Author Archive: jcarione

New state laws affect encryption practices

Nevada and Massachusetts have been in the process of enacting new state laws that target businesses and individuals who own, license, store, or maintain Personally Identifiable Information (PII) about a state resident. Many other states already have these guidelines in place. PII is defined as a combination of the person's name and another unique identifier such as SS#, driver's license, or financial account number.

In Nevada, S.B. 347 went into effect on October 1, 2008. This law specifically prohibits businesses in Nevada from transferring personal information through electronic transmission unless it is encrypted. This regulation even affects those companies that do business in Nevada but are headquartered elsewhere.

In Massachusetts, 201 CMR 17 is set to go into effect on May 1st, 2009. The law was initially set to go live on January 1, 2008, but has been extended to May in light of the economic crisis. This law is somewhat broader than Nevada in that it requires that any resident PII stored in laptops or removable storage devices be encrypted in addition to information transmitted over network and wireless connections. It also requires organizations to develop a security program, use updated firewall systems, enforce limits on the amount and length of time PII is retained, and allow access to sensitive PII only as necessary to perform job responsibilities. Even more detailed requirements include a need for documented security policies, prevention of terminated employees from gaining access to PII, and audit trails of employee access to PII.

Although penalties for non-compliance are not specified in either case, non-compliance may leave the business or individual exposed, for failing to provide a minimum level of security, if any legal action is taken subsequent to a data breach. We recommend that companies review their security procedures in light of these new requirements and take action, if needed. For those companies in less regulated industries, a full risk assessment may be appropriate if you are moving into uncharted waters about what technology options are available to reduce exposure.

Much of the debate has been whether to apply encryption at the infrastructure layer using disk or email encryption or to implement it at a finer grain. Technology such as Adobe LiveCycle Rights Management ES or client-based protection embedded in Adobe Acrobat provides this finer grain of protection aimed at protecting only the information assets considered most sensitive (such as PII). I believe each approach has its merit under certain circumstances, but LiveCycle Rights Management and Acrobat each provide the added benefit of security that travels with the information itself.

As an example, using Rights Management, if sensitive PII is located on a disk or removable media device and then gets transmitted over a network, it remains protected persistently throughout the process. Using encryption at the infrastructure layer involves greater coordination, more layers and resources, and a higher risk of failure if not implemented properly.

Also, when considering some of the detailed requirements of the Massachusetts regulations (along with similar requirements in other states) regarding terminated employees, Rights Management allows an organization to revoke access to PII once that person is no longer employed. It also provides a complete audit trail of what user actions were taken on a particular document that contained PII and can help map your governance objectives to actionable, enforceable security policies. Furthermore, within Content Management systems, it has the capability to create workflows that dictate when PII should be sent off to archive or even deleted.

Definitely explore all your options as you move towards improving your compliance posture with these new regulations, but do consider the advantages of a strategic strike versus a blanket approach to encryption.

Adobe Secured Customer Showcase: Government Printing Office (GPO)

Please read how the U.S. Government Printing Office has been using LiveCycle Digital Signatures ES to provide authenticity and integrity to public documents including the 2008 e-budget. Also learn how they were able to save over 20 tons of paper and $1 Million over 5 years by bringing antiquated paper-based processes online in a secure way for citizens.

SecureWorld Expo Detroit Rewind

We had a fun trip earlier this month to the SecureWorld Expo show at the Ford Convention Center in Dearborn, MI. There was a good crowd on hand generating significant interest in our live demos of LiveCycle Rights Management ES with a specific focus on CAD support. Yours truly was interviewed on the spot, so if you couldn’t make it and would like to see what the booth and demo setup looked like (as well as hear a quick Adobe security elevator pitch under pressure) please click here. Thanks to the folks at for helping get the word out, the Booth Buzz concept is a good one….

There was also tremendous interest in the data security panel, where folks from Adobe, IBM, Symantec, and Websense, among others, had a lively exchange on the growing information-centric security market. A wide range of topics were discussed: from the benefits of risk assessment consulting services, to the need for wider adoption of information risk management strategies, to the continued importance of education and training in a security context. Thanks to all who helped make it a great show and we’ll see you at another SecureWorld event in your area soon.

Adobe at SecureWorld Expo Detroit – This Week!

Adobe will be participating in the SecureWorld Expo in Detroit at the Ford Conference and Event Center. Adobe representatives will be in the booth on Wednesday, November 5th and Thursday, November 6th from 9am – 3pm EST. Please stop by the booth where we will be giving live demos and discussing the benefits of Adobe LiveCycle Rights Management ES in a manufacturing context. Click for more details on the conference agenda and last minute registration.

As a bonus, I’ll be participating in a panel discussion titled “Data Protection – It’s All About the Data” on Thursday November 6th at 1pm EST. The session will be moderated by David Meunier, former VP/CISO, CUNA Mutual.
Please click for additional information and a list of presenters.

We look forward to you joining us in Detroit this week!!

Communicating the value of Adobe’s Information-Centric Security Solutions

We are excited to announce a new set of assets aimed at helping our customer community and ecosystem partners better understand the benefits and value that can be derived from Adobe’s Information-Centric security solutions. If you haven’t heard the term “Information-Centric” before, it’s not new, but it well represents the way Adobe technologies protect the confidentiality, integrity, and authenticity of information — natively within the information itself.

For LiveCycle Rights Management ES and LiveCycle Digital Signatures ES, please feel free to download and view a host of new collateral including:

New datasheets that provide an overview of the value proposition and specific areas where our solutions solve real customer problems:

LiveCycle Rights Management ES:

LiveCycle Digital Signatures ES:

There are also two new whitepapers. The first one, for Rights Management, is entitled "Delivering an Information Risk Management strategy across the heterogeneous enterprise" and is intended to describe the need to protect sensitive information consistently wherever it resides in the enterprise. This paper also outlines common use cases via customer anecdotes about how LiveCycle Rights Management ES is protecting the most widely used file types inside (and outside) the organization.

The second whitepaper is entitled "Electronic Signatures: Solution Scenarios for your Environment". This piece is intended to articulate the different electronic signature solutions offered by Adobe and help folks understand the pros/cons of each, so you’re best prepared to map the right electronic signature solution to your assurance level requirements.

Finally, there are also new updates to our website including updated customer success stories, in-depth pages, features and benefits pages, and a detailed supported formats page for Rights Management.

LiveCycle Rights Management ES:
LiveCycle Digital Signatures ES:

Leveraging Data Loss Prevention (DLP) with Rights Management

Data loss has been a hot topic for years now as companies continue to lose sensitive information and are required by law to disclose the breach to customers. In fact, the Ponemon Institute reported that 85% of their survey respondents had experienced a data breach at one point or the other. The fact is that we are in the middle of a data security crisis, one which needs to be solved not by stovepiped security products, but via a solutions approach to limit risk and establish control. One of the markets/products that is becoming an important part of a comprehensive data security solution is commonly known as Data Loss Prevention (DLP).

DLP technologies are very good at providing classification and segmentation of data into raw buckets based on whether they are considered high, medium, or low impact to the business. These technologies are less effective, however, in the areas of active enforcement of the data since they typically focus on either blocking or encrypting information in somewhat of a binary fashion, based on the information itself, without significant context for the users or identities involved. In fact, most DLP deployments today are being used in passive mode to discover and monitor “hot spots” and understand where there may be broken business processes in place that may one day lead to a data breach.

An effective way to develop a solutions approach to data loss prevention is to utilize Rights Management technology in concert with DLP to provide and extend protection persistently based on the identity of the recipient or group of recipients. This will effectively marry the classification policy (from DLP) with the enforcement policy (from Rights Management) to provide more effective and seamless protection. With Adobe LiveCycle Rights Management ES, this process can be automated by setting up watched folders or email workflows to streamline enforcement of sensitive information as it is being discovered by DLP products. Over time, these products will become more tightly integrated using APIs to build an information-centric policy management framework upon which data governance decisions can be made and implemented from executives down through the lines of business to IT.

Adobe MAX Awards 2008 is now accepting nominations!!

Adobe Security Customers,

I wanted to be sure the group was aware of the 2008 MAX Awards. These customer recognition awards showcase some of our best customer projects developed around the globe over the past year.

This year we will award projects in 6 categories: Advertising & Branding, Enterprise, Mobility and Devices, Public Sector, Rich Internet Application, and Video. Most of our security nominations are typically in the Enterprise and Public Sector categories.

The top three finalists in each category will be invited to attend MAX North America in San Francisco, where we will announce the winner, as well as the People’s Choice award winner. All finalists will receive complimentary admission to MAX.

All submissions must be received online at by September 12th, 2008, so be sure to submit your Adobe Security project today!

For more information or to see last year’s finalists and winners please Click Here


Adobe Secured Customer Showcase: Allgaier Automotive GmbH

Read about how Allgaier Automotive is using LiveCycle Rights Management ES to improve communications of and collaboration on complex 3D design models.