Posts in Category "Rights Management"
Today Bentley Systems announced their alliance with Adobe to integrate rights management with ProjectWise and AssetWise for architecture, engineering, construction (AEC) and operations workflows. Rights management already supports native PDF and Office formats, and this integration will provide support for additional formats in these markets. This includes the ability to control who can open a document, specify what they can do with it, as well as track what has been done with it. This content-centric security also supports expiration, revocation, and version control at the file level.
Now available for free on the Apple App Store and the Android Market, Adobe Reader 10.1 brings to your favorite mobile devices the same best-in-class PDF viewing experience you’re used to on the desktop. This latest release is our first for iOS devices, and shows Adobe’s commitment to provide the most compelling mobile experiences on the most popular platforms. With each new version, Adobe is bringing to mobile those capabilities that users on the go find most important, like text search, easy page navigation, bookmarks, and printing.
Key among the new features in Adobe Reader 10.1 for Mobile is support for opening files secured by Adobe LiveCycle Rights Management. LiveCycle Rights Management protects sensitive documents by encrypting them with industry-standard AES encryption and managing their access permissions centrally on a server. Because the protection travels with the file, it persists even when a document is accidentally forwarded by email, copied to a cloud service, or saved on a mobile device that is later lost.
If you have sensitive information to protect and distribute, PDF is a good option to consider. Adobe Reader may well be the most widely distributed crypto-enabled application from any vendor: Adobe has shipped PDF encryption since version 2.0 in 1994, across numerous desktop and mobile platforms, so there is a good chance your intended recipients will be able to open an encrypted PDF. Today, in 2011, PDF supports the FIPS-approved AES-256 algorithm and provides a number of advanced capabilities.
Another advantage of PDF's built-in encryption is that it is integrated into the file itself rather than wrapped around it. The document's strings and streams are stored encrypted, so wherever the file goes, whatever the storage or transport, it stays protected. Common alternatives such as PGP, ZIP, and S/MIME envelope the content: once the envelope is opened the plaintext is written out and the protection is gone, leaving the content open to accidental or malicious redistribution.
There are three main ways to encrypt a PDF file:
- Password encryption
- Public Key Infrastructure (PKI) encryption
- Rights Management
Password encryption relies on a password shared between the publisher and all recipients. The publisher chooses a phrase such as “No1Kn0w$” to encrypt the document, and each recipient enters the same phrase to decrypt it. To resist brute force and dictionary attacks, use long, complex passwords that mix upper case, lower case, digits, and symbols; song lyrics, poetry, and other long phrases make good source material. Because every recipient holds the same secret, the password has to be delivered out of band, and any one recipient can pass it on, so this method offers no per-recipient accountability.
PKI encryption provides greater protection by adding digital certificates and asymmetric cryptography. Each recipient has a key pair (up to RSA 4096) and publishes their public-key certificate. When encrypting, the publisher's computer generates a random symmetric key (up to AES-256), encrypts the content with it, and then encrypts a copy of that symmetric key to each recipient's public key; the wrapped keys are stored in the document alongside the encrypted content. To open the document, a recipient's computer uses their private key to decrypt their copy of the symmetric key and then decrypts the content. Adding a recipient therefore means wrapping the same content key once more, not re-encrypting the document. When the private key is kept on a token (USB, CAC, PIV, eID), opening the document becomes two-factor: it requires the token and the PIN that unlocks it.
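The hybrid scheme described above, as an added example that is not code from the original post or from Adobe: the content is encrypted once under a random AES-256 key, that key is wrapped to every recipient's RSA public key, and each recipient unwraps their own copy with their private key. It uses only the Go standard library. The `Protected` structure, the OAEP label, and the three recipients are constructed for illustration and are not the PDF file format's actual encryption dictionary or CMS envelope; the example also uses AES-GCM so that tampering with the ciphertext is detected, which the post does not discuss.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Recipient models one reader of the document. The publisher only ever
// needs Key.PublicKey (the certificate); the private half stays with the
// recipient, ideally on a token.
type Recipient struct {
	Name string
	Key  *rsa.PrivateKey
}

// NewRecipient generates a fresh key pair. 2048 bits keeps the example
// fast; the scheme is identical with the RSA 4096 keys the post mentions.
func NewRecipient(name string) (*Recipient, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Recipient{Name: name, Key: k}, nil
}

// Protected is a stand-in for an encrypted document (not the real PDF
// structure): content encrypted under one random AES-256-GCM key, plus a
// copy of that key wrapped with RSA-OAEP for each recipient.
type Protected struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys map[string][]byte // recipient name -> wrapped content key
}

var oaepLabel = []byte("content-key") // hypothetical label; must match on both sides

// Protect is the publisher side: encrypt once, wrap the key once per recipient.
func Protect(plaintext []byte, recipients []*Recipient) (*Protected, error) {
	contentKey := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, contentKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	doc := &Protected{
		Nonce:       nonce,
		Ciphertext:  gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKeys: make(map[string][]byte, len(recipients)),
	}
	for _, r := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &r.Key.PublicKey, contentKey, oaepLabel)
		if err != nil {
			return nil, fmt.Errorf("wrap key for %s: %w", r.Name, err)
		}
		doc.WrappedKeys[r.Name] = w
	}
	for i := range contentKey { // the publisher no longer needs the key
		contentKey[i] = 0
	}
	return doc, nil
}

// Open is the recipient side: unwrap our copy of the content key with our
// private key, then decrypt. A non-recipient, a wrong private key, or a
// tampered ciphertext all fail here.
func Open(doc *Protected, r *Recipient) ([]byte, error) {
	w, ok := doc.WrappedKeys[r.Name]
	if !ok {
		return nil, fmt.Errorf("%s is not a recipient of this document", r.Name)
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, r.Key, w, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap content key: %w", err)
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, doc.Nonce, doc.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt content: %w", err)
	}
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := NewRecipient("alice")
	bob, _ := NewRecipient("bob")
	mallory, _ := NewRecipient("mallory") // not on the recipient list
	doc, err := Protect([]byte("constructed sample: Q3 board minutes"), []*Recipient{alice, bob})
	if err != nil {
		panic(err)
	}
	for _, r := range []*Recipient{alice, bob, mallory} {
		pt, err := Open(doc, r)
		fmt.Printf("%-8s -> %q err=%v\n", r.Name, pt, err)
	}
}
```

Running it shows alice and bob recovering the plaintext and mallory being refused; adding a fourth recipient later only requires one more `rsa.EncryptOAEP` of the same content key, which is why the document body never needs to be re-encrypted.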
Rights Management was developed to integrate with enterprise authentication (AuthN) and authorization (AuthZ) infrastructure without requiring PKI. A Rights Management server ties into LDAP, Active Directory (AD), or other user databases to identify the community of users sharing a document, and can read groups of users from those same directories. An administrator creates a rights management “policy”, a reusable definition of how a class of documents is protected: which users or groups can open the document, what they can do with it, and how their use of it is tracked. These can be internal or external users, whether employees, partners, or consumers.

The publisher then selects a policy to protect a document. When a recipient opens it, the Acrobat/Reader client calls back to the server, which authenticates the user and then decides whether they are authorized to open the document. Beyond username/password authentication, the server can support Kerberos single sign-on (SSO), PKI authentication (which is distinct from the PKI encryption described above), OTP, and other custom methods. Because the decision is made on the server at open time, a document can also be expired, revoked, version-controlled, watermarked, and audited after it has been distributed.

Rights Management is a good fit for communities of users that already have authentication and authorization systems in place, whether for secure information sharing or for electronic statements to consumers. In addition to PDF, Rights Management can be applied to native Office and CAD documents. Stay tuned for news on rights management capabilities being available on smartphone and tablet devices in Fall ’11!
With all three methods, a protected document can also restrict printing, copying to the clipboard, and modification after it has been opened. These restrictions are enforced by the viewing application rather than by the encryption itself: once a recipient can decrypt the content, a conforming viewer honors the permission flags, but the flags do not make the plaintext unrecoverable.
These encryption capabilities can be applied ad hoc on the desktop with Acrobat, or as part of automated, structured workflows on a server.
Version X of Adobe Acrobat and Adobe Reader includes the RSA BSAFE Crypto-C ME 126.96.36.199 encryption module, which holds FIPS 140-2 validation certificate #1092. To enable FIPS mode in Acrobat and Reader X, which restricts document encryption and digital signatures to the FIPS-approved algorithms in that library (AES, RSA, SHA), see Section 6.1.11 of the Acrobat Digital Signature Admin Guide.
For information on FIPS compliance in Acrobat and Reader 9, see the earlier post on that topic.
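The open-time call-back described above, as an added example that is not code from the original post or from LiveCycle: a toy Rights Management server that binds documents to a policy, expands a user's group memberships (standing in for the LDAP/AD lookup), and evaluates revocation, expiry, and membership on every open, recording an audit line for each decision. The `Server`, `Policy`, and `Document` types, the sample policy, users and document IDs are all constructed for illustration and do not reflect LiveCycle's actual data model or API.

```go
package main

import (
	"fmt"
	"time"
)

// Policy is the reusable protection definition an administrator creates:
// who may open a document, what they may do with it, and when access ends.
type Policy struct {
	Name        string
	Principals  map[string]bool // user or group names allowed to open
	Permissions []string        // e.g. "open", "print", "copy", "modify"
	ExpiresAt   time.Time       // zero value means the policy never expires
}

// Document is all the server holds about a protected file: its policy
// binding and revocation state. The content stays with the users.
type Document struct {
	ID      string
	Policy  string
	Revoked bool
}

// Server is a hypothetical Rights Management server. groups stands in for
// the directory lookup that expands a user into their group memberships.
type Server struct {
	policies map[string]*Policy
	docs     map[string]*Document
	groups   map[string][]string
	Audit    []string // one line per decision, allow or deny
}

func NewServer() *Server {
	return &Server{policies: map[string]*Policy{}, docs: map[string]*Document{}, groups: map[string][]string{}}
}

func (s *Server) AddPolicy(p *Policy)                     { s.policies[p.Name] = p }
func (s *Server) SetGroups(user string, groups ...string) { s.groups[user] = groups }
func (s *Server) Protect(docID, policy string)            { s.docs[docID] = &Document{ID: docID, Policy: policy} }

// Revoke flips server-side state only; copies already in circulation are
// affected because every open goes back through Authorize.
func (s *Server) Revoke(docID string) {
	if d, ok := s.docs[docID]; ok {
		d.Revoked = true
	}
}

// Authorize is the call the client makes at open time. It returns the
// permissions the viewer should enforce, or an error explaining the denial.
func (s *Server) Authorize(docID, user string, now time.Time) ([]string, error) {
	doc, ok := s.docs[docID]
	if !ok {
		return s.deny(now, docID, user, "unknown document")
	}
	if doc.Revoked {
		return s.deny(now, docID, user, "document revoked")
	}
	p, ok := s.policies[doc.Policy]
	if !ok {
		return s.deny(now, docID, user, "policy missing")
	}
	if !p.ExpiresAt.IsZero() && !now.Before(p.ExpiresAt) {
		return s.deny(now, docID, user, "policy expired")
	}
	if !s.isPrincipal(user, p) {
		return s.deny(now, docID, user, "user not in policy")
	}
	perms := append([]string(nil), p.Permissions...) // copy so callers cannot edit the policy
	s.Audit = append(s.Audit, fmt.Sprintf("%s ALLOW doc=%s user=%s perms=%v",
		now.UTC().Format(time.RFC3339), docID, user, perms))
	return perms, nil
}

// isPrincipal matches the user directly or through any group the directory
// says they belong to.
func (s *Server) isPrincipal(user string, p *Policy) bool {
	if p.Principals[user] {
		return true
	}
	for _, g := range s.groups[user] {
		if p.Principals[g] {
			return true
		}
	}
	return false
}

func (s *Server) deny(now time.Time, docID, user, why string) ([]string, error) {
	s.Audit = append(s.Audit, fmt.Sprintf("%s DENY doc=%s user=%s reason=%s",
		now.UTC().Format(time.RFC3339), docID, user, why))
	return nil, fmt.Errorf("access denied: %s", why)
}

func main() {
	s := NewServer()
	// Constructed sample policy, users and document; none of this is real data.
	s.AddPolicy(&Policy{Name: "partner-readonly", Principals: map[string]bool{"partners": true, "dana": true},
		Permissions: []string{"open", "print"}, ExpiresAt: time.Date(2012, 1, 1, 0, 0, 0, 0, time.UTC)})
	s.SetGroups("erin", "partners")
	s.Protect("contract-17", "partner-readonly")
	t0 := time.Date(2011, 6, 1, 9, 0, 0, 0, time.UTC)
	s.Authorize("contract-17", "erin", t0)                  // allowed via the partners group
	s.Authorize("contract-17", "frank", t0)                 // not in the policy
	s.Authorize("contract-17", "dana", t0.AddDate(1, 0, 0)) // policy expired by then
	s.Revoke("contract-17")
	s.Authorize("contract-17", "erin", t0) // revoked, even though erin was allowed before
	for _, line := range s.Audit {
		fmt.Println(line)
	}
}
```

The order of checks matters: revocation and expiry are evaluated before membership, so a revoked document is refused even to a user the policy would otherwise admit, and the audit trail records the reason for every denial as well as every successful open.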
R-MaaS: Rights Management as a service?
I participated in a panel session this week at the Cloud Computing Summit in Washington D.C., sponsored by the 1105 Government Information Group. Over the course of the day there was a healthy debate about exactly when and how government agencies should deploy cloud applications. Some argued that “the cloud” is merely a marketing term for hosted services that have been around for years; others held that technology advances such as virtualization make today’s cloud deployments something altogether different and more valuable. One point nobody debated: for both commercial and government customers, the number one concern about cloud deployments is security. Part of that discussion was whether applications that house PII or other highly sensitive information should ever be deployed on cloud infrastructure, given the assumed loss of control. It prompted some thoughts about another way security and the cloud are coming together today: deploying enterprise security software in the cloud as a managed service.
Perhaps we’ll coin the term R-MaaS for now, Rights Management as a Service. A cloud infrastructure needs many layers of security, from physical security to access controls, firewalls, and encryption of archived data at rest. The idea here is different: using the cloud to deploy a security tool such as LiveCycle Rights Management, which provides persistent document protection regardless of whether the recipient is internal or external to the organization, regardless of document type (PDF, CAD, or Microsoft Office), and regardless of where the document travels (at rest in storage or file systems, in motion over email or the web, or in use on laptops or removable media). LiveCycle Rights Management as a managed service has already attracted a lot of interest because every feature available on premise is also available in the cloud. That includes protecting documents inside and outside the firewall through the free, widely available Adobe Reader; strong user authentication, including VPN access for internal employees and a variety of PKI-based mechanisms for identity federation across organizations; and the ability to expire or dynamically revoke documents, link users automatically to the latest version, or provide anonymous access to particular documents as a way to track how they are being consumed.
Customers have been using some of these capabilities since 2003, but now, in 2010, we have added a deployment option that not only brings rights management to the cloud but runs rights management in the cloud. LiveCycle Managed Services is our new cloud deployment option for LiveCycle: customers subscribe under a simple annual pricing model that includes hardware, software, maintenance, upgrades, and 24/7 monitoring of the system. We still work with the customer’s internal IT and security staff to define the appropriate security policies, but the routine work of maintenance and upgrades is performed by Adobe. Beyond the usual benefits of a fully managed service, deployment time drops from weeks to a couple of days or less, so the application is up and protecting documents quickly, without the delays of approvals, hardware and software procurement, and installation.
Returning to the concern raised at this week’s conference about relinquishing control of sensitive information to the cloud: LiveCycle Rights Management deployed as a managed service sidesteps that objection through an architecture that never needs to house the sensitive documents in the cloud at all. Only the document policies and the associated keys are stored in the cloud; the documents themselves remain in the organization’s datacenter, under its control. When a user opens a document, the client contacts the Rights Management server in the cloud, which evaluates the policy and passes back the key only if the user is authorized. One consequence worth stating plainly: the service holds the keys, so its own access controls and key protection are part of the trust boundary even though the documents never leave the customer. So what began as a philosophical discussion about whether applications that handle sensitive information should use a cloud architecture ends with the observation that some of those concerns can be mitigated by none other than the cloud.
Well, you’ve experienced us in print…now see us in these exciting, new moving pictures! Listen to John Landwehr and John B Harris discuss Adobe’s key information assurance capabilities and how they can help you achieve content-centric security with products that provide integrity, confidentiality, authentication and privacy.
Today’s post covers a variety of other improvements we’ve made to LiveCycle Rights Management ES2.
First, extending our existing ability to revoke documents and notify users of new versions, we now offer out-of-the-box “Revoke and Replace” functionality. With LiveCycle Content Services as your document repository, every “major version” that is checked in supersedes any copy people may have cached elsewhere.
Second, our Extension for Office now offers dynamic visible watermarks, as we have previously offered for PDF files viewed in Acrobat and Reader. You can exchange protected Word, Excel, and PowerPoint files that visibly display the recipient’s name, email address, and the time they opened the document.
Finally, customers have asked for more flexibility in managing the audit event records that track a document’s history. With the latest release you can export, archive, and delete the event history recording who has opened, modified, printed, or otherwise used your protected documents.
Adobe released updates to all of the LiveCycle components with the “ES2” release in November 2009. As part of this we made significant strides in expanding how the product suite integrates with other directory, identity management, and authentication systems.
I’d like to take this opportunity to explain some of what is new, and to show you several videos that go into each area in more depth.
Third, several customers have asked to query one directory for user information while integrating with a second instance for high-performance authentication. We’ve listened, and this is now supported.
Finally, all of our web- and Flex-based components now support SAML-based federated identity for authentication. Technically, this means LiveCycle is substantially more flexible in the single sign-on (SSO) and authentication facilities it can use. In practice, it means you can integrate LiveCycle into your processes for interacting with customers and engaging with citizens without deploying additional identity provisioning or management software.