Sharing Documents Securely
Secure document sharing systems
Everyone needs to be able to share documents – after all, I am writing this to share with you. But if you want to share documents securely you have to think beyond simple encryption (used to ensure that only the intended recipient(s) can open a protected document) to also controlling what can be done with the document content once it has been decrypted and opened by an authorised user. Is encryption or a cloud based access control system the answer to your specific secure document sharing needs, or do you need complete control over your own data?
The marketplace appears to offer a range of different products with different functionality, which may appear to address your requirements, and we will examine them to see how appropriate they are.
Secure Document Sharing platforms
When people think about secure document sharing, they usually think about a specific online file storage and/or collaboration service. However, these platforms have various limitations, such as:
- documents have to be uploaded to a supplier’s server that is not under your control
- documents are generally viewed via a browser so there is limited screen grabbing prevention (if any) and limitations on the controls you can enforce
- printing to PDF or other file drivers is not prevented so users can save documents locally to disk if you allow printing
- users must always be online to the Internet in order to view and print documents
- users can share their login credentials with others without being detected
- pricing is usually based on the number of user accounts and can get expensive quite quickly
Secure document sharing platforms have mainly evolved from document collaboration systems, and they often have complex role-based permissions which are best suited to internal use where you can define formal access control structures (i.e. there is no concept of selling the documents and controlling their actual use).
However, most of the documents you need to share securely have gone beyond the concepts of collaboration (i.e. distributing reports, finance info, formal board minutes, formal procedures etc.), and in certain countries many users still need to store and view documents offline because their telecoms communications are poor or non-existent (see How the World Was One – Arthur C. Clarke). Most importantly, however, you need to decide whether you want to store your documents on someone else’s server accessible via the Internet. And as we all know, servers are always available and never hacked… Even if a document sharing platform is right for you, it may be necessary to find a solution where you maintain control of the documents and don’t ‘give’ them to the security provider.
Sharing documents securely using encryption
Encrypting a document is fine if your objective is to secure the file at rest – i.e. you want to store documents securely either locally or in the cloud – or in transit – i.e. you want to send a file to another user, say by email, and be assured that if the email is read by someone else then they won’t be able to open the document (but be careful what you say in the email!).
Document encryption, however, has its limits. Once a file is decrypted there are no access controls governing its use. So if you send an encrypted document to another user – because you only want them to be able to view it – there is nothing at all to prevent them sending the decrypted document to anyone they choose. This is especially important if you are selling documents (say reports, ebooks, etc.) and want to make sure that only those that have paid for them can use them, or if you have confidential company information that must only be made available to specific employees, board members or third parties.
Sharing documents securely using DRM technology
Document DRM adds a complementary layer of security on top of document encryption. With document DRM, documents are encrypted to protect them in transit and at rest, and then access and other controls are added to govern use. Basic document DRM controls prevent copying and document modification, stop or limit printing, and stop screen grabbing by preventing print screen and the use of screen grabbing tools.
To prevent unauthorized document sharing, document DRM systems use licensing controls to tie users and their devices to specific documents. This ensures the document owner can share documents securely amongst only intended recipients (unless of course an authorized recipient is willing to give their tablet device, mobile phone or laptop to someone else). Many document DRM systems also provide dynamic document watermarking – user details are displayed on a document when it is viewed and printed to discourage photographs being taken of the screen, or if printing is allowed, to discourage users from making copies of printed documents. Adding watermarks dynamically ensures the document only needs to be protected once rather than once for each user.
More advanced document DRM systems enable documents to be shared securely in only authorized locations by limiting use to specific countries and IP address ranges. This ensures that users with mobile devices cannot open secure documents, say, outside an office location or in countries where usage is forbidden due to regulations.
Sharing documents securely for limited time periods
Another advantage of using document DRM systems to share documents securely is the ability to automatically expire (and thus revoke) document use after a certain amount of time. This could be after a number of views or prints, a number of days, or on a fixed date. Ensuring information can no longer be viewed after a certain period is especially useful for M&A documents where information is only required for a limited period, or for documents that have a natural life span.
Document DRM systems also provide the ability to revoke documents instantaneously no matter where they reside – so if information has been published by mistake, or access given to the wrong person, or a chargeback has been made against an ebook etc., you can instantly recall it.
Sharing documents securely with accountability
When sharing documents securely it may be important to establish that an authorized user has viewed and/or printed a document, for legal or compliance reasons or to help identify leaks. Document DRM systems can help here by providing log files detailing when documents were opened and printed, and by whom.
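The licensing, location, expiry, revocation and logging controls described in the sections above can be pictured as one license check made each time a document is opened. This is an added example, not code from this article or from any DRM product; the License and LicenseServer names, their fields and the sample values are assumptions, and only IP ranges are checked (a country restriction would need a GeoIP lookup).

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class License:                 # hypothetical record: one per (user, document)
    device_id: str             # device the license is tied to
    allowed_networks: list     # CIDR ranges the document may be opened from
    expires_at: datetime       # fixed expiry date
    max_views: int             # expire after this many views
    views: int = 0
    revoked: bool = False      # set by the document owner to recall access

def deny_reason(lic, device_id, source_ip, now):
    """Return why the open request is refused, or None if it is allowed."""
    if lic is None:
        return "no license"
    if lic.revoked:
        return "revoked"
    if device_id != lic.device_id:
        return "device not licensed"
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in ipaddress.ip_network(n) for n in lic.allowed_networks):
        return "location not permitted"
    if now >= lic.expires_at:
        return "expired"
    if lic.views >= lic.max_views:
        return "view limit reached"
    return None

@dataclass
class LicenseServer:
    licenses: dict                                  # (user, doc_id) -> License
    audit_log: list = field(default_factory=list)

    def request_open(self, user, doc_id, device_id, source_ip, now):
        lic = self.licenses.get((user, doc_id))
        reason = deny_reason(lic, device_id, source_ip, now)
        if reason is None:
            lic.views += 1
        # Log every attempt, allowed or refused, for accountability.
        self.audit_log.append((now.isoformat(), user, doc_id, device_id,
                               source_ip, reason or "allowed"))
        return reason is None, reason or "allowed"

if __name__ == "__main__":     # constructed sample data
    lic = License("laptop-1", ["192.0.2.0/24"], datetime(2030, 1, 1, tzinfo=timezone.utc), 2)
    srv = LicenseServer({("alice", "doc-1"): lic})
    print(srv.request_open("alice", "doc-1", "phone-9", "192.0.2.10", datetime.now(timezone.utc)))
```

A server-side check like this only covers opens made while online; for offline viewing the same rules have to be enforced by the viewer application on the device.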
So when sharing documents securely there are many issues that have to be considered.
What kind of document control are you seeking to exert – internal use, internal and external, or purely external?
Do you trust the recipients enough so you know that they will not pass documents on; how much control do you want over your documents when dealing with untrusted parties; do you trust a Secure File Sharing company to protect and host your confidential or valuable documents on their servers; do users always have an Internet connection available; and how much security is enough?
Do you need to log what users are doing? Are you licensing the use of information content rather than sharing documents at a peer-to-peer level?
For the simpler requirements a collaboration system may offer enough controls because documents are in a constant state of flux. As you transfer to selling documents, or distributing private documents to remote environments where you have to create your own security, then it is essential to use document DRM systems to provide continuing protection to document content.