Choosing the right Document Security
Abraham Maslow said in 1966, “I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.” And that is disturbingly true for most of us – especially product manufacturers who want to sell the security silver bullet (aka snake oil) to cure all ills.
So if you want to ‘secure’ a document, immediately four types of security vendor will be extolling their virtues and wares: Data Leakage Prevention (DLP), Encryption, Digital Rights Management (DRM) and Enterprise Rights Management (ERM) or Information Rights Management (IRM).
Probably the biggest installed market of products is Encryption, because it is the only way to make documents secure if they are delivered to the ‘wrong’ people, and the only way of being sure that they have not been tampered with in any way before delivery.
Adequate cryptography is fundamental to the delivery of a secure system. But it is not just a matter of choosing an algorithm and being done: it also means generating identity keys and managing their distribution.
Assuming that is all figured out, you then have to understand what pure encryption is actually doing for you. Pure encryption takes any file and encrypts it just as it is. If you have (or have access to) the key used to encrypt it then you can decrypt it and restore the original file just as it was when it was encrypted. It also means you can then process that file with any tools or applications you wish to use, and that includes modifying, adding or deleting content.
For instance, if the file was in PDF format then the recipient can use a PDF editor to change the original content, and then print it. The original owner of the file cannot prevent them from sending on the original, or any number of variants (depending on what they have changed and how obvious the change is). So is that a secure PDF? It may be fine, especially if your intent is to allow the recipient to process the file – every day millions of encrypted exchanges are sent between financial institutions moving money and trade information that is essential to the running of commerce and countries. But if you want to control downstream access to and use of protected files then encryption is part of the solution, not all of it.
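The two properties just described can be shown side by side: an authenticated cipher detects any tampering with the sealed file, yet once a key holder has decrypted it, nothing stops them editing the content and re-sealing a variant that verifies perfectly. The following Go program is an added example written for this page (not code from the article's author or from any vendor); the key, the sample document and the edit function are constructed for the demonstration, and AES-256-GCM is assumed as the cipher.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Encrypt seals a file with AES-256-GCM and returns nonce || ciphertext || tag.
// GCM is an authenticated mode, so any change to the sealed bytes is detected
// when the recipient decrypts.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag after the nonce so one blob carries everything.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt restores the original file exactly as it was, or fails if the blob was altered.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed file too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// Tamper flips one bit of a sealed file, standing in for in-transit modification.
func Tamper(sealed []byte) []byte {
	out := append([]byte(nil), sealed...)
	out[len(out)-1] ^= 0x01
	return out
}

// ForwardVariant shows the limit of pure encryption: a holder of the key can
// decrypt, edit the content freely and re-seal a variant that verifies perfectly.
func ForwardVariant(key, sealed []byte, edit func([]byte) []byte) ([]byte, error) {
	plain, err := Decrypt(key, sealed)
	if err != nil {
		return nil, err
	}
	return Encrypt(key, edit(plain))
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; derive real keys from a KDF or KMS
	doc := []byte("Constructed sample document: Q3 figures")
	sealed, _ := Encrypt(key, doc)
	if _, err := Decrypt(key, Tamper(sealed)); err != nil {
		fmt.Println("tampering detected:", err)
	}
	variant, _ := ForwardVariant(key, sealed, func(p []byte) []byte {
		return append(p, []byte(" (figures changed by recipient)")...)
	})
	plain, _ := Decrypt(key, variant)
	fmt.Printf("recipient's variant decrypts cleanly: %q\n", plain)
}
```

The tamper check is what makes encryption fit for machine-to-machine exchange; the variant step is why it offers no control once the document has reached a legitimate recipient.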
Data Leakage Prevention (DLP)
As its name implies, DLP is interested in two things: stopping confidential information from getting outside the boundary (usually an internal network with formalised host points such as email servers), and encrypting confidential information for specific approved recipients (generally being sent as email or as an attachment, or being put onto a portable device such as a flash drive or a USB stick).
To run DLP effectively you need to ‘educate’ the product as to words or phrases that are deemed to indicate sensitive information, and that usually means running an application to crawl through all the data in an organization to build a picture of which data are sensitive and who owns them. This is just the start of the DLP process, so don’t hold your breath.
It’s not entirely obvious what DLP systems do with tablet devices and mobile phones and similar that have created so many interesting challenges for an IT department.
The virtue of DLP is that it tries to spot, on an automated basis, which data are sensitive and which are not, and stops people from shipping data out when it is not authorized. But, like our friend encryption, it has no downstream control once the data have left the building. It is likely to prove an interesting tool for demonstrating compliance with the requirements of the 2016 EU Data Protection Rules in terms of determining access rights and prevention of disclosure, although it will take a fair bit of work to implement. But it doesn’t really hit the spot for controlling the downstream distribution and use of data. Like encryption it is geared up for transmission of data for automated processing, and not really for the distribution of documents that contain sensitive or licensed information that can be used by the recipient but not passed on to anyone else.
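The core of a DLP engine is the classification step described above (terms and patterns that indicate sensitive content) combined with a boundary decision (block, or encrypt for an approved recipient). The Go program below is an added example written for this page, not code from the article or from any DLP product; the term list, the approved-recipient list and the three sample documents are constructed, and a Luhn check is included on card-like digit runs to show how a real engine cuts false positives.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Sensitivity is the label the DLP engine assigns after scanning content.
type Sensitivity int

const (
	Public Sensitivity = iota
	Confidential
)

// Action is what the boundary control (mail gateway, USB agent) does with an outbound file.
type Action string

const (
	Allow   Action = "allow"
	Block   Action = "block"
	Encrypt Action = "encrypt-for-approved-recipient"
)

// Constructed term list; a real deployment builds this from a crawl of the organisation's data.
var sensitiveTerms = []string{"confidential", "internal only", "project falcon"}

// Candidate 13-19 digit runs, with optional spaces or dashes between digits.
var cardPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid rejects digit runs that are not payment-card numbers, cutting false positives.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		c := s[i]
		if c < '0' || c > '9' {
			continue
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Classify scans a document's text and returns its sensitivity and the reasons found.
func Classify(text string) (Sensitivity, []string) {
	var reasons []string
	lower := strings.ToLower(text)
	for _, term := range sensitiveTerms {
		if strings.Contains(lower, term) {
			reasons = append(reasons, "term:"+term)
		}
	}
	for _, m := range cardPattern.FindAllString(text, -1) {
		if luhnValid(m) {
			reasons = append(reasons, "payment-card-number")
		}
	}
	if len(reasons) == 0 {
		return Public, nil
	}
	return Confidential, reasons
}

// Decide applies the boundary policy: public content passes, confidential content
// is blocked unless the recipient is on the approved list, in which case it is encrypted.
func Decide(text, recipient string, approved map[string]bool) Action {
	level, _ := Classify(text)
	if level == Public {
		return Allow
	}
	if approved[recipient] {
		return Encrypt
	}
	return Block
}

func main() {
	// Constructed sample documents and recipient list.
	approved := map[string]bool{"auditor@partner.example": true}
	docs := map[string]string{
		"agenda":   "Agenda for the Tuesday all-hands meeting.",
		"budget":   "INTERNAL ONLY: Project Falcon budget, card 4111 1111 1111 1111 on file.",
		"shipping": "Order reference 1234 5678 9012 3456 shipped.",
	}
	for name, text := range docs {
		level, reasons := Classify(text)
		fmt.Printf("%-9s level=%d reasons=%v -> %s\n", name, level, reasons,
			Decide(text, "anyone@example.net", approved))
	}
}
```

Note what the engine does not do: once `Encrypt` has been chosen and the file leaves for the approved recipient, the classification result travels no further, which is the downstream gap the text describes.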
Enterprise Rights Management (ERM) or Information Rights Management (IRM)
According to Microsoft, “Azure Rights Management and Active Directory Rights Management are persistent document-level information protection technologies from Microsoft. They use permissions and authorization to help prevent sensitive information from being printed, forwarded, or copied by authorized users, or accessed by unauthorized people. After permission for a document or message is restricted by using this technology, the usage restrictions travel with the document or email message as part of the contents of the file. Microsoft Office implements support for these technologies by using Information Rights Management (IRM) features.”
In this case they mean Office 2013 or an Office 365 subscription, together with an RMS server.
So far, so good I hope. And you can share documents between companies that have a federated trust relationship. But it may be a bit more difficult if you have any Mac computers, or are trying to deal with tablets and so on.
So this is a corporate scale product for a corporate implementation. Getting to grips with setting up Federation trusts between partner organizations is essential, and the model looks as if it is best set up to bring together a parent organization and its subsidiaries. It is closer to DRM than to DLP, but requires a complex infrastructure to be implemented and supported.
Digital Rights Management (DRM)
As the name might suggest, DRM technologies are used to apply granular access and use controls to digital (dematerialized if you prefer) documents. DRM is usually connected to a licensing scheme or system identifying either individual users or machines and granting them use rights, although not usually saving or copying in an unprotected form. It uses encryption to prevent theft or interception, and specialist Viewers that manage and enforce all the permissions and use limitations (number of times viewed, the last date of use, authorised IP address and so on). These can be very granular indeed, and can allow offline use of documents.
DRM systems can usually be applied across many platforms, so there are inherent advantages over proprietary manufacturer implementations. It makes document formats, such as PDF, very important as it is essential that protected documents do not change in appearance when viewed from different platforms and at different resolutions. This makes all the difference between formats (such as HTML) which vary by browser, or applications such as Word, which can alter appearance and layouts depending on which version you are using, and PDF, which has a consistency across all platforms.
From an administration point of view DRM is much simpler to implement than IRM because you do not have to implement complex trust relationships and interlink domains but can implement across any external network. That is because you are licensing individuals and not worrying about generic domain interactions and policies. DRM policies are applied directly to the user, whether they are internal, external or extra-terrestrial. This means that a DRM system may be implemented internally and externally just as readily, and does not require complex structuring of internal domains and resources.
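The DRM model described in this section (a license issued to a named individual, a viewer that enforces view counts, expiry dates and authorised addresses, and offline use with no federation between domains) can be shown in a short program. The following Go code is an added example written for this page and is not the code of any DRM product; the license fields, the user, the clock and the addresses are constructed, and an Ed25519 signature from the licensing server is assumed as the mechanism that stops the license itself being edited.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// License is issued by the licensing server to one named user for one document,
// and carries the use limits the viewer must enforce.
type License struct {
	User       string
	DocID      string
	MaxViews   int
	Expires    time.Time
	AllowedIPs []string
	Sig        []byte // server signature over the fields above
}

// canonical serialises the controlled fields so the signature covers all of them.
func (l License) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%d|%s",
		l.User, l.DocID, l.MaxViews, l.Expires.Unix(), strings.Join(l.AllowedIPs, ",")))
}

// Issue signs a license; only the licensing server holds the private key.
func Issue(serverPriv ed25519.PrivateKey, l License) License {
	l.Sig = ed25519.Sign(serverPriv, l.canonical())
	return l
}

var (
	ErrBadLicense     = errors.New("license signature invalid")
	ErrExpired        = errors.New("license expired")
	ErrIPNotAllowed   = errors.New("access from unauthorised address")
	ErrViewsExhausted = errors.New("view limit reached")
)

// Viewer is the specialist viewer: it trusts only the server's public key and
// keeps its own view counters so limits hold even while offline.
type Viewer struct {
	serverPub ed25519.PublicKey
	views     map[string]int // docID -> views used so far
}

func NewViewer(serverPub ed25519.PublicKey) *Viewer {
	return &Viewer{serverPub: serverPub, views: map[string]int{}}
}

// Open checks every limit in the license; the document key is released only
// when it returns nil, and the view counter is charged only on success.
func (v *Viewer) Open(l License, clientIP string, now time.Time) error {
	if !ed25519.Verify(v.serverPub, l.canonical(), l.Sig) {
		return ErrBadLicense // edited limits or counters do not verify
	}
	if !now.Before(l.Expires) {
		return ErrExpired
	}
	if !contains(l.AllowedIPs, clientIP) {
		return ErrIPNotAllowed
	}
	if v.views[l.DocID] >= l.MaxViews {
		return ErrViewsExhausted
	}
	v.views[l.DocID]++
	return nil
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	lic := Issue(priv, License{User: "alice", DocID: "doc-1", MaxViews: 2,
		Expires: now.Add(24 * time.Hour), AllowedIPs: []string{"10.0.0.5"}})
	v := NewViewer(pub)
	for i := 0; i < 3; i++ {
		fmt.Printf("view %d: %v\n", i+1, v.Open(lic, "10.0.0.5", now))
	}
	fmt.Println("other address:", v.Open(lic, "192.0.2.9", now))
}
```

Because the policy is bound to the individual license rather than to a domain, the same viewer logic serves an internal employee and an external partner identically, which is the administrative simplicity the text contrasts with IRM's federation trusts.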
Each of the four technologies has its place, but there is no single technology that addresses all the requirements for secure document control.
Where human interaction with secured documents is concerned (HCI), DRM technologies offer significantly more flexibility for both implementation and granularity of control than any of the other technologies. They are also easier to implement, because you do not have to create an infrastructure, or integrate with external infrastructures, in order to deploy them. The range of controls is significantly more granular, because without DRM authorization documents are simply not usable, regardless of where they are stored or sent. The format of choice for DRM documents is PDF as it offers the most consistent presentation over a wide range of operating systems and browsers.
Enterprise Rights Management is an elegant approach to controlling internal documents and to facilitating collaboration in document management and control. It may be an answer to demonstrating compliance with current EU Data Protection regulations. It requires a complex infrastructure, but where there is a corporate IT function there will be the skillset needed for implementation. The internal role performed by IRM may be better complemented by the use of DRM for controlling PDF documents that have to be distributed and controlled over unfriendly networks and devices. DRM provides a more granular control over the onwards distribution of secured documents, and the PDF format is to be preferred for layout presentation purposes across a wide range of devices.
Data Leakage Prevention offers a useful and semi-automated approach to preventing the uncontrolled distribution of sensitive data or personal information. It is not useful as a means of controlling the distribution of secure documents because its focus is on detecting and preventing inappropriate distribution of information. It is likely a good companion to IRM systems for preventing information from leaking out of an internal domain into external domains.
Encryption, ironically, is the tool that is essential to supporting all these other technologies, but the one that offers the least onwards secure document controls. Without encryption the other control technologies would fail. And encryption is fundamental to the secret and provable exchange of machine-processable information. Without it our banking and finance industries would stop very suddenly indeed. But it does not control the downstream use of controlled documents, and, as a result, although it is axiomatic to the other technologies, it is a specialist niche product that on its own does not provide the granularity of controls that document owners and distributors are looking for.
So if you are exchanging information for computer processing, use pure encryption. If you want to control internal access to documents and collaboration, then IRM should suit you. If you want to try to stop people taking controlled documents out of your domain, then DLP is for you. If you want to license people to have specific, controlled use of secure documents, then you need to use DRM, preferably controlling PDF format documents, where you achieve a consistency of appearance both on screen and in printed form.