Document Security – why secure documents?
Document Security systems & Viewers.
Many businesses need to secure documents to prevent unauthorized use and enable secure file sharing. But what document security system should you invest in, and what secure document viewers are best for your business – web, installed, or plugins?
There are many reasons why businesses need to secure documents. These include protecting personal data (as defined in differing regulations around the world), maintaining secrecy of information (reducing the potential impact of sites such as Wikileaks), and preventing authorized recipients from forwarding confidential information to unauthorized third parties (or keeping copies that they can use themselves).
But when you talk about the requirement to secure documents, you need to have in mind what strategies you are going to put in place to make sure that copying or extracting the content of the documents you have protected is both difficult and painful. You have to accept that if you can read it off a screen then a cell-phone can take a picture of it.
But how you counteract the situation of necessary disclosure depends significantly on your approach to revealing documents as much as to how you secure documents – two sides of the same coin!
Not all operating systems and environments are the same, and that goes for security functionality as much as anything else when you are protecting documents from being copied and passed on. The key to secure operation is as much about how and where you make documents available.
There are some things you have to guard against. For instance, Apple iOS specifically forbids the use of Private APIs and limits access to user information and to control of iOS device hardware such as the camera, Bluetooth and WiFi. In a paper on the subject of iOS sandbox security, J. Han et al have proposed a means of avoiding detection by the Apple review by making dynamic calls from obfuscated code (a similar approach to attacks against the original Adobe PDFs running code), and these are understood to be currently effective. Although such methods would allow both browser viewers and installed ones to gain more control of the operating environment, this has to be weighed against the wisdom of precipitating a bare-knuckle fight with a very powerful opponent. So although techniques exist for gaining a higher level of control in iOS, it is unlikely that fine control of screen-grabbing applications, or of printers as opposed to printer drivers set to produce PDF documents, can be achieved in these environments.
Secure document Viewers – which are best?
When you secure documents with DRM, the documents are encrypted so that only the intended recipient(s) can view them, and the DRM controls determine what an authorized user can do with the document(s). Users need to have an application that will both decrypt the documents and obey the DRM controls that have been applied. Below we discuss the various options available.
Web viewers for secure documents
A very popular method of displaying secure documents uses a web browser as the Viewer application and programs the actions of the Viewer using JavaScript. This is a highly effective approach because, regardless of the target operating environment, the most popular browsers are likely to run in a reliable manner.
That said, there are important restrictions that have to be kept in mind. The browser does not necessarily have authority to question the activities in the operating system. It was not developed to handle secure documents, so it may not be constructed in a way that resists attacks such as enveloping it and using plug-ins to try to interrupt the rendering of a protected document to screen and divert the output into a file to be collected later. This is not so easy to do in practice, and some corporations have standards that forbid loading plug-ins, or only allow plug-ins that have been proven to be safe in operation. Also, browsers may not be able to carry out system-level functions such as checking the use of specific keys or reading process lists, as these would be inappropriate actions for a browser to take.
Browser viewers have to be online to work, and it is not always possible to have an Internet connection available just when and where you need it. And although much is said about multi-factor authentication, it is still an industry in its infancy and highly error prone. So such systems still have to fall back on the user entering an ID and password, which they can show to others. You can resist that problem by limiting the number of simultaneous users accepted (so only one user can log in at a time with a specific set of credentials), and sharing the password does not remove the document security controls you have applied.
Nevertheless, browser based Viewers are very popular for simplifying transportability and access from any location (unless geographic or location specific IP addresses are also being used to control access to secure documents).
Installed viewers for secure documents
Installed Viewers offer much stronger controls in a number of situations for document security.
It may seem unlikely, but the Windows platform offers the most effective set of security features of the various operating systems in common use today. You are able to detect the use of special keys such as Print Screen. You are able to find out exactly what processes are running, and you have better information as to whether the printer you are connecting to is a real one or a virtual printer. Although there are probably more hacking tools available for the PC environment, it is possible to use techniques such as code encryption and code obfuscation to make it more difficult for the hacker to gain access to the core code itself, or to find ways of injecting code into the run-time system to subvert processing and redirect the unencrypted output to a file.
Installed Viewers also cater for offline use of secure documents, because they are able to lock onto a specific machine identity and control licensing information specifically for that machine. This means that licensing secrets can be transported separately from the documents that have been protected, and then processed, because the machine identity can be relied upon. Because of this, it is possible to do away with a user identification process altogether, since the machine can be securely identified. This can also be extended to verifying the physical identity of labelled devices such as USB flash drives.
Application plug-ins for secure documents
When you secure documents you may think the simplest solution is for users to use a native application (i.e. MS-Word if the protected document is a Word document) and have a plug-in that decrypts the document and obeys the DRM controls. In an ideal world this would seem to be the best solution.
However, plug-ins are prone to security risks – they cannot prevent other plugins from loading that could extract an unencrypted copy of the document – and they often stop working every time the native application is updated. So, a system that poses both a security risk and a usability one is evidently not the way forward.
What system should you use for your document security?
The decision to go with a browser based system or an installed Viewer system is a matter of risk analysis.
If you secure documents for offline use, users will need to install Viewers so documents can be viewed securely without an Internet connection. You therefore need to be sure that credentials cannot be successfully moved from computer to computer so the documents may only be used by the intended recipient(s). If you are relying on documents only lasting for a period of time your solution must make sure time and date functions cannot be falsified so that documents last forever.
If you secure documents for online use then you can think about implementing a browser system. However, you must accept that more than one recipient is able to use the same credentials to log in – although you can stop simultaneous users and lock users to specific locations with country and IP restrictions. Browser based viewers are very popular where users cannot install applications on their computer systems, since ports 80 and 443 are generally accessible. This avoids having difficult conversations with internal IT departments who may not wish to install applications or plug-ins into architectures that are stable and reliable.
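The three server-side checks described above (one login at a time per credential, a licence locked to a machine identity, and an expiry that cannot be pushed out by altering the client's clock or the licence itself) can be sketched as follows. This is an added illustration, not code from any product; the key, device fingerprints, document id and timestamps are constructed placeholders, and "trusted_now" stands for whatever time source the server regards as reliable.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed placeholder; a real deployment keeps this key server-side only.
SERVER_KEY = b"placeholder-server-key"


@dataclass(frozen=True)
class Licence:
    doc_id: str
    user: str
    device_id: str      # fingerprint of the machine the licence is locked to
    expires_at: int     # epoch seconds, set by the server, not the client
    tag: str            # HMAC over the fields above, so edits are detectable


def _tag(doc_id, user, device_id, expires_at):
    msg = f"{doc_id}|{user}|{device_id}|{expires_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_licence(doc_id, user, device_id, ttl_seconds, now):
    """Server side: bind a document licence to one user and one device."""
    expires_at = int(now) + ttl_seconds
    return Licence(doc_id, user, device_id, expires_at,
                   _tag(doc_id, user, device_id, expires_at))


class SessionGate:
    """Admits viewer sessions; one open session per credential by default."""

    def __init__(self, max_sessions=1):
        self.max_sessions = max_sessions
        self.active = {}  # user -> number of open sessions

    def open_session(self, lic, device_id, trusted_now):
        # 1. Reject any licence whose fields were edited (e.g. a later expiry).
        expected = _tag(lic.doc_id, lic.user, lic.device_id, lic.expires_at)
        if not hmac.compare_digest(expected, lic.tag):
            return "rejected: licence tampered"
        # 2. Reject a licence copied to a machine it was not issued for.
        if device_id != lic.device_id:
            return "rejected: wrong device"
        # 3. Compare expiry with a clock the user cannot set back, never with
        #    the client's own system time.
        if trusted_now >= lic.expires_at:
            return "rejected: expired"
        # 4. Enforce the simultaneous-login limit for this credential.
        if self.active.get(lic.user, 0) >= self.max_sessions:
            return "rejected: already logged in elsewhere"
        self.active[lic.user] = self.active.get(lic.user, 0) + 1
        return "opened"

    def close_session(self, user):
        if self.active.get(user, 0) > 0:
            self.active[user] -= 1
```

For an offline installed Viewer the same checks run locally against a stored licence, with the trusted clock typically being the last server-confirmed time rather than the machine's settable system clock.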
Many companies adopt both systems, where secure documents are viewed mainly on installed, authorized devices and specific external users who cannot install a Viewer application are given Web Viewer access. This provides a more flexible approach to document security, where Web Viewer users can be given access to less sensitive documents because their operating environment is not as secure.