So there’s the problem in a nutshell. There are many occasions on which you are obliged to share secrets with people who you cannot control, and you are obliged to take such steps as you reasonably can to reduce their ability to cause harm.
Whilst board minutes are only one example of internal documents that need to be strictly controlled on the one hand, and yet have to go outside of the control of the enterprise, they can contain material that, should it become public for any reason, could have a significant impact upon the share price and future status of the business.
In mergers and acquisitions, the stakes are, perhaps, just blindingly obvious. Information disclosed in this process is usually highly confidential, and misusing the knowledge of that information could be anything from commercially sensitive to requiring explanation to the share trading body of the country in which the enterprise is registered. Or to put it another way, inappropriate disclosure could result in people going to jail.
Types of secure data room solutions
The typical IT based solution relies upon access controls to prevent the unauthorized from gaining access to information (due diligence, compliance, litigation, corporate transactions, etc.). This may be achieved in a number of ways. For users connecting on an internal network it may simply be logon id and password that grants uncontrolled access to everything defined for that user.
Where outsiders have to be given access to information, IT departments create areas on servers, sometimes called virtual data rooms or data rooms, where information can be stored, and access controlled through the use of one or more specific logon id/password combinations, perhaps also using incoming IP address monitoring as a means of limiting the potential for people to give their logon details to others, thus defeating the access control.
This latter approach also allows a degree of monitoring of user activity through the use of cookies, and it can be made to appear more secure by using the SSL service to encrypt the information being transferred between the ends.
What neither of these IT approaches achieves is the ability to prevent the authorized user from taking copies of information to which they have legitimate access, and passing those copies on to others. They also do not provide any linkage that can identify the source of unauthorized distribution.
An alternative approach, especially for internal systems, could be to use a document collaboration system. These have various controls for describing controlled groups, and it may be possible to allow outsiders to have access by making outsiders appear to be insiders (rather like the IT solutions considered above). What is more problematic about this type of solution is that collaboration systems expect documents to be editable, and that there is some hierarchy of users where some approve documents. Commonly in the business cases described above, information is authorized before it is made available, recipients are not allowed to change anything, and some activities, such as printing, may need to be forbidden, or tightly controlled.
Finally there are DRM based solutions. These have significant benefits over the other solutions described, because they can allow authorized recipients to use information without having to grant them access either to internal networks or to servers. Where access is granted for limited periods of time this can be automated so that access automatically lapses without further administrative effort, or can be switched on and off again as suits the situation. These facilities are significantly different from administering ‘secure data rooms’. Finally, DRM solutions have additional features, such as being able to link the authorized user’ s identity to viewed images and printed images, to dissuade them from sharing information in an inappropriate manner, as well as preventing authorized users from being able to readily pass on copies of controlled information.
Cloud based secure data rooms & secure virtual data rooms
The most common type of secure data rooms in use today is the cloud hosted secure data room or secure virtual data room, such as DocSend or Digify. These enable companies to securely share confidential business documents with third parties without having to invest in infrastructure of spend time setting up access control systems. At first glance, cloud hosted secure virtual data rooms seem to be an ideal solution for secure document exchange with external groups. However they do have some major security issues.
Secure data room security issues
- All cloud hosted secure deal rooms rely on passwords for authentication. Passwords, links, and other login credentials can be easily shared with other users (despite any claims to the contrary) so that means your confidential documents can be too.
- Multiple users can login at the same time using the same login credentials.
- Document content is decrypted on the server sand then pass it to the client device using SSL. That might sound secure but browsers save content to temporary files (caching) to speed up rendering. So your unprotected documents could be recovered by users from the browsers temporary file location.
- You have to upload your unprotected documents to a cloud server where they are outside of your control. In theory they are then encrypted and the unprotected version is deleted – but what if something goes wrong and your unprotected documents remain stored on a cloud server for possible future access?
- Because documents are accessed using a browser, there is no security software iinstalled on the local computer / remote device to enforce document controls – this provides easy ways to remove document protection.
- Unknown browser environments (i.e. uncommon browsers), browser plugins and browser development tools can all be used to circumvent the limited security controls.
- Allowing document downloads for offline viewing provides either no or weak protection. Some secure data room providers enable users to view PDF files offline using Adobe Acrobat. However they either provide NO protection (apart from a watermark which can be easily removed), or force users to enable JavaScript or turn off security controls in Acrobat and/other third party PDF readers. This would be a good time to consider who is legally responsible if a user’s system is hacked.
- You have no idea who you are actually tracking since login credentials can be shared with other users, and multiple users can login with the same IP address when using a VPN.
- If you allow printing, users can print to unprotected PDF files.
- Users can take high quality screenshots of document content using screen grabber tools.
See also Is dataroom security adequate for secure document sharing and deal room security.
The security issues above are why secure data room systems are keen to show off their security credentials – i.e. how secure their hosting system backbone is. It needs to be with all those temporary files sitting on the server in the clear when the files are decrypted. You might therefore ask is encryption of data-at-rest in a secure room important? Well yes, if the server gets hacked, but there are clearly easier ways into the system (and access to your documents) than that.
Is encryption of data-at-rest in a secure data room important?
Encryption of data-at-rest in a secure data room is important, but it is only part of the story.
If data is encrypted at rest (i.e. stored encrypted on a cloud server) that ensures hackers cannot access your documents by gaining entry to the server (assuming of course that encryption keys are not left vulnerable).
The main purpose however of a secure data room is to enable secure document sharing – allowing only those you have authorized to view protected documents. If authorized users can share links and login credentials with others then hackers breaking into a server to try and access your documents may be the least of your worries.
So encryption of data-at-rest may not be the silver bullet you think it is – it is just one component of data room security.
What is the most secure virtual data room?
The most secure virtual data room system is one that can:
- provide secure and transparent key management so users do not enter any login information that can be shared with others
- lock documents to devices so they will not open if copied to another device
- provide the same full protection for both online documents (those viewed in the Web browser viewer) and offline documents (downloaded files)
- decrypt document content on the client in memory (so it is not cached to disk) rather than on the server
- stop multiple users logging in at the same time with the same credentials
- stop printing to PDF and other file formats
- stops screen grabbing software
- protect documents on your local device so they are not exposed on a cloud server
Many secure data rooms that advertise themselves as the ‘most secure data room’ or ‘highly secure data room’ do not provide any of these basic security features.
So, secure data rooms for secure document sharing?
Secure data rooms were developed using the techniques of a central control system administered by IT departments. They achieved considerable success, although they did not prevent their users from being able to obtain copies of documents and pass them on without detection.
Cloud hosted secure data rooms expanded on the need to share documents securely outside of the contraints of an internal IT system but also have major shortcomings. These password based systems have still not addressed being able to stop users sharing sensitive documents with others – they just provide better monitoring so you can see ‘who’ (what login details) has accessed what documents.
DRM solutions for documents that don’t rely on passwords or plugins provide a much more secure solution to document sharing and distribution. They provide better control over the use of documents, lock use to devices and locations so they cannot be shared, and provide better operational flexibility for those who have to set up and administer the secure distribution of sensitive information.
So if you want to protect confidential and sensitive business documents, due diligence, compliance, litigation, corporate transactions, and other M&A documents from unauthorized access, distribution and use, then an installed Viewer that can lock documents to devices is the only effective way of sharing documents securely.