Sanford Bingham

Recent Posts

Microsoft RMS: Standard or Stranglehold?

Posted by Sanford Bingham

 

pdf.pngSave a print-friendly version of this post (PDF)

 

“Standards allow different layers to evolve independently and therefore faster and better.”

- Sir Tim Berners-Lee, Founder and Director of the W3C

 

The World Wide Web is built upon standards, at every level. Because of Web standards, users can access information from multiple different browsers on a variety of platforms and operating systems, and organizations can choose from a diverse set of servers and databases to host content. This arrangement has worked well for more than twenty years, encouraging innovation and competition—as long as the information being served is intended to flow freely and without restriction. However if the contents’ owners want to control access to their information through encryption and authentication, the interoperability of the Web breaks down. The means of decrypting content for secure viewing has always required a separate, proprietary viewer or plug-in, because there is no Web standard for rights management at the file level.w3cSmall.png

Opinions differ on the wisdom and feasibility of implementing DRM for consumer content on the Web (although the channeling of rights-managed content into closed platforms such as Amazon Kindle and Apple iBooks has rendered opposition somewhat futile), but the absence of a security standard in the enterprise has created a vacuum into which a private corporation (namely Microsoft) could come to dominate the creation, distribution and consumption of information from end-to-end. Imagine a scenario in which the entire document workflow of the Fortune 1000 is beholden to a single vendor for its authoring applications, user identity management, decryption keys, usage data and other private and proprietary information.

Aside from wiping out entire categories of cloud storage platforms and security vendors, a private monopoly in rights management technology would prevent its customers from choosing among workflow and server technologies, and put their data at risk of a potentially catastrophic security breach if any vulnerabilities were exploited. The vast majority of encrypted documents would be secured with a single proprietary method. Further, such a monopoly would threaten the fundamental framework of the Web, which was originally designed to enable servers and clients on different platforms, from different vendors, to speak to each other in a common language. Without a published standard for handling encrypted documents on the Web, it becomes possible, even necessary, to limit usage to a single viewer or editor—the one sold by the same vendor of the productivity suite, identity framework and encryption tools.

 

The Mirage of Cloud Security

How could we be at risk of a rights-management monopoly, when the cloud era has disrupted incumbent vendors and the dominant players now encourage integration via open APIs? In his blog post from 2013 “The Rise of The Cloud Stack,” Aaron Levie of Box proclaimed “From this diversity of systems, customers will get choice, and with this choice we’ll see better applications and solutions emerge. At a lower cost, and at a higher quality.” The cloud stack was supposed to free us from single-vendor “ecosystems” so we could migrate between increasingly sophisticated platforms. But as we will see, the lack of a standard document security protocol has instead resulted in a Babel-like city of secure towers that don’t speak the same language, and therefore can’t interoperate.

cloud-platforms.png

First, let’s look at how cloud services handle user identity management, because any workable rights management scheme depends on user identity to determine whether or not to decrypt a file. One of the keys to the evolution of the cloud stack is the availability of what Gartner Group has named Identity and Access Management as a Service (IDaaS). Using an IDaaS service, a company can create a Single Sign-On (SSO) system for a variety of different, and often interconnected, cloud applications. With a single login, a user might now update a record in Salesforce, triggering an alert in Slack, updating a spreadsheet in Google Docs and a report in Box.

From the perspective of a network administrator, it is necessary that these new workflows also be auditable and their use controlled. So the “Access Management” part of IDaaS has become an important new element of the information security toolkit. In the example above, it is also critical that the administrator be able to revoke access to all the applications in that workflow all at once. In the current environment the granularity of IDaaS is normally at the application level; i.e. the IDaaS vendor controls access to the cloud provider itself, with that cloud provider managing access internally based on the identity provided.

In some cases, the cloud vendor may implement access control at the document-level, but the identification and permissioning of documents is specific to that environment. That is, there is no mechanism exposed by IDaaS vendors by which a document exported from Google Docs and imported into Box or Dropbox can be tracked or controlled as it moves from one environment to the next. Every cloud provider that offers some form of DRM is an island, and every protected document is trapped on that island.

 

RMS: Bundling Security and Identity

If there is no standard for document-level security in the cloud, what about behind the firewall, in the enterprise? There are multiple competing approaches to Enterprise Document Rights Management (EDRM), including the one developed by my company, FileOpen Systems. Each is functionally a silo; there is no standard for DRM interoperation. Among the EDRM solutions, the largest (by installed base or market share) and best-known framework is Microsoft Rights Management Services (RMS). It can certainly be argued that RMS is the de facto standard for controlled distribution of MS Office documents; the question is whether it can or should be the basis of a more formal web standard.

Microsoft RMS is a framework for DRM implemented natively in the Microsoft Office suite of products and also by third parties for some PDF viewers. The RMS software was introduced in 2003, evolving from and ultimately replacing an eBook DRM system, Microsoft Reader, which was introduced in 2000 and discontinued around 2007. Today RMS is predominantly, perhaps exclusively, focused on enterprise use-cases and workflows. The functionality was originally bundled into Windows Server 2003 and remains a part of the core Windows Server product. The RMS system is also tightly integrated with Microsoft's Active Directory product, indeed is formally named "Active Directory Rights Management Services" (AD RMS).

RMS-workflow.png

The tight integration of RMS with Windows Server has impeded adoption by entities not primarily using the Microsoft stack; RMS cannot be implemented directly in environments using Linux, or other Unix derivatives, at the server. Further, the reliance upon Active Directory has reduced the utility of the system for external document distribution, insofar as the Active Directory environment of the document creator and that of the document consumer are rarely integrated. Microsoft is now addressing this concern via the federation of Active Directory networks using Azure Active Directory (Azure AD) and the cloud version of RMS (Azure RMS). These cloud-based systems for identity management and DRM are intended, among other things, to simplify the process of distributing encrypted content outside the firewall.

Microsoft has also integrated the RMS functionality into a number of clients on desktop and mobile platforms, under the banner “Office everywhere, encryption everywhere.” This initiative addresses both document security in the MS Office suites and message security in the Microsoft mail clients, via S/MIME. Viewing of RMS-protected documents on iOS can now be done in third-party viewer applications or with Azure RMS in the Microsoft Office applications for Mac, iOS and Android.

Support for PDF files in the RMS environment is implemented via partners, including Foxit, Nitro and Nuance, and in Adobe Acrobat/Reader via a plug-in from GigaTrust. RMS-encrypted PDF cannot be opened in the Microsoft Reader application, which is the default handler for PDF on Windows 8.1 and later, nor by the embedded PDF viewer in Microsoft Edge (or any other browser).

 

Standard or Stranglehold?

The presence of the RMS client in the primary Microsoft Office applications enables workflows in which effectively any user can distribute encrypted content to any other user, without a requirement that either install new software. No other DRM system can make that claim. And while this situation is reminiscent of Microsoft’s bundling of Internet Explorer with Windows, which was ultimately sanctioned by the US courts, the integration of Microsoft’s DRM into Microsoft’s Office applications has not been the subject of any antitrust actions. So it is likely that the bundling will continue, and continue to be an advantage for Microsoft in the enterprise, as long as Office remains the primary vehicle for document creation and collaboration.

Similarly, the bundling of RMS with Windows Server and Active Directory is not optional, as the RMS functionality depends upon proprietary logic in the Microsoft Server stack. Use of RMS with any alternative webserver is not supported. We assume that Microsoft tightly integrated the RMS client and server functionality in order to increase the security and reliability of the system rather than as a competitive strategy, but the result is indistinguishable. There is no set of APIs and no licensing framework that would permit an independent vendor to create an alternative to the Microsoft implementation of RMS in Windows Server, or a cloud service that could be used as a replacement for Azure RMS.

While the original on-premises version of RMS required use of Active Directory for identity provision, the Azure RMS product offers the option of a federated identity mechanism, meaning that other IDaaS vendors can be integrated into an RMS workflow. However, by design, all DRM interactions involving the Azure RMS client/server exchange require a token from the Azure RMS server. So while an alternative identity provider may be provisioned, there is no mechanism in either RMS or Azure RMS for that identity provider to also manage the permissions on the document. In short, the RMS client and server cannot be decoupled.

openvsclosed.png

As a result of these Microsoft design choices, it is not possible for an entity that chooses not to use Microsoft Server to implement RMS inside the firewall, nor is it possible for an entity using Azure RMS to operate with full independence from Microsoft. An IDaaS vendor can provide primary identity management, but cannot independently provide access control at the document level, as this capability necessarily involves the sharing of user and client data with Microsoft.

 

An Alternative: Standards-Based DRM

Microsoft’s approach is fundamentally at odds with the core design of the World Wide Web, which is premised on the loose coupling of client and server functionality. It is, for example, inconceivable today that a browser vendor would attempt to require use of a particular, and proprietary, server in order to implement SSL. An entity publishing data on the World Wide Web today can exert complete control over the code used at the webserver, to the point of having the option to write that code anew in any language and run it on any hardware, provided that the result properly implements the required protocols, all of which are public.

It follows that any attempt to create a standard system for DRM on the World Wide Web would, at a minimum, need to support this degree of client/server independence. However, DRM systems are rarely designed around open interfaces, at least partly due to a tendency to think that the most secure system is one in which the developer has control over both ends of the client/server interaction. Moreover, DRM differs from standard cryptographic implementations because one side of the interaction, the client, is not necessarily a willing participant in the secrecy of the conversation, and indeed may be an adversary.

So a completely open source DRM system is likely to be impossible. What can work, as demonstrated by the implementation chosen for the W3C Encrypted Media Extensions (EME), is the combination of a compiled binary client library and an open interface to an arbitrary key management system. EME is now embedded in multiple applications and platforms, and allows content distributors to manage protected video files using one or a combination of key management and delivery systems (Google Widevine, Apple FairPlay, Microsoft PlayReady, Adobe Primetime, etc.)

 

The FileOpen Rights Management Layer

The original design of the FileOpen DRM software, first articulated in 1997, described the same general architecture. FileOpen rights management was explicitly designed to work with any external identity provider, and to permit the entity encrypting documents to specify all relevant metadata (e.g. document identifiers, encryption keys). In the company’s early years, the only way to implement FileOpen software was to develop a custom server to manage customer and document identities and to implement business logic governing usage. Today, commercial "PermissionServer" implementations are available in .NET and PHP, and multiple cloud services are built around the FileOpen Client and protocol, which is published.

The architecture of FileOpen rights management is such that is not tied to any particular document format or viewing application. This differs markedly from Microsoft’s approach, which developed RMS for its own Office applications and has demonstrated a clear bias toward those applications with respect to competing tools (e.g. LibreOffice) and formats (e.g. PDF). We believe that decoupling the rights management protocol from the document format and viewer vendor enables organizations to share documents securely with the broadest set of users, inside and outside the firewall. It also protects publishers and document creators from a potentially costly “lock-in” to the format vendor, who would control the keys to encrypted documents and store private data about their end-users.

FileOpenCloud.png

Moreover, because the FileOpen software does not rely upon any particular identity provider, it can be implemented natively by any IDaaS vendor. All such implementations are independent and private, in the sense that information about users/documents/permissions is fully controlled by and visible only to that vendor. Interoperation between IDaaS implementations, or between IDaaS vendors and cloud application providers, or between different cloud application providers, is likewise possible without direct involvement of FileOpen Systems, using the published interfaces of the system.

While FileOpen rights management is not yet a standard, it was designed and continues to be developed around the principles that underlie Web standards. In fact, one of the first and largest sectors to standardize on the FileOpen software is the community of Standards Developing Organizations (SDOs; e.g. ANSI, ASME, Afnor, DIN, etc.). Ultimately, the FileOpen software was designed not to be an end-to-end secure publishing system, or even a complete system for DRM, but a flexible component that can be integrated to extend the functionality of such systems--one thread in a larger, interconnected, Web.

 

Learn more about FileOpen rights management architecture and implementation options for Microsoft Office documents

Contact us for a demo of FileOpen Rights Management for Office

 

 

Topics: document control, drm, Rights Management, cloud, Microsoft RMS

At SPAB 2016, FileOpen CEO Sanford Bingham Asks Standards Publishers: "What Would a Standard for DRM Look Like?"

Posted by Sanford Bingham

Last week I had the honor of speaking to an international group of standards organizations at the Standards Publishing Advisory Board (SPAB) annual meeting, hosted by our partner IHS. Standards Developing Organizations, or “SDOs”, are responsible for disseminating the documents that describe their industry’s or their country’s standards for building, manufacturing, military equipment, and so on (in the U.S., you may have heard of ANSISAE, and ASME standards). Thanks to standards, we have consistency and interoperability in the products and systems we use every day. 

Because of the mission-critical nature of their content, standards publishers are among the most exacting customers a technology company can have, and the choices they make can influence which innovations are successful in the publishing industry at large. Our host, IHS, is one of the largest resellers of standards documents, aggregating the work of hundreds of SDOs and expanding their reach with ecommerce portals and other technical enhancements.SPABlogo.jpg

This may seem like a quiet, boring segment of the publishing industry, but it is anything but. At the heart of standards publishing is a conflict between making essential information widely available to the technicians whose jobs depend on it, and the necessity of earning and protecting revenues for the standards bodies and the publishing companies that serve them.

Opinions run strong among the different SDOs as to how to achieve these dual goals—use DRM technology to prevent unauthorized sharing and uploading to sites with pirated documents? Or pursue copyright enforcement through legal channels, after a breach has been discovered? These questions have led to heated debates among SDOs and standards publishers, but as a community they resemble the U.N., ultimately seeking consensus on important issues (which is, after all, what standards are about). 

From the Format Wars to the Race to Be Everywhere: 20 Years of DRM 

The SPAB audience included many long-time FileOpen customers, as well as DRM skeptics and smaller SDOs who are just beginning to explore technology to protect their intellectual property. Rather than get into a philosophical debate about DRM, I presented a history of digital publishing and the facts of where we are today:

SPAB20Years.001.png

 

The upshot of this 20 year history is that the publishing landscape has become so complex, it is impossible (or would be foolish) for a publisher to choose one distribution channel or file format to distribute their content. Worldwide, the market share of viewing devices and web browsers is fragmented and in flux, with no clear winner (for example, Windows still dominates the desktop OS market, Android vastly outpaces iOS in smartphone operating systems, and Chrome is inching out the competition among Web browsers).

Even Adobe Reader’s market share of the PDF viewer market is being challenged by a long list of 3rd party viewers, many of them implemented without full adherence to the published PDF specification, which can lead to unpredictable changes in document display and behavior. The fracturing of the PDF landscape is both forcing and enabling publishers to provide content in other formats. For example, the Chrome browser does not support complex or DRM’d PDF files, but does include the Flash runtime (even on Linux). Likewise, nearly all mobile devices now have an HTML5-capable browser, so the explosive growth of those devices also creates an enormous new delivery platform. But on non-mobile devices, the HTML5 environment is less secure than either Flash or PDF, so the new environment also imposes a requirement that delivery software positively identify mobile devices as such.

Playing Whack-a Mole with Copyright Infringers

Meanwhile, piracy of standards documents continues to run rampant. Several SDOs described efforts to scan the web for illegally uploaded copies of their content, then sending DMCA (Digital Millennium Copyright Act) takedown notices to the owners of the host websites. One SDO reported having sent more than 150,000 such requests with a compliance rate of less than 50% (most of the sites are outside of the US so not governed by the DMCA legislation). 

So what is a standards publisher to do, and what role can DRM possibly play? The complexity of the publishing landscape poses a big challenge, but also an opportunity to embrace that complexity and use technology to serve the widest possible viewing audience. We’ve been working with a select group of standards publishers to develop a protected publishing system that is invisibleflexible and future-proof. 

FileOpen DocServer (currently in beta) will enable publishers to deliver content seamlessly to the widest range of devices and viewers, with the degree of security they choose, for the best possible end-user experience. Instead of publishing documents based on predictions of users’ devices and platforms, DocServer is based on a “detect, encrypt, deliver” model that serves documents dynamically based on the end-user environment. 

Ultimately, our goals are aligned with those of the standards publishing industry—to enable a frictionless experience for the users consuming documents, while employing technology quietly in the background to preserve the intellectual property and revenues of SDOs and publishers. I closed my talk with a question for the audience: “What would a standard for DRM look like?” We are looking forward to working with our partners to solicit feedback and help define a standard for DRM—because often real progress is the product not just of competition, but of consensus. 

 

Contact Us for a sneak preview of "The New DRM"--FileOpen DocServer

Topics: FileOpen, drm, pdf, Rights Management, Standards Publishing, SDOs

FileOpen Client 0924 for Adobe Acrobat/Reader Released (Win)

Posted by Sanford Bingham

We have released an updated FileOpen plug-in for Adobe Acrobat and Reader on Windows. The Client, Build 0924, implements support for the latest Adobe Acrobat/Reader and Microsoft Windows releases. Specific improvements include:

  • Support for Acrobat/Reader XI
  • Support for Windows 8
  • Assorted bug fixes and minor improvements.

This update replaces the 0920 release from June 2012. FileOpen licensees are encouraged to push this update to their users who are upgrading to Adobe Reader/Acrobat 11. Previous versions of the FileOpen plug-in may not be supported by Adobe Reader/Acrobat 11. 

 

FileOpen Client 0924 is backward-compatible to Adobe Reader/Acrobat 7.

Topics: FileOpen plug-in, Adobe Reader 11, Acrobat 11

FileOpen Client 0917 Released

Posted by Sanford Bingham

We have released an updated FileOpen plug-in for Adobe Acrobat and Reader on Windows. The Client, Build 0917, implements a few patches and bugfixes. Specific improvements include:

    • Improvements to Dynamic Watermarking functionality including the addition of finer-grained color management and imposition of control over fill and stroke, plus a new mechanism for handling page content with complex content arrays.
    • Support for retrieval of cookies in the Google Chrome browser.
    • Improvement to the retrieval of Offline Permission under Reader X protected mode.
    • Additional modifications to eliminate known conflicts with other applications when kernel-level screen capture prevention is invoked.
    • Modification to the .msi installer mechanism to improve detection of Acrobat/Reader.

This update replaces the 0914 release from October 2011.

Topics: FileOpen plug-in, Client Release

New FileOpen Client for Adobe Acrobat and Reader

Posted by Sanford Bingham

FileOpen Systems has released an updated plug-in for Adobe Acrobat and Reader on Windows. The Client, Build 0914, implements minor new functionality, along with multiple patches and bugfixes. Specific improvements include:

    • Addition of new font, color and placement options for Dynamic Watermarks, including an option to store watermarks in Offline Permission with logic to insert current date/time and other data while offline.
    • Improved management of Reader X “protected mode” and Internet Explorer protected mode, enabling full operation including retrieval of cookie data when both programs are in protected mode, also improved cookie handling under Firefox.
    • Architectural modifications to enable the Broker process to operate under Reader X for multiple users on thin-client systems (Citrix XenApp, MS Terminal Server)
    • Modifications to eliminate known conflicts with other applications when kernel-level screen capture prevention is invoked.

This is the first update to the Windows Client for Acrobat and Reader since the 0900 release in March 2011.

Topics: adobe reader, FileOpen plug-in, Client Release, Adobe Reader X protected mode

FileOpen Systems Releases Updated Client Plug-in

Posted by Sanford Bingham

FileOpen Systems has just released the 0900 plug-in to Adobe Reader and Acrobat for Windows, which introduces important new functionality including real-time watermarking, tightened control over screen capture, and full compatibility with Adobe Reader X.

get FileOpen plug-in

Adobe Reader X on Windows includes a new security feature, "protected mode," which is designed to limit the ability of malicious code to infect systems via PDF files. The new FileOpen plug-in operates fully in protected mode, which is the default configuration of Adobe Reader X.

Importantly, Adobe released a security advisory on March 14, 2011 (http://www.adobe.com/support/security/advisories/apsa11-01.html) describing an exploitable vulnerability in the Flash player. The same vulnerability can also affect Adobe Acrobat and Adobe Reader 9, which bundle the Flash player, and Adobe Reader X if operating outside of protected mode.

According to Adobe, "this vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system." They go on to say that while Adobe Acrobat and Reader have not been directly targeted, "Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing."

As a precaution, we strongly recommend that all publishers of FileOpen-protected PDFs distribute this new client to their end-users. Recipients of secured PDFs may also install the new plug-in directly from http://plugin.fileopen.com, then confirm that the box is checked at Edit>Preferences>General>Enable protected mode at startup.

Documents distributed with older versions of the FileOpen plug-in are forward-compatible with the new plug-in, so end-users do not need to obtain new documents or permissions from the publisher.

Topics: Client Release, Adobe Reader X protected mode

RIM's "PlayBook" Will Extend FileOpen's Reach on Handheld Devices

Posted by Sanford Bingham

playbookThis week Research in Motion announced a tablet device, named the “BlackBerry PlayBook”, that appears to exceed the specifications of the iPad in every respect other than screen-size. The device, which will debut in the second half of 2011, will have a dual-core processor and 1Gb of memory, a variety of input/output ports, and two cameras (i.e. the ability to videoconference).

Most important for our customers, the PlayBook will run Flash 10.1, and therefore should support both the FileOpen Viewer and our recently released BlackBerry client. This would enable distribution of the same FileOpen-encrypted document to the BlackBerry, PlayBook, and on standard Windows/Macintosh/Linux computers.

The PlayBook will work immediately with BlackBerry Enterprise servers. It runs a Unix-derived microkernel operating system (QNX) that RIM acquired along with the company of the same name earlier this year. Reports describe the OS as extremely secure and capable of true multitasking, something the iOS can’t currently provide. The seven inch screen is smaller than the iPad’s by two inches, but this may be intentional (there are rumors that the next version of the iPad will include a model with a seven-inch screen). 

Check out our press release announcing our support of the BlackBerry platform for document distribution, and stay tuned for more announcements as we extend secure document sharing to the world of smartphones and tablets.

Topics: document control, FileOpen, blackberry, pdf security, RIM, Research in Motion, PlayBook

FileOpen for Handhelds

Posted by Sanford Bingham

This week FileOpen Systems is releasing FileOpen Document Control fileopenbbfor Blackberry™, the first of several implementations of our software for handheld devices. This product release is the first example of general architecture that we expect will permit the expansion of the FileOpen footprint to include a variety of devices and systems. The key idea behind this design can be summed up as “Adapt to the incumbent viewer.”

This is not a new idea, of course: FileOpen has always adapted to the incumbent PDF viewer on the PC/Mac/Linux platform, which is Adobe Acrobat/Reader. However, there currently is no Adobe Reader for Blackberry™. Adobe has released a viewer for the Android OS, which also uses the Java language, so the possibility exists that we’ll see an Adobe Reader for Blackberry™ in the near future. At the moment there are two incumbent viewers on the BlackBerry™ platform:  BeamReader (www.slgmobile.com) and RepliGo (www.cerience.com). Neither product is free (both cost about $15 for a perpetual license), but both do a good job of rendering a PDF entirely on the local device.

Our initial intent had been to create a “FileOpen PDF Viewer” for the BlackBerry™, i.e. to display documents in our own application. However, as the development got underway we discovered that the BlackBerry OS doesn’t permit more than one application to be registered for a particular file type, so if we were to deliver a FileOpen PDF Viewer any user who installed that application would be forced to use it to display all PDFs (even those not encrypted by FileOpen). We could also have changed the file extension from PDF to something else, but doing that violates some of our core design principles (we work with native formats) and doing so for only one device would be a recipe for end-user confusion.

Even if we could, FileOpen Systems has no desire or incentive to displace the incumbent players in the BlackBerry™ PDF viewer market, or even to favor any single player over any other. So we decided on an approach that would allow our application to work with any and all viewers that support the required Java Mobile Edition (JME) functions for interapplication communication. On BlackBerry™ devices where a compliant PDF viewer is present, PDF files encrypted by FileOpen can now be authenticated and modified by our application, then opened and displayed in the incumbent viewer.

Going forward we think this approach will simplify the development of solutions for other handheld devices. Look for more announcements in this space in the coming weeks.

Find out more about FileOpen Document Control for Blackberry™

Request a 30-Day Free Trial of FileOpen Document Control for PDF and Blackberry™!

Topics: document control, FileOpen, blackberry, drm, pdf security, pdf encryption, pdf, RIM

Computerworld Interviews FileOpen Customer for ERM Article

Posted by Sanford Bingham

 

We'd like to thank Elisabeth Horwitt for her mention of FileOpen Systems in a recent Computerworld article, "Enterprise rights management and keeping data in-house," and also to thank Paul Chow of BCA Research for his comments about his company is using FileOpen software in the same piece. 
 
The article describes some of the challenges around Enterprise Rights Management from an IT perspective. It also illuminates one of the important trends now emerging, the interplay between Digital Loss Prevention (DLP) and ERM/DRM. FileOpen has just made available a whitepaper on that subject, "FileOpen and Data Loss Prevention," which explores how the two approaches can complement each other.

Computerworld approached FileOpen customer Paul Chow at BCA Research, who explained why they chose FileOpen's DRM over alternative solutions;

BCA, for example, stopped using LockLizard's IRM product because it required installing a proprietary PDF reader that was not Adobe's, Chow says. "For our client base, that just wouldn't work." In contrast, FileOpen supplies a plug-in to users' existing Adobe readers that can be installed in 30 seconds, he adds.

The article underscores the importance of choosing DRM software which provides tools for managing users and permissions policies, a feature FileOpen has long provided and is soon to release in a web-based interface.

Topics: FileOpen, DLP, digital loss prevention, Computerworld

Alternative PDF Viewers Lag Behind Adobe Reader in Security

Posted by Sanford Bingham

pdf viewersOur colleague Vivek Unune has pointed out yet another attack related to PDF files. 

This one is a bit unusual in that it exploits a PDF language feature (launch action for embedded files), rather than a specific vulnerability. This means that it impacts not only the Adobe Reader, but probably all full-featured PDF viewers (though not all PDF viewers are full featured, see below).

At least one PDF viewer, Foxit Reader, appears to be more vulnerable to this particular exploit than the Adobe Reader. This is not unusual:  most of the PDF exploits that have been uncovered so far, especially the ones related to JavaScript, affect most, if not all, other PDF viewers at least as much as they do the Adobe viewer (http://www.pcworld.com/businesscenter/article/160977/foxit_pdf_viewer_also_open_to_attack_say_researchers.html).

This particular attack requires that the user actively allow the exploit to run, though as the author points out it is quite possible to mask this in such a way as to make it likely that users will go along (and in Foxit the exploit just runs, with no user interaction required). Preventing the exploit in the Adobe viewer is relatively simple (uncheck the box at Edit>Preferences>Trust Manager: Allow opening of non-PDF file attachments with external applications).

The reason one hears so much less about other vulnerable PDF applications is presumably that they are much less widely used.  While there are a great many PDF viewers (see http://en.wikipedia.org/wiki/List_of_PDF_software), only one of them has any significant market share. I can't cite any real data for this claim (if anyone has statistics on penetration levels please send it), but my guess is that the distribution of PDF viewers is similar to that in the Office productivity market (MS Office vs. Corel and Open Office etc.), where the Microsoft share is about 80% overall (see http://www.webmasterpro.de/portal/news/2010/02/05/international-openoffice-market-shares.html). In the PDF world I'd bet that the combined share of all non-Adobe PDF viewers is less than 10% of the total, with the Adobe viewer having the other 90%.

With this in mind I was intrigued to read a review by Duff Johnson of Appligent, http://www.appligent.com/talkingpdf-pdfreaderreview, in which he analyzes a few alternative PDF viewers and finds each of them wanting in many important respects, relative to Adobe's viewer. This functionality-gap is the result of Adobe having invented PDF and working with it longer, with more resources, than anyone else.

Just as we have seen Microsoft over the past five years, perhaps longer, make security a primary objective so too do we now see Adobe prioritizing the effort to stop vulnerabilities. Today the case can reasonably be made that Windows is the most secure OS available (see http://blogs.zdnet.com/hardware/?p=4146, http://www.oreillynet.com/windows/blog/2007/05/is_vista_more_secure_than_mac_1.html, etc.), and the same can be said about the Adobe 9.x viewers relative to all other PDF viewers. Adobe's statements around the beta of the next Acrobat release suggest that security will be an even more important part of that product, along with a variety of other features and functionality that we will discuss as soon as we are permitted to do so.

I should point out that FileOpen's encryption tools work with PDFs generated from a wide range of third-party PDF creation tools, in addition to Adobe Acrobat, as long as the PDFs are compliant with the PDF Specification, now an ISO standard. On the client-side, however, we currently support the Adobe Viewer for secure PDF viewing (in part for the security reasons mentioned above). We have also developed the FileOpen document viewer which can convert PDF content and display it securely in any Flash-enabled web browser, without any need for a client plug-in.

Topics: document control, FileOpen, pdf security, pdf encryption