Posts in Category "Uncategorized"

Sign up now for the E-Signatures 2010 Conference!

With this year being the tenth year of the ESIGN Act’s enactment, there’s been lots of activity around electronic signatures, their adoption, and the key challenges that face this exciting class of technology solutions.  To cap that off, the Electronic Signatures and Records Association (ESRA) has recently announced the details for their annual conference, coming this November 6-7 in Washington, DC.

The agenda for the nearly two-day event is jam-packed with compelling content and speakers, covering real-world implementation stories as well as guidance and advice for navigating this nascent field in North America and around the world. Among the presenters is US District Magistrate Judge John Facciola, who was the first to digitally sign a judicial order, as well as a number of other key industry, legal, and government personalities, all of whom have great stories to tell about the progress of electronic signatures and the benefits they bring.

Lower registration rates are in effect until October 6th, so be sure to register now for this event!  For more details, view the ESRA 2010 Announcement, Registration Form or check out the website here.

We’ll see you there!

Join Adobe at the 2009 RSA Conference!

The 2009 edition of the RSA Conference is right around the corner, but it’s still not too late to join us. This year’s conference will be held at the Moscone Center in downtown San Francisco from April 20 through April 24th, 2009. Register here and learn about all the great sessions, speaking engagements, and events planned for the week.

We are excited to announce that this year we will be participating as a co-host in the Arcot Systems booth. Arcot is a leader in protecting and verifying digital identities. Financial institutions, pharmaceutical companies, and eShopping sites rely on the company’s software-only solutions to prevent online fraud and identity theft.

On the show floor, we will be offering demos of Adobe’s Electronic Signature offerings as well as LiveCycle Rights Management ES, so please stop by the Adobe pod within the Arcot booth! Also, please don’t forget to check out John Landwehr, Director of Security Solutions and Strategy at Adobe, in a lively panel discussion on Cloud Computing.

We look forward to meeting you!

Arcot is part of Adobe’s Security Partner Community, a growing ecosystem of ISV and solutions partners that allows Adobe to offer best-of-breed security offerings for our customers.

Click here to visit the Arcot website.

Adobe Secured Customer Showcase: Castilla-La Mancha Community Council

Castilla-La Mancha, a Spanish community government, is using Adobe LiveCycle to streamline and secure its complex document management and review process for the executive office and community council. Specifically, the organization uses Adobe Acrobat Pro and Adobe Reader software for the development and review of the documentation, and Adobe LiveCycle Rights Management ES software to apply the maximum level of security to control access to the documents.

The secure documents can be accessed online using a web browser via JCCM’s intranet or offline. Updated authorization is required for both methods of access, providing the system with complete traceability of its use, which in the case of printing consists of a watermark. Downloads are completely controlled, identifying each user, and preventing the document from being opened on a computer where it was not originally downloaded. An expiration date is also applied for each document’s use.

Click here for the full story.

Adobe Secured Customer Showcase: Young Conaway Stargatt & Taylor, LLP

Click here to read about how this technology-savvy law firm improves operations, safeguards sensitive content, and builds stronger cases using Adobe® Acrobat® 9 software.

Using Acrobat, Young Conaway’s staff can go beyond the preservation of confidentiality. They can redact sensitive case information quickly and apply passwords and digital signatures to documents for added security. “We need to control who accesses documents and give people the assurance that the materials they receive have not been altered,” explains DiBianca. “With Acrobat, we can put controls on PDF files to limit access to information and restrict copying of data from files.”

Adobe Secured Customer Showcase: Australian Government Department of Health and Ageing

Read about how Adobe LiveCycle Rights Management ES is helping the Australian government secure forms in an automated process for collecting information from individuals participating in a National Bowel Cancer Screening Program.

“Today, doctors can download a form from the cancer screening website, complete the form on their computers and submit the completed form to the National Bowel Cancer Screening Program Register via a secure electronic process.”

Click here for the full story and additional ROI statistics.

Adobe Secured Customer Showcase: Antwerp Port Authority

The Antwerp Port Authority manages Europe’s second biggest port and is guided by the European Directive on Invoicing (EC / 115 / 201) to ensure member states implement electronic invoicing as part of the value added tax (VAT) legislation. The tax rule requires that each supplier guarantee the authenticity of origin and integrity of the content for invoices they create and ultimately archive for compliance.

To meet these requirements, Adobe LiveCycle ES has been deployed in conjunction with GlobalSign certificates to ensure that PDF invoices are digitally certified, cryptographically binding the identity of the certifying party to the invoice itself. Users can then open the invoices using the free Adobe Reader and verify document authenticity and integrity automatically to detect whether the contents have been altered after certification.

By applying digital signatures, Antwerp Port Authority was able to quickly automate invoicing processes, thereby streamlining workflow, lowering costs, and meeting the mandatory European directives for compliance. The entire process is packaged into a seamless solution via the Adobe Certified Document Services (CDS) platform.

Read more about Antwerp Port Authority’s successful implementation of Digital Signatures here.

New state laws affect encryption practices

Nevada and Massachusetts have been in the process of enacting new state laws that target businesses and individuals who own, license, store, or maintain Personally Identifiable Information (PII) about a state resident. Many other states already have these guidelines in place. PII is defined as a combination of the person's name and another unique identifier such as SS#, driver's license, or financial account number.

In Nevada, S.B. 347 went into effect on October 1, 2008. This law specifically prohibits businesses in Nevada from transferring personal information through electronic transmission unless it is encrypted. This regulation even affects those companies that do business in Nevada but are headquartered elsewhere.

In Massachusetts, 201 CMR 17 is set to go into effect on May 1st, 2009. The law was initially set to go live on January 1, 2008, but has been extended to May in light of the economic crisis. This law is somewhat broader than Nevada's in that it requires that any resident PII stored on laptops or removable storage devices be encrypted, in addition to information transmitted over network and wireless connections. It also requires organizations to develop a security program, use updated firewall systems, enforce limits on the amount and length of time PII is retained, and allow access to sensitive PII only as necessary to perform job responsibilities. Even more detailed requirements include a need for documented security policies, prevention of terminated employees from gaining access to PII, and audit trails of employee access to PII.

Although penalties for non-compliance are not specified in either case, non-compliance may expose the business or individual, if any legal action is taken subsequent to a data breach, for failing to provide a minimum level of security. We recommend that companies review their security procedures in light of these new requirements and take action, if needed. For those companies in less regulated industries, a full risk assessment may be appropriate if you are moving into uncharted waters about what technology options are available to reduce exposure.

Much of the debate has been whether to apply encryption at the infrastructure layer using disk or email encryption or to implement it at a finer grain. Technology such as Adobe LiveCycle Rights Management ES or client-based protection embedded in Adobe Acrobat provides this finer grain of protection aimed at protecting only the information assets considered most sensitive (such as PII). I believe each approach has its merit under certain circumstances, but LiveCycle Rights Management and Acrobat each provide the added benefit of security that travels with the information itself.

As an example, using Rights Management, if sensitive PII is located on a disk or removable media device and then gets transmitted over a network, it remains protected persistently throughout the process. Using encryption at the infrastructure layer involves greater coordination, more layers and resources, and a higher risk of failure if not implemented properly.

Also, when considering some of the detailed requirements of the Massachusetts regulations (along with similar requirements in other states) regarding terminated employees, Rights Management allows an organization to revoke access to PII once that person is no longer employed. It also provides a complete audit trail of what user actions were taken on a particular document that contained PII and can help map your governance objectives to actionable, enforceable security policies. Furthermore, within Content Management systems, it has the capability to create workflows that dictate when PII should be sent off to archive or even deleted.

Definitely explore all your options as you move towards improving your compliance posture with these new regulations, but do consider the advantages of a strategic strike versus a blanket approach to encryption.

SecureWorld Expo Detroit Rewind

We had a fun trip earlier this month to the SecureWorld Expo show at the Ford Convention Center in Dearborn, MI. There was a good crowd on hand generating significant interest in our live demos of LiveCycle Rights Management ES with a specific focus on CAD support. Yours truly was interviewed on the spot, so if you couldn’t make it and would like to see what the booth and demo setup looked like (as well as hear a quick Adobe security elevator pitch under pressure) please click here. Thanks to the folks at ThreatChaos.com for helping get the word out, the Booth Buzz concept is a good one….

There was also tremendous interest in the data security panel, where folks from Adobe, IBM, Symantec, and Websense, among others, had a lively exchange on the growing information-centric security market. A wide range of topics was discussed: from the benefits of risk assessment consulting services, to the need for wider adoption of information risk management strategies, to the continued importance of education and training in a security context. Thanks to all who helped make it a great show and we’ll see you at another SecureWorld event in your area soon.

Leveraging Data Loss Prevention (DLP) with Rights Management

Data loss has been a hot topic for years now as companies continue to lose sensitive information and are required by law to disclose the breach to customers. In fact, the Ponemon Institute reported that 85% of their survey respondents had experienced a data breach at one point or another. The fact is that we are in the middle of a data security crisis, one which needs to be solved not by stovepiped security products, but via a solutions approach to limit risk and establish control. One of the markets/products that is becoming an important part of a comprehensive data security solution is commonly known as Data Loss Prevention (DLP).

DLP technologies are very good at providing classification and segmentation of data into raw buckets based on whether they are considered high, medium, or low impact to the business. These technologies are less effective, however, at active enforcement, since they typically focus on either blocking or encrypting information in a somewhat binary fashion, based on the information itself, without significant context for the users or identities involved. In fact, most DLP deployments today are being used in passive mode to discover and monitor “hot spots” and understand where there may be broken business processes in place that may one day lead to a data breach.

An effective way to develop a solutions approach to data loss prevention is to utilize Rights Management technology in concert with DLP to provide and extend protection persistently based on the identity of the recipient or group of recipients. This will effectively marry the classification policy (from DLP) with the enforcement policy (from Rights Management) to provide more effective and seamless protection. With Adobe LiveCycle Rights Management ES, this process can be automated by setting up watched folders or email workflows to streamline enforcement on sensitive information as it is being discovered by DLP products. Over time, these products will become more tightly integrated using APIs to build an information-centric policy management framework upon which data governance decisions can be made and implemented from executives down through the lines of business to IT.

Enabling signing in Adobe Reader

We have all encountered situations where obtaining the signature of an appointed authority or specific individual was the only item left on the checklist for completing a transaction. Starting in Acrobat 8, collecting signatures in your ad-hoc workflows is a very easy task. Navigate to the Advanced menu item on the toolbar in Acrobat 8.0 and select the "Enable usage rights in reader" option. This option allows the recipient of the document to sign as long as they have Adobe Reader 8.0 or a higher version. You will see the following dialog box confirming the usage rights. Notice that one of the usage rights granted is the ability to digitally sign the specific document for which the rights have been granted.

For large volumes of data collection on these documents or forms, there is a corresponding Adobe LiveCycle Reader Extensions ES product that must be licensed.