CIO

With walls breached, document protection is the new security imperative

Whether driven by hackers becoming more aggressive, or by new regulations increasing visibility around an ongoing problem, growing reports of data theft are prompting organisations to take urgent and proactive measures to protect business documents during every stage of their life cycle.

For many IT professionals, this focus on document security has created new challenges—like finding and implementing the right technology, and gaining executive backing to ensure that appropriate policies and procedures are implemented.

Coming years will see this evolving imperative lead to new roles and responsibilities, according to Gartner, which believes that more than half of CEOs will have appointed senior digital leaders to their staff by the end of 2015. By 2017, one-third of large enterprises are expected to have a formal digital risk officer (DRO), managing risk across business units and reporting to a non-IT senior executive as they work to ensure the integrity of corporate data.

The implications of any failure to act will be significant: by 2020, Gartner has predicted that six out of ten businesses will have suffered major service failures because their IT security team hasn't managed to keep up with the new threats posed by technologies such as cloud computing, increasing use of cloud storage for personal and business documents, widespread mobility and the Internet of Things (IoT).

New paradigms such as the IoT “form a new superset of technology that challenges the ability of existing organisational structure, skill sets and tools to consistently and adequately assess, define and manage technology risks,” the firm warns.

“By 2019,” adds Gartner vice president and distinguished analyst Paul Proctor, “the new digital risk concept will become the default approach for technology risk management.”

A core part of that risk management lies in an organisation's ability to keep control over its data – and, in particular, to manage the security of its business documents.

As perimeter security controls evolve from being the only line of defence to being one of many, enacting security at the document level will be critical in successfully enforcing the protection of digital data when it travels outside of an organisation.

Thinking in this way will become critical, as mobile devices enable access to business documents anywhere, any time – essentially requiring a complete rewrite of the rules of document management.

“People are using a multitude of devices and there has been a big push over the last few years to make it really convenient to access your documents wherever you go,” explains Orin Thomas, a technical expert and author who is a Microsoft MVP and MCT with a number of MCSE and MCITP certifications.

“The thing about security and convenience is that the more secure something is, the more inconvenient it is. With devices pushing towards convenience, it means there is absolutely no security in digital business documents. If you can copy a document to your phone or to a USB stick, whoever picks it up may be able to get your documents.”

Many techniques have offered ways of ensuring control over who can use digital documents in the field, but the most promising has been to encrypt documents automatically before they are stored in cloud-based storage services.

The encryption keys to those documents are stored back at the enterprise, and compliant viewer applications are designed to check every attempt to access a document against the licensing server at that enterprise. Document authors can also set protection levels that govern whether users may take screenshots, print, redistribute or take other actions with digital business documents.

By checking access rights for the document against the master content-protection server, the client application decides in real time who is able to access a document, and who is not; permitted users are given a copy of the organisation's public key. In this way, access rights can be revoked simply by refusing to supply the public key to the viewing application. Without it, data thieves will get nothing but an encrypted and unreadable data file.
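The flow described above can be sketched in a few lines of Python. This is an added example, not code from the article or from any rights-management product: `LicenseServer`, `open_document` and the rights names are hypothetical. It assumes the server releases a per-document content key to permitted users (the article describes the released material as the organisation's public key) and uses a standard-library stand-in cipher.

```python
import hashlib, hmac, os

def _xor_stream(key, nonce, data):
    # Stand-in cipher (SHA-256 counter keystream) so the sketch runs on the
    # standard library alone; a real deployment would use a vetted AEAD.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def _subkeys(key):  # separate encryption and integrity keys from one content key
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

class LicenseServer:
    """Hypothetical enterprise-side server: keys and policy never leave it."""
    def __init__(self):
        self._keys, self._policy = {}, {}
    def protect(self, doc_id, plaintext, policy):
        key, nonce = os.urandom(32), os.urandom(16)
        self._keys[doc_id] = key
        self._policy[doc_id] = {user: set(rights) for user, rights in policy.items()}
        enc, mac = _subkeys(key)
        body = _xor_stream(enc, nonce, plaintext)
        tag = hmac.new(mac, nonce + body, hashlib.sha256).digest()
        return {"doc_id": doc_id, "nonce": nonce, "body": body, "tag": tag}

    def request_license(self, doc_id, user):
        rights = self._policy.get(doc_id, {}).get(user, set())
        if "view" not in rights:
            return None  # revoked or never granted: no key is released
        return self._keys[doc_id], frozenset(rights)

    def revoke(self, doc_id, user):
        self._policy.get(doc_id, {}).pop(user, None)

def open_document(server, user, blob, action="view"):
    """Compliant viewer: asks the server on every open, then enforces rights."""
    licence = server.request_license(blob["doc_id"], user)
    if licence is None:
        raise PermissionError(f"{user}: no licence for {blob['doc_id']}")
    key, rights = licence
    if action not in rights:
        raise PermissionError(f"{user}: '{action}' not permitted")
    enc, mac = _subkeys(key)
    expected = hmac.new(mac, blob["nonce"] + blob["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("document was modified in storage")
    return _xor_stream(enc, blob["nonce"], blob["body"])
```

Usage rights such as printing are enforced by the viewer after the key is released, so they hold only as far as the client is compliant. Refusing to release the key is the control a copied file cannot bypass.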

“The permissions are built into the document,” says Thomas. “You have a higher level of control over the document, and you can say for example that you don't want a particular document to leave Exchange. If someone tries to email it to a Gmail or Hotmail account, it won't open.”

This architecture – built into technologies such as Microsoft's Windows Rights Management Services (WRMS) – is a significant step forward from older approaches based on Pretty Good Privacy (PGP), which depended on the free exchange of public keys that had to be managed by users.

Yet while WRMS-style techniques have been around for some time, they are not heavily utilised – often because the business has adopted new data types, such as PDF files, that fall outside the realm of WRMS protections.

Ironically, the result is a strong sense of insecurity regardless of the technologies installed: a recent Ovum survey of senior IT professionals and business managers found that just 9 percent felt safe from insider threats around the theft of data.

New technologies were a commonly named source of the insecurity, with concerns over technologies such as big data initiatives (named by 73 percent) and cross-border data exchange (70 percent) reflecting the pace of technology change.

Fully 68 percent of respondents were concerned about the lack of visibility into service provider facilities, while 64 percent were worried about the potential for unauthorised third-party access and 61 percent were concerned about not knowing where the data was being held.

Despite the widespread sense of insecurity, Australian organisations were far less concerned than their American counterparts about the abuse of privileged access rights, with 37 percent of Australian and 63 percent of US organisations expressing such concerns.

Across the board, encryption and better key management were named as the most important deterrents against insider threats. Fully 67 percent of surveyed Australian organisations were planning to increase their security budgets as a result of insider threat activity.

That sort of activity, as the US Department of Defense and many others have found out the hard way, can lead to unwanted and damaging exposure from many fronts.

“If the US Department of Defense had had this sort of security in its documents,” Thomas says, “Julian Assange would never have been able to open them.”

With new architectures continuing to cause angst amongst those concerned with information security, however, improving digital document security techniques are seen as the most promising way of keeping up with the influx of inside and outside threats.

As companies like Nitro extend these protections to PDF and other file types, the potential to build an ecosystem of security will continue to increase. And, in turn, vulnerabilities from poor key management will steadily decrease as digital document security becomes something that is enforceable at every stage of the document lifecycle.

“Many of the most damaging hacks done on big companies have been perpetrated by privileged insiders,” Thomas says. “Over the next decade we're going to see awareness of rights management increase – and it won't be systems administrators that have the keys to the kingdom like they had in the past.”

Orin Thomas, along with Microsoft Rights Management Services and Windows IT Pro, partnered with Nitro recently to deliver a documents security webinar.