Europe in recent months as the worldwide economic climate causes enterprises both large and small to re-evaluate their invoicing processes to drive down costs and remain competitive.  DocumentSign is not only a cost effective and easy solution for businesses to use, but is also compliant with European e-VAT legislation.”  - Steve Roylance, Business Development Director, GlobalSign

  • May 2008: At the annual National Notary Association conference, GlobalSign announced the positive results of a pilot undertaken with the UK Notaries Society in which the cost efficiency and legal admissibility of eNotarization performed with GlobalSign CDS credentials was well-documented.
  • May 2008: Bodycote, a leading provider of testing and thermal processing services, announced that it had selected GlobalSign’s DocumentSign program, based on CDS credentials, to certify its test data and reports.  With this solution Bodycote can provide results to its clients in PDF form, confident in both the accuracy and integrity of the data contained within.

    “DocumentSign services our security requirements but is also instantly deployable and very scalable – essential factors for rolling out a solution that can be easily understood by every person in the reliance chain.  For our clients’ customers, they simply open the test results in [R]eader.”  - Alan Slater, Head of IS & IT Architecture, Bodycote


Flexibility in identifying and authenticating users

We’ve received a bunch of good feedback lately on some of our explanations and demonstrations of the authentication types supported in LiveCycle Rights Management. We adapted some of these posts into a technical article within the LiveCycle Developer Center on Adobe’s web site. You can read it here: http://www.adobe.com/devnet/livecycle/articles/rm_authentication.html

Adobe Secured Customer Showcase: Government Printing Office (GPO)

Please read how the U.S. Government Printing Office has been using LiveCycle Digital Signatures ES to provide authenticity and integrity to public documents, including the 2008 e-budget. Also learn how they were able to save over 20 tons of paper and $1 million over 5 years by bringing antiquated paper-based processes online in a secure way for citizens.

http://www.adobe.com/cfusion/showcase/index.cfm?event=casestudydetail&casestudyid=533433&loc=en_us

Acrobat 9 and password encryption

Based on some recent online discussion of Acrobat 9 and password encryption, we’re posting to provide a quick summary on what has changed, how it impacts the overall security of PDF documents, and Adobe’s commitment to providing high-assurance document security implementations.

Continue reading…