Protect confidential & business sensitive documents: stop sharing, theft

Data Leakage Prevention or DLP solutions

DLP solutions consist of a set of security software tools to stop document sharing and leakage by preventing users from sending sensitive and confidential documents outside the corporate network.  DLP is effectively an extension of the old access control systems with added encryption and endpoint protection (i.e. disabling USB ports or monitoring or blocking printing).

You need to either configure a system manually and/or let the DLP system use your rules to classify documents as confidential etc. so that documents on servers or networks can be monitored accordingly and the correct policies (which you have created) and your controls are applied.  This may be, for example, stopping copying of documents to USB devices or ensuring confidential and sensitive documents (containing key words or creators) are encrypted and can only be decrypted by authorized users.

Generally, documents moved outside the internal network cannot be decrypted because of the inability to gain access to the DLP’s key management system.  While this ensures documents remain safe inside the enterprise it raises issues if users need to work on or with information outside the network or if organizations need to disclose sensitive and confidential documents securely with third parties.

DLP systems also have other weaknesses, such as:

• if a user is authorized to open a document they can copy/paste and screen grab content using third party screen grabbers or copy using remote sessions.
• to work with specific applications (e.g. Outlook) they require users to install plugins. Plugins have their own problems such as sometimes failing to work after the host application has been updated or clashing with other plugins.  Interfaces are often undocumented.
• they can also be costly in terms of initial deployment (the time taken to configure the system since configuring policies is a lengthy and complex process) which may not be practical if there are just a handful of confidential and sensitive documents that need protecting or that should not leave the enterprise.

So DLP systems have their use as long as confidential and sensitive documents are to remain within the corporate network.  However, in practice this will usually not be the case.

Access control

The most common file access control system is Windows Active Directory (AD).  This consists of a set of services that run on Windows server to manage access to networked resources (computers and other devices, such as printers, on a network).

Confidential and sensitive documents are not held encrypted but AD can work in conjunction with AD RMS (Active Directory Rights Management Services) to encrypt content such as email and Word documents.

Again, it is an internal system (there is no concept of sharing confidential and sensitive documents securely with third parties that do not use the same system or domain) and it only works with Windows devices.

File Encryption

Encrypting files to prevent unauthorized access is at the heart of every document security system.  Many organizations use encryption to protect files at rest (in storage) and when being sent to others or for archiving.

Sending sensitive and confidential documents securely by email is commonplace in most organizations and for those that don’t want to get into the complexities of setting up a Windows-based Certification Authority, public key infrastructure and issuing certificates, there is always the ability to password protect attachments.

However, encryption can only go so far in protecting information.  Once an authorized user has access to an encrypted file they can decrypt it – and then do what they like with it since there are no controls in place to prevent copying and sharing.

Enterprise Rights Management & Cloud based rights management

Windows has a couple of Document Rights Management systems for organizations to choose from.  Either AD RMS or Azure RMS.  AD RMS is an onsite solution hosted on an organization’s own servers whereas Azure RMS is hosted by Microsoft in the cloud.

Azure rights management (Azure RMS) is probably the most commonly deployed cloud-based RMS for Windows systems.  And it is great as long as you only need to protect documents generated by Windows applications (limited support is provided for some Adobe applications).  It still uses Windows Active Directory but this is now cloud based and is called Azure AD.

Azure RMS is a policy driven system and works in the same way as a DLP, in that you have to classify documents and create policies in order to enable document protection.  Initial deployment and ongoing configuration can therefore be both time consuming and costly.

Azure RMS has several advantages over AD RMS:

• you do not have to configure additional servers
• it supports mobile devices
• authentication is performed in the cloud rather than on an internal network
• provides document tracking and document revocation

Azure RMS has been built as an internal document system rather than one designed for sharing sensitive and confidential documents with third parties, but external users can be added more easily to the system if they have a Microsoft account or are also using Azure AD for authentication.  This does, however, compel external users to sign up using a Microsoft approved account, and their organization may not wish them to install external mail accounts on the desktop.

Locklizard Enterprise Rights Management

Locklizard have taken a simplified approach to protecting confidential and sensitive documents that requires less management overhead and protects information and its use throughout its life cycle.

There are no policies, public key, or directory systems to configure.  You apply document controls (such as stopping printing, expiry, etc.) when documents are protected using a simple tabbed interface and assign user access via a simple to use administration system.  All key management is handled by the system and there are no insecure passwords or plugins.  A wide variety of document controls can be implemented and changed on-the-fly for individual users.  For example, you can protect a document with zero prints (so no one can print it) and then enable individual users to print it.  Similarly, you can set a document to expire on a specific date, but change this date for specific users.  The key document controls – stopping sharing, copying, editing, etc. – remain part of the document and are always enforced regardless of where your documents are located.

Locklizard locks the use of confidential and sensitive documents to authorized user’s devices and you can further prevent use outside authorized locations (e.g. the office).  This enables you to control the use of sensitive and confidential documents on BYOD where they could potentially be used by others in locations not under your control.

Locklizard enables you to share sensitive and confidential documents securely with third parties with confidence that you have full control over their access and use at all times.  You can track and monitor document use and instantly revoke access when required.

What is the best document protection for confidential & sensitive business documents?

In conclusion, there are many different types of document security systems available to protect digital or electronic documents that are confidential and sensitive in nature.  DRM significantly extends the old IT controls and provides a much finer grained control over the ability of the user to make use of a document.

You need to bear in mind:

• how many documents you really need to protect
• whether sharing documents securely with third parties is a must
• how much control you need over document use
• whether document activity should be logged
• how long the system will take to implement
• how much ongoing maintenance is required

Then implement the simplest document protection solution that works best for you.