NORTH AMERICA:  
800 707 4492
UK & EUROPE:  
+44 (0) 1292 430290
sales@locklizard.com
Locklizard
  • Products
    • Our DRM software
      • Product Overview
        • Restrict PDF use
        • Watermark PDF
        • Expire PDF
        • Revoke PDF
        • Disable Print
        • Track PDF
      • Safeguard PDF Security
      • Safeguard Enterprise
    • Secure PDF Viewers
      • Viewer Overview
      • Viewer Demo
      • Web Viewer
      • USB Viewer
    • Add-ons
      • All Add-ons
      • Web Publisher
      • Safeguard Portable USB
      • Ecommerce API
      • Command Line
      • Own Branding
      • Custom Email
    • Purchase
    • Book a Demo
  • Solutions
    • Industry sectors
      • All Industries
      • Auctions
      • Engineering
      • Government
      • Healthcare
      • Libraries
      • Mergers & Acquisitions
      • Publishing Ebooks
      • Publishing Media
      • Publishing Standards
      • Membership Associations
      • Reports & Analysis
      • Tax Advisors
      • Training & Education
    • Vertical sectors
      • All Sectors
      • Board Documents
      • Internal Company Use
      • Large Publishers
      • Small Publishers
    • Business processes
      • Processes Overview
      • Secure Document Sharing
      • Sell Documents Securely
      • Document Retention
      • Prevent Document Leakage
      • Internal Document Control
      • Regulatory Compliance
      • Secure PDF Forms
      • Secure Data Rooms
      • Data Room Security
      • Application Integration
    • Business benefits
    • Regulatory compliance
      • Compliance Overview
      • NIST & DFAR Compliance
  • Downloads
    • Free 15 day trial
    • Viewers
      • Windows Viewer
      • Mac Viewer
      • iOS Viewer
      • Android Viewer
    • Writers
    • Manuals
  • Support
    • Support
    • FAQs
    • Guides
    • Videos
    • White papers
  • About Us
    • Contact us
    • Our customers
      • Customer Overiew
      • Case Studies
      • Testimonials
    • Our technology
    • Blog
    • Why Locklizard?
      • Competitors
      • PDF DRM protection
      • Password protect PDF
      • Product Awards
  • Search
  • Menu Menu

Document Security Certifications

in Blog, Document Security, DRM, PDF Security

Document security solutions, certifications and systems redundancy.

Are security certifications and systems redundancy all they cracked up to be?  Quality standards may tell you about the process but not about the implementation and updates will render previous certifications invalid.

Document security and IT security certifications

A great deal is made these days about certifying business processes, including security ones.  Having well documented procedures and processes may be part of the licensing requirements for a financial institution or a nuclear facility development.  And perhaps the grandfather of the management documentation system standards was the introduction in 1979 of the British Standard BS 5750 for ‘quality management systems’ later to become ISO 9000.

This introduced the idea that confidence in a product could be gained from using an approved quality management system and quality manuals.  But what meaning should be taken for snapshots of documentary processes in the realm of IT and document security systems?

IT Security quality standards

In the IT Security world the USA Department of Defense developed in 1983 the TCSEC – this looked at how you could assess the effectiveness of computer security controls built into a computer system.  This was followed in the 1990s by the ITSEC developed in Europe.  These were replaced by the ISO standard ‘The Common Criteria for evaluating security systems’, which developed the idea of Evaluation Assurance Level as being the depth and rigor of an evaluation against the security claims made for the security target of evaluation.  It does NOT say the security is better the higher the level, but that the claim made is that is has been better evaluated.

The problem with the certification process is that it is essentially a paper based analysis where the process(es) to be followed are documented and then checked to see that the process(es) can be followed.  What it does not do is say if the process(es) link together to form overall effective security.  We may not be able to see how well evaluated the security functionality was.

So what can go wrong with the process?

1.  Incomplete specifications for document security processes

So take for example the following document security method – a file is to be encrypted with a symmetric key which must travel with the file.  The cryptographic modules are certified as being suitable.  The software code is developed according to standards which are suitable for applications development.  The process is documented.

However, nothing is mentioned about the protection mechanisms for the key, and if they work, and how they are verified, whilst protecting the cryptographic mechanisms will have been addressed very thoroughly.  Further, higher level protection mechanisms including code obfuscation and encryption or even running virtual machines to carry out commands and protect data (especially personal data) may have been used but are likely not to be documented.

All of these things may be mentioned as options in a document protection scheme but are only found by verifying that they are both present and properly configured.  And they may need provision for testing in a variety of environments because some anti-virus products report protected programs as rogue because the same techniques are used by hackers to prevent their programs from being recognized and reprogrammed or removed.

2. Lack of evaluation

One of the most horrifying failures to implement and carry out best practice led to the collapse of Barings Bank in 1995.

A manger in Barings Futures Singapore was able to place and authorize purchases and sales in the stock and money markets, and was able to cause computer systems to report losses as gains.  This was against best practice, but was not picked up by either internal compliance or the auditors until far too late.

3.  Reliable Audits

It was reported in the Independent on 10 July 2019 that, “Overall, only 75% of the sample of audits from among Britain’s 350 largest-listed companies for the year ending December 2017 met quality standards.”  That is not to suggest that audits themselves are of no value but to note that they may not always report on every situation or challenge management sufficiently.

Auditors may also have to rely on internal ‘experts’ to help them understand the systems in place and of course the information given could be biased.

4.  Product updates and changes

Perhaps the greatest enemy of any document security system or IT system is change.  Any WordPress site manager gets used to the regularity with which updates break previously perfectly sound systems without any warning, affecting both the main site functionality and the underlying security.  So there are even greater effects when Operating Systems and their components are updated.  When considering document security systems these are two aspects that are critical.

The impact of change of user functionality can lead to security failure – being unable to prevent printing a secured document, for instance, can be catastrophic for application system security even if the SSL technical controls work just fine and make sure the document is not falsified.

Changing or upgrading the version of PHP used in a server can have unforeseen consequences simply because of the complexity of testing security functionality is time consuming and therefore expensive as compared with the approach of putting it in and seeing what happens (suck it and see), which one can argue is what UAT testing is about?  Most applications manufacturers have some reliance on end users finding errors because there are many more people focused on the task.

Security certifications will no longer be valid once either the document security software or a system on which it runs are updated since even minor changes can have significant unintended results.  This is especially true when relying on plugins and browser environments which are highly vulnerable to application and operating system updates.

Does systems redundancy make up for testing?

Availability, sometimes part of a Service Level Agreement, is a difficult topic which comes somewhere out of risk analysis and business requirements.  High availability is considered the desired application goal even if there is no document specifying what that means in terms of equipment which you can install and control and systems where you cannot.

Chief among these things you can control are firewalls and routers and servers.  So you can make hay while the sun shines and put in redundant hardware and failover switching until the cows come home.  And hope that on the day it all actually happens according to very carefully tested plans – which need documenting rather a lot!

Chief among the things you can’t control is the public Internet, which is where things are very different.  As happened in the early lockdown phases of Covid-19 there was a massive move to using public Internet connections as the carrier for commercial infrastructure.  This put the Internet under tremendous strain and systems experienced response difficulties they had never thought about (only to find that no amount of redundancy or failover would solve this problem).

If you have ever experienced DNS cache poisoning (where bad DNS IP addresses get propagated into the DNS replication mechanism and are distributed) then you know how easily systems can be affected.  For a day or so getting to some web sites will be hit-and-miss depending on which ISP you connected through as to if you got the right connection or not.  There is no hot-line to contact and you have to sit and wait for the Authoritative Name Server admins to fix it.  And no, you don’t have redundancy hardware for that.

And finally redundancy may not work as planned.

Back in April 2004 Computer Weekly reported that a fire in a BT cabling tunnel in Manchester England took out telephones, faxes and access to networks including mobiles for 130,000 businesses, and the resulting loss of capacity had impacts 100 miles away from the disaster location. Although buildings were not affected disaster recovery plans were activated which also involved major businesses and call centres because there was no way of getting circuits restored and re-cabled quickly.  The conclusion is that everyone thought they had redundant systems and connections, but found out maybe not.  No amount of quality standards at the applications level could ever allow for the unplanned – like a bomb going off in the City of London taking out the office infrastructure but leaving the telecoms alone.

Conclusions

IT Security Certifications may help manufacturers focus on security points that may have been missed at the design stage, and that can be valuable.  But certifications do not tell the whole story.  Just as important is the web history of the results of attacks against the security application since hackers like to prove a point.

Also errors become part of history and often have to be supported.  On 17 May 2020 Wired published an article over shortcomings recently found in PGP, the biggest file encryption security program of all.  It commented, “One of the many problems with PGP is its age, says Green. It was first developed in 1991 (“when we didn’t really know anything about crypto”) and then standardized into OpenPGP from 1997.  The science of cryptography has advanced dramatically since then, but PGP hasn’t, and any new implementations have to remain compatible with the features of previous tools, which can leave them vulnerable to similar exploits.”  Adobe has a similar problem with PDF password protection.  So when certifying document security solutions, do you include history that has to be supported?

There is a danger that redundant systems turn out to be just that, and not sacrificial defenses.  Rather like certifications, you need to understand what the claims are, what versions of a system they refer to (and the versions of the underlying architecture) and how well they have been evaluated.  Always remember Gilb’s hypothesis, “fixing one bug in any application creates two bugs, only one of which is likely to be found.”

Tags: document security, document security audits, document security certifications, document security methods, document security processes, document security redundancy, document security solutions, document security standards, document security systems
Share this entry
  • Share on Facebook
  • Share on Twitter
  • Share on WhatsApp
  • Share on Pinterest
  • Share on LinkedIn
  • Share on Tumblr
  • Share on Reddit
  • Share by Mail
https://www.locklizard.com/wp-content/uploads/2020/09/security-certifications.png 288 479 Ryan Maskell /wp-content/uploads/2015/02/logo.png Ryan Maskell2020-08-21 21:51:432022-11-18 15:18:16Document Security Certifications

Free Trial

“Fantastic product… outstanding support.”

“We would recommend Locklizard to others”

“The clear leader for PDF DRM protection”

“Our ebook sales have gone through the roof”

“Simple & secure – protects IPR from theft”

Trusted by:

Protect IPR

See why thousands of companies use Locklizard to safeguard their documents and increase revenue streams.

  • Our Customers
  • Customer Testimonials
  • Customer Case Studies
  • Locklizard vs Competitors

Latest Posts

  • Amazon DRM & Kindle publishing is penalizing authorsMarch 10, 2023 - 6:51 pm
  • Adobe Experience Manager & Cloud Document SecurityFebruary 28, 2023 - 7:38 pm
  • How to prevent users removing security from PDF filesFebruary 20, 2023 - 7:40 pm
  • How to protect a Word document without a passwordFebruary 10, 2023 - 6:25 pm
  • Using Dynamic Watermarks to Protect DocumentsJanuary 31, 2023 - 7:13 pm
PDF DRM Features
  • Protect PDF files
  • Stop PDF sharing
  • Stop PDF copying
  • Restrict PDF editing
  • Add PDF watermarks
  • Disable PDF printing
  • Stop screenshots
  • Expire PDF files
  • Revoke PDF files
  • Lock PDF to devices
  • Lock PDF to IP
  • Track PDF opens

How To Guides

Prevent PDF security removal
Protect Word without password
Add a dynamic watermark
Password protect Google Doc
Add a watermark in Word
Make a PDF non editable
How to create a stamped PDF
How to prevent ebook piracy
Password protect a Word doc
How to protect a PDF securely
How to revoke document access
Change PDF security settings
How to disable printing of PDFs
Sell online courses securely
How to add security to a PDF
Encrypt a PDF without Acrobat
Share documents securely
How to prevent PDF sharing
Protect confidential documents
How to publish ebooks securely
How to restrict PDF editing
How to password protect a PDF
How to protect ebooks
How to sell Reports securely
How to make a PDF read only
How to send a PDF securely
How to watermark a PDF
How to lock a PDF from editing
How to encrypt a PDF
How to make a PDF expire
How to password protect a PDF
How to protect online courses
How to email a PDF securely

Try Safeguard today

Start protecting your PDF files and documents from sharing & piracy

PRODUCTS

Product Overview
Safeguard
Safeguard Enterprise

Add-ons

  • eCommerce API
  • Command Line
  • USB Protect
  • Web Publisher
  • Own Branding
  • Custom Email

Secure PDF Viewers

  • Web Viewer
  • USB Viewer

SECURITY FEATURES

Stop copying, editing, saving
Disable PDF Prints
Block Screenshots
Disable Copy Paste
Dynamic Watermarks
Expiry & Self Destruct
Revoke Documents
Device Locking
Location Locking
Track PDF Use

PRICING

Purchase & Pricing
Instant Quote

RESOURCES

FAQs
Locklizard Blog
Knowledgebase
Security Guides
White Papers
Viewer Demo
Videos

DOWNLOADS

Secure Viewers

  • Windows
  • Mac OS X
  • iOS
  • Android

Writers
Product Manuals
FREE Trial

DOCUMENT SECURITY

Share Documents Securely
Protect Online Courses
Stop Ebook Piracy
Document Encryption
Secure PDF Distribution
Protect Confidential Documents
Ebook DRM

Protect PDF Files

  • PDF Copy Protection
  • Lock PDF files
  • Encrypt PDF
  • Secure PDF
  • PDF DRM

INDUSTRY SECTORS

Training & Elearning
Publishing Ebooks
Publishing Standards
Online Libraries
Membership Associations
Engineering
Government
Healthcare
Mergers & Acquisitions
Secure Reports From Theft

  ABOUT US

About Us
Our DRM Technology

Customers

  • Case Studies
  • Testimonials

Locklizard vs Competitors

  • Secure Data Rooms

Company Brochure

  CONTACT

sales@locklizard.com
support@locklizard.com

Business Hours:
Mon – Fri: 8AM to 5PM EST
Tel (US): +1 800 707 4492
Tel (UK): +44 (0)1292 430290

© Copyright 2004-2022 Locklizard Limited. All rights reserved.Privacy Policy|GDPR Policy|Cookie Policy|SITE MAP

Scroll to top