No matter how secure digital information is inside a corporate network, it is typically open season once it travels outside a firewall. Even with advances in network security, most organizations have little control over digital documents that move beyond protected networks. Document recipients can copy, cut, paste, print and forward information at their discretion. As many executives have learned the hard way, labeling a document “confidential” does not protect the information in it.
The impact of leaked information—whether accidental or intentional—can be dire. Major corporate announcements can go from assets to liabilities if information is made available to the wrong people at the wrong time. Loss of confidential customer data can lead to wide-scale identity theft and legal trouble, damaging customers' finances and a corporation's reputation.
Securing and controlling information is top of mind for business executives. Fortunately, technology advances are providing companies with greater control over sensitive information, no matter where it is and who views it.
By using technology that controls information at the document level, organizations are transforming how they leverage and share confidential business content. Document-level security addresses the need to protect information using controls that move with a document. Upon creating a document, managers can specify recipients' rights of access and even revoke or revise access rights after documents are distributed. Typical controls include restricting who can print, copy or save documents; monitoring who accessed or tried to view materials; and maintaining a complete audit trail for documents, including histories of how they were used.
Document-level security is a natural extension of an organization's efforts to protect enterprise information and is an important part of an overall enterprise rights management (ERM) strategy. Traditional approaches to securing electronic document delivery often involve Secure Sockets Layer (SSL), virtual private networks (VPN) and e-mail encryption. However, these approaches only secure communications lines without providing persistent security within documents after they leave the secure network transport.
Document-level security goes an important step further by using a policy server to establish controls that persistently protect a document through its lifecycle, from creation, to distribution and collaboration, to archiving and destruction.
A Standards-Based Approach
Increasing demand from business executives and IT managers for document-level security is being met by a range of solution providers. Adobe Systems offers its LiveCycle solutions for securing and controlling documents. Microsoft has Windows Rights Management software, while smaller vendors like Liquid Machines have their own offerings.
For companies looking at document-level security, it is important to consider the size of operations to secure and adopt a solution that can scale to meet evolving business requirements. Organizations may want to use a hosted solution from a trusted provider, or for larger enterprise applications, opt to deploy a solution in-house. In either case, document-level security solutions should be built around scalable J2EE, Web-service architectures that help ensure easy integration with existing and planned systems such as application severs, databases, ECM systems, authentication systems and scanning devices.
With so many processes and documents in business today, security strategies need to handle documents created in a variety of software applications and used in different computing environments. Ideally, security policies can be applied to documents individually or as part of batch processes. The resulting policies also need to be dynamic, allowing organizations to revoke or apply new controls on demand.
New Avenues for Business
One of the most exciting things about document-level security is the breadth of business applications it impacts. Product development, bank loans and contracts, legal proceedings, scientific research and customer service are just a few of the many processes benefiting from persistent security within documents.
For instance, Fluor Corporation, a Fortune 500 engineering and construction company, is looking to protect its most sensitive business documents from misuse, such as employees accidentally referencing outdated documents or ex-employees taking confidential best practice guides to their next jobs. Fluor is applying controls to documents that limit who can view materials and how long they are available.
With Adobe LiveCycle Policy Server software, Fluor can assign protections to project management manuals, best practice guides and other materials. The technology requires employees to authenticate themselves to view files, preventing unauthorized people from accessing confidential information. An added benefit of the authentication process is that employees are automatically prompted to download new documents if the versions they have are outdated.
Proactive Security Policies
In another example, a home equity lending group at one of the nation's leading banks is looking to safeguard the loan documents it shares with partners. Like many large lending institutions, the bank was experiencing higher costs and longer times to generate and deliver completed loan packets to title companies. Also challenging was meeting stricter government regulations for securing customer information.
To address the challenges, the bank deployed Adobe solutions to automatically generate and deliver loan packets with built-in security. Today, the company's loan officers can generate password-protected PDF files that only authorized title officers can open and print. They can also set controls on PDF documents so that loan packets expire instantly if new documents are issued.
The demand for document-level security is evident worldwide. An innovative district court in Italy (the Court of Cremona) is securing documents to help ensure conditions of parity between everyone involved in legal proceedings. The efforts are part of a cost-effective system called DIGIT that dramatically reduces the amount of paper used during proceedings.
The DIGIT system captures, manages, submits and archives all types of case documents and information in PDF. As soon as document sets arrive for preliminary hearings, they are scanned and converted to PDF files, in which access policies are assigned. Processed documents are made available online to authorized court clerks, judges, public ministers, and others, who can quickly and securely review case documents in PDF at any time.
Much-Needed Control over Information
Effective security means addressing the variety of ways that organizations and their partners and customers use documents. Limited security approaches focusing only on document storage or transport fail to acknowledge real threats to information as it moves across organizations and people. By building security into documents and making it independent of software applications that typically change from user to user, organizations are gaining much-needed control over who sees information, what is done with it, and where it goes next.
John Landwehr, CISSP, director of security solutions and strategy for Adobe Systems Inc., has held positions at NeXT Corporation, Apple Computer and Gemplus, and his experience includes application servers, smart cards, virtual private networks and digital signatures. He also has experience rolling out a large credit card project. Mr. Landwehr has presented testimony to the United States Congress on electronic commerce and security issues and is a member of the board of directors of the San Francisco Bay Area Chapter of Infragard.