Information Rights Management
EMC Content Management and Archiving
© Copyright 2008 EMC Corporation. All rights reserved.

Business Drivers for Content Security
Protect intellectual property
– Trade secrets
– Competitive information
– IP theft
– Secured collaboration
Compliance
– Regulations
– Audits
Risk mitigation
– Legal exposure
– Data loss
– Privacy breaches
“Despite massive investment in security technology and services… …fewer than one in five companies feel that all their data is adequately protected.”
Source: Enterprise Strategy Group, March
[Chart; surviving label: 18%]

Implications of Information Loss
Stock Plummets 30%!
– March 2001 – Cerner Corp’s stock plummets 30% in one day after sensitive e-mail from CEO is posted on the internet
Case Prejudiced!
– March 2005 – Morgan Stanley prejudices its own case in court by failing to provide relevant records on a timely basis.
Personal Data Lost!
– October 2007 – The Gap loses laptop with 800,000 encrypted job applications. Applications included applicants’ social security number and birth dates.
Trade Secrets Public!
– August 2007 – The Federal Trade Commission accidentally posts a Finding of Fact document in Whole Foods/Wild Oats anti-trust case on a public server with all text available.
Managers Charged!
– June 2003 – Former Boeing managers charged in a plot to steal trade secrets – Occurs during Lockheed Martin competitive bid
Credit Card #’s Stolen!
– March 2007 – Hackers steal millions of customer credit card numbers from TJ Maxx stores. Stolen cards used to purchase millions of dollars of goods. TJ Maxx sued.

Regulators Are Getting Involved
Consumers Demand Protection and Governments Respond with Regulation
Regulation | Who | Data Retention and Data Privacy
Gramm-Leach-Bliley Act (GLBA) | Financial institutions | Ensure security, confidentiality and integrity of non-public client records (15 U.S.C. § 6801)
Health Insurance Portability and Accountability Act (HIPAA) | Healthcare Industry | Patient privacy (Sec ); data encryption is an “addressable” requirement
CA 1386 AB 1950 | Companies with customers in California | Encrypting stored data to prevent identity theft (SEC. 2. Section )
DoD SEC 17.a-4 | U.S. Government | Storage encryption and secure deletion for records management applications and data archiving
VISA CISP | Merchants, payments processors | Requirement to protect stored data, preferably with strong encryption (s.3)
Sarbanes-Oxley | U.S. Corporations | Integrity of financial records and systems (Sec. 404)

The Threat Profile Has Shifted
Perimeter-based Security: Keeping the bad guys out (Necessary but insufficient)
– Solution: Build and protect perimeters
– Approach: Firewall, IPS/IDS, anti-malware
– Focus: Access and availability
– Threat: Denial of Service, network intrusion, external attack
+
Information-based Security: Assume they’re already in (Addresses root cause)
– Solution: Manage and protect information
– Approach: Identity management, data encryption
– Focus: Authorization and accountability
– Threat: Privacy breach, intellectual property theft, insider attack
84% of high cost security incidents are a result of insiders sending confidential material outside of their company. — Gartner 2006

Solutions Not Addressing the Root Issue
Most information security products don’t actually secure information
They protect networks, laptops, and servers
They do little to protect confidentiality and integrity of information
[Diagram labels: Authentication, Clients, SAN, Web Filtering, Anti-spyware, LAN, Anti-virus, VPN, Anti-virus, Firewall, Servers, Threat Detection, Change/Patch Management]

Your Content is in Motion
Information is in constant motion throughout its lifecycle, making it difficult to lock down
Perimeters and resources are constantly being traversed
[Diagram labels: Authentication, Clients, SAN, Web Filtering, Anti-spyware, LAN, Anti-virus, VPN, Anti-virus, Firewall, Servers, Threat Detection, Change/Patch Management]

Securing Content Across the Enterprise
Documentum Security Overview
Inside the Repository
Securing the People
– Authentication
– Identity Management
– Access Control & Authorization
Securing the Content
– Encryption (TCS)
– Digital Shredding (TCS)
– Retention Management
Leaving the Repository – Information Rights Management
Confirm System is Secure – Auditing
Ensure System is Secure – Hardening and Validation

Information-Centric Security Protects Dynamic Content
Treat security as an information management problem
Secure information throughout its lifecycle
Corporations cannot secure information they do not manage
[Diagram: THE LIFECYCLE OF ENTERPRISE CONTENT: Capture, Create, Collaborate, Version, Manage, Publish, Archive, Retire, Re-archive, Query]

Information Rights Management
IRM actively controls, secures and tracks sensitive and confidential information wherever it resides.

EMC IRM Product Suite
ECM Documentum IRM Server (Policy Server)
– ECM Documentum IRM Client for Microsoft Office
– ECM Documentum IRM Client for Adobe Acrobat
– ECM Documentum IRM Client for Lotus Notes
– ECM Documentum IRM Client for RIM BlackBerry
– ECM Documentum IRM Client for
ECM Documentum IRM Services for Documentum
– ECM Documentum IRM Client Bundle For Microsoft Office and Adobe Acrobat
ECM Documentum IRM Services for eRoom
– ECM Documentum IRM Client Bundle For Microsoft Office and Adobe Acrobat
ECM Documentum IRM SDK
Products with embedded IRM
– EMC Infoscape
– EMC Documentum Records Manager

IRM Server Key and Policy Management
Content is always encrypted
The keys are always separated from the content
The local key is destroyed after use
[Diagram labels: Workflow Integrations, Desktop Integration, IRM Policy Server, EMC Documentum eRoom, EMC Documentum Repository, File Share, Content Owner, + Policy, + Policy]

Secure Data Sharing
[Diagram labels: Partner, Hacker, Network, IRM Policy Server, Content Server, EMC IRM Services for Documentum, Workflow, Corporate VPN, Partner Network, Internet, Author, Review]

IRM for EMC Documentum Content Server
Protection automatically applied based on folder, workspace, workflow, etc.
EMC Documentum ACLs are interrogated by the IRM server when content is accessed and applied.
Policy Server references enterprise directories for authentication and authorization.
After authentication, content is viewed securely with policy enforced.
Protected content accessed through normal interaction with EMC Documentum Content Server
[Diagram labels: IRM Policy Server, Client, Enterprise Directory]

EMC IRM Architecture
[Diagram labels]
Clients and integrations: Internet Explorer, Adobe, MS Office, MS Outlook and Lotus Notes, Xtender, eRoom, Documentum Admin, Webtop, Java, WDK-based, Web Delivery Gateway, File Share, API
Information Rights Management SDK
Authentication Infrastructure: ALL Authentication Domains: LDAP, Win, X509, RSA, Documentum, Custom
EMC Documentum IRM Server: Key Mgmt, Authorization, Policy Mgmt, Authentication, Auditing, Encryption

Features – Protects Native Business Information
Clients for major business applications
– Microsoft Office
– Adobe
– HTML
– RIM Blackberry
– Lotus Notes
Works within native application
Allows secure sharing of sensitive documents with internal and external users

Features – Rights Enforcement by Policy
A document policy defines:
– Who can view
– What pages can be viewed (PDF only)
– When it can be viewed
– If copy or edit is allowed
– If printing is allowed
– If guest access is allowed
– If offline viewing is allowed
– Automatic expiration
– Dynamic watermarks

Features – Rights Enforcement by Policy
Mandatory and discretionary policy enforcement options
Choose rights enforcement using administratively-defined templates or ad-hoc policies
Flexibility supports organizational rollout
Allows for workgroup and enterprise-wide applications

Features – Dynamic Watermarking
Dynamic watermarking can provide visible indication of who printed a copy and when they printed it
Can be used for compliance and auditing
Provide watermarks while viewing and/or when printing
Watermarks are customizable
Watermarks support Unicode
Watermarks can use LDAP attributes

Feature – Dynamic Policy Control (NEW)
Dynamic policy control allows recipient entitlements to be changed on-the-fly when individual roles or business needs change, regardless of where the content resides.
Example:
– In April a price list with IRM is downloaded by a sales person
– The sales person e-mails the price list to a customer
– On May 17, prices change and new prices are issued
– At that time, rights on the old price list are revoked, affecting all copies, regardless of location

Feature – Automatic Expiration Control
Rights can also be set to automatically expire
Enforce version control and document retention policies
Access can be revoked no matter where files reside
Example: A monthly price list can be set to automatically revoke all rights at the end of the month

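A small model of why revocation and expiry reach every copy under the key-separation design on the slides above (IRM Server Key and Policy Management, Dynamic Policy Control, Automatic Expiration Control); this is an added example, not EMC code. The class and function names are hypothetical, the year in the dates is constructed, and the SHA-256 keystream is a standard-library stand-in for a real cipher.

```python
import hashlib, secrets
from datetime import datetime

def _xor_stream(key, data):
    # Toy stand-in cipher (SHA-256 counter keystream); use an AEAD in practice.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class PolicyServer:
    """Hypothetical policy server: keys and policy live here, never in the file."""
    def __init__(self):
        self._keys, self._policy, self.audit = {}, {}, []

    def protect(self, plaintext, users, expires=None):
        doc_id = secrets.token_hex(8)
        self._keys[doc_id] = secrets.token_bytes(32)
        self._policy[doc_id] = {"users": set(users), "expires": expires, "revoked": False}
        return doc_id, _xor_stream(self._keys[doc_id], plaintext)

    def revoke(self, doc_id):
        self._policy[doc_id]["revoked"] = True

    def request_key(self, doc_id, user, now):
        p = self._policy[doc_id]
        ok = (user in p["users"] and not p["revoked"]
              and (p["expires"] is None or now < p["expires"]))
        self.audit.append((now.isoformat(), user, doc_id, "granted" if ok else "denied"))
        return self._keys[doc_id] if ok else None

def open_copy(server, copy, user, now):
    """Client side: ask for the key on every open, decrypt, drop the key."""
    doc_id, ciphertext = copy
    key = server.request_key(doc_id, user, now)
    plaintext = _xor_stream(key, ciphertext) if key else None
    del key  # drops the local reference; models "local key is destroyed after use"
    return plaintext

def price_list_scenario():
    server = PolicyServer()  # dates below use a constructed year
    original = server.protect(b"April price list", {"sales_rep", "customer"})
    forwarded = tuple(original)  # e-mailed copy: same ciphertext, no key inside
    before = open_copy(server, forwarded, "customer", datetime(2008, 4, 20))
    server.revoke(original[0])  # May 17: new prices issued, old rights revoked
    after = [open_copy(server, c, u, datetime(2008, 5, 18))
             for c, u in ((original, "sales_rep"), (forwarded, "customer"))]
    return before, after, [entry[3] for entry in server.audit]
```

Because the client holds no key between opens, the model only covers online access; the offline viewing the slides mention would need a time-limited cached grant, which is not shown here.
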
Feature – Continuous Audit Trail
All events in IRM are auditable
IRM provides granular audit trail of what recipients did with the documents, page by page
See who did what, when
Delivers on-going assurance of policy compliance
Auditing is continuous, whether online or offline
Leverage XML logging standards for reporting on audit trail

Feature – Leverages Existing Authentication Infrastructure
Leverages an organization’s existing authentication security infrastructure
– Minimizes impact to administration of E-DRM policies
– Speeds deployment
IRM participates in Documentum’s open authentication framework, allowing for integration with
– LDAP directories
– Multifactor authentication
– Single Sign-on
– Biometrics
– X509.3 certificates
– Smart cards

U.S. Congressional Committee
Challenge
National security committees in the U.S. Congress handle tens of thousands of sensitive documents annually, all of which must be carefully controlled. Prior to adopting IRM, one of the committees kept documents in locked cabinets and used a manual system to log, route and track documents.
IRM Solution
Documents are converted to PDF, then are encrypted with a policy that determines how a document can be accessed and used. Documents are stored on a standard file server and distributed to committee members via e-mail. The committee can now move critical information much quicker while persistently protecting the documents, even after delivery to the committee staff.

Customer Case Study: Ford Motor Company
Requirements
– Securely share the 10 year “Vehicle Vision” product plan for the Ford brands and keep away from competitors and the media
– Require multiple access levels for brand executives
– Must be easy to use for 1,000 insiders around the world, including Chairman Bill Ford Jr.
IRM Solution
– Document owner protects and distributes through portal
– No access outside of current insider list
– Username watermark raises the bar on distribution
“We don’t want to see this in the Detroit Free Press…”

Case Study
ROI: 6 month payback, elimination of paper and delivery costs
Marketing update price books monthly instead of quarterly
Challenges
– Sharing price lists and competitive materials with 2000 sales agents and suppliers globally
– High cost for logistics to distribute by paper
– Competitors placing bounty on our price books
IRM Solution
– Access is tracked continuously and audited
– Ensures only authorized users can access info.
– Username is impressed as a watermark
– Marketing can irrevocably delete at any time

Customer Case Study: Off Wall Street
Requirements
– Protect highly valuable financial information sold as a subscription
– Ensure that documents are not forwarded to unauthorized users, especially competitors
– Regulate what recipients can do with the information (e.g., print, edit) consistently for all reports regardless of who distributes them
IRM Solution
– Increases revenue: users cannot access reports without paying for it
– Provides policy-based usage controls and audit trail for information access
“The product has been trouble-free from the start. We've never had a problem with the software, ever.” —Mark Roberts, CEO

Industry Use Examples for IRM
Manufacturing
– Sharing of new product specifications, planning, R&D, and pricing documents
Government
– Share information on a need-to-know basis within intelligence community
Healthcare
– Communications with business associates
– Control of PHI dissemination
Financial and Legal Services
– On-line mergers and acquisitions
– Protect customer data
– High value research circulation control
– Secure distribution of bills of lading