Secure Data Rooms & Other Cloud Document DRM systems
Secure Data Room systems require users to log in to a web portal to view ‘protected’ documents in a browser.
Most companies make a great deal of how secure their data (server) systems are (protected by firewalls etc.), but that diverts attention from the real issue: how good (or not) their document protection is.
There are many issues with secure data rooms:
- You have to upload your unprotected documents to a third-party server in the cloud outside of your control. While documents are encrypted, you have no control over what happens to the unprotected documents you uploaded – if anything goes wrong with the process are any temporary files left behind?
- To view ‘protected’ documents, users have to log in with an ID and password. There is nothing preventing them from giving this information to others, which can defeat the whole purpose of preventing document sharing.
- In most systems, the same login credentials can be used at the same time on multiple devices.
- Users can screen grab high quality document content using screen grabbing tools.
- If printing is allowed, users can print to PDF files and other unprotected file formats.
- Usually documents are decrypted on the server and delivered to the client in plain text. That is a lot of temporary files sitting on the server unprotected. Browsers also create their own temporary files, so it is possible for users to extract the plain text files from the client.
- You cannot distribute your protected documents as you see fit or easily integrate protected documents into your existing systems – users have to login to a data room with a fixed layout that you cannot change.
- Document controls are limited (e.g. an expiry date and time) and are set at the file, data room or link level. For example, if you want 10 documents to expire at different times for each user, then you have to create 10 files, 10 data rooms, or 10 links per user. It soon becomes unmanageable.
- Costs can rapidly escalate – you are tied into monthly pricing which soon adds up over a period of time.
- Generally there is no option to host the system on-premises in your own environment.
Two-factor authentication (2FA)
To try to counteract the fact that the login process is insecure (i.e. login details can be shared), some secure data room systems use 2FA as an additional verification measure – this could be a key code sent to a cell phone, a QR code that is scanned, or a link sent to an email address. However, there is nothing to stop users passing this information on to others as well.
Since users find 2FA rather annoying if they are not benefitting from it in any way, some companies make the process easier by storing a cookie on the user's device so they only have to authenticate again when the cookie expires. This, however, makes the system less secure, since users can edit cookies and copy them from one device to another – ‘Cookie Quick Manager’ (a Firefox plugin), for example, lets you edit cookies (change expiry dates) and back up and restore single cookies onto other devices. Other systems like Google Authenticator enable users to back up individual codes and transfer them to other devices.
The graphs and usage data these systems report might look great, but they are totally meaningless. Here you have to understand what or who you are actually tracking – anyone who has the login details.
You cannot rely on IP addresses either, since users regularly change them (they are dynamically allocated by ISPs); users can access the Internet through a proxy (one is bundled with many anti-virus products); or they can use a VPN with a dedicated IP address (so everyone sharing that VPN logs in using the same IP from different locations).
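To give the tracking point above a defensive form, here is an added example (not from the original article or any data-room product) that scans a constructed access log for the same credentials in use on distinct devices at overlapping times, while ignoring IP changes on their own. The log format, the opaque device identifier and the 30-minute session window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample access log (not from any real product).
# Each line: ISO timestamp, login, client IP, opaque device identifier.
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice 203.0.113.5 dev-A1
2024-03-01T09:20:00 alice 198.51.100.7 dev-A1
2024-03-01T09:25:00 alice 192.0.2.44 dev-B9
2024-03-01T10:05:00 bob 203.0.113.8 dev-C3
2024-03-01T13:00:00 bob 203.0.113.9 dev-D4
"""

SESSION_WINDOW = timedelta(minutes=30)  # assumed idle timeout of the portal


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    device: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, device = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, ip, device))
    return events


def concurrent_use(events, attr="device", window=SESSION_WINDOW):
    """Return {user: set(values)} for logins seen within one session window
    with different values of `attr`. Keying on "device" flags shared
    credentials; keying on "ip" shows the false positives the text warns
    about, because one device legitimately changes IP (dynamic ISP, VPN)."""
    flagged: dict[str, set[str]] = {}
    by_user: dict[str, list[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b.ts - a.ts > window:
                    break  # events are sorted, so later ones are further away
                if getattr(a, attr) != getattr(b, attr):
                    flagged.setdefault(user, set()).update(
                        {getattr(a, attr), getattr(b, attr)})
    return flagged
```

In the sample, `concurrent_use(parse_log(SAMPLE_LOG))` flags only alice (two devices within 25 minutes), whereas keying on IP would also flag her legitimate IP change on dev-A1.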
Multiple file type support
Most of these systems say they support multiple file types. In reality they convert files to HTML or PDF format on upload. That is why users can only download PDF files, and why printing is often not aligned correctly (when files have been converted to HTML).