Author Archive: Jonathan Herbach

BPI Philosophy

There are times when the demands of an intellectual property owner are at odds with the desires of an intellectual property recipient or user. First and foremost, IP owners want to make sure that their sensitive information remains sensitive, such that the "right" information is available only to the "right" people. As authors, they specify who is entitled to open content to view, modify, print, etc. Recipients may be surprised to discover that they are not entitled to print or modify protected content, particularly if in the past they were able to, in spite of expressed intent or legal restrictions in place.

In cases where these two conflict, our philosophy is to favor the intellectual property owner and his intent, as security is more important than convenience. We do, however, wish to provide users with the best experience possible. We understand that to be effective security must be straightforward and seamless.

Accordingly, we have developed a philosophy of prioritizing "Block, Prevent, and Inform." It is most important for our Rights Management solutions to block actions prohibited by the author. In addition, we aim to prevent users from attempting to perform operations that are blocked. For example, we disable menu items that are blocked. Finally, we want recipients to understand what restrictions are in place and why, and so we have mechanisms in place to inform them.

Here is an example of how we inform users of what is and is not allowed. Within our LiveCycle Rights Management ES Extension for Microsoft Office, we include "security status" on the Office Ribbon bar to provide context for the protections in place.


Questions or feedback on this entry? Contact us at RMFeedback@adobe.com

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at http://www.adobe.com/go/rm or by contacting Adobe

Rights Management within LiveCycle Content Services

This past summer Adobe shipped the LiveCycle ES Update 1 release. This includes LiveCycle Content Services ES, a fully integrated set of content services that enables organizations to "manage content in a lower-cost, extensible way for cross-company and cross-organizational processes". LiveCycle Rights Management ES is a core part of this offering, and allows organizations to include content protection as a part of these cross-organizational processes.

Each "space" within Content Services can be seen as a folder to hold sub-spaces or content. These spaces can be associated with business rules and security — including various access control rights as defined by LiveCycle Rights Management ES.

It’s easy for business users to interact with these spaces because content can be added in several different ways; for example: using the Web UI, FTP, CIFS, or WebDAV. Adding security is a breeze because the act of adding content can be associated with an automatic trigger that can protect the content with Rights Management. For example, an administrator can create a trigger to associate the "Confidential" policy for general documents, or the "Mergers & Acquisitions" policy for content being stored for the M&A team.

In today’s blog entry we show off a simple example of how:

  1. An administrator can create a rule to automatically protect all content with a specific predefined policy.
  2. An end user can upload a document to be automatically protected.
  3. A recipient can open a protected document within the Content Services repository.

Click on the following screenshot of LiveCycle Content Services for a brief tour of this functionality:

Guest Contributor: Neerav Aggarwal



Flexibility in identifying and authenticating users – Part Two

LiveCycle Rights Management ES provides four fundamental types of authentication to the end-user: anonymous authentication, username/password authentication, Kerberos SSO authentication, and smart card/certificate authentication. These enable out-of-the-box deployment into a variety of authentication infrastructures, while also allowing for substantial customization and integration. As promised in part one, today’s topic is a deep dive on smartcard/certificate authentication and the benefits to customers.

Smart card / Certificate authentication

The fourth type of authentication that LiveCycle Rights Management ES supports is smart card, or certificate-based, authentication. Many customers consider this form of authentication more secure than the other forms supported, because the credential is a private key that cannot be guessed or disclosed the way a password can. To understand how it works in LiveCycle Rights Management ES and the benefits it provides, however, requires some background and context.

A smart card, in its most well-known form, is a credit card-sized ‘intelligent card’ that carries the user’s credentials: a private key, which the card keeps inside its tamper-resistant chip, and the matching Digital Certificate. Most variants today also possess processing capabilities, such as computing Digital Signatures on the card itself so that the private key never has to leave it. A smart card is a something-you-have type of authentication, as compared to a username/password, which is something-you-know; because the card is normally unlocked with a PIN, the two factors are combined.

A Digital Certificate, often just referred to as a Certificate, is a digital document that at a minimum binds a Distinguished Name (DN) to a Public Key. The DN identifies the user, and the holder of the matching private key can prove that identity, for example by signing a challenge the server sends. The Certificate is signed by a trusted third party known as a Certificate Authority (CA); the CA vouches that the named subject really holds the key. This Public Key Infrastructure (PKI) rests on public key cryptography, the most common method on the Internet for authenticating end parties and exchanging encryption keys. Public key cryptography solves the key distribution problem of symmetric cryptography: the secret (the private key) never has to be shared with the party that verifies it. The formats involved, such as certificates, certificate requests and key containers, follow industry standards including X.509 and the Public Key Cryptography Standards (PKCS) published by RSA Laboratories.

At the time of authentication, LiveCycle Rights Management ES first checks that the chosen Certificate chains to one of the CA certificates in its store of known and trusted CAs, then verifies the Digital Signature the card produced (which proves the client holds the private key, not merely a copy of the public certificate), and finally maps the Certificate to a unique user through the rules an administrator creates when configuring LiveCycle. A practitioner will also want revocation checking (CRL or OCSP) in that path, since the certificate on a lost or stolen card remains cryptographically valid until it expires. LiveCycle Rights Management ES also provides for flexibility and easier enterprise integration by providing server-based “SPIs,” which can be used to develop custom certificate authentication providers.
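The three server-side steps just described, as an added example in Go that is not code from the original post or from LiveCycle: it builds a small in-memory PKI (a trusted CA, a card certificate for the hypothetical user alice@example.com, and a self-issued look-alike certificate that names the same address), has the "card" sign a fresh server challenge, and then checks the chain, the proof of possession and the user mapping. The CA name, the e-mail address, the userDirectory mapping rule and the 24-hour validity are assumptions made for the example; Ed25519 keys are used for brevity, where real cards typically hold RSA keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical mapping rule, constructed for this example (a real server takes it from
// the administrator's configuration): the certificate's e-mail SAN names the account.
var userDirectory = map[string]string{"alice@example.com": "alice"}

// mint generates a key pair and a certificate for it: an issuing CA when isCA is set, else a
// card certificate for client authentication carrying the user's e-mail. Nil issuer = self-signed.
func mint(cn, email string, isCA bool, issuer *x509.Certificate, issuerKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, EmailAddresses: []string{email},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // a CA signs certificates and carries no end-user identity
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		t.EmailAddresses, t.ExtKeyUsage = nil, nil
	}
	if issuer == nil {
		issuer, issuerKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, issuer, pub, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildPKI constructs the in-memory test material: the CA the server trusts, alice's
// card certificate and key, and a self-issued look-alike that no trusted CA vouches for.
func buildPKI() (roots *x509.CertPool, user, rogue *x509.Certificate, userKey, rogueKey ed25519.PrivateKey, err error) {
	ca, caKey, err := mint("Example Corp Root CA", "", true, nil, nil)
	if err != nil {
		return
	}
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	if user, userKey, err = mint("Alice", "alice@example.com", false, ca, caKey); err != nil {
		return
	}
	rogue, rogueKey, err = mint("Alice", "alice@example.com", false, nil, nil)
	return
}

// newChallenge is the server's fresh random nonce; one per login attempt defeats replay.
func newChallenge() ([]byte, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return b, err
}

// cardSign stands in for the card: the private key never leaves it, only the signature does.
func cardSign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// authenticateCertificate is the server side: (1) the certificate must chain to a trusted
// CA and be valid for client authentication, (2) the challenge signature must verify under
// its key, proving possession of the private key, and (3) it must map to a known user.
func authenticateCertificate(roots *x509.CertPool, cert *x509.Certificate, challenge, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, challenge, sig) {
		return "", fmt.Errorf("challenge signature invalid: client does not hold the private key")
	}
	for _, email := range cert.EmailAddresses {
		if user, ok := userDirectory[email]; ok {
			return user, nil
		}
	}
	return "", fmt.Errorf("no user mapped to %q", cert.Subject.String())
}

func main() {
	roots, user, rogue, userKey, rogueKey, err := buildPKI()
	if err != nil {
		panic(err)
	}
	ch, _ := newChallenge()
	fmt.Println(authenticateCertificate(roots, user, ch, cardSign(userKey, ch))) // alice <nil>
	_, err = authenticateCertificate(roots, rogue, ch, cardSign(rogueKey, ch))
	fmt.Println("look-alike:", err) // look-alike: certificate not trusted: x509: certificate signed by unknown authority
}
```

Run it and the genuine card authenticates as alice, while the look-alike certificate, although it names the same e-mail address, is refused at the chain check before its signature is even examined. Two further failure modes worth exercising are a signature produced by a different key over the genuine certificate (fails proof of possession) and a signature captured earlier and replayed against a new challenge (fails because the nonce changed); both are rejected by the same function.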

Many enterprises and governments today employ smart card based authentication, not only for its enhanced security but also for its ease of deployment and use for end users. For example, the United States Department of Defense issues Common Access Cards (CACs), which can be used for secure user identification. These cards can be used within LiveCycle Rights Management ES to authenticate users who are opening protected documents: a user inserts his card into a smart card reader on his machine and unlocks it with his PIN to identify himself. Readers are available in a variety of form factors and can be connected to a computer using a USB or PC Card interface, and they are integrated into many laptops today, such as the Dell Latitude line of business laptops.

To give you a better idea of how easy it is for an end user to authenticate to LiveCycle Rights Management ES using a smart card, click on the following demo:

Guest Contributor: Chaitanya Atreya



Protecting native Office documents

On June 17th Adobe announced an expansion of the LiveCycle Enterprise Suite with our forthcoming LiveCycle ES Update 1 release. Included as a part of this release is the second version of our LiveCycle Rights Management ES Extension for Microsoft Office. This release expands our support to include the ability to protect, and collaborate in, natively protected Word documents, Excel spreadsheets and PowerPoint presentations. Further, we support all editions of Office 2003 and Office 2007 localized natively into English, French, German, and Japanese.

Click on the following screenshot to watch a short Captivate demo of our native support for PowerPoint presentations:

The software is now available for download from http://www.adobe.com/go/getrmextensions for use with your LiveCycle Rights Management ES system.



Emerging Technology: Audit Dashboard

LiveCycle Rights Management can help you maintain the confidentiality of sensitive information by protecting files against unauthorized access. You can also monitor each recipient’s use of the protected information, including when and how often the file is accessed, through detailed audit logs.

The detailed audit logs are accessible through our Web-based GUI, as well as programmatically through a set of APIs. One of our engineers was recently learning how to develop Adobe AIR applications, and decided to use these APIs to create a new audit dashboard application for examining audit data. We’re starting to explore ways to release this application in the future, but I wanted to share a preview of it with you. We’re looking for feedback, so feel free to send an email to the address at the end of the Captivate video.

Click on the following screenshot to watch the preview:


The benefits of rights management

Adobe recently published a whitepaper that highlights some of the features and benefits of using Rights Management. It provides a variety of anonymous case studies showcasing how LiveCycle Rights Management ES can be applied across industries to minimize risk while increasing the effectiveness of communication.

Highlights of the case studies include:

  • Using the authentication SDK to allow custom integration with third-party authentication systems. Leveraging customers’ existing non-LDAP authentication infrastructure reduced the cost to deploy and ensured the solution was non-disruptive.
  • Policy-based control enabling flexibility in document usage via seven-day leases and IP address restrictions.
  • Using the authorization SDK for native PLM integration, thereby extending the boundary of PLM control to documents regardless of whether they are on laptops, on file servers, or in email.
  • Helping to ensure only the most recent document version is available, regardless of distribution.
  • Secure offline access: viewing protected documents on a laptop with no network access. Authorized users can view only the latest versions of documents while on planes or in the field.
  • Smart card authentication: using multifactor authentication to increase security in high-risk environments.
  • Watermarking: ensuring printed documents carry the employee’s name and the time of printing, to keep employees honest and to provide a trail of activity.
  • Audit SDK: viewing document access usage log data and performing trend analysis.

You can find the paper here.



LiveCycle Rights Management ES supports native Pro/ENGINEER documents

In early 2008 PTC shipped Pro/ENGINEER Wildfire 4, their integrated solution for 3D CAD/CAM. As announced when the two companies formed their relationship last year, PTC and Adobe have worked together to integrate Adobe LiveCycle Rights Management ES directly into Pro/ENGINEER, providing native CAD document protection. Sold as the Pro/ENGINEER Rights Management Extension, this solution works exclusively with Adobe LiveCycle Rights Management ES, allowing designers to provide persistent and dynamic access control to Pro/ENGINEER part, assembly, and drawing files.

Adobe’s latest release, LiveCycle Rights Management ES Update 1, provides additional functionality for Pro/ENGINEER customers wishing to manage and track iterated versions of protected parts and assemblies. These extensions enable designers to ensure that suppliers are instantly updated to the latest version of a design, decreasing the pain of mismatched versions when designing products sourced from multiple organizations.

Click on the following screenshot of Pro/ENGINEER for a brief tour of the functionality:



Flexibility in identifying and authenticating users – Part One

Rights management is used to manage usage rights to protect sensitive documents, ensuring that only authorized users have access to protected information. At its core, this is dynamic protection based upon user identities. To facilitate this, the system must know which individual users should have access to secured content.

Flexibility in identifying and authenticating users ensures that protection can be transparently integrated into preexisting infrastructure, and is central to effective deployment. The benefits should be clear: fast deployment, easy administration, and a quick return on investment.

LiveCycle Rights Management ES provides four fundamental types of authentication to the end-user: anonymous authentication, username/password authentication, Kerberos SSO authentication, and Smartcard/Certificate authentication. These enable out-of-the-box deployment into a variety of authentication infrastructure, along with allowing for substantial mechanisms for customization and integration.

In today’s topic, let me explain some of the possibilities and benefits associated with the first three authentication types:

Anonymous authentication

This type of authentication completely skips identifying the end-user! By granting “guest-level” access to content, end-users need not authenticate prior to being authorized to open content. This allows several workflows:

  1. Authors can distribute content and still control it through the “yank and replace” revocation mechanism. For example, an author can distribute a price sheet or a data capture form and make sure that only the latest version of the content can be viewed.
  2. Even though individual end-user identity is unknown, authorization can be controlled based upon IP address or the number of times content has been viewed. Further, detailed (though anonymous) audit records can keep track of how frequently documents are opened.

Username/password authentication

This is typically the most familiar authentication dialog within LiveCycle Rights Management ES:

[Image: RMLogin.jpg, the LiveCycle Rights Management ES username/password login dialog]

This dialog is the gateway to the powerful “username/password” authentication; it provides out-of-the-box functionality to authenticate users against a variety of directory systems, as well as create a custom integration with other credential providers.

For example, you can authenticate users against supported LDAP directories (e.g., Microsoft Active Directory, Sun Directory Server, IBM Domino LDAP, Novell eDirectory, etc.) that you already have deployed. But there’s no need to limit yourself to LDAP users. We provide two out-of-the-box mechanisms for managing user accounts for customers without existing directory infrastructure: “invited users” and “local users”. Think of these accounts as being stored “locally” within our own built-in directory. Administrators can manage these accounts using our built-in APIs and GUI, and the facility exists for end-users to quickly and easily provision their own accounts.

In all these cases, the end user simply enters his username and password upon opening a document and the server automatically queries the relevant system to verify credentials and further authorize the user. If the administrator chooses to allow it, the end user can also instruct the client to remember his credentials, which will securely cache credentials and not bother him to authenticate for subsequent documents. For many customers, this can enable an inexpensive form of “Single Sign-On” (SSO), since end users would see an authentication dialog at most once, and likely forget they are opening protected content.

This authentication type, however, is much more flexible than basic username/password integration with directory services. We can enable integration with any credential system that traffics in two user-entered strings. This is because LiveCycle Rights Management ES can dynamically customize this authentication dialog, and because a customer can develop a custom authentication provider integration via the server-based “SPIs”.

For example, some of our financial industry customers have leveraged their existing account management infrastructure, allowing their customers to authenticate via their existing account number and PIN to their policy-protected banking statements. Others have used these SPIs to integrate with one-time password (OTP) systems to enable multi-factor authentication.

Kerberos SSO authentication

Those customers who want the ultimate “transparent integration” with existing authentication infrastructure can choose to enable Kerberos-based single sign-on (SSO). This is an outstanding option for those who feel that “clicks ‘R’ bad”, and never want to be impacted with an authentication dialog.

Because end users never see an authentication dialog when opening a protected document, and frequently forget they are accessing protected content, they often think of this authentication type as “magic.”

Based upon technology built into Microsoft Windows clients and Microsoft Active Directory on the server, Kerberos SSO lets the LiveCycle Rights Management ES client reuse the logon session the end user already established on his machine: the client obtains a Kerberos service ticket for the Rights Management server from Active Directory and presents it to the server, so the user’s password is never re-entered and never sent to the Rights Management server.

Next time: A deep dive on smartcard/certificate authentication and the benefits to customers.



Delegating control over policy definition and usage with “Policy Sets”

One question that often comes up with customers is “how can my large, distributed organization effectively delegate and manage access control?” Our answer is “policy sets”, a feature introduced in LiveCycle Rights Management ES.

The “Policy Sets” feature allows administrators to delegate who can create and manage shared policies. It also permits organizations to control which policies each individual or workgroup can use. Allowing decentralized management enables customers to more effectively ensure their intellectual property is protected.


[Image: RMPolicySet.jpg, the Policy Sets administration screen]

This short video goes through the functionality in more depth.
