
September 27, 2009

McAfee and Adobe Team on Automated Data Protection (DLP + DRM)

McAfee and Adobe today announced their global strategic partnership across enterprise and consumer businesses. For enterprises, the companies are developing an integrated solution to expand data protection across the enterprise using data loss prevention and rights management technologies. For consumers, McAfee's free diagnostic tool, McAfee Security Scan, is available as an optional download to customers when installing Adobe Reader and Adobe Flash Player.

Continue reading "McAfee and Adobe Team on Automated Data Protection (DLP + DRM)" »

September 22, 2009

Canon introduces imageRUNNER ADVANCE with LiveCycle Rights Management

Canon announced today their imageRUNNER ADVANCE Series to seamlessly bridge the distance between user and multifunction printer (MFP). These models have a tighter collaboration with Adobe technologies, offering the ability to print and scan into a variety of Adobe PDF formats and integration with Adobe LiveCycle Rights Management ES to bring secure collaboration to PDF documents.

Integration with LiveCycle Rights Management is provided directly on the imageRUNNER ADVANCE control panel to easily select document security policies that persistently protect the electronic document after it is scanned on the device.

May 22, 2009

Primer on configuring offline lease and synchronization

Today, I hope to answer some of the questions surrounding “offline lease” and “offline synchronization” settings within the LiveCycle Rights Management ES server configuration. Here is a screenshot showing several settings within our Admin UI:

 

and within our end-user-facing policy-edit UI:

 

What are these settings for? The “offline lease period” and “offline synchronization period” are interrelated settings that dictate how and when clients can be trusted to access (view, modify, print, etc) “offline”. There are varied casual definitions of “offline” depending on the scenario: when an executive needs to view confidential documents on an airplane without network access; when a field service technician is on-site at a customer location repairing a device but not entitled to “network guest access” due to security concerns. Both are supported with our solution and in fact are exceedingly transparent to the end user because they “just work” when the client is unable to “phone home” to the LiveCycle Rights Management ES server to authorize access in real time.

 

Customers appreciate that this offline access mechanism works transparently for users when they need it most – but only when the author (and administrator) want it enabled. Not all organizations are willing to enable offline features for their most sensitive documents because, while they retain complete access to revoke content or change authorization rules at any time, they are not guaranteed that these changes will go into effect immediately for all users world-wide. This is because the users and clients who are physically unable to “phone home” to the server will not receive an updated set of authorization rules while they remain disconnected.

 

In other words, by introducing offline access, authors retain complete control over protected intellectual property, however they introduce some latency before authorization rules are implemented.

 

This latency is the period of time before the clients can “phone home” to get the latest set of authorization rules. So we offer customers the ability to set a “ceiling” on the amount of latency they are willing to tolerate between an authorization rule being changed and when it will go into effect worldwide.

 

The maximum tolerated latency can be configured by document author/owners on a per-policy basis. This offers our customers the greatest flexibility because an internally-targeted policy covering executive “Insiders” may be very different from information classified for external use by customers. So how does this work? Each policy can set the "auto-offline lease period" - refer back to the second screenshot. This is how an author sets the maximum latency associated with one policy (and all documents associated with it). Since not all authors will want to set the latency, we give the administrator the ability to establish a default global latency: see screenshot one, where the administrator can set the default maximum latency – which is the value that is copied into each policy when it is created.

 

When discussing the feature, customers ask what happens if a disconnected user has access to two different documents with different policies and different latency thresholds (the offline lease period). An example may help – say we have document A which allows three days of offline access, and document B which allows 15 days, and the client last phoned home to the server on March 1. Through March 3, the client will be authorized to view document A and document B, and from March 4-15 will be able to view document B only. If on March 8 the client phones home again, the clock is reset so document A and B will be viewable until March 11, and B will continue to be accessible until March 23.

 

Back to the March 1 example. What if somebody gives the offline client document C with 10 days of maximum latency on March 6? Because our system tries to be transparent to the user, and we do not require offline documents to be opened first online, he will be able to open document C from March 6 through March 10.

 

So…how does “Default Offline Synchronization Period” (screenshot one) relate? It’s a global server setting regulated by the administrator that dictates how long offline accessible documents should remain available offline. We accomplish the feature of not requiring offline documents to be opened first online by having the server give the client enough information to open “all” documents the user should be entitled to use while offline.

 

Our engineers decided to allow customers to tune whether “all” is really “all documents ever protected in the system” or whether in most customer uses it may mean for example “all documents protected in the last 365 days”, because many customers may not need to grant access to documents offline forever. By tuning this from an infinite (true “all”) period to a rolling-window of XX (e.g., 365) days, it simplifies the amount of information that needs to be sent to the client, and the amount of information that the client must store. The user benefit of this is that if you hire a new employee in the future and want to enable his machine to access documents offline, it’s unlikely he would need to access documents from 1982 while offline.

 

There are clearly tradeoffs here; the key takeaway is that this value should be set to the amount of time the client should allow protected documents to be viewed offline from the date they are initially protected.  Tuning this value to accommodate your scenario may be somewhat complex, so if you have any questions about your setup, do not hesitate to contact your local Adobe support representative.

 

Some general advice: administrators should set the offline synchronization period to be the total amount you would like documents to be viewable offline. It’s very easy to set this value large at initial deployment and then decide to tune it down later. Increasing this value is possible, but we recommend you contact Adobe support first to understand the implications and interactions in the system.

 

In conclusion, the “offline synchronization period” is an administrator-tunable setting that makes sure the end-user experience is always straightforward and that people can view confidential intellectual property when on an airplane, at a disconnected customer site, etc. Simply set this as the maximum time any document can be used offline from when it is initially protected.

 

End users who want to control access to content need only set how long they want their content to be viewable offline—and remember that it will stop being viewable offline once the “offline synchronization period” has been exhausted.
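The lease arithmetic from the March example, combined with the synchronization-period cap, as an added example (not Adobe's code and not part of the original post). The `ProtectedDoc` type, the function names, the year 2009 and the protection dates are assumptions; expiry dates are treated as exclusive, which is the reading that matches every date in the example above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class ProtectedDoc:
    name: str
    lease_days: int      # the policy's offline lease period
    protected_on: date   # date the document was first protected (constructed)


def offline_expiry(doc: ProtectedDoc, last_sync: date,
                   sync_period_days: Optional[int] = None) -> date:
    """First date on which `doc` can no longer be opened offline.

    The lease runs from the client's last contact with the server; the
    synchronization period runs from the date the document was protected.
    Whichever ends first wins. None models an unlimited ("all") period.
    """
    lease_end = last_sync + timedelta(days=doc.lease_days)
    if sync_period_days is None:
        return lease_end
    return min(lease_end, doc.protected_on + timedelta(days=sync_period_days))


def viewable_offline(doc: ProtectedDoc, today: date, last_sync: date,
                     sync_period_days: Optional[int] = None) -> bool:
    """True if a disconnected client may open `doc` on `today`."""
    return last_sync <= today < offline_expiry(doc, last_sync, sync_period_days)


def revocation_exposure_days(doc: ProtectedDoc, revoked_on: date, last_sync: date,
                             sync_period_days: Optional[int] = None) -> int:
    """Worst-case number of days (revocation day included) that a revoked
    document stays openable on a client that never reconnects.
    Zero if the client synchronized on or after the revocation date."""
    if revoked_on <= last_sync:
        return 0
    expiry = offline_expiry(doc, last_sync, sync_period_days)
    return max(0, (expiry - revoked_on).days)


# Constructed sample data mirroring documents A, B and C from the post.
MARCH_1 = date(2009, 3, 1)
DOC_A = ProtectedDoc("A", lease_days=3, protected_on=date(2009, 2, 1))
DOC_B = ProtectedDoc("B", lease_days=15, protected_on=date(2009, 2, 1))
DOC_C = ProtectedDoc("C", lease_days=10, protected_on=date(2009, 2, 1))
# A document protected almost a year earlier, to show the 365-day cap.
DOC_OLD = ProtectedDoc("old", lease_days=15, protected_on=date(2008, 3, 10))

if __name__ == "__main__":
    for doc in (DOC_A, DOC_B, DOC_C):
        last_day = offline_expiry(doc, MARCH_1) - timedelta(days=1)
        print(f"{doc.name}: last offline day after a March 1 sync = {last_day}")
    print("old doc, 365-day sync period:", offline_expiry(DOC_OLD, MARCH_1, 365))
    print("exposure if B is revoked on March 2:",
          revocation_exposure_days(DOC_B, date(2009, 3, 2), MARCH_1), "days")
```

The model does not cover whether the client actually received what it needs to open a given document at its last synchronization; it only bounds the dates on which offline access can succeed.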


Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at http://www.adobe.com/go/rm or by contacting Adobe

May 1, 2009

Seven Technology Habits of Highly Effective CFOs

Recently, Adobe executive vice president and Chief Financial Officer Mark Garrett presented a keynote at the CFO Rising conference, sponsored by CFO Magazine. Speaking to a ballroom full of senior finance executives, Mark outlined the “Seven Technology Habits of Highly Effective CFOs” and utilized several case study examples to illustrate his points.

Continue reading "Seven Technology Habits of Highly Effective CFOs" »

April 22, 2009

Seamlessly storing and managing documents protected with LiveCycle ES

A frequent topic of conversation with customers is how LiveCycle ES can be used to seamlessly store and manage protected documents. Following on to an earlier discussion of some of the capabilities within LiveCycle Content Services ES, we recently published an article in the LiveCycle Developer Center describing how LiveCycle can be used as a repository of protected documents. An online guide as well as several Captivate demos can be found at http://www.adobe.com/devnet/livecycle/articles/rm_contentservices.html.



March 11, 2009

Acrobat and Reader 9.1 Now Available with Information Assurance Updates

Version 9.1 of Adobe Acrobat and Adobe Reader is now available with critical security updates and other product improvements. Adobe strongly recommends all users update using the built-in software update system or manual download from adobe.com. Here are some additional details on this release:

Continue reading "Acrobat and Reader 9.1 Now Available with Information Assurance Updates" »

February 26, 2009

Primer on Server Base URL

One frequently asked question I get is about the “Base URL” setting within the LiveCycle Rights Management ES server configuration. What is this for? It’s a global setting that is used in several places where the server must identify its location to a remote client. The text is used as a “base” for deriving various types of server URLs. Here is a screenshot of the relevant configuration section of the administrative web console:

Here are two examples of its use in the system:

  • Have you ever wondered how, when somebody opens a RM protected document, the client determines your credentials and decrypts the document? “Baked” into each protected document are two important pieces of unencrypted information: a globally unique identifier (the document GUID), and the server address that the client contacts to receive authorization to decrypt and open the document. The server address is a derivative of the base URL that the administrator configured when setting up the server.
  • When an author or recipient performs a “web-based action” on a particular document, the client will automatically receive a single-sign-on-based redirect to a web page populated with the appropriate information. For example, the client-based request to view the audit history of a document opens a web browser showing which users have viewed, modified, or printed a protected document. The end-user experience is seamless, and the redirect instruction is derived from the base URL of the document.

 

The advantage of deriving URLs from this base URL is that it simplifies the end-user experience, as outlined above, and gives flexibility to customers implementing a LiveCycle Rights Management server. This flexibility means that administrators can leverage DNS as a layer of indirection between client and ultimate server(s). DNS, for example, can provide different routes to a server depending on whether a document viewer is located inside or outside of a company’s network. It can also be used with a load-balanced cluster to ensure that LiveCycle Rights Management runs as a high-availability and high-throughput system.

However, when configuring this URL you need to be careful: by changing settings on the server, you may orphan existing secured documents if you neglect to update DNS to point to the new server. Also, because of the sensitive information communicated between our server and clients (e.g., Adobe Acrobat, Adobe Reader, the LiveCycle Rights Management ES Extensions for Microsoft Office, PTC Pro/ENGINEER, …), we strongly advocate that the URL specified be HTTPS such that the communication is done over SSL. In fact, most of our clients will refuse to talk to a server URL that is not specified as HTTPS. (Specifying an HTTP-based URL will attempt to force the client to communicate over HTTP; however, this is likely to fail because our clients generally do not support non-SSL connections.)
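A pre-change check that encodes the three cautions above (HTTPS only, DNS name rather than a fixed address, and the orphaning risk when the address changes), as an added example that is not Adobe's code. The function names, finding codes and the `example.com` URLs are constructed for illustration; the check only parses strings and does not talk to a server.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def endpoint(url):
    """Return (scheme, host, effective port); urlsplit lower-cases scheme and host."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)


def lint_base_url(proposed, deployed=None):
    """Return a list of (severity, code, message) findings for a proposed base URL.

    `deployed` is the base URL already embedded in previously protected
    documents, if any (hypothetical parameter for this example).
    """
    findings = []
    scheme, host, port = endpoint(proposed)

    if scheme != "https":
        findings.append(("error", "not-https",
                         "clients generally refuse non-SSL server URLs"))
    if not host:
        findings.append(("error", "no-host", "base URL has no host component"))
        return findings

    # An IP literal gives up the DNS indirection the post recommends
    # (split routing inside/outside the network, load-balanced clusters).
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        findings.append(("warn", "ip-literal",
                         "use a DNS name so the server can move behind it"))

    # Protected documents carry the server address derived from the base URL
    # that was configured when they were protected.
    if deployed is not None and endpoint(deployed)[1:] != (host, port):
        findings.append(("warn", "address-changed",
                         "existing documents embed the old address; keep it "
                         "resolving to a live server or they are orphaned"))
    return findings


def codes(findings):
    """Just the finding codes, in order."""
    return [code for _severity, code, _message in findings]


if __name__ == "__main__":
    samples = [  # constructed inputs
        ("https://rm.example.com:8443", None),
        ("http://rm.example.com:8080", None),
        ("https://10.0.0.5:8443", None),
        ("https://rm2.example.com:8443", "https://rm.example.com:8443"),
    ]
    for proposed, deployed in samples:
        print(proposed, "->", codes(lint_base_url(proposed, deployed)) or "ok")
```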




February 15, 2009

SC Magazine article: Minding your documents

Do your employees know what "confidential" really means? Do you need an information classification system to better protect your sensitive documents?

Continue reading "SC Magazine article: Minding your documents" »

Packaging options for encrypted PDFs

Since Acrobat 2.0 in 1994, encryption has been available to protect a PDF document - restricting who can open it and what they can subsequently do with it. Today, there are a number of packaging options for distributing one or more protected PDF files.

Continue reading "Packaging options for encrypted PDFs" »

January 30, 2009

Register Now for a joint Adobe Security eSeminar with special guest Forrester Research

Event Details:

Please join Adobe and Forrester Research on February 10th at 2pm EST as we attempt to help you address the always difficult question "Is your company's data safe?".

To succeed in today's global economy, companies face intense pressure to produce and deliver better products and services to the market faster and more efficiently. Accordingly, sensitive information needs to be exchanged efficiently and securely to partners and suppliers across industries and geographies with diverse regulatory requirements.

Join Adobe's John Carione, and special guest Jonathan Penn, Analyst at Forrester Research, to learn how to be proactive and systematic in reducing the risk of Data Loss in your environment. Jonathan will discuss best practices in data security, trends in the industry, and examine the inherent strengths of today's data protection solutions and how they relate to a customer's underlying business drivers. John will then address how Adobe customers are using Rights Management technology to protect sensitive information assets as they flow inside the Enterprise and beyond. He will also discuss the need for persistent document enforcement as a vital extension to any Enterprise classification project.
Attendees will learn how to:

• Proactively protect and control sensitive information
• Deliver best practices around data protection
• Understand the importance of Rights Management in any Enterprise Security strategy

Speakers:
John Carione
Senior Product Marketing Manager, LiveCycle

Jonathan Penn
Analyst, Forrester Research

Event Schedule:
Tuesday, February 10, 2009 at 2PM EST (11AM PST)

Register Now here

January 26, 2009

Configuring Certificate Authentication

Following on to our overview of authentication types in LiveCycle Rights Management, we recently published a guide within the LiveCycle Developer Center that shows how you can configure LiveCycle to support certificate authentication. You can read it here: http://www.adobe.com/devnet/livecycle/pdfs/lcrmes_config_authentication.pdf

December 2, 2008

Flexibility in identifying and authenticating users

We've received a bunch of good feedback lately on some of our explanations and demonstrations of the authentication types supported in LiveCycle Rights Management. We adapted some of these posts into a technical article within the LiveCycle Developer Center on Adobe's web site. You can read it here: http://www.adobe.com/devnet/livecycle/articles/rm_authentication.html

December 1, 2008

Acrobat 9 and password encryption

Based on some recent online discussion of Acrobat 9 and password encryption, we’re posting to provide a quick summary on what has changed, how it impacts the overall security of PDF documents, and Adobe's commitment to providing high-assurance document security implementations.

Continue reading "Acrobat 9 and password encryption" »

November 7, 2008

Improving Design Collaboration While Reducing Risk

As we've mentioned in earlier posts on this blog, LiveCycle Rights Management ES has a growing set of integrations with 3D CAD/CAM packages. Today we have integrations in the market to provide for rights management IP protection in native Pro/ENGINEER, CATIA, and XVL files.

Adobe recently hosted a joint webcast with PTC to showcase how customers can improve design collaboration while reducing risk using Pro/ENGINEER and LiveCycle Rights Management. In today’s global manufacturing marketplace, survival depends on fast time-to-market.  Spreading the design process across the supply chain continues to increase design complexity as customers demand better products, quickly.   The key is better collaboration, but as companies try to deliver better information, earlier in the process, to a broader audience, the risk of intellectual property (IP) loss goes up dramatically.  Survey after survey has shown that protection of design information is at the top of the list for most engineering organizations.  Companies that learn to balance improved collaboration with the risk of IP loss will be the winners moving forward.

You can replay the webcast by going to: http://www.ptc.com/view?im_dbkey=76710

November 4, 2008

Adobe at Secureworld Expo Detroit - This Week!

Adobe will be participating in the Secureworld Expo in Detroit at the Ford Conference and Event Center. Adobe representatives will be in the booth on Wednesday, November 5th and Thursday, November 6th from 9am - 3pm EST. Please stop by the booth where we will be giving live demos and discussing the benefits of Adobe LiveCycle Rights Management ES in a manufacturing context. Click http://secureworldexpo.com/events/index.php?id=257 for more details on the conference agenda and last minute registration.

As a bonus, I'll be participating in a panel discussion titled "Data Protection - It's All About the Data" on Thursday November 6th at 1pm EST. The session will be moderated by David Meunier, former VP/CISO, CUNA Mutual.
Please click http://secureworldexpo.com/events/conference-details.php?cid=2388 for additional information and a list of presenters.

We look forward to you joining us in Detroit this week!!

October 28, 2008

Configuring Rights Management client access

Adobe's LiveCycle Rights Management solution has been in the market since the beginning of 2005 and can be used to protect a growing variety of file formats - PDF, Office, CAD, and FLV as of our LiveCycle ES Update 1 release this past summer. The server works together with Adobe Acrobat and Adobe Reader clients to protect, view, and manage sensitive PDF documents. Because support is included in every copy of Acrobat and Reader 7.x, 8.x, and 9.x, we have more than 700 million machines worldwide that are capable of receiving protected PDF documents with absolutely no configuration required or any special software to be deployed.

We give our customers the option to allow documents to be viewed on any of these clients out of the box, but understand that in certain cases customers might wish to restrict clients to the latest version. For example, there may be cases where customers want to take advantage of newly introduced functionality, such as the new AES-256bit encryption algorithms introduced earlier this year.

As such, we now allow customers to configure each deployed server to restrict which client versions or applications the server may communicate with. Technical details can be found at http://www.adobe.com/devnet/livecycle/articles/deny_services.html.



 

 

October 21, 2008

Communicating the value of Adobe's Information-Centric Security Solutions

We are excited to announce a new set of assets aimed at helping our customer community and ecosystem partners better understand the benefits and value that can be derived from Adobe's Information-Centric security solutions. If you haven't heard the term "Information-Centric" before, it's not new, but it well represents the way Adobe technologies protect the confidentiality, integrity, and authenticity of information -- natively within the information itself.

For LiveCycle Rights Management ES and LiveCycle Digital Signatures ES, please feel free to download and view a host of new collateral including:

New datasheets that provide an overview of the value proposition and specific areas where our solutions solve real customer problems:

LiveCycle Rights Management ES: http://www.adobe.com/products/livecycle/pdfs/livecycle_rights_management_es_datasheet_na.pdf

LiveCycle Digital Signatures ES: http://www.adobe.com/products/livecycle/pdfs/95011596_lc_digisig_ds_ue.pdf

There are also two new whitepapers. The first, for Rights Management, is entitled "Delivering an Information Risk Management strategy across the heterogeneous enterprise" and is intended to describe the need to protect sensitive information consistently wherever it resides in the enterprise. This paper also outlines common use cases via customer anecdotes about how LiveCycle Rights Management ES is protecting the most widely used file types inside (and outside) the organization. http://www.adobe.com/products/livecycle/pdfs/95011600_lc_rightsmgmt_wp_ue.pdf

The second whitepaper is entitled "Electronic Signatures: Solution Scenarios for your Environment". This piece is intended to articulate the different electronic signature solutions offered by Adobe and help folks understand the pros and cons of each, so you're best prepared to map the right electronic signature solution to your assurance level requirements. http://www.adobe.com/products/livecycle/pdfs/95011606_Digital_Signature_wp_ue.pdf

Finally, there are also new updates to our website including updated customer success stories, in-depth pages, features and benefits pages, and a detailed supported formats page for Rights Management.

LiveCycle Rights Management ES: http://www.adobe.com/products/livecycle/rightsmanagement/
LiveCycle Digital Signatures ES: http://www.adobe.com/products/livecycle/digitalsignatures/
Enjoy!

October 14, 2008

BPI Philosophy

Often, there are times when the demands of an intellectual property owner are at odds with the desires of an intellectual property recipient/user. First and foremost, IP owners want to make sure that their sensitive information remains sensitive, such that the "right" information is available to the "right" people. As authors, they specify who is entitled to open content to view, modify, print, etc. Recipients may be surprised to discover that they are not entitled to print or modify protected content, particularly if in the past they were able to -- in spite of expressed intent or legal restrictions in place.

In cases where these two conflict, our philosophy is to favor the intellectual property owner and his intent, as security is more important than convenience. We do, however, wish to provide users with the best experience possible. We understand that to be effective security must be straightforward and seamless.

Accordingly, we have developed a philosophy of prioritizing "Block, Prevent, and Inform." It is most important for our Rights Management solutions to block actions prohibited by the author. In addition, we aim to prevent users from attempting to perform operations that are blocked. For example, we disable menu items that are blocked. Finally, we want recipients to understand what restrictions are in place and why, and so we have mechanisms in place to inform them.

Here is an example of how we inform users of what is and is not allowed. Within our LiveCycle Rights Management ES Extension for Microsoft Office, we include "security status" on the Office Ribbon bar to provide context for the protections in place.


Questions or feedback on this entry? Contact us at RMFeedback@adobe.com


October 13, 2008

Live Webcast: Information Assurance - Keeping Your Documents Secure

Join us for this LIVE Event on:
Wednesday, October 29, 2008
12:00 PM PT / 3:00 PM ET

The need to keep your organization's business critical information confidential by restricting distribution and preventing unauthorized disclosure of this information is imperative. Discover how Adobe Acrobat 9 can help protect your organization’s sensitive information by helping provide document control and security, addressing issues such as encryption, document authenticity, passwords, redaction, and sanitization/metadata removal. Join John Landwehr as he covers best practices on Security and Information Assurance.

More information and registration is available here.

September 30, 2008

Rights Management within LiveCycle Content Services

This past summer Adobe released LiveCycle ES Update 1. This release includes LiveCycle Content Services ES, a fully integrated set of content services that enables organizations to "manage content in a lower-cost, extensible way for cross-company and cross-organizational processes". LiveCycle Rights Management ES is a core part of this offering, and allows organizations to include content protection as a part of these cross-organizational processes.

Each "space" within Content Services can be seen as a folder to hold sub-spaces or content. These spaces can be associated with business rules and security -- including various access control rights as defined by LiveCycle Rights Management ES.

It's easy for business users to interact with these spaces because content can be added in several different ways; for example: using the Web UI, FTP, CIFS, or WebDAV. Adding security is a breeze because the act of adding content can be associated with an automatic trigger that can protect the content with Rights Management. For example, an administrator can create a trigger to associate the "Confidential" policy for general documents, or the "Mergers & Acquisitions" policy for content being stored for the M&A team.

In today's blog entry we show off a simple example of how:

  1. An administrator can create a rule to automatically protect all content with a specific predefined policy.
  2. An end user can upload a document to be automatically protected.
  3. A recipient can open a protected document within the Content Services repository.

Click on the following screenshot of LiveCycle Content Services for a brief tour of this functionality:

Guest Contributor: Neerav Aggarwal



September 21, 2008

Adobe Presenting at Security Automation Conference

On Wednesday September 24, 2008 John Landwehr from Adobe will be providing an overview of Digital Rights Management at the 4th Annual IT Security Automation Conference at NIST - Gaithersburg, MD.

A copy of the keynote presentation is available here as a 5MB PDF download.

September 9, 2008

DIRECTV NFL Sunday Ticket Supercast protected by Adobe products

DIRECTV and Adobe announced that the NFL SUNDAY TICKET SUPERCAST is powered by Adobe's video solution with content protection.

DIRECTV is also providing SUPERCAST as a downloadable rich Internet application (RIA) built on Adobe AIR. Adobe AIR offers a new way to engage customers on the desktop with a downloadable, branded RIA that can be deployed across major operating systems. The SUPERCAST application on AIR provides a wide variety of real-time NFL SUNDAY TICKET content right on the desktop as games stream live in high-quality H.264 video, including Red Zone channel’s live-action of critical plays, statistics and moments from game broadcasts, as well as near real-time highlights from all the games. Additionally, only in the SUPERCAST application on Adobe AIR can fans receive desktop notification alerts when requested highlights become available. SUPERCAST is available at www.directv.com/supercast.

Content is streamed live via Adobe Flash Media Server software to the browser using Adobe Flash Player technology, which is installed on more than 98 percent of Internet-connected computers, and to the desktop via Adobe AIR. DIRECTV also uses Adobe Flash Media Rights Management Server software for digital rights management (DRM) to protect the NFL premium on-demand content downloaded to the desktop. Adobe Flash Media Server is helping enable DIRECTV to stream content more securely and cater to large volumes of fans with rapid, reliable delivery of exciting content. Adobe Flash Media Rights Management Server is a robust on-demand content protection solution that is non-intrusive to users, yet can allow DIRECTV to safeguard media integrity, authenticity and access, whether SuperFan subscribers are online or offline, even after the content has been viewed.

August 21, 2008

Adobe Secured Customer Showcase: Allgaier Automotive GmbH

Read about how Allgaier Automotive is using LiveCycle Rights Management ES to improve communication of and collaboration on complex 3D design models.

http://www.adobe.com/cfusion/showcase/index.cfm?event=casestudydetail&casestudyid=510844&loc=en_us

August 18, 2008

Flexibility in identifying and authenticating users – Part Two

LiveCycle Rights Management ES provides four fundamental types of authentication to the end-user: anonymous authentication, username/password authentication, Kerberos SSO authentication, and Smart card/Certificate authentication. These enable out-of-the-box deployment into a variety of authentication infrastructure, along with allowing for substantial mechanisms for customization and integration. As promised in part one, today's topic is a deep dive on smartcard/certificate authentication and the benefits to customers.

 

Smart card / Certificate authentication

The fourth type of authentication that LiveCycle Rights Management ES supports is smart card, or certificate-based authentication. For some customers, this form of authentication is often more secure than the other forms of authentication supported. To understand how it works in LiveCycle Rights Management ES and the benefits it provides, however, requires some background and context.

A smart card, in its most well-known form, is a credit card-sized ‘intelligent card’ that carries a user’s credentials in the form of Digital Certificates. Many variants today also possess processing capabilities like the ability to compute Digital Signatures. A smart card is a something-you-have type of authentication, as compared to Username/Password which is something-you-know.

A Digital Certificate, often just referred to as a Certificate, is a digital document that at a minimum includes a Distinguished Name (DN) and an associated Public Key. The DN uniquely identifies a user’s identity, and the public key can be used to prove that identity. The Certificate is signed by a trusted third party known as a Certificate Authority (CA). The CA vouches for the authenticity of the certificate holder. This Public Key Infrastructure (PKI) assumes the use of Public Key Cryptography, which is the most common method on the Internet for authenticating end parties or encrypting messages. PKI overcomes the significant flaws in traditional, or symmetric, cryptography, and at the same time provides added security by having strict requirements for key lengths and industry standard cryptographic algorithms (set forth by Public Key Cryptography Standards or PKCS, and governed by RSA Laboratories).

At the time of authentication, LiveCycle Rights Management ES validates the chosen Certificate’s signature against its cache of known and trusted CA certificates. The server verifies the Certificate, validates the Digital Signature, and finally maps this Certificate to a unique user through the rules an administrator creates when configuring LiveCycle. LiveCycle Rights Management ES also provides for flexibility and easier enterprise integration by providing server-based “SPIs,” which can be used to develop custom certificate authentication providers.

Many enterprises and governments today employ smart card based authentication, not only for its enhanced security but also for its ease of deployment and use for end users. For example the United States Department of Defense issues Common Access Cards (CAC cards) which can be used for secure user identification. These CAC cards can be used within LiveCycle Rights Management ES to authenticate users who are opening protected documents. A user would insert his card into a smart card reader on his machine to identify himself. These readers are available in a variety of form factors and can be connected to a computer using USB or PC card interface – and are integrated into many laptops today, such as the Dell Latitude line of business laptops.

To give you a better idea of how easy it is for an end user to authenticate to LiveCycle Rights Management ES using a smart card, click on the following demo:

Guest Contributor: Chaitanya Atreya


Questions or feedback on this entry? Contact us at RMFeedback@adobe.com

Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at http://www.adobe.com/go/rm or by contacting Adobe

July 7, 2008

Protecting native Office documents

On June 17th Adobe announced an expansion of the LiveCycle Enterprise Suite with our forthcoming LiveCycle ES Update 1 release. Included as a part of this release is the second version of our LiveCycle Rights Management ES Extension for Microsoft Office. This release expands our support to include the ability to protect, and collaborate in, natively protected Word documents, Excel spreadsheets and PowerPoint presentations. Further, we support all editions of Office 2003 and Office 2007 localized natively into English, French, German, and Japanese.

Click on the following screenshot to watch a short Captivate demo of our native support for PowerPoint presentations:

The software is now available for download from http://www.adobe.com/go/getrmextensions for use with your LiveCycle Rights Management ES system.



July 2, 2008

Emerging Technology: Audit Dashboard

LiveCycle Rights Management can help you maintain the confidentiality of sensitive information by protecting files against unauthorized access. You can also monitor each recipient's use of the protected information, including when and how often the file is accessed, through detailed audit logs.

The detailed audit logs are accessible through our Web-based GUI, as well as programmatically through a set of APIs. One of our engineers recently was learning how to develop Adobe AIR applications, and decided to use these APIs to create a new audit dashboard application for examining audit data. We're starting to explore ways to release this application in the future but I wanted to share a preview of it with you. We're looking for feedback - so feel free to send an email to the address at the end of the Captivate video.

Click on the following screenshot to watch the preview:

 



June 30, 2008

The benefits of rights management

Adobe recently published a whitepaper that highlights some of the features and benefits of using Rights Management. It provides a variety of anonymous case studies across industries that showcase how LiveCycle Rights Management ES can be applied across industries to minimize risk while increasing the effectiveness of communication.

Highlights of the case studies include:

  • Using the authentication SDK to allow custom integration with third-party authentication systems. By leveraging customers' non-LDAP authentication infrastructure it reduced the cost to deploy and ensured the solution was non-disruptive.
  • Policy-based control enables flexibility in document usage via seven-day lease and IP address restrictions
  • Using the authorization SDK for native PLM integration, thereby extending the boundary of PLM control to documents regardless of whether they are on laptops, on file servers, or in email.
  • Helping to ensure only the most recent document version is available, regardless of distribution.
  • Secure offline access: viewing protected documents on a laptop with no network access. Authorized users can view only the latest versions of documents while on planes or in the field.
  • Smart card authentication: using multifactor authentication to increase security in high-risk environments.
  • Watermarking: help ensure printed documents reference employee name and timestamp of print to keep employees honest, as well as provide a trail of activity.
  • Audit SDK - View document access usage log data and perform trend analysis.

You can find the paper here.



June 26, 2008

LiveCycle Rights Management ES supports native Pro/ENGINEER documents

In early 2008 PTC shipped Pro/ENGINEER Wildfire 4, their integrated solution for 3D CAD/CAM. As announced in our relationship last year, PTC and Adobe have worked together to integrate Adobe LiveCycle Rights Management ES directly into Pro/ENGINEER, providing native CAD document protection. Sold as the Pro/ENGINEER Rights Management Extension, this solution exclusively works with Adobe LiveCycle Rights Management ES, allowing designers to provide persistent and dynamic access control to Pro/ENGINEER part, assembly, and drawing files.

Adobe's latest release of the LiveCycle Rights Management -- ES Update 1 -- provides additional functionality for Pro/ENGINEER customers wishing to manage and track iterated versions of protected parts and assemblies. These extensions enable designers to ensure that suppliers are instantly updated to the latest version of a design, decreasing the pain of mismatched versions when designing products sourced from multiple organizations.

Click on the following screenshot of Pro/ENGINEER for a brief tour of the functionality:



May 28, 2008

Flexibility in identifying and authenticating users – Part One

Rights management is used to manage usage rights to protect sensitive documents, ensuring that only authorized users have access to protected information. At its core, this is dynamic protection based upon user identities. To facilitate this, the system must know which individual users should have access to secured content.

Flexibility in identifying and authenticating users ensures that protection can be transparently integrated into preexisting infrastructure, and is central to effective deployment. The benefits should be clear: fast deployment, easy administration, and quick to achieve a return on investment.

LiveCycle Rights Management ES provides four fundamental types of authentication to the end-user: anonymous authentication, username/password authentication, Kerberos SSO authentication, and Smartcard/Certificate authentication. These enable out-of-the-box deployment into a variety of authentication infrastructure, along with allowing for substantial mechanisms for customization and integration.

In today’s topic, let me explain some of the possibilities and benefits associated with the first three authentication types:

Anonymous authentication

This type of authentication completely skips identifying the end-user! By granting “guest-level” access to content, end-users need not authenticate prior to being authorized to open content. This allows several workflows:

  1. Authors can distribute content and still control them through the “yank and replace” revocation mechanism. For example, an author can distribute a price sheet or a data capture form, and make sure that only the latest version of content can be viewed.
  2. Even though individual end-user identity is unknown, authorization can be controlled based upon IP address or the number of times content has been viewed. Further, detailed (though anonymous) audit records can keep track of how frequently documents are opened.

Username/password authentication

This is typically the most familiar authentication dialog within LiveCycle Rights Management ES:

RMLogin.jpg

This dialog is the gateway to the powerful “username/password” authentication; it provides out-of-the-box functionality to authenticate users against a variety of directory systems, as well as create a custom integration with other credential providers.

For example, you can authenticate users against supported LDAP directories (e.g., Microsoft Active Directory, Sun Directory Server, IBM Domino LDAP, Novell eDirectory, etc.) that you already have deployed. But there’s no need to limit yourself to LDAP users. We provide two out-of-the-box mechanisms for managing user accounts for customers without existing directory infrastructure: “invited users” and “local users”. Think of these accounts as being stored “locally” within our own built-in directory. Administrators can manage these accounts using our built-in APIs and GUI, and the facility exists for end-users to quickly and easily provision their own accounts.

In all these cases, the end user simply enters his username and password upon opening a document and the server automatically queries the relevant system to verify credentials and further authorize the user. If the administrator chooses to allow it, the end user can also instruct the client to remember his credentials, which will securely cache credentials and not bother him to authenticate for subsequent documents. For many customers, this can enable an inexpensive form of “Single Sign-On” (SSO), since end users would see an authentication dialog at most once, and likely forget they are opening protected content.

This authentication type, however, is much more flexible than basic username/password integration with directory services. We can enable integration with any credential system that traffics in two user-inputted strings. This is because LiveCycle Rights Management ES can dynamically customize this authentication dialog, and because a customer can develop a custom authentication provider integration via the server-based “SPIs”.

For example, some of our financial industry customers have leveraged their existing account management infrastructure, allowing their customers to authenticate via their existing account number and PIN to their policy-protected banking statements. Others have used these SPIs to integrate with one-time password (OTP) systems to enable multi-factor authentication.

Kerberos SSO authentication

Those customers who want the ultimate “transparent integration” with existing authentication infrastructure can choose to enable Kerberos-based single sign-on (SSO). This is an outstanding option for those who feel that “clicks ‘R’ bad”, and never want to be impacted with an authentication dialog.

Because end users never see an authentication dialog when opening a protected document, and frequently forget they are accessing protected content, they often think of this authentication type as “magic.”

Based upon technology built into Microsoft Windows clients and Microsoft Active Directory on the server, Kerberos SSO allows LiveCycle Rights Management ES clients to securely use the credentials the end user entered when logging into his machine to authenticate directly with the Rights Management server.

Next time: A deep dive on smartcard/certificate authentication and the benefits to customers.



April 28, 2008

Delegating control over policy definition and usage with "Policy Sets"

One question that often comes up with customers is "how can my large, distributed organization effectively delegate and manage access control?" Our answer is "policy sets", a feature introduced in LiveCycle Rights Management ES.

The "Policy Sets" feature allows administrators to delegate who can create and manage shared policies. It also permits organizations to control which policies each individual or workgroup can use. Allowing decentralized management enables customers to more effectively ensure their intellectual property is protected.


RMPolicySet.jpg

This short video goes through the functionality in more depth


March 19, 2008

Now available: rights management for downloadable video

Today Adobe announced general availability of the Flash Media Rights Management Server with cross-platform content protection that helps safeguard video content created for Adobe Flash technology against misuse.

Adobe has been offering content protection capabilities for over a dozen years in a variety of formats, starting with PDF and expanding to native office documents and CAD files. As the leader in web video, Adobe has also had online streaming protections from Flash Media Server since its second release in 2005, which have recently expanded in Flash Media Server 3.

Adobe's Rights Management technologies are now included in the Adobe AIR Runtime to protect downloadable and offline video in Adobe Media Player and other custom AIR applications. This provides content owners with the ability to consistently protect their content on both Mac and Windows platforms, with Linux in the works, providing significant cross-platform reach.

The server is also cross platform, running on Windows and Linux, providing utilities to encrypt video files encoded with the Sorenson, On2 and H264 video codecs. Those protected files can then be distributed over standard HTTP progressive download delivery, including through a CDN. The FMRMS service provider interfaces allow for integration into existing infrastructure for authentication and authorization of content.

The content protection capabilities Adobe provides give content owners choices in download to own, download to rent, and ad-supported business models with an engaging user experience including content protection.

A FAQ is available here.


February 4, 2008

Digital Courtroom: Tribunale di Cremona

A new case study is available showcasing Tribunale di Cremona, one of the Courts within the District of Tribunale di Brescia, using Adobe Connect with Adobe LiveCycle solutions to support an end-to-end process for holding legal proceedings with dispersed parties and efficiently delivering all required case documents.

In addition to supporting dynamic web conferences with streaming audio and video, Adobe solutions deliver other benefits to the Digital Connect project. For instance, the court can store court papers for each trial in Adobe PDF; plus staff can handle documents remotely and securely via digital signature authentication.

These capabilities are handled by Adobe LiveCycle solutions to address the need to assign policy controls to protect documents.

“These features are critical,” says Beluzzi. “A trial transcript can be shared among participants, downloaded, digitally signed just as if participants were physically next to each other. In addition, the transcript goes through a workflow and is automatically added to the remaining court papers.”

The project is the result of a productive collaboration with Adobe. First electronic court papers, then web conferencing-based court trials give the Italian justice system a new image: fast, efficient, and on time.

“By collaborating with Adobe and using products such as Adobe Policy Server, Adobe LiveCycle Workflow, and Adobe Connect, the court is designing a powerful system that can be replicated in other areas without customization,” says Beluzzi. “This is important because it allows Tribunale di Cremona to achieve great results with limited efforts, without developing ad hoc software.”

The Court has documented the excellent cost benefits of the system. The total cost of training and traveling for detainees and lawyers is about €467,000 a year. Using Digital Connect to perform trials and to train employees could save the Court over €1 million in three years.


January 2, 2008

Demo: Applying Rights Management to a PDF in Acrobat

Applying a policy from Adobe LiveCycle Rights Management is as easy as two clicks in Adobe Acrobat. With a PDF document open, click the Secure menu, followed by one of the pre-defined policy names (that typically map to an organization-wide information classification system). That's it! Click here to see this demonstrated using Adobe Captivate and Flash...

securemenu.JPG

Dynamic Watermarks with LiveCycle Rights Management

Adobe LiveCycle Rights Management provides dynamic watermarking capabilities on PDF documents. A watermark is an image that is superimposed over the original base document. In a rights managed document, the image can be applied dynamically as the document is viewed in Adobe Acrobat or Adobe Reader. The watermark is not editable by recipients and is not permanently stored in the document. The location is customizable by administrators and can contain pre-defined text such as an information classification as well as the recipient's name, their username, and the date/time the document is opened.

Click here to download a sample PDF with a dynamic watermark across the top of every page. To show it's really dynamic and not burned into the underlying document, the watermark shows the current date and time for which the document was opened. If you close and reopen the document, it will change.

The dynamic watermark is often used as a detective control to track down unauthorized redistribution of sensitive documents and is a good part of a Data Loss Prevention (DLP) strategy. The dynamic watermark reminds the recipients of the document classification, such as "Company Confidential", and the user-specific information shown on the document acts as a deterrent to unauthorized redistribution of the document. If a printed copy of a sensitive document shows up someplace it shouldn't - the source of unauthorized redistribution can be determined by simply looking at the watermark.

The watermark template is defined by LiveCycle Rights Management administrators. Here are the options:

 


A policy definition, such as "Confidential", can then specify which watermark template to use every time that policy is applied:


Here is what a watermarked document looks like with a policy applied that includes a dynamic watermark showing full name, username, custom text, and date/time:


Here we have unchecked the User Name, User ID, and Current Date - leaving only the Custom Text.  The H/V alignment is set to center, and the rotation to 45 degrees:


Here the vertical alignment is set to the top at 50% scale using only the custom text field:


By remapping the user name from the DN in LDAP to a separate field containing a unique hex code for each user, it can be applied rather unobtrusively to the lower right hand corner of a document:


 

November 25, 2007

Deployment tips for enterprise rights management

If you are evaluating or deploying data loss prevention or enterprise rights management technologies, here are some tips we have collected while helping organizations over the past few years. This particular list covers a deployment that spans internal and external users, such as a corporate board book for public companies with a board of directors.

- How will non-employee participants authenticate? Organizations today use LDAP or Active Directory to internally authenticate users. For your non-employee board members, or accountants, partners, or customers - they will also need some form of authentication to your organization. This could also be LDAP, or even stronger security with a one-time-password (OTP) token or a public key infrastructure (PKI)-based smartcard or USB token. Alternatively, we have seen many organizations build their own authentication system using a relational database. Whatever mechanism you choose, make sure that it can tie into your rights management engine directly or through a service provider interface and that the policy server is able to create a single policy that contains participants from multiple directories. That way, a protected document is able to be exchanged seamlessly across the organizational boundary. Beware of encryption/rights management systems that are only tied to an internal or external email address and not another unique identifier. Otherwise, when Joe Smith (jsmith@domain) leaves and Jane Smith (jsmith@domain) joins – Jane could open Joe’s old documents simply because the email address was recycled.

- How will external participants access your network? One option is to set up an IPSEC VPN for remote users to have internal access to authorized servers – including the content repository and the rights management server. Alternatively, SSL VPN is another lighter weight option. If the web service for rights management is available externally, it’s important to utilize account lockout features for potential brute force and denial of service attacks.

- How will protected documents be stored/delivered? Today, many file servers, portals, and content management systems are already providing storage level security and file access control. However, once the document leaves the virtual file cabinet, it loses those controls and subsequent auditing - unless the files are protected with enterprise rights management. Large organizations have numerous vendors and versions of content management systems, portals, and file servers. If files are to be exchanged across business units or divisions, it's important that the rights management system is independent of any one content management system. Note that some vendors are attempting to use rights management as a way to lock in a whole suite of products together across the desktop and server, so look for flexibility and integration options. Once the files are protected, distribution should be possible via web, file shares, email, CD/DVD, and USB storage so as not to disrupt the workflow participants' existing process using those methods. Rights management provides protection independent of storage and transport. If a protected file ends up somewhere it shouldn’t, the built-in protections still enforce access.

- Protect files inbound or outbound? Identify whether you want the source files in the repository to be rights managed and/or only the copies. Look for a rights management system that can apply rights automatically as documents are entered into a repository and apply rights only as documents are copied out of the repository. There are pros/cons of each, so it really depends on your workflow and deployment goals. For instance, if all your inbound files are protected - you have extra encryption at the file level, should the repository be compromised. The challenge is that not all search systems may be able to index a protected file. Further, if you need to change rights management systems, you will have a lot of files to convert. Outbound protection can automatically encrypt files as they are being requested from the repository, leaving the original files untouched. This facilitates searching and flexibility in rights management deployment. A hybrid approach is to store one version of the file unencrypted in its source form and also automatically create a rights managed copy for external distribution outside the repository.

- How will you classify your documents? It is important to have an information classification system to create a list of policies with corresponding users and groups. If you have too many policies, it will be difficult for individuals or even automated systems to determine what policy should be applied. This article provides additional recommendations on setting up information classification.

- How will you identify sensitive documents? Once the documents are assigned a policy, it is important to mark those documents with the policy. This can be done either as part of the original source document template, part of a document stamping procedure on the server, or through a dynamic watermark on the document as applied by the enterprise rights management system. With the dynamic watermark, the policy can change on the document as well as provide additional information in the visible watermark such as the viewer’s name, email address, and/or date/time viewed. If the document then ends up somewhere it shouldn’t, you have a detective control to trace the source of unauthorized distribution.

- How will authorization lists be maintained? A rights management policy needs to identify users or groups as authorized recipients. While users can be manually maintained in a policy, more dynamic organizations should look at groups and external authorization capabilities. For example, a group referenced by the rights management server could tie to an existing mailing list, or fileserver access list. HR systems can be configured to automatically populate directory groups based on reporting structure, so a “legal-all” group can dynamically include the entire legal department – even as employees join and leave the organization. Authorization within a content management system or custom system can be integrated to a policy definition through a service provider interface.

- What are your end-user software limitations? Some document protection mechanisms require additional desktop software to be deployed and others do not. Most IT organizations are looking to limit the management of software they deploy internally. This can make it difficult to deploy rights management to the desktop, especially when exchanging files outside your organization - if additional software is required to open the document. Verify whether the security software requires administrative rights on the system and the compatibility with operating system vendors and versions. Adobe has integrated security natively into PDF as supported by Adobe Acrobat and Reader 7.0 and higher on Mac, Windows, and Linux platforms. The native enterprise rights management capabilities are utilized via webservice calls to the Adobe LiveCycle Rights Management server, so no additional software is required by recipients to view the protected document. Adobe has partnered with other IT providers to include rights management in their native applications and supported formats, such as PTC, Hitachi/Lattice3D and multi-function peripheral vendors like Ricoh. Adobe also provides plug-ins for Microsoft Office and Dassault CATIA native file formats so rights management policies can be consistently applied across a variety of applications and formats.

- How will your users be trained? Once a system is deployed, it’s important for users to be trained on its use, including which policies to use on which applications and file formats under which circumstances. Options range from instructional text on employee portals, to doorhanger and poster campaigns, to mandatory online training classes.

- How will your system scale? With an increasing number of employees, partners, and customers accessing sensitive information, it’s important that your enterprise rights management system will scale to meet the needs of the growing community. Look for high availability systems that support J2EE clustering (e.g., WebLogic, WebSphere, JBoss) and scalable databases (Oracle, DB2, SQLServer, MySQL).

- Will your administrators become insiders? If an administrator has access to sensitive information, that could make them an insider – depending on the content. While deploying an enterprise rights management system, look for segregation of duties where different administrators have access to different systems. For instance, one administrator may manage the repository of sensitive board book documents but another administrator manages the enterprise rights management server. Neither administrator would individually be able to view a sensitive document because access to the document and authorization to open it are both required.

- What will you do when policies are broken? After deploying enterprise rights management, you will find an increase in policy violations. This includes internal and external people opening protected documents without access rights and watermarked documents found in unauthorized places. A strong communication and non-disclosure policy should be in place to address violations. Further, if violations require notification of law enforcement, be prepared to answer whether your compromised information was marked as confidential, whether the recipients knew what your confidential information classification policies are, whether the information was protected with information security, and whether it has a quantifiable value.

These tips coupled with enterprise rights management, such as Adobe LiveCycle Rights Management, provide added assurances that your intellectual property and personally identifying information is protected and the corresponding policies/laws are more enforceable.
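The first tip above warns about policies tied only to an e-mail address. The following sketch is an added example, not Adobe's code or LiveCycle's data model: it replays the Joe/Jane case against a constructed directory and shows an audit check that flags grants whose address now belongs to a different account. The class names, the `u-1001`/`u-2002` identifiers and the `example.test` address are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    uid: str      # immutable directory identifier, never reissued (assumption)
    email: str    # mutable attribute that the organization may reassign
    active: bool = True


@dataclass(frozen=True)
class Grant:
    email: str    # address the author typed when adding the recipient
    uid: str      # identifier resolved from the directory at grant time


@dataclass
class Policy:
    name: str
    grants: List[Grant] = field(default_factory=list)


class Directory:
    """Constructed stand-in for LDAP/Active Directory."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def add(self, uid: str, email: str) -> Account:
        if uid in self._accounts:
            raise ValueError(f"uid {uid} was already issued and cannot be reused")
        account = Account(uid, email)
        self._accounts[uid] = account
        return account

    def offboard(self, uid: str) -> None:
        # The record is kept but disabled, so the uid is never handed out again.
        self._accounts[uid].active = False

    def current_holder(self, email: str) -> Optional[Account]:
        for account in self._accounts.values():
            if account.active and account.email.lower() == email.lower():
                return account
        return None


def grant(policy: Policy, account: Account) -> None:
    policy.grants.append(Grant(account.email, account.uid))


def authorize_by_email(policy: Policy, user: Account) -> bool:
    # Weak binding: whoever holds the address today inherits the grant.
    return user.active and any(
        g.email.lower() == user.email.lower() for g in policy.grants
    )


def authorize_by_uid(policy: Policy, user: Account) -> bool:
    # Strong binding: the grant follows the person, not the address.
    return user.active and any(g.uid == user.uid for g in policy.grants)


def recycled_grants(policy: Policy, directory: Directory) -> List[Tuple[str, str, str]]:
    """Audit check: (email, uid at grant time, uid holding the address now)."""
    findings = []
    for g in policy.grants:
        holder = directory.current_holder(g.email)
        if holder is not None and holder.uid != g.uid:
            findings.append((g.email, g.uid, holder.uid))
    return findings


def scenario() -> Dict[str, object]:
    directory = Directory()
    joe = directory.add("u-1001", "jsmith@example.test")
    policy = Policy("Board Book")
    grant(policy, joe)
    directory.offboard(joe.uid)                             # Joe Smith leaves
    jane = directory.add("u-2002", "jsmith@example.test")   # address is recycled
    return {
        "jane_by_email": authorize_by_email(policy, jane),
        "jane_by_uid": authorize_by_uid(policy, jane),
        "joe_by_uid": authorize_by_uid(policy, joe),
        "recycled": recycled_grants(policy, directory),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

Running the audit function periodically against existing policies surfaces grants that were made by address before an identifier-based binding was introduced.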

NEC BIGLOBE offering Adobe's rights management as a service

Adobe and NEC BIGLOBE recently announced a new enterprise rights management software as a service (SaaS) offering for the Japanese market. This service is designed for organizations seeking to strengthen their internal controls and mitigate risk of disclosing confidential or personally identifying information.

NEC BIGLOBE is an application service provider (ASP) offering Adobe LiveCycle ES Rights Management to dynamically control protected documents inside and outside an organization. Organizations can quickly and easily deploy this technology by utilizing the hosting and integration capabilities offered by NEC BIGLOBE.

Adobe's history of content protection

Every once in a while, someone asks "How long has Adobe offered content protection?" Turns out, Adobe's information assurance efforts have been ramping up for over a dozen years. Adobe provides security features in numerous products and also provides dedicated security solutions such as LiveCycle Digital Signatures and LiveCycle Rights Management. Here's a brief history:

Adobe's history of content protection started with Acrobat 2.0 in 1994. At the time, this was simple 40-bit RC4 password-based encryption and digital rights management (DRM) to restrict who can open the document and what they can do with it.

Acrobat 4.0 in 1999 added support for Public Key Infrastructure (PKI) enabling a single PDF document to be protected for multiple recipients, with different permissions based on their own keypair. Depending on who opened the document, printing, modification, and clipboard actions are enabled/disabled. This release was also the first to add digital signatures using PKI. This was important for paper documents to move to digital with an opportunity for higher levels of assurance than a pen could provide on paper with a wet signature (ink) by utilizing cryptographic protections of authenticity, integrity, and non-repudiation. Acrobat 5.0 added support for 128-bit RC4 encryption for stronger levels of confidentiality. Acrobat 6.0 added support for the Microsoft CryptoAPI (CAPI) so the keypair could be stored in the Windows certificate store or through a Crypto Service Provider (CSP) to smartcards and other tokens.

In 2005, Acrobat and Reader 7.0 shipped along with LiveCycle Policy Server and Security Server. AES128 encryption was added to PDF. The enterprise rights management capabilities of Policy Server integrate with an organization's LDAP or Active Directory. A policy coupled with an information classification such as "Insider Restricted" restricts who can open the document, what they can do with it, and also provides enterprise auditing measures. Absolute (e.g. on 12/31) and relative (e.g. 7 years from document creation) expiration dates can be set to automatically expire documents. All these permissions in a policy are dynamic and can change after the document is published - to add or delete users, change permissions, or even revoke the document entirely. This revocation feature is used by many to enable version control outside a repository, so as a document is changed on the server all distributed copies of that document are automatically revoked providing the recipient with a notification to go back to the server for a current version. Visual watermarking capabilities on PDF are able to show the policy name, recipient opening the document, and the date/time. Acrobat and Reader 7.0 were also US Department of Defense (DoD) certified by the Joint Interoperability Test Command (JITC). The LiveCycle Security Server provided the ability to apply and validate digital signatures as well as encrypt and decrypt documents in an automated business process. Flash Media Server 2 provided protected streaming capabilities for delivering video to Flash Player.

As we wrap up 2007, there has been a lot going on over the last 12 months. Acrobat, Reader, and LiveCycle shipped with new FIPS 140 approved encryption libraries. LiveCycle Rights Management (formerly Policy Server) now supports native Microsoft Office documents as well as Dassault CATIA. LiveCycle Digital Signatures (formerly Security Server) provides XML signature support as well as certified documents and is integrated with automated forms and document generation processes. Adobe's rights management has been integrated into hardware devices such as Multi Function Peripherals (MFPs) from Ricoh and others. Third party software vendors including PTC and Hitachi/Lattice3D are integrating Rights Management into their native applications. Adobe Media Player is in public pre-release with support for content protection on downloadable and offline Flash video.

What about 2008 and beyond? Stay tuned for more entries as Adobe's security solutions expand to protect even more aspects of the information lifecycle - independent of storage, independent of transport, across operating systems and file formats.

November 17, 2007

Data Loss Prevention and Enterprise Rights Management

Data Loss Prevention (DLP) has been a hot topic lately based on increased intellectual property and personally identifying information (PII) leaks. A number of vendors are offering desktop and server systems to monitor traffic and determine whether sensitive content is going somewhere it shouldn't. It's like a reverse firewall - instead of keeping malicious outside traffic from coming in, it's keeping malicious inside traffic with sensitive information from going out.

The challenge with these systems is that a very complex rule set needs to be developed to determine whether the content is sensitive and authorized to be delivered from the sender to the recipient. While searching for credit card and social security numbers can be easy, documents such as product strategies, CAD drawings, intraquarter finances, and board of director minutes can be much more difficult to track.

Implementing an information classification system is a critical step in any kind of information assurance initiative. If you don't know what your sensitive information is, it's difficult to protect it and determine who the authorized recipients are.

If you're considering host and/or network based DLP, you may want to consider an extension or alternative by deploying enterprise rights management (also known as information rights management - IRM, or even digital rights management - DRM). One such product is Adobe LiveCycle Rights Management (formerly Policy Server).

Enterprise rights management provides persistent protection across data in storage and data at rest, inside and outside an organization. You aren't limited to protections from access controls on a content management system or portal that only protect the document inside the virtual file cabinet. You aren't limited to VPN, SSL, or S/MIME secure email sessions that only protect the content in transport. You also aren't limited to protecting only your end-points, this technology provides persistent access control at the file level - no matter where the file goes or how it got there. A protected file is controlled by a server based policy rule which determines whether the authenticated recipient is allowed to view the document. Further, application level permissions can restrict what an authorized viewer can do with the document - such as printing, modifying, and copy & paste clipboard functions.

Adobe's LiveCycle Rights Management solution provides dynamic policies which can change after a document has been published and distributed. If a previously authorized recipient changes roles or leaves an organization completely - the document will no longer open, no matter how many copies were made to hard drives, USB keys, and CDs/DVDs. This dynamic policy engine can be integrated with a content management system so the same groups/roles/permissions that protect the file inside the virtual file cabinet are persistent to the file after it leaves the repository. Further, this dynamic protocol allows documents to be remotely version controlled and even revoked. So if the primary copy changes on the server, recipients have enforced versions on the desktop. As part of the LiveCycle Enterprise Suite, rights management can be programmatically integrated into structured business processes that are generating documents and reports in bulk and routing electronic forms with sensitive financial or healthcare information. The rights can also be applied in ad-hoc workflows on the desktop with two clicks, e.g. Secure -> Insider Restricted.

IT organizations know that deploying software has become more difficult. The typical DLP vendors require desktop software to enforce information distribution. If you are sharing sensitive information outside your organization with customers, partners, suppliers, or government agencies - good luck telling them that they need your flavor of DLP end-point monitoring software requiring administrative mode install. If an employee or outside user doesn't have end-point software installed, they can still interact with sensitive data without your knowledge. Even with the DLP software, printing, copying & pasting, and modifying isn't usually restricted. With rights managed files - recipients cannot open a file unless they have an application with rights management and permission to open the file from the server - which also enforces what can be done when the file is open.

Adobe's enterprise rights management software is built into PDF with Adobe Acrobat and Adobe Reader, version 7 and higher - across OS platforms. Further, Adobe has partnered with PTC and Lattice3D so their CAD software applications are natively incorporating enterprise rights management without additional plug-ins. The upcoming release of the Adobe Integrated Runtime (AIR) is also incorporating rights management to natively protect video files in Adobe Media Player. Great for protecting training videos and employee meetings with sensitive information that should not be available to unauthorized recipients. Multifunction peripherals and devices (MFP / MFD) are also including native Adobe rights management - such as Ricoh. Even native Office and Dassault CATIA documents can be protected - but those applications do require a separate plug-in in order to view a rights managed document.

With enterprise rights management on all these native file formats, a protected document can accidentally or maliciously travel anywhere inside or outside an organization and provide added assurances that only the authorized recipients are able to view it. So while most DLP vendors only detect and block questionable traffic at end points, enterprise rights management persistently enforces access independent of storage, independent of transport.


November 15, 2007

Information Classification - What does "Confidential" mean?

An important aspect of protecting critical electronic information is knowing what information needs to be protected, what doesn't, and who are the authorized recipients. Countless organizations stamp "Confidential" at the bottom of their documents. What does that mean? Everyone inside the organization can access it, but nobody outside? Or is it only full time employees inside the organization? Or is it anyone internally plus anyone externally that has some sort of non-disclosure agreement (NDA) in place? If there isn't a widely understood definition in place internally and externally - sensitive information is no doubt going places it shouldn't be.

A basic system of marking documents can help. It's often called information classification, sensitivity classification, sensitivity labels, or even data classification. A short list of tags or labels is used to define the sensitivity of the document and is tied to an intended audience. Large organizations will certainly have more than one label, but if you create too many - it becomes too confusing for a document owner or auto classification system to determine which one to use to apply and stamp on a document.

Here are a few recommended labels to get started. You might want to prefix the labels so recipients know it's your system of classifying documents, e.g. XYZ Public, or customize them more for your organization.

1. XYZ Public. Documents that are for public consumption and have no risk to the company if they end up some place they shouldn't. It is also usually assumed that a document that does not have a label on it - is public.

2. XYZ NDA Confidential. For documents that should be viewed only by recipients with a non-disclosure agreement.

3. XYZ Employee Confidential. For documents that should be viewed only by recipients who are employees (full or part-time). Depending on your organization, you may want to create two tags - one for full-time, one for part-time. Could be something like "XYZ Employee Confidential" and "XYZ Regular Employee Confidential"

4. XYZ Insider Restricted. For publicly held companies, there is a lot of sensitive information that cannot be disclosed externally or to the general employee community.

5. XYZ Management Restricted. For documents that should only be viewed by the senior management of an organization, and not the general employee community.

6. XYZ Board Restricted. For publicly held companies, with electronic "board books" this classification designates the board of director community.

7. XYZ Private. For documents with personally identifying information that typically includes health, financial or other personally identifying information.

For strategic alliances or mergers & acquisitions, additional classifications should be created specific to that initiative. For example, "XYZ Project ABC". By using a codename, the existence of the label does not expose the project itself.

A color coding scheme can also be used with these labels to help users remember what is the least confidential and most confidential of the classifications. For example, a spectrum from Green, through Blue, Yellow, Orange, to Red. Some organizations will color the label, or even the entire cover sheet of a sensitive document.

With a basic system like this in place, it's much easier to classify information as part of a data loss prevention (DLP) strategy. Further, when you do find a document that has leaked to someplace it shouldn't, you now have the ability to take corrective action internally or legal action internally. Otherwise, if you discover an insider or an outsider that has your sensitive information, but it isn't marked - it will be significantly more difficult to take action if the recipient of that information can claim it wasn't sensitive.

Some other things to think about are:

- What is the default label for all documents? Should it be Public? Or should it be Employee Confidential? Should it be set up that way for an entire organization? Or should different departments have different default classifications?

- How will you identify which internal and external users are in which classifications? Directories such as Active Directory or LDAP are a good place to store the group membership information, especially when they can contain organization reporting structures and/or roles as part of the group member lists. So instead of having to specify every employee or recipient individually, whole divisions and departments can be included and dynamically updated as the org chart changes.

- How will you enforce access to labeled information? File servers, portals, and content management systems are typically used for this tied to the directory of users and their corresponding access. You can go one step further by utilizing enterprise rights management, from a product such as Adobe LiveCycle Rights Management (formerly known as Policy Server), to persistently enforce a security classification - independent of storage and independent of transport. So after the sensitive document leaves the secure storage and/or secure transport mechanism, it maintains its access control at the data level. Should that document be accidentally or maliciously forwarded to someone that shouldn't have access - the file won't open.

- How will you mark sensitive documents? Document templates are a good way to start, including those in presentation and word processing programs. The process can become much more automated when tied to enterprise rights management. A policy from LiveCycle Rights Management can automatically apply a dynamic watermark to a document corresponding to the classification label. It can also show the name of the user that is opening the document and the date/time the document was viewed. If printing of the document is allowed (which can also be restricted) - the dynamic watermark persists onto the document as a detective control. If that physical document ends up some place it shouldn't, you can track down how it got there.

- How will your users know who is in what classification? In addition to posting the classification labels and having an awareness campaign, the employee directory structure tied to enterprise rights management can enforce the classification labels even if the sender doesn't know whether the recipients are allowed to view the document. For example, the insiders in an organization are typically reminded on a regular basis that they cannot trade the company stock anytime they want - and they are restricted to certain trading windows. Everyone that is identified as an insider is frequently reminded of their insider status. However a common vulnerability is that an insider may not know who all the other insiders are in a very large organization. That makes it difficult to determine when business critical information should be shared to adjust the business operations. By using an insider restricted label, tied to a directory, tied to enterprise rights management - an insider restricted document cannot be opened by someone that isn't specifically tagged as an insider. If such a document is accidentally or maliciously distributed to someone - it remains secure.

- Need additional enforcements beyond just opening the document? Again, enterprise rights management provides persistent security to the document to not only restrict who can open a document, but also what they can do with it. For example, you can restrict printing, modifying, and copy & paste clipboard actions from a protected document.
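The open-time decision described in the questions above (a label tied to directory groups, membership that changes after distribution, revocation, expiration, per-group permissions and a dynamic watermark), sketched as an added example. This is not Adobe LiveCycle code or its API: `PolicyServer`, the group names and the users are hypothetical, and a dictionary stands in for Active Directory or LDAP.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Policy:
    label: str                                 # classification label, e.g. "XYZ Insider Restricted"
    grants: dict                               # directory group -> set of permissions
    expires_on: Optional[datetime] = None      # absolute expiration
    valid_for: Optional[timedelta] = None      # expiration relative to document creation


@dataclass
class Document:
    doc_id: str
    label: str
    created: datetime
    revoked: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str
    permissions: frozenset = frozenset()
    watermark: str = ""


class PolicyServer:
    """Hypothetical stand-in for the server a client asks before opening a file."""

    def __init__(self, directory, policies):
        self.directory = directory             # group -> set of user ids (stand-in for LDAP/AD)
        self.policies = {p.label: p for p in policies}
        self.documents = {}
        self.audit = []                        # every request is recorded, allowed or not

    def publish(self, doc):
        self.documents[doc.doc_id] = doc

    def open_request(self, user, doc_id, now):
        decision = self._decide(user, doc_id, now)
        self.audit.append((now, user, doc_id, decision.allowed, decision.reason))
        return decision

    def _decide(self, user, doc_id, now):
        doc = self.documents.get(doc_id)
        if doc is None:
            return Decision(False, "unknown document")
        if doc.revoked:
            return Decision(False, "revoked: fetch the current version")
        policy = self.policies[doc.label]
        if policy.expires_on and now >= policy.expires_on:
            return Decision(False, "expired (absolute date)")
        if policy.valid_for and now >= doc.created + policy.valid_for:
            return Decision(False, "expired (relative to creation)")
        # Group membership is read at request time, so directory changes
        # apply to copies that were distributed long ago.
        perms = set()
        for group, granted in policy.grants.items():
            if user in self.directory.get(group, set()):
                perms |= granted
        if "open" not in perms:
            return Decision(False, "not in an authorized group")
        mark = f"{policy.label} | {user} | {now:%Y-%m-%d %H:%M}"
        return Decision(True, "ok", frozenset(perms), mark)


def build_example():
    """Constructed directory, policy and document for the walkthrough."""
    directory = {"insiders": {"alice"}, "board": {"carol"}}
    policy = Policy("XYZ Insider Restricted",
                    grants={"insiders": {"open"}, "board": {"open", "print"}},
                    valid_for=timedelta(days=30))
    server = PolicyServer(directory, [policy])
    doc = Document("doc-001", policy.label, created=datetime(2007, 11, 1))
    server.publish(doc)
    return server, doc


if __name__ == "__main__":
    server, doc = build_example()
    now = datetime(2007, 11, 15, 9, 0)
    for user in ("alice", "carol", "mallory"):
        print(user, server.open_request(user, doc.doc_id, now))
    server.directory["insiders"].discard("alice")      # alice changes roles
    print("alice", server.open_request("alice", doc.doc_id, now))
    doc.revoked = True                                  # a new version was published
    print("carol", server.open_request("carol", doc.doc_id, now))
```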

October 20, 2007

MFG.COM Winner of MAX 2007 Award

As announced at MAX 2007, MFG.COM won the award for the Communications and Collaboration category with their Online Marketplace for the Manufacturing Industry.

MFG.com is creating an elegant online service that enables manufacturers and their partners to collaborate on and manage engineering drawings and 3D models in Adobe PDF. The result: accelerated manufacturing and reduced costs. Adobe solutions include Acrobat 3D, Flex 2, LiveCycle PDF Generator, LiveCycle Rights Management, and LiveCycle Reader Extensions.

Adobe's rights management provides intellectual property protection and data loss prevention by persistently protecting participants' electronic files in multiple formats and across organizations.

Click here for more information on their innovative solution.

August 31, 2007

LC Rights Management Format Coverage Expands to Include Lattice & HitachiSoft’s XVL® 3D CAD Format

Manufacturing is now practically a global exercise, with parts vendors and production facilities located in countries around the world. With this rise in globalization, the risk to a company’s parts and production plans increases exponentially as those documents are sent from one partner to another. At the same time, providing easy access to the information to those who have the right and need to view it is also critical, especially with rising competitive & time-to-market pressures driving faster production timelines.

Lattice Technology Inc and HitachiSoftware Engineering Company’s announced integration with Adobe® LiveCycle® Rights Management brings Adobe’s unique, granular, document-level protection capabilities to the ultra-compressed XVL 3D data format, which is used to present complex CAD data in applications ranging from design review to planning and even parts catalogs.

This integration provides manufacturers with the ability to collaborate and share intellectual property with more confidence, and is strategic to Adobe’s commitment to extending the family of important manufacturing file formats protected by LiveCycle Rights Management.

LiveCycle ES Rights Management is further compatible with the PTC Pro/Engineer and Dassault CATIA V5 CAD formats, and also protects PDF, Word, and Excel files.

July 8, 2007

How to protect Flash Video with Flash Media Server

The FLV format used by Adobe Flash Player has contributed to the significant increase in popularity of video on the Internet. Whether it's user-generated or professional content, Flash Video provides an engaging experience with high quality video to the masses. Advances in software are making it very easy to create, edit, deliver, and copy video content. If you're looking for ways to mitigate unauthorized redistribution of Flash Video content downloaded from your website, a new technical paper is available - Video content protection measures enabled by Adobe Flash Media Server.

While unprotected FLV files distributed via HTTP can be downloaded, locally stored, and subsequently redistributed - Flash Media Server provides RTMP-based streaming directly into Flash Player, avoiding the browser cache. SSL encryption and additional authentication mechanisms can also be added to more directly target the client player. This new technical paper describes how these mechanisms can be enabled on the server.

As announced earlier this year, Adobe is also developing digital rights management capabilities directly in FLV for playback in the Adobe Media Player. DRM in FLV will provide additional content protection mechanisms for HTTP distributed content that can be more securely stored for offline viewing. For more information and participation in upcoming pre-releases, please contact your Adobe enterprise account manager.

June 4, 2007

PTC and Adobe Expand Relationship to Offer Enhanced IP Protection

PTC and Adobe Systems today announced an agreement for integrating Adobe LiveCycle Rights Management ES with PTC Pro/ENGINEER. Together, Adobe LiveCycle Rights Management ES and Pro/ENGINEER will provide product development organizations with robust digital rights management (DRM) capabilities that apply persistent document security and management to native Pro/ENGINEER models, as well as specification sheets and supporting design documents (in PDF, DOC and XLS format), inside and outside the firewall.

Product development organizations began employing globalization strategies to outsource manufacturing in an effort to reduce production costs in the 1970s. The outsourcing of manufacturing can be considered as the starting point for global product development (GPD), a trend that has continued to evolve over the past 30 years and now includes outsourcing and offshoring of core design and development work. The integration of LiveCycle Rights Management ES and Pro/ENGINEER will help protect intellectual property in global product development environments. Users will be able to effectively manage document policies with capabilities for controlling access, auditing, expiration and revocation of models and documents even after they have been distributed. This level of security helps to ensure that only intended recipients can open a protected file inside and outside the firewall and that files can be made to expire on a specific date, or if necessary revoked immediately.

Ultimately, the integration of LiveCycle Rights Management ES with Pro/ENGINEER will help improve collaboration with supply chains, outsourcing partners, and teams across dispersed locations. Global businesses will have the ability to access lower cost specialty-skilled labor pools and develop products in a continuous 24/7 timeframe.

The integration is expected to be available from PTC with the next production release of Pro/ENGINEER.

June 3, 2007

Adobe Unveils LiveCycle Enterprise Suite

Adobe Systems today introduced Adobe LiveCycle Enterprise Suite (ES), an integrated family of software for more securely automating processes that help businesses and governments engage with customers, citizens, employees, partners, and suppliers.

With LiveCycle ES, organizations can deliver applications that are easier to interact with. This enables companies to better communicate with people who may be frustrated with, or confused by on-line procedures, and are likely to abandon transactions, resorting to higher cost avenues such as in-person visits or phone assistance. By transforming processes such as account enrollment, claims processing or guided self service into engaging applications, businesses and governments can improve customer service, decrease costly cycle times, and manage information faster, more accurately, and more securely.

LiveCycle ES includes scalable solution components to build, manage and optimize business critical processes. Information assurance capabilities are provided by LiveCycle Rights Management ES and LiveCycle Digital Signatures ES.

Click below for more information on:
* New features in LiveCycle Rights Management ES
* New features in LiveCycle Digital Signatures ES
* Adobe LiveCycle ES Platform Support

What's new in Adobe LiveCycle Rights Management ES

Adobe LiveCycle Rights Management ES (formerly Adobe LiveCycle Policy Server) provides added assurances that the sensitive information you manage and distribute is exposed only to the people you intended. You specify how people can use protected documents to restrict accidental or intentional forwarding to unauthorized recipients. The protections are persistently applied to a document, independent of subsequent storage and transport - inside and outside your organization.

Using Rights Management ES, you can protect PDF as well as native Microsoft Word, Microsoft Excel, and CATIA documents by using confidentiality policies. A policy is a collection of information that includes document confidentiality settings and a list of authorized users. The confidentiality settings you specify in a policy determine how a recipient can use documents to which you apply the policy. Because PDF documents can contain any type of information, such as text, audio, and video files, you can use Rights Management ES to more safely distribute any information that is saved in a PDF document.

You can use policies to do these tasks:
● Specify who can open policy-protected documents. Recipients can belong to your organization or can be external to your organization. You can also specify different confidentiality options on the same policy for different users.

● Specify the document confidentiality settings. You can restrict access to various permissions, including the ability to print and copy text, make changes, and add signatures and comments to a document. Administrators can also specify some additional confidentiality options, including the ability of a recipient to view a document offline and the ability of the user who applies the policy to revoke the document access rights or switch the policy.

● After distributing a policy-protected document, you can monitor and revoke access to the document, switch the policy, and change the access and confidentiality settings. Users can change confidentiality settings in policies they create. Administrators can change any organizational or user-created policy.

New Features in LiveCycle Rights Management ES

● Introduces policy sets to help administrators manage document policies. Policy set coordinators can organize and share policies that have a common business purpose into workgroup policy sets. Policy sets let administrators control and administer multiple policies simultaneously.

● Delivers scalability and performance improvements including enhanced directory synchronization performance as part of LiveCycle Foundation.

● Provides two-factor authentication using PKI and smartcards with Adobe Reader 8.0.

● Enhances external authorization, enabling another system to determine a user’s access to a document or file. For example, your organization may have a Content Management System (CMS) in which all of your documents are stored. Your CMS already has Access Control Lists (ACLs). The external authorization feature enables Rights Management ES to use the ACLs specified in your CMS, eliminating the need to keep ACLs in sync with Rights Management ES policies.

● Supports the ability to initiate a process in response to a particular audit event, for example, a request to print a document.

● Provides extensible audit events, which enable implementors of client applications to define application-specific audit events and load these new event definitions onto the LiveCycle ES server.

● Implements server-side packaging features such as applying policies or removing policies as part of the Rights Management service instead of using a separate component that was needed in the previous version.

● Supports role-based administration for segregation of duties. Administrative tasks are now divided into different roles. For example, one administrator may be able to administer policies, but not server configurations. Another administrator may only be able to view the audit logs and other server configuration settings.

● Supports server side encryption packaging in FIPS mode: You can enable the Federal Information Processing Standards (FIPS) option restricting data protection to FIPS 140-2 approved algorithms using the RSA BSAFE Crypto-J 3.5.2 encryption module with FIPS 140-2 validation certificate #590.

April 15, 2007

Adobe unveils standalone Flash video player with content protection

Adobe Systems Incorporated (Nasdaq:ADBE) today announced the Adobe® Media Player™ at the National Association of Broadcasters (NAB) trade show. This desktop application expands Adobe’s Internet video solutions, adding to an emerging ecosystem that enables new ways to distribute and monetize media, while helping viewers discover and view high-quality content both online and offline. Leveraging Adobe’s Emmy® Award winning Flash video architecture, the Adobe Media Player delivers more engaging video experiences to viewers while offering content publishers new abilities to distribute, track, protect and build businesses around their media assets. A preview of the new player is being shown during NAB, April 16 - 19 (Booth SL 3220).

Building on Adobe's rich history of document protection technology, Adobe Media Player plans to offer content publishers a range of DRM protection options, including streaming encryption, content integrity protection and identity-based protection.

Adobe Media Player is developed using Apollo, the code name of Adobe’s recently announced application runtime that empowers content publishers and web developers to build and deploy rich Internet applications (RIAs) on the desktop using technologies such as Flash, PDF, and HTML. Adobe Media Player is planned to be available as a free beta download from the Adobe Web site later in 2007 with full availability expected by the end of the year, from Adobe and a wide range of media and technology partners.

April 3, 2007

Acrobat and Reader Security Docs

If you're looking for more details on how digital signatures, encryption, and other security features work in Adobe Acrobat and Adobe Reader, here are some good resources updated for v8:

Document Security User Guide for Adobe Acrobat and Adobe Reader Version 8 (PDF, 2.2 MB)
This document describes how to configure and use the application user interface, register a digital ID for use in Acrobat, and manage other people's public key certificates within your system.

Digital Signature User Guide for Adobe Acrobat and Adobe Reader Version 8 (PDF, 3 MB)
This guide describes the digital signature features of the Acrobat 8.x family of products both for Adobe Acrobat and Adobe Reader Version 8 users as well as for security administrators.

Adobe Acrobat 8 for Microsoft Windows Group Policy and the Active Directory service (PDF, 378KB)
This document describes using Group Policy to deploy Acrobat 8 or Adobe Reader 8 products on a Windows network.

Sharing Acrobat settings and data with FDF files in Acrobat 8 (PDF, 456 KB)
Learn how to use FDF files to exchange data between the Acrobat family of client and server products.

February 5, 2007

Ricoh Showcases Rights Managed Document Scanning

Today at the RSA Conference 2007, Ricoh is showcasing their rights managed document scanning solution. Thwarting unauthorized access to confidential documents processed through Ricoh Aficio multifunction products, the solution combines Ricoh ScanRouter EX Professional software with Adobe LiveCycle Policy Server software to deliver a secured paper-to-digital document solution.

Ricoh and Adobe are offering users the ability to manage risk at the point-of-capture. Paper documents are scanned at the Ricoh MFP where the security policy is applied. To ensure the information remains safe, the security policy remains with the document through its lifetime, whether it is transferred inside or outside the corporate firewall.

Further benefits of the Ricoh-Adobe integrated solution are gained from the availability of the Adobe PDF Scan Library, which operates in conjunction with the LiveCycle Policy Server. Paired with Ricoh's ScanRouter EX Professional solution, the Adobe PDF Scan Library enables Ricoh's ScanRouter to generate searchable, more secure and compact PDF files from scanned paper documents. In essence, this integration of Adobe technologies with Ricoh solutions will allow users to create and manage intelligent documents with enterprise applications and various business processes.

December 18, 2006

Now hiring: Security Solutions Product Management

Adobe is looking for a Sr. Product Manager to join our security solutions team and work on rights management.

Position Summary:
Adobe information assurance solutions enable organizations to more securely engage with employees, external associates, and customers by protecting the information lifecycle. Security can be persistently applied independent of storage and transport, inside and outside an organization. Adobe's ecosystem of security partners provides interoperability with many security infrastructures including identity and access management, single-sign-on, public key infrastructures, smart cards, and biometrics.

This product management position in the Security Solutions team of Adobe's Enterprise and Developer Business Unit (EDBU) will significantly contribute to growing Adobe’s market share in information assurance solutions by identifying and prioritizing feature requirements, providing product competitive analysis, understanding customer usage workflows and customer satisfaction, driving and evaluating technology trends, ease of use, standards and certifications.

Knowledge & Skills:
Requires at least 8 years of experience in enterprise software/hardware product management. BS in CS/EE or related technical discipline, and in-depth experience with identity management, encryption, J2EE authentication, digital rights management, public key infrastructure, smartcards, their related standards, and information lifecycle workflows. This position also requires significant cross-group interaction, a strong customer focus, excellent communication, presentation, and negotiation skills, attention to detail, solid technical abilities to work collaboratively with engineering and direct market experience with information assurance solutions. Candidates must be passionate about the technology to make Adobe solutions more secure and easy to use. Preference given to candidates with security certifications.

Click here for more information on this position

November 21, 2006

New Hosted Service Now Available for Rights Management

Adobe Systems has introduced a new hosted service that enables knowledge workers to better protect, share and track the usage of Adobe PDF and Microsoft Office documents using rights management powered by LiveCycle Policy Server.

Adobe Document Center is designed for the professional who shares or publishes business-, time- or version-sensitive documents. Whether it’s an independent graphics designer submitting designs for client review, or a legal practice exchanging sensitive files with clients, users can customize access settings, closely audit usage of their documents, and retain control over the files regardless of where they travel. Users also have the ability to set expiration dates on documents, supersede an older version once a new version is distributed, and revoke access after distribution. They even have the ability to track who has received the documents and what recipients have done, or attempted to do, with the protected files.

When using Acrobat 8 or LiveCycle Policy Server for Office, authentication, authorization, and auditing are managed via a webservice from those software clients to Adobe's hosted service, so a document does not need to be uploaded to the service to be protected. In that case, the hosted service datacenter never sees or stores unprotected customer documents - for added security. Recipients of protected PDF documents only need the Adobe Reader 7.0 or higher. Recipients of protected Office documents only need the Office plug-ins.

Authentication of authors and recipients using the Adobe Document Center is handled by the Adobe ID. This email address and user-specified password credential is common across Adobe's web-based properties for the online store, support, developer programs, and other Adobe hosted services. For an author that wants to share a protected document, they simply need to provide the recipient's email address. If the recipient already has an activated Adobe ID for the Document Center, they simply enter their ID when opening the document. Otherwise, the recipient is provided with instructions on how to activate their email address as an Adobe ID to open the protected document.

A free trial of Adobe Document Center is available until December 31, 2006. For more information, visit http://dc.adobe.com


Policy Server 7.2 is now available, supporting native Office and CAD

Adobe Systems has shipped LiveCycle Policy Server 7.2, an enterprise rights management (ERM) solution for protecting and controlling documents throughout their entire lifecycle, from creation, through distribution and collaboration, to archiving and destruction. Supported formats now include Adobe PDF, Microsoft Office, and Dassault Systèmes CATIA V5 files.

LiveCycle Policy Server allows users to apply persistent and dynamic security policies to documents. Those policies can specify who has access, what they can do, when, and for how long. Security policies can be updated at any time, even after distribution, making it easy to manage and track access, no matter how a document is stored or transported.

When should you use enterprise rights management?

If you are already tagging documents with information classification policies like "Company Confidential", "Top Secret" or "Insider Restricted", ERM provides both preventative and detective controls persistently applied to those documents.

You can connect Policy Server to your corporate directory to specify that a protected document can only be opened by employees, departments, or individuals of your company, or be opened by extranet business partners that have signed NDAs. These controls are independent of storage and transport. If a file is accidentally or maliciously sent to a recipient that shouldn't have the document, they cannot open the document because it's encrypted. The encryption keys are not distributed unless the recipient has successfully authenticated and is designated in the policy permissions. An optional audit log can also help track who opened a document, what they did with it (print, copy, modify), or what they tried to do without permission.

Why choose Adobe for Information Assurance?

Adobe has been providing information assurance solutions since Acrobat 2.0 in 1994, when rights management and encryption were first added to the file format. Since then, support for authenticity, integrity, and non-repudiation has been added with digital signatures. These capabilities can all be combined in a document to provide holistic security, protecting both static documents and electronic forms.

Policy Server has a growing ecosystem of cross-platform, cross-format, and cross-device capabilities. PDF protections are supported in the free Reader on Windows, Mac, and Linux platforms. Office and CAD are supported on the Windows platform. Policy Server itself can run on Windows, Linux, and UNIX platforms, and integrate with LDAP, Active Directory, and other custom authentication systems. Policy Server is also supported by a growing community of MFP (Multifunction Printer) devices that can scan paper documents and automatically apply policies selected by the device's LCD display.

Once documents are protected with Policy Server, the policies can be changed - without republishing the documents. This is important when the members of a team are dynamic, or when permissions change as part of the document's lifecycle. Documents can also be revoked to mitigate subsequent access, no matter how many copies of the document were created and distributed. This helps enforce version control at the document level, outside of a content management system or portal. When a revoked document is opened, it can also indicate to the user where to go to get the most recent version of the document, specified by a URL.

Policy Server is built on a J2EE architecture with webservices, and achieves scalability and reliability by working with underlying platform capabilities from WebSphere, WebLogic, JBoss, Oracle, DB2, MySQL, etc.

October 23, 2006

Announcing Adobe Digital Editions Public Beta

Adobe has unveiled a new Flash-based Rich Internet Application (RIA) for managing and reading eBooks and other digital publications in PDF and XHTML formats. Digital Editions will also integrate with a new, hosted content authorization service to protect publishers' rights while maintaining superior ease-of-use for customers. The new Adobe Digital Editions Protection Service, based on Adobe LiveCycle Policy Server, will allow publishers to choose from a flexible array of business models, with user-ID-based authorization that supports an improved user experience for digital rights management. Digital Editions also supports Adobe Content Server DRM, delivering full compatibility with existing protected PDF content and infrastructure.

Adobe Digital Editions beta is available for free download from the Adobe Labs Web site at:
http://labs.adobe.com/technologies/digitaleditions


September 26, 2006

Protecting corporate board materials and confidential information

Board member usage of company confidential material has been a hot topic in the news this month. A recent Bay Area incident involved allegations of intentional redistribution of sensitive information to unauthorized recipients. Even when there are highly trusted and ethical board members and employees, precautions are also important to protect against accidental redistribution of sensitive material.

With laptops being stolen out of houses, cars, offices, cafes, hotels, luggage, etc. - the value of the information on computers can be much more than the resale value of the hardware itself. Not only is protection of the information important while it's being stored on a laptop - further safeguards should be in place to prevent unintentional redistribution of sensitive information beyond that device.

A common incident is when someone sends confidential information to the wrong person, say through a slip of the email address book and the handy auto-complete addressing feature. Let's say you know two people with the same name. Do you always visually double-check the domain name to make sure you have the right one? Sometimes this means having to actually click on the name in the To: line to view the address, beyond just the name. It is also important to know who is on what mailing lists, internally and externally. That's a lot of extra effort required on every sensitive email message.

One way to provide added assurances against both intentional and accidental redistribution of sensitive information is to persistently protect the content itself - using enterprise rights management. This technology is independent of storage and transport, applying directly to the content itself. It can be used to restrict access to an electronic document, no matter where it ends up stored on a computer, transported in an email message, CD-ROM, or USB key - inside or outside the company. Enterprise Rights Management can further restrict printing, modifying, and copy/paste once the protected content is open. Expiration and revocation functions can request that access to a document be disabled at a specified time, or even immediately. Audit logs help track who did what to a document, or who tried to do something without permission.

Sensitive information can be protected with Adobe Acrobat on Windows and Mac. Recipients with the free Adobe Reader on Windows, Mac, or Linux can view the PDFs - protected with LiveCycle Policy Server. Support for native Office and CAD documents is available this Fall.

If you are interested in joining other companies using Policy Server to protect their confidential information, you can click here for more information.

May 26, 2006

Adobe LiveCycle Policy Server wins Product Innovation Award

Adobe Systems has just received an award for Policy Server from Frost & Sullivan.

In recognition of Adobe's ability to meet the demands of a very dynamic market with a product that provides the company with a competitive advantage while providing customers with a unique interoperable solution, Frost & Sullivan is proud to present Adobe Systems with the 2006 Product Differentiation Award for the world digital rights management market.

The Frost & Sullivan Award for Product Differentiation Innovation of the Year is presented each year to the company that has best demonstrated the ability to develop and/or advance products with more innovative capabilities than competing vendors and products. This Award recognizes the company's successful adoption of new or existing technology that has become a part of its well-designed product family. Such innovation is expected to significantly contribute to the industry in terms of product performance and degree/rate of technical change.

The press release announcement is available here.

May 17, 2006

Policy Server Hosted Service - Now Available in Beta.

For a limited time, paid subscribers of the Create Adobe PDF Online service have access to a beta preview of Adobe LiveCycle Policy Server running as a hosted service for enterprise rights management on PDF files.

Create Adobe PDF Online is an existing production service from Adobe Systems that converts many popular file formats into the Adobe Portable Document Format (PDF) without installing additional desktop software. Subscribers can use their web browser to upload a native file for conversion or configure a Windows network printer driver to convert directly within native desktop applications. This subscription service is available in the U.S. and Canada for US$9.99/month or US$99.99/year.

Paid subscribers can experience the new hosted Policy Server Beta to restrict who can open their published PDF documents and what those authorized recipients can do with those documents - using only email addresses and the free cross-platform Adobe Reader 7.0. Both the subscribing author as well as all invited document recipients simply register their email address as an Adobe ID to receive the benefits of persistent confidentiality and privacy for their documents.

In the protected document's usage policy, the subscribing author can specify authorized recipients by their registered email address and restrict printing, copy/paste, and offline access. The policy can optionally specify an expiration date for a document as either fixed (e.g. December 31, 2006) or relative (e.g. 30 days from publishing) after which the document is restricted from opening. Because the policies are dynamically maintained for a document, recipients and permissions can be changed by the author after the document is published. This also allows the author to immediately revoke a document they previously published, no matter how many copies were made or where they are stored. This is a convenient way to provide persistent version control of documents independent of storage and transport mechanisms.
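The usage-policy behavior described above (named recipients, fixed or relative expiration, changes after publishing, revocation), together with the key-release and audit behavior described in the Policy Server 7.2 post earlier on this page, modeled as an added example. This is not Adobe's code or API: every class, method, field and reason string is hypothetical, the addresses and timeline are constructed, and the rule that the earlier of two expirations wins is an assumption.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:
    recipients: set                                  # registered e-mail addresses
    permissions: set = field(default_factory=set)    # e.g. {"print", "copy"}
    expires_on: Optional[datetime] = None            # fixed expiration date
    expires_after: Optional[timedelta] = None        # relative to publishing

@dataclass
class Decision:
    granted: bool
    reason: str
    key: Optional[bytes] = None                      # released only on a grant
    permissions: frozenset = frozenset()
    latest_url: Optional[str] = None                 # where to get the newer version

class PolicyServer:
    """Toy model: document keys stay server-side and every request is audited."""
    def __init__(self):
        self._docs = {}
        self.audit = []                              # (time, doc_id, user, reason)

    def publish(self, doc_id, policy, now):
        self._docs[doc_id] = {"policy": policy, "published": now,
                              "key": secrets.token_bytes(32),
                              "revoked": False, "latest_url": None}

    def policy(self, doc_id):
        # Policies are kept on the server, so the author can edit them later.
        return self._docs[doc_id]["policy"]

    def revoke(self, doc_id, latest_url=None):
        self._docs[doc_id].update(revoked=True, latest_url=latest_url)

    def _deadline(self, doc):
        p = doc["policy"]
        relative = doc["published"] + p.expires_after if p.expires_after else None
        limits = [d for d in (p.expires_on, relative) if d is not None]
        return min(limits) if limits else None       # assumption: earliest wins

    def request_open(self, doc_id, user, authenticated, now):
        doc = self._docs[doc_id]
        deadline = self._deadline(doc)
        if not authenticated:
            d = Decision(False, "not_authenticated")
        elif user not in doc["policy"].recipients:
            d = Decision(False, "not_in_policy")
        elif doc["revoked"]:
            d = Decision(False, "revoked", latest_url=doc["latest_url"])
        elif deadline is not None and now > deadline:
            d = Decision(False, "expired")
        else:
            d = Decision(True, "ok", doc["key"],
                         frozenset(doc["policy"].permissions))
        self.audit.append((now, doc_id, user, d.reason))  # denials are logged too
        return d

def demo():
    t0 = datetime(2006, 5, 17)                       # constructed timeline
    day = timedelta(days=1)
    srv = PolicyServer()
    srv.publish("faq", Policy({"alice@example.com"}, {"print"},
                              expires_after=30 * day), t0)
    steps = [srv.request_open("faq", "alice@example.com", True, t0 + day),
             srv.request_open("faq", "bob@example.com", True, t0 + day)]
    srv.policy("faq").recipients.add("bob@example.com")   # changed after publishing
    steps.append(srv.request_open("faq", "bob@example.com", True, t0 + 2 * day))
    steps.append(srv.request_open("faq", "alice@example.com", True, t0 + 31 * day))
    srv.revoke("faq", "https://example.com/faq-v2.pdf")
    steps.append(srv.request_open("faq", "bob@example.com", True, t0 + 3 * day))
    return steps, srv.audit
```

Because the key is handed out per request rather than stored in the file, changing or revoking the policy takes effect for every copy already in circulation, which is the property both posts rely on.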

To protect a document, authors can easily upload a PDF into the service using their web browser. While not required, authors with Adobe Acrobat 7.0 or later can more easily protect documents using the Secure application toolbar button in their Acrobat desktop application, customized to display policies from the hosted service account.

Here are some demonstration documents authorized for Adobe ID subscribers:
- APS_Beta_Demo.pdf - with a protected FAQ describing the expansion of Policy Server to native Office and CAD formats

- APS_Beta_Expired.pdf - sample document that has expired

- APS_Beta_Revoked.pdf - sample document that was immediately revoked

To view these sample protected documents, you must have a registered Adobe ID. A paid subscription is not required.

To create protected documents in this beta service, you must have a Create PDF Online paid subscription, as trial accounts are not eligible. For more information, here is the FAQ.

May 15, 2006

Announcing Ricoh MFP support for Policy Server

Today at the AIIM/ON DEMAND Conference, Ricoh and Adobe announced an agreement to develop and co-market document scanning, printing and security solutions. The integration of Adobe's Policy Server enterprise rights management software and Adobe print + scan technologies with Ricoh multifunction (MFP) devices transforms the way knowledge workers convert paper processes into more secure digital workflows. Paper can be easily scanned and encrypted into PDF to control who has subsequent electronic access and usage permissions.

"We are natural partners in that Ricoh has long provided world class digital products and solutions, and Adobe is the standard in document software," said Katsumi Yoshida, Corporate Executive Vice President, Ricoh. "We look forward to developing together new document solutions that truly bridge the paper and digital worlds. Our Fortune Global 500 customers demand the most advanced solutions and we will deliver."

April 10, 2006

Active Directory SSO Support from Quest Software

Adobe offers Active Directory Single Sign On in LiveCycle Policy Server, including support for smartcard authentication.

As announced by Quest Software, Adobe utilizes Quest's Vintela Single Sign-on for Java to provide native authentication of Java and J2EE applications and services with Active Directory.

This technology is currently shipping in Adobe LiveCycle Policy Server providing users with cross-platform access to Active Directory and single-sign-on. When a user is logged into their Windows desktop, they do not need to log in again to view a Policy Server protected document. The Kerberos authentication information from the operating system is passed through Adobe's desktop applications (e.g. Adobe Acrobat, Adobe Reader, and other native Rights Management plug-ins) to the Policy Server. If the user logged in using a smartcard to authenticate to their desktop, that credential can also be used by Policy Server as a single sign on token.

March 10, 2006

Adobe and IBM team on Enterprise Rights Management

At CeBIT this week, IBM announced that they are working with Adobe on Enterprise Rights Management (ERM) solutions to help companies protect their intellectual property and digital data from product theft.

The protection of commercial rights is becoming a major issue for many international companies. As a result of globalization, supplier and cooperation networks are becoming increasingly complex, and development and production data is being made accessible to ever-larger groups of users. Much of the development data and documents in question are "unprotected" against unauthorized access and redistribution.

IBM and Adobe are collaborating to offer joint solutions and services for worldwide Enterprise Rights Management that extends beyond the company firewall.

"The global access rights are issued by the Adobe LiveCycle Policy Server, which we host in our IBM computer centers with high availability and global access options", said Michael Diemer, Vice President Strategic Outsourcing, IBM Information Technology Services.

"This means that we are immediately able to offer our customers the full ERM functionality of the Adobe LiveCycle Policy Server. In addition, we advise our customers on all ERM requirements and work with Adobe to offer complete end-to-end solutions to ensure maximum protection of their intellectual property, thereby making it difficult for intellectual property thieves."

Adobe and IBM are demonstrating this solution in the front row of IBM's primary CeBIT Booth F41/51, demopoint #1.

Here are links to the English and German press releases.

February 26, 2006

Gartner Report on Adobe E-DRM

Gartner recently published a research note titled, "Navisware E-DRM Buy Could Give Adobe a One-Stop-Shopping Solution". It is available for purchase directly from Gartner, here.

With the acquisition of the FileLine Digital Rights Management division of Navisware, Adobe expands comprehensive enterprise digital rights management functionality beyond its Portable Document Format and into enterprise workflow applications.

January 9, 2006

Acquired Rights Management for Office and CAD

I am pleased to announce that Adobe has acquired the FileLine Digital Rights Management (DRM) division of Navisware. The acquisition will extend the capabilities of Adobe LiveCycle Policy Server, providing protection for native Microsoft Office and CAD documents.

Acquiring FileLine will allow Adobe to protect the entire information lifecycle -- from creation in native file formats through distribution and collaboration to archival and destruction. As a result, organizations can:
- Ensure the reliability of their electronic information
- Enhance the protection of intellectual property and sensitive information
- Safeguard the privacy of customers
- Comply with regulations governing electronic information

The FileLine DRM capabilities are anticipated to be integrated into LiveCycle Policy Server for release in Fall 2006. This release will enable organizations to secure a broad range of documents such as financial, government and engineering documents, and will support auditing, expiration, revocation and version control of these documents, features currently available for PDF files only.