
White Paper - Fasoo Enterprise DRM
Global Business
1Q/2014

Fasoo
396 World Cup Buk-ro, Mapo-gu
Seoul 121-795, Korea
tel: +82-2-300-9000 | fax: +82-2-300-9400 | web: www.fasoo.com

Information in this document, including URL and other Internet Web site references, is subject to change without
notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses,
logos, people, places, and events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Fasoo.com, Inc. (Fasoo).
Fasoo may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Fasoo, the
furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
© 2014 Fasoo. All rights reserved.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Fasoo | External Communication | Page 1


Table of Contents
Introduction
  Solution
  Strategy
  Strategic Intent
Challenges
  Policy Enforcement
  Policy Management Model
Characteristics and Specifications of Fasoo Enterprise DRM
  Architecture
    Application Support
    Integration
    Authentication
  Policy Management
    Blocking Screen Capture
    Watermark
    Flexible Policy Setting
    Dynamic Policy Control and Offline Access
    Intelligent Policy Management: Context Aware Protection
  Tamper Resistance
    Secure Copy & Paste
    Secure Export
    Trusted Clock
  Usage Log and Audit Trail
Fasoo Enterprise DRM Suite
  Document Security Domain
  Server DSD FED Product, Fasoo Secure Document
  Ad-hoc DSD FED Product, Fasoo Secure Exchange
  PC DSD FED Product, Fasoo Secure Node
  Extended FED Products
    Fasoo Secure Print
    Fasoo ePrint
    Fasoo Secure Screen
    Fasoo Mobile Solution
    Context Aware Protection
    Fasoo Usage Tracer
Summary


Introduction
The latest IT technology enables us to communicate and collaborate at the speed of light and at the same
time confronts organizations with risks of losing intellectual properties, trade secrets, classified
documents and personally identifiable information (PII) with just one click. Documents are considered
secure while they remain within a controlled boundary, such as a content management system,
collaborative repositories, email inboxes, and file system folders. But these documents are legitimately
downloaded to desktops, laptops and other devices by authorized users, where they can be easily copied
and forwarded somewhere else. Authorized users are free to do whatever they want with the information
they receive after access is granted, with no restrictions on what can be done with the data or where it
can be sent.
Documents should be protected persistently, whether at rest in storage, in transit or in use. The market is
demanding data-centric security solutions. Enterprise Digital Rights Management (EDRM) or
Information Rights Management (IRM) is a data-centric security solution that ensures robust file-based
security and allows enterprises to protect, control and track sensitive documents containing intellectual
property, trade secrets, PII, etc. To maximize the capabilities of EDRM, it should support various
rendering applications (such as Microsoft Word, Excel, PowerPoint, Adobe Reader), cover the entire
document lifecycle, and provide an open security platform for existing enterprise systems. Fasoo EDRM
has been designed and developed to meet such requirements. Numerous large-scale enterprise-wide
deployments have proven its effectiveness and scalability. Furthermore, context-aware intelligence has
been added to Fasoo EDRM, which makes the solution more convenient and easy to use.
In addition, the emergence of cloud and mobile computing in the enterprise has brought new IT
challenges. In recent years many organizations believed cloud and mobile strategies were never going to
be a part of their enterprise IT strategy. Their beliefs have shifted as tablets and smartphones are not only
taking over consumer markets, but are becoming ubiquitous throughout the enterprise. The rapid increase in
mobile device usage and high demand for cloud solutions and services have left IT with significant
challenges, especially security issues. The challenge with seamlessly sharing information is that IT and
corporate security may not have control over the information. Perimeter-based security works well when
information remains within the corporate network. Unfortunately, defining the boundaries of a corporate
network is very difficult as mobile devices access information in the cloud, from any place and at any
time. Most organizations must adopt flexible approaches to work tools and locations. An increasingly
mobile workforce uses a mix of organization-managed and personal (unmanaged) devices from home,
while on the road and from higher-risk global locations. Information security must enable mobility and
the consumerization of devices, applications, collaboration tools, and social networking for both business
and personal reasons. Simultaneously, organizations must protect information and their reputations by
detecting, controlling and preventing threats. Rather than focusing on perimeter and device security,
Fasoo recognized that data-centric security is the best way to overcome these issues. Since most
organizations are concerned with sensitive and confidential information getting into the wrong hands,
controlling the information itself is the best approach to meeting that goal.
Until recently, EDRM has been considered a complementary and niche solution. EDRM is becoming an
essential security infrastructure component for every enterprise application system as mobile and cloud
computing diversify and expand the enterprise IT environment. Fasoo EDRM is continuously evolving to
accommodate such trends.

Solution
EDRM or IRM solutions help companies maintain the confidentiality of sensitive corporate intellectual
property and customer personal information. This is necessary to secure a company's strategic business
advantage and protect its intrinsic value, as well as to comply with government and industry security
regulations, in a world that is increasingly digital and mobile. While nearly every company
acknowledges the need for strong protection of its digital assets, companies face significant hurdles in
deploying full-fledged solutions company-wide. Given the adverse global economic climate,
companies are limiting capital expenditure and seeking to lower operating expenditure in an effort to
control costs. This may limit an organization's willingness to spend on a new or expanded budget for IT
investment. However, many decision makers in the IT security area believe investments in security should
increase due to dynamic changes in enterprise IT environments, including the recent emergence of cloud
computing and the proliferation of tablets and smartphones.
EDRM was historically viewed as complex to deploy and as something that would impact existing workflows,
employee productivity and interaction with stakeholders outside the company. The general market perception
was that EDRM created additional work for enterprise IT departments. While the overall benefits of
EDRM are recognized, these perceptions continue to have an impact on adoption rates. Nevertheless,
Fasoo has carefully crafted and executed its competitive strategy to thrive and grow in this promising but
challenging landscape for the last 13 years. Fasoo is uniquely positioned as an independent vendor of
EDRM products. The solution has unique technology characteristics that make it broadly applicable to a
wide variety of applications and file formats, while providing strong security and interoperability with
major network security and digital asset management components. Fasoo is unique in its proven ability to
deploy very large scale EDRM installations. Fasoo is experienced in crafting and executing its
competitive strategy as it solidifies its leadership. Fasoo is leveraging the strength of its unique
technology, ongoing R&D improvements, comprehensive product capability, and effective use of
competitive intelligence.

Strategy
Fasoo's technology approach is driven by security and practical considerations. It overrides an
application's memory space and provides strong document protection that integrates smoothly with the
end user experience for third-party applications where the EDRM vendor does not have access to the
program code. This is a difficult approach for several reasons, including the risk of performance impact and
the requirement of keeping pace with application and document format updates. Fasoo has developed the
technical strength and deployment process to execute this well. Another unique Fasoo strength is its
ability to scale operations across large enterprises, which are often a patchwork of identity management
and client application systems. Fasoo has a lot of experience securing information enterprise-wide for
large, globally distributed companies. For example, its flagship installation for Company A spans over
170,000 internal users and over 1 million total users of affiliates and partners worldwide.
Competitors rarely have experience with installations at this scale. Historically, enterprises in major
markets have deployed EDRM on a need-driven basis, for a given department or a specific set of users at
a time. Today there is a drive to employ EDRM uniformly for all enterprise employees. Fasoo's strategy
of combining a highly interoperable product with customization services as needed has positioned it well
to organically fulfill this growing demand.

Strategic Intent
Fasoo has a detailed understanding of competing technology approaches and the strengths and
weaknesses of current market incumbents. Fasoo's product and service strategies all leverage this
intelligence. Fasoo's strategies rest on a strong understanding of customer requirements and future trends,
and on technologies that are aligned with existing enterprise infrastructure and security needs. Fasoo's
strategy is to position the company as a provider of data-centric security, EDRM technology that is not only
agnostic to digital asset management, server software and Data Loss Prevention (DLP) systems, but also
interoperates with all market-leading applications and platforms and is scalable to meet the needs of large
enterprises with global footprints.

Challenges
Even a single document can travel through many enterprise application systems, and it can be
converted into different formats during its lifecycle. What happens if an EDRM solution is only
applicable to a fraction of the document types circulated in the enterprise? In that case, it is inevitable
that a DRM-enabled document in one format will be converted to a plain document in another, unsupported
format at some workflow stage. What if an EDRM solution is tied to one application server, such as
Enterprise Content Management (ECM), and the same EDRM solution cannot be applied to other application
systems, such as other vendors' ECM or Enterprise Resource Planning (ERP)? The result is multiple islands of
security domains. Information needs to travel across security domains without losing security.
Unfortunately, it is not practical to deploy EDRM solutions from different vendors in one
organization. It may cause unwanted conflicts between programs, and it is impossible to make them
interoperable. An effective EDRM solution should be designed with the vision that EDRM capability will be
required on every information system in the future. Thus, it should be neutral to any sort of enterprise
application system.

Policy Enforcement
One key challenge in implementing EDRM, in contrast to perimeter security solutions or encryption,
is enforcing policy persistently even while a document is being used. To achieve such persistent control,
the functions of rendering applications need to be constrained accordingly. For example, if a user does
not have permission to print a Word document, the print function of Word must be disabled.
However, many document formats and rendering applications are used in an enterprise-wide
environment. A partial list includes Microsoft Office, Adobe Reader, CAD, GIS, graphics and software
development tools. For this reason, EDRM vendors always face the challenge of keeping up with updates
to rendering applications.
There are three different approaches to enforcing policy at the endpoint, as described in Table 1.
The embedding approach can be used if it is possible to modify the source code of rendering applications or
if it is reasonable to rewrite the whole rendering application for EDRM. In reality, only Microsoft can
modify Microsoft Office for EDRM, while Adobe can do so with Acrobat. Many more rendering
applications from different vendors are used in the enterprise environment. A company cannot use as many
EDRM solutions as there are rendering application vendors. Rewriting rendering applications for
EDRM is not practical considering the cost and the fact that users seldom want to switch their rendering
applications.
Some rendering applications provide plug-in interfaces to third parties, but not all rendering
applications are equipped with such interfaces. Sometimes the interfaces are insufficient to implement
EDRM functions fully. Another serious problem of the plug-in method is that it is not robust enough.
Determined users may easily disable the plug-in (e.g., Visual Basic tampering). An OS filter is a kind of
plug-in at the OS level. Like the plug-in method, it has limitations in security and EDRM
functionality. Kernel mode filtering in Windows, for example, can control the application to some extent.
But crackers may obstruct or crack communication while reading or writing plain data.
Runtime overriding overrides the behavior of the rendering application at runtime. Rendering
applications communicate with the OS through APIs. The APIs can be overridden in memory at
runtime. This method is capable of controlling the complete features and functions of the applications and
minimizing the risk of losing data to cracking attempts. However, developing a commercial-quality
product using the runtime overriding method requires a lot of know-how, effort and time.
So far, little progress has been made towards the standardization or interoperability of EDRM. If there were
such a standard and every rendering application vendor followed it, the enforcement of policy at the
endpoint would no longer be an issue. Until then, efforts to develop secure rendering environments
should continue in order to cope with imminent requests from the market.
Table 1. Comparison of DRM Client Technology

                 Embedding      Plug-in    Runtime overriding
Security         High           Low        High
Applicability    Very limited   Limited    Any application
Cost             Low            Medium     High

Policy Management Model


Another big challenge in designing EDRM solutions is that it is very difficult to build a complete policy
model for documents traveling literally all over the world. It sometimes looks infeasible to cover the
entire lifecycle of documents.
Many organizations have deployed application systems, such as ECM, ERP, Product Lifecycle
Management (PLM), email, file servers, etc., to manage corporate information effectively. Tons of
documents are stored there, and these are the first target for applying EDRM to reinforce the existing
ACL. The basic model here is to make documents DRM-enabled when downloaded, so that the ACL can be
extended beyond its protective confines. It looks simple and clear, but it gets complicated if that
particular document is meant for legitimate external sharing. Also, there are documents created from
desktops and not registered in the repository yet. These unregistered documents need to be protected with
EDRM as well.
EDRM solutions can be differentiated by the policy management models they use to meet the security
requirements of documents along their lifecycle. The model determines how widely and persistently the
security policy can reach.

Characteristics and Specifications of Fasoo Enterprise DRM


Architecture
Fasoo Enterprise DRM (FED) products share the same core EDRM architecture, with features that
differ between products to serve different requirements. The general architecture of FED consists of
four major processes (DRM Client, Packager, DRM Server and rendering application) and three key
objects (document, DRM-enabled document and License; refer to the Policy Management section).
To enable DRM for a document, the document needs to be packaged (encrypted) through Packager, which
converts it into a DRM-enabled document. The DRM-enabled document cannot be read
without DRM Client. When a user tries to open a DRM-enabled document with DRM Client, DRM Client
requests a License from DRM Server. DRM Server issues a License according to the policy for the user and
the document. DRM Client then un-packages the DRM-enabled document, feeds the data to the rendering
application, and keeps control of the rendering environment so as not to allow any attempt to take out the
decrypted data without a proper License.
Figure 1. FED Architecture

The following steps describe packaging in detail:

1. Encrypts a plain document with a document key (AES)
2. Encrypts the document key with the server public key (RSA)
3. Encrypts the metadata with a metadata key (RC4)
4. Assembles a DRM-enabled document with the encrypted metadata and encrypted document

The metadata includes the document ID, server URL, encrypted document key and other document-related
data. The document encryption algorithm can be replaced with another if the functional features are the
same. For example, AES can be replaced with 3DES if necessary.
When DRM Client requests a License, it provides DRM Server with the encrypted metadata,
user info and device info. DRM Server generates a License based on the licensing policy. A License is
encrypted with a License key (RC4), and the License contains the document key, encrypted with a symmetric
key associated with the device info, and the permissions that the user has on that document. This
cryptographic mechanism is the basis of FED products and is extended to accommodate different
requirements.
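
The packaging steps and License exchange described above, traced end to end as an added sketch (not Fasoo code and not its file format). AES-GCM stands in for both the AES layer and the RC4 layers the paper names; the dict container, the way the metadata, License and device keys are provisioned, and every name below are assumptions. It needs the third-party `cryptography` package.

```python
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP padding used to wrap the document key under the server public key.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """AES-GCM encrypt; the random 12-byte nonce is prepended to the result."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises InvalidTag on a wrong key or a modified blob."""
    return AESGCM(key).decrypt(blob[:12], blob[12:], None)


def package(plain, doc_id, server_url, server_pub, metadata_key):
    """Packager: the four packaging steps, in order."""
    doc_key = AESGCM.generate_key(bit_length=256)
    enc_doc = seal(doc_key, plain)                    # 1. document under the document key
    enc_doc_key = server_pub.encrypt(doc_key, OAEP)   # 2. document key under the server public key
    metadata = {"doc_id": doc_id, "server_url": server_url,
                "enc_doc_key": enc_doc_key.hex()}
    enc_meta = seal(metadata_key, json.dumps(metadata).encode())  # 3. metadata under the metadata key
    return {"metadata": enc_meta, "document": enc_doc}            # 4. assemble


class DrmServer:
    """Holds the RSA private key and the licensing policy (all state is constructed)."""

    def __init__(self):
        self._priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.public_key = self._priv.public_key()
        # Assumption: how these two keys reach Packager and DRM Client is not on the page.
        self.metadata_key = AESGCM.generate_key(bit_length=256)
        self.license_key = AESGCM.generate_key(bit_length=256)
        self.device_keys = {}   # device id -> symmetric key registered for that device
        self.policy = {}        # (user, doc_id) -> list of Table 2 permissions

    def issue_license(self, enc_meta, user, device_id):
        meta = json.loads(unseal(self.metadata_key, enc_meta))
        perms = self.policy.get((user, meta["doc_id"]))
        if not perms or device_id not in self.device_keys:
            raise PermissionError("no License for this user/device/document")
        doc_key = self._priv.decrypt(bytes.fromhex(meta["enc_doc_key"]), OAEP)
        body = {"doc_id": meta["doc_id"], "permissions": perms,
                # The document key is re-wrapped for one device, never sent in the clear.
                "doc_key": seal(self.device_keys[device_id], doc_key).hex()}
        return seal(self.license_key, json.dumps(body).encode())


def open_document(pkg, enc_license, license_key, device_key):
    """DRM Client: decrypt the License, unwrap the document key, decrypt the document."""
    lic = json.loads(unseal(license_key, enc_license))
    doc_key = unseal(device_key, bytes.fromhex(lic["doc_key"]))
    return unseal(doc_key, pkg["document"]), lic["permissions"]


def demo():
    server = DrmServer()
    server.device_keys["laptop-01"] = AESGCM.generate_key(bit_length=256)
    server.policy[("alice", "DOC-0001")] = ["View_Only", "No_Print"]
    pkg = package(b"constructed sample document", "DOC-0001",
                  "https://drm.example.invalid", server.public_key, server.metadata_key)
    lic = server.issue_license(pkg["metadata"], "alice", "laptop-01")
    plain, perms = open_document(pkg, lic, server.license_key,
                                 server.device_keys["laptop-01"])
    try:  # the same License copied to a device that holds a different key
        open_document(pkg, lic, server.license_key, AESGCM.generate_key(bit_length=256))
        opens_elsewhere = True
    except InvalidTag:
        opens_elsewhere = False
    return plain, perms, opens_elsewhere


if __name__ == "__main__":
    print(demo())
```

The document key never appears in the package or the License in the clear: it is wrapped once for the server at packaging time and re-wrapped per device at licensing time, which is what ties a License to one device.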

Application Support
DRM Client in the Windows environment supports most native applications that users are familiar with,
rather than third-party viewers or editors. Thus, DRM Client becomes transparent to users. Using an
additional viewer or editor may often reduce usability and eventually affect the productivity of users.
DRM Client on Windows overrides the Win32 API to control the rendering applications. Therefore,
FED is capable of controlling the complete features and functions of the applications and minimizing the
risk of losing data to cracking attempts. It covers most document formats and rendering applications
used in an enterprise-wide environment, such as Microsoft Word, Excel, PowerPoint, Project, Visio, Notepad,
WordPad, Paint, Adobe Reader, AutoCAD, Catia, I-deas, NX, Pro/E, etc. New applications are
added continuously, and the most up-to-date list is available upon request. The Fasoo DRM Client API is also
available for those who want to develop a rendering application compatible with DRM Client. FED is not
limited to the PC platform: it is now available on mobile devices such as iPhone, iPad, Android phones and
tablets, allowing authorized users to access DRM-enabled documents on such mobile devices. Most
recently, a browser-accessible option and a lite version of DRM Client are also being developed. These
approaches will give organizations flexible options for cross-platform and multi-device
environments.

Integration
When implementing EDRM on existing enterprise systems, two areas should be integrated:
packaging and authentication. For packaging, Packager should be integrated into the
document flow for convenience and security, for example as automatic packaging at download. This saves
user interactions and prevents users from skipping encryption. The authentication system should be
integrated so that users do not log on twice and policy management stays consistent. FED provides
ready-to-install interface modules where possible. Where such interface modules are unavailable, it is
necessary to develop custom-made interface modules with the APIs provided. FED provides a Packager API
and an SSO API for various development environments. They support C, C++ (COM) and Java (JNI) on
platforms such as Windows, Linux, Sun Solaris, IBM AIX, and HP-UX.


Authentication
FED does not carry its own authentication system. Instead, an SSO API and ready-made interface modules
are provided. However, for ad-hoc external users, a proprietary authentication method, Fasoo Email Based
Authentication (FEBA; refer to the "Ad-hoc DSD FED Product, Fasoo Secure Exchange" section), is built
into the relevant FED product. FEBA allows robust and secure authentication without managing
directories for random external users.

Policy Management
DRM policy defines who can do what with a document on which device. Every user must be authenticated
first, and each device is also authenticated and associated with a user. A user can have multiple devices,
but the number can be restricted as part of the policy. A License is basically a token to open a DRM-enabled
document on a specific device with specific permissions and time constraints. A License is issued by
DRM Server based on the licensing policy. The licensing policy is a function of user, device, document
and other contexts (time and location). Various combinations of permissions can be assigned to a
document, as in Table 2.
Table 2. DRM Permissions

DRM permission: Description

DRM-enabled
  View_Only/Edit: Allows authorized user to open a DRM-enabled document for view on the screen only or
    view, edit and save. Edited DRM-enabled document will have the original permission.
  No_Print/Print_Watermark/Print: Allows no print, print only with watermark or print.
  No_Screen_Capture/Screen_Capture: Allows no screen capture or screen capture.

DRM-disabled
  Un-package: Allows everything without any restriction, even retrieval of a plain document.

In addition, the licensing policy is able to grant offline access for business travelers, restrict view count
for top secret documents and limit devices used only for specific workforce.

Blocking Screen Capture


FED blocks all known third-party screen-capture tools and the Print Screen function of Windows. Attempts
to capture screens through a virtual machine or remote access tool are also blocked. However, screen
capture is sometimes a very useful tool, for example, if you are making a product demonstration kit with
screenshots. In FED, it is recognized as one of the standard permissions on a document. When users do not
have screen capture permission, FED blocks only the window of the secured document rather than the
whole screen.
Screen capture permission can be extended to a server-based computing (SBC) environment. SBC, such as
Citrix XenApp, has been on the market for quite a long time but gained little traction. As virtualization
tools become popular, it is gaining momentum in the market for simpler management and better security.
Yet there are many security issues. For example, sensitive documents in XenApp servers can be taken out by
XenApp users who have access to the documents, and the users can also take screenshots while the
document is being used. Therefore, the EDRM products need to be deployed in back-end application
systems, and the multi-user version of DRM Client should be installed on the XenApp servers. On the
XenApp client side, screen capture should be controlled. The Fasoo Secure Screen (FSS) add-on module is
designed to control screen capture in the XenApp client environment. Without FSS, a DRM-enabled
document with no screen capture permission cannot be viewed on the XenApp client, since this may be
considered an illegal remote access. Remote access from a XenApp client with FSS is treated as an
exception, and FSS blocks all other remote access attempts. To force users to install FSS, a XenApp
connection is allowed only with FSS. FED makes it possible for users to take advantage of SBC with full
DRM capability.

Watermark
Once a document is printed, the printout can end up in the wrong hands, and it cannot be protected by
software alone. A watermark on a printout may contain identifiable information that can be used to trace
who printed the document, when and where. Visible watermarks are also useful when you want to
release sample content widely but make it inappropriate for anyone to use. FED can
enforce visible watermarking on each page. Visible watermarks may include text or images of identifiable
information, such as company, division, title, user name, IP address, etc. FED inserts visible watermarks
using the Win32 API overriding method, so that the visible watermark information is injected before it
reaches the printer driver. Fasoo visible watermarks can be inserted on any printer, even in a virtual
printing environment, with no printer dependency. In FED, watermark print is also considered a standard
permission on any DRM-enabled document.

Flexible Policy Setting


Basically, any policy can be defined for each document or document group with various combinations of
permissions and constraints for each user or user group. Users can be grouped arbitrarily, for example, by
roles, positions, divisions, etc. Documents can be grouped by classifications with any criteria. Most
enterprises, however, prefer to define a set of templates first and assign one of them to a document, for
convenience.

Dynamic Policy Control and Offline Access


Policy is bound to a document when a License is issued, not when the document is packaged. This late
binding makes it possible to change policy at any time if necessary, and the change will be applied to all
documents even if they have already been packaged and sent elsewhere. The typical License is a one-time
License. Whenever a DRM-enabled document is opened, the DRM Client requests a new License and the DRM
Server issues a new one based on the most recent policy. Thus, policy for any DRM-enabled document can
be changed or revoked at any time, regardless of where it resides or how many copies have been made.
One drawback of this late binding is that it requires every device to be connected to the DRM Server.
There are some occasions when that is not possible. In such cases, a multiple usable License with a time
limit can be used instead of a one-time usable License. The multiple usable License can be used repeatedly
until the time limit expires. As a result, the document can be used even without a connection to the DRM
Server. Another way of supporting offline use is issuing a special offline License with a time limit, for
specific periods of time and for a specific user, through an approval workflow. This will change all Licenses on the device
to multiple usable Licenses. This feature is very useful when users travel to places where a network is not
available. To avoid abuse of this feature, an approval process may be required prior to issuing such a
special offline License.
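
The late binding and the two License types described above can be modelled in a few lines. This is an added illustration, not Fasoo's code: the class, function and field names are hypothetical, and the trusted time source is assumed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class License:
    doc_id: str
    user: str
    permissions: frozenset
    expires: Optional[datetime] = None   # None means one-time License
    used: bool = False


class DrmServer:
    """Hypothetical licence server: policy lives here, not in the package."""

    def __init__(self):
        self.policy = {}                 # (doc_id, user) -> permissions

    def set_policy(self, doc_id, user, permissions):
        self.policy[(doc_id, user)] = frozenset(permissions)

    def issue(self, doc_id, user, now, offline_for=None):
        # Late binding: the policy in force *now* is copied into the License.
        perms = self.policy.get((doc_id, user), frozenset())
        if not perms:
            return None                  # no policy or revoked: nothing issued
        expires = now + offline_for if offline_for else None
        return License(doc_id, user, perms, expires)


def open_document(lic, now):
    """Client-side check; `now` is assumed to come from a trusted clock."""
    if lic is None:
        return frozenset()
    if lic.expires is None:              # one-time License
        if lic.used:
            return frozenset()
        lic.used = True
        return lic.permissions
    # Multiple usable License: valid offline until the time limit.
    return lic.permissions if now < lic.expires else frozenset()


def demo():
    srv, t0 = DrmServer(), datetime(2014, 1, 6, 9, 0)
    srv.set_policy("msrp.xlsx", "alice", {"view", "print"})
    offline = srv.issue("msrp.xlsx", "alice", t0, offline_for=timedelta(hours=48))
    first = open_document(srv.issue("msrp.xlsx", "alice", t0), t0)
    srv.set_policy("msrp.xlsx", "alice", {"view"})      # policy tightened later
    online = open_document(srv.issue("msrp.xlsx", "alice", t0), t0)
    still_old = open_document(offline, t0 + timedelta(hours=47))
    expired = open_document(offline, t0 + timedelta(hours=48))
    return first, online, still_old, expired
```

In this model a policy change reaches an online device at the next open, while a device holding a multiple usable License keeps the permissions bound at issue time until the time limit expires, so the time limit is also the longest a revocation can be delayed.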

Intelligent Policy Management: Context Aware Protection


Selective packaging is possible, depending on the content of a document. Packager is usually
integrated into the document workflow and is turned on automatically. This may result in excessive
security. With the Context Aware Protection (CAP) add-on module, Packager runs only if the target
document contains a certain context pattern. There may also be cases where packaging is not enforced and
is left in the hands of the user. Usually, this ends up with insufficient security. With CAP, FED can be
enforced whenever the target document contains a certain pattern. A pattern can be defined as a regular
expression. At the same time, a document can be classified into pre-defined categories, based on context.
For example, if a document contains social security numbers, addresses and phone numbers, it can be
classified as a document with PII. If a document contains the code name of a special project, it can be
classified as top secret. Then, a pre-defined policy can be applied automatically without user
intervention. This reduces the burden of packaging documents that may not have sensitive information. It
also minimizes the risk of documents being left un-packaged through the negligence of users.
Most recently, DLP and EDRM vendors have been collaborating to provide combined offerings. Fasoo also
supports DLP integration for customers who want to deploy both DLP and EDRM. When EDRM is integrated
with DLP, DLP senses the context of documents at end-points or network boundaries,
and EDRM encrypts the sensitive documents. CAP senses the context of documents while the documents are
in use and protects them throughout the entire document lifecycle. This tight integration
offers more room for flexible and robust policy, while applying EDRM policy throughout the document lifecycle.
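
The pattern-based classification that CAP performs, as described in this section, can be sketched as follows. This is an added example, not Fasoo's implementation: the regular expressions, the project code name, the category names and the policy templates are constructed for illustration, and address detection is left out.

```python
import re

# Constructed patterns; a real deployment would tune these to its own data.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "codename": re.compile(r"\bProject\s+BlueHeron\b", re.IGNORECASE),
}

# Hypothetical policy templates keyed by category.
TEMPLATES = {
    "top_secret": frozenset({"view"}),
    "pii": frozenset({"view", "edit"}),
}


def luhn_ok(candidate):
    """Checksum test that filters out digit runs that are not card numbers."""
    total = 0
    digits = [int(c) for c in candidate if c.isdigit()]
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def detect(text):
    """Return the names of all patterns found in the text."""
    hits = set()
    for name, rx in PATTERNS.items():
        for match in rx.finditer(text):
            if name == "card" and not luhn_ok(match.group()):
                continue                    # looks like a card, fails checksum
            hits.add(name)
    return hits


def decide(text):
    """Classify the text and pick the template; no match means no packaging."""
    hits = detect(text)
    if "codename" in hits:                  # strictest category wins
        category = "top_secret"
    elif hits & {"ssn", "phone", "card"}:
        category = "pii"
    else:
        return {"package": False, "category": None, "permissions": None}
    return {"package": True, "category": category,
            "permissions": TEMPLATES[category]}
```

The checksum step shows why a bare regular expression is rarely enough for card numbers: an order reference with sixteen digits matches the pattern but should not trigger packaging.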

Tamper Resistance
FED is equipped with many tamper resistance features, including secure copy & paste, secure export and
a trusted clock. Additional code is also inserted to prevent memory hacking, reverse engineering and
attempts to disable DRM processes.

Secure Copy & Paste


The Windows clipboard is controlled to prevent copying from a DRM-enabled document to a plain document,
while copying is allowed between secured documents if the user has the proper permission. Secure Copy &
Paste is allowed when the user has more permission to the source document than to the target document,
subject to the condition that the target document is at least editable. This Secure Copy & Paste
concept is unique to FED and gives convenience without losing security. Secure Copy & Paste is a
patent-pending technology of Fasoo.

Secure Export
There are several ways to export the content of a file, such as printing to a file and exporting content
in other formats. FED encrypts all exported files, which inherit the policy of the source documents.

Trusted Clock
FED maintains a trusted clock, rather than relying on the local PC clock.

Usage Log and Audit Trail


Records of user and file activity on sensitive data can be useful for forensic analysis, yet they are
still considered detective measures. The tremendous amount of accumulated log data for sensitive
documents has brought new challenges to organizations. Organizations are looking for a better
decision-making framework for proactively seeking out possible data breaches and acting at an early
stage. Fasoo Usage Tracer (FUT) allows organizations to set a clipping level for usage patterns of users
and alerts them to the risk of possible data breaches by detecting inappropriate patterns and activities
in advance. It not only works as a preventive measure to strengthen the overall security of the
organization, but also brings out value from the user and file activity on sensitive data.
Every usage log of DRM-enabled documents is sent to the DRM Server. Even when a document has
been used offline, the usage log will be sent to the DRM Server when the device is re-connected. FED
offers suitable tools for the document owner or administrator to review and audit the activities of users
and documents. Every policy change on the server side is also logged for the audit trail, so security
breaches through arbitrary changes of policy can be identified.
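
A clipping level of the kind described above can be evaluated over usage logs with a sliding window. This is an added sketch, not FUT's code: the log format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed usage-log lines: event time, user, action, document.
# They are listed in arrival order; bob's 09:05:15 record arrives late,
# as happens when offline usage is uploaded on re-connection.
LOG = """\
2014-03-03T09:00:05 alice print msrp.xlsx
2014-03-03T09:01:10 bob print plan-a.docx
2014-03-03T09:03:40 bob print plan-b.docx
2014-03-03T09:07:30 bob print plan-d.docx
2014-03-03T09:20:00 alice print roadmap.pptx
2014-03-03T09:05:15 bob print plan-c.docx
2014-03-03T09:30:00 bob view plan-a.docx
"""


def parse(line):
    ts, user, action, doc = line.split()
    return datetime.fromisoformat(ts), user, action, doc


def clipping_alerts(lines, action, limit, window):
    """Return (user, time, count) each time a user first exceeds `limit`
    events of `action` inside a sliding `window`."""
    # Order by event time, not arrival time, so late uploads count correctly.
    events = sorted(parse(l) for l in lines if l.strip())
    recent = defaultdict(deque)     # user -> timestamps still inside the window
    over = set()                    # users currently above the clipping level
    alerts = []
    for ts, user, act, _doc in events:
        if act != action:
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) > limit and user not in over:
            over.add(user)
            alerts.append((user, ts, len(q)))
        elif len(q) <= limit:
            over.discard(user)
    return alerts


def demo():
    # Clipping level: more than 3 prints by one user within 10 minutes.
    return clipping_alerts(LOG.splitlines(), "print", limit=3,
                           window=timedelta(minutes=10))
```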

Fasoo Enterprise DRM Suite


The FED suite consists of several products that can be used alone or combined to extend the coverage.

Document Security Domain


After numerous EDRM deployments, the Document Security Domain (DSD) concept has been developed. A
DSD refers to a boundary within which security policies for documents are maintained. Throughout
its whole lifecycle, a specific document moves through several DSDs.
Let's examine the lifecycle of a document, for example an MSRP table, and the desirable security policy
related to it. While the document is edited by a sales manager on his/her desktop and circulated for an
approval, the document should be kept secret among only the persons in the approval process. After the
approval process, the price list will be uploaded to the ECM system and become available to all internal
sales. At this stage, the user boundary should be widened to all internal sales, but access should be
read-only. If a new partner joins as a distributor, the document needs to be shared with them. The partner
should then be allowed to view it, but not to re-distribute it to anyone else.
In this example, the document belongs to at least three different DSDs along its workflow. When the
document crosses a DSD, the security policy may change, the responsibility for document security may
belong to a different person, and the system used to authenticate users also needs to change.
DSDs can be categorized into three major types as follows: Server DSD, Ad-hoc DSD, and PC DSD.
FED products are designed to meet different DSD requirements separately for security and manageability
reasons.
PC DSD stands for the domain where documents are being created and edited but are not yet registered on
the server. The documents may not yet be final and official versions, but they may still contain a lot of
sensitive information and should be secured. To support this domain, EDRM should be enabled from the
creation of a document. The security policy of documents at this stage is best defined based on the
author's security privilege.
When documents are checked into an ECM, they are controlled by the ACL of the ECM.
However, the security policy cannot be maintained if the documents are downloaded from the ECM. This
is why EDRM is required to protect documents on an ECM. Server DSD stands for the domain that is
controlled by a server such as an ECM. The security policy of this domain is generally a persistent
extension of the ACL, with more security options that are available only with EDRM. User authentication
should be integrated with that of the server to extend the existing ACL systematically. It is natural that
the administrator of the server will be responsible for the security of Server DSD documents.
At some point in the document lifecycle, the document needs to be sent to a person who is not within the
current authentication boundary. In this case, neither PC DSD nor Server DSD authentication can be
applied to the external users. Ad-hoc DSD has evolved to serve this domain, and it requires a new
authentication system to cover a random user boundary.

Server DSD FED Product, Fasoo Secure Document


Fasoo Secure Document (FSD) protects, controls and tracks documents that have left the protective
confines of the repository. Figure 2 illustrates FSD integrated with a document repository, which can be
an ECM, ERP, PLM or any sort of application server. User authentication is integrated so that a user does
not have to log in again once logged in to the target application system. Packager is installed on the
repository to package files on the fly at download. Documents are kept un-encrypted on the repository.
Having plain documents on the server could be a security risk, but indexing of such plain files is not
interrupted by encryption. This is a tradeoff between security and usability. Daily routine policy
management can be done mostly on the application server, not on the FSD Server. FSD provides tools to
integrate with existing authentication systems and a Packager API on multiple platforms.

Figure 2. General Flow of Data and SW Components for FSD

Ad-hoc DSD FED Product, Fasoo Secure Exchange


Fasoo Secure Exchange (FSE) protects, controls and tracks external communication documents and email
messages (designed for ad-hoc, non-managed users). The main concern of an Ad-hoc DSD is how to
authenticate users. The user boundary cannot be known in advance and is continuously changing. FSE offers
a patent-pending authentication method, called FEBA, in which the email ID is used as the user ID and is
validated and associated with device information. FEBA makes it simple to manage such random users with
sufficient security. FSE includes a standalone Packager, an Outlook plug-in Packager and an API that can
be embedded in existing systems. The FSE Server usually resides inside the front-end firewall, in the
DMZ, so that it can be accessed by external users. FSE enables sharing confidential documents through any
media with anyone who has an email ID. Figure 3 describes the processes involved in sending and receiving
FSE documents.

Figure 3. General Flow of Data and SW Components for FSE

PC DSD FED Product, Fasoo Secure Node


Fasoo Secure Node (FSN) protects, controls and tracks internal communication documents created or
edited on a PC. FSN packages documents when users create new documents or edit plain
documents on their desktops or laptops. FSN policy can be established depending on user, group,
rank or role. The default policy of an author is applied to a newly encrypted file, and later on the
policy of that document can be changed by the author if the author has full permission. FSN can easily be
deployed after synchronizing with an existing authentication system, or without any integration.

Figure 4. General Flow of Data and SW Components for FSN

Extended FED Products


Fasoo Secure Print
Fasoo Secure Print (FSP) deters users from leaking important information through printouts by adding a
visible watermark to the printout. The watermark contains company name, user ID, IP address, printing
time, etc. and helps trace the source of the information if a printout leaks. All printing
activities and printed contents are logged to help identify and narrow down the leakage source.

Fasoo ePrint
Fasoo ePrint is a comprehensive printing management solution that provides both
printer-related cost reduction and security. For cost reduction, it enables CPP (cost per page)
reduction through measures such as toner control and paper usage control. For security, it can allow or
block print jobs based on predefined permissions or context-awareness, and it provides watermarking and
pull printing for printout security.

Fasoo Secure Screen


Fasoo Secure Screen (FSS) deters users from leaking important information by photographing the monitor
screen with digital cameras or smartphones, by adding a visible watermark to the screen. The
screen watermark contains company name, user ID, IP address, time, etc. and helps trace the source of the
information. FSS also blocks screen capture tools and the print screen function, and even stops attempts
to capture the screen through virtual machines and remote desktops.

Fasoo Mobile Solution


Fasoo Mobile Solution (FMS) protects documents on mobile devices such as smartphones and tablets by
extending EDRM functionality to mobile devices. DRM-enabled documents on mobile devices are
persistently safe, even if the devices are lost or stolen.

Context Aware Protection


Context Aware Protection (CAP) detects content patterns defined as regular expressions, such as PII,
credit card numbers, etc., and secures the relevant documents selectively according to the results of
detection. CAP can be embedded into FED products such as FSN, FSD, FSE and FSP to make the existing
security policy stricter.

Fasoo Usage Tracer


Fasoo Usage Tracer (FUT) monitors usage patterns of DRM-enabled documents and detects and alerts on
risks of possible data breaches, based on predefined rules, while FED products are in use. FUT also
periodically provides the monitoring results in an illustrative dashboard, along with comprehensive
statistics of document activities.

Summary
FED makes it possible to protect documents persistently on any device at any time throughout the entire
document lifecycle. A big advantage of FED is that almost all kinds of document formats in the enterprise
environment can be protected, including ordinary office documents, graphics and engineering drawings.
FED is not limited to the PC platform, as it is now available on mobile devices such as iPhone, Android
phone and iPad. For each document, FED can control detailed permissions such as view, edit, print,
print watermark, screen watermark and screen capture. Further constraints can be imposed, such as
number of devices, valid access period and number of accesses.
FED is well prepared to meet the various security requirements of different phases of the document
lifecycle. Enterprises have deployed lots of application systems to share documents internally. Documents,
however, become out of control and vulnerable to loss once downloaded or checked out from application
systems such as ECM, ERP, etc. FED is finely tuned for easy integration with existing systems. It is also
equipped with the patented e-mail-based authentication technology to protect documents shared
externally with partners or customers. Even documents created and used on a PC can be secured by FED
before they are shared internally or externally. Furthermore, printouts and screens can be overlaid with
watermarks. This helps to trace the source of a breach and makes users more cautious about handling their
printouts and taking pictures of their screens.
Recently, Fasoo upgraded EDRM to another level, which makes EDRM smarter and easier to use. It is now
possible to set security policy automatically according to the content of a document. The policy can also
be adjusted without user intervention based on access time, device location and document usage
history. This context-aware protection will make EDRM more secure without hurting usability and lessen
the burden of the EDRM administrator significantly. By collecting and analyzing log data intelligently in
real time, FED can alert administrators to irregular or unusual user activities. Furthermore, most recently,
Fasoo developed a comprehensive printer management solution for security and cost reduction relating to
printers. FED has become a core security infrastructure of enterprises and is also evolving as the very
solution to secure data in cloud and mobile computing environments.
