R-MaaS: Rights Management as a service?
I participated in a panel session this week at the Cloud Computing Summit in Washington D.C. sponsored by the 1105 Government Information Group. Over the course of the day, there was a healthy debate being waged about exactly when and how government agencies should deploy cloud applications. Some postulated that the cloud was merely a marketing term for hosted services that had been around for years, while others believed that significant technology advances such as virtualization make today’s cloud computing deployments something altogether different and more valuable. One point that drew no debate was that the number one concern for both commercial and government customers regarding cloud deployments is security. Part of this debate focuses on whether or not applications that house PII or other highly sensitive information should ever be deployed in a cloud infrastructure due to the assumed lack of control. This topic triggered some thoughts about another way security and the cloud are coming together quickly today: deploying Enterprise security software in the cloud as a managed service.
Perhaps we’ll coin the term R-MaaS for now, Rights Management As A Service. There are many layers of security that need to be built into a cloud infrastructure, from physical security, to access controls, firewalls, and even encryption for archived data at rest. But this concept is using the power of the cloud to actually deploy security tools such as LiveCycle Rights Management, which provides persistent document protection regardless of whether the recipient is internal or external to the organization, regardless of the document type (PDF, CAD, or Microsoft Office) and regardless of where the documents ultimately travel (at rest in storage or file systems, in motion over email or to the web, or in use on laptops or removable media devices). LiveCycle Rights Management as a Managed Service has already garnered a lot of interest as all of the features available on premise are also available in the cloud. This includes the ability to protect documents both inside and outside the firewall via free, widely available Adobe Reader for PDF, support for strong user authentication including VPN access for internal employees and a variety of PKI based authentication mechanisms for identity federation across organizations. It also includes the ability to expire or dynamically revoke documents, link users automatically to the latest versions, or even provide anonymous access to particular documents as a way to track how documents are being consumed.
Some of these capabilities customers have been using since 2003, but now in 2010, we have added this new deployment option that not only brings rights management to the cloud, it’s actually rights management in the cloud. LiveCycle Managed Services is our new cloud deployment option for LiveCycle that allows customers to deploy software in a simple annual subscription pricing model that includes all hardware, software, maintenance, upgrades, and 24/7 monitoring of the system. We still work with a customer’s internal IT and security resources to help build out the appropriate security policies, but the mundane tasks of maintenance and upgrades are performed by Adobe. Besides all the benefits that come with a fully managed service, deployment times can be accelerated from weeks down to a couple of days or less. This allows you to get the application up and protecting documents quickly for the business without the costly delays associated with approvals, hardware and software procurement, and installation.
Now getting back to the original concerns at this week’s conference about relinquishing control of sensitive information to the cloud… LiveCycle Rights Management deployed as a Managed Service circumvents these objections through an elegant architecture that never needs to house sensitive documents in the cloud itself. In fact, only the document policies and associated keys are stored in the cloud; the documents remain in the organization’s datacenter, within their control. Keys are passed back and forth from the Rights Management server sitting in the cloud to allow user access based on the document policies. So what started as an interesting philosophical discussion about whether or not applications which transact sensitive information should leverage a cloud computing architecture ends with the notion that some of these concerns can actually be mitigated by none other than the cloud.
Adobe released updates of all of the LiveCycle components when we released our “ES2” version in November 2009. As a part of this we made some significant strides to expand how you can integrate our product suite into other directory, identity management, and authentication systems.
I’d like to take this opportunity to explain some of what is new, as well as show you several videos that go into each area in more depth.
Third, several customers have asked us to query one directory for user information, but integrate with a second instance for high performance authentication. We’ve listened and now support this — more info:
Finally, all of our web- and Flex-based components now support SAML-based federated identity for authentication. Technically, this means that LiveCycle is substantially more flexible in terms of the Single-Sign-On (SSO) and authentication facilities that can be used. In practice this means that it is very easy for you to integrate LiveCycle into your processes for interacting with customers and engaging with citizens without deploying additional identity provisioning or management software. More info:
Today McAfee announced the availability of a new joint offering with Adobe called the McAfee Data Protection Suite for Rights Management. This joint solution combines the classification capabilities from McAfee’s Host Data Loss Prevention (DLP) product with persistent protection from LiveCycle Rights Management ES. The joint value proposition allows customers to discover and classify sensitive information on laptops or desktops and automatically and proactively protect it from a single, uniform policy. This will significantly reduce the cost, complexity, and risk associated with sensitive IP and compliance information located on endpoints throughout the enterprise.
This is the result of a global alliance partnership between Adobe and McAfee, previously announced September 28, 2009, aimed at offering more comprehensive security to our Enterprise customers.
Learn more about the new offering available now from McAfee here. Please contact your local McAfee or Adobe sales representative for more in-depth information or to schedule a demo of the solution.
Here are some links to the latest statements by Adobe, McAfee, and iDefense concerning reports of cyberattacks this past week. Additional information will be available on these links should new information become available.
Managing information risk is a complex business these days, especially when you look at (1) the range of information you need to protect, (2) the breadth of risks you need to mitigate, and (3) the management policies and tools available to today’s IT security professionals to protect that information. However:
“A well-realized information risk management strategy has other benefits [beyond security]: enhanced business agility, competitiveness, efficiency and cost savings.”
In other words, you can’t do without it!!
The problem? According to Deloitte, on average, only half of the companies surveyed in their annual Global Security and Privacy Survey had formal security policies or strategies. Not a great foundation on which to build risk management!
I wrote a recent article in Security Products magazine which confronts these challenges head-on, and provides some tips on navigating the “mind-boggling” task of information risk management.
Jim King, PDF Architect, senior principal scientist at Adobe and one of the key drivers behind the PDF format and its adoption and continuing development by ISO as a standard (ISO 32000), recently delivered a keynote presentation to the ISSE (Information Security Solutions Europe) 2009 Conference in The Hague, Netherlands. He discussed the evolution of the PDF format and standard, and spent most of his talk introducing the new PAdES signature standard and what it encompasses.
During that conference, Jim sat down with Roger Dean, executive director of eema UK, for a conversation about PDF, the need for digital signatures, challenges of communicating the benefits of digital signatures, and finally a description of the PAdES standard. This interview is now available below (and here)…enjoy!
On October 13, 2009, Adobe released critical updates to Acrobat and Reader. All users are recommended to update their systems to these releases as soon as possible.
“Click on this…” Adobe’s eSubmissions Solution Accelerator Shows Off Click-thru Approvals & Signatures
Electronic signatures come in many shapes and sizes, and for a long time, Adobe has been primarily associated with three of those sub-types—digital signatures, certification signatures, and handwritten eSignatures based on solutions from our Security Partner Community—due to our comprehensive coverage of, and capability for, those technologies. However, customers and partners do not often associate us with click-thru approvals and electronic signatures, where a user authenticates to a website, reviews a document, and then is allowed to approve or reject said document with a simple click of a button.
Actually, Adobe has supported this capability for some time within our LiveCycle ES product line, but the capability was spread across components that can prepare documents for review (PDF Generator, Output, Reader Extensions, Forms), move documents along a workflow (Process Management), present documents for review, comment, and approval (Workspace), and then sign (Digital Signatures) and archive (Content Services) or further process those documents for storage, submission, etc.
The challenge of piecing together these components was not lost on Adobe, and last year we started working on Solution Accelerators–sample code and tooling that brings together task-oriented building blocks composed of LiveCycle components. More than a proof-of-concept, but less than complete production code, Solution Accelerators can be used by a customer or systems integrator to bring projects to fruition in a much shorter timeframe, while providing for flexibility in the final implementation.
The eSubmissions Solution Accelerator, released this Spring, shows how LiveCycle can be used to present documents for review, commenting, & approval in parallel or serial workflows, and incorporates the capability to not only sign with traditional digital signatures or handwritten electronic signatures, but also via authenticated click-thru approvals and server-side signing and certification functions. Download the demonstration video here. Unlike other click-thru solutions on the market, this Solution Accelerator shows the breadth and depth of Adobe’s offering, providing for compliance with electronic signature regulations around the world.
While this Solution Accelerator was designed for the biopharmaceutical market, it can easily be repurposed for contract approvals, financial services transactions, and the like—this is one of the benefits of the Solution Accelerator approach. Moreover, eSubmissions demonstrates Adobe’s intent to provide users with a best-in-class experience when it comes to electronic documents and workflows. There’s no longer any reason to print an electronic document just for review and signature…Adobe provides a one-stop shop for a full range of electronic signature and approval capabilities.