
November 3, 2009

Straight Talk about PDF & Digital Signatures - ISSE 2009

Jim King, PDF Architect, senior principal scientist at Adobe and one of the key drivers behind the PDF format and its adoption and continuing development by ISO as a standard (ISO 32000), recently delivered a keynote presentation to the ISSE (Information Security Solutions Europe) 2009 Conference in The Hague, Netherlands.  He discussed the evolution of the PDF format and standard, and spent most of his talk introducing the new PAdES signature standard and what it encompasses.

During that conference, Jim sat down with Roger Dean, executive director of eema UK, for a conversation about PDF, the need for digital signatures, challenges of communicating the benefits of digital signatures, and finally a description of the PAdES standard.  This interview is now available below (and here)...enjoy!


October 13, 2009

Acrobat and Reader 9.2 update

On October 13, 2009, Adobe released critical updates to Acrobat and Reader. All users are advised to update their systems to these releases as soon as possible.

May 27, 2009

“Click on this...” Adobe’s eSubmissions Solution Accelerator Shows Off Click-thru Approvals & Signatures

Electronic signatures come in many shapes and sizes, and for a long time, Adobe has been primarily associated with three of those sub-types—digital signatures, certification signatures, and handwritten eSignatures based on solutions from our Security Partner Community—due to our comprehensive coverage of, and capability for, those technologies.  However, customers and partners do not often associate us with click-thru approvals and electronic signatures, where a user authenticates to a website, reviews a document, and then is allowed to approve or reject said document with a simple click of a button.

Actually, Adobe has supported this capability for some time within our LiveCycle ES product line, but the capability was spread across components that can prepare documents for review (PDF Generator, Output, Reader Extensions, Forms), move documents along a workflow (Process Management), present documents for review, comment, and approval (Workspace), and then sign (Digital Signatures) and archive (Content Services) or further process those documents for storage, submission, etc. 

The challenge of piecing together these components was not lost on Adobe, and last year we started working on Solution Accelerators--sample code and tooling that brings together task-oriented building blocks composed of LiveCycle components.  More than a proof-of-concept, but less than complete production code, Solution Accelerators can be used by a customer or systems integrator to bring projects to fruition in a much shorter timeframe, while providing for flexibility in the final implementation. 

The eSubmissions Solution Accelerator, released this Spring, shows how LiveCycle can be used to present documents for review, commenting, & approval in parallel or serial workflows, and incorporates the capability to not only sign with traditional digital signatures or handwritten electronic signatures, but also via authenticated click-thru approvals and server-side signing and certification functions.  Download the demonstration video here.  Unlike other click-thru solutions on the market, this Solution Accelerator shows the breadth and depth of Adobe’s offering, providing for compliance with electronic signature regulations around the world.

 

While this Solution Accelerator was designed for the biopharmaceutical market, it can easily be repurposed for contract approvals, financial services transactions, and the like—this is one of the benefits of the Solution Accelerator approach. Moreover, eSubmissions demonstrates Adobe’s intent to provide users with a best-in-class experience when it comes to electronic documents and workflows.  There’s no longer any reason to print an electronic document just for review and signature...Adobe provides a one-stop shop for a full range of electronic signature and approval capabilities.


May 1, 2009

Seven Technology Habits of Highly Effective CFOs

Recently, Adobe executive vice president and Chief Financial Officer Mark Garrett presented a keynote at the CFO Rising conference, sponsored by CFO Magazine. Speaking to a ballroom full of senior finance executives, Mark outlined the “Seven Technology Habits of Highly Effective CFOs” and utilized several case study examples to illustrate his points.


April 1, 2009

DoD Certification of Acrobat and Reader 9

The United States Department of Defense Joint Interoperability Test Command (JITC) has certified both Adobe Acrobat and Adobe Reader version 9...


March 13, 2009

NIST FDCC Compliance with Adobe Acrobat and Reader

Adobe Acrobat and Adobe Reader have been tested and meet the NIST FDCC compliance guidelines according to the testing process provided in OMB memo m08‐22. Compliance was verified by testing the product using the following procedures:


March 11, 2009

Acrobat and Reader 9.1 Now Available with Information Assurance Updates

Version 9.1 of Adobe Acrobat and Adobe Reader is now available with critical security updates and other product improvements. Adobe strongly recommends all users update using the built-in software update system or manual download from adobe.com. Here are some additional details on this release:

March 3, 2009

RSA 2009 Conference Session on Cloud Computing Security

If you are attending the 2009 RSA Conference in San Francisco this April, be sure to check out this panel discussion on cloud computing security.

December 1, 2008

Acrobat 9 and password encryption

Based on some recent online discussion of Acrobat 9 and password encryption, we’re posting to provide a quick summary on what has changed, how it impacts the overall security of PDF documents, and Adobe's commitment to providing high-assurance document security implementations.


November 12, 2008

Update: FIPS 140 Validation Certificates for Acrobat, Reader, and LiveCycle

Version 9.0 of Adobe Acrobat and Adobe Reader includes the RSA BSAFE Crypto-C ME 2.1.0.3 encryption module with FIPS 140-2 validation certificate #828. Instructions here will also enable FIPS mode in Acrobat and Reader 9.0 to restrict document encryption and digital signatures to FIPS approved algorithms (AES/RSA/SHA) in this library.

Adobe LiveCycle ES still includes the RSA BSAFE Crypto-J 3.5.04 encryption module with FIPS 140-2 validation certificate #590. FIPS mode is configured in the product installer.

October 21, 2008

Communicating the value of Adobe's Information-Centric Security Solutions

We are excited to announce a new set of assets aimed at helping our customer community and ecosystem partners better understand the benefits and value that can be derived from Adobe's Information-Centric security solutions. If you haven't heard the term "Information-Centric" before, it's not new, but it well represents the way Adobe technologies protect the confidentiality, integrity, and authenticity of information -- natively within the information itself.

For LiveCycle Rights Management ES and LiveCycle Digital Signatures ES, please feel free to download and view a host of new collateral including:

New datasheets that provide an overview of the value proposition and specific areas where our solutions solve real customer problems:

LiveCycle Rights Management ES: http://www.adobe.com/products/livecycle/pdfs/livecycle_rights_management_es_datasheet_na.pdf

LiveCycle Digital Signatures ES: http://www.adobe.com/products/livecycle/pdfs/95011596_lc_digisig_ds_ue.pdf

There are also two new whitepapers. The first one, for Rights Management, is entitled "Delivering an Information Risk Management strategy across the heterogeneous enterprise" and is intended to describe the need to protect sensitive information consistently wherever it resides in the enterprise. This paper also outlines common use cases via customer anecdotes about how LiveCycle Rights Management ES is protecting the most widely used file types inside (and outside) the organization. http://www.adobe.com/products/livecycle/pdfs/95011600_lc_rightsmgmt_wp_ue.pdf

The second whitepaper is entitled "Electronic Signatures: Solution Scenarios for your Environment". This piece is intended to articulate the different electronic signature solutions offered by Adobe and help folks understand the pros and cons of each, so you're best prepared to map the right electronic signature solution to your assurance level requirements. http://www.adobe.com/products/livecycle/pdfs/95011606_Digital_Signature_wp_ue.pdf

Finally, there are also new updates to our website including updated customer success stories, in-depth pages, features and benefits pages, and a detailed supported formats page for Rights Management.

LiveCycle Rights Management ES: http://www.adobe.com/products/livecycle/rightsmanagement/
LiveCycle Digital Signatures ES: http://www.adobe.com/products/livecycle/digitalsignatures/
Enjoy!

October 13, 2008

Live Webcast: Information Assurance - Keeping Your Documents Secure

Join us for this LIVE Event on:
Wednesday, October 29, 2008
12:00 PM PT / 3:00 PM ET

The need to keep your organization's business critical information confidential by restricting distribution and preventing unauthorized disclosure of this information is imperative. Discover how Adobe Acrobat 9 can help protect your organization’s sensitive information by helping provide document control and security, addressing issues such as encryption, document authenticity, passwords, redaction, and sanitization/metadata removal. Join John Landwehr as he covers best practices on Security and Information Assurance.

More information and registration is available here.

September 30, 2008

Come One, Come All...

...to the E-Signatures '08 Conference, scheduled for November 12-13, 2008, at the Omni Shoreham hotel in Washington, DC.   This conference, organized by the Electronic Signatures and Records Association, features compelling presentations from industry experts on the leading business, legal, and technology topics surrounding e-signatures, and prominently highlights several case studies.

Included in these case studies, Adobe customers will describe how electronic signature solutions involving products from Adobe and our Security Partner Community have improved their internal workflows and, in turn, saved them significant amounts of money, time, and resources.  You can expect to hear from:

In addition, conference attendees will learn about government and insurance industry views on e-signatures; legal, regulatory & standards updates; and finally how the new administration might affect the future of e-signature policy.  For an updated agenda, keep checking here.

Sign up this week!  Early bird registration ends Monday, October 6th.


September 9, 2008

Scientific American Article on Improving Online Security

Adobe recently participated in an industry roundtable on Improving Online Security. The transcript has been published in the September 2008 issue of Scientific American, page 96 and on their website.

John Landwehr from Adobe and representatives from Hewlett Packard, Kaiser Permanente, McAfee, Microsoft, Panda Security, Sun, and Symantec discussed ways to protect against more numerous and sophisticated attacks by hackers and called for upgraded technology along with more attention to human and legal factors.

July 10, 2008

Now hiring: Digital Signatures Product Management

Adobe is looking for a Sr. Product Manager to join our security solutions team and work on digital signatures in Acrobat, Reader, and LiveCycle.

The job description and application process are posted on cooljobs.adobe.com.

Description:
Adobe (NASDAQ: ADBE) revolutionizes how the world engages with ideas and information. For 25 years, the company’s award-winning software and technologies have redefined business, entertainment, and personal communications by setting new standards for producing and delivering content that engages people virtually anywhere at anytime. From rich images in print, video, and film to dynamic digital content for a variety of media, the impact of Adobe solutions is evident across industries and felt by anyone who creates, views, and interacts with information. With a reputation for excellence and a portfolio of many of the most respected and recognizable software brands, Adobe is one of the world’s largest and most diversified software companies.

Today, Adobe is better positioned than ever to push the boundaries of the digital universe. Under the leadership of President & CEO Shantanu Narayen, we're driving even greater innovation with powerful, compelling software solutions that meet the needs of customers and markets ranging from designers and filmmakers, to enterprises and governments, to developers and home users.

Recognizing that employees are at the core of our success, Adobe recruits and retains highly qualified and motivated individuals, creates an environment where they can innovate and achieve their best, and rewards them for their performance by giving them an opportunity to share in the company’s success.

Position Overview
Adobe Information Assurance Solutions enable organizations to more securely engage with employees, external associates, and customers by protecting the information lifecycle. Security can be persistently applied to information independent of storage and transport, inside and outside an organization. Adobe's ecosystem of security partners provides interoperability with many information security infrastructures including identity and access management, single-sign-on, public key infrastructures, smart cards, and biometrics.

This Sr. Product Manager position in the Security Solutions team of Adobe's Business and Productivity BU will significantly contribute to growing Adobe’s market share in information assurance solutions by identifying and prioritizing feature requirements, providing product competitive analysis, understanding customer usage workflows and customer satisfaction, driving and evaluating technology trends, ease of use, standards and certifications.

Requirements
Requires at least 5 years of experience in enterprise software product management. BS in Computer Science or related technical discipline, and in-depth experience with identity management, electronic and digital signatures, encryption, J2EE authentication, public key infrastructure, smartcards, maintaining documents of record, and information lifecycle workflows.

This position also requires significant cross-group interaction, a strong customer and partner focus, excellent communication, presentation, and negotiation skills, attention to detail, solid technical abilities to collaborate with engineering and direct market experience. Candidates must be passionate about the technology to make Adobe solutions more secure and easy to use. Preference given to candidates with security certifications.

Adobe believes personal fulfillment and company success go hand in hand, sustaining one another. In fact, our dynamic, rewarding working environment is well known – including eight years on FORTUNE magazine’s "100 Best Companies to Work For" and other, similar accolades. By hiring the very best and brightest, Adobe continues to be a simply better place to work – creating a dynamic environment today and providing incentives for future achievement.

July 7, 2008

Protecting native Office documents

On June 17th Adobe announced an expansion of the LiveCycle Enterprise Suite with our forthcoming LiveCycle ES Update 1 release. Included as a part of this release is the second version of our LiveCycle Rights Management ES Extension for Microsoft Office. This release expands our support to include the ability to protect, and collaborate in, natively protected Word documents, Excel spreadsheets and PowerPoint presentations. Further, we support all editions of Office 2003 and Office 2007 localized natively into English, French, German, and Japanese.

Click on the following screenshot to watch a short Captivate demo of our native support for PowerPoint presentations:

The software is now available for download from http://www.adobe.com/go/getrmextensions for use with your LiveCycle Rights Management ES system.


Questions or feedback on this entry? Contact us at RMFeedback@adobe.com

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at http://www.adobe.com/go/rm or by contacting Adobe

May 30, 2008

"This is legal, right?" - Electronic Signatures & The Law


This entry is the third in our “What is an Electronic Signature, Anyway?” (Part One / Part Two) educational series.

First, a disclaimer.  This blog entry is not intended to provide legal advice.  You should discuss issues relating to the use of electronic signatures in your business with your own legal counsel and compliance officers.

With that out of the way, welcome back to our series on electronic signatures.  Up to now we’ve covered what can be defined as an electronic signature, and how one can provide assurance as to the validity of an electronic signature.  However, our clients and customers are mainly concerned with one thing:  are electronic signatures legal and admissible in a court of law?  Will my contract be null and void if I use this electronic signature pad?  Will my account documents be tossed out because they’ve been digitally signed?  Can I accept electronic signatures on my contracts?

Only your legal counsel can answer these specifically, but, in this lengthy entry, we can offer some very high-level information on the applicable laws, what is meant by legal effect versus admissibility, the availability of case law, and where you can go to find out more information.

 

Laws

In 2000, President Clinton digitally signed into law the Electronic Signatures in Global and National Commerce Act (E-SIGN Act).  This public law provides that:

(1) a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and (2) a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.

At the state level, the Uniform Electronic Transactions Act (UETA), passed by 48 US States, provides much the same protections to electronic signatures and records. (The remaining 2 states have other legislation covering electronic signatures.)

Note that neither piece of legislation specifies a particular electronic signature technology.  In fact, the E-Sign Act states that:

The term ‘‘electronic signature’’ means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

By keeping the legislation technology-agnostic, the law doesn’t create a bias and also does not have to be changed as technology changes.  It therefore has the added benefit of allowing for a wide spectrum of electronic signature technologies (click-thru, signature pad, biometrics, digital signatures, etc), as long as the systems provide a signature that is “attached” to the electronic document needing to be signed, and provide evidence to the fact that the signatory actually signed the electronic document, showing an “intent to sign.”  The laws do prohibit the use of electronic signatures on certain legal documents such as wills and adoption papers, though.

Other US laws and regulations provide guidance in specific industries.  For instance, 21 CFR Part 11 covers the use of digital signatures in communications with the Food and Drug Administration.  This is a good time to mention that laws are not the only things to be concerned about when it comes to electronic signatures.  You also have to be aware of any regulatory standards or recommendations that may be in place for your industry. 

Using the pharmaceutical industry again as an example, the SAFE-BioPharma Association (Signatures and Authentication for Everyone), interested in promoting the use of electronic documents and reducing costs, created a technical, legal & business model around the use of electronic signatures among pharmaceutical manufacturers, clinical investigators and regulators.  In fact, SAFE requires the use of digital signatures, and has certified (and recently re-certified) PDF-based digital signatures in Adobe Reader®, Acrobat®, and LiveCycle® Digital Signatures within the SAFE standard.

Outside of the US, most countries have electronic signature laws in place, as well, though they vary in complexity.  For the 27 member states of the European Union, Directive 1999/93/EC on a Community Framework for Electronic Signatures (EU Signature Directive) provides an in-depth legal framework for electronic signatures and their validity inside and between EU countries.  It creates several categories of electronic signatures, with so-called “Qualified” signatures required to be legally accepted and valid in all EU member states.  The high assurance requirements around Qualified Electronic Signatures (QES) do point to digital signature technology, with a requirement for a ‘Secure Signature Creation Device’ and best practices around key generation, storage, and certification of the providers of the signing credentials themselves.

Adding to the fun, EU member states are required to individually transpose EU Directives into their own legislation.  Certain countries decided to tweak the text on the way to implementation, and in so doing, created another layer of complexity that makes working with cross-border electronic signatures quite a challenge!

Note that electronic signatures applied in the US may not be provided legal admissibility in the European Union, especially on documents like electronic, or e-, invoices.

 

Legal Effect vs. Admissibility

We’ve tossed these terms around in this entry, so it’s probably time to clarify the difference between the two.  While lawyers around the globe may cringe at my over-simplification, here we go...

“Legal effect” pretty much means that, yes, the court will accept that an “electronic signature” is a “signature” as already defined by precedent and law.  So, in other words, an electronic signature and a wet ink signature are equivalent in most respects, and they can be brought into trial.

However, just like their wet ink counterparts, each document intended to be entered into evidence in a trial will need to be assessed for its “admissibility,” whether it’s signed with ink or a digital certificate.  Does it represent the intent of the signatory?  Has the document been altered?  Who had the right to sign this document?  How was the signature derived, and what controlled access to the document for its signature?  These questions come into play no matter the type of signature.

However, wet ink signatures have been in use for quite a long time and have established a certain amount of credibility.  Electronic signatures, on the other hand, are a newer phenomenon, and thus may be more subject to the critical eye of the court.  This is where the concept of assurance, as described in the previous entry in this series, can come into play.  Higher assurance signature methods that authenticate the signer, use document fingerprinting (‘hashing’) to provide integrity, and store signature keys (and thus, the “pen”) in a secure manner, are more likely in the long run to be provided with the benefit of the doubt than those signature technologies which provide lesser assurance.

So, in the end, your electronic signature may be a legal signature, but it could be tossed out of court if the judge feels that the signature process did not provide the appropriate level of assurance.

 

Case Law 

Well, we’d love to point you to a particular case which ruled that this or that technology was admissible, or that signatures captured on these types of documents were OK, but there are none.  In the United States, there are likely hundreds of cases that cover subjects related to the use of electronic documents and e-discovery, but none that specifically cover challenges to electronic signatures.  While this could mean that cases are being handled in arbitration (outside the courts), or that challenges have not been filed, it is all the more likely that the courts have been holding electronic signatures as admissible.

What the future holds, no one is certain.  The EU Signature Directive provides a clear sign that assurance does play a role in admissibility.  Will the ideas of the Directive take hold in other countries around the world?  How will US and state case law react to increasing numbers of electronic signatures?  We’ll keep watching...and we’ll keep you informed!

The good thing is that with Adobe products like Acrobat and LiveCycle you are gaining the ability to sign electronic documents (PDF) with a spectrum of electronic signatures, whether they’re electronically captured on a tablet PC, created with digital certificates, or even required to be compliant with the EU Signature Directive.  You can rely on Adobe’s global expertise in the field and years of collaboration with our Security Partner Community to meet your electronic signature needs, no matter the requirements.

 

Links

Here are some links to continue your reading.  Again, be sure to confer with your legal counsel on these topics.

  • ABA Digital Signature Guidelines Tutorial – A great starting point for understanding digital signatures from the American Bar Association.
  • The Sedona Conference® – Though focused primarily on electronic records, this educational non-profit organization provides substantial coverage of related case law and issues that may come into play.
  • Electronic Signatures & Records Association (ESRA) – This association brings together vendors and business owners in its efforts to extol the benefits of electronic signatures and documents.  Adobe is a board member of the Association.

 

Next in our “What is an Electronic Signature, Anyway?” series will be an exploration of real world examples of electronic signatures in action around the world today and what the implications are for the businesses implementing them and the customers using them.


April 2, 2008

Adobe @ RSA

The RSA Conference is one of the most highly respected information security conferences and exhibitions in the industry.  This year, the Conference runs from April 7-11 in San Francisco, California, at the Moscone Convention Center.  Anyone who’s anyone in the information security space, specifically companies and individuals involved in authentication, identity management, encryption, and cryptography, will be there.  Attendees (over 17,000 expected) represent every key vertical market and range from C-level executives to front line IT staff.  Heck, even Al Gore is making an appearance (no really...he’s one of the keynotes at the event!).

Adobe will be exhibiting at Booth 828 and demonstrating our LiveCycle ES and Acrobat products, highlighting their electronic signature and rights management capabilities.  If you are planning on attending, please come by and say hello!  Learn about the latest updates to our product and feature line-up, as well as our integration with a wide variety of partners, many of whom will also be exhibiting at the event (see below).  We’ll be happy to answer any questions you have. 

The extended Security Solutions team, including product managers, engineering, and sales engineers will be on hand during RSA, not only manning the demo stations at the booth, but also roving the floor, and speaking at the conference itself.  For example, John Landwehr, director of Security Solutions and Strategy at Adobe, will be speaking on Thursday, April 10 at 8:00 AM on a panel (DEPL-301) with Deloitte & Touche covering the topic of Information Classification and its critical application to the questions of security policy, data leakage and rights management in the enterprise.

If your company is interested in a partnering relationship with Adobe, please visit the booth and ask for John Harris, who manages our security alliances.

We look forward to meeting you in San Francisco next week!  Our Security Partner Community will also be exhibiting at RSA...be sure to visit them and ask how they work hand-in-hand with Adobe:                                                

 

    Partner                              Booth #
    ActiveIdentity                       Booth 657
    Athena Smartcard Solutions           Booth 1350
    Arcot Systems, Inc.                  Booth 1045
    CoreStreet Ltd.                      Booth 1350
    Entrust                              Booth 817
    Gemalto Inc.                         Booth 1923
    nCipher Inc.                         Booth 2129
    RSA, The Security Division of EMC    Booth 1717
    SafeNet, Inc.                        Booth 1039
    SOFTPRO GmbH                         Booth 1332
    VeriSign, Inc.                       Booth 1316

November 25, 2007

Adobe's history of content protection

Every once in a while, someone asks "How long has Adobe offered content protection?" Turns out, Adobe's information assurance efforts have been ramping up for over a dozen years. Adobe provides security features in numerous products and also provides dedicated security solutions such as LiveCycle Digital Signatures and LiveCycle Rights Management. Here's a brief history:

Adobe's history of content protection started with Acrobat 2.0 in 1994. At the time, this was simple 40-bit RC4 password-based encryption and digital rights management (DRM) to restrict who can open the document and what they can do with it.

Acrobat 4.0 in 1999 added support for Public Key Infrastructure (PKI), enabling a single PDF document to be protected for multiple recipients, with different permissions based on their own keypair. Depending on who opened the document, printing, modification, and clipboard actions are enabled/disabled. This release was also the first to add digital signatures using PKI. This was important for paper documents to move to digital with an opportunity for higher levels of assurance than a pen could provide on paper with a wet signature (ink) by utilizing cryptographic protections of authenticity, integrity, and non-repudiation. Acrobat 5.0 added support for 128-bit RC4 encryption for stronger levels of confidentiality. Acrobat 6.0 added support for the Microsoft CryptoAPI (CAPI) so the keypair could be stored in the Windows certificate store or through a Crypto Service Provider (CSP) to smartcards and other tokens.

In 2005, Acrobat and Reader 7.0 shipped along with LiveCycle Policy Server and Security Server. AES128 encryption was added to PDF. The enterprise rights management capabilities of Policy Server integrate with an organization's LDAP or Active Directory. A policy coupled with an information classification such as "Insider Restricted" restricts who can open the document, what they can do with it, and also provides enterprise auditing measures. Absolute (e.g. on 12/31) and relative (e.g. 7 years from document creation) expiration dates can be set to automatically expire documents. All these permissions in a policy are dynamic and can change after the document is published - to add or delete users, change permissions, or even revoke the document entirely. This revocation feature is used by many to enable version control outside a repository, so as a document is changed on the server all distributed copies of that document are automatically revoked, providing the recipient with a notification to go back to the server for a current version. Visual watermarking capabilities on PDF are able to show the policy name, recipient opening the document, and the date/time. Acrobat and Reader 7.0 were also US Department of Defense (DoD) certified by the Joint Interoperability Test Command (JITC). The LiveCycle Security Server provided the ability to apply and validate digital signatures as well as encrypt and decrypt documents in an automated business process. Flash Media Server 2 provided protected streaming capabilities for delivering video to Flash Player.

As we wrap up 2007, there has been a lot going on over the last 12 months. Acrobat, Reader, and LiveCycle shipped with new FIPS 140 approved encryption libraries. LiveCycle Rights Management (formerly Policy Server) now supports native Microsoft Office documents as well as Dassault CATIA. LiveCycle Digital Signatures (formerly Security Server) provides XML signature support as well as certified documents and is integrated with automated forms and document generation processes. Adobe's rights management has been integrated into hardware devices such as Multi Function Peripherals (MFPs) from Ricoh and others. Third party software vendors including PTC and Hitachi/Lattice3D are integrating Rights Management into their native applications. Adobe Media Player is in public pre-release with support for content protection on downloadable and offline Flash video.

What about 2008 and beyond? Stay tuned for more entries as Adobe's security solutions expand to protect even more aspects of the information lifecycle - independent of storage, independent of transport, across operating systems and file formats.

August 28, 2007

FIPS 140 Validation Certificates for Acrobat, Reader, and LiveCycle

Version 8.1 of Adobe Acrobat and Adobe Reader includes the RSA BSAFE Crypto-C ME 2.1 encryption module with FIPS 140-2 validation certificate #828. FIPS mode can be enabled to restrict document encryption and digital signatures to FIPS approved algorithms (AES/RSA/SHA) from this library using these instructions.

Adobe LiveCycle ES includes the RSA BSAFE Crypto-J 3.5.04 encryption module with FIPS 140-2 validation certificate #590. FIPS mode is configured in the product installer.


August 10, 2007

Adobe Security Solutions at MAX 2007

MAX 2007 is an experience unlike any other, an opportunity to connect with thousands of Adobe users, experts, and staff for education, inspiration, and community. Join us to discover new skills, explore emerging technologies, and build valuable relationships.

This year's conference tour is scheduled for:
* North America: Chicago, IL - September 30 - October 3
* Europe: Barcelona, Spain - October 15-18
* Japan: Tokyo - November 1-2

Below is a sampling of sessions covering various aspects of Adobe security solutions, features, and infrastructure:

LiveCycle Digital Security and Certification
This session will focus on the persistent rights management and document security technologies in the LiveCycle Enterprise Suite. The components explored will include LiveCycle Digital Signatures ES, LiveCycle Rights Management (formerly Policy Server), and LiveCycle User Manager. The thrust of the talk will focus on LiveCycle ES as a service oriented platform for delivering key interactions with remote clients but will also showcase core capabilities and delve quickly into SDK's and API's for developers.

Implementing Rights Management (DRM) for Video Delivery
Content protection is an important consideration when creating and deploying streaming media. This session addresses the optimal ways to prepare, host, and deliver video content to the Flash player. We'll examine administrative and security tools, tips, and tricks as part of Flash technology and Flash solutions.

LiveCycle Rights Management ES: Its Purpose, Scope, and Integration with Various Technologies and Formats
In this session, we'll provide an overview of Adobe LiveCycle Rights Management ES and how it is used to protect content. Afterward, the session will focus on some common integration tasks, including integration with enterprise content management (ECM) software, product lifecycle management (PLM) software, authentication environments (such as ActiveDirectory and LDAP), and multiple file formats. Topics will include Rights Management Customer Configuration and architecture, integration strategy, integration points, and open-source products.

Adobe Integrated Runtime (AIR) Security
Desktop application security creates different requirements for developers. Find out how the Adobe AIR security model will affect your application and what best practices you should follow to build more secure desktop applications using Adobe AIR.

Partner Summit: Meet the Team: An Enterprise Print and Scan Security Solution
Adobe has developed a solution that provides more secure document scanning, printing, collaboration, and auditing. This solution integrates Acrobat and LiveCycle Rights Management with MFP (multifunction peripheral) devices to provide end-to-end document security. Adobe is working with MFP OEMs to bring this solution to market in 2008 and is looking for VARs and systems integrators to partner with. Learn how you can extend document workflows by adding more secure print and scan services to your solutions.

Securing your Video delivery with Flash Media Server
Learn about the many new content protection mechanisms in Flash Media Server. We will cover content encryption and protection, rights management, protected streaming into Flash/AIR/AMP, SWF verification, content integrity, and user-based content protection.

Securing ColdFusion
Securing ColdFusion servers involves more than just setting an administrator password. From OS and HTTP issues to SQL injection attacks to vulnerabilities in installed software and more, there's a lot to lock down and a lot to keep an eye on. This session will cover security at multiple levels, arming you with the know-how to protect your servers and valuable data.

Adobe Media Player: The New Model for Content Monetization
The Adobe Media Player offers content publishers new ways to monetize content by integrating advertising into both online and offline experiences. Explore the new advertising model, more secure content protection capabilities, flexible user-selected features for downloading and viewing "favorites," and more.

Flash Player Cross-Domain Security
Find out how the Flash Player sandbox keeps your content and users safe from malicious attacks. Learn how to configure Flash Player using policy files, config files, and ActionScript to allow the communication you want and prevent the problems you don't want.

Hands On: LiveCycle ES Business Process Management and Design
In this session, we'll explain the process management functionality in Adobe LiveCycle Enterprise Suite. Topics will include components, control flow, data types and mappings, exception handling, events, parallel flows, security, subprocesses, transactions, versioning, short- vs. long-lived processing, and reporting.

Branding and Protecting Flash Enabled Video
Learn how to create and deliver interactive content featuring seamlessly integrated video. Create customized players that fit the look and feel of your project. Learn how to protect your content so you can deliver with confidence. Discover new components, including closed-captioning capabilities. This session will appeal to new Flash users, as well as Flash experts who are newly interested in video.

Introduction to Streaming with Flash Media Server
This session will provide an overview of the full ecosystem for delivering high performance streaming with Flash Media Server, including encoding, encrypting, securing, managing the assets, delivery options with Flash Media Server and the CDN, tracking, and reporting. Topics will include the difference between streaming and progressive video, the details of secure delivery, the use of DRM, and planning your Flash Media Server cluster. Come learn the basics of what Flash Media Server can do for your online video experience.

June 11, 2007

Arcot Announces Two Factor Authentication in Flash Player and Apollo/AIR

Arcot, a member of Adobe's security partner community, just announced their Flash-based two-factor browser authentication solution as well as support of Adobe Integrated Runtime (which was also announced today as available in beta, and formerly codenamed Apollo). Arcot's "software smartcard" solution provides greatly improved simplicity and security for consumer logins to online applications.

Usernames and passwords alone have reached the end of their useful life for protecting valuable online transactions because they are often reused by consumers across sites, easily guessed, and subject to phishing. While today's web browsers provide PKI authentication using SSLv3 client authentication, there is not a consistent or friendly user experience across browsers and operating systems to provision and utilize the necessary PKI credential. That's why you often hear PKI = Painful Key Infrastructure instead of Public Key Infrastructure.

Arcot has developed a seamless provisioning and utilization of PKI credentials in the form of an ArcotID. While the user logs in with their existing username/password, a SWF in the browser is providing PKI authentication behind the scenes using a locally stored credential in the form of an ArcotID.

ArcotID Flash client is part of WebFort, Arcot's two-factor authentication system for large enterprises in financial services, healthcare and other industries facing increasing regulatory pressure to protect and verify end-users’ identities such as those from the Federal Financial Institutions Examination Council (FFIEC) and the Health Insurance Portability and Accountability Act (HIPAA).

June 5, 2007

Acrobat and Reader 8.1 - Now Available

Adobe Acrobat 8.1 and Adobe Reader 8.1 are now available for download. In Acrobat, check the Adobe Updater (Help menu -> Check for Updates) to look for the update. You can also directly download Adobe Reader 8.1.

A partial listing of what's new in 8.1:
* Microsoft Windows Vista™ and Office 2007 support

* Installing on 64-bit versions of Windows XP and Vista

* Easily extract documents from a package. Search and print the current or selected document, or all documents within the package.

* Read and organize eBooks and other publications with Adobe® Digital Editions (a separate product). When you first click the Digital Editions menu item, you can download and install the Adobe Digital Editions software. After installation, choose Digital Editions to go directly to your Adobe Digital Editions bookshelf.

* Acrobat 8.1 provides a FIPS mode to restrict data protection to Federal Information Processing Standard (FIPS) 140-2 approved algorithms using the RSA BSAFE Crypto-C 2.1 encryption module. This article has more information on enabling FIPS mode.

The following knowledgebase articles describe the 8.1 update in more detail:
401730: Adobe Acrobat 8.1 Update
401732: Adobe Reader 8.1 Update

June 3, 2007

Adobe Unveils LiveCycle Enterprise Suite

Adobe Systems today introduced Adobe LiveCycle Enterprise Suite (ES), an integrated family of software for more securely automating processes that help businesses and governments engage with customers, citizens, employees, partners, and suppliers.

With LiveCycle ES, organizations can deliver applications that are easier to interact with. This enables companies to better communicate with people who may be frustrated with, or confused by on-line procedures, and are likely to abandon transactions, resorting to higher cost avenues such as in-person visits or phone assistance. By transforming processes such as account enrollment, claims processing or guided self service into engaging applications, businesses and governments can improve customer service, decrease costly cycle times, and manage information faster, more accurately, and more securely.

LiveCycle ES includes scalable solution components to build, manage and optimize business critical processes. Information assurance capabilities are provided by LiveCycle Rights Management ES and LiveCycle Digital Signatures ES.

Click below for more information on:
* New features in LiveCycle Rights Management ES
* New features in LiveCycle Digital Signatures ES
* Adobe LiveCycle ES Platform Support

Adobe LiveCycle ES platform support

Adobe LiveCycle Rights Management ES (formerly Adobe LiveCycle Policy Server) and Adobe LiveCycle Digital Signatures ES (formerly Adobe LiveCycle Document Security) support additional platform combinations and updated application server versions:

Operating Systems: Microsoft Windows Server 2003, Red Hat Enterprise Linux AS or ES 4.0, SUSE Linux Enterprise Server 9.0, IBM AIX 5L 5.3, Solaris 9 & 10

Application Servers: Red Hat JBoss Application Server 4.0.3 SP1, BEA WebLogic 9.2, IBM WebSphere 6.1.0.5

Databases: MySQL 5.0, IBM DB2 8.2 & 8.1 FP7, Oracle 9i & 10g, Microsoft SQL Server 2005

Directories: Sun ONE 5.1 & 5.2, Microsoft Active Directory 2000 & 2003, Novell eDirectory 8.7, IBM Tivoli Directory Server 6.0

Adobe at IP Protection Summit

Adobe Systems will be discussing information assurance solutions at the Tal Global & Pro-Tec Data IP Protection Summit "Demystifying Trade Secret Protection Strategies", to be held at Sun Microsystems in Santa Clara on June 13. This event provides an opportunity to network with peers, executives and other information protection professionals on topics essential for staying up to date on:

- Legal and regulatory obligations to protect trade secrets
- Identifying and classifying your company’s crown jewels
- Risk assessment and mitigation strategies
- Forensic investigation of trade secret loss
- Motivating, enabling and enforcing information protection
- An overview of enabling technologies, including digital rights management and content monitoring and filtering
- Practical case studies to apply lessons learned

More information is available here.

May 29, 2007

Securing Legal Documents - Preso and Resources

The Acrobat for Legal Professionals blog has a good post on securing legal documents using the security features in Acrobat 8.

Adobe Keynote at AICPA TECH+ 2007

Adobe has a keynote presentation at the American Institute of Certified Public Accountants (AICPA) TECH+ Conference in Las Vegas.

Tuesday June 12, 2007
8:00 am – 9:00 am Keynote Presentation
How Adobe Allows You to Drive the World of Media
John Landwehr, Director, Security Solutions & Strategy, Adobe Systems Inc., San Jose, CA

Adobe is a diverse company with offerings way beyond Adobe Acrobat and Reader. This session will help you see the vision of a world leader in digital content and media. You will be exposed to capabilities in the Adobe family that will give you a vision of how they can be applied in your business for both control and collaboration. Once you see this vision, you will be asking yourself how you could have missed the opportunity to apply Adobe technology.

Adobe at CSI NetSec '07

Adobe is presenting at CSI NetSec 2007 in Scottsdale, AZ to discuss how enterprise rights management technology can be used to persistently protect information.

Session Title: [CRT-2] Using Policies to Control Document Access Beyond the Firewall
Speaker: John Landwehr (Director of Security Solutions and Strategy, Adobe Systems)
Date/Time: Monday (June 11, 2007) 1:15pm — 2:30pm
Track: Critical Decisions
Presentation Format: 75-minute Session

Presentation Abstract
Today’s business processes extend beyond the firewall. Here's how companies are using enterprise security solutions to set policies that control who can access, and what they can do with, digital documents, regardless of where the information is stored or distributed, while monitoring document activity.

April 3, 2007

Acrobat and Reader Security Docs

If you're looking for more details on how digital signatures, encryption, and other security features work in Adobe Acrobat and Adobe Reader, here are some good resources updated for v8:

Document Security User Guide for Adobe Acrobat and Adobe Reader Version 8 (PDF, 2.2 MB)
This document describes how to configure and use the application user interface, register a digital ID for use in Acrobat, and manage other people's public key certificates within your system.

Digital Signature User Guide for Adobe Acrobat and Adobe Reader Version 8 (PDF, 3 MB)
This guide describes the digital signature features of the Acrobat 8.x family of products both for Adobe Acrobat and Adobe Reader Version 8 users as well as for security administrators.

Adobe Acrobat 8 for Microsoft Windows Group Policy and the Active Directory service (PDF, 378KB)
This document describes using Group Policy to deploy Acrobat 8 or Adobe Reader 8 products on a Windows network.

Sharing Acrobat settings and data with FDF files in Acrobat 8 (PDF, 456 KB)
Learn how to use FDF files to exchange data between the Acrobat family of client and server products.

February 4, 2007

Adobe at RSA Conference 2007

Adobe Systems will be showcasing security solutions at the 2007 RSA Conference, February 5-9 at Moscone Convention Center in San Francisco.

Multi-format and multi-device Rights Management and Digital Signature capabilities will be demonstrated in booth 1037 along with a variety of security partner solutions to protect the information lifecycle.

Adobe Recruiters will be available in the booth to discuss open engineering and product management positions on the security solutions team.

John Landwehr is hosting a Peer to Peer session at the conference on "Ten Qs to ask when selecting corporate governance and compliance solutions". This session will be in the Orange Room 238 on Tuesday February 6 at 1:30pm. Seating is limited.


September 18, 2006

Acrobat 8 Security

Today, Adobe Systems announced Acrobat 8, enabling business professionals to reliably create, combine, and control Adobe PDF documents for easy, more secure distribution, collaboration, and data collection.

Here's a preview of some of the new Acrobat security capabilities:


* Native document redaction
* Document inspection (for metadata, attachments, and other potentially hidden information)
* Support for Adobe Online Services
* "Roaming Credential" system for easier digital signature deployments
* Updated user-interface for digital signatures
* Security plumbing updates like SHA256 & SHA512
* and more...

Stay tuned...

September 6, 2006

Adobe Security Workshop at MAX Conference

At MAX 2006, Adobe will host a workshop on our information assurance architecture that provides persistent security across multiple file formats.

MAX is the annual user conference offering the Adobe community an unprecedented opportunity to learn about Adobe software, interact with industry experts, connect with other Adobe software users, and have lots of fun.

The security workshop will be held Tuesday October 24 at 3pm and Thursday October 26 at 12 Noon at The Venetian Hotel in Las Vegas, Nevada, USA.

Registration information is available here.

March 14, 2006

Proper redaction techniques in PDF

Redaction and document metadata leakage have been in the news lately based on various public incidents.

This is not proper redaction!

Adobe has been made aware of customers posting public documents that have not been redacted properly to remove sensitive information. The most common user error is shown above. What appears to be an opaque rectangle over some text is actually the same color font and background applied together. If you select the above text, copy it to the clipboard, and paste it into another application - you'll see what was redacted!

For the proper way to redact documents in their source form and PDF, Adobe has written a whitepaper titled "Redaction of Confidential Information in a Document".

The National Security Agency Information Assurance Directorate has also provided guidance in a document titled: "Redacting with Confidence: How to Safely Publish Sanitized Reports Converted from Word to PDF"
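A pre-publication check for the error described above, as an added example that is not Adobe's code or tooling: it walks a PDF page content stream and reports text drawn in the same fill color as a filled rectangle behind it. The sample stream, the function name, and the narrow operator subset (uncompressed streams, `g`/`rg` colors, `re` rectangles, `Td`/`Tm` positioning, `Tj` literal strings without escapes) are assumptions made for illustration.

```python
import re

# Constructed sample: an uncompressed page content stream in which a black
# rectangle is filled and black text is then drawn on top of it.
SAMPLE_STREAM = b"""
0 g
BT /F1 12 Tf 72 720 Td (Case summary for public release) Tj ET
0 0 0 rg
70 696 200 16 re f
BT /F1 12 Tf 72 700 Td (Witness: Jane Example) Tj ET
1 0 0 rg
BT /F1 12 Tf 72 680 Td (Page 1) Tj ET
"""

TOKEN = re.compile(rb"\((?:\\.|[^\\()])*\)|[^\s()]+")
NUMBER = re.compile(rb"[+-]?(?:\d+\.?\d*|\.\d+)")
FILL_OPS = {b"f", b"F", b"f*", b"B", b"B*", b"b", b"b*"}
END_PATH_OPS = {b"n", b"S", b"s"}


def find_same_colour_text(stream):
    """Return [(text, (x, y))] for text whose fill colour equals that of an
    already-painted rectangle covering the text origin (hypothetical helper)."""
    fill = (0.0, 0.0, 0.0)   # PDF's default nonstroking colour is black
    pos = (0.0, 0.0)         # current text origin
    pending, painted, operands, hits = [], [], [], []
    for tok in TOKEN.findall(stream):
        # Strings, names and numbers are operands; anything else is an operator.
        if tok[:1] in (b"(", b"/") or NUMBER.fullmatch(tok):
            operands.append(tok)
            continue
        nums = [float(t) for t in operands if NUMBER.fullmatch(t)]
        if tok == b"g" and nums:
            fill = (nums[-1],) * 3
        elif tok == b"rg" and len(nums) >= 3:
            fill = tuple(nums[-3:])
        elif tok == b"re" and len(nums) >= 4:
            x, y, w, h = nums[-4:]
            pending.append((min(x, x + w), min(y, y + h),
                            max(x, x + w), max(y, y + h)))
        elif tok in FILL_OPS:
            painted += [(rect, fill) for rect in pending]
            pending = []
        elif tok in END_PATH_OPS:
            pending = []
        elif tok == b"BT":
            pos = (0.0, 0.0)
        elif tok == b"Td" and len(nums) >= 2:
            pos = (pos[0] + nums[-2], pos[1] + nums[-1])
        elif tok == b"Tm" and len(nums) >= 6:
            pos = (nums[-2], nums[-1])
        elif tok == b"Tj" and operands and operands[-1][:1] == b"(":
            text = operands[-1][1:-1].decode("latin-1")
            for (x0, y0, x1, y1), colour in painted:
                if colour == fill and x0 <= pos[0] <= x1 and y0 <= pos[1] <= y1:
                    hits.append((text, pos))
                    break
        operands = []
    return hits


if __name__ == "__main__":
    for text, origin in find_same_colour_text(SAMPLE_STREAM):
        print("still extractable under same-colour box:", repr(text), origin)
```

An empty result only means this one pattern was not found; removing the text from the source document, as the whitepapers above describe, is still the fix.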

February 12, 2006

Adobe Security Solutions at RSA 2006

This week we'll be in booth #1323 at the 15th annual RSA Security Conference demonstrating our information assurance solutions that enable enterprise rights management and digital signatures. These solutions work in conjunction with Adobe Acrobat 7, the widely distributed Adobe Reader 7, and soon Microsoft Office to help ensure the reliability of electronic information, enhance the protection of intellectual property, safeguard the privacy of customers, and comply with regulations governing electronic information.

Adobe will host several focused educational sessions on relevant topics in the security arena, including document encryption, high assurance digital signatures and digital rights management beyond the firewall, the use of information classification strategies to help protect intellectual property, as well as a panel discussion on the BioPharma industry's SAFE PKI effort to create a single electronic signature standard based on public key infrastructure (PKI).

In addition, several partners appearing in Adobe's theater presentations will highlight new solutions and strategies for securing information throughout its lifecycle, including ActivIdentity, Arcot, Entrust, GeoTrust, RSA and SafeNet.

Wednesday, Feb. 15, 2006 (3:25 - 4:25 PM): Encryption and Rights Management Services for Enterprise Document Security with Adobe’s Gary Gilchrist and Bill Shapiro.

Wednesday, Feb. 15, 2006 (4:50 - 6:00 PM): How the BioPharma Industry is Creating SAFE Digital Signatures with Adobe’s John Landwehr, Johnson & Johnson’s Richard Guida, GST Advisors’ Guy Tallent, and Cybertrust’s Matthew Tuttle.

Thursday, Feb. 16, 2006 (3:25 - 4:25 PM): Managing Business Risk via Information Classification with Gartner’s Paul Proctor, Adobe’s John Landwehr, and Lexmark International’s Sam Moore.

January 2, 2006

Hello and Welcome...

In today's world, security matters more than ever and this blog is dedicated to various security matters relevant to Adobe. Your host is John Landwehr, Director of Security Solutions and Strategy. John's team oversees the company's information assurance solutions and partnerships for securing the information lifecycle with persistent content-level confidentiality, privacy, authenticity, rights management and reliability. John has presented testimony to the United States Congress on electronic commerce and security issues, is a Certified Information System Security Professional (CISSP), a board member of the San Francisco Bay Area Members Alliance local FBI InfraGard chapter and the Electronic Authentication Partnership, and a graduate of Northwestern University.

This blog will generally discuss topics such as enterprise rights management, digital signatures, public key infrastructure (PKI), and identity management, in addition to Adobe's security products, features, and relationships in the information security ecosystem.