Wednesday, July 12, 2006

Another preventable theft of IPR? Maybe.

In my position as a technical evangelist, I often get opinions flying at me from left, right and centre (note "correct" spelling of "centre") on all sorts of issues. One recent issue that blew me away came in response to a news item about how the FBI allegedly stopped an espionage ring from stealing a secret Coca-Cola recipe and selling it to rival Pepsi.

Given that I usually talk about how using Adobe LiveCycle Policy Server could have prevented such things, many people were eager to come up to me and say that I should write about this. I am hesitant to make any such claims for a number of reasons. First, if you are dealing with people who have access to information and are really intent on betraying your organization and leaking the information outside, there is little you can do to stop them. Employing some advanced information assurance technology like Adobe Policy Server or Microsoft’s Rights Management Server will do little to thwart someone with access to the recipe and a pen and paper or a digital camera. Secondly, if you can render something once, you can capture it and re-serialize it to distribute electronically later. The side channel art of deception is also commonly referred to as "Social Engineering".

People looking at Policy Server need to be very clear on their expectations. Policy Server can do a number of very important things to protect digital property. Looking at the scenario at Coca-Cola, I would have recommended the following:

  1. Any recipe document should have been policy protected and available only to a very small list of people who were supposed to have access to it. I would also place a large watermark on the document so that each of them knows that if they release the document it can be traced back to them.

  2. I would audit the list of people who have access rights and immediately suspend the rights of anyone who no longer needs to have the information.

  3. When the document is stored, it would always be encrypted using the AES 128-bit cipher.

  4. I would regularly audit the trail of document interactions to see if there are any patterns that would indicate a problem, such as an employee repeatedly rendering it and trying things like Printing, Control-Printscreen, Cutting and Pasting etc. If these patterns persist, it could be indicative of a problem.

  5. In the event that the recipe did leak out, I would immediately make that document non-renderable.

  6. Each document involved in the process would have its entire process model documented and would be immediately deprecated and made non-renderable once it is no longer required.
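
The audit review in item 4 can be automated. The sketch below is an added example, not code from this post or from Adobe: it scans a constructed audit trail for users who repeatedly render a document or rack up denied actions within a one-hour window. The column layout, the thresholds and the `flag_users` function are assumptions for illustration and do not reflect Policy Server's actual audit export.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample audit trail: timestamp, user, document, action, result.
# The column layout is an assumption, not Policy Server's real export format.
SAMPLE_AUDIT = """\
2006-07-10T09:00:00,alice,recipe.pdf,open,allowed
2006-07-10T09:01:00,bob,recipe.pdf,open,allowed
2006-07-10T09:02:00,bob,recipe.pdf,print,denied
2006-07-10T09:03:00,bob,recipe.pdf,copy,denied
2006-07-10T09:05:00,bob,recipe.pdf,open,allowed
2006-07-10T09:06:00,bob,recipe.pdf,print,denied
2006-07-10T09:07:00,bob,recipe.pdf,open,allowed
2006-07-10T16:30:00,alice,recipe.pdf,print,denied
2006-07-11T10:00:00,carol,recipe.pdf,open,allowed
"""

def flag_users(audit_text, window=timedelta(hours=1), max_denied=3, max_opens=3):
    """Return {user: reasons} for users whose activity inside any sliding
    window reaches the denied-action or repeated-render threshold."""
    events = defaultdict(list)
    for ts, user, _doc, action, result in csv.reader(StringIO(audit_text)):
        events[user].append((datetime.fromisoformat(ts), action, result))
    flagged = {}
    for user, rows in events.items():
        rows.sort()
        reasons, start = set(), 0
        for end in range(len(rows)):
            # Advance the left edge until the window spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            if sum(1 for _, _, r in in_window if r == "denied") >= max_denied:
                reasons.add("repeated denied actions")
            if sum(1 for _, a, _ in in_window if a == "open") >= max_opens:
                reasons.add("repeated rendering")
        if reasons:
            flagged[user] = sorted(reasons)
    return flagged

if __name__ == "__main__":
    for user, reasons in flag_users(SAMPLE_AUDIT).items():
        print(user, "->", ", ".join(reasons))
```

A single denied print hours after an ordinary open, as in the constructed `alice` rows, stays below both thresholds, so only the sustained pattern is flagged.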

In short, no matter what security system you put in effect, someone can and will find a way around it. What applications like Policy Server do is make it more difficult for people to mount front channel attacks, so that attackers often draw more attention to themselves as they have to develop side channel tactics.

On a side note, no one has yet claimed the $500.00 I offered if this Adobe Policy Server protected document could be rendered. It is still up for grabs if anyone thinks they can defeat Policy Server. The cash is sitting here – waiting for you.
