SlideShare une entreprise Scribd logo

IRM Secure on SecuLogica Technical Whitepaper

J
Jim Kitchen
1  sur  23
Télécharger pour lire hors ligne
IRMSECURE Protect What You Share N o r t h A m e r i c a I R M S e c u r e 2 8 0 0 S k y m a r k A v e n u e , # 4 M i s s i s s a u g a , O n t a r i o , L 4 W 5 A 6 C A N A D A Te l : +1 . 9 0 5 . 3 6 6 . 4 4 4 4 / F a x : +1 . 9 0 5 . 3 61 . 0 7 8 9 Europe SecuLogica /IRM Secure Werdener Strasse 8 40277Duesseldorf GERMANY Tel:+49.211.1780.7778 WWW.IRMSECURE.COMi n f o @ i r m s e c u r e . c o m SecuLogica: Technical Whitepaper
IRMSECURE Protect What You Share Contents Executive Summary 2 Product functionality 3 Architecture 5 Solution Components 5 User hierarchy 6 Deployment alternatives 7 SecuLogica as a Service 7 SecuLogica On Premises 7 Hardware requirements 8 Deployment requirements 9 Double URL and IP 9 Enabling an e-mail agent 9 LDAP or Active Directory integration 9 Security 11 Infrastructure: High availability, physical and logical security 11 User login 11 Username and password 11 External ID Provider (OpenID / OAuth) 11 LDAP or Active Directory 12 Communications 12 Client to Server 12 Plugins to Core-Client 12 Encryption 12 Offline enabling 13 Availability window 13 Watermarks 13 Screen capture 13 Activity Log 13 Supported file types 14 SecuLogica Viewer 14 API for Plugins 14 Plugin MS-Office for Windows 14 Plugin MS-Outlook for Windows 15 Plugin AutoCAD 15 Browser Plugins (Internet Explorer, Firefox and Chrome) 15 Multimedia files 15 Supported devices 16 Advanced Features 16 “Protected” Folders 16 Sharepoint integration 16 Federation of Servers and trust relationships 17 How it works 17 External users 17 SecuLogica Server Repository 18 API for external service providers (or SecuLogica client for servers) 18 SecuLogica with Cloud services 19 SecuLogica Drag’ n Drop 20 Sharing photographs with SecuLogica 21 Licensing model 21
IRMSECURE Protect What You Share 2 Executive Summary SecuLogica is an IRM (Information Rights Management) solution that provides a technology standard for the industry. It allows individual users and companies to control their files wherever they are. With SecuLogica, users can protect and track the use of any copy of their documents and change, at their discretion, who can access those files and what actions can be done with them. It leverages and complements the latest technology trends: cloud, mobile, social as well as traditional IT envi- ronments. It is designed for universal use for both corporate and private users being available for a wide set of devices and file formats delivering maximum ease of use, smooth deployment and minimal or no maintenance effort. SecuLogica’s vision is to become a standard for protecting the information we share and store on the Internet. Key elements for this vision are: Interoperability so that any SecuLogica user can exchange information with anyone securely, be it a corporate or private user: Ease of use so that the technology can be used by anyone, anywhere on any device and a groundbreaking Business Model.
IRMSECURE Protect What You Share 3 Product functionality SecuLogica helps its customers protect what they share by making the process as easy as possible. SecuLogica delivers a solution that allows users and companies to keep control of their files wherever they are, track the use of any copy of their documents, and change, whenever they want, who can access and what actions can be done with their files. SecuLogica is designed to provide both security and usability. The design principles for the product are: * Any document: the most relevant file formats are supported. Additional file extensions will be added to address customer demand. * Any device: PC, Mac, Tablets, Smartphones. It is available for all relevant platforms on the market * Any user: we serve corporate users and individual users in a federated manner. Everyone regis tered on any SecuLogica enabled service can exchange information securely. * Cloud ready: We integrate with most cloud services. * Affordable: Our pricing model was designed to make SecuLogica cost effective for everyone. We provide a free version of our product that enables anyone to share information securely * Easy to use: with nearly no learning curve required to use the product/service * Easy to deploy: can be acquired as SaaS or On Premise * Secure: keys and documents are never together. * Real time: Change in permissions has immediate effect. SecuLogica implements three steps when protecting any type of file: 1. Encrypt the file with AES 128 or 256. This produces a copy of the file with a .proton extension. This new file is the one exchanged with other users, the original file is no longer used for inter- change. The .proton file can be shared by any channel such as email, USB, cloud services. 2. Define permissions on the .proton file: select the users or groups that can access it and estab lish the actions that can be done by those users on the file 3. Both the key used to encrypt the file and the metadata with the users and permissions are stored in the SecuLogica key server. Every time a user wants to open a .proton file, the permissions for that user are checked and the access restrictions applied. The permissions are defined by the file owner. The concepts that can be enabled/disabled for a given user or group of users are: Read, Print, Edit, Copy and Manage as follows:
IRMSECURE Protect What You Share 4 * A document with READ permissions can only be viewed and cannot be modified. Screen capture preven- tion techniques are used: the clipboard is disabled, “cut & paste” cannot be done and screen capture apps are also disabled. * A document with PRINT permissions can be printed and read but cannot be modified. * A document with EDIT permissions can be modified but all changes are stored in the same protected file. The same screen capture techniques as described for READ permission are applied. This will be useful for documents that are distributed to a limited community of contributors that need to deliver modifications to the document in a controlled manner. * A document with COPY permissions can be modified and saved with a different name. This permission effectively gives full access and rights to the document, making it possible to extract and copy its content. * A user with MANAGE permission can define and change the permissions of a document. This allows dele- gation of authority for managing permissions. The permissions that the user can manage for other users are limited to the permissions he or she has been granted. Permissions like forward, email or any other related to the transmission of the content are useless in the SecuLogica working model as ALL content travels encrypted and permissions are centrally managed and checked every time a file is opened. This working model allows the file owner to remove/change permissions at any time. That change is applied in real time to all copies of the file no matter how these copies have been shared. Advanced features can be defined for additional file protection. Watermarks can be set for display and print. Time window of accessibility can be defined for a document; nobody can access the file before the starting date/time and after the ending date/time. Offline access to files can also be defined. Another important concept is the “Protected folder”. A folder can be created, protected and set permissions in the same way as an individual file. Once the folder is created, every file stored in it will be automatically protected with the same access permissions as the folder. This folder can be local, shared or cloud-based. SecuLogica protects documents at rest, in motion and in use: * Once a document is protected, the encryption is persistent on any type of storage media. * Content is always protected as only encrypted information travels over the network. * SecuLogica provides control when the files are in use. This is done using Plugins or viewers depending on the file type. The user never gets full control of the file being accessed as the permissions are enforced by the Plugin or viewer applicable to the file format. SecuLogica does not store user files. It only stores the encryption keys, the permissions assigned (who has access and what kind of access) and the document activity logs (who, when and how uses your files).
IRMSECURE Protect What You Share 5 SecuLogica is a client-server application. The server is responsible for: * storing the keys used for encryption * managing user authentication and permissions * storing activity logs The client is the software installed on the user device and communicates with the server in order to: * authenticate the user * create and store a new key when the user encrypts a file * retrieve the key when the user wants to access a protected file and has the required permissions * send activity log events each time a user accesses the protected document To show the content of the protected files the client application uses the SecuLogica viewer for some types of files (images, PDF, plain text, HTML…). Other types of files are opened natively in the applica- tion where they were created (Word, Excel, PowerPoint…); in this case a plugin is needed. The application Plugins ensure the rights and configuration settings of the protected file are respected when the file is accessed. Solution Components
IRMSECURE Protect What You Share 6 User hierarchy Users can be registered in SecuLogica as standalone users or as users belonging to an organization. Standalone users are the owners of the documents they protect (though they have the ability to transfer ownership to other users). Standalone users of the SecuLogica public server can have a Basic (free) or a Premi- um account. The premium profile provides full functionality to standalone users. Users belonging to an organization are managed by one or more administrators. The files these users protect belong to the organization and the administrators have control over user permissions and can access the activity logs. Supervisors of the organization have access to a control panel where they can do the following: * manage groups of users in the organization * manage permissions of the files protected by members of the organization * access the activity log either by protected files or by users Administrators of the organizations have the following permissions in addition to the permissions that a supervisor has: * manage the users in the organization and their profiles * configure the organization settings
IRMSECURE Protect What You Share The supervisors and administrators do not necessarily have access to the documents; it is import- ant to note that the roles of system administrators and security administrators can be separated. The system administrator is responsible for the general configuration of the server, and one of his functions is to configure the server so that it may be visible to other SecuLogica servers, thus creating a server federation. This role allows creating new organizations or domains, and accessing a complete log of the system activity, not only the activity related with documents. Deployment alternatives SecuLogica as a Service SecuLogica is offered as a public service where, following the hierarchy of users described above, home users, professionals and organizations coexist, using SecuLogica’s features without infrastruc- ture ownership costs. The SecuLogica service is provided from an infrastructure housed in professional data centers with the highest levels of security and availability. More information on this is included in the Security chapter. SecuLogica On Premises SecuLogica also is available to install in the customer’s facilities. The installation requires a software license that determines the maximum number of users, expiration date, etc... This license includes a unique server identification that allows federation between servers; for this purpose all licensed servers are registered in a centralized repository. SecuLogica is deployed in a fortified Linux-Debian system with the necessary scripts for easy setup and updates. In order to ensure that the system remains updated with application upgrades and system security patches, auto-deployable update packages are delivered from our servers. The database management system used by the application is MySQL 5. The server application is deployed in a Tomcat 7 web application server. In addition, an Apache 2 HTTP server is used to manage all HTTP connections to the system. Custom installation of the server, including customization of the client application, is also possible with consulting and integration services. If the On Premises deployment includes the Drag´n Drop service and/or the Web Client API, an additional Windows Server 2012 R2 is required to deploy both services. 7
IRMSECURE Protect What You Share 8 Hardware requirements SecuLogica does not require a large amount of resources as the information passed in the client-server communications use little bandwidth and the storage requirements are minimal. Storage space required is based on the length of the log history a user wants to keep accessible online on the server. Taking into account that every log record (created when you open a protected file, edit it, change its permissions, etc.) requires approximately 300 bytes, a reasonable assumption is that 1GB is enough to store around 1 million events. Furthermore, since encryption and decryption of the files is performed locally, the server does not require additional processing power more than the average amount required by web application servers. The Window Server 2012R2 for the Drag´nDrop service requires more computing power than the SecuLogica key server as this has to decrypt and render the content to multiple users simultaneously. There are multiple deployment alternatives depending on the high availability and disaster recovery requirements to be met, starting from a single server and growing to a highly available architecture. These aspects are discussed in detail in the “Required Infrastructure to Install SecuLogica” docu- ment. A detailed deployment example of a high performance infrastructure with all services configured in HA is shown below:
IRMSECURE Protect What You Share Deployment requirements For installation of a server in-house, either as a virtual appliance or as a custom installation, the following requirements must be considered. Double URL and IP The SecuLogica server requires two HTTPS interfaces: * User web interface: The user manages permissions through this interface. The SSL certificate provided by SecuLogica with the license should be replaced by a certificate signed by a trusted CA in order to avoid warning messages issued by the browsers. * Client application interface: Through this interface the SecuLogica client application communicates in the background with the server without user intervention. This SSL interface requires client authentication and both sides need to verify the communication authenticity. In order to be able to use different SSL configurations, these two different interfaces must be accessed through TCP port 443 of two different IP addresses, or through two different TCP ports in only one IP address,. Both interfaces may be referred to by two different subdomain names for complete SSL certifi- cate validation. Enabling an e-mail agent SecuLogica sends emails to communicate with users, and the SecuLogica server must be allowed to send e-mails. The SecuLogica Virtual Appliance is preconfigured to use its own SMTP server but this configura- tion can be modified to use an external SMTP server. The emails are used to validate users and to send requests for permissions. LDAP or Active Directory integration Organizations can configure an LDAP or Active Directory as the data source to authenticate users, as well as to obtain users and groups of users that can be used to manage permissions of protected files. This integration is configured at the organization level in the user hierarchy, not at the server level. This allows SecuLogica to be integrated with the directory regardless of the way it is implemented: as a service, a virtual appliance or a custom installation. Multiple directories or directory subsets, can be configured for each organization. 9
IRMSECURE Protect What You Share The integration consists on configuring the connection to the directory and mapping a few directory fields: * Connection data o Protocol (LDAP) o LDAP server URL and Port o Search base * Authentication data o User o Password * User mapping o User base DN o Object Class o User Filter o User Id attribute o Username attribute o User Real Name attribute o User email attribute * Group mapping o Group base DN o Object Class o Group Filter o Group Id attribute o Group Real Name attribute o Group Member attribute 10
IRMSECURE Protect What You Share Security SecuLogica was created with the goal of enabling users to share information on the internet with complete confidence. Although absolute and total security does not exist, using SecuLogica will enable the user to get closer to that goal. Infrastructure: High availability, physical and logical security The SecuLogica service is provided from a cluster of servers housed in multiple data centers with the high- est safety standards implemented including perimeter controls, video surveillance and on-site security professionals. Important also is the use of protective measures against network security problems such as distributed denial of service (DDoS), man in the middle attacks (MITM) and package tracking. The most sensitive information stored in our databases, like encryption keys or personal data (email, pass- word, etc.) are stored encrypted. The disk is also encrypted thus ensuring the user data is protected both from malicious access to the servers and even from physical theft of the disks. User login Data security is ultimately defined by the how secure access to that data is. The administrator of the Secu- Logica Corporate Service can decide which authentication method the users of the organization must use. Username and password Initial registration with SecuLogica requires the choice of a unique username and password. These creden- tials can be stored in the client application, this way allowing the SecuLogica client to connect to the server in the background without having to re-enter the credentials every time you protect or open a protected file. External ID Provider (OpenID / OAuth) SecuLogica allows users to authenticate against external identification providers compliant with OpenID or OAuth protocols; this mechanism enables access SecuLogica with a Google, Yahoo, Twitter or LinkedIn account. Facebook connection has also been implemented so a user can access SecuLogica through your Facebook account. In the Corporate Service and with Corporate Servers implemented in-house, we can offer optional authenti- cation services to provide the highest standards of security required: biometrics, smart card, OTC, etc. A user with a SAML2 compliant Access Management system in place can configure SecuLogica to leverage the corporate access management solution as a trusted party to authenticate users. Using this authentication method SecuLogica redirects the request to external web pages for user authenti- cation. The external service validates the user and communicates back to SecuLogica the authorization result. With this method SecuLogica neither stores nor has the ability to see a user’s credentials. Furthermore, integration with cloud single-sign-on services is also possible. 11
IRMSECURE Protect What You Share LDAP or Active Directory The third authentication method available is to validate user’s credentials in a private Directory (LDAP or Microsoft Active Directory). In this case the user enters his or her username and password in SecuLogica and SecuLogica sends the request to the private Directory for authentication. SecuLogica serves as a gateway for the credentials but it does not store them. Communications Client to Server All connections to SecuLogica servers are encapsulated by a secure channel that uses SSL (Secure Sockets Layer) 2048 bits, the standard used for network connections over the Internet. The SSL channel requires client authentication, thus in the hypothetical case a vulnerability is detected in the client side, the client connection request from that version would be rejected and the client would be forced to upgrade. Plugins to Core-Client SecuLogica plugins are classified in either of two categories dependent on whether or not it has access to decrypted data. Plugins requiring access to decrypted data (eg. Internet browser plugins) communicate with the SecuLogica Core-Client application through HTTP. This access is delegated to the dedicated SecuLogica secure viewers. Those plugin that render decrypted files and therefore do not access it directly communicate with the SecuLogica Core-Client through HTTPS. Using client authentication, the Core-Client validates that the plugin is genuine and also validates it on the server. Encryption Files are protected using the AES algorithm. The encryption key is generated randomly in the server with a variable length that the user can configure locally in client preferences (128 or 256 bits, by default 256). The encryption is done on the computer or mobile device and the file never leaves the device during the encryp- tion process. SecuLogica stores only encryption keys and user permissions – user files are never stored on SecuLogica servers and remain in possession of the user at all times. The databases containing the encryption keys are themselves encrypted, ensuring ongoing security in the event of an attempted theft. Having the encryption key and user file on separate servers adds an additional layer of protection. 12
IRMSECURE Protect What You Share Offline enabling Enabling the offline-use property in SecuLogica will allow a user to access a document when he or she is offline. If this property is enabled the client will store the use-license in a local database which will allow the file to be opened when there is not a connection to the server. This local database is encrypted with an AES-256 algorithm with a key that is changed before it is re-encrypted in the database. Offline permission can be time-limited and document activity is stored locally and is sent to the Server immedi- ately upon reinstatement of the connection. Availability Window SecuLogica’s functionality includes the ability to time-limit access to a document both by date and time of day. Watermarks The SecuLogica Online control console includes the ability to apply a Watermark to any protected document by the activation of a simple toggle. The watermark is completely customizable by the docu- ment’s owner and also has built-in functionality to force printing of user, date and time data on a printed document. Screen capture In an effort to prevent a user from using Screen Capture (Print Screen) to circumvent the limits that have placed on his or her permissions, SecuLogica automatically disables known keystrokes (CTRL-P, Print Screen) and detects the execution of screen capture software (Snipping Tool, SnagIT, Camtasia, Record- er, Greenshot etc.) Unfortunately screen capture cannot be avoided in Mac, iOS or Android devices. However, with the use of SecuLogica, one can be assured that only users with permissions can have access to the file and any screen capture event will be registered within the activity log (see below). Despite these measures, SecuLogica always recommends the use of a Watermark for sensitive docu- ments to mitigate the instances of a user capturing an image of his or her monitor with a camera. Activity Log A valuable functionality of SecuLogica is the Activity Log. This log is simply accessed by the file owner and is updated every time an action occurs on a protected file. The actions logged include: open, edit, save, save as, unprotect, print screen attempts and any rights modifications. The log also differentiates actions done online or offline. The log also captures the Username, IP address, OS, HW Identifier and Result of any action. 13
IRMSECURE Protect What You Share 14 Supported file types SecuLogica provides different alternatives to render the protected files: SecuLogica Viewer The following file extensions are managed by the SecuLogica viewer: * Image formats: .jpg, .jpeg, .gif, .png, .bmp, .tiff, .tif * PDF: .pdf (Note: Foxit and Phantom PDF is supported by use of a Plugin) * Text formats: .txt, .as, .mx, .ada, .ads, .adb, .asm, .asp, .au3, .sh, .bsh, .bat, .cmd, .nt, .c, .ml, .mli, .sml, .thy, .cmake, .cbl, .cbd, .cdb, .cdc, .cob, .h, .hpp, .cpp, .cxx, .cc, .cs, .css, .d, .diff, .patch, .f, .f90, .f95, m, .f2k, .hs, .lhs, .las, .html, .htm, .shtml, .shtm, .xhtml, .ini, .inf, .reg, .url, .iss, .java, .js, .jsp, .kix, .lsp, .lisp, .lua, .mak, .m, .nfo, .nsi, .nsh, .pas, .inc, .pl, .pm, .plx, .php, .php3, .phtml, .ps, .ps1, .properties, .py, .pyw, .r, .rc, .rb, .rbw, .scm, .smd, .ss, .st, .sql, .tcl, .tex, .vb, .vbs, .v, .vhd, .vhdl, .xml, .xsml, .xsl, .xsd, .kml, .wsdl, .yml, .log When rendering text files, a user can also edit them directly from the viewer. * Microsoft Office: in iOS and Mac, a viewer is used for the Microsoft Word, Excel and PowerPoint formats, however in Windows systems these files are opened through an add-on in Microsoft Office API for Plugins An API for programmers to integrate applications with SecuLogica is built in. This integration allows the files to be rendered in the native format of specialized applications. Plugin MS-Office for Windows The MS-Office for Windows Plugin allows users to use all the features of Word, Excel and PowerPoint with- out compromising the file’s protection. Below is a list of the file extensions managed by this plugin: * MS Word: .doc, .docx, .rtf * MS Excel: .xls, .xlsx, .xlsm, .xlsb, .csv * MS PowerPoint: .ppt, .pptx, .pptm The integration with MS Office is developed based in the MS Office SDK. An important consideration in the development of SecuLogica was to avoid the use of Microsoft RMS or solutions based on “hooking tech- niques.” The development team believed that because using RMS format involves storing the encryption key and permissions in the document itself, document security can be compromised. Additionally, system hooking can cause system instability in many installations. This avoids installation problems for both personal use and enterprise use.
IRMSECURE Protect What You Share 15 Plugin MS-Outlook for Windows: The SecuLogica plugin for MS-Outlook allows the user to: * Protect the full body of an email. If preferred, a subset of selected text can be encrypted. * Protect the attachments (on user request). * Assign read permissions to all recipients on the protected content Note: If an encrypted email is sent to a non-registered recipient, they will receive a system-generated invitation to register as a SecuLogica user. Plugin AutoCAD SecuLogica supports AutoCAD 2010 and later via the use of a Plugin. These plugins also have functionality with the AutoDesk DWG TrueView viewer. The plugin supports the formats: * .dwg * .dxf (the plugin converts it to .dwg) providing encryption, as well as viewing and editing capabilities. Browser Plugins (Internet Explorer, Firefox and Chrome): SecuLogica provides plugins for these browsers that allow the user to view protected text and images and also protect text. This simplifies the use of SecuLogica with webmail clients or using encrypted information on any webpage. Multimedia files Video and audio formats can be protected with SecuLogica. The reproduction of these formats in iOS and Android is done natively, and in desktop systems (Windows and Mac) is performed with a special compila- tion of VLC (VideoLAN) that includes a SecuLogica plugin providing DRM functionality. The VLC software is a free download that needs only to be done once. The file extensions supported depends on the operating system: * Windows and OS X: .f4v, .flv, .gvp, .dvdmedia, .xa, .ape, .flac, .wv, .tta, .mpc, .ram, .rm, .rmvb, .mod, .xm, .it, .aiff, .aif, .amr, .aob, .dts, .spx, .wav, .vob, .a52, .ac3, .aac, .opus, .ogm, .ogg, .oga, .ogv, .ogx, .oma, .voc, .vqf, .anx, . axv, .gxf, .mxf, .avi, .mov, .moov, .qt, .divx, .dv, .asf, .wma, .wmv, .wm, .mpg, .mpeg, .mpeg1, .mpeg2, .m1v, .m2a, .mp1, .mp2, .mp3, .m2p, .ts, .m2ts, .mts, .mt2s, .m2v, .mpv, .mpa, .mp4, .mpeg4, .m4v, .m4a, .3gp, .mid, .mlp, .mka, .mkv, . webm, .rec, .rmi, .s3m, .vro, .tod, .nsv, .nuv * Android: o video: mp4, 3gp, 3gpp, webm o audio: 3gp, mp3, 3gpp, wav, m4a * iOS: o video: mov, mp4, m4v o audio: mp3, wav, aiff, m4a, acc Additional file formats are added based on market demand. SecuLogica welcomes customer’s requests to add specific, currently unsupported formats.
IRMSECURE Protect What You Share 16 Supported devices SecuLogica works on all commonly used platforms such as Windows PC, Apple Mac, Android Smart- phones and Tablets, iOS devices (iPhone, iPad) and BlackBerry10 Smartphones. We closely track the market evolution and will support new platforms as they gain market relevance. Advanced Features “Protected” Folders In order to simplify the protection of files with a predefined configuration of permissions, SecuLogica has introduced the concept of “Protected folders”. A Protected folder is a folder in the file system where the user has assigned SecuLogica permissions. It is important to note that all documents in the Protected Folder have this protection, whether they existed in the folder before it was protected or added after the protection was placed on it. This process features a daemon that monitors all Protected folders and launches SecuLogica when a user adds a file to one of them. SecuLogica automatically protects the file and prompts the user to apply the desired permissions. Note that the user who copies a file in a Protected folder could be different to the user who is monitoring the folder. This has important applications in enterprise environments - e.g. an administrator protects a shared folder where other applications like ERPs or reporting systems drop information. Because this information is in a protected folder, that protection will remain in place even after being exported from the original source. Note: that the protection of shared folders is dependent on the following: * In order for a user, who connects remotely from their own SecuLogica client to protect or manage shared folders, SecuLogica must be installed as a service within a Windows server with the shared folders to protect properly mapped. Please see the document “SecuLogica Client Advanced Guide” for instructions. * The Protected folders contains two XML files that cannot be manipulated: .SecuLogica-folder.xmly .SecuLogica-pendings.xml. In the case of shared folders these files should be protected by the security of the operative system, to assure that only the administrators or the user running the SecuLogica service have access to modify them. Sharepoint integration Customers that use SharePoint 2010 and 2013 can protect document libraries. In a similar manner as the Protected folder concept, any document stored in a Sharepoint library will be protected. SharePoint access rights are applied as the equivalent SecuLogica permissions automatically.
IRMSECURE Protect What You Share Federation of Servers and trust relationships Private SecuLogica servers can establish a “trust relationship” with other SecuLogica servers, meaning that users on one SecuLogica server can protect a document and grant permissions to users registered in other SecuLogica servers. How it works A trust relationship between two SecuLogica servers is established when both sides agree to accept the relationship with each other. To reduce the administrative task of managing trust relationships, a server can declare itself as “public” which means it automatically has established a trust relationship with any other server also declared as “public”. External users Below is how the system manages encryption keys and user authentications when two servers are involved. When two servers maintain a trust relationship two actions are allowed: * Each server can search for users in the other server * A user can authenticate in server A with an authentication token issued by server B, where the user is registered and that has a trust relationship established with A. Users can assign permissions to a document to users that reside on servers other than their own. In this instance SecuLogica requests an authentication token from the remote server be sent to the server where the document resides in order to validate the access request. Because the two servers both see each other as “trusted”this time-sensitive token is accepted and the remote user is granted access to the document, with whatever permissions that were granted. 17
IRMSECURE Protect What You Share 18 SecuLogica Server Repository To build these protocols it is required that communications be signed by each server and that a central reposi- tory validates the signatures. Thus, all servers have to be registered in this central repository. API for external service providers (or SecuLogica client for servers) SecuLogica offers an API for integration of SecuLogica in other services. For example, an ERP that permits the download of protected information with read permission for the user logged in the ERP or a cloud storage platform where a file could be protected, its log can be audited or assigned automatic permissions following predefined rules without leaving the user interface of the platform. The API offers a set of RESTful web services and is provided by an atomic piece of software that we can see as a SecuLogica client running in a server to offer the web interface. This software provides the API to the SecuLogi- ca public server, but could also be licensed for an enterprise to work with a private SecuLogica server installed on premise. As a SecuLogica client, it allows the encryption and decryption of files, the viewing or modifying of permissions and access of the activity log. The API has been used to develop integrations with many cloud storage solutions: * Dropbox * box.com * Google Drive * ownCloud * Microsoft SharePoint
IRMSECURE Protect What You Share 19 SecuLogica with Cloud services SecuLogica’s functionality includes the option to share through Dropbox, Box, Google Drive and OwnCloud directly from SecuLogica. You can do this with the SecuLogica option “share” which will automatically associ- ate your SecuLogica and Cloud accounts and provide you with a link that allows you to send the protected file and manage its permissions. The installation of a plugin accessed directly from SecuLogica allows a user to protect and manage file permis- sions without ever leaving the cloud application. See the following image for an example extracted from Google Drive.
IRMSECURE Protect What You Share 20 SecuLogica Drag’ n Drop To allow the users that cannot install the SecuLogica application (because they are in a closed environment or in a public point of access) to access protected files, SecuLogica offers, as an independent service, SecuLogica Drag’n drop. This website allows users to upload a file to be protected or, if it is protected, to show the file in a web viewer after the authentication and permission process has been completed. To maximize security, the user authentication in SecuLogica Drag’n Drop is done via the OAuth2 protocol against the SecuLogica server. Because this process ensures that the server holding the file remains different from the SecuLogica server that manages keys and permissions, encryption integrity and security are main- tained at all times. An additional functionality of the Drag’n Drop folder gives a user the ability to send someone else the URL of an encrypted file. This is particularly useful when using Dropbox or any other Cloud-based storage solution. The user would share the link from within the SecuLogica client and the recipient would have two options: either he or she could download the file to view it within their own SecuLogica client or view it within the SecuLogica Drag’n Drop folder. This can avoid the confusion that some recipient experience when receiving a protected file for the first time. Please note that only the following file types are supported by SecuLogica Drag’n Drop: * Microsoft Office 2007 and onwards: docx, xlsx, pptx * PDF * Image: jpg, jpeg, gif, png, bmp, tiff, tif * Text: protects all the text-format extensions detailed for the SecuLogica Client – visualizes the extensions .txt and .xml
IRMSECURE Protect What You Share 21 With SecuLogica Drag’n Drop, the user is uploading files, therefore it is important to take into account how the security of the information is protected. * Files are uploaded in a SSL connection * The uploaded, unprotected file is removed from the server immediately after it is encrypted; the newly encrypted file is retained on the server for a short time until it is downloaded. * To view an encrypted file within the Drag’n Drop folder, SecuLogica decrypts the file, converts it to images and immediately removes the decrypted file from the viewer. The file remains in the viewer until the user closes the session at which time the file is no longer available. * It is critical to note that the SecuLogica key server and the SecuLogica Drag’n Drop server are separate machines and do not reside in the same location to maximize data integrity. Sharing photographs with SecuLogica This feature is designed to share “Protected” photos among users of mobile devices. When a user sends a photo to another SecuLogica user the following occurs: * The recipient is granted read permission * The protected image is uploaded to a server * A push notification is sent to each recipient * The recipients receive a notification and can download the protected image * The image remains viewable on the server for one week before it is automatically deleted. Licensing model SecuLogica is subscription based – pricing is based on a one-year subscription that can be cancelled or renewed at the subscription’s anniversary. A subscription grants the user use and maintenance rights. Most contracts are single year, but multi-year contract arrangements are available. Pricing is based on volume – the more licenses purchased by an organization the lower the cost per licence will be. Connectors are free of charge. Customers are free to use the technology on any device with any file format with a single license price. Plugins for AutoCAD or FoxitPDF require separate license per user. Two optional modules (SecuLogica Web Client Software and SecuLogica Drag’n Drop) are licensed and priced separately, independent of the number of the licenses purchased by the user. These modules are only required to be licensed in an On-Premise installation. SecuLogica can be used free of charge by individuals for basic functionality. This functionality is typically sufficient for external users of a Corporation as it allows them to protect and unprotect content of any supported format on any device. In this way, Corporations do not need to pay a license for the external users with whom they need to exchange information. SecuLogica offers an Invitation mechanism that allows both Corporates and individuals to invite users to become members of the SecuLogica service at no cost for them.
IRMSECURE Protect What You Share About IRM Secure IRM Secure is a high growth security software product company, providing security solutions in the areas of information usage control, Information Rights Management (IRM) and secure outsourcing. We are the exclusive Integrator in North America for SecuLogica. Our expertise lies in the control of information post distribution, irrespective of its location and mode of transfer. With this the receiver is able / not-able to distribute, edit, print, copy-paste, screen-grab information from a secured document. It is also possible to remotely destruct the documents at the receiver’s end at any time. Along with our Fortune 500 clients, some of the largest companies in banking, financial services, insurance, engineering services, and educational institutes use our technology to secure unstructured data that is used internally or provided to a vendor for outsourced processes. To contact IRMSecure please email us at info (at) irmsecure.com IRMSECURE Protect What You Share North America IRM Secure 2800 Skymark Avenue, #4 Mississauga, Ontario, L4W5A6 CANADA Tel: 905.366.4444 / Fax: 905.361.0789 Europe SecuLogica /IRM Secure Werdener Strasse 8 40277Duesseldorf GERMANY Tel:+49.(0).211.1780.7778 WWW.IRMSECURE.COMi n f o @ i r m s e c u r e . c o m

Recommandé

Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2Oracle BH
 
FinalCode-At-A-Glance-Webcopy-Optimized
FinalCode-At-A-Glance-Webcopy-OptimizedFinalCode-At-A-Glance-Webcopy-Optimized
FinalCode-At-A-Glance-Webcopy-OptimizedPhillip Stalnaker
 
8 isecurity database
8 isecurity database8 isecurity database
8 isecurity databaseAnil Pandey
 
PCI Compliance Evolved
PCI Compliance EvolvedPCI Compliance Evolved
PCI Compliance EvolvedSafeNet
 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet
 
Scality RING Security White Paper
Scality RING Security White PaperScality RING Security White Paper
Scality RING Security White PaperPhillip Tribble
 
Unisys Stealth Black
Unisys Stealth BlackUnisys Stealth Black
Unisys Stealth BlackGlobal Consulting
 
Choosing Encryption for Microsoft SQL Server
Choosing Encryption for Microsoft SQL ServerChoosing Encryption for Microsoft SQL Server
Choosing Encryption for Microsoft SQL ServerJerome J. Penna
 

Recommandé

Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2Ppt security-database-overview-11g r2
Ppt security-database-overview-11g r2Oracle BH
 
FinalCode-At-A-Glance-Webcopy-Optimized
FinalCode-At-A-Glance-Webcopy-OptimizedFinalCode-At-A-Glance-Webcopy-Optimized
FinalCode-At-A-Glance-Webcopy-OptimizedPhillip Stalnaker
 
8 isecurity database
8 isecurity database8 isecurity database
8 isecurity databaseAnil Pandey
 
PCI Compliance Evolved
PCI Compliance EvolvedPCI Compliance Evolved
PCI Compliance EvolvedSafeNet
 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet
 
Scality RING Security White Paper
Scality RING Security White PaperScality RING Security White Paper
Scality RING Security White PaperPhillip Tribble
 
Unisys Stealth Black
Unisys Stealth BlackUnisys Stealth Black
Unisys Stealth BlackGlobal Consulting
 
Choosing Encryption for Microsoft SQL Server
Choosing Encryption for Microsoft SQL ServerChoosing Encryption for Microsoft SQL Server
Choosing Encryption for Microsoft SQL ServerJerome J. Penna
 
Essentials of PCI Assessment
Essentials of PCI Assessment Essentials of PCI Assessment
Essentials of PCI Assessment Gazzang
 
Securing Open Source Databases
Securing Open Source DatabasesSecuring Open Source Databases
Securing Open Source DatabasesGazzang
 
Gazzang pci v1[1]
Gazzang pci v1[1]Gazzang pci v1[1]
Gazzang pci v1[1]Gazzang
 
марко Safe net@rainbow-informzashita - februar 2012
марко Safe net@rainbow-informzashita - februar 2012марко Safe net@rainbow-informzashita - februar 2012
марко Safe net@rainbow-informzashita - februar 2012Валерий Коржов
 
TP564_DriveTrust_Oct06
TP564_DriveTrust_Oct06TP564_DriveTrust_Oct06
TP564_DriveTrust_Oct06Tyson Supasatit
 
Forward unisys
Forward unisysForward unisys
Forward unisysDekkinga, Ewout
 
One name unify them all
One name unify them allOne name unify them all
One name unify them allBizTalk360
 
Azure information protection_datasheet_en-us
Azure information protection_datasheet_en-usAzure information protection_datasheet_en-us
Azure information protection_datasheet_en-usKjetil Lund-Paulsen
 
Decentralized access control with anonymous authentication of data stored in ...
Decentralized access control with anonymous authentication of data stored in ...Decentralized access control with anonymous authentication of data stored in ...
Decentralized access control with anonymous authentication of data stored in ...Papitha Velumani
 
Microsoft Azure Information Protection
Microsoft Azure Information Protection Microsoft Azure Information Protection
Microsoft Azure Information Protection Syed Sabhi Haider
 
Vaultize corp three-pager v14
Vaultize corp three-pager v14Vaultize corp three-pager v14
Vaultize corp three-pager v14Sameer (Sam) Vitkar
 
Cloud technology to ensure the protection of fundamental methods and use of i...
Cloud technology to ensure the protection of fundamental methods and use of i...Cloud technology to ensure the protection of fundamental methods and use of i...
Cloud technology to ensure the protection of fundamental methods and use of i...SubmissionResearchpa
 
Secure deduplication-evault-endpoint-protection
Secure deduplication-evault-endpoint-protectionSecure deduplication-evault-endpoint-protection
Secure deduplication-evault-endpoint-protectionInka Traktman
 
Azure Information Protection
Azure Information ProtectionAzure Information Protection
Azure Information ProtectionRobert Crane
 
SecurusVault Swiss Data Backup overview
SecurusVault Swiss Data Backup overviewSecurusVault Swiss Data Backup overview
SecurusVault Swiss Data Backup overviewsecurusvault
 
SQL Server Encryption - Adi Cohn
SQL Server Encryption - Adi CohnSQL Server Encryption - Adi Cohn
SQL Server Encryption - Adi Cohnsqlserver.co.il
 
SQL Server Column Based Encryption
SQL Server Column Based EncryptionSQL Server Column Based Encryption
SQL Server Column Based EncryptionDavid Dye
 
Column Level Encryption in Microsoft SQL Server
Column Level Encryption in Microsoft SQL ServerColumn Level Encryption in Microsoft SQL Server
Column Level Encryption in Microsoft SQL ServerBehnam Mohammadi
 
Windows 10: Security Focus (part II)
Windows 10: Security Focus (part II)Windows 10: Security Focus (part II)
Windows 10: Security Focus (part II)Juan Ignacio Oller Aznar
 
Cloud computing security infrastructure
Cloud computing security infrastructureCloud computing security infrastructure
Cloud computing security infrastructureIntel IT Center
 
Escuela normal urbana federal cuautladesventajas
Escuela normal urbana federal cuautladesventajasEscuela normal urbana federal cuautladesventajas
Escuela normal urbana federal cuautladesventajasmarianagladis
 
Revista3
Revista3Revista3
Revista3body&health
 

Contenu connexe

Tendances

Essentials of PCI Assessment
Essentials of PCI Assessment Essentials of PCI Assessment
Essentials of PCI Assessment Gazzang
 
Securing Open Source Databases
Securing Open Source DatabasesSecuring Open Source Databases
Securing Open Source DatabasesGazzang
 
Gazzang pci v1[1]
Gazzang pci v1[1]Gazzang pci v1[1]
Gazzang pci v1[1]Gazzang
 
марко Safe net@rainbow-informzashita - februar 2012
марко Safe net@rainbow-informzashita - februar 2012марко Safe net@rainbow-informzashita - februar 2012
марко Safe net@rainbow-informzashita - februar 2012Валерий Коржов
 
One name unify them all
One name unify them allOne name unify them all
One name unify them allBizTalk360
 
Azure information protection_datasheet_en-us
Azure information protection_datasheet_en-usAzure information protection_datasheet_en-us
Azure information protection_datasheet_en-usKjetil Lund-Paulsen
 
Decentralized access control with anonymous authentication of data stored in ...
Decentralized access control with anonymous authentication of data stored in ...Decentralized access control with anonymous authentication of data stored in ...
Decentralized access control with anonymous authentication of data stored in ...Papitha Velumani
 
Microsoft Azure Information Protection
Microsoft Azure Information Protection Microsoft Azure Information Protection
Microsoft Azure Information Protection Syed Sabhi Haider
 
Cloud technology to ensure the protection of fundamental methods and use of i...
Cloud technology to ensure the protection of fundamental methods and use of i...Cloud technology to ensure the protection of fundamental methods and use of i...
Cloud technology to ensure the protection of fundamental methods and use of i...SubmissionResearchpa
 
Secure deduplication-evault-endpoint-protection
Secure deduplication-evault-endpoint-protectionSecure deduplication-evault-endpoint-protection
Secure deduplication-evault-endpoint-protectionInka Traktman
 
Azure Information Protection
Azure Information ProtectionAzure Information Protection
Azure Information ProtectionRobert Crane
 
SecurusVault Swiss Data Backup overview
SecurusVault Swiss Data Backup overviewSecurusVault Swiss Data Backup overview
SecurusVault Swiss Data Backup overviewsecurusvault
 
SQL Server Encryption - Adi Cohn
SQL Server Encryption - Adi CohnSQL Server Encryption - Adi Cohn
SQL Server Encryption - Adi Cohnsqlserver.co.il
 
SQL Server Column Based Encryption
SQL Server Column Based EncryptionSQL Server Column Based Encryption
SQL Server Column Based EncryptionDavid Dye
 
Column Level Encryption in Microsoft SQL Server
Column Level Encryption in Microsoft SQL ServerColumn Level Encryption in Microsoft SQL Server
Column Level Encryption in Microsoft SQL ServerBehnam Mohammadi
 
Cloud computing security infrastructure
Cloud computing security infrastructureCloud computing security infrastructure
Cloud computing security infrastructureIntel IT Center
 

Tendances (20)

Essentials of PCI Assessment
Essentials of PCI Assessment Essentials of PCI Assessment
Essentials of PCI Assessment
 
Securing Open Source Databases
Securing Open Source DatabasesSecuring Open Source Databases
Securing Open Source Databases
 
Gazzang pci v1[1]
Gazzang pci v1[1]Gazzang pci v1[1]
Gazzang pci v1[1]
 
марко Safe net@rainbow-informzashita - februar 2012
марко Safe net@rainbow-informzashita - februar 2012марко Safe net@rainbow-informzashita - februar 2012
марко Safe net@rainbow-informzashita - februar 2012
 
TP564_DriveTrust_Oct06
TP564_DriveTrust_Oct06TP564_DriveTrust_Oct06
TP564_DriveTrust_Oct06
 
Forward unisys
Forward unisysForward unisys
Forward unisys
 
One name unify them all
One name unify them allOne name unify them all
One name unify them all
 
Azure information protection_datasheet_en-us
Azure information protection_datasheet_en-usAzure information protection_datasheet_en-us
Azure information protection_datasheet_en-us
 
Decentralized access control with anonymous authentication of data stored in ...
Decentralized access control with anonymous authentication of data stored in ...Decentralized access control with anonymous authentication of data stored in ...
Decentralized access control with anonymous authentication of data stored in ...
 
Microsoft Azure Information Protection
Microsoft Azure Information Protection Microsoft Azure Information Protection
Microsoft Azure Information Protection
 
Vaultize corp three-pager v14
Vaultize corp three-pager v14Vaultize corp three-pager v14
Vaultize corp three-pager v14
 
Cloud technology to ensure the protection of fundamental methods and use of i...
Cloud technology to ensure the protection of fundamental methods and use of i...Cloud technology to ensure the protection of fundamental methods and use of i...
Cloud technology to ensure the protection of fundamental methods and use of i...
 
Secure deduplication-evault-endpoint-protection
Secure deduplication-evault-endpoint-protectionSecure deduplication-evault-endpoint-protection
Secure deduplication-evault-endpoint-protection
 
Azure Information Protection
Azure Information ProtectionAzure Information Protection
Azure Information Protection
 
SecurusVault Swiss Data Backup overview
SecurusVault Swiss Data Backup overviewSecurusVault Swiss Data Backup overview
SecurusVault Swiss Data Backup overview
 
SQL Server Encryption - Adi Cohn
SQL Server Encryption - Adi CohnSQL Server Encryption - Adi Cohn
SQL Server Encryption - Adi Cohn
 
SQL Server Column Based Encryption
SQL Server Column Based EncryptionSQL Server Column Based Encryption
SQL Server Column Based Encryption
 
Column Level Encryption in Microsoft SQL Server
Column Level Encryption in Microsoft SQL ServerColumn Level Encryption in Microsoft SQL Server
Column Level Encryption in Microsoft SQL Server
 
Windows 10: Security Focus (part II)
Windows 10: Security Focus (part II)Windows 10: Security Focus (part II)
Windows 10: Security Focus (part II)
 
Cloud computing security infrastructure
Cloud computing security infrastructureCloud computing security infrastructure
Cloud computing security infrastructure
 

En vedette

Escuela normal urbana federal cuautladesventajas
Escuela normal urbana federal cuautladesventajasEscuela normal urbana federal cuautladesventajas
Escuela normal urbana federal cuautladesventajasmarianagladis
 
Hahnemuehle PhotoRag Book & Album, 220 g/m²_PT
Hahnemuehle PhotoRag Book & Album, 220 g/m²_PTHahnemuehle PhotoRag Book & Album, 220 g/m²_PT
Hahnemuehle PhotoRag Book & Album, 220 g/m²_PTHahnemühle FineArt GmbH
 
First Catalogue / Primer Catalogo / Primer Catàleg DICOMOL 1979
First Catalogue / Primer Catalogo / Primer Catàleg DICOMOL 1979First Catalogue / Primer Catalogo / Primer Catàleg DICOMOL 1979
First Catalogue / Primer Catalogo / Primer Catàleg DICOMOL 1979DICOMOL SL
 
Seo básico para pymes
Seo básico para pymesSeo básico para pymes
Seo básico para pymesIñaki Tovar
 
What are the Differences between Remote, Contact and Plasma Modes
What are the Differences between Remote, Contact and Plasma ModesWhat are the Differences between Remote, Contact and Plasma Modes
What are the Differences between Remote, Contact and Plasma ModesSpooky2 Rife
 
Social permaculture
Social permacultureSocial permaculture
Social permacultureJosh Gomez
 
The use of technology in psychology
The use of technology in psychologyThe use of technology in psychology
The use of technology in psychologyPaulo Arieu
 
Reserva ecologica-el-ángel
Reserva ecologica-el-ángelReserva ecologica-el-ángel
Reserva ecologica-el-ángelSandra Ruiz
 
Información segura, negocios seguros. ¿Ceguera o ignorancia? ¿Cuánto sabemos ...
Información segura, negocios seguros. ¿Ceguera o ignorancia? ¿Cuánto sabemos ...Información segura, negocios seguros. ¿Ceguera o ignorancia? ¿Cuánto sabemos ...
Información segura, negocios seguros. ¿Ceguera o ignorancia? ¿Cuánto sabemos ...Foro Global Crossing
 
Presupuesto Web CéSar
Presupuesto Web CéSarPresupuesto Web CéSar
Presupuesto Web CéSarAlberto
 
Presentation to the UN in Sarajevo
Presentation to the UN in SarajevoPresentation to the UN in Sarajevo
Presentation to the UN in SarajevoMarc Wright
 
Outsourcing e insourcing su deducción fiscal ranero abogados mayo 12...
Outsourcing e insourcing su deducción fiscal ranero abogados mayo 12...Outsourcing e insourcing su deducción fiscal ranero abogados mayo 12...
Outsourcing e insourcing su deducción fiscal ranero abogados mayo 12...01ranero
 

En vedette (20)

Escuela normal urbana federal cuautladesventajas
Escuela normal urbana federal cuautladesventajasEscuela normal urbana federal cuautladesventajas
Escuela normal urbana federal cuautladesventajas
 
Revista3
Revista3Revista3
Revista3
 
Anurag_Ghosh
Anurag_GhoshAnurag_Ghosh
Anurag_Ghosh
 
13.ICON Brochure
13.ICON Brochure13.ICON Brochure
13.ICON Brochure
 
Hahnemuehle PhotoRag Book & Album, 220 g/m²_PT
Hahnemuehle PhotoRag Book & Album, 220 g/m²_PTHahnemuehle PhotoRag Book & Album, 220 g/m²_PT
Hahnemuehle PhotoRag Book & Album, 220 g/m²_PT
 
Centrul Medical Mediclass
Centrul Medical MediclassCentrul Medical Mediclass
Centrul Medical Mediclass
 
20210
2021020210
20210
 
First Catalogue / Primer Catalogo / Primer Catàleg DICOMOL 1979
First Catalogue / Primer Catalogo / Primer Catàleg DICOMOL 1979First Catalogue / Primer Catalogo / Primer Catàleg DICOMOL 1979
First Catalogue / Primer Catalogo / Primer Catàleg DICOMOL 1979
 
Seo básico para pymes
Seo básico para pymesSeo básico para pymes
Seo básico para pymes
 
What are the Differences between Remote, Contact and Plasma Modes
What are the Differences between Remote, Contact and Plasma ModesWhat are the Differences between Remote, Contact and Plasma Modes
What are the Differences between Remote, Contact and Plasma Modes
 
Social permaculture
Social permacultureSocial permaculture
Social permaculture
 
Factores desarrollo métodos
Factores desarrollo métodosFactores desarrollo métodos
Factores desarrollo métodos
 
The use of technology in psychology
The use of technology in psychologyThe use of technology in psychology
The use of technology in psychology
 
Reserva ecologica-el-ángel
Reserva ecologica-el-ángelReserva ecologica-el-ángel
Reserva ecologica-el-ángel
 
Evangelismo
EvangelismoEvangelismo
Evangelismo
 
Información segura, negocios seguros. ¿Ceguera o ignorancia? ¿Cuánto sabemos ...
Información segura, negocios seguros. ¿Ceguera o ignorancia? ¿Cuánto sabemos ...Información segura, negocios seguros. ¿Ceguera o ignorancia? ¿Cuánto sabemos ...
Información segura, negocios seguros. ¿Ceguera o ignorancia? ¿Cuánto sabemos ...
 
Presupuesto Web CéSar
Presupuesto Web CéSarPresupuesto Web CéSar
Presupuesto Web CéSar
 
Presentation to the UN in Sarajevo
Presentation to the UN in SarajevoPresentation to the UN in Sarajevo
Presentation to the UN in Sarajevo
 
Outsourcing e insourcing su deducción fiscal ranero abogados mayo 12...
Outsourcing e insourcing su deducción fiscal ranero abogados mayo 12...Outsourcing e insourcing su deducción fiscal ranero abogados mayo 12...
Outsourcing e insourcing su deducción fiscal ranero abogados mayo 12...
 
Que es BASC
Que es BASCQue es BASC
Que es BASC
 

Similaire à IRM Secure on SecuLogica Technical Whitepaper

Cryptolab cse datasheet v1.1.pdf
Cryptolab cse datasheet v1.1.pdfCryptolab cse datasheet v1.1.pdf
Cryptolab cse datasheet v1.1.pdfMassimo Bertaccini
 
IRJET- Protection of Personal Data on Distributed Cloud using Biometrics
IRJET- Protection of Personal Data on Distributed Cloud using BiometricsIRJET- Protection of Personal Data on Distributed Cloud using Biometrics
IRJET- Protection of Personal Data on Distributed Cloud using BiometricsIRJET Journal
 
Secure Enterprise File Sharing and Mobile Content Management
Secure Enterprise File Sharing and Mobile Content ManagementSecure Enterprise File Sharing and Mobile Content Management
Secure Enterprise File Sharing and Mobile Content ManagementBlackBerry
 
Secure File Sharing Basics - What Every File Sharing Provider Should Have
Secure File Sharing Basics - What Every File Sharing Provider Should HaveSecure File Sharing Basics - What Every File Sharing Provider Should Have
Secure File Sharing Basics - What Every File Sharing Provider Should HaveBoxHQ
 
LogicalDOC Security Systems
LogicalDOC Security SystemsLogicalDOC Security Systems
LogicalDOC Security SystemsLogicalDOC
 
It securepro 10 nov 2010
It securepro 10 nov 2010It securepro 10 nov 2010
It securepro 10 nov 2010Agora Group
 
Paper id 712019116
Paper id 712019116Paper id 712019116
Paper id 712019116IJRAT
 
Hybrid Cryptography Algorithm Based Secured Storage Android App
Hybrid Cryptography Algorithm Based Secured Storage Android AppHybrid Cryptography Algorithm Based Secured Storage Android App
Hybrid Cryptography Algorithm Based Secured Storage Android AppIRJET Journal
 
SME Providing an Enterprise File Fabric™ for Scality
SME Providing an Enterprise File Fabric™ for ScalitySME Providing an Enterprise File Fabric™ for Scality
SME Providing an Enterprise File Fabric™ for ScalityHybrid Cloud
 
SME ENTERPRISE FILE FABRIC FOR SOFTLAYER
SME ENTERPRISE FILE FABRIC FOR SOFTLAYERSME ENTERPRISE FILE FABRIC FOR SOFTLAYER
SME ENTERPRISE FILE FABRIC FOR SOFTLAYERHybrid Cloud
 
Document Management System or Digital Folder.pptx
Document Management System or Digital Folder.pptxDocument Management System or Digital Folder.pptx
Document Management System or Digital Folder.pptxBIS Safety
 
CSE_Instructor_Materials_Chapter7.pptx
CSE_Instructor_Materials_Chapter7.pptxCSE_Instructor_Materials_Chapter7.pptx
CSE_Instructor_Materials_Chapter7.pptxMohammad512578
 
Securus Swiss Cloud Storage Solutions
Securus Swiss Cloud Storage SolutionsSecurus Swiss Cloud Storage Solutions
Securus Swiss Cloud Storage Solutionssecurusvault
 
Cloud Storage System like Dropbox
Cloud Storage System like DropboxCloud Storage System like Dropbox
Cloud Storage System like DropboxIRJET Journal
 
The Enterprise File Fabric for Vecima MediaScaleX
The Enterprise File Fabric for Vecima MediaScaleXThe Enterprise File Fabric for Vecima MediaScaleX
The Enterprise File Fabric for Vecima MediaScaleXHybrid Cloud
 
Secure File Sharring-owncloud.pptx
Secure File Sharring-owncloud.pptxSecure File Sharring-owncloud.pptx
Secure File Sharring-owncloud.pptxAgusto Sipahutar
 
Network Security 2016
Network Security 2016 Network Security 2016
Network Security 2016 Mukesh Pathak
 

Similaire à IRM Secure on SecuLogica Technical Whitepaper (20)

Cryptolab cse datasheet v1.1.pdf
Cryptolab cse datasheet v1.1.pdfCryptolab cse datasheet v1.1.pdf
Cryptolab cse datasheet v1.1.pdf
 
IRJET- Protection of Personal Data on Distributed Cloud using Biometrics
IRJET- Protection of Personal Data on Distributed Cloud using BiometricsIRJET- Protection of Personal Data on Distributed Cloud using Biometrics
IRJET- Protection of Personal Data on Distributed Cloud using Biometrics
 
Secure Enterprise File Sharing and Mobile Content Management
Secure Enterprise File Sharing and Mobile Content ManagementSecure Enterprise File Sharing and Mobile Content Management
Secure Enterprise File Sharing and Mobile Content Management
 
Secure File Sharing Basics - What Every File Sharing Provider Should Have
Secure File Sharing Basics - What Every File Sharing Provider Should HaveSecure File Sharing Basics - What Every File Sharing Provider Should Have
Secure File Sharing Basics - What Every File Sharing Provider Should Have
 
DLP and MDM Datasheet
DLP and MDM DatasheetDLP and MDM Datasheet
DLP and MDM Datasheet
 
LogicalDOC Security Systems
LogicalDOC Security SystemsLogicalDOC Security Systems
LogicalDOC Security Systems
 
It securepro 10 nov 2010
It securepro 10 nov 2010It securepro 10 nov 2010
It securepro 10 nov 2010
 
Paper id 712019116
Paper id 712019116Paper id 712019116
Paper id 712019116
 
Hybrid Cryptography Algorithm Based Secured Storage Android App
Hybrid Cryptography Algorithm Based Secured Storage Android AppHybrid Cryptography Algorithm Based Secured Storage Android App
Hybrid Cryptography Algorithm Based Secured Storage Android App
 
Secure Objects
Secure ObjectsSecure Objects
Secure Objects
 
SME Providing an Enterprise File Fabric™ for Scality
SME Providing an Enterprise File Fabric™ for ScalitySME Providing an Enterprise File Fabric™ for Scality
SME Providing an Enterprise File Fabric™ for Scality
 
SME ENTERPRISE FILE FABRIC FOR SOFTLAYER
SME ENTERPRISE FILE FABRIC FOR SOFTLAYERSME ENTERPRISE FILE FABRIC FOR SOFTLAYER
SME ENTERPRISE FILE FABRIC FOR SOFTLAYER
 
Document Management System or Digital Folder.pptx
Document Management System or Digital Folder.pptxDocument Management System or Digital Folder.pptx
Document Management System or Digital Folder.pptx
 
CSE_Instructor_Materials_Chapter7.pptx
CSE_Instructor_Materials_Chapter7.pptxCSE_Instructor_Materials_Chapter7.pptx
CSE_Instructor_Materials_Chapter7.pptx
 
Tech Vault Solution
Tech Vault SolutionTech Vault Solution
Tech Vault Solution
 
Securus Swiss Cloud Storage Solutions
Securus Swiss Cloud Storage SolutionsSecurus Swiss Cloud Storage Solutions
Securus Swiss Cloud Storage Solutions
 
Cloud Storage System like Dropbox
Cloud Storage System like DropboxCloud Storage System like Dropbox
Cloud Storage System like Dropbox
 
The Enterprise File Fabric for Vecima MediaScaleX
The Enterprise File Fabric for Vecima MediaScaleXThe Enterprise File Fabric for Vecima MediaScaleX
The Enterprise File Fabric for Vecima MediaScaleX
 
Secure File Sharring-owncloud.pptx
Secure File Sharring-owncloud.pptxSecure File Sharring-owncloud.pptx
Secure File Sharring-owncloud.pptx
 
Network Security 2016
Network Security 2016 Network Security 2016
Network Security 2016
 

IRM Secure on SecuLogica Technical Whitepaper

  • 1. IRMSECURE Protect What You Share N o r t h A m e r i c a I R M S e c u r e 2 8 0 0 S k y m a r k A v e n u e , # 4 M i s s i s s a u g a , O n t a r i o , L 4 W 5 A 6 C A N A D A Te l : +1 . 9 0 5 . 3 6 6 . 4 4 4 4 / F a x : +1 . 9 0 5 . 3 61 . 0 7 8 9 Europe SecuLogica /IRM Secure Werdener Strasse 8 40277Duesseldorf GERMANY Tel:+49.211.1780.7778 WWW.IRMSECURE.COMi n f o @ i r m s e c u r e . c o m SecuLogica: Technical Whitepaper
  • 2. IRMSECURE Protect What You Share Contents Executive Summary 2 Product functionality 3 Architecture 5 Solution Components 5 User hierarchy 6 Deployment alternatives 7 SecuLogica as a Service 7 SecuLogica On Premises 7 Hardware requirements 8 Deployment requirements 9 Double URL and IP 9 Enabling an e-mail agent 9 LDAP or Active Directory integration 9 Security 11 Infrastructure: High availability, physical and logical security 11 User login 11 Username and password 11 External ID Provider (OpenID / OAuth) 11 LDAP or Active Directory 12 Communications 12 Client to Server 12 Plugins to Core-Client 12 Encryption 12 Offline enabling 13 Availability window 13 Watermarks 13 Screen capture 13 Activity Log 13 Supported file types 14 SecuLogica Viewer 14 API for Plugins 14 Plugin MS-Office for Windows 14 Plugin MS-Outlook for Windows 15 Plugin AutoCAD 15 Browser Plugins (Internet Explorer, Firefox and Chrome) 15 Multimedia files 15 Supported devices 16 Advanced Features 16 “Protected” Folders 16 Sharepoint integration 16 Federation of Servers and trust relationships 17 How it works 17 External users 17 SecuLogica Server Repository 18 API for external service providers (or SecuLogica client for servers) 18 SecuLogica with Cloud services 19 SecuLogica Drag’ n Drop 20 Sharing photographs with SecuLogica 21 Licensing model 21
  • 3. IRMSECURE Protect What You Share 2 Executive Summary SecuLogica is an IRM (Information Rights Management) solution that provides a technology standard for the industry. It allows individual users and companies to control their files wherever they are. With SecuLogica, users can protect and track the use of any copy of their documents and change, at their discretion, who can access those files and what actions can be done with them. It leverages and complements the latest technology trends: cloud, mobile, social as well as traditional IT envi- ronments. It is designed for universal use for both corporate and private users being available for a wide set of devices and file formats delivering maximum ease of use, smooth deployment and minimal or no maintenance effort. SecuLogica’s vision is to become a standard for protecting the information we share and store on the Internet. Key elements for this vision are: Interoperability so that any SecuLogica user can exchange information with anyone securely, be it a corporate or private user: Ease of use so that the technology can be used by anyone, anywhere on any device and a groundbreaking Business Model.
  • 4. IRMSECURE Protect What You Share 3 Product functionality SecuLogica helps its customers protect what they share by making the process as easy as possible. SecuLogica delivers a solution that allows users and companies to keep control of their files wherever they are, track the use of any copy of their documents, and change, whenever they want, who can access and what actions can be done with their files. SecuLogica is designed to provide both security and usability. The design principles for the product are: * Any document: the most relevant file formats are supported. Additional file extensions will be added to address customer demand. * Any device: PC, Mac, Tablets, Smartphones. It is available for all relevant platforms on the market * Any user: we serve corporate users and individual users in a federated manner. Everyone regis tered on any SecuLogica enabled service can exchange information securely. * Cloud ready: We integrate with most cloud services. * Affordable: Our pricing model was designed to make SecuLogica cost effective for everyone. We provide a free version of our product that enables anyone to share information securely * Easy to use: with nearly no learning curve required to use the product/service * Easy to deploy: can be acquired as SaaS or On Premise * Secure: keys and documents are never together. * Real time: Change in permissions has immediate effect. SecuLogica implements three steps when protecting any type of file: 1. Encrypt the file with AES 128 or 256. This produces a copy of the file with a .proton extension. This new file is the one exchanged with other users, the original file is no longer used for inter- change. The .proton file can be shared by any channel such as email, USB, cloud services. 2. Define permissions on the .proton file: select the users or groups that can access it and estab lish the actions that can be done by those users on the file 3. Both the key used to encrypt the file and the metadata with the users and permissions are stored in the SecuLogica key server. Every time a user wants to open a .proton file, the permissions for that user are checked and the access restrictions applied. The permissions are defined by the file owner. The concepts that can be enabled/disabled for a given user or group of users are: Read, Print, Edit, Copy and Manage as follows:
  • 5. IRMSECURE Protect What You Share 4 * A document with READ permissions can only be viewed and cannot be modified. Screen capture preven- tion techniques are used: the clipboard is disabled, “cut & paste” cannot be done and screen capture apps are also disabled. * A document with PRINT permissions can be printed and read but cannot be modified. * A document with EDIT permissions can be modified but all changes are stored in the same protected file. The same screen capture techniques as described for READ permission are applied. This will be useful for documents that are distributed to a limited community of contributors that need to deliver modifications to the document in a controlled manner. * A document with COPY permissions can be modified and saved with a different name. This permission effectively gives full access and rights to the document, making it possible to extract and copy its content. * A user with MANAGE permission can define and change the permissions of a document. This allows dele- gation of authority for managing permissions. The permissions that the user can manage for other users are limited to the permissions he or she has been granted. Permissions like forward, email or any other related to the transmission of the content are useless in the SecuLogica working model as ALL content travels encrypted and permissions are centrally managed and checked every time a file is opened. This working model allows the file owner to remove/change permissions at any time. That change is applied in real time to all copies of the file no matter how these copies have been shared. Advanced features can be defined for additional file protection. Watermarks can be set for display and print. Time window of accessibility can be defined for a document; nobody can access the file before the starting date/time and after the ending date/time. Offline access to files can also be defined. Another important concept is the “Protected folder”. A folder can be created, protected and set permissions in the same way as an individual file. Once the folder is created, every file stored in it will be automatically protected with the same access permissions as the folder. This folder can be local, shared or cloud-based. SecuLogica protects documents at rest, in motion and in use: * Once a document is protected, the encryption is persistent on any type of storage media. * Content is always protected as only encrypted information travels over the network. * SecuLogica provides control when the files are in use. This is done using Plugins or viewers depending on the file type. The user never gets full control of the file being accessed as the permissions are enforced by the Plugin or viewer applicable to the file format. SecuLogica does not store user files. It only stores the encryption keys, the permissions assigned (who has access and what kind of access) and the document activity logs (who, when and how uses your files).
  • 6. IRMSECURE Protect What You Share 5 SecuLogica is a client-server application. The server is responsible for: * storing the keys used for encryption * managing user authentication and permissions * storing activity logs The client is the software installed on the user device and communicates with the server in order to: * authenticate the user * create and store a new key when the user encrypts a file * retrieve the key when the user wants to access a protected file and has the required permissions * send activity log events each time a user accesses the protected document To show the content of the protected files the client application uses the SecuLogica viewer for some types of files (images, PDF, plain text, HTML…). Other types of files are opened natively in the applica- tion where they were created (Word, Excel, PowerPoint…); in this case a plugin is needed. The application Plugins ensure the rights and configuration settings of the protected file are respected when the file is accessed. Solution Components
  • 7. IRMSECURE Protect What You Share 6 User hierarchy Users can be registered in SecuLogica as standalone users or as users belonging to an organization. Standalone users are the owners of the documents they protect (though they have the ability to transfer ownership to other users). Standalone users of the SecuLogica public server can have a Basic (free) or a Premi- um account. The premium profile provides full functionality to standalone users. Users belonging to an organization are managed by one or more administrators. The files these users protect belong to the organization and the administrators have control over user permissions and can access the activity logs. Supervisors of the organization have access to a control panel where they can do the following: * manage groups of users in the organization * manage permissions of the files protected by members of the organization * access the activity log either by protected files or by users Administrators of the organizations have the following permissions in addition to the permissions that a supervisor has: * manage the users in the organization and their profiles * configure the organization settings
  • 8. IRMSECURE Protect What You Share The supervisors and administrators do not necessarily have access to the documents; it is import- ant to note that the roles of system administrators and security administrators can be separated. The system administrator is responsible for the general configuration of the server, and one of his functions is to configure the server so that it may be visible to other SecuLogica servers, thus creating a server federation. This role allows creating new organizations or domains, and accessing a complete log of the system activity, not only the activity related with documents. Deployment alternatives SecuLogica as a Service SecuLogica is offered as a public service where, following the hierarchy of users described above, home users, professionals and organizations coexist, using SecuLogica’s features without infrastruc- ture ownership costs. The SecuLogica service is provided from an infrastructure housed in professional data centers with the highest levels of security and availability. More information on this is included in the Security chapter. SecuLogica On Premises SecuLogica also is available to install in the customer’s facilities. The installation requires a software license that determines the maximum number of users, expiration date, etc... This license includes a unique server identification that allows federation between servers; for this purpose all licensed servers are registered in a centralized repository. SecuLogica is deployed in a fortified Linux-Debian system with the necessary scripts for easy setup and updates. In order to ensure that the system remains updated with application upgrades and system security patches, auto-deployable update packages are delivered from our servers. The database management system used by the application is MySQL 5. The server application is deployed in a Tomcat 7 web application server. In addition, an Apache 2 HTTP server is used to manage all HTTP connections to the system. Custom installation of the server, including customization of the client application, is also possible with consulting and integration services. If the On Premises deployment includes the Drag´n Drop service and/or the Web Client API, an additional Windows Server 2012 R2 is required to deploy both services. 7
  • 9. IRMSECURE Protect What You Share 8 Hardware requirements SecuLogica does not require a large amount of resources as the information passed in the client-server communications use little bandwidth and the storage requirements are minimal. Storage space required is based on the length of the log history a user wants to keep accessible online on the server. Taking into account that every log record (created when you open a protected file, edit it, change its permissions, etc.) requires approximately 300 bytes, a reasonable assumption is that 1GB is enough to store around 1 million events. Furthermore, since encryption and decryption of the files is performed locally, the server does not require additional processing power more than the average amount required by web application servers. The Window Server 2012R2 for the Drag´nDrop service requires more computing power than the SecuLogica key server as this has to decrypt and render the content to multiple users simultaneously. There are multiple deployment alternatives depending on the high availability and disaster recovery requirements to be met, starting from a single server and growing to a highly available architecture. These aspects are discussed in detail in the “Required Infrastructure to Install SecuLogica” docu- ment. A detailed deployment example of a high performance infrastructure with all services configured in HA is shown below:
  • 10. IRMSECURE Protect What You Share Deployment requirements For installation of a server in-house, either as a virtual appliance or as a custom installation, the following requirements must be considered. Double URL and IP The SecuLogica server requires two HTTPS interfaces: * User web interface: The user manages permissions through this interface. The SSL certificate provided by SecuLogica with the license should be replaced by a certificate signed by a trusted CA in order to avoid warning messages issued by the browsers. * Client application interface: Through this interface the SecuLogica client application communicates in the background with the server without user intervention. This SSL interface requires client authentication and both sides need to verify the communication authenticity. In order to be able to use different SSL configurations, these two different interfaces must be accessed through TCP port 443 of two different IP addresses, or through two different TCP ports in only one IP address,. Both interfaces may be referred to by two different subdomain names for complete SSL certifi- cate validation. Enabling an e-mail agent SecuLogica sends emails to communicate with users, and the SecuLogica server must be allowed to send e-mails. The SecuLogica Virtual Appliance is preconfigured to use its own SMTP server but this configura- tion can be modified to use an external SMTP server. The emails are used to validate users and to send requests for permissions. LDAP or Active Directory integration Organizations can configure an LDAP or Active Directory as the data source to authenticate users, as well as to obtain users and groups of users that can be used to manage permissions of protected files. This integration is configured at the organization level in the user hierarchy, not at the server level. This allows SecuLogica to be integrated with the directory regardless of the way it is implemented: as a service, a virtual appliance or a custom installation. Multiple directories or directory subsets, can be configured for each organization. 9
  • 11. IRMSECURE Protect What You Share The integration consists on configuring the connection to the directory and mapping a few directory fields: * Connection data o Protocol (LDAP) o LDAP server URL and Port o Search base * Authentication data o User o Password * User mapping o User base DN o Object Class o User Filter o User Id attribute o Username attribute o User Real Name attribute o User email attribute * Group mapping o Group base DN o Object Class o Group Filter o Group Id attribute o Group Real Name attribute o Group Member attribute 10
  • 12. IRMSECURE Protect What You Share Security SecuLogica was created with the goal of enabling users to share information on the internet with complete confidence. Although absolute and total security does not exist, using SecuLogica will enable the user to get closer to that goal. Infrastructure: High availability, physical and logical security The SecuLogica service is provided from a cluster of servers housed in multiple data centers with the high- est safety standards implemented including perimeter controls, video surveillance and on-site security professionals. Important also is the use of protective measures against network security problems such as distributed denial of service (DDoS), man in the middle attacks (MITM) and package tracking. The most sensitive information stored in our databases, like encryption keys or personal data (email, pass- word, etc.) are stored encrypted. The disk is also encrypted thus ensuring the user data is protected both from malicious access to the servers and even from physical theft of the disks. User login Data security is ultimately defined by the how secure access to that data is. The administrator of the Secu- Logica Corporate Service can decide which authentication method the users of the organization must use. Username and password Initial registration with SecuLogica requires the choice of a unique username and password. These creden- tials can be stored in the client application, this way allowing the SecuLogica client to connect to the server in the background without having to re-enter the credentials every time you protect or open a protected file. External ID Provider (OpenID / OAuth) SecuLogica allows users to authenticate against external identification providers compliant with OpenID or OAuth protocols; this mechanism enables access SecuLogica with a Google, Yahoo, Twitter or LinkedIn account. Facebook connection has also been implemented so a user can access SecuLogica through your Facebook account. In the Corporate Service and with Corporate Servers implemented in-house, we can offer optional authenti- cation services to provide the highest standards of security required: biometrics, smart card, OTC, etc. A user with a SAML2 compliant Access Management system in place can configure SecuLogica to leverage the corporate access management solution as a trusted party to authenticate users. Using this authentication method SecuLogica redirects the request to external web pages for user authenti- cation. The external service validates the user and communicates back to SecuLogica the authorization result. With this method SecuLogica neither stores nor has the ability to see a user’s credentials. Furthermore, integration with cloud single-sign-on services is also possible. 11
  • 13. IRMSECURE Protect What You Share LDAP or Active Directory The third authentication method available is to validate user’s credentials in a private Directory (LDAP or Microsoft Active Directory). In this case the user enters his or her username and password in SecuLogica and SecuLogica sends the request to the private Directory for authentication. SecuLogica serves as a gateway for the credentials but it does not store them. Communications Client to Server All connections to SecuLogica servers are encapsulated by a secure channel that uses SSL (Secure Sockets Layer) 2048 bits, the standard used for network connections over the Internet. The SSL channel requires client authentication, thus in the hypothetical case a vulnerability is detected in the client side, the client connection request from that version would be rejected and the client would be forced to upgrade. Plugins to Core-Client SecuLogica plugins are classified in either of two categories dependent on whether or not it has access to decrypted data. Plugins requiring access to decrypted data (eg. Internet browser plugins) communicate with the SecuLogica Core-Client application through HTTP. This access is delegated to the dedicated SecuLogica secure viewers. Those plugin that render decrypted files and therefore do not access it directly communicate with the SecuLogica Core-Client through HTTPS. Using client authentication, the Core-Client validates that the plugin is genuine and also validates it on the server. Encryption Files are protected using the AES algorithm. The encryption key is generated randomly in the server with a variable length that the user can configure locally in client preferences (128 or 256 bits, by default 256). The encryption is done on the computer or mobile device and the file never leaves the device during the encryp- tion process. SecuLogica stores only encryption keys and user permissions – user files are never stored on SecuLogica servers and remain in possession of the user at all times. The databases containing the encryption keys are themselves encrypted, ensuring ongoing security in the event of an attempted theft. Having the encryption key and user file on separate servers adds an additional layer of protection. 12
  • 14. IRMSECURE Protect What You Share Offline enabling Enabling the offline-use property in SecuLogica will allow a user to access a document when he or she is offline. If this property is enabled the client will store the use-license in a local database which will allow the file to be opened when there is not a connection to the server. This local database is encrypted with an AES-256 algorithm with a key that is changed before it is re-encrypted in the database. Offline permission can be time-limited and document activity is stored locally and is sent to the Server immedi- ately upon reinstatement of the connection. Availability Window SecuLogica’s functionality includes the ability to time-limit access to a document both by date and time of day. Watermarks The SecuLogica Online control console includes the ability to apply a Watermark to any protected document by the activation of a simple toggle. The watermark is completely customizable by the docu- ment’s owner and also has built-in functionality to force printing of user, date and time data on a printed document. Screen capture In an effort to prevent a user from using Screen Capture (Print Screen) to circumvent the limits that have placed on his or her permissions, SecuLogica automatically disables known keystrokes (CTRL-P, Print Screen) and detects the execution of screen capture software (Snipping Tool, SnagIT, Camtasia, Record- er, Greenshot etc.) Unfortunately screen capture cannot be avoided in Mac, iOS or Android devices. However, with the use of SecuLogica, one can be assured that only users with permissions can have access to the file and any screen capture event will be registered within the activity log (see below). Despite these measures, SecuLogica always recommends the use of a Watermark for sensitive docu- ments to mitigate the instances of a user capturing an image of his or her monitor with a camera. Activity Log A valuable functionality of SecuLogica is the Activity Log. This log is simply accessed by the file owner and is updated every time an action occurs on a protected file. The actions logged include: open, edit, save, save as, unprotect, print screen attempts and any rights modifications. The log also differentiates actions done online or offline. The log also captures the Username, IP address, OS, HW Identifier and Result of any action. 13
  • 15. IRMSECURE Protect What You Share 14 Supported file types SecuLogica provides different alternatives to render the protected files: SecuLogica Viewer The following file extensions are managed by the SecuLogica viewer: * Image formats: .jpg, .jpeg, .gif, .png, .bmp, .tiff, .tif * PDF: .pdf (Note: Foxit and Phantom PDF is supported by use of a Plugin) * Text formats: .txt, .as, .mx, .ada, .ads, .adb, .asm, .asp, .au3, .sh, .bsh, .bat, .cmd, .nt, .c, .ml, .mli, .sml, .thy, .cmake, .cbl, .cbd, .cdb, .cdc, .cob, .h, .hpp, .cpp, .cxx, .cc, .cs, .css, .d, .diff, .patch, .f, .f90, .f95, m, .f2k, .hs, .lhs, .las, .html, .htm, .shtml, .shtm, .xhtml, .ini, .inf, .reg, .url, .iss, .java, .js, .jsp, .kix, .lsp, .lisp, .lua, .mak, .m, .nfo, .nsi, .nsh, .pas, .inc, .pl, .pm, .plx, .php, .php3, .phtml, .ps, .ps1, .properties, .py, .pyw, .r, .rc, .rb, .rbw, .scm, .smd, .ss, .st, .sql, .tcl, .tex, .vb, .vbs, .v, .vhd, .vhdl, .xml, .xsml, .xsl, .xsd, .kml, .wsdl, .yml, .log When rendering text files, a user can also edit them directly from the viewer. * Microsoft Office: in iOS and Mac, a viewer is used for the Microsoft Word, Excel and PowerPoint formats, however in Windows systems these files are opened through an add-on in Microsoft Office API for Plugins An API for programmers to integrate applications with SecuLogica is built in. This integration allows the files to be rendered in the native format of specialized applications. Plugin MS-Office for Windows The MS-Office for Windows Plugin allows users to use all the features of Word, Excel and PowerPoint with- out compromising the file’s protection. Below is a list of the file extensions managed by this plugin: * MS Word: .doc, .docx, .rtf * MS Excel: .xls, .xlsx, .xlsm, .xlsb, .csv * MS PowerPoint: .ppt, .pptx, .pptm The integration with MS Office is developed based in the MS Office SDK. An important consideration in the development of SecuLogica was to avoid the use of Microsoft RMS or solutions based on “hooking tech- niques.” The development team believed that because using RMS format involves storing the encryption key and permissions in the document itself, document security can be compromised. Additionally, system hooking can cause system instability in many installations. This avoids installation problems for both personal use and enterprise use.
  • 16. IRMSECURE Protect What You Share 15 Plugin MS-Outlook for Windows: The SecuLogica plugin for MS-Outlook allows the user to: * Protect the full body of an email. If preferred, a subset of selected text can be encrypted. * Protect the attachments (on user request). * Assign read permissions to all recipients on the protected content Note: If an encrypted email is sent to a non-registered recipient, they will receive a system-generated invitation to register as a SecuLogica user. Plugin AutoCAD SecuLogica supports AutoCAD 2010 and later via the use of a Plugin. These plugins also have functionality with the AutoDesk DWG TrueView viewer. The plugin supports the formats: * .dwg * .dxf (the plugin converts it to .dwg) providing encryption, as well as viewing and editing capabilities. Browser Plugins (Internet Explorer, Firefox and Chrome): SecuLogica provides plugins for these browsers that allow the user to view protected text and images and also protect text. This simplifies the use of SecuLogica with webmail clients or using encrypted information on any webpage. Multimedia files Video and audio formats can be protected with SecuLogica. The reproduction of these formats in iOS and Android is done natively, and in desktop systems (Windows and Mac) is performed with a special compila- tion of VLC (VideoLAN) that includes a SecuLogica plugin providing DRM functionality. The VLC software is a free download that needs only to be done once. The file extensions supported depends on the operating system: * Windows and OS X: .f4v, .flv, .gvp, .dvdmedia, .xa, .ape, .flac, .wv, .tta, .mpc, .ram, .rm, .rmvb, .mod, .xm, .it, .aiff, .aif, .amr, .aob, .dts, .spx, .wav, .vob, .a52, .ac3, .aac, .opus, .ogm, .ogg, .oga, .ogv, .ogx, .oma, .voc, .vqf, .anx, . axv, .gxf, .mxf, .avi, .mov, .moov, .qt, .divx, .dv, .asf, .wma, .wmv, .wm, .mpg, .mpeg, .mpeg1, .mpeg2, .m1v, .m2a, .mp1, .mp2, .mp3, .m2p, .ts, .m2ts, .mts, .mt2s, .m2v, .mpv, .mpa, .mp4, .mpeg4, .m4v, .m4a, .3gp, .mid, .mlp, .mka, .mkv, . webm, .rec, .rmi, .s3m, .vro, .tod, .nsv, .nuv * Android: o video: mp4, 3gp, 3gpp, webm o audio: 3gp, mp3, 3gpp, wav, m4a * iOS: o video: mov, mp4, m4v o audio: mp3, wav, aiff, m4a, acc Additional file formats are added based on market demand. SecuLogica welcomes customer’s requests to add specific, currently unsupported formats.
  • 17. IRMSECURE Protect What You Share 16 Supported devices SecuLogica works on all commonly used platforms such as Windows PC, Apple Mac, Android Smart- phones and Tablets, iOS devices (iPhone, iPad) and BlackBerry10 Smartphones. We closely track the market evolution and will support new platforms as they gain market relevance. Advanced Features “Protected” Folders In order to simplify the protection of files with a predefined configuration of permissions, SecuLogica has introduced the concept of “Protected folders”. A Protected folder is a folder in the file system where the user has assigned SecuLogica permissions. It is important to note that all documents in the Protected Folder have this protection, whether they existed in the folder before it was protected or added after the protection was placed on it. This process features a daemon that monitors all Protected folders and launches SecuLogica when a user adds a file to one of them. SecuLogica automatically protects the file and prompts the user to apply the desired permissions. Note that the user who copies a file in a Protected folder could be different to the user who is monitoring the folder. This has important applications in enterprise environments - e.g. an administrator protects a shared folder where other applications like ERPs or reporting systems drop information. Because this information is in a protected folder, that protection will remain in place even after being exported from the original source. Note: that the protection of shared folders is dependent on the following: * In order for a user, who connects remotely from their own SecuLogica client to protect or manage shared folders, SecuLogica must be installed as a service within a Windows server with the shared folders to protect properly mapped. Please see the document “SecuLogica Client Advanced Guide” for instructions. * The Protected folders contains two XML files that cannot be manipulated: .SecuLogica-folder.xmly .SecuLogica-pendings.xml. In the case of shared folders these files should be protected by the security of the operative system, to assure that only the administrators or the user running the SecuLogica service have access to modify them. Sharepoint integration Customers that use SharePoint 2010 and 2013 can protect document libraries. In a similar manner as the Protected folder concept, any document stored in a Sharepoint library will be protected. SharePoint access rights are applied as the equivalent SecuLogica permissions automatically.
  • 18. IRMSECURE Protect What You Share Federation of Servers and trust relationships Private SecuLogica servers can establish a “trust relationship” with other SecuLogica servers, meaning that users on one SecuLogica server can protect a document and grant permissions to users registered in other SecuLogica servers. How it works A trust relationship between two SecuLogica servers is established when both sides agree to accept the relationship with each other. To reduce the administrative task of managing trust relationships, a server can declare itself as “public” which means it automatically has established a trust relationship with any other server also declared as “public”. External users Below is how the system manages encryption keys and user authentications when two servers are involved. When two servers maintain a trust relationship two actions are allowed: * Each server can search for users in the other server * A user can authenticate in server A with an authentication token issued by server B, where the user is registered and that has a trust relationship established with A. Users can assign permissions to a document to users that reside on servers other than their own. In this instance SecuLogica requests an authentication token from the remote server be sent to the server where the document resides in order to validate the access request. Because the two servers both see each other as “trusted”this time-sensitive token is accepted and the remote user is granted access to the document, with whatever permissions that were granted. 17
  • 19. IRMSECURE Protect What You Share 18 SecuLogica Server Repository To build these protocols it is required that communications be signed by each server and that a central reposi- tory validates the signatures. Thus, all servers have to be registered in this central repository. API for external service providers (or SecuLogica client for servers) SecuLogica offers an API for integration of SecuLogica in other services. For example, an ERP that permits the download of protected information with read permission for the user logged in the ERP or a cloud storage platform where a file could be protected, its log can be audited or assigned automatic permissions following predefined rules without leaving the user interface of the platform. The API offers a set of RESTful web services and is provided by an atomic piece of software that we can see as a SecuLogica client running in a server to offer the web interface. This software provides the API to the SecuLogi- ca public server, but could also be licensed for an enterprise to work with a private SecuLogica server installed on premise. As a SecuLogica client, it allows the encryption and decryption of files, the viewing or modifying of permissions and access of the activity log. The API has been used to develop integrations with many cloud storage solutions: * Dropbox * box.com * Google Drive * ownCloud * Microsoft SharePoint
  • 20. IRMSECURE Protect What You Share 19 SecuLogica with Cloud services SecuLogica’s functionality includes the option to share through Dropbox, Box, Google Drive and OwnCloud directly from SecuLogica. You can do this with the SecuLogica option “share” which will automatically associ- ate your SecuLogica and Cloud accounts and provide you with a link that allows you to send the protected file and manage its permissions. The installation of a plugin accessed directly from SecuLogica allows a user to protect and manage file permis- sions without ever leaving the cloud application. See the following image for an example extracted from Google Drive.
  • 21. IRMSECURE Protect What You Share 20 SecuLogica Drag’ n Drop To allow the users that cannot install the SecuLogica application (because they are in a closed environment or in a public point of access) to access protected files, SecuLogica offers, as an independent service, SecuLogica Drag’n drop. This website allows users to upload a file to be protected or, if it is protected, to show the file in a web viewer after the authentication and permission process has been completed. To maximize security, the user authentication in SecuLogica Drag’n Drop is done via the OAuth2 protocol against the SecuLogica server. Because this process ensures that the server holding the file remains different from the SecuLogica server that manages keys and permissions, encryption integrity and security are main- tained at all times. An additional functionality of the Drag’n Drop folder gives a user the ability to send someone else the URL of an encrypted file. This is particularly useful when using Dropbox or any other Cloud-based storage solution. The user would share the link from within the SecuLogica client and the recipient would have two options: either he or she could download the file to view it within their own SecuLogica client or view it within the SecuLogica Drag’n Drop folder. This can avoid the confusion that some recipient experience when receiving a protected file for the first time. Please note that only the following file types are supported by SecuLogica Drag’n Drop: * Microsoft Office 2007 and onwards: docx, xlsx, pptx * PDF * Image: jpg, jpeg, gif, png, bmp, tiff, tif * Text: protects all the text-format extensions detailed for the SecuLogica Client – visualizes the extensions .txt and .xml
  • 22. IRMSECURE Protect What You Share 21 With SecuLogica Drag’n Drop, the user is uploading files, therefore it is important to take into account how the security of the information is protected. * Files are uploaded in a SSL connection * The uploaded, unprotected file is removed from the server immediately after it is encrypted; the newly encrypted file is retained on the server for a short time until it is downloaded. * To view an encrypted file within the Drag’n Drop folder, SecuLogica decrypts the file, converts it to images and immediately removes the decrypted file from the viewer. The file remains in the viewer until the user closes the session at which time the file is no longer available. * It is critical to note that the SecuLogica key server and the SecuLogica Drag’n Drop server are separate machines and do not reside in the same location to maximize data integrity. Sharing photographs with SecuLogica This feature is designed to share “Protected” photos among users of mobile devices. When a user sends a photo to another SecuLogica user the following occurs: * The recipient is granted read permission * The protected image is uploaded to a server * A push notification is sent to each recipient * The recipients receive a notification and can download the protected image * The image remains viewable on the server for one week before it is automatically deleted. Licensing model SecuLogica is subscription based – pricing is based on a one-year subscription that can be cancelled or renewed at the subscription’s anniversary. A subscription grants the user use and maintenance rights. Most contracts are single year, but multi-year contract arrangements are available. Pricing is based on volume – the more licenses purchased by an organization the lower the cost per licence will be. Connectors are free of charge. Customers are free to use the technology on any device with any file format with a single license price. Plugins for AutoCAD or FoxitPDF require separate license per user. Two optional modules (SecuLogica Web Client Software and SecuLogica Drag’n Drop) are licensed and priced separately, independent of the number of the licenses purchased by the user. These modules are only required to be licensed in an On-Premise installation. SecuLogica can be used free of charge by individuals for basic functionality. This functionality is typically sufficient for external users of a Corporation as it allows them to protect and unprotect content of any supported format on any device. In this way, Corporations do not need to pay a license for the external users with whom they need to exchange information. SecuLogica offers an Invitation mechanism that allows both Corporates and individuals to invite users to become members of the SecuLogica service at no cost for them.
  • 23. IRMSECURE Protect What You Share About IRM Secure IRM Secure is a high growth security software product company, providing security solutions in the areas of information usage control, Information Rights Management (IRM) and secure outsourcing. We are the exclusive Integrator in North America for SecuLogica. Our expertise lies in the control of information post distribution, irrespective of its location and mode of transfer. With this the receiver is able / not-able to distribute, edit, print, copy-paste, screen-grab information from a secured document. It is also possible to remotely destruct the documents at the receiver’s end at any time. Along with our Fortune 500 clients, some of the largest companies in banking, financial services, insurance, engineering services, and educational institutes use our technology to secure unstructured data that is used internally or provided to a vendor for outsourced processes. To contact IRMSecure please email us at info (at) irmsecure.com IRMSECURE Protect What You Share North America IRM Secure 2800 Skymark Avenue, #4 Mississauga, Ontario, L4W5A6 CANADA Tel: 905.366.4444 / Fax: 905.361.0789 Europe SecuLogica /IRM Secure Werdener Strasse 8 40277Duesseldorf GERMANY Tel:+49.(0).211.1780.7778 WWW.IRMSECURE.COMi n f o @ i r m s e c u r e . c o m