John Landwehr: Raising Acrobat security awareness
Kurt Foss, Editor, AcrobatUsers.com
John Landwehr, Director of Security Solutions and Strategy at Adobe Systems, knows and welcomes a challenge. In fact, he prefers to see what he believes to be a general lack of awareness about the varied Acrobat security features and solutions as a significant opportunity to educate customers. "In a number of cases, many security features have been in the current and past versions of Acrobat for some time, but customers do not realize they are there," he says. "As such, there is a big opportunity to raise awareness about the security tools and techniques built into Acrobat."
Many users who haven't kept up with the relevant security developments are still of the mindset that protecting PDF files relies strictly on a couple of basic password options in Acrobat: one password just to open a file and/or a separate password to make changes to a document.
Over the years and product versions, the notion of securing PDF documents with Acrobat expanded into a more complex method of enabling or disabling any of a select set of file permissions, such as whether or not to allow printing, content extraction, editing and so on.
Today, Landwehr says, "our security solutions are beginning to get much more integrated into a variety of other Adobe business units and products."
That includes not only new and enhanced capabilities within the desktop product, such as creating secure eEnvelopes, he says, but also new server-based solutions, primarily the Adobe LiveCycle Policy Server, designed to meet the needs of enterprise-wide document workflows, both inside and outside the firewall. The use of default and custom policies extends document protection beyond delivery, allowing the document creator to specify the authorized users and uses and to control all aspects of what happens to a document, for example, allowing access to be time-limited, tracked or even dynamically revoked in real time. (Policies [PDF: 89 KB] can also be created in Acrobat 7 on the desktop using a Web-based interface.)
Adobe's current security solutions are designed to cover:
- Confidentiality: Who has access to the document
- Authorization: What someone can do with the document
- Accountability: What someone has done with the document
- Integrity: Whether a document has been altered
- Authenticity: Who is the source of the document
As a result of this broader integration across the also-expanding company (most recently including the acquisition of Macromedia and its line of products), information about Acrobat and PDF security features has become more widely distributed across the Adobe.com site. In January 2006, Landwehr and a number of security team colleagues launched a company blog called Security Matters, as an outlet for "news, views and other informal discussions about Adobe Systems Information Assurance initiatives that protect information by ensuring their authenticity, integrity, confidentiality/privacy and non-repudiation."
Landwehr says the blog, updated regularly during the past few months, provides a single entry point for the public to see what's new in the area of security solutions, including topics such as Digital Rights Management (DRM), Information Rights Management (IRM), digital signatures, Public Key Infrastructure (PKI) and identity management. "It's less about personal views and more about Adobe products, partners and market opportunities," he says. One of the early entries, titled "Where to go for more security information?", perfectly highlights the situation Landwehr described about security information being distributed throughout the company. The blog's compilation of resources and links for specific aspects of Acrobat security includes:
- Overview of Adobe information security solutions
- Technical information on Acrobat and PDF Security, LiveCycle Policy Server, LiveCycle Document Security Server and LiveCycle Reader Extensions
- Adobe's security partner ecosystem
- Adobe product security advisories
- Report security vulnerabilities or incidents in Adobe products or services
- Form for submitting a privacy complaint
- Form for reporting suspected software pirates
- Enterprise Developer Program for evaluation of LiveCycle software
A security-related topic of interest to those who regularly or occasionally need to selectively remove sensitive information from publicly available PDF files, as in the release of previously classified government documents, is a recent series of whitepapers on proper redaction techniques. The National Security Agency (NSA) released an updated report in February 2006 titled "Redacting with Confidence: How to Safely Publish Sanitized Reports Converted from Word to PDF" [PDF: 562 KB] that addresses several commonly made mistakes. A number of these have led to high-profile, widely reported incidents in which failed redaction efforts at various agencies or organizations led to unintentional revelations, at best embarrassing and at worst compromising individual privacy or national security.
The cause is almost invariably user error, such as putting an easily circumvented, filled-in rectangle on top of text or images in an attempt to obscure the information. In an article headlined "Acrobat user gaffe exposes classified Defense information," Government Computer News (GCN) reported on a failed redaction incident last year involving a military report posted on the Internet. GCN quotes Landwehr explaining that this "information security breach arose from not using a third-party redaction tool in Adobe Acrobat, the application that prepared the PDF." He notes that the document's author "simply changed the background color of the text to match the font," adding that "had they used an actual redaction tool on the PDF, the text would have been completely removed."
Adobe recently released its own report titled "Redaction of Confidential Information in a Document" [PDF: 593 KB] that details techniques that can be accomplished with Acrobat alone, such as using the Drawing Markup tools, flattening the file, converting to TIFF and then reconverting the multiple image files back to PDF. Landwehr says the Acrobat-only method "addresses all of the use cases I saw from customer incidents last year."
Another common error is the failure to remove application metadata (revision history and other information about the document) from MS Word files prior to conversion to PDF; the not-meant-to-be-public metadata can then be discovered in the resulting PDF. Both the NSA and Adobe reports cover the best ways to sanitize documents (scrub hidden data) prior to converting to PDF, including the features available in the PDFMaker utility that works with the MS Office applications.
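A pre-publication check for the two mistakes described above (a filled rectangle that leaves the text in the file, and authoring metadata carried into the PDF), added here as an example and not taken from Adobe, the NSA report or the original article. The function names are hypothetical and the sample bytes are a constructed PDF-like fragment; the scan reads only literal strings in uncompressed or Flate content streams and the document information entries, so an empty result is not proof that a real file is sanitized.

```python
import re
import zlib

STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
LITERAL = re.compile(rb"\(((?:\\.|[^\\()])*)\)")  # PDF literal string
INFO = re.compile(rb"/(Author|Title|Subject|Keywords|Creator|Producer)\s*"
                  + LITERAL.pattern)

def _norm(raw):
    # Drop backslash escapes and whitespace so split or kerned text still matches.
    return re.sub(rb"\s+", b"", re.sub(rb"\\(.)", rb"\1", raw)).lower()

def page_text(pdf):
    """Concatenate every literal string found in the content streams."""
    parts = []
    for m in STREAM.finditer(pdf):
        try:
            data = zlib.decompressobj().decompress(m.group(1))  # Flate stream
        except zlib.error:
            data = m.group(1)                                   # stored as-is
        parts += [s.group(1) for s in LITERAL.finditer(data)]
    return b"".join(parts)

def metadata(pdf):
    """Document information entries that were carried into the PDF."""
    return {k.decode(): v.decode("latin-1") for k, v in INFO.findall(pdf)}

def prepublication_check(pdf, sensitive_terms):
    """Return (where, term) for each sensitive term still present in the file."""
    places = {"text layer": _norm(page_text(pdf))}
    for key, value in metadata(pdf).items():
        places["Info /" + key] = _norm(value.encode("latin-1"))
    return [(where, term) for where, hay in places.items()
            for term in sensitive_terms if _norm(term.encode("latin-1")) in hay]

def build_pdf(content, info=b""):
    # Constructed PDF-like fragment (no catalog or xref), enough for the scan.
    body = zlib.compress(content)
    return b"".join([b"%PDF-1.4\n1 0 obj\n<< ", info, b" >>\nendobj\n2 0 obj\n",
                     b"<< /Filter /FlateDecode /Length ", str(len(body)).encode(),
                     b" >>\nstream\n", body, b"\nendstream\nendobj\n%%EOF\n"])

BOX = b"0 0 0 rg 60 690 300 20 re f\n"  # filled black rectangle
OVERLAID = build_pdf(b"BT /F1 12 Tf 72 700 Td (Source: Lt. Example, Unit 7) Tj ET\n"
                     + BOX, b"/Author (j.author) /Title (Unit 7 draft)")
SANITIZED = build_pdf(BOX)  # text object removed, information dictionary emptied

if __name__ == "__main__":
    print(prepublication_check(OVERLAID, ["Unit 7", "Lt. Example"]))
    print(prepublication_check(SANITIZED, ["Unit 7", "Lt. Example"]))
```

The overlaid sample still reports both terms in the text layer and one in the title field, while the version with the text object removed and the metadata cleared reports nothing.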
One more application of Acrobat's security-and-control capabilities highlighted in the security blog recently is digital signatures. Following a pair of panel discussions in which he participated at the RSA Conference 2006, an industry forum for all things security-related, Landwehr provided an overview of "how the highly competitive BioPharma industry is working together to develop a system using digital signatures in PDF to bring life-saving drugs to market faster, cheaper and more securely." He says that the Signature and Authentication For Everyone (SAFE) user-identity standard aims to enable "more trusted, secure and legally enforceable paperless healthcare transactions," by "replacing hand-written paper signatures with digital signatures in PDF documents."
"An electronic document alone was not sufficient without providing security measures to track authenticity and integrity of the electronic information," Landwehr says. "Digital signatures are used so these electronic documents are cryptographically signed from investigators, to clinical research organizations, to sponsors, and ultimately to the FDA to significantly improve the security of these documents as they move from organization to organization."
Landwehr suggests four security best practices to help users understand and make greater use of Acrobat's security-and-control capabilities:
- "Always check your metadata before you publish a document externally to make sure it only shows what you want it to show and nothing more."
- "Use the security capabilities to restrict modification, copying and pasting, printing, or even who can open a document."
- "Utilize the certify-document capabilities if you want to show document recipients that it really came from you and hasn't been changed."
- "Use the digital signature capability if you want to show an alternative to handwritten signatures for documents or forms that require approval or consent."