1. IRMSECURE
Protect What You Share
N o r t h A m e r i c a
I R M S e c u r e
2 8 0 0 S k y m a r k A v e n u e , # 4
M i s s i s s a u g a , O n t a r i o , L 4 W 5 A 6
C A N A D A
Te l : +1 . 9 0 5 . 3 6 6 . 4 4 4 4 / F a x : +1 . 9 0 5 . 3 61 . 0 7 8 9
Europe
SecuLogica /IRM Secure
Werdener Strasse 8
40277Duesseldorf
GERMANY
Tel:+49.211.1780.7778
WWW.IRMSECURE.COMi n f o @ i r m s e c u r e . c o m
SecuLogica:
Technical Whitepaper
2. IRMSECURE
Protect What You Share
Contents
Executive Summary 2
Product functionality 3
Architecture 5
Solution Components 5
User hierarchy 6
Deployment alternatives 7
SecuLogica as a Service 7
SecuLogica On Premises 7
Hardware requirements 8
Deployment requirements 9
Double URL and IP 9
Enabling an e-mail agent 9
LDAP or Active Directory integration 9
Security 11
Infrastructure: High availability, physical and logical security 11
User login 11
Username and password 11
External ID Provider (OpenID / OAuth) 11
LDAP or Active Directory 12
Communications 12
Client to Server 12
Plugins to Core-Client 12
Encryption 12
Offline enabling 13
Availability window 13
Watermarks 13
Screen capture 13
Activity Log 13
Supported file types 14
SecuLogica Viewer 14
API for Plugins 14
Plugin MS-Office for Windows 14
Plugin MS-Outlook for Windows 15
Plugin AutoCAD 15
Browser Plugins (Internet Explorer, Firefox and Chrome) 15
Multimedia files 15
Supported devices 16
Advanced Features 16
“Protected” Folders 16
Sharepoint integration 16
Federation of Servers and trust relationships 17
How it works 17
External users 17
SecuLogica Server Repository 18
API for external service providers (or SecuLogica client for servers) 18
SecuLogica with Cloud services 19
SecuLogica Drag’ n Drop 20
Sharing photographs with SecuLogica 21
Licensing model 21
3. IRMSECURE
Protect What You Share
2
Executive Summary
SecuLogica is an IRM (Information Rights Management) solution that provides a technology standard for the
industry. It allows individual users and companies to control their files wherever they are. With SecuLogica, users
can protect and track the use of any copy of their documents and change, at their discretion, who can access
those files and what actions can be done with them.
It leverages and complements the latest technology trends: cloud, mobile, social as well as traditional IT envi-
ronments. It is designed for universal use for both corporate and private users being available for a wide set of
devices and file formats delivering maximum ease of use, smooth deployment and minimal or no maintenance
effort.
SecuLogica’s vision is to become a standard for protecting the information we share and store on the Internet.
Key elements for this vision are: Interoperability so that any SecuLogica user can exchange information with
anyone securely, be it a corporate or private user: Ease of use so that the technology can be used by anyone,
anywhere on any device and a groundbreaking Business Model.
4. IRMSECURE
Protect What You Share
3
Product functionality
SecuLogica helps its customers protect what they share by making the process as easy as possible.
SecuLogica delivers a solution that allows users and companies to keep control of their files wherever
they are, track the use of any copy of their documents, and change, whenever they want, who can access
and what actions can be done with their files.
SecuLogica is designed to provide both security and usability.
The design principles for the product are:
* Any document: the most relevant file formats are supported. Additional file extensions will be
added to address customer demand.
* Any device: PC, Mac, Tablets, Smartphones. It is available for all relevant platforms on the
market
* Any user: we serve corporate users and individual users in a federated manner. Everyone regis
tered on any SecuLogica enabled service can exchange information securely.
* Cloud ready: We integrate with most cloud services.
* Affordable: Our pricing model was designed to make SecuLogica cost effective for everyone.
We provide a free version of our product that enables anyone to share information securely
* Easy to use: with nearly no learning curve required to use the product/service
* Easy to deploy: can be acquired as SaaS or On Premise
* Secure: keys and documents are never together.
* Real time: Change in permissions has immediate effect.
SecuLogica implements three steps when protecting any type of file:
1. Encrypt the file with AES 128 or 256. This produces a copy of the file with a .proton extension.
This new file is the one exchanged with other users, the original file is no longer used for inter-
change. The .proton file can be shared by any channel such as email, USB, cloud services.
2. Define permissions on the .proton file: select the users or groups that can access it and estab
lish the actions that can be done by those users on the file
3. Both the key used to encrypt the file and the metadata with the users and permissions are
stored in the SecuLogica key server.
Every time a user wants to open a .proton file, the permissions for that user are checked and the access
restrictions applied.
The permissions are defined by the file owner. The concepts that can be enabled/disabled for a given
user or group of users are: Read, Print, Edit, Copy and Manage as follows:
5. IRMSECURE
Protect What You Share
4
* A document with READ permissions can only be viewed and cannot be modified. Screen capture preven-
tion techniques are used: the clipboard is disabled, “cut & paste” cannot be done and screen capture apps
are also disabled.
* A document with PRINT permissions can be printed and read but cannot be modified.
* A document with EDIT permissions can be modified but all changes are stored in the same protected file.
The same screen capture techniques as described for READ permission are applied. This will be useful for
documents that are distributed to a limited community of contributors that need to deliver modifications to
the document in a controlled manner.
* A document with COPY permissions can be modified and saved with a different name. This permission
effectively gives full access and rights to the document, making it possible to extract and copy its content.
* A user with MANAGE permission can define and change the permissions of a document. This allows dele-
gation of authority for managing permissions. The permissions that the user can manage for other users are
limited to the permissions he or she has been granted.
Permissions like forward, email or any other related to the transmission of the content are useless in the
SecuLogica working model as ALL content travels encrypted and permissions are centrally managed and
checked every time a file is opened.
This working model allows the file owner to remove/change permissions at any time. That change is applied
in real time to all copies of the file no matter how these copies have been shared.
Advanced features can be defined for additional file protection. Watermarks can be set for display and print.
Time window of accessibility can be defined for a document; nobody can access the file before the starting
date/time and after the ending date/time.
Offline access to files can also be defined.
Another important concept is the “Protected folder”. A folder can be created, protected and set permissions
in the same way as an individual file. Once the folder is created, every file stored in it will be automatically
protected with the same access permissions as the folder. This folder can be local, shared or cloud-based.
SecuLogica protects documents at rest, in motion and in use:
* Once a document is protected, the encryption is persistent on any type of storage media.
* Content is always protected as only encrypted information travels over the network.
* SecuLogica provides control when the files are in use. This is done using Plugins or viewers depending on
the file type. The user never gets full control of the file being accessed as the permissions are enforced by the
Plugin or viewer applicable to the file format.
SecuLogica does not store user files. It only stores the encryption keys, the permissions assigned
(who has access and what kind of access) and the document activity logs (who, when and how uses
your files).
6. IRMSECURE
Protect What You Share
5
SecuLogica is a client-server application.
The server is responsible for:
* storing the keys used for encryption
* managing user authentication and permissions
* storing activity logs
The client is the software installed on the user device and communicates with the server in order to:
* authenticate the user
* create and store a new key when the user encrypts a file
* retrieve the key when the user wants to access a protected file and has the required permissions
* send activity log events each time a user accesses the protected document
To show the content of the protected files the client application uses the SecuLogica viewer for some
types of files (images, PDF, plain text, HTML…). Other types of files are opened natively in the applica-
tion where they were created (Word, Excel, PowerPoint…); in this case a plugin is needed.
The application Plugins ensure the rights and configuration settings of the protected file are respected
when the file is accessed.
Solution Components
7. IRMSECURE
Protect What You Share
6
User hierarchy
Users can be registered in SecuLogica as standalone users or as users belonging to an organization.
Standalone users are the owners of the documents they protect (though they have the ability to transfer
ownership to other users). Standalone users of the SecuLogica public server can have a Basic (free) or a Premi-
um account. The premium profile provides full functionality to standalone users.
Users belonging to an organization are managed by one or more administrators. The files these users
protect belong to the organization and the administrators have control over user permissions and can access
the activity logs.
Supervisors of the organization have access to a control panel where they can do the following:
* manage groups of users in the organization
* manage permissions of the files protected by members of the organization
* access the activity log either by protected files or by users
Administrators of the organizations have the following permissions in addition to the permissions that a
supervisor has:
* manage the users in the organization and their profiles
* configure the organization settings
8. IRMSECURE
Protect What You Share
The supervisors and administrators do not necessarily have access to the documents; it is import-
ant to note that the roles of system administrators and security administrators can be separated.
The system administrator is responsible for the general configuration of the server, and one of his
functions is to configure the server so that it may be visible to other SecuLogica servers, thus
creating a server federation. This role allows creating new organizations or domains, and accessing
a complete log of the system activity, not only the activity related with documents.
Deployment alternatives
SecuLogica as a Service
SecuLogica is offered as a public service where, following the hierarchy of users described above,
home users, professionals and organizations coexist, using SecuLogica’s features without infrastruc-
ture ownership costs.
The SecuLogica service is provided from an infrastructure housed in professional data centers with
the highest levels of security and availability. More information on this is included in the Security
chapter.
SecuLogica On Premises
SecuLogica also is available to install in the customer’s facilities. The installation requires a software
license that determines the maximum number of users, expiration date, etc... This license includes
a unique server identification that allows federation between servers; for this purpose all licensed
servers are registered in a centralized repository.
SecuLogica is deployed in a fortified Linux-Debian system with the necessary scripts for easy setup
and updates. In order to ensure that the system remains updated with application upgrades and
system security patches, auto-deployable update packages are delivered from our servers.
The database management system used by the application is MySQL 5. The server application is
deployed in a Tomcat 7 web application server. In addition, an Apache 2 HTTP server is used to
manage all HTTP connections to the system.
Custom installation of the server, including customization of the client application, is also possible
with consulting and integration services.
If the On Premises deployment includes the Drag´n Drop service and/or the Web Client API, an
additional Windows Server 2012 R2 is required to deploy both services.
7
9. IRMSECURE
Protect What You Share
8
Hardware requirements
SecuLogica does not require a large amount of resources as the information passed in the
client-server communications use little bandwidth and the storage requirements are minimal. Storage
space required is based on the length of the log history a user wants to keep accessible online on the
server. Taking into account that every log record (created when you open a protected file, edit it,
change its permissions, etc.) requires approximately 300 bytes, a reasonable assumption is that 1GB
is enough to store around 1 million events.
Furthermore, since encryption and decryption of the files is performed locally, the server does not
require additional processing power more than the average amount required by web application
servers.
The Window Server 2012R2 for the Drag´nDrop service requires more computing power than the
SecuLogica key server as this has to decrypt and render the content to multiple users simultaneously.
There are multiple deployment alternatives depending on the high availability and disaster recovery
requirements to be met, starting from a single server and growing to a highly available architecture.
These aspects are discussed in detail in the “Required Infrastructure to Install SecuLogica” docu-
ment.
A detailed deployment example of a high performance infrastructure with all services configured in
HA is shown below:
10. IRMSECURE
Protect What You Share
Deployment requirements
For installation of a server in-house, either as a virtual appliance or as a custom installation, the following
requirements must be considered.
Double URL and IP
The SecuLogica server requires two HTTPS interfaces:
* User web interface: The user manages permissions through this interface. The SSL certificate provided
by SecuLogica with the license should be replaced by a certificate signed by a trusted CA in order to avoid
warning messages issued by the browsers.
* Client application interface: Through this interface the SecuLogica client application communicates in
the background with the server without user intervention. This SSL interface requires client authentication
and both sides need to verify the communication authenticity.
In order to be able to use different SSL configurations, these two different interfaces must be accessed
through TCP port 443 of two different IP addresses, or through two different TCP ports in only one IP
address,. Both interfaces may be referred to by two different subdomain names for complete SSL certifi-
cate validation.
Enabling an e-mail agent
SecuLogica sends emails to communicate with users, and the SecuLogica server must be allowed to send
e-mails. The SecuLogica Virtual Appliance is preconfigured to use its own SMTP server but this configura-
tion can be modified to use an external SMTP server.
The emails are used to validate users and to send requests for permissions.
LDAP or Active Directory integration
Organizations can configure an LDAP or Active Directory as the data source to authenticate users, as well
as to obtain users and groups of users that can be used to manage permissions of protected files.
This integration is configured at the organization level in the user hierarchy, not at the server level. This
allows SecuLogica to be integrated with the directory regardless of the way it is implemented: as a service,
a virtual appliance or a custom installation.
Multiple directories or directory subsets, can be configured for each organization.
9
11. IRMSECURE
Protect What You Share
The integration consists on configuring the connection to the directory and mapping a few directory fields:
* Connection data
o Protocol (LDAP)
o LDAP server URL and Port
o Search base
* Authentication data
o User
o Password
* User mapping
o User base DN
o Object Class
o User Filter
o User Id attribute
o Username attribute
o User Real Name attribute
o User email attribute
* Group mapping
o Group base DN
o Object Class
o Group Filter
o Group Id attribute
o Group Real Name attribute
o Group Member attribute
10
12. IRMSECURE
Protect What You Share
Security
SecuLogica was created with the goal of enabling users to share information on the internet with complete
confidence. Although absolute and total security does not exist, using SecuLogica will enable the user to
get closer to that goal.
Infrastructure: High availability, physical and logical security
The SecuLogica service is provided from a cluster of servers housed in multiple data centers with the high-
est safety standards implemented including perimeter controls, video surveillance and on-site security
professionals. Important also is the use of protective measures against network security problems such as
distributed denial of service (DDoS), man in the middle attacks (MITM) and package tracking.
The most sensitive information stored in our databases, like encryption keys or personal data (email, pass-
word, etc.) are stored encrypted. The disk is also encrypted thus ensuring the user data is protected both
from malicious access to the servers and even from physical theft of the disks.
User login
Data security is ultimately defined by the how secure access to that data is. The administrator of the Secu-
Logica Corporate Service can decide which authentication method the users of the organization must use.
Username and password
Initial registration with SecuLogica requires the choice of a unique username and password. These creden-
tials can be stored in the client application, this way allowing the SecuLogica client to connect to the server
in the background without having to re-enter the credentials every time you protect or open a protected
file.
External ID Provider (OpenID / OAuth)
SecuLogica allows users to authenticate against external identification providers compliant with OpenID or
OAuth protocols; this mechanism enables access SecuLogica with a Google, Yahoo, Twitter or LinkedIn
account. Facebook connection has also been implemented so a user can access SecuLogica through your
Facebook account.
In the Corporate Service and with Corporate Servers implemented in-house, we can offer optional authenti-
cation services to provide the highest standards of security required: biometrics, smart card, OTC, etc.
A user with a SAML2 compliant Access Management system in place can configure SecuLogica to leverage
the corporate access management solution as a trusted party to authenticate users.
Using this authentication method SecuLogica redirects the request to external web pages for user authenti-
cation. The external service validates the user and communicates back to SecuLogica the authorization
result. With this method SecuLogica neither stores nor has the ability to see a user’s credentials.
Furthermore, integration with cloud single-sign-on services is also possible. 11
13. IRMSECURE
Protect What You Share
LDAP or Active Directory
The third authentication method available is to validate user’s credentials in a private Directory (LDAP or
Microsoft Active Directory). In this case the user enters his or her username and password in SecuLogica and
SecuLogica sends the request to the private Directory for authentication. SecuLogica serves as a gateway for
the credentials but it does not store them.
Communications
Client to Server
All connections to SecuLogica servers are encapsulated by a secure channel that uses
SSL (Secure Sockets Layer) 2048 bits, the standard used for network connections over the Internet.
The SSL channel requires client authentication, thus in the hypothetical case a vulnerability is detected in the
client side, the client connection request from that version would be rejected and the client would be forced
to upgrade.
Plugins to Core-Client
SecuLogica plugins are classified in either of two categories dependent on whether or not it has access to
decrypted data.
Plugins requiring access to decrypted data (eg. Internet browser plugins) communicate with the
SecuLogica Core-Client application through HTTP. This access is delegated to the dedicated
SecuLogica secure viewers.
Those plugin that render decrypted files and therefore do not access it directly communicate with the
SecuLogica Core-Client through HTTPS. Using client authentication, the Core-Client validates that the
plugin is genuine and also validates it on the server.
Encryption
Files are protected using the AES algorithm. The encryption key is generated randomly in the server with
a variable length that the user can configure locally in client preferences (128 or 256 bits, by default 256). The
encryption is done on the computer or mobile device and the file never leaves the device during the encryp-
tion process. SecuLogica stores only encryption keys and user permissions – user files are never stored on
SecuLogica servers and remain in possession of the user at all times.
The databases containing the encryption keys are themselves encrypted, ensuring ongoing security in the
event of an attempted theft. Having the encryption key and user file on separate servers adds an
additional layer of protection.
12
14. IRMSECURE
Protect What You Share
Offline enabling
Enabling the offline-use property in SecuLogica will allow a user to access a document when he or she is
offline. If this property is enabled the client will store the use-license in a local database which will allow
the file to be opened when there is not a connection to the server. This local database is encrypted with
an AES-256 algorithm with a key that is changed before it is re-encrypted in the database. Offline
permission can be time-limited and document activity is stored locally and is sent to the Server immedi-
ately upon reinstatement of the connection.
Availability Window
SecuLogica’s functionality includes the ability to time-limit access to a document both by date and time
of day.
Watermarks
The SecuLogica Online control console includes the ability to apply a Watermark to any protected
document by the activation of a simple toggle. The watermark is completely customizable by the docu-
ment’s owner and also has built-in functionality to force printing of user, date and time data on a printed
document.
Screen capture
In an effort to prevent a user from using Screen Capture (Print Screen) to circumvent the limits that have
placed on his or her permissions, SecuLogica automatically disables known keystrokes (CTRL-P, Print
Screen) and detects the execution of screen capture software (Snipping Tool, SnagIT, Camtasia, Record-
er, Greenshot etc.)
Unfortunately screen capture cannot be avoided in Mac, iOS or Android devices. However, with the use
of SecuLogica, one can be assured that only users with permissions can have access to the file and any
screen capture event will be registered within the activity log (see below).
Despite these measures, SecuLogica always recommends the use of a Watermark for sensitive docu-
ments to mitigate the instances of a user capturing an image of his or her monitor with a camera.
Activity Log
A valuable functionality of SecuLogica is the Activity Log. This log is simply accessed by the file owner
and is updated every time an action occurs on a protected file. The actions logged include: open, edit,
save, save as, unprotect, print screen attempts and any rights modifications. The log also differentiates
actions done online or offline. The log also captures the Username, IP address, OS, HW Identifier and
Result of any action.
13
15. IRMSECURE
Protect What You Share
14
Supported file types
SecuLogica provides different alternatives to render the protected files:
SecuLogica Viewer
The following file extensions are managed by the SecuLogica viewer:
* Image formats: .jpg, .jpeg, .gif, .png, .bmp, .tiff, .tif
* PDF: .pdf (Note: Foxit and Phantom PDF is supported by use of a Plugin)
* Text formats: .txt, .as, .mx, .ada, .ads, .adb, .asm, .asp, .au3, .sh, .bsh, .bat, .cmd, .nt, .c, .ml, .mli,
.sml, .thy, .cmake, .cbl, .cbd, .cdb, .cdc, .cob, .h, .hpp, .cpp, .cxx, .cc, .cs, .css, .d, .diff, .patch, .f, .f90,
.f95, m, .f2k, .hs, .lhs, .las, .html, .htm, .shtml, .shtm, .xhtml, .ini, .inf, .reg, .url, .iss, .java, .js, .jsp, .kix,
.lsp, .lisp, .lua, .mak, .m, .nfo, .nsi, .nsh, .pas, .inc, .pl, .pm, .plx, .php, .php3, .phtml, .ps, .ps1,
.properties, .py, .pyw, .r, .rc, .rb, .rbw, .scm, .smd, .ss, .st, .sql, .tcl, .tex, .vb, .vbs, .v, .vhd, .vhdl, .xml,
.xsml, .xsl, .xsd, .kml, .wsdl, .yml, .log
When rendering text files, a user can also edit them directly from the viewer.
* Microsoft Office: in iOS and Mac, a viewer is used for the Microsoft Word, Excel and PowerPoint formats,
however in Windows systems these files are opened through an add-on in Microsoft Office
API for Plugins
An API for programmers to integrate applications with SecuLogica is built in. This integration allows the files
to be rendered in the native format of specialized applications.
Plugin MS-Office for Windows
The MS-Office for Windows Plugin allows users to use all the features of Word, Excel and PowerPoint with-
out compromising the file’s protection.
Below is a list of the file extensions managed by this plugin:
* MS Word: .doc, .docx, .rtf
* MS Excel: .xls, .xlsx, .xlsm, .xlsb, .csv
* MS PowerPoint: .ppt, .pptx, .pptm
The integration with MS Office is developed based in the MS Office SDK. An important consideration in the
development of SecuLogica was to avoid the use of Microsoft RMS or solutions based on “hooking tech-
niques.”
The development team believed that because using RMS format involves storing the encryption key and
permissions in the document itself, document security can be compromised. Additionally, system hooking
can cause system instability in many installations. This avoids installation problems for both personal use and
enterprise use.
16. IRMSECURE
Protect What You Share
15
Plugin MS-Outlook for Windows:
The SecuLogica plugin for MS-Outlook allows the user to:
* Protect the full body of an email. If preferred, a subset of selected text can be encrypted.
* Protect the attachments (on user request).
* Assign read permissions to all recipients on the protected content
Note: If an encrypted email is sent to a non-registered recipient, they will receive a system-generated
invitation to register as a SecuLogica user.
Plugin AutoCAD
SecuLogica supports AutoCAD 2010 and later via the use of a Plugin. These plugins also have functionality
with the AutoDesk DWG TrueView viewer.
The plugin supports the formats:
* .dwg
* .dxf (the plugin converts it to .dwg)
providing encryption, as well as viewing and editing capabilities.
Browser Plugins (Internet Explorer, Firefox and Chrome):
SecuLogica provides plugins for these browsers that allow the user to view protected text and images and
also protect text. This simplifies the use of SecuLogica with webmail clients or using encrypted information
on any webpage.
Multimedia files
Video and audio formats can be protected with SecuLogica. The reproduction of these formats in iOS and
Android is done natively, and in desktop systems (Windows and Mac) is performed with a special compila-
tion of VLC (VideoLAN) that includes a SecuLogica plugin providing DRM functionality. The VLC software is
a free download that needs only to be done once.
The file extensions supported depends on the operating system:
* Windows and OS X: .f4v, .flv, .gvp, .dvdmedia, .xa, .ape, .flac, .wv, .tta, .mpc, .ram, .rm, .rmvb, .mod,
.xm, .it, .aiff, .aif, .amr, .aob, .dts, .spx, .wav, .vob, .a52, .ac3, .aac, .opus, .ogm, .ogg, .oga, .ogv, .ogx,
.oma, .voc, .vqf, .anx, . axv, .gxf, .mxf, .avi, .mov, .moov, .qt, .divx, .dv, .asf, .wma, .wmv, .wm, .mpg,
.mpeg, .mpeg1, .mpeg2, .m1v, .m2a, .mp1, .mp2, .mp3, .m2p, .ts, .m2ts, .mts, .mt2s, .m2v, .mpv,
.mpa, .mp4, .mpeg4, .m4v, .m4a, .3gp, .mid, .mlp, .mka, .mkv, . webm, .rec, .rmi, .s3m, .vro, .tod, .nsv,
.nuv
* Android:
o video: mp4, 3gp, 3gpp, webm
o audio: 3gp, mp3, 3gpp, wav, m4a
* iOS:
o video: mov, mp4, m4v
o audio: mp3, wav, aiff, m4a, acc
Additional file formats are added based on market demand. SecuLogica welcomes customer’s requests to
add specific, currently unsupported formats.
17. IRMSECURE
Protect What You Share
16
Supported devices
SecuLogica works on all commonly used platforms such as Windows PC, Apple Mac, Android Smart-
phones and Tablets, iOS devices (iPhone, iPad) and BlackBerry10 Smartphones. We closely track the
market evolution and will support new platforms as they gain market relevance.
Advanced Features
“Protected” Folders
In order to simplify the protection of files with a predefined configuration of permissions, SecuLogica has
introduced the concept of “Protected folders”. A Protected folder is a folder in the file system where the
user has assigned SecuLogica permissions. It is important to note that all documents in the Protected
Folder have this protection, whether they existed in the folder before it was protected or added after the
protection was placed on it.
This process features a daemon that monitors all Protected folders and launches SecuLogica when a user
adds a file to one of them. SecuLogica automatically protects the file and prompts the user to apply the
desired permissions.
Note that the user who copies a file in a Protected folder could be different to the user who is monitoring
the folder. This has important applications in enterprise environments - e.g. an administrator protects a
shared folder where other applications like ERPs or reporting systems drop information. Because this
information is in a protected folder, that protection will remain in place even after being exported from the
original source.
Note: that the protection of shared folders is dependent on the following:
* In order for a user, who connects remotely from their own SecuLogica client to protect or manage
shared folders, SecuLogica must be installed as a service within a Windows server with the shared
folders to protect properly mapped. Please see the document “SecuLogica Client Advanced
Guide” for instructions.
* The Protected folders contains two XML files that cannot be manipulated:
.SecuLogica-folder.xmly .SecuLogica-pendings.xml. In the case of shared folders these files should
be protected by the security of the operative system, to assure that only the administrators or the
user running the SecuLogica service have access to modify them.
Sharepoint integration
Customers that use SharePoint 2010 and 2013 can protect document libraries. In a similar manner as the
Protected folder concept, any document stored in a Sharepoint library will be protected. SharePoint access
rights are applied as the equivalent SecuLogica permissions automatically.
18. IRMSECURE
Protect What You Share
Federation of Servers and trust relationships
Private SecuLogica servers can establish a “trust relationship” with other SecuLogica servers, meaning that
users on one SecuLogica server can protect a document and grant permissions to users registered in other
SecuLogica servers.
How it works
A trust relationship between two SecuLogica servers is established when both sides agree to accept the
relationship with each other. To reduce the administrative task of managing trust relationships, a server can
declare itself as “public” which means it automatically has established a trust relationship with any other server
also declared as “public”.
External users
Below is how the system manages encryption keys and user authentications when two servers are involved.
When two servers maintain a trust relationship two actions are allowed:
* Each server can search for users in the other server
* A user can authenticate in server A with an authentication token issued by server B, where the user is
registered and that has a trust relationship established with A.
Users can assign permissions to a document to users that reside on servers other than their own. In this
instance SecuLogica requests an authentication token from the remote server be sent to the server where the
document resides in order to validate the access request. Because the two servers both see each other as
“trusted”this time-sensitive token is accepted and the remote user is granted access to the document, with
whatever permissions that were granted.
17
19. IRMSECURE
Protect What You Share
18
SecuLogica Server Repository
To build these protocols it is required that communications be signed by each server and that a central reposi-
tory validates the signatures. Thus, all servers have to be registered in this central repository.
API for external service providers (or SecuLogica client for servers)
SecuLogica offers an API for integration of SecuLogica in other services. For example, an ERP that permits the
download of protected information with read permission for the user logged in the ERP or a cloud storage
platform where a file could be protected, its log can be audited or assigned automatic permissions following
predefined rules without leaving the user interface of the platform.
The API offers a set of RESTful web services and is provided by an atomic piece of software that we can see as a
SecuLogica client running in a server to offer the web interface. This software provides the API to the SecuLogi-
ca public server, but could also be licensed for an enterprise to work with a private SecuLogica server installed
on premise.
As a SecuLogica client, it allows the encryption and decryption of files, the viewing or modifying of permissions
and access of the activity log.
The API has been used to develop integrations with many cloud storage solutions:
* Dropbox
* box.com
* Google Drive
* ownCloud
* Microsoft SharePoint
20. IRMSECURE
Protect What You Share
19
SecuLogica with Cloud services
SecuLogica’s functionality includes the option to share through Dropbox, Box, Google Drive and OwnCloud
directly from SecuLogica. You can do this with the SecuLogica option “share” which will automatically associ-
ate your SecuLogica and Cloud accounts and provide you with a link that allows you to send the protected file
and manage its permissions.
The installation of a plugin accessed directly from SecuLogica allows a user to protect and manage file permis-
sions without ever leaving the cloud application. See the following image for an example extracted from
Google Drive.
21. IRMSECURE
Protect What You Share
20
SecuLogica Drag’ n Drop
To allow the users that cannot install the SecuLogica application (because they are in a closed environment or in
a public point of access) to access protected files, SecuLogica offers, as an independent service, SecuLogica
Drag’n drop. This website allows users to upload a file to be protected or, if it is protected, to show the file in a
web viewer after the authentication and permission process has been completed.
To maximize security, the user authentication in SecuLogica Drag’n Drop is done via the OAuth2 protocol
against the SecuLogica server. Because this process ensures that the server holding the file remains different
from the SecuLogica server that manages keys and permissions, encryption integrity and security are main-
tained at all times.
An additional functionality of the Drag’n Drop folder gives a user the ability to send someone else the URL of an
encrypted file. This is particularly useful when using Dropbox or any other Cloud-based storage solution. The
user would share the link from within the SecuLogica client and the recipient would have two options: either he
or she could download the file to view it within their own SecuLogica client or view it within the SecuLogica
Drag’n Drop folder. This can avoid the confusion that some recipient experience when receiving a protected file
for the first time.
Please note that only the following file types are supported by SecuLogica Drag’n Drop:
* Microsoft Office 2007 and onwards: docx, xlsx, pptx
* PDF
* Image: jpg, jpeg, gif, png, bmp, tiff, tif
* Text: protects all the text-format extensions detailed for the SecuLogica Client – visualizes
the extensions .txt and .xml
22. IRMSECURE
Protect What You Share
21
With SecuLogica Drag’n Drop, the user is uploading files, therefore it is important to take into account
how the security of the information is protected.
* Files are uploaded in a SSL connection
* The uploaded, unprotected file is removed from the server immediately after it is encrypted; the newly
encrypted file is retained on the server for a short time until it is downloaded.
* To view an encrypted file within the Drag’n Drop folder, SecuLogica decrypts the file, converts it to
images and immediately removes the decrypted file from the viewer. The file remains in the viewer until
the user closes the session at which time the file is no longer available.
* It is critical to note that the SecuLogica key server and the SecuLogica Drag’n Drop server are separate
machines and do not reside in the same location to maximize data integrity.
Sharing photographs with SecuLogica
This feature is designed to share “Protected” photos among users of mobile devices. When a user sends
a photo to another SecuLogica user the following occurs:
* The recipient is granted read permission
* The protected image is uploaded to a server
* A push notification is sent to each recipient
* The recipients receive a notification and can download the protected image
* The image remains viewable on the server for one week before it is automatically deleted.
Licensing model
SecuLogica is subscription based – pricing is based on a one-year subscription that can be cancelled or
renewed at the subscription’s anniversary. A subscription grants the user use and maintenance rights.
Most contracts are single year, but multi-year contract arrangements are available. Pricing is based on
volume – the more licenses purchased by an organization the lower the cost per licence will be.
Connectors are free of charge. Customers are free to use the technology on any device with any file
format with a single license price. Plugins for AutoCAD or FoxitPDF require separate license per user.
Two optional modules (SecuLogica Web Client Software and SecuLogica Drag’n Drop) are licensed and
priced separately, independent of the number of the licenses purchased by the user. These modules are
only required to be licensed in an On-Premise installation.
SecuLogica can be used free of charge by individuals for basic functionality. This functionality is typically
sufficient for external users of a Corporation as it allows them to protect and unprotect content of any
supported format on any device. In this way, Corporations do not need to pay a license for the external
users with whom they need to exchange information. SecuLogica offers an Invitation mechanism that
allows both Corporates and individuals to invite users to become members of the SecuLogica service at
no cost for them.
23. IRMSECURE
Protect What You Share
About IRM Secure
IRM Secure is a high growth security software product company, providing security solutions in the
areas of information usage control, Information Rights Management (IRM) and secure outsourcing.
We are the exclusive Integrator in North America for SecuLogica.
Our expertise lies in the control of information post distribution, irrespective of its location and mode
of transfer.
With this the receiver is able / not-able to distribute, edit, print, copy-paste, screen-grab
information from a secured document.
It is also possible to remotely destruct the documents at the receiver’s end at any time.
Along with our Fortune 500 clients, some of the largest companies in banking, financial services,
insurance, engineering services, and educational institutes use our technology to secure unstructured
data that is used internally or provided to a vendor for outsourced processes.
To contact IRMSecure please email us at info (at) irmsecure.com
IRMSECURE
Protect What You Share
North America
IRM Secure
2800 Skymark Avenue, #4
Mississauga, Ontario, L4W5A6
CANADA
Tel: 905.366.4444 / Fax: 905.361.0789
Europe
SecuLogica /IRM Secure
Werdener Strasse 8
40277Duesseldorf
GERMANY
Tel:+49.(0).211.1780.7778
WWW.IRMSECURE.COMi n f o @ i r m s e c u r e . c o m