Information Rights Management: EDRM (Enterprise Digital Rights Management) vs DFP (Data Flow Protection)
E.ON IS, Thilo Müller, April 2008, EIC 2008

Agenda
E.ON IS introduction
DRM and DFP: definition, use case, challenges, vision
Comparison: classification
Conclusion
EIC2008 04/2008 Thilo Müller DRM/DFP Page 2

E.ON IS
Service offering, portfolio, solutions and processes
E.ON IS is one of the top full-service IT providers for the European energy industry.

E.ON IS Group - Overview

Identity Management @ E.ON IS
Central LDAP meta directory: synchronisation between ADs and HR; authorisation and group management for applications
PKI: base infrastructure, accompanying PKI deployments
Authentication from inside and outside the network: external authentication, remote access, WLAN, guest network authentication; innovation projects involving OTP and 802.1X
Encryption: notebooks, folders, mails and archives
Digital signature: centralised service for legally valid signing of documents, bills and credit notes

Protection is (slowly) climbing the OSI layers
Pre-1980: firewall, IP address, port security
Web (proxy) login
DRM/DFP: 2010?
7. Application: network process to application
6. Presentation: data representation and encryption
5. Session: inter-host communication
4. Transport: end-to-end connections and reliability (segments)
3. Network: path determination and logical addressing (IP)
2. Data link: physical addressing (MAC and LLC) (frames)
1. Physical: media, signal and binary transmission (bits)
Protect the data itself, not the system.
IT has to provide user-friendly, seamless methods for end users to define protection rules for digital data.

Part 1 - EDRM
Agenda: E.ON IS introduction; EDRM definition; use case; product example: MS RMS; challenges: integration, user interaction; vision: RBAC, external partners; conclusion

EDRM Definition
EDRM means Enterprise Digital Rights Management.
The protection is document-centric: a document owner defines who can do what with a document.
Defined rights include read, edit, print, copy and paste and print screen, and can include time constraints.

Use Case EDRM
Confidential documents from HR and from mergers and acquisitions
Protection against document copying or copy and paste, Trojan attacks, and e-mail forwarding of confidential documents

MS RMS Solution
Seamless integration in the MS environment; already integrated in Vista and Office 2007
PKI integrated (no CRLs needed), AD integrated
FIPS 140 compliant

EDRM product example: MS RMS
Microsoft Rights Management Services (RMS) allows users to encrypt content and assign usage rights. These usage rights are specified down to the level of an individual user or group of users and are retained in the structure of the document itself.
Applicable controls:
User access controls within a document or other materials
Use restrictions within a document on a per-user basis
Controls that prevent unauthorised copying
Restrictions that prevent tampering with the original content
The ability to revoke access to the content
These controls are enforced natively through the Microsoft Windows client, which controls the Office product suite.
Source: Microsoft

EDRM - RMS Architecture overview
Components: RMS server, database, Active Directory; author (RAC, CLC); receiver (RAC).
1. The author receives a certificate from the RMS server before using RMS for the first time.
2. The author defines rights using an RMS-enabled application. The document is protected and encrypted.
3. The document is distributed.
4. The receiver opens the document with an RMS-enabled application, which checks the user license and the user's rights against the RMS server.
5. The RMS application gains access to the document according to the given policy.

EDRM Integration: RMS Architecture overview
One certification server per forest, each with its own MS SQL database: Certification UK (Forest UK), Certification GER (Forest GER), Certification n (Forest n)
Licensing cluster with MS SQL
Central AD repository: user permission check for licensing

EDRM Vision
Integration with RBAC: HR users get access to HR documents; documents are automatically EDRM-protected.
Automatic EDRM protection for incoming e-mails, and content/context-specific protection for documents.
Documents are downloaded via a portal and automatically EDRM-protected; user registration and authorisation can be managed by the portal.
Integration of external partners.

Part 2 - DFP
Agenda: E.ON IS introduction; DFP definition; use case: USB protection; product example: Verdasys Digital Guardian; challenges: integration, user interaction; vision: self-monitoring clients, intelligent data tagging; conclusion

Definition DFP (Data Flow Protection)
DFP aims at protecting the movement of data.
DFP is primarily client-specific: the rules for the client are defined centrally.
User actions such as moving files or burning CDs are monitored, logged or even stopped.

Use Case DFP
Prevent, for example, the use of USB memory sticks without encryption in general, or just prohibit the storage of classified data on them.
Different ways to address and handle this issue:
Allow only a defined set of devices, e.g. encrypted USB sticks
If the USB device does not support encryption, data is transparently encrypted with a company key, without any user interaction
The action is stopped completely
Users can be prompted with a message: either the action is completely blocked, or a warning is shown but the action can still be performed
Actions can be controlled per file operation (read, write, execute, etc.)

DFP product example: Verdasys Digital Guardian
Protected client:
Sensitive documents are marked (tagged) in the NTFS file system; tags must be persistent.
Tagged data copied, moved or saved to the local disk must only be stored in a defined folder; secure files are encrypted locally using the corporate file & folder encryption tool.
Control of the flow of files from SAN storage / filer to the client: the tag travels with the file.
Control of the usage of USB devices: USB stick with encryption - allowed; standard USB stick without encryption - action taken (see the use case above).

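The device-control rules of the two slides above, as an added worked example. This is illustration code written for this page, not Verdasys Digital Guardian code: the device kinds, the tag flag on the request, the secure folder path `c:\secure\` and the rule names are assumptions. Rules are evaluated first-match, and the fall-through is "allow but log", which is why the ruleset has to be specific.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example for the USB use case, not Digital Guardian code. Device kinds,
// the tag flag, SecureFolder and the rule names are assumptions.

type Device int

const (
	LocalDisk Device = iota
	EncryptedUSB
	PlainUSB
	CDBurner
)

func (d Device) String() string {
	return [...]string{"LocalDisk", "EncryptedUSB", "PlainUSB", "CDBurner"}[d]
}

type Action int

const (
	Allow            Action = iota
	EncryptThenAllow        // transparently encrypt with the company key, no user interaction
	WarnThenAllow           // warning shown, the action is still performed
	Block                   // action stopped completely
)

func (a Action) String() string {
	return [...]string{"Allow", "EncryptThenAllow", "WarnThenAllow", "Block"}[a]
}

// Request is one monitored file operation on the protected client.
type Request struct {
	Op     string // "read", "write" or "execute"
	Target Device // where the data is going
	Tagged bool   // persistent sensitivity tag on the source file
	Dest   string // destination path, local-disk writes only
}

// Rule: first match wins, so order matters and the ruleset has to be specific.
type Rule struct {
	Name   string
	Match  func(Request) bool
	Action Action
}

// SecureFolder is the only local folder tagged files may be written to
// (assumed path standing in for the corporate file & folder encryption area).
const SecureFolder = `c:\secure\`

var Policy = []Rule{
	{"tagged-local-outside-secure-folder", func(r Request) bool {
		return r.Tagged && r.Op == "write" && r.Target == LocalDisk &&
			!strings.HasPrefix(strings.ToLower(r.Dest), SecureFolder)
	}, Block},
	{"tagged-to-encrypted-usb", func(r Request) bool {
		return r.Tagged && r.Op == "write" && r.Target == EncryptedUSB
	}, Allow},
	{"tagged-to-plain-usb", func(r Request) bool {
		return r.Tagged && r.Op == "write" && r.Target == PlainUSB
	}, EncryptThenAllow},
	{"tagged-to-cd", func(r Request) bool {
		return r.Tagged && r.Op == "write" && r.Target == CDBurner
	}, Block},
	{"execute-from-removable", func(r Request) bool {
		return r.Op == "execute" && (r.Target == PlainUSB || r.Target == EncryptedUSB)
	}, WarnThenAllow},
}

// Decide returns the action for a request and the name of the rule that fired.
// Untagged data and unmatched operations are allowed but still logged.
func Decide(r Request) (Action, string) {
	for _, rule := range Policy {
		if rule.Match(r) {
			return rule.Action, rule.Name
		}
	}
	return Allow, "default-allow"
}

// AuditLine is what goes to the central log. It records decision, rule and
// device only; path and content are left out on purpose, because monitoring
// data about employees is itself sensitive (the works council point below).
func AuditLine(r Request, a Action, rule string) string {
	return fmt.Sprintf("op=%s target=%s tagged=%t action=%s rule=%s", r.Op, r.Target, r.Tagged, a, rule)
}

func main() {
	// Constructed sample requests.
	for _, r := range []Request{
		{Op: "write", Target: PlainUSB, Tagged: true},
		{Op: "write", Target: LocalDisk, Tagged: true, Dest: `D:\tmp\offer.docx`},
		{Op: "write", Target: LocalDisk, Tagged: true, Dest: `C:\Secure\offer.docx`},
		{Op: "write", Target: PlainUSB, Tagged: false},
	} {
		a, name := Decide(r)
		fmt.Println(AuditLine(r, a, name))
	}
}
```

Note that the "encrypt then allow" action only makes sense if the tag is persistent: once the file reaches an unencrypted stick as an untagged copy, no later rule can recognise it.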
Challenges DFP
The client behaviour is logged. The logging data is critical because user actions are monitored: Germany has strict laws on recording employee actions, and the introduction of such monitoring tools involves the works council (Betriebsrat).
Separation of duties for administration has to be used.
The client must not be slowed down.
The ruleset has to be specific.
The user is confronted with new error messages and system behaviour.
How is the data classified? Depending on the team folder, e.g. z:\team\unit

DFP Vision
In addition to the folder where the data is stored, the content of the document could influence the classification.
According to rules and using encryption, tagging can be extended through local user groups.
Document classification could be extended using a document database of similar documents.

Comparison EDRM / DFP - classification
Protect every document in the enterprise? Closed user group: no important document leaves the company; define processes for external communication (portal?).
Protect only confidential documents? According to the BND (Bundesnachrichtendienst, the German federal intelligence service), 5% of documents are important. This is the EDRM use case: user interaction, user schemata, online usage only.
Content: use filters, e.g. for Mastercard numbers or the text "confidential", and spam-filter techniques.
Context: where is the document stored, and which way did it take through the enterprise?

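Content and context classification from this slide and the DFP challenges slide, as an added example that is not part of the presentation: a Luhn check behind a card-number pattern (the "Mastercard" filter), a keyword filter for "confidential", and a team-folder lookup for context. The classification levels, the keyword list, the folder map and the sample text are assumptions constructed for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Added example, not part of the presentation: classify a document by content
// (card-number and keyword filters) and by context (the team folder it lives
// in). Levels, keyword list and folder map are assumptions.

type Level int

const (
	Public Level = iota
	Internal
	Confidential
)

func (l Level) String() string { return [...]string{"Public", "Internal", "Confidential"}[l] }

// cardLike finds 13-19 digit runs, optionally separated by spaces or dashes.
// Luhn then separates real card numbers from phone numbers and IDs.
var cardLike = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// Luhn reports whether a digit string passes the checksum used by payment
// card numbers (Mastercard, Visa, ...).
func Luhn(digits string) bool {
	if len(digits) < 13 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d > 9 { // not a digit
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// CardNumbers returns the Luhn-valid card numbers in text, digits only.
func CardNumbers(text string) []string {
	var found []string
	strip := strings.NewReplacer(" ", "", "-", "")
	for _, m := range cardLike.FindAllString(text, -1) {
		if digits := strip.Replace(m); Luhn(digits) {
			found = append(found, digits)
		}
	}
	return found
}

// folderLevel is the context rule "depending on team folder": longest
// matching prefix wins. Paths are assumed and compared lower-cased.
var folderLevel = map[string]Level{
	`z:\team\hr\`:  Confidential,
	`z:\team\m&a\`: Confidential,
	`z:\team\`:     Internal,
}

func ContextLevel(path string) Level {
	p := strings.ToLower(path)
	best, bestLen := Public, 0
	for prefix, lvl := range folderLevel {
		if strings.HasPrefix(p, prefix) && len(prefix) > bestLen {
			best, bestLen = lvl, len(prefix)
		}
	}
	return best
}

// Keyword filter: any hit lifts the document to Confidential (spam-filter
// style scoring would weight the hits instead of treating one as decisive).
var confidentialWords = []string{"confidential", "vertraulich"}

// ContentLevel classifies by what is in the document and says why.
func ContentLevel(text string) (Level, []string) {
	lvl, reasons := Public, []string{}
	lower := strings.ToLower(text)
	for _, w := range confidentialWords {
		if strings.Contains(lower, w) {
			lvl, reasons = Confidential, append(reasons, "keyword:"+w)
		}
	}
	if cards := CardNumbers(text); len(cards) > 0 {
		lvl, reasons = Confidential, append(reasons, fmt.Sprintf("card-numbers:%d", len(cards)))
	}
	return lvl, reasons
}

// Classify combines content and context: the higher level wins.
func Classify(path, text string) (Level, []string) {
	lvl, reasons := ContentLevel(text)
	if ctx := ContextLevel(path); ctx > Public {
		reasons = append(reasons, "folder:"+ctx.String())
		if ctx > lvl {
			lvl = ctx
		}
	}
	return lvl, reasons
}

func main() {
	// Constructed sample document: one real-looking card number, one that fails Luhn.
	lvl, why := Classify(`z:\team\sales\offer.txt`,
		"Confidential draft, card 5555 5555 5555 4444, phone 1234 5678 9012 3456")
	fmt.Println(lvl, why)
}
```

The reasons slice is what an operator (or the works council) would want to see in the log instead of the document text itself: it explains the decision without copying the content.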
Conclusion
We see an urgent need for enterprise-wide USB protection and see advantages in a DFP solution that is not bound to one interface such as USB or FireWire.
We see a need for the protection of data using EDRM, but the integration into our architecture has to be simplified, maybe using RBAC.
Both products complement each other. Both products will merge into one suite in the future, where data is classified by content and context and protected at application level.

No protection against analog attacks: neither EDRM nor DFP stops an authorised reader from photographing the screen or retyping the content.

Questions - RMS
Contact: Frank Thilo Müller, Security Engineer; Volker Schwarzhaupt, Head of Identity Management, E.ON IS
Information Rights Management Group on XING: https://www.xing.com/net/irm/

Backup Slides

RMS process - First-Time Authentication
1. Smartcard login (AD)
2. Successful authentication
3. Connecting to RMS for the first time (RMS server with MS SQL)
4. Generating the machine certificate (lockbox) and installing the RMS client
E.ON PKI: certificate issuance; certificate delivery and maintenance process

RMS process - User Registration
Per user (User 1, User 2, ..., User XXXX), each ending up with a lockbox, a RAC and a CLC:
1. E.ON PKI
2. Machine certificate (lockbox)
3. User certificates (E.ON PKI)
4. User certificate (RAC)
5. First RMS usage (CLC; RMS server with MS SQL)

DRM Delivery Process (offline process)
1. The RMS-enabled application defines the policy.
2. The document is delivered to the receiver together with its publishing license.
3. The receiver requests a use license by sending the encrypted publishing license to the RMS server (MS SQL).
4. The RMS server decrypts the publishing license.
5. The RMS server checks permissions (RAC: sender and receiver user certificates from the E.ON PKI; lockbox: machine certificate).
6. The RMS server encrypts the use license.
7. One use license per user.
8. The DRM application's lockbox decrypts the use license; the user is bound to the policy, and offline usage is now possible.

Terminology Review
Lockbox: unique per-machine security DLL; stores the machine's private key
RAC: user's RM Account Certificate; identity of the user (one per user)
CLC: user's Client Licensor Certificate; copy of the RMS server's public key for publishing (one per user); also contains the publishing key pair for the user
PL: document's Publishing License; where the rights and the content key are stored (one per document)
UL: Use License; where the user's copy of the content key is stored (one per document per user)

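The publishing-license / use-license exchange of the delivery process slide and the terminology above, with the per-user rights and time constraints from the EDRM definition, as an added example in Go. This is not Microsoft RMS code: the real system uses XrML licenses signed with the CLC and its own primitives. Assumptions made here: the policy is a JSON list of grants, the content key is wrapped with RSA-OAEP, the policy bytes serve as the OAEP label so that a tampered policy can no longer unwrap the key (a stand-in for the signature on a real PL), and AES-GCM protects the document body. Keys, user names and the document text are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Added example, not Microsoft RMS code. JSON grants, RSA-OAEP key wrapping with
// the policy as OAEP label and AES-GCM for the document body are assumptions.

type Grant struct { // one policy entry: who may do what, until when
	User    string    `json:"user"`
	Rights  []string  `json:"rights"`
	Expires time.Time `json:"expires"`
}

// PublishingLicense (PL) travels with the document. Policy is the JSON grants in
// clear; WrappedKey is RSA-OAEP(serverPub, contentKey, label = Policy), so a PL
// whose policy was altered in transit no longer unwraps on the server.
type PublishingLicense struct{ Policy, WrappedKey []byte }

// UseLicense (UL) is issued per user: the granted rights plus the content key
// re-wrapped as RSA-OAEP(userPub, contentKey, label = User).
type UseLicense struct {
	User       string
	Rights     []string
	Expires    time.Time
	WrappedKey []byte
}

// genKey makes a 2048-bit RSA key pair (licensing server key, or a user's RAC key).
func genKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// Publish (steps 1-2): encrypt the document with a fresh content key and wrap
// that key to the licensing server key carried in the author's CLC.
func Publish(serverPub *rsa.PublicKey, grants []Grant, doc []byte) (PublishingLicense, []byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return PublishingLicense{}, nil, err }
	policy, _ := json.Marshal(grants)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, policy)
	if err != nil { return PublishingLicense{}, nil, err }
	ct, err := aesSeal(key, doc)
	return PublishingLicense{Policy: policy, WrappedKey: wrapped}, ct, err
}

// IssueUseLicense (steps 4-7, licensing server): unwrap the content key, check
// the requesting user's grant, re-wrap the key to that user's RAC key.
func IssueUseLicense(serverPriv *rsa.PrivateKey, pl PublishingLicense, user string, userPub *rsa.PublicKey, now time.Time) (UseLicense, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, pl.WrappedKey, pl.Policy)
	if err != nil { return UseLicense{}, fmt.Errorf("publishing license rejected: %w", err) }
	var grants []Grant
	if err := json.Unmarshal(pl.Policy, &grants); err != nil { return UseLicense{}, err }
	for _, g := range grants {
		if g.User != user { continue }
		if now.After(g.Expires) { return UseLicense{}, errors.New("grant expired") }
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, key, []byte(user))
		if err != nil { return UseLicense{}, err }
		return UseLicense{User: user, Rights: g.Rights, Expires: g.Expires, WrappedKey: wrapped}, nil
	}
	return UseLicense{}, errors.New("no grant for user")
}

// Consume (step 8): the lockbox unwraps the key and the application performs the
// requested right only if the UL lists it. Enforcement sits in the trusted
// client, which is the boundary of the model (see "analog attacks").
func Consume(userPriv *rsa.PrivateKey, ul UseLicense, ct []byte, want string, now time.Time) ([]byte, error) {
	if now.After(ul.Expires) { return nil, errors.New("use license expired") }
	granted := false
	for _, r := range ul.Rights { granted = granted || r == want }
	if !granted { return nil, fmt.Errorf("right %q not granted", want) }
	key, err := rsa.DecryptOAEP(sha256.New(), nil, userPriv, ul.WrappedKey, []byte(ul.User))
	if err != nil { return nil, err }
	return aesOpen(key, ct)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// aesSeal returns nonce || ciphertext || tag; aesOpen reverses it.
func aesSeal(key, pt []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, pt, nil), nil
}

func aesOpen(key, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if n := gcm.NonceSize(); len(ct) >= n { return gcm.Open(nil, ct[:n], ct[n:], nil) }
	return nil, errors.New("ciphertext too short")
}

func main() {
	server, bob := genKey(), genKey() // licensing server key, receiver's RAC key
	now := time.Now()
	pl, ct, _ := Publish(&server.PublicKey, []Grant{{"bob@example.com", []string{"read"}, now.Add(24 * time.Hour)}}, []byte("constructed M&A draft"))
	ul, _ := IssueUseLicense(server, pl, "bob@example.com", &bob.PublicKey, now)
	pt, _ := Consume(bob, ul, ct, "read", now)
	_, denied := Consume(bob, ul, ct, "print", now)
	fmt.Println(string(pt), denied)
}
```

Two points the slides make become visible in the code: the server never sees the document, only the wrapped content key, and "revoke access" is only as good as the expiry in the UL, because once the lockbox holds the key the offline client is enforcing the policy on its own.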
Topology - Generic Architecture
Certification A (Forest A, MS SQL), Certification B (Forest B, MS SQL), Certification n (Forest n, MS SQL)
Licensing cluster (MS SQL)
Central AD repository: user permission check for licensing

Architecture
Certification A (Forest A): MS SQL, two virtual servers; connector synchronising e-mail addresses
Certification B (Forest B): MS SQL, two virtual servers; connector synchronising e-mail addresses
The certification servers exchange server keys and establish trust.
Licensing: MS SQL, 2-n virtual servers (location?), at least two; HSM (Hardware Security Module) appliances protect the keys and improve encryption performance
Central AD repository

DFP Solution Architecture
~100 Digital Guardian agents on laptops and PCs
Activity monitoring
Database
Web-based administrative access
Digital Guardian (DG) policies and rules
Digital Guardian Management Console (DGMC)