This question came up recently when someone was trying to sync a user's rights with the Oracle IRM Desktop from the IRM server. The environment was all hosted inside a VMware image and unfortunately, due to the way the Windows environment reports its network connectivity status when hosted inside a VMware image, the IRM Desktop can have problems synchronizing rights. I thought I would quickly write up the answer in case anyone is building an IRM environment in VMware.
The detail in this problem is that when the Oracle IRM Desktop tries to do a sync, it first makes an operating system check to see if the machine is online or offline. However, the Windows call made can often return a state of offline, even when there is valid connectivity. It seems to be an issue with the underlying VMware network layer and the Windows operating system. Therefore we added some code which bypasses these checks and always assumes the system is online. This code can be enabled by adding the following two registry settings.
HKLM\Software\Sealedmedia\Common: set String value sealedmedia.http.online to "1"
HKCU\Software\Sealedmedia\Sync\Auto: set String value Online to "1"
Note: This registry change is intended only when you are running both the Oracle IRM Desktop and server from inside a VMware image. If you are hosting the IRM server in VMware and accessing content from another, non-VMware environment, you do not need to make this change.
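The two settings above applied from PowerShell, as an added example that is not part of the original post or Oracle's tooling. It assumes an elevated session and treats a `Win32_ComputerSystem` manufacturer string beginning with `VMware` as the sign of a VMware guest; the function names are hypothetical.

```powershell
# Added example, not Oracle's code. Paths and value names are the two given in the post.
# Run elevated: the HKLM write needs administrator rights; the HKCU value is per user.
$IrmOverrides = @(
    @{ Path = 'HKLM:\Software\Sealedmedia\Common';    Name = 'sealedmedia.http.online' },
    @{ Path = 'HKCU:\Software\Sealedmedia\Sync\Auto'; Name = 'Online' }
)

function Test-VMwareGuest {
    # Assumption: a VMware guest reports a manufacturer string starting with "VMware".
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return ($cs.Manufacturer -like 'VMware*')
}

function Get-IrmOnlineOverride {
    # Report the current state of both values; Value is empty when a value is not set.
    foreach ($o in $IrmOverrides) {
        $item  = Get-ItemProperty -Path $o.Path -Name $o.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($o.Name) } else { $null }
        [pscustomobject]@{ Path = $o.Path; Name = $o.Name; Value = $value }
    }
}

function Set-IrmOnlineOverride {
    # The post limits this change to VMware-hosted desktops, so refuse elsewhere.
    if (-not (Test-VMwareGuest)) {
        Write-Warning 'Not a VMware guest; the override is not needed here. Nothing changed.'
        return
    }
    foreach ($o in $IrmOverrides) {
        if (-not (Test-Path -Path $o.Path)) { New-Item -Path $o.Path -Force | Out-Null }
        New-ItemProperty -Path $o.Path -Name $o.Name -Value '1' -PropertyType String -Force | Out-Null
    }
}

function Remove-IrmOnlineOverride {
    # Revert when the desktop leaves the VMware image, so the normal online check applies again.
    foreach ($o in $IrmOverrides) {
        Remove-ItemProperty -Path $o.Path -Name $o.Name -ErrorAction SilentlyContinue
    }
}

Set-IrmOnlineOverride
Get-IrmOnlineOverride | Format-Table -AutoSize
```

The guest check only covers the desktop side; whether the IRM server is also inside the VMware image still has to be confirmed by the administrator.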
It seems to be happening every week: sensitive information is being lost from health care organizations. This time email is the culprit.
Blue Cross & Blue Shield of Louisiana have had to announce an incident where a document was accidentally attached to an email sent to a group of about 1,700 brokers. The document contained social security numbers, phone numbers and addresses. Fortunately the information was about the same group of people the email was sent to; no customer information was involved. But it still demonstrates how easily mistakes like this can happen and how Blue Cross & Blue Shield are required, by law, to make this information public knowledge. Fines for such incidents are often incurred, although no details of a fine have been reported in this case.

Oracle IRM can prevent such incidents in many ways. Firstly, if this document had been classified and protected using IRM and the recipients had not been given rights to this classification, then the document would never have been accessible by this group of brokers. This is often the most valuable aspect of using an IRM technology: having a classification which only allows access to confidential information to those within your organization, so that if the document or email is accidentally lost, attached and forwarded via email, or stolen, it is unusable for anyone outside your organization.
However, what if the document had been protected incorrectly, to a classification to which the brokers had access? Oracle IRM separates the rights to content from the documents and instead stores all this information on the centralized Oracle IRM server. In this case, once the mistake had been realized or reported, the Blue Cross & Blue Shield classification manager could simply deny access to this document, or to many documents, even after they have been distributed. When the brokers then attempt to access the document in the email, they are denied. Even those who were able to access the documents before the organization knew of the error would be denied access once their rights had been changed. They may however still have access to other content in the same classification. Such is the flexibility of the Oracle IRM classification model.
Once again Beehive has been demonstrated to be an excellent example of how Oracle IRM can be integrated to extend security well beyond the confines of the application. We love Beehive, and it seems that Beehive loves us. We are the sealing wax of Beehive! Ok, I promise not to make any cheap references in the following with regards to the name of the Beehive product...
On Wednesday, Jamie Rancourt and Indira Vidyaprakash, principal product managers for Beehive, hosted a session in the Marriott Hotel called "Collaboration Beyond Standalone Clients". Many existing collaboration environments are spread across many systems. Your email may reside in both an Exchange server and in PST files on your local machine. You have documents stored in both content repositories and on external USB drives, and instant messaging clients store message histories both on the server and on your local systems... information, as we know, is all over the place and out of control.
With Beehive you are able to unify all this information using Workspaces. Continuing Oracle's Open Standards and Enterprise 2.0 messages, all of the Beehive components can be resurfaced in other environments, such as portals, websites and you can use any clients to access mail, messaging and other Beehive services.
In this session, they went a bit deeper when showing Oracle IRM inside Beehive than the high level overview given by Chuck and Charles during the Monday keynote. The Beehive team showed the integration with IRM in a live demonstration and started by moving a document into a Beehive Workspace. It was given the category "Seal" and behind the scenes this assigned a flag to the file which kicked off a BPEL process to seal the document with IRM. In real time the file was then sealed and this was evident when the icon changed within the Beehive UI.
The file was then emailed to another user, however that user did not have any rights to open the file and the Oracle IRM Desktop client denied access. Because the error message functionality in IRM uses a web page, it allowed the access denied message to also contain information about the owner of the document which was dynamically obtained from the IRM server. So the user then contacted this owner and requested access. The document owner agreed and then moved the document within Beehive from his personal Workspace into a group Workspace, checking that the new user had read-only rights in that Workspace. The remote user then attempted to reopen the file and this time, hey presto, it opened!
The document owner then updated the user's rights in Beehive to allow editing and when the user reopened the file he found he had edit rights. Finally they then took this to the next step by revoking the user's rights completely and again this was locally propagated, once again disallowing the user to open the content.
This live demonstration showed the fantastic opportunities for the integration of IRM using the coming release of the Oracle IRM 11g Server, where rights do not need to be managed directly on the IRM Server but can be fully delegated to an external system, such as Beehive. We hope to see these prototyped demonstrations become reality over the coming months as the Beehive colony swarms to create the propolis which will ensure users of sensitive information inside the hive do not get stung when content leaves the nest!
I'm sorry, I just could not resist... 
Well it has been very, very busy here at Open World and I've not been able to get my blogs written as fast as I would like, and I resisted the urge to write banal rubbish into the pages in a desperate attempt to get content up. The DEMOgrounds have been very busy; quite a lot of people have been making the association between the True Delete demonstration inside Beehive and the Oracle IRM technology that drives the functionality. I'm just getting the chance now to spare an hour and put up some of what we've captured during the past few days.
On Tuesday I sat through Thomas Kurian's keynote speech. Thomas is the senior vice president of Oracle Fusion Middleware, the technology organization Oracle IRM is aligned with. His presentation covered information integration using Oracle Data Integrator, business intelligence, performance management and then onto content management and collaboration. The main message was the ability to "Capture, Store, Manage, and Secure all forms of Content".
Security is my key focus here and Thomas led into content security with Oracle's Secure Enterprise Search. This technology, combining your access rights from the identity management system, allows you to search across the enterprise, returning only information to which the user legitimately has access. SES is now integrated into the content management system and is being integrated with many of the middleware technologies.
A natural progression from this is, if you can only search for content to which you have rights, security should also apply when you actually attempt to open that information. I'll let Thomas, in his own words, describe how IRM fits in here...
"Documents live within the repository for very short periods of time, most people take a document that's checked into the repository where it is secure, download it, attach it to email and send it to other people. Oracle IRM enforces security permissions on documents, even when they've been sent out of the repository. So only authorized people can see documents no matter where they access the information from..."
This highlights a very important point: if you use an encryption technology, such as IRM, to protect your most valuable content, you MUST also allow authorized users to use full text search methods to find the information whilst it is still encrypted. Oracle IRM is the only technology which exposes this ability and has been integrated not only with the content management repositories but also with the Windows Explorer on your desktop.
And following all of this was, once again, the message that these technologies are all integrated into Oracle Beehive as well as other Oracle applications such as Siebel.
Well it's the end of the first full day of Oracle Open World 2008 and I'm shattered. This morning we saw an excellent keynote around the new collaboration server from Oracle, Beehive. Part of this included a demonstration which had an element of Oracle IRM. This means that no matter where your documents and emails that are being shared via a Beehive Workspace ultimately reside, they are persistently secured and protected using Oracle IRM. The buzz has travelled so fast it's made it into an InformationWeek blog already.
I also got mugged by the guys at the Oracle Fusion Middleware lounge to record a video postcard.
Charles Phillips and Chuck Rozwat, during their Open World keynote speech today, demonstrated how an IRM integration has been prototyped to protect documents that are stored in a Workspace within Beehive. They described security as one of the main features of the Beehive platform; IRM extends this security when documents and emails are used outside the Beehive environment. As Chuck said, "I am a hoarder of documents"; he often saves documents to his local machine where it is easier to work on them. However, in doing so, any security that applied to the document whilst it resided in the repository is lost once it is removed.
Not so with IRM: rights to the content, as defined inside Beehive, are persistently applied even when the document is moved beyond the storage area of the Workspace. So Chuck saved a document down to the local machine, then Charles deleted the original document inside the Beehive Workspace with "True Delete". When Chuck next went to open the locally saved copy, he was denied access because of the true delete. This shows an important element of the new 11g release of Oracle IRM. We are able to delegate the request for rights from the IRM server to anything; in this instance it is the Beehive server, but it could well be a content management system, a records management application, or anything which stores rights about access to information. In this demo, when Charles true-deleted the document, it automatically revoked all access to all copies of the document via IRM. So when Chuck tried to access the locally saved document, it talked to the IRM server, which denied access to the document. In fact it would deny access to any copy that exists anywhere, both inside and outside of Beehive and inside or outside the traditional enterprise security perimeters such as the firewall.
I had the chance to speak with James Leask, the IRM Developer flown over from the UK to work with the Beehive team on prototyping the integration. James said, "The new 11g server due for release next year, has a highly extensible architecture allowing me to quickly write a plugin to delegate rights to the Beehive server. It was written in Java and uses web services."
James was available behind the scenes during the demonstration in case last minute changes were required. However, everything went very smoothly, so much so that it was hard to believe that it was live software being shown and not just slideware.
"Implementing the integration was simple, it only took about a day. Leaving me the rest of the week to enjoy San Francisco!" James Leask, IRM Developer
Oracle Open World 2008 starts today in downtown San Francisco. No expense spared they close off Howard Street for the entire duration of the event. Wednesday evening Treasure Island, in the middle of the bay, will host concerts headlined by Elvis Costello, Seal and UB40 (Will Red Red Wine become the new Oracle anthem?). The phrase "paint the town red" really does apply this week!
I will be attending all week and joined by key members of the IRM team in Oracle. Andy Peet, sat with me now helping me punch out this article, is the product manager for IRM. Ensuring we listen to customers, Andy has been visiting some high profile strategic companies in the week leading up to OOW as well as enduring my poor humour. Ryan Carroll, VP of IRM Engineering, is also flying in tonight and will be joining us in the DEMOgrounds at stand A9. Ryan heads up the awesome development team based in Reading, England. Last, but not least, Dr Martin Lambert, the creator and founder of the Oracle IRM technology, has recently moved from the UK to the bay area, bringing his expertise to Oracle HQ.
"The OpenWorld opening keynote is going to show some really exciting integration work between Oracle IRM and Beehive." Andy Peet
Oracle IRM will get its first main exposure during OpenWorld in the Charles Phillips and Chuck Rozwat keynote speech at 9am PST in Moscone North, Hall D. You can also view it streamed live or on demand via Oracle.com. I asked Andy for an insight into what the keynote will offer:
"They will be demonstrating a ground breaking integration of Oracle Information Rights Management with Oracle Beehive; showing the use of IRM in work spaces and document versioning. It's so cool, make sure you don't miss it.
Work space users' rights are delegated directly from their rights in Beehive, so if a user's rights are changed in Beehive they are automatically changed in all of their documents. Document versioning enables a new version of a document to be issued and stops users from accessing older versions ensuring they always have up-to-date information. This integration, whilst fully operational, is based on the next generation IRM Server, our 11g release. It is not currently available, but has been prototyped for this presentation by great collaborative work between the Beehive and IRM development teams. Great work guys!"

Here is one website you do not want your company name to appear on, http://datalossdb.org/. What is it?
"DataLossDB, formerly the Attrition.org Data Loss Database Open Source, is an research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, with the move to OSF, and relies on the contributions of users like you to grow and prune the database."
Basically, the public at large submit to this website any known security breaches in the form of hacked websites, lost documents, media, laptops etc. It is a vastly improved interface to the former website, http://attrition.org/. People can now search by date, by incident type, by industry, even by the largest known loss of records! It is a leader board on which you will all want to avoid being in the top ten.

The Daily Telegraph, a UK newspaper, has just reported on some research done by the Ponemon Institute for Dell computers, which found that in a year about 800,000 laptops are either lost or stolen at airports all over the world. Shocking numbers; consider how many of these laptops contain sensitive information which is now totally out of the owner’s control.
The research highlights some scary statistics. In the US about 12,000 laptops go missing each week, 10% within Los Angeles. When the travelers were asked if they took any steps to protect their content, nearly 60% admitted to having no protection around their confidential information.
How do you protect against losing such devices? You may have encrypted the hard disk, but what if the laptop was in a laptop bag and the sensitive documents resided on a USB drive or a CD/DVD in the bag? Did you protect these storage devices? DLP solutions might be able to destroy the copies of the documents, but of course they need some form of remote access to the laptop to issue the self destruct commands. The report is doing the rounds with other news websites that are touting varying methods of solving the problem, and the issue of laptop theft has been in the press for many years.
Of course, I’m leading to the use of information rights management as the best solution. Not only would IRM ensure the documents were encrypted and access to them denied once the laptops and related devices are lost, but the responsibility for protecting the information doesn't need to rely on the end user. Deploying IRM and integrating it with things like the content management system and network file storage systems, and also providing users with pre-sealed document templates, ensures that content is correctly classified and protected without placing the burden of that decision on the end user.
We obviously use Oracle IRM within the company and a few years ago we had someone lose a laptop at an airport (Don't worry Mark, I won't name and shame... oops). Our response was simple: we disabled his Windows account credentials and temporarily revoked his rights to content on the IRM server whilst we sorted out new account details and reset passwords. We were safe in the knowledge that all the important documents on that laptop were secure.
If you want to learn more about how this technology can help you protect your organization's content, either contact your Oracle sales representative or email us and we can give you access to our easy to use online evaluation system.