Irm11g overview
  • (05/08/10, Oracle Confidential) Most regulated information originates and concentrates in databases. Oracle offers industry-leading database security options for its database; it is worth starting to secure information at source (losing a database is worse than losing a file). Myriad end users access regulated information in databases via business applications (HR self-service, CRM, etc.). Oracle Identity Management offers industry-leading identity and access management governing end user and application access to regulated information, with centralised and consistent policy control and auditing across Oracle and non-Oracle applications. Industry leadership in this area is extended by the Sun acquisition. End users copy information beyond databases and applications, generally in the form of documents (e.g. sensitive reports). These copies proliferate hugely in number and location (e.g. to unmanaged servers and web sites and to corporate and home computers, inside and outside the firewall). Oracle IRM uses encryption to retain control over all copies of these sensitive documents, regardless of where they are located, inside and outside the firewall. Oracle is doing more than just reorganising its security sales forces to sell database security, IAM and IRM together. It is engineering the product suites to work together so that enterprises can consistently and cost-effectively manage the security of their most sensitive and regulated information – in the database and application layers and beyond.
  • Many organizations today are exposed to the risk of losing valuable information that resides in emails and documents. Financial information, mergers and acquisition activity, and engineering and research data often reside in Word, Excel or PDF documents, and losing them can have a significant impact on your business. Regulations specify that controls must be in place when handling classified content, and failing to comply with these regulations can result in fines. Losing your intellectual property to competitors reduces your effectiveness in the marketplace. Such incidents are often reported by the popular press, which has a severe impact on your company brand, and your customers lose confidence in your ability to protect their information.
  • Over the past few years we have seen many examples of organizations losing important information. This is exposure you do not desire.
  • Research also reveals that a high percentage of data loss happens by mistake or through pure negligence, and only a small proportion of incidents happen internally, where your existing security infrastructure is implemented. These risks are increasing as more and more business use cases involve collaboration on sensitive content with external parties, parties who don’t place the same importance on protecting your information and accidentally lose it.
  • Database security is not enough (select / report / applications / API / web service). Your business has of course deployed security solutions for content that resides internally. Take SharePoint for instance: different folders provide different access controls to documents. Yet when these documents are taken out of SharePoint, say by emailing them to someone, the security doesn’t travel with them. Instead security is applied at each location the content could reside. But this is a constant struggle, because digital information doesn’t respect your security perimeters; it can be stored on USB devices, external hard drives, CDs etc. Information proliferates between shared file systems, email, intranets, extranets and thousands of desktops inside and outside the firewall. Red boxes: if you are relying on conventional information security to provide compliance, records management and content management, today at best you are really only managing a small subset of your information within these systems.
  • But the problem doesn’t stop there. Your business requires that information is shared beyond your enterprise, with customers, partners and suppliers. Yet you cannot enforce the same level of security on their firewalls and content repositories. The previous slide shows the perimeters of existing systems, but which perimeters are we talking about? In many business processes, for example when Oracle acquires other companies, information is shared with external parties such as customers, partners and people working at home.
  • Wouldn’t it be nice if you could solve this problem? Have control over content no matter where it exists, beyond your networks. Imagine if you could produce evidence that regulatory controls had been put in place by showing every single access to controlled content by authorized users.
  • In summary, Oracle IRM is the leading document rights management technology and our customers have chosen it for the immediate reduction in costs and increase in security it brings. But as important as security is, Oracle IRM delivers unprecedented ease of use and the ability to scale to very large numbers of users and documents. This balance of security, usability and manageability means your business can deploy an IRM solution without interrupting existing workflows and meet the desired security and regulatory requirements.
  • Offline use (Oracle IRM): Oracle IRM stores a copy of a user’s rights locally on their PC. These rights are refreshed every day via invisible synchronization with the IRM Server. This means that a user can be given an offline working period of, say, 3 days. This enables them to work with sealed documents just as easily as if they were unsealed, without needing to connect to the internet for 3 days. However, whenever they do connect, their rights are refreshed and they are given another 5 days from that point in time. Thus in reality users are never aware of refreshing their rights; all of their documents just open, regardless of when they last opened any given document, or even if they have never opened it before. Oracle IRM daily synchronization also allows remote users to have their rights revoked at short notice, so partners at the end of a project, or employees leaving the organization, can have their access denied to all of their sealed documents the next time they synchronize. Highly sensitive data can be given shorter offline periods, or even only have access whilst online, to enable faster revocation of rights.
    Offline use (Microsoft, Adobe, EMC, Liquid Machines): All other IRM products issue a fixed-length offline lease to a document only when that document is opened. If that offline period is 5 days, then it cannot be refreshed until that 5-day lease has expired. Thus it is common for offline leases to expire whilst a user is offline and unable to refresh their rights, so they are denied access to their document. Also, if a user does not obtain leases for their documents before going offline (because they have never opened them before, or they haven’t opened them for some time) then again they will be denied access whilst offline. Microsoft: revocation of rights can only be performed by a system administrator editing an XML file, the ‘revocation list’. This is effectively impractical and clearly does not scale. EMC, Adobe: rights can only be revoked at the end of the offline lease, not during it as with Oracle IRM synchronization.
    Search (Oracle IRM): Only Oracle IRM has out-of-the-box integrations with Windows Explorer Search, Windows Indexing Service, Windows Desktop Search (on Vista) and SharePoint 2007 Indexing Search. Oracle IRM also has easy-to-deploy Search APIs which, for example, have been integrated with Autonomy, Oracle SES, LiveLink Search and Oracle Text.
    Search (Microsoft, Adobe, EMC, Liquid Machines): No other IRM solution has out-of-the-box search integrations or easy-to-integrate APIs enabling searching of sealed documents. Thus not even Microsoft can search its own sealed documents within SharePoint; their answer is to store unprotected documents in SharePoint, which does not scale.
  • Renault F1 wanted to be able to replicate documents when shared between 2 factories, 2 mobile teams, suppliers, sub-contractors and partners, with security for documents containing technical specifications, including the “Bible” which contains all the information relating to the racing car. The solution needed to convert 80TB of documents stored in multiple repositories and with no global search functionality. Necessary? See *****i_espionage_conviction. A sophisticated deployment, illustrating several key Oracle IRM differentiators: rapid (hosted) evaluation and rapid deployment; Active Directory integration; Windows authentication; transparent offline working (track-side); Citrix deployment (design office, Linux, Citrix); silent MSI rollout.
  • To recap…
  • A key differentiator of Oracle IRM – the key to moving from initial pilot IRM deployments to successful, large-scale enterprise IRM deployments – is its unique classification-based rights model. Ignoring the text for a moment, the picture shows 8 documents: 4 sealed to one classification, “Board Communications”, and 4 sealed to “Company Announcements”. The CFO is assigned a “Contributor” role, which means he can open, print and edit documents sealed to “Board Communications”. The HR Director has a similar “Contributor” role for “Company Announcements” but only has a “Reader” role for “Board Communications”. The group “All Employees”, which like the users comes from an enterprise directory, are “Readers” for “Company Announcements” but cannot access documents sealed to “Board Communications”. The point of the picture is that for 8 documents there are 4 role assignments – the black dotted lines to the right of the picture. But if there were 80,000 documents – 40,000 sealed to “Board Communications” and 40,000 sealed to “Company Announcements” – there would still only be 4 role assignments. This is a subtle but huge advantage for Oracle IRM, with both technical and business benefits. From the business perspective, end users and business and IT administrators are presented with a simple model governing access to their information that they can understand and communicate, even at enterprise scale, because it is implemented in terms of things they already understand: classifications based on existing information classifications, business processes or projects; their roles within these business processes; and existing organizational groupings in enterprise directories. From a technical perspective, the per-classification Oracle IRM system has to manage orders of magnitude fewer rights than systems which clone per-user and per-file rights from policy templates.
    Far fewer rights enables the automated synchronization of rights to the desktop that provides Oracle IRM with its unique “hands free” offline working, while retaining timely revocation and up-to-date audit trails. This is not at the expense of making real-world exceptions. While Oracle IRM manages rights primarily at the level of classifications and roles, it can easily make per-user and per-file exceptions – when they are needed – as compared to competing solutions which attempt to build enterprise policy on the quicksand of millions of per-user and per-file exceptions.
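
The two offline models contrasted in the notes above (Oracle IRM’s synchronised rights cache versus a fixed-length lease issued per document at open time), as an added Python simulation that is not Oracle’s or any vendor’s code; the class names, the day-based clock, the sample classification and the scenarios are assumptions made for the illustration:

```python
"""Toy simulation of the two offline-rights models described in the speaker notes:
a synchronised per-classification rights cache versus a per-document lease issued
only when a document is opened. Added illustration, not vendor code; all names and
the whole-day clock are invented for the example."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SyncedRightsClient:
    """Rights for whole classifications are cached locally and replaced on every
    connection; offline access lasts `offline_days` from the last refresh."""
    offline_days: int
    server_rights: set              # classifications the server currently grants
    cached: set = field(default_factory=set)
    last_sync: Optional[int] = None

    def sync(self, now):
        # Invisible daily synchronisation: the whole rights set is replaced, so a
        # revocation made on the server takes effect at the next connection.
        self.cached = set(self.server_rights)
        self.last_sync = now

    def can_open(self, classification, now, online):
        if online:
            self.sync(now)
        if self.last_sync is None or now - self.last_sync > self.offline_days:
            return False            # offline window exhausted
        return classification in self.cached   # works even for never-opened documents


@dataclass
class LeaseOnOpenClient:
    """Competitor model from the notes: a fixed-length lease is issued per document,
    only when that document is opened online, and cannot be refreshed early."""
    lease_days: int
    server_rights: set
    leases: dict = field(default_factory=dict)   # document -> expiry day

    def can_open(self, doc, classification, now, online):
        expiry = self.leases.get(doc)
        if expiry is not None and now <= expiry:
            return True             # an unexpired lease wins, even after server-side revocation
        if online and classification in self.server_rights:
            self.leases[doc] = now + self.lease_days   # new lease only once the old one lapsed
            return True
        return False                # offline with no valid lease: denied


def scenario_never_opened_offline():
    """User syncs on day 0, goes offline, and on day 2 opens a document never opened before."""
    synced = SyncedRightsClient(offline_days=3, server_rights={"Board Communications"})
    synced.sync(now=0)
    lease = LeaseOnOpenClient(lease_days=5, server_rights={"Board Communications"})
    return {
        "synced": synced.can_open("Board Communications", now=2, online=False),
        "lease": lease.can_open("Q3 Figures.sxls", "Board Communications", now=2, online=False),
    }


def scenario_revocation():
    """Rights used online on day 0, revoked on the server on day 1, user connects on day 2."""
    synced = SyncedRightsClient(offline_days=3, server_rights={"Board Communications"})
    synced.can_open("Board Communications", now=0, online=True)
    lease = LeaseOnOpenClient(lease_days=5, server_rights={"Board Communications"})
    lease.can_open("Q3 Figures.sxls", "Board Communications", now=0, online=True)
    for client in (synced, lease):
        client.server_rights.discard("Board Communications")   # administrator revokes
    return {
        "synced_day2": synced.can_open("Board Communications", now=2, online=True),
        "lease_day2": lease.can_open("Q3 Figures.sxls", "Board Communications", now=2, online=True),
        "lease_day6": lease.can_open("Q3 Figures.sxls", "Board Communications", now=6, online=True),
    }
```

The second scenario shows the gap the notes describe: the lease model keeps granting access until the lease lapses, whereas the synchronised cache denies it at the first connection after revocation.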

    1. Oracle Information Rights Management 11g. Deborah Assayag [email_address]
    2. Oracle Security Inside Out
       [Diagram layers: Databases, Applications, Content Infrastructure, Information]
       Database Security
         • Encryption and Masking
         • Privileged User Controls
         • Multi-Factor Authorization
         • Activity Monitoring and Audit
         • Secure Configuration
       Identity Management
         • User Provisioning
         • Role Management
         • Entitlements Management
         • Risk-Based Access Control
         • Virtual Directories
       Information Rights Management
         • Document-level Access Control
         • All copies, regardless of location (even beyond the firewall)
         • Auditing and Revocation
    3. Risks of not controlling sensitive data
         • High costs when losing control of…
           ◦ Financial documents
           ◦ Mergers & acquisition information
           ◦ Intellectual property
           ◦ Personally identifiable information
         • Reduced share price due to lack of market confidence
         • Regulatory fines due to non-compliance
         • High legal expenses
         • Compensation costs
         • Impact to company brand
         • Reduced competitive advantage
    4. Examples
    5. How does the loss happen and by whom?
         • Over 70% of data loss from lost devices and negligence
         • Only 12% from malicious activity
         • Only 18% of loss happens internally
         • Increasing data loss from partner collaboration
       [Chart: Causes of security breaches. Source: The Business Impact of Data Breach. Ponemon Institute LLC. May 15, 2007]
       [Chart: Trends in Data Breach Sources. Source: 2008 Data Breach Investigations Report. Verizon Business. June 10, 2008]
    6. You have secured the perimeters… … but digital information is no respecter of perimeters!
       [Diagram: SharePoint, Email, File system, Content Management, Intranet/Extranet]
    7. Which perimeter are we talking about? Many business processes involve external parties
       [Diagram: SharePoint, Email, File system, Content Management, Intranet/Extranet]
    8. Typical methods for securing desktops
       [Diagram: Encrypt disk; Prevent use of external devices; Monitor information flow (DLP); OS access control; Encrypt content (PGP); Prevent use of external services]
         • Buying all these solutions is expensive
         • What about partners, customers, suppliers?
         • Massively restrict end users’ ability to work
         • Protect the content instead of the location!
    9. Security – Usability – Manageability: an enterprise-class solution must balance all three aspects
       [Diagram: Secure, Usable, Manageable]
    10. Imagine if you could…
         • Control content access beyond your network?
         • Prove regulatory controls are in place?
         • Audit every single access to secured content?
         • Revoke access even after delivery, to every single copy ever made?
         • Restrict print, copy, view formulae, even enforce change tracking?
         • Easily deploy and manage a solution
    11. The Solution: Information Rights Management
         • Persistent protection, control and tracking of…
           What: single documents or groups of documents
           Who: single people or groups of people
           When: flexible start and stop times, revoke after delivery
           Where: single device or roaming across the internet, on or offline
           How: Open, Print, Edit, Annotate, Interact, Reply, Pause…
    12. Oracle Information Rights Management: securing all copies of your sensitive information
         • Everywhere IRM-encrypted content is stored, transmitted or used
           ◦ NO ACCESS FOR UNAUTHORIZED USERS
           ◦ Transparent, revocable access for authorized users
           ◦ Centralized policy and auditing for widely distributed content
         • Content security beyond the database, application and firewall
       [Diagram: ECM, Email, File systems, Intranet/extranet, Databases; Oracle IRM Server; Enterprise perimeters; Customer, Partner, Supplier]
    13. With Oracle Information Rights Mgmt: flexible & comprehensive information protection
       [Diagram: Oracle IRM Server; Application Export; Saved in Content Management; Secured from the Desktop]
    14. Sealed documents & emails
         • Sealing documents and emails protects them wherever they go
         • A central server manages rules – even for copies of documents that leave your network
         • The central server audits usage – even for copies of documents that leave your network
         • The rules apply even when users are offline and the server is unreachable
           ◦ Local secure cache refreshes automatically upon network connection
    15. Benefits: secure and track information beyond the repository
         • Encryption places an access-controlled perimeter around the information itself
           ◦ Authorized access, audited, revocable
         • Consistent security: one “virtual” perimeter to manage
         • Control and monitoring does not stop at the firewall
       [Diagram: Storage Area Network, Email, Web, Collaborative Workspace, Content Management, Oracle IRM Server]
    16. Oracle Information Rights Management DEMO
    17. Content Author Seals Content. Could be… intellectual property, research, supplier communications, manuals, BI reports… Content Author Chooses Content Classification: Confidential Highly Restricted (Board, Legal, M&A, Project, etc.); Confidential Restricted; Confidential Internal; Public
    18. This User Doesn’t Have Rights to View. Even if stored on a local file system or external drive. Access can be revoked at any time
    19. This User Only Has Read Access. No printing, editing or screen captures… User can view the document in MS Word, but take a screenshot and paste…. (Partner)
    20. Oracle Information Rights Management: enterprise-class security within & beyond your firewall. Different users have different access to a single, secured document
    21. Why customers choose Oracle IRM
         • Oracle Information Rights Management reduces Costs and delivers the right balance of Security, Usability, and Manageability
         • Reduce Costs
           ◦ Avoid expensive legal costs, regulatory fines
           ◦ Protect company brand and market share price
         • Increase Security
           ◦ Documents and emails remain secure regardless of location
           ◦ Usage is audited and access can always be revoked
         • Maintain Usability
           ◦ As easy to use as unprotected documents and emails
           ◦ Mature product supports existing document workflows
         • Overall Manageability
           ◦ Intuitive, policy-based control at enterprise scale
           ◦ Rapidly deployable, out-of-the-box packages for point solutions
    22. Headline Oracle IRM Differentiators
         • Offline use
           ◦ Oracle IRM synchronization gives seamless offline working
           ◦ Microsoft does not allow revocation
           ◦ Adobe & EMC require offline leases
         • Search
           ◦ No competitor has iFilters or server-side search APIs
         • Policy-driven & manageable
           ◦ Oracle IRM is classification-based
           ◦ Microsoft burns ACLs into the document
           ◦ Adobe & EMC require integration with another product at scale
         • Format support
           ◦ Platforms, formats, versions
    23. Oracle IRM 11g Release Highlights
         • Broader Enterprise Reach
           ◦ Built on Fusion Middleware and Java EE
           ◦ Broad platform certifications
           ◦ Standard 27 Oracle languages
           ◦ SSO authentication: OAM, Windows auth, Basic auth to LDAP
         • Extensible, First-Class Security
           ◦ Extensible classification model for application integrations
           ◦ FIPS 140-2 certification
           ◦ Hardware Security Module for key storage
         • Usability and Templates
           ◦ New Web-based management console
           ◦ Best practice rights model: global roles and templates
    24. Oracle IRM + ECM Suite
         • Out-of-the-box integration with Oracle Universal Content Management
         • Automatically ensure managed documents are protected – wherever they are shared and used
         • IRM extends key features of content management “beyond the repository”
           ◦ Security – share information with more confidence (that it will be secure outside the repository)
           ◦ Auditing – invaluable business intelligence as you track all remote access to information
           ◦ Version management – revoke obsolete versions and route users to current versions
           ◦ Records management – delete decryption keys to dispose of all copies of records
    25. Oracle Information Rights Management Customer Success
    26. Use case: Renault F1
         • Renault F1 sought to protect its technological specifications against competitive espionage. Oracle IRM is delivering:
           ◦ Secure access to documents for partners, suppliers and manufacturers
           ◦ The ability to revoke users’ rights
           ◦ Remote access to data for track-side technicians
           ◦ Centrally managed access rights across the globe
           ◦ All applications directly store files within the central repository
    27. Case Study: Beckman Coulter
         • Industry: Life Sciences
         • Annual revenue: US$2.76 billion
         • Employees: 10,000
         • Key benefits:
           ◦ Bespoke content management and portal integrations
           ◦ Enabled the company to connect the sales force
           ◦ Prevented redistribution of valuable information
           ◦ Eliminated the need to maintain similar data
           ◦ Confidence that information is only provided to intended recipients
           ◦ Ability to revoke access to incorrect or out-of-date documents
    28. Basic IRM Deployment Architecture
       [Diagram: zones Internet / External Networks, DMZ (or Intranet) and Corporate Network, separated by firewalls; components: External User, Load balancer (e.g. OHS), IRM Server on WebLogic, Web Services, LDAP Server, Database Server]
    29. Classification-based rights management: manageable security at enterprise scale
         • Oracle IRM manages access to information in terms of
           ◦ Existing business processes, such as “Board Communications”
           ◦ Existing information classifications, such as “Highly Restricted”
           ◦ Existing employee roles, such as “Reviewer”
           ◦ Existing users/groups in enterprise directories, such as “Sales”
         • Oracle IRM’s classification-based rights management is the key breakthrough that enables management of encryption at enterprise scale
         • Because end users, business process owners and IT admins can all understand and manage it!
       [Diagram: Classification “Board Communications”: documents Sales strategy, Q3 Figures.sxls, 2008 Business Plan.sppt, ACME competitive review.sdoc. Classification “Company Announcements”: documents Health+Safety Issues.sdoc, HR procedures.spdf, Sales pipeline.sxls, New customers. Roles: Contributor (Open, Print, Edit), Reader (Open), Reviewer (Open, Comment). Users/groups: CFO, HR Director, All Employees]
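
The rights model on this slide and in the speaker notes (four role assignments governing eight documents, and the same four governing 80,000), as an added Python illustration that is not Oracle’s implementation; the classification, role, user and document names are taken from the slide, while the directory group membership, the data structures and the shape of the per-user/per-file exception are assumptions:

```python
"""Classification-based rights model from the slide and speaker notes, as an added
Python illustration (not Oracle's implementation). Classification, role, user and
document names come from the slide; group membership and data structures are invented."""

# Role -> permitted features, as drawn in the slide's role table
ROLES = {
    "Contributor": {"Open", "Print", "Edit"},
    "Reader": {"Open"},
    "Reviewer": {"Open", "Comment"},
}

# Enterprise-directory membership (constructed for the example)
GROUPS = {"All Employees": {"CFO", "HR Director", "alice", "bob"}}

# The four role assignments shown as dotted lines: (principal, classification, role)
ASSIGNMENTS = [
    ("CFO", "Board Communications", "Contributor"),
    ("HR Director", "Company Announcements", "Contributor"),
    ("HR Director", "Board Communications", "Reader"),
    ("All Employees", "Company Announcements", "Reader"),
]

# A sealed document records only its classification, never a per-user ACL
SEALED = {}
for _doc in ("Sales strategy", "Q3 Figures.sxls", "2008 Business Plan.sppt",
             "ACME competitive review.sdoc"):
    SEALED[_doc] = "Board Communications"
for _doc in ("Health+Safety Issues.sdoc", "HR procedures.spdf",
             "Sales pipeline.sxls", "New customers"):
    SEALED[_doc] = "Company Announcements"


def principals_for(user):
    """The user plus every directory group they belong to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def permitted_features(user, doc, exceptions=()):
    """Features granted by every role the user (directly or via a group) holds on the
    document's classification, plus optional per-user/per-file exceptions of the form
    (principal, document, role), which the notes say are possible but rare."""
    classification = SEALED[doc]
    principals = principals_for(user)
    features = set()
    for principal, cls, role in ASSIGNMENTS:
        if cls == classification and principal in principals:
            features |= ROLES[role]
    for principal, exc_doc, role in exceptions:
        if exc_doc == doc and principal in principals:
            features |= ROLES[role]
    return features


def users_with_access(classification):
    """Every individual user that some assignment grants access to the classification."""
    users = set()
    for principal, cls, _role in ASSIGNMENTS:
        if cls == classification:
            users |= GROUPS.get(principal, {principal})
    return users


def rights_to_manage(docs_per_classification):
    """Administered entries under the classification model versus a system that
    clones one right per user per file (the 'competing solutions' in the notes)."""
    classification_model = len(ASSIGNMENTS)        # does not grow with document count
    per_file_model = sum(docs_per_classification * len(users_with_access(cls))
                         for cls in {a[1] for a in ASSIGNMENTS})
    return classification_model, per_file_model
```

With 4 documents per classification the per-file model already needs 24 entries against 4 role assignments; at 40,000 per classification it is 240,000 against the same 4.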