Protecting confidential documents

Protection of commercially sensitive and confidential documents.

Protecting confidential and commercially sensitive documents requires more than just encryption. Here we explain why document DRM is required to control how documents are used once they have been distributed.

Protect confidential & sensitive documents – stop sharing and leakage

A very wide range of documents in an organization contain confidential, commercially sensitive, or personally sensitive information. Some of them are just for internal use. Others must be shared with a bewildering array of outside organizations that do not necessarily share your definitions of sensitivity and protection, so you have to enforce your views over theirs.

Locklizard Digital Rights Management (DRM) technologies offer a way forwards, allowing the information owner/distributor to exert control over the use of confidential and sensitive documents once they are electronically secured and distributed, preventing recipients from readily misusing or ignoring the constraints the owner wants to apply.

Distributing and managing commercially sensitive & confidential documents

In every organization there are vast numbers of documents containing sensitive information that should not be in public circulation, including:

  • Mergers and acquisitions proposals and documentation
  • Internal procedures (including lending criteria and corporate evaluation)
  • Legal disclosure (aka Discovery)
  • Product planning (including risk analysis)
  • Internal inquiries (also investigations)
  • Market analyses (own and competitive)
  • Business agreements (distribution and licensing)
  • Staff reports (disciplinary and review)
  • Sales documentation (pricing margins)
  • Repair manuals (diagrams, parts lists, substitutions)
  • Contracts (tendering process, final terms)
  • Board minutes (agenda, surrounding documents, decisions)
  • and so on…

It seems to be quite a considerable list, but actually it’s just the tip of the iceberg.  And most of these sensitive documents are currently sent on paper or as emails or as PDF documents, with little thought about the confidentiality of the information being sent and especially how to control what the recipient can do with the sensitive information once it is in their control.

And that’s the problem with most protection systems. They look at protecting the information when it is going from one place to another, or while it is on the server(s). But they don’t address what a recipient can do with the information once they have it. Most, if not all, of the time you don’t want the recipient to be able to do anything more than see the sensitive information, and only sometimes to be able to make a printed copy.

So that is the challenge that WikiLeaks, Assange and Snowden have so ably demonstrated to governments and corporate bodies alike. Even the most secret national, commercial and personal information can be trivially copied and redistributed, and the normal security mechanisms appear powerless to stop this.

An obvious solution to controlling commercially sensitive and confidential information – implementing DRM document management controls – is only taking shape now.  What was the delay?

Using DRM to protect confidential & sensitive documents – stop sharing and leakage

DRM is not a technology that has always been there, otherwise implementing it would have been a no-brainer.  So why has it taken so long to establish high quality document DRM services?

Historically, attention has always been given to protecting access to files rather than to controlling the use of their contents. But the advent of digital publishing has ushered in the requirement for Digital Rights Management (DRM) technologies that are relevant to documents and their contents.

The concept of DRM might date back to the 1960s, when IBM considered having more persistent controls over files but decided that making them workable would place too much reliance on physical controls. This mirrors the eternal debate between complexity and usability, where usability has always won the day and security was left out in the cold.

In the mid-1990s InterTrust patented a number of ways of monetising access to information using security techniques, and fought a number of patent battles, more successfully monetising use of their patents than selling products.

But the real inhibitor to introducing DRM technology was the lack of horsepower in the desktop PC to manage all the encryption since most serious volume encryption was done by hardware and not software.

DRM did develop to answer the desires of the film and music industries until the Content Scramble System was hacked in 1999.  But the nail in the music DRM coffin was delivered by Steve Jobs at Apple, who argued that (in music) everything was sold DRM free so why bother with the costs?  On the other hand the Electronic Frontier Foundation (EFF) were trying to make the argument that anything passed over the Internet must be freely accessible for study and comment.

PDF document DRM saw daylight around 1997 with developments in the print publishing industry where there was a demand for protecting digital books for general public distribution.  But little attention at the time was paid to business and corporate use and protection of confidential documents.

It was another step change to use PDF DRM in the corporate environment for commercially sensitive documents, because corporations had also been relying on domain and network access controls instead of looking at controlling content.

What features make DRM controls so good for protecting confidential & sensitive information?

DRM controls are focused on what a document recipient is able to do with the content, where they can use it, and for how long. So content controls are focused on a series of objectives:

Preventing unauthorised access

  • encryption to stop unauthorised use
  • licensing to identify authorized users/locations

Stopping making uncontrolled copies

  • stopping screen grabbing
  • stopping copying and pasting
  • stopping Save and Save As

Controlling dates when content can be used

  • cannot be used before date
  • cannot be used after date
  • can only be read a fixed number of times or days

Controlling where documents can be used

  • restricting use to specific devices
  • locking to specific IP addresses or networks
  • allow or deny use in specific countries

Identifying the licensed user

  • optionally can be viewed with watermarks on the screen
  • optionally can be printed with watermarks on the printout

Controlling document printing

  • printing can be prevented
  • printing can detect file drivers and refuse to use them
  • numbers of prints taken can be limited

Tracking document use

  • Log when documents are viewed and printed
  • Log when and where this occurred

Combining these overarching DRM functions allows corporate departments to fine-tune the restrictions that are applied to sensitive documents, whether they are in the corporate domain or not. This is very important since some documents will need to be limited to parts of the internal corporate network (the electronic equivalent of Chinese walls) whilst others must be accessible in foreign domains that the corporate body has no wish to connect directly to at any level.

DRM controls for confidential and sensitive commercial documents can be applied both by document content and by recipient(s), allowing a very fine-grained approach. Encryption prevents unauthorised users from any kind of use of the contents, including getting control of licenses and applying them to additional machines, unless the information administrator has decided to allow that.
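To show how the controls listed above combine into a single per-recipient decision, here is an added example (not from the original page and not Locklizard's implementation): a default-deny licence check over device, network, country, date window and view/print counts that logs every decision. The `License` fields, `request_use` and all sample values are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

@dataclass
class License:  # hypothetical per-recipient, per-document policy (not a vendor schema)
    user: str
    devices: set            # device IDs the licence is locked to
    networks: list          # CIDR ranges the document may be opened from
    countries: set          # allowed country codes
    not_before: datetime
    not_after: datetime
    limits: dict            # e.g. {"view": 2, "print": 0}; 0 prevents the action
    used: dict = field(default_factory=dict)

def request_use(lic, action, device, ip, country, now, log):
    """Default-deny check of one request; assumes the viewer already verified its inputs."""
    def decide(allowed, reason):
        log.append((now.isoformat(), lic.user, action, device, ip, allowed, reason))
        return allowed, reason
    if action not in lic.limits:
        return decide(False, "unknown action")
    if device not in lic.devices:
        return decide(False, "device not licensed")
    if not any(ip_address(ip) in ip_network(n) for n in lic.networks):
        return decide(False, "network not allowed")
    if country not in lic.countries:
        return decide(False, "country not allowed")
    if now < lic.not_before:
        return decide(False, "not yet valid")
    if now > lic.not_after:
        return decide(False, "expired")
    if lic.used.get(action, 0) >= lic.limits[action]:
        return decide(False, f"{action} limit reached")
    lic.used[action] = lic.used.get(action, 0) + 1
    return decide(True, "ok")

def demo():
    """Constructed sample: one licence, five requests; returns the reasons and the log."""
    utc = timezone.utc
    lic = License("alice@example.com", {"laptop-01"}, ["10.20.0.0/16"], {"GB"},
                  datetime(2024, 1, 1, tzinfo=utc), datetime(2024, 3, 31, tzinfo=utc),
                  {"view": 2, "print": 1})
    t, log = datetime(2024, 2, 1, tzinfo=utc), []
    reqs = [("view", "laptop-01", "10.20.5.9", "GB", t),
            ("print", "laptop-01", "10.20.5.9", "GB", t),
            ("print", "laptop-01", "10.20.5.9", "GB", t),   # second print exceeds the limit
            ("view", "phone-07", "10.20.5.9", "GB", t),     # unlicensed device
            ("view", "laptop-01", "10.20.5.9", "GB", datetime(2024, 4, 2, tzinfo=utc))]
    return [request_use(lic, *r, log)[1] for r in reqs], log
```

Denied requests are logged alongside allowed ones, so the log doubles as the usage-tracking record described in the feature list.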

Why Locklizard to protect your confidential and business sensitive documents?

Locklizard has been developing the advanced document DRM controls we have discussed for PDF documents since 2004 and is a recognized market leader and specialist in the subject.

Our document DRM solutions enable you to protect your confidential and sensitive documents regardless of where they are stored, preventing sharing and leakage.  Securely share confidential and commercially sensitive documents within an organisation and externally with third parties while retaining full control over their use.