DRM
Global Business
1Q/2014
Fasoo
396 World Cup Buk-ro, Mapo-gu
Seoul, 121-795, Korea
+82-2-300-9000
+82-2-300-9400
Information in this document, including URL and other Internet Web site references, is subject to change without
notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses,
logos, people, places, and events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Fasoo.com, Inc. (Fasoo).
Fasoo may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Fasoo, the
furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
2014 Fasoo. All rights reserved.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents

Introduction
  Solution
  Strategy
  Strategic Intent
Challenges
  Policy Enforcement
  Policy Management Model
Characteristics and Specifications of Fasoo Enterprise DRM
  Architecture
    Application Support
    Integration
    Authentication
  Policy Management
    Blocking Screen Capture
    Watermark
    Flexible Policy Setting
    Dynamic Policy Control and Offline Access
    Intelligent Policy Management: Context Aware Protection
  Tamper Resistance
    Secure Copy & Paste
    Secure Export
    Trusted Clock
  Usage Log and Audit Trail
Fasoo Enterprise DRM Suite
  Document Security Domain
  Server DSD FED Product, Fasoo Secure Document
  Ad-hoc DSD FED Product, Fasoo Secure Exchange
  PC DSD FED Product, Fasoo Secure Node
  Extended FED Products
    Fasoo Secure Print
    Fasoo ePrint
Introduction
The latest IT technology enables us to communicate and collaborate at the speed of light, and at the same
time confronts organizations with the risk of losing intellectual property, trade secrets, classified
documents and personally identifiable information (PII) with just one click. Documents are considered
secure while they remain within a controlled boundary, such as a content management system,
collaborative repositories, email inboxes, and file system folders. But these documents are legitimately
downloaded to desktops, laptops and other devices by authorized users, where they can be easily copied
and forwarded somewhere else. Authorized users are free to do whatever they want with the information
they receive after access is granted: there are no restrictions on what can be done with the data or where
it can be sent.
Documents should be protected persistently, whether at rest in storage, in transit or in use. The market is
demanding data-centric security solutions. Enterprise Digital Rights Management (EDRM) or
Information Rights Management (IRM) is a data-centric security solution that ensures robust file-based
security and allows enterprises to protect, control and track sensitive documents containing intellectual
property, trade secrets, PII, etc. To maximize the capabilities of EDRM, it should support various
rendering applications (such as Microsoft Word, Excel, PowerPoint, Adobe Reader), cover the entire
document lifecycle, and provide an open security platform for existing enterprise systems. Fasoo EDRM
has been designed and developed to meet such requirements. Numerous large-scale enterprise-wide
deployments have proven its effectiveness and scalability. Furthermore, context-aware intelligence has
been added to Fasoo EDRM, which makes the solution more convenient and easy to use.
In addition, the emergence of cloud and mobile computing in the enterprise has brought new IT
challenges. In recent years many organizations believed cloud and mobile strategies were never going to
be a part of their enterprise IT strategy. Their beliefs have shifted as tablets and smartphones are not only
taking over consumer markets, but are becoming ubiquitous throughout the enterprise. Rapid increase in
mobile device usage and high demands for cloud solutions and services has left IT with significant
challenges, especially security issues. The challenge with seamlessly sharing information is that IT and
corporate security may not have control over the information. Perimeter-based security works well when
information remains within the corporate network. Unfortunately, defining the boundaries of a corporate
network is very difficult as mobile devices access information in the cloud, from any place and at any
time. Most organizations must adopt flexible approaches to work tools and locations. An increasingly
mobile workforce uses a mix of organization-managed and personal (unmanaged) devices from home,
while on the road and from higher-risk global locations. Information security must enable mobility and
the consumerization of devices, applications, collaboration tools, and social networking for both business
and personal reasons. Simultaneously, organizations must protect information and their reputations by
detecting, controlling and preventing threats. Rather than focusing on perimeter and device security,
Fasoo recognized that data-centric security is the best way to overcome these issues. Since most
organizations are concerned with sensitive and confidential information getting into the wrong hands,
controlling the information itself is the best approach to meeting that goal.
Until recently, EDRM has been considered a complementary and niche solution. EDRM is becoming an
essential security infrastructure component for every enterprise application system as mobile and cloud
computing diversify and expand the enterprise IT environment. Fasoo EDRM is continuously evolving to
accommodate such trends.
Solution
EDRM or IRM solutions help companies maintain the confidentiality of sensitive corporate intellectual
property and customer personal information. This is necessary to secure a company's strategic business
advantage and protect its intrinsic value, as well as to comply with government and industry security
regulations, in a world that is increasingly digital and mobile. While nearly every company
acknowledges the need for strong protection of their digital assets, they face significant hurdles in
deploying full-fledged solutions in a company-wide manner. Given the adverse global economic climate,
companies are limiting capital expenditure and seeking to lower operating expenditure in an effort to
control costs. This may limit an organization's willingness to spend on a new or expanded budget for IT
investment. However, many decision makers in the IT security area believe investments in security should
increase due to dynamic changes in enterprise IT environments including the recent emergence of cloud
computing, and proliferation of tablets and smartphones.
EDRM was historically viewed as complex to deploy and as something that would impact existing workflows,
employee productivity and interaction with stakeholders outside the company. The general market
perception was that EDRM created additional work for enterprise IT departments. While the overall benefits
of EDRM are recognized, these perceptions continue to have an impact on adoption rates. Nevertheless,
Fasoo has carefully crafted and executed its competitive strategy to thrive and grow in this promising but
challenging landscape for the last 13 years. Fasoo is uniquely positioned as an independent vendor of
EDRM products. The solution has unique technology characteristics that make it broadly applicable to a
wide variety of applications and file formats, while providing strong security and interoperability with
major network security and digital asset management components. Fasoo is unique in its proven ability to
deploy very large scale EDRM installations. Fasoo is experienced in crafting and executing its
competitive strategy as it solidifies its leadership. Fasoo is leveraging the strength of its unique
technology, ongoing R&D improvements, comprehensive product capability, and effective use of
competitive intelligence.
Strategy
Fasoo's technology approach is driven by security and practical considerations. It overrides an
application's memory space and provides strong document protection that integrates smoothly with the
end user experience for third party applications where the EDRM vendor does not have access to the
program code. This is a difficult approach for several reasons, including risk of performance impact and
the requirement of keeping pace with application and document format updates. Fasoo has developed the
technical strength and deployment process to execute this well. Another unique Fasoo strength is its
ability to scale operations across large enterprises, which are often a patchwork of identity management
and client application systems. Fasoo has a lot of experience securing information enterprise-wide for
large, globally distributed companies. For example, its flagship installation for Company A spans over
170,000 internal users and over 1 million total users of affiliates and partners worldwide. Other
competitors rarely have experiences of installations at this scale. Historically, enterprises in major
markets have deployed EDRM on a need-driven basis, for a given department or a specific set of users at
a time. Today there is a drive to employ EDRM uniformly for all enterprise employees. Fasoo's strategy
of combining a highly interoperable product with customization services as needed has positioned it well
to organically fulfill this growing demand.
Strategic Intent
Fasoo has a detailed understanding of competing technology approaches and the strengths and
weaknesses of current market incumbents. Fasoo's product and service strategies all leverage this
intelligence. Fasoo's strategies rest on a strong understanding of customer requirements and future trends,
and on technologies that are aligned with existing enterprise infrastructure and security needs. Fasoo's
strategy is to position the company as a provider of data-centric security: EDRM technology that is not only
agnostic to digital asset management, server software and Data Loss Prevention (DLP) systems, but also
interoperates with all market-leading applications and platforms and is scalable to meet the needs of large
enterprises with global footprints.
Challenges
Even a single document can travel through many enterprise application systems and be converted into
different formats during its lifecycle. What happens if an EDRM solution applies only to a fraction of the
document types circulated in the enterprise? In that case, at some workflow stage the DRM-enabled
document in one format inevitably has to be converted to a plain document in another, unsupported
format. What if an EDRM solution is tied to one application server, such as an Enterprise Content
Management (ECM) system, and cannot be applied to other application systems, such as another vendor's
ECM or an Enterprise Resource Planning (ERP) system? The result is multiple islands of security
domains. Information needs to travel across security domains without losing its security.
Unfortunately, deploying EDRM solutions from different vendors in one organization is not practical: it
may cause unwanted conflicts between programs, and making them interoperate is impossible. An
effective EDRM solution should be designed with the vision that EDRM capability will be required on
every information system in the future, and so it should be neutral to any sort of enterprise application
system.
Policy Enforcement
The one key challenge in implementing EDRM, in contrast to perimeter security solutions or encryption,
is to enforce policy persistently even while a document is being used. To achieve such persistent control,
the functions of the rendering applications must be constrained accordingly. For example, if a user does
not have permission to print a Word document, the print function of Word must be disabled in any case.
However, many document formats and rendering applications are used in an enterprise-wide
environment; a partial list includes Microsoft Office, Adobe Reader, CAD, GIS, graphics and software
development tools. For this reason, EDRM vendors always face the challenge of keeping up with updates
to the rendering applications.
There are three different approaches to enforcing policy at the endpoint, compared in Table 1. The
embedding approach can be used if it is possible to modify the source code of the rendering applications,
or if it is reasonable to rewrite the whole rendering application for EDRM. In reality, only Microsoft can
modify Microsoft Office for EDRM, and only Adobe can do the same with Acrobat. Many more rendering
applications from different vendors are used in the enterprise environment, and a company cannot use as
many EDRM solutions as there are rendering application vendors. Rewriting rendering applications for
EDRM is not practical considering the cost and the fact that users seldom want to switch their rendering
applications.
Some rendering applications provide plug-in interfaces for third parties, but not all rendering
applications are equipped with such interfaces, and sometimes the interfaces are insufficient to implement
EDRM functions fully. Another serious problem with the plug-in method is that it is not robust enough:
determined users may easily disable the plug-in (e.g., by Visual Basic tampering). An OS filter is a kind of
plug-in at the OS level and, like the plug-in method, has limitations in security and EDRM functionality.
Kernel-mode filtering in Windows, for example, can control the application to some extent, but crackers
may still intercept or subvert the communication while plain data is being read or written.
Runtime overriding replaces the behavior of the rendering application at runtime. Rendering
applications communicate with the OS through APIs, and those APIs can be overridden in memory at
runtime. This method is capable of controlling all features and functions of the applications and of
minimizing the risk of losing data to cracking attempts. However, developing a commercial-quality
product with the runtime overriding method requires a great deal of know-how, effort and time.
So far, little progress has been made towards the standardization or interoperability of EDRM. If such a
standard existed and every rendering application vendor followed it, enforcing policy at the endpoint
would no longer be an issue. Until then, efforts to develop a secure rendering environment must continue
in order to cope with the immediate demands of the market.
Table 1. Comparison of DRM Client Technology

                 Embedding       Plug-in     Runtime overriding
  Security       High            Low         High
  Applicability  Very limited    Limited     Any application
  Cost           Low             Medium      High
particular document is meant for legitimate external sharing. Also, there are documents created on
desktops and not yet registered in the repository. These unregistered documents need to be protected with
EDRM as well.
EDRM solutions can be differentiated by their policy management models, which determine how they meet
the security requirements of documents along their lifecycle: the model decides how widely, and how
persistently, the security policy can reach.
The metadata includes the document ID, server URL, encrypted document key and other document-related
data. The document encryption algorithm can be exchanged for another with the same functional
features; for example, AES can be replaced with 3DES if necessary.
When a license is requested by a DRM Client, the client provides the DRM Server with the encrypted
metadata, user info and device info. The DRM Server generates a License based on the licensing policy. A
License is encrypted with a License key (RC4), and the License contains the document key encrypted by a
symmetric key associated with the device info, together with the permissions the user has on that
document. This cryptographic mechanism is the basis of FED products and is extended to accommodate
different requirements.
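The packaging and licensing exchange described above, written out as an added example; this is not code from the paper or from Fasoo's products. It assumes AES-256-GCM for both the document body and the key wrapping (the paper names AES for documents and RC4 for the License key; an authenticated cipher is used here because RC4 has since been deprecated, RFC 7465), derives the device-bound symmetric key by HMAC from a server secret, and binds every wrapped key to its document and device through the cipher's associated data so a License cannot be replayed on another device or against another document. The names Metadata, License, PackageDocument, IssueLicense, OpenWithLicense and DeviceKey are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Metadata carries the fields the paper lists; the layout itself is an assumption.
type Metadata struct {
	DocumentID    string
	ServerURL     string
	WrappedDocKey []byte // document key sealed under the DRM Server's key
}

// License is the DRM Server's token for one document on one device.
type License struct {
	DocumentID    string
	DeviceID      string
	Permissions   []string
	WrappedDocKey []byte // document key sealed under the device-bound key
}

// gcmFor builds AES-256-GCM; every key here is 32 bytes, so failure is a programming error.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal returns nonce || ciphertext || tag; aad binds the value to its context.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable randomness: refuse to proceed
	}
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, altered ciphertext or different aad fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed value too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// DeviceKey is the symmetric key tied to registered device info (HMAC derivation is assumed).
func DeviceKey(serverSecret []byte, deviceID string) []byte {
	mac := hmac.New(sha256.New, serverSecret)
	mac.Write([]byte("device-key:" + deviceID))
	return mac.Sum(nil)
}

// PackageDocument plays the Packager: a fresh document key encrypts the body, and the
// key itself is sealed to the server so only the DRM Server can release it in a License.
func PackageDocument(serverKey []byte, docID, serverURL string, plaintext []byte) (Metadata, []byte) {
	docKey := make([]byte, 32)
	if _, err := rand.Read(docKey); err != nil {
		panic(err)
	}
	meta := Metadata{docID, serverURL, seal(serverKey, docKey, []byte("doc:"+docID))}
	return meta, seal(docKey, plaintext, []byte("body:"+docID))
}

// IssueLicense plays the DRM Server once the licensing policy has granted perms: it
// unwraps the document key from the metadata and re-wraps it to the requesting device.
func IssueLicense(serverKey, serverSecret []byte, meta Metadata, deviceID string, perms []string) (*License, error) {
	docKey, err := open(serverKey, meta.WrappedDocKey, []byte("doc:"+meta.DocumentID))
	if err != nil {
		return nil, err // metadata was altered or belongs to another server
	}
	aad := []byte("lic:" + meta.DocumentID + ":" + deviceID)
	return &License{meta.DocumentID, deviceID, perms, seal(DeviceKey(serverSecret, deviceID), docKey, aad)}, nil
}

// OpenWithLicense plays the DRM Client: only the device holding the matching key recovers
// the document key, and only for the document the License names.
func OpenWithLicense(deviceKey []byte, meta Metadata, body []byte, lic *License) ([]byte, error) {
	if lic.DocumentID != meta.DocumentID {
		return nil, errors.New("license is for a different document")
	}
	docKey, err := open(deviceKey, lic.WrappedDocKey, []byte("lic:"+lic.DocumentID+":"+lic.DeviceID))
	if err != nil {
		return nil, err // wrong device key: the License is not usable here
	}
	return open(docKey, body, []byte("body:"+meta.DocumentID))
}
```

The server never hands out the document key in the clear: it is released only inside a License sealed to one registered device, which is what makes the permissions in the License enforceable by the client rather than advisory.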
Application Support
The DRM Client in the Windows environment supports most native applications that users are familiar
with, rather than third-party viewers or editors, so the DRM Client is transparent to users. Using an
additional viewer or editor often reduces usability and eventually affects user productivity. The
DRM Client on Windows overrides the Win32 API to control the rendering applications. Therefore,
FED is capable of controlling all features and functions of the applications and of minimizing the risk of
losing data to cracking attempts. It covers most document formats and rendering applications used in
enterprise-wide environments, such as Microsoft Word, Excel, PowerPoint, Project, Visio, Notepad,
WordPad, Paint, Adobe Reader, AutoCAD, Catia, I-deas, NX, Pro/E, etc. New applications are being
added continuously, and the most up-to-date list is available upon request. The Fasoo DRM Client API is
also available for those who want to develop a rendering application compatible with the DRM Client.
FED is not limited to the PC platform: it is now available on mobile devices such as iPhone, iPad, Android
phones and tablets, allowing authorized users to access DRM-enabled documents on such devices. Most
recently, a browser-accessible option and a lite version of the DRM Client are also being developed. These
approaches give organizations flexibility in cross-platform, multi-device environments.
Integration
When implementing EDRM on existing enterprise systems, two areas must be integrated: packaging and
authentication. For packaging, the Packager should be integrated into the document flow for convenience
and security, for example by packaging automatically at download; this saves user interactions and
prevents encryption from being skipped. The authentication system should be integrated so that users do
not log on twice, and for consistent policy management. FED provides ready-to-install interface modules
where possible. Where such interface modules are unavailable, custom interface modules must be
developed with the APIs provided. FED provides a Packager API and an SSO API for various
development environments. They support C, C++ (COM) and Java (JNI) on platforms such as Windows,
Linux, Sun Solaris, IBM AIX, and HP-UX.
Authentication
FED does not carry its own authentication system. Instead, an SSO API and ready-made interface modules
are provided. For ad-hoc external users, however, a proprietary authentication method, Fasoo Email Based
Authentication (FEBA; refer to the section Ad-hoc DSD FED Product, Fasoo Secure Exchange), is built
into the relevant FED product. FEBA allows robust and secure authentication without managing
directories for arbitrary external users.
Policy Management
DRM policy defines who can do what with a document on which device. Every user must be authenticated
first, and a device is also authenticated and associated with a user. A user can have multiple devices, but
the number can be restricted as part of the policy. A License is basically a token to open a DRM-enabled
document on a specific device with specific permissions and time constraints. Licenses are issued by the
DRM Server based upon the licensing policy, which is a function of user, device, document and other
context (time and location). Various combinations of the permissions in Table 2 can be assigned to a
document.
Table 2. DRM Permissions

  DRM permission                        Description
  DRM-enabled
    View_Only/Edit                      Allows an authorized user to open a DRM-enabled document for
                                        viewing on the screen only, or to view, edit and save. An edited
                                        DRM-enabled document keeps the original permission.
    No_Print/Print_Watermark/Print      Allows no printing, printing only with a watermark, or printing.
    No_Screen_Capture/Screen_Capture
  DRM-disabled
    Un-package
In addition, the licensing policy can grant offline access for business travelers, restrict the view count
for top-secret documents, and limit the devices that may be used to those of a specific workforce.
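The licensing policy model described in this section, worked through as an added example (not Fasoo's code or API): the License decision is a function of user, device, document and context, the device limit, view count and approved offline access are enforced on the server side, and License expiry is measured on a server-supplied trusted clock, as the Trusted Clock section describes, rather than on the PC clock. The type and field names (Request, Grant, Rule, Server, OfflineWindow) and the one-hour online session lifetime are assumptions of the example.

```go
package main

import (
	"errors"
	"time"
)

// Request is what the DRM Server knows when a license is requested.
type Request struct {
	UserID, DeviceID, DocID, Location string
	Now                               time.Time // from the server's trusted clock, never the PC clock
	WantOffline                       bool      // ask for an offline license (needs prior approval)
}

// Grant is the license decision: permissions plus the constraints the server attached.
type Grant struct {
	Permissions []string
	ValidUntil  time.Time // expiry, measured on the trusted clock
	ViewsLeft   int       // opens remaining after this one; -1 means unlimited
}

// Rule is one document's licensing policy; the field names are this example's assumptions.
type Rule struct {
	Permissions   map[string][]string // per user ID; "*" applies to everyone else
	Locations     map[string]bool     // allowed locations; empty means anywhere
	MaxDevices    int                 // devices a user may associate; 0 means unlimited
	MaxViews      int                 // total opens per user; 0 means unlimited
	OfflineUsers  map[string]bool     // users approved for an offline license
	OfflineWindow time.Duration       // lifetime of an offline license
}

// Server holds the state the policy needs: rules, device associations and view counts.
type Server struct {
	Rules   map[string]Rule
	devices map[string]map[string]bool // user -> associated device IDs
	views   map[string]int             // user|doc -> opens so far
}

func NewServer(rules map[string]Rule) *Server {
	return &Server{Rules: rules, devices: map[string]map[string]bool{}, views: map[string]int{}}
}

// Evaluate applies the licensing policy as a function of user, device, document and
// context (time, location, offline request). Every denial comes back as an error.
func (s *Server) Evaluate(r Request) (*Grant, error) {
	rule, ok := s.Rules[r.DocID]
	if !ok {
		return nil, errors.New("unknown document")
	}
	perms, ok := rule.Permissions[r.UserID]
	if !ok {
		perms, ok = rule.Permissions["*"]
	}
	if !ok {
		return nil, errors.New("user has no rights on this document")
	}
	if len(rule.Locations) > 0 && !rule.Locations[r.Location] {
		return nil, errors.New("location not permitted for this document")
	}
	if r.WantOffline && !rule.OfflineUsers[r.UserID] {
		return nil, errors.New("offline access not approved for this user")
	}
	// Device association: a new device is accepted only while the user's quota allows.
	devs := s.devices[r.UserID]
	if devs == nil {
		devs = map[string]bool{}
		s.devices[r.UserID] = devs
	}
	if !devs[r.DeviceID] {
		if rule.MaxDevices > 0 && len(devs) >= rule.MaxDevices {
			return nil, errors.New("device limit reached for this user")
		}
		devs[r.DeviceID] = true
	}
	// View count is kept on the server, so reinstalling the client cannot reset it.
	key := r.UserID + "|" + r.DocID
	viewsLeft := -1
	if rule.MaxViews > 0 {
		if s.views[key] >= rule.MaxViews {
			return nil, errors.New("view count exhausted")
		}
		s.views[key]++
		viewsLeft = rule.MaxViews - s.views[key]
	}
	// An online license lasts one session (one hour is this example's assumption); an
	// approved offline license lasts for the rule's window.
	validUntil := r.Now.Add(time.Hour)
	if r.WantOffline {
		validUntil = r.Now.Add(rule.OfflineWindow)
	}
	return &Grant{Permissions: perms, ValidUntil: validUntil, ViewsLeft: viewsLeft}, nil
}

// Usable is the client-side expiry check. trustedNow must come from the server-synchronised
// clock: comparing against the local PC clock would let a rolled-back clock revive a license.
func (g *Grant) Usable(trustedNow time.Time) bool {
	return !trustedNow.After(g.ValidUntil)
}
```

The checks are ordered so that a denied request leaves no trace: location and offline approval are tested before a device is associated, and the device quota before the view count is consumed, which keeps the server-side counters meaningful for audit.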
XenApp users who have access to the documents, and those users can also take screenshots while the
document is being used. Therefore, the EDRM products need to be deployed in the back-end application
systems, and a multi-user version of the DRM Client should be installed on the XenApp servers. On the
XenApp client side, screen capture must be controlled. The Fasoo Secure Screen (FSS) add-on module is
designed to control screen capture in the XenApp client environment. Without FSS, a DRM-enabled
document without screen capture permission cannot be viewed on the XenApp client, since the session may
be considered illegal remote access. Remote access from a XenApp client with FSS is treated as the
exception, and FSS blocks all other remote access attempts. To force users to install FSS, XenApp
connections are allowed only with FSS. FED makes it possible for users to take advantage of SBC with full
DRM capability.
Watermark
Once a document is printed, the printout can end up in wrong hands and it cannot be protected just by
software. Watermark on printout may contain identifiable information and it can be used to trace back
who has printed the document, when and where. Visible watermarks are also useful when you want to
widely release sample content but you want to make it inappropriate for anyone to use it. FED can
enforce visible watermarking on each page. Visible watermarks may include text or images of identifiable
information, such as company, division, title, user name, IP address etc. FED inserts visible watermarks
using Win32 API overriding method that visible watermark information is injected before it gets to
printer driver. Fasoo visible watermarks can be inserted on any printer even from virtual printing
environment, having no printer dependency. In FED, watermark print is also considered as a standard
permission on any DRM-enabled document.
as multiple usable Licenses. This feature is very useful when users travel where no network is available.
To avoid abuse of this feature, an approval process may be required before such a special offline License
is issued.
Tamper Resistance
FED is equipped with many tamper resistance features, including secure copy & paste, secure export and
a trusted clock. Additional code is also built in to prevent memory hacking, reverse engineering and
attempts to disable DRM processes.
Secure Export
There are several ways to export the content of a file, such as printing to a file or exporting the content in
other formats. FED encrypts all exported files as well, and they inherit the policy of the source document.
Trusted Clock
FED maintains a trusted clock rather than relying on the local PC clock.
approval, the document should be kept secret among only the persons involved in the approval process.
After the approval process, the price list is uploaded to the ECM system and becomes available to all
internal sales staff. At this stage the user boundary should be widened to all internal sales staff, but
access should be read-only. If a new partner joins as a distributor, the document needs to be shared with
them, and the partner should be allowed to view it but not to redistribute it to anyone else.
In this example, the document belongs to at least three different DSDs along its workflow. Crossing a
DSD, the security policy may change and the responsibility for document security may belong to a
different person, and the system to authenticate users also needs to be changed.
DSDs can be categorized into three major types as follows: Server DSD, Ad-hoc DSD, and PC DSD.
FED products are designed to meet different DSD requirements separately for security and manageability
reasons.
PC DSD is the domain where documents are being created and edited but are not yet registered on the
server. The documents may not yet be final or official, but they may still contain a lot of sensitive
information and should be secured. To support this domain, EDRM should be enabled from the creation
of a document. The security policy of documents at this stage is best defined based on the author's
security privilege.
When a document is checked into an ECM, it is controlled by the ECM's ACL. However, that security
policy cannot be maintained once the document is downloaded from the ECM, which is why EDRM is
required to protect documents held in an ECM. Server DSD is the domain controlled by a server such as an
ECM. The security policy of this domain is generally an extension of the ACL, applied persistently and
with additional security options that are available only with EDRM. User authentication should be
integrated with that of the server to extend the existing ACL systematically. It is natural that the
administrator of the server is responsible for the security of Server DSD documents.
At some point in the document lifecycle, the document needs to be sent to a person who is outside the
current authentication boundary. In this case, neither PC DSD nor Server DSD authentication can be
applied to the external user. Ad-hoc DSD has evolved to serve this domain, and requires a new
authentication system to cover an open-ended set of users.
Fasoo ePrint
Fasoo ePrint is a comprehensive printing management solution that provides both printer-related cost
reduction and security. For cost reduction, it lowers the cost per page (CPP) through controls such as toner
control and paper usage control. For security, it can allow or block print jobs based on predefined
permissions or context awareness, and provides watermarking and pull printing for printout security.
information. FSS also blocks screen capture tools and the print screen function, and even stops attempts to
capture the screen through virtual machines and remote desktops.
Summary
FED makes it possible to protect documents persistently on any device, at any time, throughout the entire
document lifecycle. A big advantage of FED is that almost all document formats found in the enterprise
environment can be protected, including ordinary office documents, graphics and engineering drawings.
FED is not limited to the PC platform; it is now available on mobile devices such as iPhone, Android phones
and iPad. For each document, FED can control detailed permissions such as view, edit, print, print with
watermark, screen watermark and screen capture. Further constraints can be imposed, such as the number
of devices, the valid access period and the number of accesses.
FED is well prepared to meet the various security requirements of the different phases of the document
lifecycle. Enterprises have deployed many application systems to share documents internally. Documents,
however, fall out of control and become vulnerable to loss once downloaded or checked out from application
systems such as ECM and ERP. FED is finely tuned for easy integration with existing systems. It is also
equipped with the patented e-mail-based authentication technology to protect documents shared
externally with partners or customers. Even documents created and used on a PC can be secured by FED
before they are shared internally or externally. Furthermore, printouts and screens can be overlaid with
watermarks, which helps to trace the source of a breach and makes users more cautious about handling
their printouts and taking pictures of their screens.
Recently, Fasoo upgraded EDRM to another level, making it smarter and easier to use. Security policy
can now be set automatically according to the content of a document, and the policy can be adjusted
without user intervention based on access time, device location and document usage history. This
context-aware protection makes EDRM more secure without hurting usability, and lessens the burden on
the EDRM administrator significantly. By collecting and analyzing log data intelligently in real time, FED
can alert administrators to irregular or unusual user activity. Most recently, Fasoo also developed a
comprehensive printer management solution for printer-related security and cost reduction. FED has
become a core security infrastructure for enterprises and is evolving into the solution for securing data in
cloud and mobile computing environments.