Security Matters

Live Webcast: Information Assurance - Keeping Your Documents Secure

2008-10-13T22:25:28Z

Join us for this LIVE Event on:
Wednesday, October 29, 2008
12:00 PM PT / 3:00 PM ET

The need to keep your organization's business critical information confidential by restricting distribution and preventing unauthorized disclosure of this information is imperative. Discover how Adobe Acrobat 9 can help protect your organization’s sensitive information by helping provide document control and security, addressing issues such as encryption, document authenticity, passwords, redaction, and sanitization/metadata removal. Join John Landwehr as he covers best practices on Security and Information Assurance.

More information and registration is available here.

Come One, Come All...

2008-09-30T18:16:06Z

...to the E-Signatures '08 Conference, scheduled for November 12-13, 2008, at the Omni Shoreham hotel in Washington, DC. This conference, organized by the Electronic Signatures and Records Association, features compelling presentations from industry experts on the leading business, legal, and technology topics surrounding e-signatures, and prominently highlights several case studies.

Included in these case studies, Adobe customers will describe how electronic signature solutions involving products from Adobe and our Security Partner Community have improved their internal workflows and, in turn, saved them significant amounts of money, time, and resources. You can expect to hear from:

John Hannan, Chief Information Security Officer, U.S. Government Printing Office
Kay Bross, Senior PKI Specialist, Information Security & Solutions, Procter & Gamble
Thomas Niman, Director, Business Operations & Systems Integration, Snap-on Credit LLC

In addition, conference attendees will learn about government and insurance industry views on e-signatures; legal, regulatory & standards updates; and finally how the new administration might affect the future of e-signature policy. For an updated agenda, keep checking here.

Sign up this week! Early bird registration ends Monday, October 6th.

Tags:e-signature,conference,ESRA,adobe customers,electronic signature,digital signature

Rights Management within LiveCycle Content Services

2008-09-30T14:00:00Z

This past summer Adobe released the LiveCycle ES Update 1 release. This include LiveCycle Content Services ES, a fully integrated set of content services that enables organizations to "manage content in a lower-cost, extensible way for cross-company and cross-organizational processes". LiveCycle Rights Management ES is a core part of this offering, and allows organizations to include content protection as a part of these cross-organizational processes.

Each "space" within Content Services can be seen as a folder to hold sub-spaces or content. These spaces can be associated with business rules and security -- including various access control rights as defined by LiveCycle Rights Management ES.

It's easy for business users to interact with these spaces because content can be added in several different ways; for example: using the Web UI, FTP, CIFS, or WebDAV. Adding security is a breeze because the act of adding content can be associated with an automatic trigger that can protect the content with Rights Management. For example, an administrator can create a trigger to associate the "Confidential" policy for general documents, or the "Mergers & Acquisitions" policy for content being stored for the M&A team.

In today's blog entry we show off a simple example of how:

An administrator can create a rule to automatically protect all content with a specific predefined policy.

An end user can upload a document to be automatically protected.

A recipient can open a protected document within the Content Services repository.

Click on the following screenshot of LiveCycle Content Services for a brief tour of this functionality:

Guest Contributor: Neerav Aggarwal

Questions or feedback on this entry? Contact us at RMFeedback@adobe.com
Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at http://www.adobe.com/go/rm or by contacting Adobe

Adobe Presenting at Security Automation Conference

2008-09-22T05:40:35Z

On Wednesday September 24, 2008 John Landwehr from Adobe will be providing an overview of Digital Rights Management at the 4th Annual IT Security Automation Conference at NIST - Gaithersburg, MD.

A copy of the keynote presentation is available here as a 5MB PDF download.

DIRECTV NFL Sunday Ticket Supercast protected by Adobe products

2008-09-09T21:04:00Z

DIRECTV and Adobe announced that the NFL SUNDAY TICKET SUPERCAST is powered by Adobe's video solution with content protection.

DIRECTV is also providing SUPERCAST as a downloadable rich Internet application (RIA) built on Adobe AIR. Adobe AIR offers a new way to engage customers on the desktop with a downloadable, branded RIA that can be deployed across major operating systems. The SUPERCAST application on AIR provides a wide variety of real-time NFL SUNDAY TICKET content right on the desktop as games stream live in high-quality H.264 video, including Red Zone channel’s live-action of critical plays, statistics and moments from game broadcasts, as well as near real-time highlights from all the games. Additionally, only in the SUPERCAST application on Adobe AIR can fans receive desktop notification alerts when requested highlights become available. SUPERCAST is available at www.directv.com/supercast.

Content is streamed live via Adobe Flash Media Server software to the browser using Adobe Flash Player technology, which is installed on more than 98 percent of Internet-connected computers, and to the desktop via Adobe AIR. DIRECTV also uses Adobe Flash Media Rights Management Server software for digital rights management (DRM) to protect the NFL premium on-demand content downloaded to the desktop. Adobe Flash Media Server is helping enable DIRECTV to stream content more securely and cater to large volumes of fans with rapid, reliable delivery of exciting content. Adobe Flash Media Rights Management Server is a robust on-demand content protection solution that is non-intrusive to users, yet can allow DIRECTV to safeguard media integrity, authenticity and access, whether SuperFan subscribers are online or offline, even after the content has been viewed.

Scientific American Article on Improving Online Security

2008-09-09T20:55:41Z

Adobe recently participated in an industry roundtable on Improving Online Security. The transcript has been published in the September 2008 issue of Scientific American, page 96 and on their website.

John Landwehr from Adobe and representatives from Hewlett Packard, Kaiser Permanente, McAfee, Microsoft, Panda Security, Sun, and Symantec discussed ways to protect against more numerous and sophisticated attacks by hackers and called for upgraded technology along with more attention to human and legal factors.

Leveraging Data Loss Prevention (DLP) with Rights Management

2008-09-08T14:59:41Z

Data Loss has been a hot topic for years now as companies continue to lose sensitive information and are required by law to disclose the breach to customers. In fact, the Ponemon Institute reported that 85% of there survey respondants had experienced a data breach at one point or the other. The fact is that we are in the middle of a data security crisis, one which needs to be solved not by stovepiped security products, but via a solutions approach to limit risk and establish control. One of the markets/products that is becoming an important part of a comprehensive data security solution is commonly known as Data Loss Prevention (DLP).

DLP technologies are very good at providing classification and segmentation of data into raw buckets based whether they are considered high, medium, or low impact to the business. These technologies are less effective, however, in the areas of active enforcement of the data since they typically focus on either blocking or encrypting information in somewhat of a binary fashion, based on the information itself, without significant context for the users or identities involved. In fact, most DLP deployments today are being used in passive mode to discover and monitor "hot spots" and understand where there may be broken business processes in place that may one day lead to data breach.

An effective way to develop a solutions approach to data loss prevention is to utilize Rights Management technology in concert with DLP to provide and extend protection persistently based on the identity of the recipient or group of recipients. This will effectively marry the classification policy (from DLP) with the enforcement policy (from Rights Management) to provide more effective and seamless protection. With Adobe Livecycle RIghts Management ES, this process can be automated by setting up watched folders or email workflows to streamline enforcement of sensitive information as it is being discovered by DLP products. Over time, these products will become more tightly integrated using APIs to build a information-centric policy management framework upon which data governance decisions can be made and implemented from executives down through the lines of business to IT.

Setting Signature Trust in Adobe Reader & Adobe Acrobat – Part Two – “The How – Manual Trust Settings”

2008-08-29T23:03:38Z

In part one of this series, I discussed the three essential questions that Adobe products ask in regards to electronic signatures: (1) is the signature credential in good standing; (2) has the document changed since it was signed, and (3) has the relying party trusted the signer. This third question is the one that is oftentimes left to the user or organization to answer, due to the unique circumstances of any particular situation. Today we’ll discuss how users can set up that trust and provide the third leg of the tripod in the intrinsic valdiity of an electronic signature.

Signature credentials are trusted in Adobe products through the establishment and installation of trust anchors and trusted identities. Trust anchors are typically root certificates—certificates at the top of the hierarchy from which other certificates are derived. Trusted identities can be any certificate, even an end-entity, or user, certificate. In any case, in order to pass validation, the signing certificate must either be a trust anchor (root) or be chained to (derived from) that root.

We’ll cover in this post the 3 ways an individual user can set trust in Adobe products.

]]> User Trust Setting #1: The Signature Dialog Box

This is the most straightforward method: a user receives a signed document from an individual who has not been previously trusted by the user. The user opens the document with Adobe Acrobat or Reader, right-clicks on the signature, chooses Show Signature Properties and then Show Certificate. By clicking on the Trust tab within that dialog box, the user can select Add to Trusted Identities to select whether the credential will be trusted for standard approval signatures and/or certification (publishing) signatures.

User Trust Setting #2: Trust Manager

In this method, a user may already have a number of certificates in hand or available (via email, for example) from approved signers and wishes to add them to the Trusted Identity list. The user clicks on the Advanced menu and then chooses Manage Trusted Identities. The user can then simply add or request ‘contacts’ (certificates) and go on to edit that trust.

User Trust Setting #3: Certificate Store (Windows)

In order to best serve the purposes of web browsing, operating system and browser vendors have created lists of trusted identities (SSL certificates) to enable more secure transactions online. Users of Adobe products have the option to allow the software to trust all of the certificates in the Windows Certificate Store, though this option is not selected by default. Why? Adobe believes the store casts too wide a net, and trusts a large number of both high and low assurance certificates, thereby introducing unnecessary risk into a document signing scenario. The rise of the enhanced validation (EV) SSL certificate also highlights this problem.

Despite these concerns, some users may still wish to enable this option. Within the Edit menu, select Preferences, and then Security. Click on the Advanced Preferences button, and then on the Windows Integration tab. The user can then choose to either trust certificates in the Store for validating standard signatures and/or certification signatures.

For more detailed information on these options, be sure to check out this link:

Acrobat & Reader Security Documentation

Tags:electronic signature,digital signature,trust,validity,acrobat,reader,trust settings

Setting Signature Trust in Adobe Reader & Adobe Acrobat – Part One – “The Why”

2008-08-28T16:20:18Z

A few months ago, I wrote about the nature of assurance in electronic signatures and how aspects like authentication, audit, and integrity add to the trust you place in a signature.

When we consider electronic signatures, recognize that there are typically two parties to the transaction: the author / signer and the recipient, or relying party. The signer’s role is obvious. The relying party, on the other hand, is the one who is in the position to accept the signature and therefore the signer’s approval of the terms or nature of the signed document. When faced with an electronic signature, the relying party must be aware (or have resources he/she can turn to, such as a lawyer) of three intersecting zones of validity—legal, contractual, and intrinsic—and how Adobe products can assist.

]]> First, signature validity is provided by national, regional and local legislation, as well as industry regulations. E-Sign and the EU Signature Directive at the national level, UETA at the regional / local level, and industry standards like MISMO, NAVA, and SPeRS, all are informative as to an electronic signature’s standing.

The second category is that of contractual validity. Organizations may jointly accept each other’s electronic signatures via contract and thus impart additional validity to those signatures. As an example, the SAFE-BioPharma initiative among pharmaceutical and life sciences companies has as its backbone a strong business contract that stipulates each member will trust other members’ digital signatures and accept them as legally valid. SAFE members can therefore easily rely on each other’s signatures without worry.

Adobe products cannot provide specific feedback on these first two aspects of trust and assurance. Adobe Reader can be found on practically every computer in the world and thus Adobe can’t be aware of every single law, regulation, or contractual relationship a user may be subject to—we have to leave the lawyers something. But, Adobe products can provide clear guidance on that most important aspect of electronic signatures, the signature’s intrinsic validity.

Adobe products like Acrobat, Reader and LiveCycle ES Digital Signatures ask three questions of an electronic signature:

Is the signature credential valid and in good working order?

Is the digital certificate in good standing? Has it expired? Has it been revoked?

Has the document been altered since it was signed?
- Integrity checking. Has the document been changed? What’s been changed, if so? Is it an authorized change (another signature, for example)?
Is the signer trusted by the relying party?

The answers to these questions remain critically important no matter whether a signature is governed by legislation or established in a contractual relationship. The first two questions are handled behind the scenes by Adobe products through industry standard cryptographic protocols. The third question, however, is, by its very nature, answered by the relying party, based on their knowledge of relationships the organization may have, business colleagues, etc.

Adobe products cannot answer this question in most circumstances. Adobe understands that the relying party must be free to make their own trust decisions based on their own unique circumstances. If Adobe were to trust every signature credential, users might accept signatures from false identities or trust documents that should not be trusted in the first place. However, as you’ll read later in this series, Adobe has been looking at ways to help relying parties make this determination since 2005, and will be announcing an even more comprehensive approach starting later this year.

Next time, though, I’ll cover how a relying party can trust a signer from a user perspective.

Tags:electronic signature,digital signature,valdiity,assurance,trust settings acrobat,reader,livecycle

Adobe MAX Awards 2008 is now accepting nominations!!

2008-08-27T19:33:54Z

Adobe Security Customers,

I wanted to be sure the group was aware of the 2008 MAX Awards. These customer recognition awards showcase some of our best customer projects developed around the globe over the past year.

This year we will award projects in 6 categories: Advertising & Branding, Enterprise, Mobility and Devices, Public Sector, Rich Internet Application, and Video. Most of our security nominations are typically in the Enterprise and Public Sector categories.

The top three finalists in each category will be invited to attend MAX North America in San Francisco, where we will announce the winner, as well as the People's Choice award winner. All finalists will receive complimentary admission to MAX.

All submissions must be received online at by September 12th, 2008, so be sure to submit your Adobe Security project today! https://www.Adobemaxsubmission.com/submission

For more information or to see last year's finalists and winners please Click Here

]]> Here is the link to submit a nomination:

https://max.adobe.com/na/experience/#?s=5&p=0

Adobe Secured Customer Showcase: Allgaier Automotive GmbH

2008-08-21T18:37:40Z

Read about how Allgaier Automotive is using Livecycle Rights Management ES to improve communications of and collaboration on complex 3D design models.

http://www.adobe.com/cfusion/showcase/index.cfm?event=casestudydetail&casestudyid=510844&loc=en_us

Flexibility in identifying and authenticating users – Part Two

2008-08-18T22:00:00Z

LiveCycle Rights Management ES provides four fundamental types of authentication to the end-user: anonymous authentication, username/password authentication, Kerberos SSO authentication, and Smart card/Certificate authentication. These enable out-of-the-box deployment into a variety of authentication infrastructure, along with allowing for substantial mechanisms for customization and integration. As promised in part one, today's topic is a deep dive on smartcard/certificate authentication and the benefits to customers.

Smart card / Certificate authentication

The fourth type of authentication that LiveCycle Rights Management ES supports is smart card, or certificate-based authentication. For some customers, this form of authentication is often more secure than the other forms of authentication supported. To understand how it works in LiveCycle Rights Management ES and the benefits it provides, however, requires some background and context.

A smart card, in its most well-known form, is a credit card-sized ‘intelligent card’ that carries user’s credentials in the form of Digital Certificates. Many variants today also possess processing capabilities like the ability to compute Digital Signatures. A smart card is a something-you-have type of authentication, as compared to Username/Password which is something-you-know.

A Digital Certificate, often just referred to as Certificate, is a digital document that at a minimum includes a Distinguished Name (DN) and an associated Public Key. The DN uniquely identifies a user’s identity, and the public key can be used to prove that identity. The Certificate is signed by a trusted third party known as Certificate Authority (CA). The CA vouches for the authenticity of the certificate holder. This Public Key Infrastructure (PKI) assumes the use of Public Key Cryptography, which is the most common method on the Internet for authenticating end parties or encrypting messages. PKI overcomes the significant flaws in the traditional cryptography or the symmetric cryptography, and at the same time provides added security by having strict requirements for key lengths and industry standard cryptographic algorithms (set forth by Public Key Cryptography Standards or PKCS, and governed by RSA Laboratories).

At the time of authentication, LiveCycle Rights Management ES validates the chosen Certificate’s signature against its cache of known and trusted CA certificates. The server verifies the Certificate, validates the Digital Signature, and finally maps this Certificate to a unique user through the rules an administrator creates when configuring LiveCycle. LiveCycle Rights Management ES also provides for flexibility and easier enterprise integration by providing server-based “SPIs,” which can be used to develop custom certificate authentication providers.

Many enterprises and governments today employ smart card based authentication, not only for its enhanced security but also for its ease of deployment and use for end users. For example the United States Department of Defense issues Common Access Cards (CAC cards) which can be used for secure user identification. These CAC cards can be used within LiveCycle Rights Management ES to authenticate users who are opening protected documents. A user would insert his card into a smart card reader on his machine to identify himself. These readers are available in a variety of form factors and can be connected to a computer using USB or PC card interface – and are integrated into many laptops today, such as the Dell Latitude line of business laptops.

To give you a better idea of how easy it is for an end user to authenticate to LiveCycle Rights Management ES using a smart card, click on the following demo:

Guest Contributor: Chaitanya Atreya

Questions or feedback on this entry? Contact us at RMFeedback@adobe.com

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at http://www.adobe.com/go/rm or by contacting Adobe

Additional Resources on Electronic Signatures and the Law

2008-08-17T20:11:56Z

This entry is part of our continuing educational series, “What is an Electronic Signature, Anyway?” (Parts 1, 2, 3 and 4)

Disclaimer. This blog entry is not intended to provide legal advice. You should discuss issues relating to the use of electronic signatures in your business with your own legal counsel and compliance officers.

Two months ago we discussed here the nature of the legal environment surrounding electronic signatures. I’d like to point out some additional resources that can expand your knowledge of the subject.

• Within the EU context, Law Professor Dr. Jos DuMortier, director of the Interdisciplinary Centre for Law and ICT at the Catholic University of Leuven (K.U. Leuven) in Belgium, and a well-known authority on the intersection of law with information technology, has published and/or contributed to a large number of whitepapers and articles on the subject of electronic signatures. This whitepaper from October 2007 describes how digital signatures created with PDF documents and the Belgian eID can be granted valid, legal status.

• Just last week, the American Bar Association published an impressive book entitled, “Foundations of Digital Evidence,” which covers, as you might have guessed, the implications, nature, and changes that digital evidence has wrought upon legal systems around the world. Adobe’s own Ed Chase, a Solutions Architect and one of our electronic signature gurus, contributed a critical chapter on PDF and its impact on the subject, providing details about how the features of PDF and digital signatures can support legal requirements for electronic records.

Partners working with partners...working with Adobe

2008-08-14T19:46:23Z

Partners are critical to everything we do in the security space, and we are very proud of the best-of-breed Community we have fostered in order to best create solutions based on Adobe’s capabilities and customized to each customer’s needs.

With that in mind, we’re always extremely pleased to see cooperation among our many security partners so that they can also mutually leverage their capabilities which in the end is all the better for our own customers.

One of our partners, Communication Intelligence Corporation (CIC), a key electronic signature industry player, recently announced a partnership with 4Point Solutions, one of our foremost LiveCycle systems integrators, to promote closer integration of their technologies.

And ARX, Inc., a security partner offering a convenient , virtually plug-and-play CA and signing appliance, CoSign, announced relationships (here and here) with two of our Certificate Authority partners, GlobalSign and ChosenSecurity,to provide more complete and easy-to-deploy solutions around these two companies’ digital ID offerings.

So, how do these new relationships benefit Adobe’s customers? CIC’s relationship with 4Point means that customers deploying LiveCycle will have more electronic signature options on the table. With ARX, customers looking to speed workflows with digital signatures can deploy the ARX CoSign product, centrally storing user signing credentials from GlobalSign or Chosen Security, both leading certificate authorities in their own right.

“The train has left the station!” - Electronic Signatures in the Real World

2008-08-14T17:55:53Z

This entry is part of our continuing educational series, “What is an Electronic Signature, Anyway?” (Parts 1, 2 and 3.)

In June, at an event at the National Press Club, Jerry Buckley, Founding Partner at the Buckley Kolar law firm in Washington DC, as well as Counsel to the Electronic Signatures and Records Association (ESRA), an organization devoted to promulgating the use of electronic signatures & documents and educating the public & industry on those matters, stated that the “train had left the station” when it came to electronic signature usage around the world. As the demand for more fully electronic workflows becomes more pronounced, especially given the meteoric rise in gas, and thus shipping, prices, as well as an increasing desire on the part of enterprises and organizations to ‘go green,’ electronic signatures will become even more ubiquitous.

]]> Buckley and Margo Tank, also a Founding Partner at Buckley Kolar, together provided compelling examples of this movement:

“This year marks a significant turning point in the adoption of electronic signatures...
• eMortgages up six-fold in last year
• $12 billion in electronic automobile finance contracts have been consummated and over $2 billion of these have been securitized, reflecting acceptance by the capital markets
• Billions of dollars in student loan transactions signed electronically
• Of relevance to our environment, the Government Printing Office estimates that it saves 20 tons of paper and roughly 480 trees by electronically distributing just one annually published document, the National Budget, electronically signed”

In parallel with the press event, ESRA also released a newsletter containing information on several key signature deployments. Two of these (US Government Printing Office and Procter & Gamble are Adobe customers who have used the universally deployed nature of Reader and PDF, combined with Adobe’s powerful LiveCycle Enterprise Suite software, to save money and accelerate and improve their signature workflows in combination with key security partners.

But the examples do not end there. Here are some other organizations that have revolutionized their business processes using various electronic signature methods combined with Adobe products:

• Snap-On Credit: “We're impressed by the ease of integrating CIC and Adobe solutions into our processes. Already, we are looking to automate more forms processes, making it even faster and easier for franchisees to conduct business." – Thomas Niman, Snap-on Credit, LLC

• Astra Zeneca : “’Due to the enthusiastic response from users signing regulatory documents, we are looking for opportunities to leverage the existing solution for digitally signing documents in other areas,’ says Rich Ware, one of the project team leaders.” – Bio-IT World, July 2008
• Speaking of SAFE, be sure to check out this Adobe blog post on the use and deployment of digital signatures within SAFE environments.

• Land Title & Survey Authority of British Columbia: "One law firm informed us they saved $6000 per month. Plus, the stress level is lower because there are fewer delays and errors in processing paperwork. Acrobat and Adobe Reader software are ideal for government agencies that want to streamline document processes by using electronic forms and digital signatures." - Denis Thomas, technical architect of the Electronic Filing System at the Land Title & Survey Authority

• Kane County Circuit Court: "The automated process built around Adobe LiveCycle software is dramatically faster than our previous manual workflows. Within approximately sixty seconds of having a judge sign the document, an order of protection arrives at the sheriff's office for input into the national wanted persons database. Overall, we've seen as much as a five-fold improvement in the time it takes to complete, submit, and process orders of protection." - Matt Meyer, programmer at the Circuit Court Clerk's office

We’ll continue to shine light on other real world electronic signature deployments in future posts.