Vincera, Inc. - VIP Frequently Asked Questions

With automated conversion of over 300 types of digital assets to Adobe’s PDF, VIP delivers business intelligence, data loss prevention, and business friendly digital rights management in one software solution for all your business-ready documents and digital assets. With automated conversion to Adobe’s PDF your data in motion is fingerprinted to detect tampering, digitally watermarked as a unique document thread, encrypted for protection and associated to a security policy to ensure secure distribution and access. With every desktop fingerprinted and document behavior monitored, VIP Alerts and Reports meet management, compliance and audit requirements for managing your digital assets and sensitive information throughout the document thread.

Conceptually, the Vincera Document Thread™ is the culmination of distribution and usage knowledge acquired by VIP as data in motion is distributed to an original recipient and throughout the tree of subsequent recipients. Technologically, the Vincera Document Thread™ is the culmination of the unique digital watermark that identifies the original recipient of data in motion, the fingerprint of the source digital asset, and the fingerprint of every desktop and laptop from which the “document” is accessed. Through this knowledge and technology, the Vincera Document Thread™ adds the ability to protect, monitor, measure and manage data in motion as it is distributed and redistributed during the normal course of business. The Vincera Document Thread™ is the foundation for distribution audit trails and eforensics.

VIP Document Security Policies establish rules that will pertain to all VIP protected documents, such as: if authentication is required; whether offline access is allowed or not; expiration timings; and allowing certain functions within the protected documents. These policies are used in the tracking of document distribution, enforce document security, report document usage metrics and are the basis for the Vincera Document Thread™. A VIP Document Security Policy travels with every instance of a VIP protected PDF document.

Only VIP document security software with its patent-pending Vincera Document Thread™ enables a process Vincera calls “business friendly distribution,” whereby users of VIP are empowered to apply the appropriate security level and decide what action to take based on document threading and the knowledge gleaned. Vincera’s business friendly distribution allows companies to maintain control over all e-distributed content with maximum ease and speed, so that commerce is furthered, not hindered, by enacting the necessary document security measures. This meets the needs of InfoSec, compliance, risk and privacy officers in all industries concerned with safeguarding intellectual property and other sensitive data in motion.

VIP Alerts are automated emails sent by the VIP system to designated recipients when unusual document distribution and usage is detected. These alerts are triggered when usage and/or distribution thresholds (VIP Alert Thresholds) are exceeded.

VIP Alert Thresholds are configurable (by the VIP Administrator) limits to document usage and/or distribution that, if exceeded, trigger an automated VIP Alert to be sent to designated recipients. VIP Alert Thresholds are one avenue to making the monitoring and measuring of document usage and distribution actionable.

The VIP Adobe Acrobat Plug-in is a small piece of software (1.14 MB) required for viewing documents protected by VIP. The Plug-in must be installed on each client machine that will be viewing VIP protected documents. This is a one-time requirement.

A Vincera Document Thread™, which tracks every instance of a particular PDF, can be disabled manually with the click of a button by a VIP System Administrator or automatically by VIP when an Alert Threshold has been exceeded. Once disabled, every instance of a PDF within a particular Vincera Document Thread™ is no longer accessible. This management feature could be used, for instance, to disable all Vincera Document Threads™ that originated with a former employee or former business partner. And, if circumstances require it, a Vincera Document Thread™ can also be re-enabled by a VIP System Administrator with a similar click of a button to re-establish access to all PDFs within a Vincera Document Thread™.

Because VIP is based on a framework of Business Friendly Distribution, its operational impact on document recipients is minimal. A one-time download of the VIP Adobe Acrobat Plug-in is required to view VIP-protected PDFs on a particular machine. Subsequently, each time a recipient attempts access to (i.e. attempts to open) a VIP-protected PDF, a small splash screen is briefly displayed prior to the PDF being opened (or having accessed denied):

No. With its Business Friendly Distribution architecture, VIP can be effectively plugged into portal-specific use cases. For instance, VIP can be established at an enterprise department level, such as legal or HR, and then efficiently migrated to other areas within the enterprise.

To track Vincera Document Threads™, does VIP require the transmission of any personally identifiable information relating to document recipients?

No, VIP does not add any personally identifying information about the original recipient or subsequent recipients to the encrypted PDF file or associated security policy file that travels with a PDF.

Yes, online PDF usage and distribution tracking is reported in real-time. If offline usage of a PDF is allowed, the usage information is reported at the next availability of an Internet connection.

With VIP, all the endpoints of an electronic document's distribution and redistribution can be traced and captured?

Yes, with VIP all the endpoints of an electronic document’s distribution and redistribution are traced and captured. For a document access (open or denied, online or offline), VIP fingerprints the machine, captures the IP address and has the ability to capture other parameters like MAC address, Windows Login and Device Serial Number creating a document thread.

The software only operates on PDF?

The final protection is applied to a PDF document. However, VIP can convert most file formats (Office, Images, Presentations, CAD etc.) into PDF documents without loss of data.

How are the documents disabled?

In most cases when a policy threshold is exceeded, the administrator of the VIP system gets an email alert. The email alert has a link to the VIP Reporting Client from where he/she can disable a document with a single click of a button. Alternatively, you can set a rule to automatically disable a document when a threshold is exceeded or an administrator can directly go to the VIP Reporting Client and view reports and disable documents. Importantly, in all cases the actions of the administrator are recorded and can be reported upon. Also, once a document is disabled it can be re-enabled by a simple click of a button.

Can a document be monitored in stealth mode?

VIP’s messages are completely configurable and optional. Vincera recommends that a company provide a message to the PDF end user that they are viewing a protected PDF and that to view the PDF - the PDF needs to connect to the Access Control Engine. Although, this is recommended, a company may choose to display no messages, in which case the end user will not be aware of the communication and in essence the document will be monitored in stealth mode.

What is the size of Vincera’s component?

The Vincera Adobe Plug-in installer (one time install) is 1.3 MB. The Policy File that gets downloaded when the PDF is opened is 135 KB (very small). The file size increase in the PDF due to protection is 12 KB (extremely negligible).

Is a client required to make it work?

Vincera is an Adobe Plug-In partner and our solution requires that the client download an Adobe Plug-In. To view a VIP document, you need to download and install Vincera’s Adobe plug-in. This plug-in is Adobe Certified and gets installed in Abode’s plug-in directory. It is approximately 1 MB in size and downloads/installs within 2 minutes on a DSL/Cable connection.

Is a copy of Acrobat, WORD or another program not considered part of your software or "client" needed to make it work?

As part of the VIP process we convert any digital format, we can convert approximately 300 different source formats, to the Adobe PDF. This enables us apply additional document security at the copy, print, save as level within the process. As VIP converts all document types to an end state Adobe PDF, to view a VIP document – Adobe Acrobat 6.0 or higher needs to be installed on the client machine. Adode Acrobat is freely available at http://www.adobe.com/products/acrobat/readstep2.html.

Does the system operate on Windows?

VIP runs on a Windows client. VIP documents work on Windows 2000 and greater, while VIP Server installation works on Windows 2003 Server.

Does the system operate on MAC?

VIP documents works on MAC OS X 10.4 for PowerPC and Intel. VIP Server installation is not supported on MAC.

Does the System operate with other *NIX based systems (SUN, BSD, Linux)?

VIP documents do not work on SUN, BSD, Linux because Adobe does not fully support encryption/security on these operating systems. VIP Server installation is supported on Linux and SUN.

Through user management control, who can access the document?

VIP invokes your authentication process, i.e. LDAP and/or Active Directory, eDirectory, including multi-factor authentication, so that all access control is setup once and centrally managed. This capability is executed via Security Policies that are associated to document groups. In this way, the security level of the data in the document can match the security level of the data when it is at rest.

Through user management control, who can edit the document?

Via a point-n-click interface you can allow or dis-allow the ability for a recipient to add comments to the document. This is executed via the Security Policy associated with the document.

Through user management control, who can save the document?

Whereby a document can be “save as” the security policy of the original source document is also applied to the copy. The copy is also managed as part of the source documents thread so that in the event that the document thread is disabled then the copy is also disabled. Additionally, metrics are maintained on the copy just as they are on the source.

Through user management control, who can physically print the document?

Via a point-n-click interface you can allow or dis-allow the ability for a recipient to print the document. This is executed via the Security Policy associated with the document.

Through user management control, who can screen print/screen capture the document. (Does it work against screen scraping utilities?

VIP does not currently address this scenario. We have had discussions with Adobe and they have noted that they are working on a solution that will be available to VIP when it is generally available.

Are there other user functions that the user management controls?

VIP enables the administrator to disable/enable documents on a global basis or on a more granular basis such as by recipient or by document thread. VIP also generates email alerts that are exception based and notify the administrator when a business rule has been violated. The VIP system also supports expiration dates that automatically disable the associated document and document threads. The VIP reporting systems tracks and reports by the number of views for a document, the number of machines that a document is opened on including taking a fingerprint of the machine that is very useful in the event that you need to execute a forensic audit regarding the distribution (document thread) of the document (this fingerprint is configurable).

Does VIP have the ability to easily/automatically serialize the document displayed, for each user that will be accessing it, in a fashion that is difficult to obfuscate or eliminate (like a watermark across the page) in case other digital imagery is used to capture the document (such as a digital camera picture of a screen)?

VIP enables both the physical watermarking (watermark across the page) and the digital watermarking of the document. The digital watermark is the establishment of the document thread and enables you to determine the original recipient of every document and establishes a unique identifier for the document thread. This watermark coupled with the fingerprint of the document allows you to determine if the document has been tampered. The watermark plus fingerprint plus the fingerprint of the recipient machine creates the document thread.

Do VIP administrators have the ability to restrict the user’s ability to shave knowledge of other users or those user’s privileges even within a virtual environment?

The privileges of a user are dictated by the security policy associated to the document and is based on the security requirements of the data in motion. VIP is based upon data security requirements within the document and not on the user community. This is the same for VIP as it is for the data when it is at rest.

What kind of group management capabilities does VIP offer?

VIP takes advantage of groups within your authentication process. You can also deploy VIP at a functional gateway and enforce functional roles security, i.e. every email sent by the legal department will have a certain security policy associated with it.

Can one ID be in multiple groups with different privilege levels?

This would only be a limit of your authentication system as far as VIP is concerned. The user would be required to authenticate, given the security policy this may or may not be required and it may include multi-factor authentication, and the security policy would point to the appropriate authentication system and include group information.

What kind of document encryption does VIP perform?

With VIP documents you currently have the option of choosing between 128 bit RC4 and 128 bit AES. On our roadmap is the option to support 256 bit AES.

It appears that every client has to have the Vincera plug-in in order to work with the particular files. How is deployment of the plugin typically handled on a large scale (internal/external)?

Yes, every client needs the Vincera plug-in. The deployment can be handed internally, i.e. pushed to each client by an IT administrator or externally by downloading it from the client’s website or from Vincera’s website (http://www.vincera.com/acrobat_plugin.html).

It appears that the Vincera product is a J2EE application, what application servers/versions are currently supported (i.e. JBoss, Weblogic, Websphere etc)?

As Vincera’s installation already has JBoss embedded within it, there is no need to support JBoss within an application server. The version of JBoss embedded within Vincera’s installation is 4.0.3.

How are file conversions handled? I believe I read somewhere that everything is converted to PDF. Is this a manual or automated process? What file types are supported?

File conversion is handled through a third party file conversion tool. The process is automatic and the Vincera Intelligent Protection (VIP) can handle over 300 file formats, including all Office documents (Word, Excel, PowerPoint, Project), Image Documents (JPEG, GIF, BMP, TIFF etc.) and Drawing Documents (like CAD,Visio).

Do all documents have to be converted to a PDF and why?

Yes, all documents have to be converted to a PDF. VIP is for end state business ready documents. VIP is not for collaborative documents.

Does conversion of high resolution graphics to PDF cause a loss in resolution?

VIP uses a third party tool to do the conversion of 300 different file formats to PDF. This tool does not cause a loss in resolution when converting an image file (high res) to a PDF.

Does VIP store any meta-data within the PDF?

Yes, VIP stores the unique thread identifier within a PDF’s meta-data. This thread identifier is the most important component of the Vincera Document Thread.

What hash algorithm does VIP use to protect the meta-data?

VIP uses a private GUID and not a hash to protect the meta-data. GUIDs are better than hashes because they cannot be reverse engineered and are always guarantee to be unique.

Can a VIP protected PDF’s security be comprised?

If the document was protected using High Security then it would be extremely difficult to comprise the security of a VIP protected PDF document. VIP leverages Adobe’s security handler to encrypt the PDF. All the security rules and decryption key is stored in a policy file which in high security mode is not stored on the client’s machine and is downloaded every time a client tries to open the document. The VIP plug-in is light weight and if modified will cause the VIP protected PDF to not open.

How does VIP compare to those products that protect corporations from external attacks, i.e. when you receive an email they make sure that the email does not have a virus, or is not spam, or does not have spy ware, etc.? These type of products also protect companies from IM and Web threats.

These products focus on in-bound communication. On the out-bound communication they may encrypt email but do not provide any other functionality like VIP does with tracking, watermarking, auditing, access control and enabling the document thread. VIP protects, monitor, measures and manages out-bound content throughout the distribution life cycle.