drm

Protect Sensitive Documents

Protect confidential & business sensitive documents: stop sharing, theft

  Free Trial & Demo

“Fantastic product… outstanding support.”

“We would recommend Locklizard to others”

“The clear leader for PDF DRM protection”

“Our ebook sales have gone through the roof”

“Simple & secure – protects IPR from theft”

Trusted by:

Confidential & sensitive document protection – protect digital & electronic business documents

  Confidential do not distribute: Stopping document leakage, sharing & theft of proprietary information

All companies have sensitive and confidential documents or proprietary information that they need to share.  Often, this data must be shared securely both inside and outside their organization.  If organizations do not keep confidential do not distribute documents within the distribution list, they may cause a company harm (revenue loss, brand reputation, fines, etc.).  The need to protect sensitive and confidential documents from disclosure and stop sharing and leakage is therefore a high priority.

There are many document security solutions available commercially that are sold to address the protection of confidential and sensitive data and to stop sharing and document leakage, but how do they stack up?

pdf security

What is a sensitive document?

There’s no strict definition surrounding which types of documents should and should not constitute a confidential or sensitive document.  It is down to the organization to decide where the line should be drawn based on the risk to the business and laws in their country.

In a general sense, however, confidential and sensitive documents are those that are not part of routine operation.  The sensitive classification is typically reserved for documents that, when shared with unauthorized parties, could lead to negative consequences for the business or people mentioned in the document.

This could include, for example, customer personal information or medical records, preliminary financial figures, etc.  Confidential documents could also include marketing plans, trade secrets, or patentable inventions.

  Data Leakage Prevention or DLP solutions


DLP solutions consist of a set of data security software tools to stop document sharing and leakage by preventing users from sending sensitive and confidential documents outside the corporate network.  DLP is effectively an extension of the old access control systems with added encryption and endpoint protection (i.e. disabling USB ports or monitoring or blocking printing).

You need to either configure a system manually and/or let the DLP system use your rules to classify documents as confidential etc. so that documents on servers or networks can be monitored accordingly and the correct policies (which you have created) and your controls are applied.  This may be, for example, stopping copying of documents to USB devices or ensuring confidential and sensitive documents (containing key words or creators) are encrypted and can only be decrypted by authorized users.

Generally, documents moved outside the internal network cannot be decrypted because of the inability to gain access to the DLP’s key management system.  While this ensures documents remain safe inside the enterprise, it raises issues if users need to work on or with information outside the network or if organizations need to disclose sensitive and confidential documents securely with third parties.

DLP systems also have other weaknesses, such as:

  • if a user is authorized to open a document they can copy/paste and screen grab content using third-party screen grabbers or copy using remote sessions.
  • to work with specific applications (e.g. Outlook) they require users to install plugins. Plugins have their own problems such as sometimes failing to work after the host application has been updated or clashing with other plugins.  Interfaces are often undocumented.
  • they can also be costly in terms of initial deployment (the time taken to configure the system since configuring policies is a lengthy and complex process) which may not be practical if there are just a handful of confidential and sensitive documents that need protecting or that should not leave the enterprise.

DLP systems have their use as they can help prevent a security breach and make it harder for attackers to gain access to important files.  However, this only applies as long as confidential and sensitive documents are to remain within the corporate network.  In practice, this will usually not be the case.

  Access control


The most common file access control system is Windows Active Directory (AD).  This consists of a set of services that run on Windows server to manage access to networked resources (computers and other devices, such as printers, on a network).

Confidential and sensitive documents are not held encrypted, but AD can work in conjunction with AD RMS (Active Directory Rights Management Services) to encrypt content such as email and Word documents.

Again, it is an internal system (there is no concept of sharing confidential and sensitive documents securely with third parties that do not use the same system or domain) and it only works with Windows devices.

  File Encryption


Encrypting files to prevent unauthorized access is at the heart of every document security system.  Many organizations use encryption software to protect sensitive files at rest (in storage),when being sent to others over the Internet, or for backup purposes.

Sending sensitive and confidential documents securely by email is commonplace in most organizations, and for those that don’t want to get into the complexities of setting up a Windows-based Certification Authority, public key infrastructure, and issuing certificates, there is always the ability to password protect attachments.

However, encryption can only go so far in protecting information.  Once an authorized user has access to an encrypted file, they can decrypt it and do what they like with it, since there are no controls in place to prevent copying and sharing.

  Enterprise Rights Management & Cloud based rights management


Windows has a couple of Document Rights Management systems for organizations to choose from.  Either AD RMS or Azure RMS.  AD RMS is an on-site solution hosted on an organization’s own servers whereas Azure RMS is hosted by Microsoft in the cloud.

Azure rights management (Azure RMS) is probably the most commonly deployed cloud-based RMS for Windows systems.  And it is great as long as you only need to protect documents generated by Windows applications (limited support is provided for some Adobe applications).  It still uses Windows Active Directory, but this is now cloud-based and is called Azure AD.

Azure RMS is a policy-driven system and works in the same way as a DLP, in that you have to classify documents and create policies in order to enable document protection.  Initial deployment and ongoing configuration can therefore be both time-consuming and costly.

Azure RMS has several advantages over AD RMS:

  • you do not have to configure additional servers
  • it supports mobile devices
  • authentication is performed in the cloud rather than on an internal network
  • provides document tracking and document revocation

Azure RMS has been built as an internal document system rather than one designed for sharing sensitive and confidential documents with third parties.  However, external users can be added more easily to the system, provided they have a Microsoft account or are also using Azure AD for authentication.  This does compel external users to sign up using a Microsoft-approved account though, and their organization may not wish them to install external mail accounts on the desktop.

It is also worth bearing in mind that if a user has been given view access to a file they can bypass document restrictions.  See How to break Microsoft RMS.

  Locklizard Digital Rights Management (DRM)


Locklizard has taken a simplified approach to protecting confidential and sensitive documents that requires less management overhead and protects information and its use throughout its lifecycle.

There are no policies, public key, or directory systems to configure.  You apply document controls (such as stopping printing, expiry, etc.) when documents are protected using a simple tabbed interface, and assign user access via an easy-to-use administration system.  All key management is handled by the system and there are no insecure passwords or plugins.  A wide variety of document controls can be implemented and changed on-the-fly for individual users. For example, you can protect a document with zero prints (so no one can print it) and then enable individual users to print it.  Similarly, you can set a document to expire on a specific date, but change this date for specific users.  The key document controls – stopping sharing, copying, editing, printing, etc. – remain part of the document and are always enforced regardless of where your documents are located.

Locklizard locks the use of confidential and sensitive documents to authorized user’s devices and you can further prevent use outside authorized locations (e.g. the office).  This enables you to easily protect confidential documents in the workplace, controlling the use of sensitive and confidential documents on BYOD where they could potentially be used by others in locations not under your control.  By locking document use to machines and locations, Locklizard ensures your confidential not for distribution documents are tightly controlled.

If you want to allow users to print confidential documents then you can add dynamic watermarks with user-identifiable information that are applied to printed copies.  This helps discourages users from sharing printouts with others.

Locklizard enables you to share sensitive and confidential documents securely with third parties and to protect confidential documents from disclosure.  You have full control over document access and use at all times.  You can track and log document use and instantly revoke access when required.

  What is the best document protection for confidential & sensitive business documents?


In conclusion, there are many different types of document security systems available to protect digital or electronic documents that are confidential not for distribution and sensitive in nature.  DRM enables you to protect confidential documents and proprietary information and data regardless of its location.  It significantly extends the old IT controls and provides a much finer-grained control over the ability of the user to make use of a document.

You need to bear in mind:

  • how many documents you really need to protect
  • whether sharing documents securely with third parties is a must
  • how much control you need over document use
  • whether watermarks, such as confidential watermarks, can be easily removed
  • whether document activity should be logged
  • how long the system will take to implement
  • how much ongoing maintenance is required

Then implement the simplest document protection solution that works best for you.

How to protect sensitive documents on your computer

How to protect sensitive documents

In Safeguard Secure PDF Writer, choose the document protection options you want to apply:

  1. Stop printing, allow printing or limit the number of prints.
  2. Add dynamic watermarks to viewed and or printed pages.  Dynamic variables replace actual user and system data when the document is viewed/printed so you only have to protect the document once for all users.
  3. Make the document expire  on a specific date, after a number of views, after a number of prints, or after a number of days from opening – access is automatically ceased.
  4. Stop screen grabbing (even from remote connections) applications and prevent use of Windows print screen.
  5. Log document views and prints.
Safeguard’s default protection
  • Stops users editing, copying and pasting content
  • Locks PDF files to specific devices so they cannot be shared with others
  • There are no passwords for users to enter, manage, or remove
  • You can revoke PDFs at any time regardless of where they reside

Once protected, distribute them just like any other file (email, web site, etc.).

  How to dispose of sensitive or confidential documents

Generally, you should follow whatever guidelines your employer recommends when it comes to confidential document disposal.  However, it is worth noting that simply deleting a document does not dispose of it, as digital copies can easily be made.  It’s much better to make the file useless by removing the ability for anybody to decrypt it. For this purpose, you can use Locklizard, which gives you several options for the revocation of sensitive documents no matter where they reside:

  1. Revoke the document after a certain date
  2. Revoke the document a certain number of days since first open
  3. Revoke after a specific number of opens
  4. Revoke after a specific number of prints
  5. Revoke manually for all users or a specific user

Revocation can happen automatically after a certain time period, or manually when required.  You can find a full breakdown on how to perform each of these processes in our dedicated revocation guide.  Here we’ll focus on how to destroy a sensitive document so that it cannot be viewed by anyone.

  1. Open the ‘Documents’ tab and press the ‘Details’ arrow next to the document you’d like to revoke.
  2. In the details panel, find the ‘Manage Access’ section and press ‘Grant or revoke access’.
  3. Press ‘Check’ link to check all users and change ‘With all checked’ to ‘Revoke Access’.

    Press ‘OK’ to apply the changes.  Users now cannot access the document.

   How to share confidential documents online


If you want to securely share a confidential document online, it must be encrypted first.  The key to secure online document sharing is ensuring that the file itself is useless to unauthorized users.  If you can make sure that only those on authorized devices can open it, it does not matter whether the file is hosted on a secure cloud server or your public-facing website.

However, it’s important to choose a solution where the encryption is not easily bypassed (for example by entering or removing a password or manipulating a security vulnerability).  The solution must also have good support for sharing in the first place, or you’ll spend more time getting documents to users than they’ll even spend reading them.

For these reasons, Adobe Acrobat security, Access Control, and ERM solutions are a no-go.  File Encryption software such as PGP is a fairly good choice, provided you trust that the recipient will not share the document with others after they decrypt it and do not mind needing to communicate public keys in advance.

Document DRM is perhaps the best solution, as it allows you to send encrypted documents without prior communication from the recipient and has several measures in place to ensure that documents cannot be viewed outside of authorized devices.

  How to safely send confidential or sensitive documents via email


The best way to send confidential or sensitive document via email is to encrypt with a PDF DRM solution first.  Once a PDF has been encrypted with Safeguard Writer, the encrypted file cannot be opened by anybody who does not have a valid license file installed on their PC.  As this license file can only be activated on a single PC (unless you decide otherwise), you know that the document can only be opened by authorized users.

Further, Locklizard prevents unauthorized copying, editing, screenshotting, and printing to make sure that the document cannot be shared via other means.  Though you can send a PGP encrypted file via email instead, it will not have these protections and as a result authorized users will be able to share the decrypted document.

What about Gmail confidential mode?

Though you would expect Gmail’s confidential mode to be perfect for this purpose, this would be a dangerous assumption.  All confidential mode does is disable the print, forward, and download buttons in the Gmail web client and add an expiry date.  It does not apply any additional protection to email attachments and therefore documents.

Additionally, any user who is not using the Gmail website/app will be still be able to print, and forward messages.  Even those who are using the Gmail site can obtain a permanent copy of the email by simply right-clicking the web page and pressing “Save As”.

You are far better off using a PDF DRM solution or standard file encryption, alongside an end-to-end encrypted email service.

  Placing a confidential watermark on documents

Most organizations place a confidential watermark on documents that informs users how they should treat the information in it. “Confidential. Do not distribute” is a common example.

However, watermarks can also perform a secondary purpose – deterring authorized users from sharing.  For some users, a warning that a document is confidential is enough to make the stakes clear.  Others need a more strong reminder through a watermark that clearly states their name and email address. This makes it clear that any leaked document can be easily traced back to them.

There are a few aspects to consider with identifying watermarks, however:

  1. How long is it going to take you to add personalized, identifying information to each copy of each document you distribute?
  2. Can the watermark be easily removed?  If it can, it is not going to act as much as a deterrent.  Your leaker will simply delete it and share a non-watermarked version.

Most watermarking tools are not able to solve these two issues.  Locklizard Safeguard can, by combining a dynamic watermarking tool (see dynamic watermarks below) with DRM controls to prevent the removal of watermarks.

   Printing confidential documents

Ideally, you should not allow users to print confidential documents at all.  Allowing printing always represents a risk as you lose visibility and control over the document.  However, in scenarios where printing is necessary, limiting the number of prints for each user and adding a print watermark to the document will help to prevent users from creating copies and sharing them.

Limit the number of prints
  1. Right-click your PDF and choose ‘Make secure PDF’.
  2. Open the ‘Printing & Viewing’ tab.
  3. Tick ‘Allow Printing’, and ‘Limit number of copies to:’. You can optionally tick ‘No access after print copies depleted’.
  4. Press ‘Publish’ at the bottom of the window once you have applied any other controls.
Add a print watermark to your document

Watermarks can be a great way to establish the expectations surrounding a document and deter unauthorized sharing.  Here’s how to add a print only watermark to a PDF:

  1. Right-click your PDF in Windows File Explorer and select the option “Make Secure PDF”.
  2. Add a text watermark to your PDF.

    In the “Print Watermarks” tab check the “Add Print Watermark” box.  When typing your text, you can add dynamic information by clicking the edit icon and choosing your dynamic variables.  For example, %UserName% and %Email% to identify the user.  The “Position” and “Opacity” sliders allow you to adjust where the watermark sits on the page and its transparency, while the font icon, “Aa”, enables you to adjust font color, size, and formatting options.
  3. Optionally, add a watermark image to your PDF.

    In the “Print Watermarks > Image Watermark” tab, check the ‘Add Image watermark’ box.  Browse for the image watermark you want to add.  A large background watermark is usually a good idea, as it will be visible anywhere on the page.  The opacity slider allows you to do this without being too obtrusive.
  4. Save your watermarks and other security controls by pressing the “Publish” at the bottom of the PDF Writer window.

    Make sure you have any other security controls you want to apply selected before you do so, as outlined earlier in this article.  Once you publish your PDF, by default users will not be able to share, edit, copy or paste content, print, or take screenshots using screen capture tools.  As a result, they can’t remove your watermark or distribute a version with the protection stripped.

Why Locklizard to protect confidential business documents & sensitive proprietary information?

Locklizard provides a stronger alternative to password security, file encryption & deal room systems.  It is less complex to setup than Microsoft & Adobe RMS, provides additional security, and is easier to maintain.
  • No Passwords

    There are no passwords for users to enter so they cannot be shared.  Keys are transparently and securely transferred to authorized devices and locked to those devices.

    Users cannot share access information, and therefore your protected documents with others.

  • Secure Distribution

    Full control over document distribution:

    • Secure documents on your local computer – no uploading of unprotected files to a server where they could be compromized.  You retain full control over unprotected documents and ensure they can never be exposed to the wrong people.
    • Distribute protected documents just like any other file – upload them to a cloud server, your website, send by email or distribute on USB, etc.
  • DRM Controls

    DRM controls give you full control over document use:

    • Stop copying and copy paste into other applications.
    • Restrict editing and prevent content modification.
    • Stop screen grabbing – stops users from taking high-quality screen grabs using screen grabbing tools.
    • Prevent printing (or limit the number of prints).  If printing is allowed then we automatically prevent printing to file drivers (e.g. PDF files).
    • Enforce printing of colour documents in black & white or grayscale.
    • Expire documents after a number of days use, views, prints, or on a fixed date.
    • Revoke documents and user access instantly (regardless of where they are located).
    • Allow offline use – no forcing of users to be online to view protected documents.
  • Device & location locking

    Control the devices and locations protected documents can be accessed from.

    • Automatically locks document use to authorized devices to prevent sharing.
    • Control the number of devices for each user that your protected documents can be used on.
    • Lock use to locations to control where your protected documents can be used from (e.g. office only).  This gives you full control over BYOD use since documents on a laptop or other mobile device will be available for use in the office but not when taken home.
  • Non-Removable Dynamic Watermarks

    Add dynamic watermarks to viewed and/or printed pages.  Dynamic variables are automatically replaced by user data at print/view time.

    You might want to do this for example if you allowing printing and want to make sure that if photocopies are made that they clearly identify the user who was originally given access.

    You only have to protect a document once for all users rather than having to protect documents individually for each user in order to display unique user-identifiable information (username, email, etc.).

    Locklizard watermarks cannot be easily removed (unlike Office and Adobe watermarks which can be removed in a single action) since we prevent PDF editing and stop screenshots.

  • Simple to use

    Protect sensitive and confidential documents by right clicking on them in Windows Explorer.

    Manage users and document access via our web-based administration system.

    Automate document protection, user management and document access with our command line and API tools.

  • Cost Savings

    No charges per document or user – one set price for unlimited documents and users.

Locklizard takes your document security seriously.  Share sensitive and confidential documents securely without insecure passwords or plug-ins, and enforce access, location, expiry, and usage controls.  Our DRM technology enables you to protect confidential documents, important files, and proprietary information with ease, and ensures documents remain safe regardless of their location with US Gov Strength encryption, licensing, and DRM controls.  Protected document content is decrypted in memory and no temporary files are used.  Protect confidential business documents from disclosure, prevent unauthorized distribution, and track and log use.

See our customer testimonials or read our case studies to see why thousands of organizations use Locklizard PDF security to protect sensitive documents from unauthorized access and use.

   FAQs

What is the best way to protect sensitive documents on your computer?

The best way to protect sensitive and confidential documents is to use a PDF DRM tool like Locklizard Safeguard PDF.  This will ensure that your documents can only be viewed by authorized users regardless of whether they are a part of your organization or a third-party.  Critically, even authorized users won’t be able to extract content from the document by screen grabbing, printing, copy-pasting, etc. without your permission.

How should I dispose of confidential documents?

Generally, you should follow whatever guidelines your employer recommends when it comes to the destruction of confidential documents.  However, it is worth noting that simply deleting a document does not dispose of it, as infinite digital copies can be made.  It’s much better to make the file useless by removing the ability for anybody to decrypt it.

Should I use digital rights management to keep my documents confidential?

Digital Rights Management (DRM) solutions are one of the best ways to ensure that documents remain confidential.  They protect documents on any device, regardless of whether it’s part of your corporate network.  DRM software prevents unauthorized sharing effectively: stopping screenshots, printing, copy-pasting, and editing while providing dynamic watermarks, automatic and manual document expiry, and more.

Is it ok to save an important document as a Google Doc?

Absolutely not.  While it is possible to work on confidential documents in Google Docs, it represents a major risk.  Google Docs security is trivial to bypass and its watermarks are easy to remove.  Users can easily print, download, and copy-paste from documents due to inherent weaknesses in JavaScript-based browser security.

Is it safe to upload confidential documents to Telegram?

Not without additional protection.  Telegram does support end-to-end encryption in secret chats, and this includes attachment encryption.  However, it does nothing to provide protection once the receiver opens or downloads the file, at which point digital copies sit decrypted on their PC.  They can then share them with anybody they like with no restrictions.

To stop authorized users from leaking a document, it’s best to protect it with a PDF DRM solution before you send it via Telegram.

Is it okay to save confidential documents in the cloud?

Again, it depends.  Uploading an unencrypted document to a cloud storage service such as Google Drive is a bad idea for a number of reasons:

  1. Compromizing an account’s password grants an attacker access to all of that account’s documents. Even a strong password can be shared with ease.
  2. You are handing sensitive information to a cloud storage provider in a form that they can view.  This may break privacy, confidentiality, and compliance regulations.
  3. If the server that your documents are stored on is compromised, attackers also have access to all of your confidential information.
  4. Though cloud storage services often let you restrict access to a document to specific users, their browser-based protection is not able to prevent authorized users from creating a copy of the document to share with somebody else.

So, if you do upload documents to the cloud, make sure they are encrypted first.  You can do so with standard file encryption software, but you are better off using PDF DRM software as it has more security measures that ensure documents cannot be opened or shared with unauthorized users.

Is password protection suitable for private and confidential documents?

No.  Even when paired with encryption, password-protecting sensitive documents is a bad idea.  Passwords are too easy to crack and, more importantly, regardless of password strength, too easy to share.  If your security relies on a single string of (often predictable) letters and numbers, then it is not going to be effective for very long.  Adobe Acrobat password protection for example can be easily broken, and restrictions instantly removed.

Is the Avast sensitive documents feature effective?

The first question to ask is how does Avast protect sensitive documents and is that compatible with the needs of a modern business?  It doesn’t take much digging to figure out that Avast’s Sensitive Data Shield is designed only to protect sensitive files on your local hard drive in the case that it is compromised by malware or a hacker.  Avast’s description is vague but reading between the lines it appears to be a basic data loss prevention (DLP) tool designed to prevent the extraction of information from your PC.  It comes with all the pitfalls associated with DLP systems mentioned above, and likely then some.

The bottom line is that Avast’s sensitive documents feature is of some use if you’re trying to keep documents stored on your local PC safe.  However, it won’t stop documents from being shared with others by authorized users and it doesn’t provide any protection once the file has left your PC.  It’s really a consumer tool designed to prevent identity theft etc. rather than a business solution.

Customer Testimonials