Protection of corporate documents outside the perimeter of the enterprise information system
Every company faces a set of tasks related to protecting electronic documents from leakage and unauthorized use. BYOD has now become a serious threat because it blurs the perimeter of the enterprise information system. A company can forbid the use of mobile devices, but this slows business processes in the short term and costs income in the long term. There is also a need to share various documents with people outside the perimeter, e.g. auditors, stakeholders, partners and consultants. Is it possible to keep control over documents that have already left the company's boundary?
Why DLP doesn’t track outgoing documents
There are two approaches to DLP functionality. The first holds that it is enough to control outgoing traffic, and that linguistic (content) analysis is sufficient to detect leakage of confidential information. What are the benefits of this approach? Firstly, it can be deployed rather quickly: during deployment you only need to set the content-analysis parameters, which are similar for most companies. Secondly, it takes minimal effort from the customer: only one critical decision has to be made, namely what to do when the system detects an incident, block it or let it through while recording the fact in the log for further investigation. In most cases customers choose the second option, because blocking can disrupt business processes and cause a lot of trouble.
The second approach takes much more time and effort, because this kind of DLP provides protection and tracking of sensitive information wherever it is located. This versatility is achieved through the development of a detailed information security policy, based on a thorough study of business processes that takes at least 3 months. It does not suit young, rapidly growing companies, because their structure is constantly changing, but for mature companies it works quite well.
However, DLP is designed to secure documents inside the enterprise. There are several ways to share documents with external people on a secure basis: set up a protected cloud, or add the person to Windows Active Directory. Either way it is a time-consuming process that requires the involvement of several specialists, so most people prefer to find some other way to send a classified document without the bureaucracy.
Sending confidential documents outside the company
Forrester Research asked respondents from Canada, France, Germany, the UK and the USA the following question: "How do you choose the way to share documents at work?" The survey covered applications and collaboration in the SMB workforce. The results are presented in the diagram below.
Source: Forrsights Applications and Collaboration Workforce Survey.
If we assume that the first result is essentially a prerequisite for exchanging information at all, we can safely say that the leading position is occupied by concern about the confidentiality of documents. It has become an integral part of the business culture for many employees. But is this really so for small and medium-sized businesses in your country?
The threat of trade-secret leakage and the risk of losing control over intellectual property motivate companies to introduce a security system, at least at the level of regulation. After determining which documents are confidential, the company specifies acceptable ways of sharing sensitive information.
Encryption use
Everyone has heard about encryption in one way or another. How does it work? A file with confidential information is converted so that it cannot be opened without a special digital key. A person who holds this key decrypts the file and can then use it without limitations.
Let's look at which threats can be minimized with encryption tools. Take the example of Lavabit, a well-known secure email service that was used by Edward Snowden for his correspondence. Lavabit protected messages with TLS keys, and even an organization as powerful as the NSA was unable to reveal the contents of the emails of its former employee. In the end the service was shut down, but, as they say, that is another story.
We can conclude that encryption is an effective tool for protecting electronic documents from intentional interception, including MitM attacks, and from accidental leakage. There are many different encryption systems in the world, some open and some proprietary, and information security experts note that open systems are more popular because their algorithms are transparent and companies know exactly what is happening to the protected information.
This picture could be ideal, but we need to consider another threat: after decryption a recipient can do whatever he or she wants with your document, including sharing it with third parties.
Protection against an unfair recipient
The diagram above shows that 18% of the audience cares whether external recipients are included in the mailing list. In this situation the main goal is not to give away too much information. In May 2014 the White House press service made a mistake: it gave journalists a list of participants in a briefing with Barack Obama which contained the name of the CIA resident in Afghanistan. Had it been disclosed, the life of this employee and his family could have been in danger. The journalists noticed this and notified the press service, and there was a happy ending. But only loyal journalists are invited to the presidential pool. Can you say the same about all your recipients?
In this case the threat lies in the unscrupulous actions of the recipient of confidential information, which lead to a leakage.
Usually protection against unauthorized actions of the recipient is needed by publishers and copyright owners. Despite the measures taken by the state, we hear about piracy rather often, so various DRM systems are still in great demand.
But protecting digital content against illegal copying and use is not only a headache for publishers; for companies this problem is also crucial. First of all, it concerns electronic documents that belong to the corporate knowledge base: descriptions of production technologies, instructions for the sales department, distance-learning materials, etc. Access to such documents is granted to a broad group of people, and moving them beyond the perimeter of the information system is at times a business necessity.
This kind of protection may also be needed when a document is sent to a recipient who is not approved (not trustworthy).
A few words about how it works. As with encryption, the file is converted so that it cannot be opened with standard programs. To get access to a protected document a user needs to install a special application and receive a key that grants the right to open this document. When a protected document is opened for the first time, it demands activation: the system checks the key's validity and binds it to the user's device. Protection covers access and printing control and prevents copying and screen capture. Of course, nothing can be done if a user takes a picture of the screen with a camera and sends it via email; in this case watermarks can help identify the source of the leakage.
This system also makes it possible to prevent document interception or accidental leakage: the sender receives reports of activation events together with user IP addresses.
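To make the activation flow described above concrete, here is an added example (not code from any product or vendor mentioned on this page) that models an activation server: the key is an HMAC-signed statement of document, recipient and rights; the first open binds it to a device fingerprint, later opens from another device are refused, and every attempt lands in a report with the caller's IP address. The names (ActivationServer, issue_key, allowed) and the secret are constructed for the illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo secret; a real activation server keeps this in an HSM or vault.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

def issue_key(doc_id, user, rights, secret=SERVER_SECRET):
    """Sign a per-recipient key stating which document it opens and what is allowed."""
    claims = {"doc": doc_id, "user": user, "rights": sorted(rights)}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag

class ActivationServer:
    """Checks key validity on first open, binds the key to one device, logs a report."""

    def __init__(self, secret=SERVER_SECRET):
        self.secret = secret
        self.bindings = {}  # (doc, user) -> device fingerprint bound on first activation
        self.events = []    # activation report the sender can review later

    def activate(self, key, device, ip):
        try:
            payload_b64, tag = key.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
        except (ValueError, binascii.Error):
            return self._log(None, device, ip, "malformed key")
        expected = hmac.new(self.secret, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return self._log(None, device, ip, "bad signature")  # forged or tampered key
        claims = json.loads(payload)
        slot = (claims["doc"], claims["user"])
        bound = self.bindings.setdefault(slot, device)  # first open binds this device
        if bound != device:
            return self._log(claims, device, ip, "key already bound to another device")
        return self._log(claims, device, ip, "ok", rights=set(claims["rights"]))

    def _log(self, claims, device, ip, result, rights=frozenset()):
        self.events.append({"doc": claims["doc"] if claims else None,
                            "user": claims["user"] if claims else None,
                            "device": device, "ip": ip, "result": result})
        return {"ok": result == "ok", "result": result, "rights": set(rights)}

def allowed(activation, action):
    # Viewer-side check before print/copy: refuse anything the key does not grant.
    return activation["ok"] and action in activation["rights"]
```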
Many companies use this method of protection to avoid the use of paper versions of large corporate documents, which greatly reduces printing and logistics costs.
Conclusion
Protecting and tracking documents outside the perimeter of the enterprise information system is a challenging task, and the solution depends on the customer's requirements. To prevent interception it is enough to use encryption based on open program code. If, besides interception and accidental leakage, a company needs protection against unfair recipients, it is better to use external DRM with options to control access, copying and printing. These solutions can be integrated into DLP systems or operate as independent solutions.