Are Data Rooms Really Secure?

The Hidden Truth Behind ‘Secure’ Data Rooms – are they Snake Oil?

Secure data room systems don’t stop users sharing documents.  Here we cut through the hype and explain why they are useless for secure document sharing.

Secure Virtual Data Rooms & Data Room Security

Some people believe that smoking is not bad for you or that the earth is flat, while others equally believe that secure data rooms are a safe way to securely share documents.  Here we explain why that is just not true.

Is a secure data room really secure?

Like any marketing term, it all depends on how you define ‘secure’ and what parts of the system are deemed secure in order to obtain the ‘secure’ label.

There is only one question you need to ask a secure data room provider – “Does your system stop users sharing documents?”.

The truthful answer to that question will always be No.  Authorized users can share their login credentials or links with non-authorized users, and therefore share your documents.

Data Room Security – most secure virtual data room, highly secure data room and other meaningless jargon

Most ‘secure’ data rooms make a big thing about how secure they are with terms such as ‘most secure virtual data room’, ‘most secure data room’, ‘highly secure data room’, etc.  It is completely meaningless.

Many secure virtual data room systems also publish their security credentials and certification credentials on their web sites to show you just how secure they are.  Something along the lines of:

ISO/IEC 27001:2013 is widely considered the gold standard in information security management systems.

That sounds important and secure, right?  Does this mean it stops authorized users sharing your documents with non-authorized users?  Does any claim provided by a secure data room state this?  NO.

So why are these claims made?  They are there to make you believe their systems are fit for purpose (whatever that might be).  It is the equivalent of a food manufacturer concentrating solely on how healthy their cereal bar is because it contains 0% fat when it is 80% sugar.  Or a housing developer displaying a fire certificate for cladding on a house when it is situated in a flood plain and 12 feet away from a river.  In other words, you might be being a bit misled.

Is encryption of data-at-rest in a secure room important?

Secure data room systems say they are secure because they store your data encrypted at rest on a secure backbone (e.g. AWS hosted server) that is itself certified.  That’s just as well since if your documents are being decrypted on the server before being delivered to the browser, that could mean thousands of temporary files containing your document content just sitting there in the clear.  You would therefore hope that the server hosting these could not be readily hacked and that temporary files are cleaned up (i.e. deleted) after use.

So yes, encryption of data at rest in a secure data room is important to stop hackers gaining access to your documents, but it is just one component of data room security.

Is it safe to store sensitive documents in the cloud?

If you have confidential or sensitive business documents you might want to question why you would want to upload them to someone else’s server as unprotected files.  Even if they are encrypted, what happens to your original unprotected documents – are they definitely deleted and are any temp files left over from the process?

A more sensible approach would be to not let them leave your computer or domain to begin with, protect them locally and then distribute protected documents as you see fit (this may or may not include uploading them to a cloud server).  However, this is not what secure data room systems allow you to do.

Can a data room that relies on a login & password ever be secure?

Here is where every secure data room falls apart.

Let’s face it, any system that relies on a login system where a username and password are manually entered is clearly not very secure.  If your objective of using a secure data room is secure document sharing (i.e. making sure only specific users can open your documents) and yet users can share their login credentials with others (and therefore your documents), then that purpose has already been defeated.

Most secure data room systems don’t even bother limiting how many instances of the same user credentials are being used at the same time.  So for example, user ‘Jo Bloggs’ could be logged in 30 times from different locations at the same time and you would never know.
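
The concurrent-login gap described above can at least be measured from a session log by computing each account's peak number of simultaneously open sessions.  This is an added example, not code from any data room product; the log layout, the sample rows and the max_sessions threshold are assumptions.  It surfaces only simultaneous use of one set of credentials and does nothing to stop sharing.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample session log: (user, session_id, source_ip, login, logout).
# The field layout is an assumption; adapt it to what your data room exports.
SAMPLE_SESSIONS = [
    ("jo.bloggs", "s1", "198.51.100.7",  "2024-03-01T09:00", "2024-03-01T11:00"),
    ("jo.bloggs", "s2", "203.0.113.40",  "2024-03-01T09:30", "2024-03-01T10:15"),
    ("jo.bloggs", "s3", "192.0.2.99",    "2024-03-01T10:00", "2024-03-01T12:00"),
    ("a.smith",   "s4", "198.51.100.22", "2024-03-01T09:00", "2024-03-01T09:45"),
    ("a.smith",   "s5", "198.51.100.22", "2024-03-01T09:45", "2024-03-01T10:30"),
]


def peak_concurrency(sessions):
    """Return {user: (peak simultaneous sessions, IPs active at that peak)}."""
    events = defaultdict(list)
    for user, sid, ip, start, end in sessions:
        t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
        # Sort key: at equal timestamps a logout (0) is processed before a
        # login (1), so back-to-back sessions are not counted as overlapping.
        events[user].append((t0, 1, sid, ip))
        events[user].append((t1, 0, sid, ip))

    result = {}
    for user, evs in events.items():
        active, peak, peak_ips = {}, 0, set()
        for _, is_login, sid, ip in sorted(evs):
            if is_login:
                active[sid] = ip
                if len(active) > peak:
                    peak, peak_ips = len(active), set(active.values())
            else:
                active.pop(sid, None)
        result[user] = (peak, peak_ips)
    return result


def flag_shared_credentials(sessions, max_sessions=1):
    """Accounts whose peak concurrency exceeds the allowed session count."""
    return sorted(u for u, (peak, _) in peak_concurrency(sessions).items()
                  if peak > max_sessions)


if __name__ == "__main__":
    for user, (peak, ips) in peak_concurrency(SAMPLE_SESSIONS).items():
        print(f"{user}: peak={peak} ips={sorted(ips)}")
    print("flagged:", flag_shared_credentials(SAMPLE_SESSIONS))
```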

Can Two Factor Authentication (2FA) provide foolproof security?

Some secure virtual data room solutions claim that their system stops sharing by using 2FA as an additional security measure.  Even if you extend the login process with 2FA, users can forward that information to others – you cannot prevent this.  Some systems for example require users to enter their email address again when clicking on a link to a document – they then click on a second link to identify themselves as the email owner (this link is sent to the email address they enter) – but they can still give that second link to other users by forwarding the email.  The same is true of a PIN or any other form of secondary validation.

A much more sensible and secure approach to the login process would be locking documents to devices so they cannot be shared with others, but this is not achievable in a browser environment where no software is installed on the client.

Can document tracking provide accountability?

Ha, I hear you cry, we can track what documents a user has opened and see if this is always from the same location (via the IP address).

If you have a lot of users using the system, that is a lot of tracking work to do.

You are also assuming that only the authorized user has opened those documents (you are not actually tracking a specific user, just someone who has used those login credentials).

And then there is the IP information and what that relates to.  Here we need to have a quick lesson in browser proxies and VPNs.  Most anti-virus software has a proxy installed as standard, enabling users to browse the web securely – just choose your location and the system will automatically assign a different IP address for you each time.  With VPN systems you get to choose a dedicated IP address (or static IP) and multiple users can use the same VPN.  So clearly the tracking data is not worth the paper it is written on – so it is therefore lucky that this information is just digital.

On a different note, many users regularly change IP address, and/or share the same IP address with many other users at the same time.  Also switching from wifi to mobile data changes a user’s IP address.  And most home internet connections change IP addresses daily.  So clearly IP tracking cannot be relied upon.

Are browsers effective in ensuring data security?

Not only are browser environments inherently slow (bad luck if you have either large or complex documents), they are also highly insecure.

They were not built with security in mind and code in the browser can be easily manipulated using third party plugins, JavaScript, and direct debugging (Developer mode).  So DRM controls you thought were being enforced (usually by the use of JavaScript) could be bypassed without you even knowing about it.

In addition, there is a limit to what you can control, and stopping screen grabbing and printing to PDF is not possible.

  • High Quality Screenshots
    Most users have some type of screen grabbing application installed on their computer, whether this is a dedicated program such as Snag-it, a Paint editing program, or just Windows Snipping Tool.  All do a good job of taking high-quality screenshots of document content, and secure data room systems can do nothing to prevent this with their limited control over the browser.
  • Printing to PDF
    There may be occasions when you want to allow printing so users have a physical copy of a document.  The bad news is that if you let users do this from the secure data room system, they can just print to a file driver (say PDF) instead of a physical printer.  Any protection is automatically removed and users now have an unprotected PDF document to use as they wish or share with others.

Enabling offline use of documents can compromise data room security

Not everyone has access to the Internet 100% of the time so it should be expected that users will want to view documents offline.

Most secure data room systems enable you to let users download PDF files so they do not have to be connected to the Internet to view them.

However, the downloaded PDF files are either not protected (e.g. Digify, DocSend, etc.), or are password protected PDF files – see removing PDF password protection.  So you might want to question why you are using a secure data room to begin with if the end result is users being able to download unprotected PDF files.

Does using digital watermarks on documents provide any additional security?

Most secure data room systems enable you to add watermarks to your documents.  If however you let users download PDF files those watermarks can be easily removed using a PDF Editor such as Adobe Acrobat.  This is because they are added as a layer to the PDF file and that layer can be removed in one go.

So digital watermarks for downloaded documents don’t provide any additional security since you can no longer identify the user who shared your documents.

Secure Data Rooms usability issues

And that’s just the data room security issues.  Some of these systems are so poorly designed it is a struggle to manage more than a handful of documents and users.  For example, if you want to have a PDF file that expires at different times for different users you have to upload the file multiple times (one for each user) or create multiple links to the same file.  This quickly becomes unmanageable if you have lots of users and documents to share.  It is much simpler to use an existing document management system and just have secure PDF files made available in it.

So the moral of the story is, do not be fooled by the security credentials and security claims branded by secure data rooms – they are mere marketing hype.

Locklizard as a secure data room alternative

Locklizard provides actual secure document sharing, ensuring your documents cannot be shared with others regardless of their location.

Our document security software locks PDF documents to authorized devices so they cannot be shared, and enforces the same DRM controls for both online and offline documents.  Our secure PDF Viewers can be installed on Windows, Mac, iOS and Android.  They stop screen grabbing and printing to PDF and prevent watermarks being removed by PDF editing software.  There are no login credentials to enter (keys are transparently managed and securely transmitted and stored without user intervention) so they cannot be shared with others.

Compared to secure data room systems, Locklizard provides an extensive range of PDF expiry controls, enabling you to protect a document just once yet limit individual access (different dates) for each user.  You protect PDF files on your local computer (no uploading of unprotected files to a cloud server) and can integrate protected PDF files into your existing systems just like any other file.

We don’t tie you into monthly pricing which can soon add up over a period of time, with annual and perpetual licenses both available.  You can choose to host with us or on premise in your own environment.

Locklizard’s PDF DRM security products enable you to share documents securely regardless of their location, enforcing access and use controls.  Stop sharing, piracy and theft of content by taking a free 15 day trial.