Why revoking document access is important & how to do it effectively.
In this blog, we discuss the different types of document revocation and what solutions you can use to implement them for PDF documents.
When it comes to document protection, much of the focus is on prevention – stopping documents from leaking, preventing editing, and preventing sharing. The reality, however, is that a system that does not account for failure is not an effective system. Or, as renowned security professional Bruce Schneier puts it:
While hyperbolic, the message is clear. No security system, document or otherwise, is one hundred percent effective. If you do not have the tools in place to detect and act on misuse, you are forgoing a key part of the security process.
This is one of the reasons that document revocation is so important. Even with the best document security tools in place, you can’t account for everything. Perhaps an employee inadvertently sent the wrong document to the wrong people. Perhaps you believe from tracking usage that somebody you sent a document to is misusing it. Or maybe it’s something less malicious: the information you provided initially is simply out of date.
Generally, then the need to revoke documents falls into two categories: planned and unplanned. We’ll be exploring each today, as well as the controls you need to execute them and the type of solution you should be looking for to deliver this.
The most common reason for documents to be revoked is because they have outlived their usefulness. Much like food, many documents have a “sell-by date” – a time after which the information in them is considered too outdated and potentially dangerous. This is especially true with material like training courses, where documents may be constantly updated. Keeping old documents in circulation could result in new or old employees referring to practices that are no longer the best way of doing things.
Embargo and copyright expiry are other common reasons for revocation. Documents may be distributed internally or to press ahead of time, then revoked and reworked for public release. With books, meanwhile, copyright expires 70-years after the author’s death. As a result, you may want to expire paid documents and issue new, copyright-free ones at that point, or remove current restrictions after the fact.
For libraries and digital book rental services, document expiry is an essential part of business. To retain the “loan” structure and prevent illegal distribution, it’s necessary to cut off a reader’s access after a defined period or extend that access after a loan is extended. You also need controls to stop copying and DRM removal, or the user will just create a new copy of the document without the same restrictions. Optionally, you may want to expire documents after a number of opens, views or prints.
While most of us would prefer all of our document revoking to fall into the former category, it’s sadly rarely the case. There are many scenarios in which it’s necessary to remove access to a document on the fly.
For publishers, for example, it may be necessary to revoke copies of an e-book with a major error and redistribute the accurate version. Membership associations and subscription services, too, may have to revoke access to a document suddenly when a member decides to cancel or when dues are not paid.
Perhaps the most crucial use for document revocation, though, is removing access when a document is misused. Whether it’s a publisher fallen prey to piracy or an enterprise whose confidential meeting minutes have leaked, having the ability to revoke access can greatly reduce harm.
To be able to do so, however, organizations must have comprehensive controls in place. The document needs to be checked over the internet to ensure that access is still allowed, either on each open or at regular intervals. It’s also necessary to have the ability to revoke access to a single or all documents on a per-user and per-publication basis.
Choosing the right solution
Though several types of solutions claim to protect documents, such as secure data rooms and Adobe’s PDF security, most don’t have the controls necessary to effectively enforce both types of revocation.
Secure data rooms
Secure data rooms usually use passwords as an authentication method to access the secure server space that houses the document. This is not effective for multiple reasons. Firstly, a user can just share their login password to grant somebody else access to the document.
Finally, they miss out on the core aspect of security mentioned earlier: the ability to revoke the document if it does leak. Once a user downloads, prints to PDF, or otherwise extracts a document, the admin loses all control over it. It can no longer be revoked or tracked.
Adobe PDF security
Adobe security that uses password encryption can be trivially bypassed in numerous ways. Documents can be decrypted with a password for viewing, and that password can be passed onto others. Though users can place a separate password to prevent editing, printing, copy-pasting, etc., this is enforced not by cryptography but by the viewer application itself. All somebody needs to do to bypass it is use a viewer application that does not enforce the permissions password, or upload it to an online removal tool.
Adobe Acrobat has no built-in revocation tools either, so once a document is distributed there’s no ‘undo’ button.
Azure Information Protection
MicroSoft Azure Information Protection or RMS provides protection of documents in the cloud. It enables admins to encrypt MS document formats, and, through policies embedded in the documents, prevent the content from being decrypted by unauthorized users. Specific document operations like printing, copying, editing, forwarding, etc. can be allowed or disallowed, tracking can be enabled, and admins can revoke protected files remotely.
However, an attack in 2016 showed that authorized users could remove the protection, thus rendering it useless. This paper details how to break Microsoft RMS – it covers all RMS implementations, including Azure rights management, AD RMS and Office 365. All a end-user needs is view access to remove the RMS protection from a protected file.
PDF DRM solutions
For serious protection, the best choice is a fully-fledged PDF DRM system like Locklizard Safeguard. With Safeguard, organizations can manage everything on the fly from a web portal, revoking documents and applying print, view, and time limits, while effectively cutting out unauthorized copying. At the same time, it has less overhead and requires less groundwork than traditional certificate-based systems, making it a no-brainer for document expiry and revocation.
Here’s how it works:
- You encrypt a PDF on your local PC and add any DRM controls you want to enforce.
- Your protected PDF is saved to your disk and a document record is created on the Admin System.
- You create a user account for each user you want to view your protected confidential PDF.
- An email is automatically sent to the user with a link to the Viewer and their license file.
- Once the Viewer is installed and the license file activated (clicked-on) it is registered to that device and cannot be registered elsewhere (unless otherwise specified).
- You control from the Admin System which protected documents each user can access.
- You distribute your DRM protected PDF just like any other file (email, file sharing site, etc.).
Thus, only people who are authorized to view the document can open or print it, and nobody can edit or copy it. Depending on your DRM license controls and restrictions, you can also deny users the ability to screengrab or view outside of select countries or locations. Safeguard also allows admins to track document views/prints to identify misuse.
How to revoke document access using Safeguard PDF DRM
Safeguard PDF security allows you to revoke document access for all users, individual users, and devices (in case a device is lost or compromised). Note: Revocation cannot occur in offline access mode. Documents must be set to connect to the licensing server when opened, either every time or when an Internet connection is available.
Revoking a user account so they can no longer view any documents
Revoking a user account can be useful in a number of circumstances. For publishers, the most common use case is when a user purchases an ebook and then performs a chargeback on their credit card. You may also want to revoke a user’s access to all documents if they leave your company or you suspect them of misuse:
- In the ‘Customers’ tab, click ‘Manage’, then tick the user’s name
- Change the ‘With all checked’ dropdown to ‘Suspend’ and press ‘OK’
- Press ‘SUSPEND’ on the confirmation dialog.
Revoking a document so that it can no longer be viewed by anyone
If you want to stop a document from being accessible to all users, you can do so. This is handy if the document has a mistake in it and you need to re-issue it, if the document it out of copyright, if one was distributed accidentally, etc.
- Open the ‘Documents’ tab and press the ‘Details’ arrow next to the document you’d like to revoke.
- In the details panel, find the ‘Manage Access’ section and press ‘Grant or revoke access’.
- Press ‘Check’ link to check all users and change ‘With all checked’ to ‘Revoke Access’.
Press ‘OK’ to apply the changes. None of the customers in your database will be able to access the document.
Revoking access on certain devices
Safeguard restricts documents to devices, but what happens if that device is lost, stolen, or purposefully given away? Even if your device is encrypted without a password or physical security key, you should not assume your documents are safe. Instead, revoke the device’s access in the ‘Customer’ section of the admin portal:
- Click the ‘Details’ arrow next to the customer whose device you’d like to revoke.
- Press ‘Suspend or Activate’ next to the ‘Device:’ section under the ‘License information’ heading.
- Tick the machine(s), change the ‘With all checked:’ dropdown to ‘Suspend’ and press ‘OK’.
Revoking individual user access to a document
It’s a good practice to revoke a user’s access to a document when they no longer have a reasonable reason to access the information. This can be achieved through the ‘Documents’ tab in the admin portal:
- Press the ‘Details’ arrow next to the document and click ‘Grant or revoke access’.
- Tick the users you’d like to revoke, change ‘With all checked’ to ‘Revoke Access’ and click ‘OK’.
The best PDF security solution
To summarize, Safeguard represents a significant upgrade in security compared to other solutions on the market. Through the use of strong cryptography, secure licensing, and a bespoke file format/viewer application, it is able to prevent authorized viewing, copying, editing, screenshotting, and more. Crucially, there are also mitigations in place should the system fail (for example somebody loses their device).
Though DRM can be more expensive than other solutions, in the vast majority of cases it will outlive its value. Leaks and piracy can cost organizations millions, while a PDF DRM solution can be had for a few thousand dollars.