
Global Business

3Q/2013

White Paper – Fasoo Enterprise

Digital Rights Management

Fasoo

396 World Cup Buk-ro, Mapo-gu

Seoul, 121-795, Korea

+82-2-300-9000

+82-2-300-9400

8/28/2013


396 World Cup Buk-ro, Mapo-gu

Seoul 121-795, Korea tel: +82-2-300-9000 | fax: +82-2-300-9400 | web: www.fasoo.com

Fasoo | External Communication | Page 1

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Fasoo.com, Inc. (Fasoo).

Fasoo may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Fasoo, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2013 Fasoo. All rights reserved.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Table of Contents

Introduction
  Solution
  Strategy
  Strategic Intent
Challenges
  Policy Enforcement
  Policy Management Model
Characteristics and Specifications of Fasoo Enterprise DRM
  Architecture
    Application Support
    Integration
    Authentication
  Policy Management
    Blocking Screen Capture
    Watermark
    Flexible Policy Setting
    Dynamic Policy Control and Offline Access
    Intelligent Policy Management: Context Aware Protection
  Tamper Resistance
    Secure Copy & Paste
    Secure Export
    Trusted Clock
  Usage Log and Audit Trail
Fasoo Enterprise DRM Suite
  Document Security Domain
  Server DSD FED Product, Fasoo Secure Document
  Ad-hoc DSD FED Product, Fasoo Secure Exchange
  PC DSD FED Product, Fasoo Secure Node
  Extended FED Products
    Fasoo Secure Print
    Fasoo ePrint
    Fasoo Secure Screen
    Fasoo Mobile Solution
    Context Aware Protection
    Fasoo Usage Tracer
Summary


Introduction

Current IT technology lets us communicate and collaborate at the speed of light, and at the same time exposes organizations to the risk of losing intellectual property, trade secrets, classified documents and personally identifiable information (PII) with a single click. Documents are considered secure while they remain within a controlled boundary, such as a content management system, a collaborative repository, an email inbox or a file system folder. But these documents are legitimately downloaded to desktops, laptops and other devices by authorized users, where they can easily be copied and forwarded elsewhere. Once access is granted, authorized users are free to do whatever they want with the information they receive; there are no restrictions on what can be done with the data or where it can be sent.

Documents should be protected persistently, whether at rest in storage, in transit or in use. The market is demanding data-centric security solutions. Enterprise Digital Rights Management (EDRM), also called Information Rights Management (IRM), is a data-centric security solution that provides file-based protection and allows enterprises to protect, control and track sensitive documents containing intellectual property, trade secrets, PII and so on. To be most useful, an EDRM solution should support the common rendering applications (Microsoft Word, Excel, PowerPoint, Adobe Reader and others), cover the entire document lifecycle, and provide an open security platform that existing enterprise systems can integrate with. Fasoo EDRM has been designed and developed to meet these requirements. Numerous large-scale, enterprise-wide deployments have demonstrated its effectiveness and scalability. Context-aware intelligence has also been added to Fasoo EDRM to make the solution more convenient to use.

In addition, the emergence of cloud and mobile computing in the enterprise has brought new IT challenges. Until recently many organizations believed cloud and mobile strategies would never be part of their enterprise IT strategy. That belief has shifted as tablets and smartphones have not only taken over consumer markets but have become ubiquitous throughout the enterprise. The rapid increase in mobile device usage and the high demand for cloud solutions and services have left IT with significant challenges, especially around security. The difficulty with seamless information sharing is that IT and corporate security may no longer control the information. Perimeter-based security works well while information remains within the corporate network, but the boundary of a corporate network is very difficult to define once mobile devices access information in the cloud from any place at any time. Most organizations must adopt flexible approaches to work tools and locations. An increasingly mobile workforce uses a mix of organization-managed and personal (unmanaged) devices from home, on the road and from higher-risk global locations. Information security must enable mobility and the consumerization of devices, applications, collaboration tools and social networking for both business and personal use. At the same time, organizations must protect their information and their reputations by detecting, controlling and preventing threats. Rather than focusing on perimeter and device security, Fasoo concluded that data-centric security is the best way to address these issues: since the concern of most organizations is sensitive and confidential information reaching the wrong hands, controlling the information itself is the most direct way to meet that goal.

Until recently, EDRM was considered a complementary, niche solution. It is becoming an essential security infrastructure component for every enterprise application system as mobile and cloud computing diversify and expand the enterprise IT environment. Fasoo EDRM is continuously evolving to accommodate these trends.

Solution

EDRM or IRM solutions help companies maintain the confidentiality of sensitive corporate intellectual property and customer personal information. This is necessary to secure a company's strategic business advantage and protect its intrinsic value, and to comply with government and industry security regulations, in a world that is increasingly digital and mobile. While nearly every company acknowledges the need for strong protection of its digital assets, companies face significant hurdles in deploying full-fledged solutions company-wide. Given the adverse global economic climate, companies are limiting capital expenditure and seeking to lower operating expenditure to control costs, which may limit an organization's willingness to fund new or expanded IT investment. Nevertheless, many IT security decision makers believe that investment in security should increase because of the dynamic changes in enterprise IT environments, including the recent emergence of cloud computing and the proliferation of tablets and smartphones.

EDRM was historically viewed as complex to deploy and as something that would disrupt existing workflows, employee productivity and interaction with stakeholders outside the company. The general market perception was that EDRM created additional work for enterprise IT departments. While the overall benefits of EDRM are recognized, these perceptions continue to affect adoption rates. Fasoo has nonetheless crafted and executed a competitive strategy to thrive and grow in this promising but challenging landscape for the last 13 years. Fasoo is positioned as an independent vendor of EDRM products. The solution's technology is applicable to a wide variety of applications and file formats, while providing strong security and interoperability with major network security and digital asset management components. Fasoo has a proven ability to deploy very large-scale EDRM installations, and continues to build on its technology, ongoing R&D improvements, comprehensive product capability and use of competitive intelligence as it solidifies its position in the market.

Strategy

Fasoo's technology approach is driven by security and practical considerations. The DRM client works inside the rendering application's own process, intercepting the application's use of operating system APIs at runtime, and thereby provides strong document protection that integrates smoothly with the end-user experience of third-party applications whose program code the EDRM vendor cannot modify. This is a difficult approach for several reasons, including the risk of performance impact and the need to keep pace with application and document format updates. Fasoo has developed the technical strength and deployment process to execute it well. Another Fasoo strength is its ability to scale operations across large enterprises, which are often a patchwork of identity management and client application systems. Fasoo has extensive experience securing information enterprise-wide for large, globally distributed companies. For example, its flagship installation for Company A spans over 170,000 internal users and over 1 million total users across affiliates and partners worldwide; competitors rarely have installations at this scale. Historically, enterprises in major markets have deployed EDRM on a need-driven basis, for a given department or a specific set of users at a time. Today there is a drive to deploy EDRM uniformly for all enterprise employees. Fasoo's strategy of combining a highly interoperable product with customization services as needed has positioned it well to meet this growing demand.

Strategic Intent

Fasoo has a detailed understanding of competing technology approaches and of the strengths and weaknesses of current market incumbents, and its product and service strategies leverage this intelligence. Those strategies rest on a strong understanding of customer requirements and future trends, and on technologies aligned with existing enterprise infrastructure and security needs. Fasoo's strategy is to position the company as a provider of data-centric security: EDRM technology that is agnostic to digital asset management, server software and Data Loss Prevention (DLP) systems, interoperates with the market-leading applications and platforms, and scales to meet the needs of large enterprises with global footprints.

Challenges

Even a single document can travel through many enterprise application systems and be converted into different formats during its lifecycle. What happens if an EDRM solution applies only to a fraction of the document types circulating in the enterprise? At some stage of the workflow the DRM-enabled document in one format will inevitably be converted into a plain document in an unsupported format. What if an EDRM solution is tied to one application server, such as a particular Enterprise Content Management (ECM) system, and cannot be applied to other systems, such as another vendor's ECM or an Enterprise Resource Planning (ERP) system? The result is multiple islands of security domains. Information needs to travel across security domains without losing its protection. Deploying EDRM solutions from different vendors in one organization is not practical: it can cause conflicts between programs, and the solutions cannot be made interoperable. An effective EDRM solution should be designed with the expectation that EDRM capability will eventually be required on every information system, and should therefore be neutral with respect to the enterprise application systems it protects.

Policy Enforcement

The key challenge in implementing EDRM, in contrast to perimeter security or plain encryption, is enforcing policy persistently even while a document is in use. To achieve such persistent control, the functions of the rendering application must be constrained accordingly. For example, if a user does not have permission to print a Word document, Word's print function must be disabled. However, many document formats and rendering applications are in use across an enterprise; a partial list includes Microsoft Office, Adobe Reader, CAD, GIS, graphics and software development tools. EDRM vendors therefore face a continuing challenge to keep up with updates to rendering applications.

There are three different approaches to enforcing policy at the endpoint, compared in Table 1.

The embedding approach can be used where it is possible to modify the source code of the rendering application, or where it is reasonable to rewrite the whole rendering application for EDRM. In reality, only Microsoft can modify Microsoft Office for EDRM, and only Adobe can do so for Acrobat; many more rendering applications from other vendors are used in enterprise environments. A company cannot run as many EDRM solutions as it has rendering application vendors, and rewriting rendering applications for EDRM is impractical given the cost and the fact that users seldom want to switch applications.

Some rendering applications provide plug-in interfaces for third parties, but not all do, and the interfaces are sometimes insufficient to implement EDRM functions fully. A further serious problem with the plug-in method is that it is not robust: a determined user can disable the plug-in (for example, by tampering with it through Visual Basic). An OS filter is a kind of plug-in at the operating-system level. Like the plug-in method, it has limitations in security and EDRM functionality. Kernel-mode filtering in Windows, for example, can control an application to some extent, but an attacker may intercept or subvert the communication path while plain data is being read or written.

Runtime overriding overrides the behavior of the rendering application at runtime. Rendering applications communicate with the OS through APIs, and those APIs can be overridden in memory at runtime. This method can control the complete set of features and functions of the application and minimizes the risk of data loss from cracking attempts. However, developing a commercial-quality product with the runtime overriding method requires considerable know-how, effort and time. As with any endpoint control, it also assumes that the endpoint itself is not compromised: a user with administrative rights, or code running in the kernel, can in principle defeat user-mode hooks, which is why the tamper resistance of the client (see "Tamper Resistance") matters.

So far, little progress has been made towards standardization or interoperability of EDRM. If such a standard existed and every rendering application vendor followed it, enforcing policy at the endpoint would no longer be an issue. Until then, efforts to develop a secure rendering environment must continue to meet the immediate demands of the market.

Table 1. Comparison of DRM Client Technology

                    Embedding       Plug-in     Runtime overriding
Security            High            Low         High
Applicability       Very limited    Limited     Any application
Cost                Low             Medium      High

Policy Management Model

Another major challenge in designing EDRM solutions is that it is very difficult to build a complete policy model for documents that travel literally all over the world; covering the entire lifecycle of a document can look infeasible.

Many organizations have deployed application systems such as ECM, ERP, Product Lifecycle Management (PLM), email and file servers to manage corporate information effectively. Enormous numbers of documents are stored there, and these are the first target for EDRM, which reinforces the existing access control lists (ACLs). The basic model is to make documents DRM-enabled when they are downloaded, so that the ACL is extended beyond the repository's protective confines. This looks simple and clear, but it becomes complicated when a particular document is meant for legitimate external sharing. There are also documents created on desktops that are not yet registered in any repository; these unregistered documents need EDRM protection as well.

EDRM solutions can be differentiated by the policy management models they use to meet the security requirements of documents along their lifecycle. The model determines how widely, and how persistently, the security policy can reach.

Characteristics and Specifications of Fasoo Enterprise DRM

Architecture

Fasoo Enterprise DRM (FED) products share the same core EDRM architecture, with features that differ from product to product to serve different requirements. The general FED architecture consists of four major processes (DRM Client, Packager, DRM Server and the rendering application) and three key objects (the document, the DRM-enabled document and the License; see the "Policy Management" section).

To enable DRM for a document, the document is packaged (encrypted) by the Packager, which converts it into a DRM-enabled document. A DRM-enabled document cannot be read without the DRM Client. When a user tries to open a DRM-enabled document, the DRM Client requests a License from the DRM Server, which issues one according to the policy for that user and document. The DRM Client then unpackages the DRM-enabled document, feeds the data to the rendering application, and keeps control of the rendering environment so that the decrypted data cannot be taken out without a proper License.

Figure 1. FED Architecture

Packaging proceeds as follows:

1. Encrypt the plain document with a document key (AES).
2. Encrypt the document key with the server public key (RSA).
3. Encrypt the metadata with a metadata key (RC4).
4. Assemble the DRM-enabled document from the encrypted metadata and the encrypted document.

The metadata includes the document ID, the server URL, the encrypted document key and other document-related data. The document encryption algorithm can be exchanged for another with the same functional characteristics; for example, AES can be replaced with 3DES if necessary.

When a License is requested, the DRM Client provides the DRM Server with the encrypted metadata, user information and device information. The DRM Server generates a License based on the licensing policy. The License is encrypted with a License key (RC4) and contains the document key, encrypted with a symmetric key associated with the device information, together with the permissions the user has on that document. This cryptographic mechanism is the basis of all FED products and is extended to accommodate different requirements.

Two points for anyone evaluating this design today: RC4 is no longer considered a secure cipher and, like any unauthenticated stream cipher, gives no integrity protection, so the metadata and the License should be protected with an authenticated cipher (the paper itself notes that the document encryption algorithm is interchangeable); and because the License carries the permission set, it is the integrity of the License, not only its confidentiality, that stops a client from granting itself additional rights.

Application Support

In the Windows environment the DRM Client supports the native applications users are already familiar with, rather than third-party viewers or editors, so it is transparent to users; requiring an additional viewer or editor often cuts usability and ultimately productivity. The DRM Client on Windows overrides the Win32 API to control rendering applications, so FED can control the complete set of features and functions of each application and minimize the risk of data loss from cracking attempts. It covers most document formats and rendering applications used in enterprise environments, including Microsoft Word, Excel, PowerPoint, Project, Visio, Notepad, WordPad, Paint, Adobe Reader, AutoCAD, Catia, I-deas, NX, Pro/E and others. New applications are added continuously, and the most up-to-date list is available on request. The Fasoo DRM Client API is also available for those who want to develop a rendering application compatible with the DRM Client. FED is not limited to the PC platform: it is now available on mobile devices such as iPhone, iPad, Android phones and tablets, allowing authorized users to access DRM-enabled documents there. Most recently, a browser-accessible option and a lite version of the DRM Client are also under development. These options give organizations flexibility in cross-platform, multi-device environments.

Integration

When implementing EDRM on existing enterprise systems, two areas must be integrated: packaging and authentication. For packaging, the Packager should be integrated into the document flow, for example by packaging automatically on download; this saves user interaction and makes it impossible to skip encryption. The authentication system should be integrated so that users do not have to log on twice and so that policy management is consistent. FED provides ready-to-install interface modules where possible; where no such module is available, a custom interface module is developed with the APIs provided. FED provides a Packager API and an SSO API for various development environments, supporting C, C++ (COM) and Java (JNI) on Windows, Linux, Sun Solaris, IBM AIX and HP-UX.


Authentication

FED does not carry its own authentication system; instead an SSO API and ready-made interface modules are provided. For ad-hoc external users, however, a proprietary mechanism, Fasoo Email Based Authentication (FEBA; see the "Ad-hoc DSD FED Product, Fasoo Secure Exchange" section), is built into the relevant FED product. FEBA allows secure authentication of arbitrary external users without maintaining a directory for them.

Policy Management

A DRM policy defines who can do what with a document on which device. Every user must be authenticated first; each device is also authenticated and associated with a user. A user can have multiple devices, but the number can be restricted as part of the policy. A License is essentially a token to open a DRM-enabled document on a specific device with specific permissions and time constraints. It is issued by the DRM Server according to the licensing policy, which is a function of user, device, document and other context (time and location). Various combinations of the permissions in Table 2 can be assigned to a document.

Table 2. DRM Permissions

DRM permission                          Description

DRM-enabled
  View_Only / Edit                      Allows an authorized user to open a DRM-enabled document for
                                        "view on the screen only" or "view, edit and save". An edited
                                        DRM-enabled document keeps the original permissions.
  No_Print / Print_Watermark / Print    Allows "no print", "print only with watermark" or "print".
  No_Screen_Capture / Screen_Capture    Allows "no screen capture" or "screen capture".

DRM-disabled
  Un-package                            Allows everything without restriction, including retrieval of
                                        the plain document.

In addition, the licensing policy can grant offline access for business travelers, restrict the view count of top secret documents, and limit a document to devices used only by a specific workforce.
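The licensing policy as a function of user, device, document and context, including the device limit, view count and offline grant just described and the late binding explained under "Dynamic Policy Control and Offline Access", as an added example written for this page. It is the editor's illustration, not Fasoo's policy engine; the template, group and constraint layout (Template, Request, Server and Evaluate) is assumed, and the DRM Server-side evaluator shown returns only the permission set and expiry a License would carry, leaving encryption aside. The rule that a view-counted document cannot be taken offline is this example's own design choice, since views can be metered only when each open returns to the server for a License.

```go
package main

import (
	"fmt"
	"time"
)

const ( // permission bits named after Table 2; the encoding is this example's own
	View uint8 = 1 << iota
	Edit
	PrintWatermark
	Print
	ScreenCapture
)

// Template is the reusable policy an enterprise attaches to a document class: permissions per
// user group plus the constraints the paper mentions (device limit, view count, offline access).
type Template struct {
	Grants      map[string]uint8 // user group -> permissions
	MaxDevices  int              // devices one user may associate; 0 = unlimited
	MaxViews    int              // Licenses per user per document; 0 = unlimited
	OfflineDays int              // longest offline License; 0 = online-only
}

// Request is what arrives with the encrypted metadata: user, device and context.
type Request struct {
	User, Group, DocID, DeviceID string
	Offline                      bool // a business traveler asking for an offline License
	At                           time.Time
}

// Decision is the policy half of a License: what may be done with the document, and until when.
type Decision struct {
	Permissions uint8
	NotAfter    time.Time
}

// Server holds the state the licensing policy is a function of (an assumed layout, not Fasoo's).
type Server struct {
	Templates map[string]*Template
	DocClass  map[string]string          // document ID -> template name, read at License time
	OnlineTTL time.Duration              // an online License should barely outlive the session
	devices   map[string]map[string]bool // user -> associated devices
	views     map[string]int             // user|document -> Licenses issued so far
}

func NewServer(onlineTTL time.Duration) *Server {
	return &Server{Templates: map[string]*Template{}, DocClass: map[string]string{}, OnlineTTL: onlineTTL,
		devices: map[string]map[string]bool{}, views: map[string]int{}}
}

// Evaluate is the late-binding step: policy is looked up when the License is requested, so
// reclassifying a document or editing a template takes effect at the next open, not at packaging.
func (s *Server) Evaluate(r Request) (Decision, error) {
	t, ok := s.Templates[s.DocClass[r.DocID]]
	if !ok { return Decision{}, fmt.Errorf("no policy for document %s", r.DocID) }
	perms := t.Grants[r.Group]
	if perms&View == 0 { return Decision{}, fmt.Errorf("%s (%s) may not view %s", r.User, r.Group, r.DocID) }
	// Device association: a user may hold several devices, but the template can cap the number.
	devs := s.devices[r.User]
	if devs == nil { devs = map[string]bool{}; s.devices[r.User] = devs }
	if !devs[r.DeviceID] {
		if t.MaxDevices > 0 && len(devs) >= t.MaxDevices { return Decision{}, fmt.Errorf("%s already has %d devices", r.User, len(devs)) }
		devs[r.DeviceID] = true
	}
	ttl := s.OnlineTTL
	if r.Offline {
		if t.OfflineDays == 0 { return Decision{}, fmt.Errorf("%s is online-only", r.DocID) }
		// Design choice of this example: a view-counted document cannot go offline, because views
		// can only be metered when every open comes back to the server for a License.
		if t.MaxViews > 0 { return Decision{}, fmt.Errorf("%s is view-counted and cannot go offline", r.DocID) }
		ttl = time.Duration(t.OfflineDays) * 24 * time.Hour
	}
	// View count: each online License is one view, and the counter is server-side state.
	key := r.User + "|" + r.DocID
	if t.MaxViews > 0 {
		if s.views[key] >= t.MaxViews { return Decision{}, fmt.Errorf("%s has used all %d views of %s", r.User, t.MaxViews, r.DocID) }
		s.views[key]++
	}
	return Decision{Permissions: perms, NotAfter: r.At.Add(ttl)}, nil
}
```

Two things worth noticing in the ordering: the device limit is enforced before a view is consumed, so a rejected request does not burn one of the user's views, and the offline checks come before the view counter for the same reason. Reassigning DocClass for a document after it has been packaged is all that is needed to change what the next License grants, which is what the paper means by binding policy at License time rather than at packaging.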

Blocking Screen Capture

FED blocks all known third-party screen-capture tools and the Windows Print Screen function, including attempts to capture the screen through a virtual machine or a remote access tool. Screen capture is nonetheless useful at times, for example when building a product demonstration kit from screenshots, so in FED it is one of the standard permissions on a document. When a user does not have screen capture permission, FED blocks only the window of the secured document, not the whole screen.

The screen capture permission extends to server-based computing (SBC) environments. SBC products such as Citrix XenApp have been on the market for a long time but gained little traction; as virtualization tools become popular, SBC is gaining momentum for its simpler management and better security. Yet there are still many security issues. For example, sensitive documents on XenApp servers can be taken out by XenApp users who have access to them, and those users can also take screenshots while a document is in use. The EDRM products therefore need to be deployed in the back-end application systems and the multi-user version of the DRM Client installed on the XenApp servers, while screen capture is controlled on the XenApp client side. The Fasoo Secure Screen (FSS) add-on module is designed to control screen capture in the XenApp client environment. Without FSS, a DRM-enabled document that lacks screen capture permission cannot be viewed on a XenApp client at all, since the session may be treated as an illegitimate remote access. Remote access from a XenApp client with FSS is treated as the exception, and FSS blocks all other remote access attempts. To force users to install FSS, XenApp connections are allowed only with FSS present. FED thus lets users take advantage of SBC with full DRM capability.

Watermark

Once a document is printed, the printout can end up in the wrong hands, and it cannot be protected by software alone. A watermark on the printout may contain identifiable information that can be used to trace who printed the document, when and where. Visible watermarks are also useful when you want to release sample content widely but make it inappropriate for anyone to reuse. FED can enforce visible watermarking on each page. Visible watermarks may include text or images of identifiable information, such as company, division, title, user name, IP address, etc. FED inserts visible watermarks by a Win32 API overriding method: the visible watermark information is injected before the output reaches the printer driver. Fasoo visible watermarks can therefore be inserted on any printer, even in a virtual printing environment, with no printer dependency. In FED, watermarked printing is also treated as a standard permission on any DRM-enabled document.

Flexible Policy Setting

Basically, any policy can be defined for each document or document group with various combinations of permissions and constraints for each user or user group. Users can be grouped arbitrarily, for example by role, position, division, etc. Documents can be grouped by classification using any criteria. Most enterprises, however, prefer for convenience to define a set of templates first and assign one of them to each document.

Dynamic Policy Control and Offline Access

Policy is bound to a document when a License is issued, not when the document is packaged. This late binding makes it possible to change a policy at any time, and the change applies to all affected documents even if they have already been packaged and sent anywhere. The typical License is a one-time License. Whenever a DRM-enabled document is opened, the DRM Client requests a new License and the DRM Server issues a new one based on the most recent policy. Thus the policy for any DRM-enabled document can be changed or revoked at any time, regardless of where the document resides or how many copies have been made.

One drawback of this late binding is that it requires every device to be connected to the DRM Server. On some occasions this is not possible. In such cases, a multiple-use License with a time limit can be issued instead of a one-time License. The multiple-use License can be used repeatedly until the time limit expires, so the document can be used even without a connection to the DRM Server. Another way of supporting offline use is to issue a special offline License with a time limit, for a specific period and a specific user, through an approval workflow. This converts all Licenses on the device into multiple-use Licenses. This feature is very useful when users travel where no network is available. To avoid abuse of this feature, an approval process may be required before such a special offline License is issued.
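The late-binding behaviour described in the two paragraphs above, as an added toy model that is not Fasoo's code: the server binds the policy only when a License is issued, so a change or revocation takes effect on the next request, while a multiple-use License with a time limit keeps working offline until it expires. Class names, fields and the integer trusted-clock time are assumptions.

```python
"""Added example, not Fasoo's code: a toy model of late-bound License issuance.
A License is built from the policy current at issue time, so a policy change
or revocation takes effect on the next request. A multiple-use License with a
time limit lets the client keep opening the document offline until the limit
expires. The class and field names, and the use of an integer trusted-clock
time, are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass
class Policy:
    permissions: FrozenSet[str]   # e.g. {"view", "edit", "print"}
    revoked: bool = False


@dataclass
class License:
    doc_id: str
    user: str
    permissions: FrozenSet[str]
    multi_use: bool               # False: one-time License, never cached
    expires_at: Optional[int]     # trusted-clock time; None for one-time use


class DrmServer:
    """Holds policies and binds them to a License only at issue time."""

    def __init__(self) -> None:
        self.policies: Dict[Tuple[str, str], Policy] = {}
        self.audit: list = []     # every policy change is logged (audit trail)

    def set_policy(self, doc_id: str, user: str, permissions) -> None:
        self.policies[(doc_id, user)] = Policy(frozenset(permissions))
        self.audit.append(("policy", doc_id, user, sorted(permissions)))

    def revoke(self, doc_id: str, user: str) -> None:
        self.policies[(doc_id, user)].revoked = True
        self.audit.append(("revoke", doc_id, user))

    def issue(self, doc_id: str, user: str, now: int,
              offline_seconds: int = 0) -> Optional[License]:
        pol = self.policies.get((doc_id, user))
        if pol is None or pol.revoked:
            return None           # no License: the client cannot open the file
        multi = offline_seconds > 0
        return License(doc_id, user, pol.permissions, multi,
                       now + offline_seconds if multi else None)


class DrmClient:
    def __init__(self, server: DrmServer) -> None:
        self.server = server
        self.cache: Dict[str, License] = {}   # only multiple-use Licenses
        self.online = True

    def open_doc(self, doc_id: str, user: str, now: int) -> Optional[FrozenSet[str]]:
        """Return the permissions granted for this open, or None if denied."""
        lic = self.cache.get(doc_id)
        if lic is not None and now < lic.expires_at:
            return lic.permissions          # offline reuse within the time limit
        self.cache.pop(doc_id, None)        # expired: fall back to the server
        if not self.online:
            return None
        lic = self.server.issue(doc_id, user, now)
        return None if lic is None else lic.permissions   # one-time: not cached

    def request_offline(self, doc_id: str, user: str, now: int, seconds: int) -> bool:
        """Obtain a multiple-use License (the approval step is assumed done)."""
        lic = self.server.issue(doc_id, user, now, offline_seconds=seconds)
        if lic is not None:
            self.cache[doc_id] = lic
        return lic is not None
```

Note that a revocation does not reach a device holding an unexpired multiple-use License until the time limit passes, which is the trade-off the approval step is meant to control.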

Intelligent Policy Management: Context Aware Protection

Depending on the content of a document, selective packaging is possible. The Packager is usually integrated into the document workflow and turned on automatically, which may result in excessive security. With the Context Aware Protection (CAP) add-on module, the Packager runs only if the target document contains a certain context pattern. In other cases packaging is not enforced and is left in the hands of the user, which usually ends in insufficient security. FED can be enforced whenever the target document contains a certain pattern; a pattern can be defined as a regular expression. At the same time, a document can be classified into pre-defined categories based on its context. For example, if a document contains social security numbers, addresses and phone numbers, it can be classified as a document with PII. If a document contains the code name of a special project, it can be classified as top secret. A pre-defined policy can then be applied automatically without user intervention. This reduces the burden of packaging documents that may not contain sensitive information, and it also minimizes the risk of documents being left un-packaged through user negligence.
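The classification step described above, as an added example that is not Fasoo's code: regular-expression patterns per category, a minimum number of distinct pattern hits so one stray number does not trigger packaging, and a pre-defined policy template applied to the first matching category. Category names, patterns, templates and sample texts are constructed.

```python
"""Added example, not Fasoo's code: a toy Context Aware Protection decision.
Each category has regular-expression patterns and a minimum number of distinct
patterns that must hit; the first matching category in priority order wins and
its pre-defined policy template is applied automatically. A document matching
no category is left un-packaged. Category names, patterns, templates and the
sample texts are constructed for illustration."""
import re
from typing import Dict, Optional

CATEGORIES: Dict[str, dict] = {
    # Constructed project code name; one hit is enough for top secret.
    "top_secret": {
        "patterns": [re.compile(r"\bPROJECT[- ]NIGHTJAR\b")],
        "min_hits": 1,
        "policy": {"access": "view", "print": "no_print",
                   "screen_capture": False},
    },
    # PII: require two different kinds of personal data, not one stray number.
    "pii": {
        "patterns": [
            re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                  # SSN-shaped
            re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),     # phone-shaped
            re.compile(r"\b\d{1,5} [A-Z][a-z]+ (?:Street|Avenue|Road|St|Ave|Rd)\b"),
        ],
        "min_hits": 2,
        "policy": {"access": "edit", "print": "print_watermark",
                   "screen_capture": False},
    },
}
# Strictest first, so a document with both kinds of content gets the stricter policy.
PRIORITY = ["top_secret", "pii"]


def classify(text: str) -> Optional[str]:
    """Return the first category whose hit count reaches its minimum, else None."""
    for name in PRIORITY:
        cat = CATEGORIES[name]
        hits = sum(1 for p in cat["patterns"] if p.search(text))
        if hits >= cat["min_hits"]:
            return name
    return None


def decide_packaging(text: str) -> Optional[dict]:
    """Policy template to package with, or None to leave the document plain."""
    category = classify(text)
    return None if category is None else dict(CATEGORIES[category]["policy"])
```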

Most recently, DLP and EDRM vendors have been collaborating to provide combined offerings. Fasoo also supports DLP integration for customers who want to deploy both DLP and EDRM. In an integrated deployment, DLP senses the context of documents at end-points or network boundaries, and EDRM encrypts the sensitive documents. CAP senses the context of documents while they are in use and protects them throughout the entire document lifecycle. This tight integration offers more room for flexible and robust policy while applying EDRM policy across the document lifecycle.

Tamper Resistance

FED is equipped with many tamper resistance features, including secure copy & paste, secure export and a trusted clock. Additional code is also inserted to prevent memory hacking, reverse engineering and attempts to disable DRM processes.

Secure Copy & Paste

The Windows clipboard is controlled to prevent copying from a DRM-enabled document into a plain document, while copying between secured documents is allowed if the user has the proper permission. Secure Copy & Paste is allowed when the user has more permission on the source document than on the target document, subject to the condition that the target document must be at least editable. This Secure Copy & Paste concept is unique to FED and provides convenience without losing security. “Secure Copy & Paste” is patent-pending technology of Fasoo.
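The clipboard rule above, as an added example that is not Fasoo's code: permissions are compared per dimension (access, printing, capture, un-package), a paste is allowed only when the source permission is at least as permissive as the target on every dimension and the target is editable, and a plain document is modelled as "everything allowed" so content cannot leave a secured document. The dimension names and orderings are assumptions.

```python
"""Added example, not Fasoo's code: a permission lattice deciding whether a
clipboard transfer between two documents is allowed. The paper's rule is
modelled as: the user's permission on the source must be at least as high on
every dimension as on the target, and the target must be editable. A plain
(un-packaged) document is modelled as "everything allowed", so content can
leave a secured document only when the user holds DRM-disabled permission on
it. Dimension names and their orderings are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

# Each dimension is ordered from least to most permissive (constructed names).
LEVELS: Dict[str, List[str]] = {
    "access": ["none", "view", "edit"],
    "printing": ["no_print", "print_watermark", "print"],
    "capture": ["no_screen_capture", "screen_capture"],
    "unpackage": ["no", "yes"],            # DRM-disabled un-package
}


@dataclass(frozen=True)
class Permission:
    access: str = "none"
    printing: str = "no_print"
    capture: str = "no_screen_capture"
    unpackage: str = "no"

    def rank(self, dim: str) -> int:
        return LEVELS[dim].index(getattr(self, dim))

    def dominates(self, other: "Permission") -> bool:
        """True if self is at least as permissive as other on every dimension."""
        return all(self.rank(d) >= other.rank(d) for d in LEVELS)


# A plain document has no restrictions at all.
PLAIN_DOCUMENT = Permission("edit", "print", "screen_capture", "yes")


def can_paste(src: Permission, dst: Permission) -> bool:
    """Decide a Secure Copy & Paste from src into dst for one user."""
    if dst.rank("access") < LEVELS["access"].index("edit"):
        return False                       # the target must be editable
    if src.rank("access") < LEVELS["access"].index("view"):
        return False                       # nothing readable to copy
    return src.dominates(dst)
```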

Secure Export

There are several ways to export the content of a file, such as “print as a file” and “export content in other formats”. FED also encrypts all exported files, which inherit the policy of the source document.

Trusted Clock

FED maintains a trusted clock rather than relying on the local PC clock.


Usage Log and Audit Trail

User and file activity records for sensitive data are useful for forensic analysis, yet they are still considered a detective measure. The tremendous amount of accumulated log data for sensitive documents has brought new challenges to organizations, which are looking for a better decision-making framework for proactively seeking possible data breaches and acting at an early stage. Fasoo Usage Tracer (FUT) allows organizations to set a clipping level for users' usage patterns and to alert on the risk of a possible data breach by detecting inappropriate patterns and activities in advance. It works not only as a preventive measure that strengthens the overall security of the organization, but also draws value out of the user and file activity records for sensitive data.

Every usage log of a DRM-enabled document is sent to the DRM Server. Even when the document has been used offline, the usage log is sent to the DRM Server when the device reconnects. FED offers suitable tools for the document owner or administrator to review and audit the activities of users and documents. Every policy change on the server side is also logged for the audit trail, so security breaches by arbitrary changes of policy can be identified.
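The two ideas in the passage above, a clipping level on usage patterns and an audit trail that exposes arbitrary policy changes, as an added example that is not Fasoo's code: a sliding-window count of high-risk actions per user, and a correlation of policy-change records with later use of the same document by the same user. The log format, sample lines and thresholds are constructed.

```python
"""Added example, not Fasoo's code: two detections over constructed DRM usage
logs. (1) A clipping level: alert when one user performs more than `limit`
high-risk actions within a time window. (2) Audit-trail correlation: alert
when the user who changed a document's policy then uses that document within
a window, the kind of arbitrary policy change an audit trail should expose.
The log format, the sample lines and the thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real Fasoo log output).
SAMPLE_LOG = """\
2013-08-28T09:00:00 user=alice doc=price-list action=view
2013-08-28T09:01:10 user=bob doc=price-list action=print
2013-08-28T09:02:30 user=bob doc=roadmap action=print
2013-08-28T09:03:45 user=bob doc=org-chart action=print
2013-08-28T09:04:50 user=bob doc=budget action=print
2013-08-28T09:10:00 user=carol doc=budget action=policy_change
2013-08-28T09:12:00 user=carol doc=budget action=unpackage
2013-08-28T10:30:00 user=alice doc=budget action=print
"""

HIGH_RISK = {"print", "unpackage"}   # actions that move content out of DRM


def parse(log: str):
    """Turn 'timestamp key=value ...' lines into dicts, oldest first."""
    events = []
    for line in log.splitlines():
        ts, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def clipping_alerts(events, limit=3, window=timedelta(minutes=10)):
    """Users who perform more than `limit` high-risk actions within `window`."""
    recent = defaultdict(deque)        # user -> timestamps still inside the window
    alerts = set()
    for e in events:                   # events are assumed to be in time order
        if e["action"] not in HIGH_RISK:
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) > limit:
            alerts.add(e["user"])
    return alerts


def self_authorized_use(events, window=timedelta(hours=1)):
    """(user, doc) pairs where a user changed a doc's policy and then used it."""
    changes = {}                       # (user, doc) -> time of last policy change
    hits = set()
    for e in events:
        key = (e["user"], e["doc"])
        if e["action"] == "policy_change":
            changes[key] = e["ts"]
        elif key in changes and e["ts"] - changes[key] <= window:
            hits.add(key)
    return hits
```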

Fasoo Enterprise DRM Suite

The FED suite consists of several products that can be used alone or combined to extend coverage.

Document Security Domain

After numerous EDRM deployments, the Document Security Domain (DSD) concept was developed. A DSD refers to a boundary within which the security policies for documents are maintained. Throughout its whole lifecycle, a specific document moves through several DSDs.

Let’s examine the lifecycle of a document, for example an MSRP table, and the desirable security policy for it. While the document is being edited by a sales manager on his/her desktop and circulated for approval, it should be kept secret within the persons involved in the approval process. After approval, the price list is uploaded to the ECM system and becomes available to all internal sales staff. At this stage, the user boundary should be widened to all internal sales, but access should be read-only. If a new partner joins as a distributor, the document needs to be shared with them; the partner should then be allowed to view it, but not to re-distribute it to anyone else.

In this example, the document belongs to at least three different DSDs along its workflow. When it crosses a DSD boundary, the security policy may change, the responsibility for document security may pass to a different person, and the system that authenticates users may also need to change.

DSDs can be categorized into three major types: Server DSD, Ad-hoc DSD and PC DSD. FED products are designed to meet the requirements of each DSD separately, for security and manageability reasons.

PC DSD is the domain in which documents are created and edited but not yet registered on a server. The documents may not yet be final or official, but they may still contain a lot of sensitive information and should be secured. To support this domain, EDRM should be enabled from the creation of a document. The security policy of documents at this stage is best defined based on the author’s security privilege.

When documents are checked into an ECM, they are controlled by the ACL of the ECM. However, that security policy cannot be maintained once the documents are downloaded from the ECM. This is why EDRM is required to protect documents on an ECM. Server DSD is the domain controlled by a server such as an ECM. The security policy of this domain is generally an extension of the ACL, applied persistently and with additional security options that are available only with EDRM. User authentication should be integrated with that of the server so that the existing ACL is extended systematically. It is natural that the administrator of the server is responsible for the security of Server DSD documents.

At some point in the document lifecycle, the document needs to be sent to a person outside the current authentication boundary. In this case neither PC DSD nor Server DSD authentication can be applied to the external user. Ad-hoc DSD evolved to serve this domain and requires a new authentication system to cover an arbitrary user boundary.

Server DSD FED Product, Fasoo Secure Document

Fasoo Secure Document (FSD) protects, controls and tracks documents that have left the protective confines of the repository. Figure 2 illustrates FSD integrated with a document repository, which can be an ECM, ERP, PLM or any sort of application server. User authentication is integrated so that a user who has already logged in to the target application system does not need to log in again. The Packager is installed on the repository to package files on the fly at download time. Documents are kept un-encrypted on the repository. Plain documents on the server can be a security risk, but indexing of such plain files is not interrupted by encryption; this is a trade-off between security and usability. Daily routine policy management can be done mostly on the application server, not on the FSD Server. FSD provides tools to integrate with existing authentication systems and a Packager API on multiple platforms.


Figure 2. General Flow of Data and SW Components for FSD

Ad-hoc DSD FED Product, Fasoo Secure Exchange

Fasoo Secure Exchange (FSE) protects, controls and tracks external communication documents and email messages; it is designed for ad-hoc, non-managed users. The main concern of the Ad-hoc DSD is how to authenticate users, because the user boundary cannot be known in advance and is continuously changing. FSE offers a patent-pending authentication method, called FEBA, in which the email ID is used as the user ID and is validated and associated with device information. FEBA makes it simple to manage such arbitrary users with sufficient security. FSE includes a standalone Packager, an Outlook plug-in Packager and an API that can be embedded in existing systems. The FSE Server usually resides inside the front-end firewall, in the DMZ, so that it can be accessed by external users. FSE enables sharing confidential documents through any media with anyone who has an email ID. Figure 3 describes the processes involved in sending and receiving FSE documents.


Figure 3. General Flow of Data and SW Components for FSE

PC DSD FED Product, Fasoo Secure Node

Fasoo Secure Node (FSN) protects, controls and tracks internal communication documents created or edited on a PC. FSN packages documents when users create new documents or edit plain documents on their desktops or laptops. FSN policy can be established by user, group, rank or role. The author’s default policy is applied to a newly encrypted file, and the policy of that document can later be changed by the author if he has full permission. FSN can easily be deployed after synchronizing with an existing authentication system, or without any integration.


Figure 4. General Flow of Data and SW Components for FSN

Extended FED Products

Fasoo Secure Print

Fasoo Secure Print (FSP) deters users from leaking important information through printouts by adding a visible watermark to each printout. The watermark contains the company name, user ID, IP address, printing time, etc., and helps trace the source of the information in case of printout leakage. All printing activities and printed contents are logged to help identify and narrow down the source of a leak.

Fasoo ePrint

Fasoo ePrint is a comprehensive printing management solution that provides both printer-related cost reduction and security. For cost reduction, it enables CPP (cost per page) reduction through toner control and paper usage control. For security, it can allow or block a print job based on predefined permissions or context awareness, and it provides watermarking and pull printing for printout security.

Fasoo Secure Screen

Fasoo Secure Screen (FSS) deters users from leaking important information by photographing the monitor screen with a digital camera or smartphone, by adding a visible watermark to the screen. The screen watermark contains the company name, user ID, IP address, time, etc., and helps trace the source of the information. FSS also blocks screen capture tools and the print screen function, and even stops attempts to capture the screen through virtual machines and remote desktops.

Fasoo Mobile Solution

Fasoo Mobile Solution (FMS) protects documents on mobile devices such as smartphones and tablets by extending EDRM functionality to them. DRM-enabled documents on mobile devices remain protected persistently, even if the device is lost or stolen.

Context Aware Protection

Context Aware Protection (CAP) detects content patterns defined as regular expressions, such as PII, credit card numbers, etc., and secures the relevant documents selectively according to the detection results. CAP can be embedded into FED products such as FSN, FSD, FSE and FSP to make the existing security policy stricter.

Fasoo Usage Tracer

Fasoo Usage Tracer (FUT) monitors usage patterns of DRM-enabled documents and detects and alerts on the risk of possible data breaches, based on predefined rules, while FED products are in use. FUT also presents the monitoring results in an illustrative dashboard and provides comprehensive statistics of document activities periodically.

Summary

FED protects documents persistently on any device, at any time, throughout the entire document lifecycle. A big advantage of FED is that almost all kinds of document formats in the enterprise environment can be protected, including ordinary office documents, graphics and engineering drawings. FED is not limited to the PC platform, as it is now available on mobile devices such as the iPhone, Android phones and the iPad. For each document, FED can control detailed permissions such as view, edit, print, print watermark, screen watermark and screen capture. Further constraints can be imposed, such as the number of devices, the valid access period and the number of accesses.

FED is well prepared to meet the various security requirements of the different phases of the document lifecycle. Enterprises have deployed many application systems to share documents internally. Documents, however, go out of control and become vulnerable to loss once they are downloaded or checked out from application systems such as ECM, ERP, etc. FED is finely tuned for easy integration with existing systems. It is also equipped with patented e-mail-based authentication technology to protect documents shared externally with partners or customers. Even documents created and used on a PC can be secured by FED before they are shared internally or externally. Furthermore, printouts and screens can be overlaid with watermarks, which helps trace the source of a breach and makes users more cautious about handling their printouts and about pictures taken of their screens.

Recently, Fasoo upgraded EDRM to another level, making EDRM smarter and easier to use. It is now possible to set the security policy automatically according to the content of a document. The policy can also be adjusted without user intervention based on access time, device location and document usage history. This context-aware protection makes EDRM more secure without hurting usability and significantly lessens the burden on the EDRM administrator. By collecting and analyzing log data intelligently in real time, FED can alert administrators to irregular or unusual user activities. Furthermore, most recently, Fasoo developed a comprehensive printer management solution for security and cost reduction relating to printers. FED has become a core security infrastructure of enterprises and is also evolving as the solution for securing data in cloud and mobile computing environments.