The Security Risks with Sharing Documents and How to Prevent Them

The Issues with Sharing

Sharing documents is a must for businesses to be productive and to work together globally. There are many circumstances in which we need to share data: providing specs and documentation to global outsourcers; collaborating with remote workers, partner and channel relations; communicating with customers; or creating shared repositories for M&A deals. Just a few examples of documents that are shared include quotes, specs, competitive analysis, replies to RFPs and customer presentations. Some of these documents may be highly important or sensitive and if they fall into the wrong hands, accidentally or otherwise, potentially can cause serious damage to a business.

Protecting shared documents is a problem that is hard to solve. By definition, sharing is a hazardous operation, simply by allowing additional people access to   information. Firewalls, intrusion prevention or Data Leakage Prevention (DLP) systems cannot solve this problem since it is not about blocking inbound and outbound communication. Actually, the data is supposed to go out, but its exposure needs to be limited. This cannot be solved by simply putting a password on these documents. Beyond the technical deficiencies of such a method, it simply will not work. A password does not prevent an authorized recipient from sharing with a non-authorized party, as it can be shared with the unauthorized recipient as easily as it was shared with the authorized recipient. No wonder some companies still use the old-fashioned color-copy protection, i.e., sending photocopy-resistant blue paper or using couriers. This is a very expensive and cumbersome way of dealing with the issue at hand.

There are several different aspects of sharing that need to be secured; the first is protecting documents en route. The sender needs to make sure no one can intercept the documents along the way. The second aspect is making sure the recipient is authorized to receive these documents and that only authorized recipients can view it; sometimes one may also wish to provide tracking capabilities and verify that the recipient has indeed received and viewed the sent document. Finally, once the documents reach their rightful recipients, there is the ever tougher issue of making sure they are not transferred or leaked to unauthorized parties. The latter problem is difficult to solve – there are many ways in which documents can leak out. For instance, the recipient can print, forward or even take a screenshot of the important information.

Before we discuss the different ways to solve this problem, let’s take another look at some additional requirements. One important requirement to consider is the age-old tradeoff between security and ease of use or productivity – the solution must be easy to use and deploy. A solution that is difficult to use is also difficult to encourage company-wide, subsequently achieving little security benefit from the investment. Likewise, if the deployment and maintenance is too time-consuming, the solution may fail. Another requirement is how easy and seamless it is for third-party people and entities to use. It is extremely difficult to force an outside party to adopt the solution with no reason to adhere to an organization’s policies and software choices.