How Do You Monitor Documents?
JumpDrive writes "I have been presented with a problem recently, which I know others have probably faced. During the last month, one of our customers accused us of providing another customer with their specification. So the question arose: how do we, or can we trace documents and find if they are being opened or used somewhere where they weren't intended. We don't want to be restrictive, because at times, we have people all over the place, but if one of our documents were opened in a foreign country, that would arouse suspicions. Most of our documents are made with MS office suite, and I have been thinking of working on a macro to ping a server, but that would require the user to enable the macros, and it would also require the insertion into about 1000 documents. But it's been difficult for me to find a solution that doesn't prevent someone in Omaha from opening a document for legitimate use and is not a solution that can easily be disabled or hacked around."
See topic - MS do something which seems to be essentially *exactly* what you want, and since you are using MS Office, I would suggest giving it a try.
http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx
The best solution to your problem probably would be using Microsoft's AD RMS.
http://technet.microsoft.com/en-us/library/cc753531.aspx
AD RMS provides you with the ability to control licensing, opening, printing, etc. of documents. This will provide you with the audit trail you might need.
Of course, you can still photograph every screen while scrolling through the pages, so it's essentially worthless in practice, but it might satisfy your customers' demands for proper paperwork.
Yep, implementing AD RMS will be a heck of a lot of work, and you'll surely need to adjust your internal processes in order to incorporate AD RMS.
What you're planning on doing is DRM: Which is, as all Slashdot readers know, impossible with a properly determined person. And in your case (industrial espionage), there are better people working on it than a few hackers that try cracking Blu-ray in their spare time.
The only way to control information is when you are the only one who has it. Once you transfer information to another party, it will be out of your control.
You could introduce a system that prevents your customers' access to the raw document files, i.e. allow them to open it through your "secure" document viewer, which doesn't provide a save option. But then they can still create a screenshot of the data (making a photo of the computer screen is also a screenshot).
The thing you are looking for is called DRM, which is broken by design.
Incoming document goes to a project manager who enters the document into an intranet document management system. Access to it is given to people that need to work on it and they can check it out, make changes, and submit it back in. Like how source code version control systems work.
In my company the incoming documents are converted into a wiki and access is given to people who need it. Once work is done on it it requires two different people (managers/experts) to review it and mark it as complete. Then it is converted back into a Word/Excel/PDF/Whatever document and sent to the client.
The wiki works well for documents that are not heavily formatted.
You don't say what operating system you are running on the clients (I'm assuming windows of some variety), what network os you are using, or where the files are stored.
However, you want to turn on file access monitoring. It's pretty simple if you have one file server and all the files are there because you only have to turn it on once. Here's a good start:
http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch03n.mspx
If you are running linux, http://www.rootprompt.org/article.php3?article=10751 was the second article in a google search.
Depending on the number of users and files, your logs can fill up quite quickly. You may also want something like SNARE http://www.intersectalliance.com/projects/index.html to monitor workstations. They may be doing some server work this morning; I'm getting a time out on the web page.
The bigger question though is if your clients think you are cheating them, why will they believe your logs?
You may also want to get some books on windows and linux security monitoring.
I keep my sensitive documents in a locked cabinet. Never had an issue with a document opening itself in a foreign country.
Nobox: Only simple products.
The watermark doesn't even have to be high tech, it can just be a guid inserted at some point in the document, with a company policy that says when you can remove it (never?), when you should change it (when it crosses a boundary, like a departmental boundary) and how records should be kept (e.g. a central database of which event caused the creation of a new guid).
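A sketch of the central GUID record this comment describes, added here as an example and not part of the original thread. The table layout, the `[doc-id: ...]` stamp and the function names are assumptions chosen for illustration; each boundary crossing mints a new GUID linked to its parent, so a GUID found in a leaked copy can be walked back to every hand-off.

```python
import re
import sqlite3
import uuid

GUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)

def open_ledger():
    """Create the (hypothetical) central database of issued marks."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE marks (
            guid    TEXT PRIMARY KEY,
            parent  TEXT REFERENCES marks(guid),  -- GUID the copy was made from
            doc     TEXT NOT NULL,
            holder  TEXT NOT NULL,                -- who received this copy
            event   TEXT NOT NULL,                -- why a new GUID was created
            created TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
        )""")
    return conn

def mint(conn, doc, holder, event, parent=None):
    """Record a boundary crossing and return the GUID for the new copy."""
    if parent is not None:
        known = conn.execute(
            "SELECT 1 FROM marks WHERE guid = ?", (parent,)).fetchone()
        if known is None:
            raise ValueError("parent GUID was never issued: " + parent)
    guid = str(uuid.uuid4())
    conn.execute(
        "INSERT INTO marks (guid, parent, doc, holder, event) VALUES (?,?,?,?,?)",
        (guid, parent, doc, holder, event))
    conn.commit()
    return guid

def stamp(text, guid):
    """Low-tech watermark: append the GUID to the document text."""
    return f"{text}\n[doc-id: {guid}]\n"

def trace(conn, leaked_text):
    """Map every GUID found in a leaked copy to its chain of custody,
    oldest hand-off first. A GUID that was never issued maps to []."""
    result = {}
    for found in GUID_RE.findall(leaked_text):
        chain, cur = [], found.lower()
        while cur is not None:
            row = conn.execute(
                "SELECT parent, holder, event FROM marks WHERE guid = ?",
                (cur,)).fetchone()
            if row is None:
                break
            chain.append((row[1], row[2]))
            cur = row[0]
        result[found.lower()] = list(reversed(chain))
    return result

if __name__ == "__main__":
    db = open_ledger()
    g1 = mint(db, "spec-A", "Engineering", "created")
    g2 = mint(db, "spec-A", "Sales", "crossed Engineering -> Sales", parent=g1)
    leaked = stamp("Shaft diameter 12.5 mm ...", g2)   # constructed sample text
    for guid, chain in trace(db, leaked).items():
        print(guid, chain)
```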
DRM is broken by design.
Document DRM is even simpler to circumvent. Tiny cellphone/digital cameras. Screenshot much? Notepads? A really good memory is anti-ddrm. The best you can do is log access, but once it is accessed, there is no control over specifications. YMWNV.
Often wrong but never in doubt.
I am Jack9.
Everyone knows me.
Don't know how many document formats support it, but perhaps you could have an embedded image or other embedded information pointing at a file on a web server. All accesses would then be recorded on the server log.
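What reviewing that server log could look like, as an added example that is not part of the original thread. It assumes each issued copy embeds a unique image URL of the hypothetical form `/b/<token>.png`, that the web server writes Combined Log Format, and that a registry records which networks each recipient is expected to open the document from; the tokens, addresses and log lines are constructed.

```python
import ipaddress
import re

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes "ref" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
BEACON_RE = re.compile(r"^/b/([0-9a-f]{16})\.png$")   # hypothetical URL scheme

# Hypothetical registry: token -> (document, recipient, expected networks)
REGISTRY = {
    "3f9c2a71d0b84e55": ("spec-A rev 4", "Customer A", ["198.51.100.0/24"]),
    "a41e07c9925bd610": ("spec-B rev 2", "Customer B", ["203.0.113.0/25"]),
}

# Constructed sample log (documentation address ranges only).
SAMPLE_LOG = """\
198.51.100.23 - - [12/Mar/2009:09:14:02 +0000] "GET /b/3f9c2a71d0b84e55.png HTTP/1.1" 200 68 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.40 - - [12/Mar/2009:10:02:51 +0000] "GET /b/a41e07c9925bd610.png HTTP/1.1" 200 68 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.200 - - [13/Mar/2009:03:41:17 +0000] "GET /b/3f9c2a71d0b84e55.png?x=1 HTTP/1.1" 200 68 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.77 - - [13/Mar/2009:04:00:00 +0000] "GET /b/0000000000000000.png HTTP/1.1" 404 0 "-" "curl/7.19"
192.0.2.77 - - [13/Mar/2009:04:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.19"
this line is not a log entry
"""

def scan(log_text, registry=REGISTRY):
    """Return (alerts, malformed_line_count) for beacon hits in the log."""
    alerts, malformed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            malformed += 1
            continue
        beacon = BEACON_RE.match(m.group("path").split("?", 1)[0])
        if beacon is None:
            continue                      # ordinary request, not a beacon
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            malformed += 1                # e.g. a hostname in the client field
            continue
        token = beacon.group(1)
        hit = {"time": m.group("time"), "ip": str(ip), "token": token}
        entry = registry.get(token)
        if entry is None:
            # Someone is requesting beacon URLs that were never issued.
            alerts.append(dict(hit, doc=None, recipient=None,
                               reason="unknown-token"))
            continue
        doc, recipient, nets = entry
        if not any(ip in ipaddress.ip_network(n) for n in nets):
            alerts.append(dict(hit, doc=doc, recipient=recipient,
                               reason="unexpected-network"))
    return alerts, malformed

if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG)
    for a in found:
        print(a["reason"], a["ip"], a["recipient"], a["doc"], a["time"])
    print("malformed lines:", bad)
```

A missing hit proves nothing: a viewer that does not fetch remote content never appears in this log.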
What you are trying to do is what DRM has been trying to do for a long time: prevent unauthorised people opening a document on untrusted hardware.
The reason all DRM ultimately fails is because the system opening the document is untrusted. You simply can't have easy access outside your company with the ability to do things like print and prevent unauthorised copying, the two are mutually exclusive.
There are systems which do what you are asking, but they all rely on only trying to open the document within your company where you can control the software environment. At best they would let you find out if a document was say printed, copied to a USB stick or sent by email etc, but after the document leaves your company there is basically nothing you can do.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I used Citrix for a bit while working with my father's company.
It might be completely useless for what you want, but thought I might suggest it.
When you let the documents out of the house, there is no way to prevent people from using the information. If the information was only available on a web-page with passwords and monitoring of user and IP-addresses you will at least have some control of the information.
pgl
Sharepoint is your best bet here.
The only alternative I can think of is checking your docs into your source control.
Remembering that you are going to die is the best way I know to avoid the trap of thinking you have something to lose.
I've used Microsoft Sharepoint for this in the past, it's not the greatest app, but it certainly helps for what you're talking about
http://en.wikipedia.org/wiki/SharePoint
Protection of data is hard. There are many variables to consider.
The first step to understanding what data requires protection is to perform a risk assessment. This will help identify information which may result in financial loss, corporate brand confidence in the event that the data is compromised.
It's important that this task has senior management sponsorship. Getting a sysadmin to "get on with it" is not good enough. It needs input from the business to understand the information that needs protection and also the funds to purchase the relevant software, hardware to provide the enforcement controls. Policies and procedures should be written to make it clear what should be done with the data, and also to illustrate to staff, guests, business partners what is acceptable.
Controls typically are installed on the desktop, servers and network in-line controls to capture information as it flows throughout the network.
In your direct question, there are a few options to protect the Word documents. But this is only a small set of the things you need to consider. Word does have some DRM controls and I'll leave it up to you to look into it. What is important to note is that Word format may not have all the necessary controls that you need, and you may need to compensate these with others.
If your company is serious about this, they really should get a security consultant involved to help you identify the risk areas, document the controls, and help with an architecture to protect the information across your enterprise environment.
A couple of security vendors do have some products on the market, but this area is still pretty young, but it is a growth area.
Google Data Loss Protection products from RSA and McAfee for a start.
Widely used in the Legal Industry for collab, control etc.
You have completely missed the point of Ask Slashdot. It's just not about doing a 5 minute search and randomly choosing one. The reason people ask this group questions like this is because they want more detailed information from people who have hopefully had hands on experience doing these things. What worked? What didn't? Why did it, or did it not, work? How was it implemented? You may not be able to find that kind of information easily even if you know what to search for. And once you have that information, there are other people to give their insights on that person's stories. It has the potential to be one big chain of helpfulness.
Sure, it's a cheap and lazy way of getting someone else to do some of your work for you, but it's not generally a bad thing. I know if I was completely clueless about some tech related problem, I'd probably ask here. Wouldn't you?
Basically, what you want is to keep track of information. The fact that it is in a digital document in office or a sheet of paper is irrelevant. Printed papers are both easier and harder to control. First they are easier to track down and count. But in the end, if they are on the loose, the probabilities of finding the source of the leak is very, very thin (the only way is to use some sort of security paper). In a digital document, if the leak is the document itself, verbatim, then, if tight DRM controls are in place, you will find where the leak is very easily. But in the end, security doesn't survive a photographic camera or a copy/paste of notepad... Transposing to analog and digital again will remove almost all fingerprinting that you can add to any document. As for the accusation by itself, the best way to work around it is to help out the client and ask them for help to find and squash both the leak and the issue. The great majority of these issues come from human factors (and in the case of digital documents, computer security/virus). So... in the end, GL...
I suggest that you look at Trend Micro's Leakproof product http://us.trendmicro.com/us/products/enterprise/leakproof/
It should provide the type of protection that you are looking for.
Assuming your documents are stored on a Windows server, one option is to enable NTFS auditing. This requires no changes on the client side.
That is the simple answer.
If you want to give something to someone, you can't control what they do with it. That is like saying "I want to give this hammer to a friend, but I want to prevent them from loaning it to someone else, or using it to smash computers with."
If you don't trust the person that you give something, then the chain of trust is broken. Everything we do is based on trust. I trust if I give you an emergency key to my house that you won't rob me. I trust that when I accept cash from you to pay for a service that it isn't counterfeit. I trust when you sign a contract with me, you will live up to your duties in the contract. I trust when you babysit my children you won't rape them. You pretty much asked for exactly what the whole point (and failure) of DRM is all about- trying to FORCE *everyone* to trust and comply with your wishes. You can't. Welcome to humanity.
No, you can't. If you want people to be able to read it, they can copy it. You can make it more cumbersome but nothing can prevent screenshots. You can waste a lot of time and money, but the best you will achieve is being able to say "we tried". Because you cannot succeed. You can't distribute a document and at the same time expect it to remain secret.
At my workplace we handle standards and manufacturing procedures for a variety of companies worldwide. We don't lock our documents but we do use adobe PDF's so we can track who accesses. They state that it's basically not feasible to be able to prevent access to something unless you were to grant it remotely in the first place (similar to like a view-only google doc) instead of giving a document to your customer. Meanwhile, this could still be screencapped if someone wanted their own copy, so it's not even worth it.
As people have said, once a doc is out there, you can't stop access to someone determined even if you have server validation to open it. This is like the "how do you secure a PC from the feds" thing where the answer is if they have physical access/their own copy, you don't.
For this reason, the best steps we have for validation are everything we can do on our side to ensure that the documents are only given out to the appropriate individuals. Thus like anything, human error is the only way it would be released really.
Depending on your budget, there may be some value in looking into the "Interwoven" Document Management System (DMS).
It's primarily marketed to legal firms, however it's got great file tracking (i.e. who, where, when opened, printed, viewed, and for how long, etc.) and is quite well rounded to suit the needs of just about anyone.
Has no Linux support for the server or desktop clients though...
....move along....nothing to see here....
Have you looked into SharePoint? You can get external hosts for it and load your documents to it like you would a NFS; from there you can both monitor and manage access rights to all of your documents. You can allow customers temporary login rights that allow them to view specific documents, can even restrict their use to "read only" - preventing saving a local copy...in theory. Of course, the aforementioned industrial espionage methods (memory sticks, cell phone cams, etc) circumvent these methods, but this will at least keep casual users from deliberately redistributing your works. A good legal consent banner on the site can help scare off users as well, as all IP addresses can be logged and you can pursue offenders like the RIAA if you want...
"how do we, or can we trace documents and find if they are being opened or used somewhere where they weren't intended?"
"if one of our documents were opened in a foreign country, that would arouse suspicions."
"Logging access" is exactly what he's trying to do. The idea here would be at least knowing, and if you've only given a document to one external entity, you know you have a leak somewhere within that entity or your own organization. Simple managed watermarking can help to discover which.
And DRM in general may be broken, but it's not that black and white: DRM does prevent some casual theft of content, because it's a hassle...that's all anyone with a brain -- and who has paid attention to anything in digital media for the last decade and still employs DRM -- expects anymore.
Those who wish to pirate content will ALWAYS be able to do so, regardless of any protections put in place. Perhaps someday those who favor DRM will realize that the losses from hassle to honest customers or prospective customers outweigh anything "gained" from having DRM in place.
But back to the issue at hand, which is a different one: an organization wants to track -- and potentially prevent, under some circumstances -- access to original documents representing proprietary data. A "DRM" model (like that employed by Microsoft Rights Management Server) can help to accomplish this. Of course, once someone discovers it's in place, then any number of untrackable circumvention options, such as those you mentioned, can easily be employed. So, the best option for this case is passive tracking/logging.
This ask slashdot seems a little suspicious to me, it does seem to exactly match the feature set of a suite of microsoft products.
Anyone worth their salt as a system administrator that works with microsoft tools should know the features of microsoft office and the add on server components to get the DRM system working in an enterprise.
It sounds surprisingly close to what you would find in a microsoft pamphlet.
OK, you've gone for a tech solution to a problem before really asking what the problem here is. So what's the real problem? Legal liability, of course. Your customer X is accusing you of sharing data with their competition Y.
Create a job to track sensitive documents. If you only have a few, then it would be additional duties for someone. If you have a lot, it's a new position. This job is to track who has legitimate access to sensitive documents. When customer X starts throwing allegations you've shared data with customer Y, everyone that has legitimate access to the data is required to sign an affidavit that they did not share the data with people not authorized to have the info. Now customer X has to PROVE that one of your employees did indeed do so, and that their affidavit is a lie. MUCH harder to prove and a lot cheaper for your company to defend against.
Of course, that won't stop customer X from THINKING you did, and that may cost you that customer, but absent using a full up sensitive document control system like the government does, there's no real inexpensive solution I've found. I'd be interested to see if /. comes up with one though.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
RMS wouldn't be very cooperative. You'd have to try and convince him to drop his aversion of proprietary software.
First, though, if you don't have a document handling and marking policy for PAPER documents, you're unlikely to succeed implementing one for electronic documents. In other words, if you don't presently mark printed documents with restrictive handling requirements ('secret', 'confidential', 'proprietary', 'atty-client privileged'), it won't do you any good to try to control their electronic versions.
Second, Windows has never been designed to try to enforce more than discretionary controls. What does that mean? It means that EVERYONE who touches the machine or its data is presumed to be cleared to see whatever is on the machine. They may not have the need to know what's there (that's what DAC does), but they're cleared to see it - so they're TRUSTED to handle it correctly.
If that doesn't describe your environment, you should reconsider whether a single-level system, like Windows, is suitable for storing, printing and using your documents in your environment.
This http://www.documentum.com/ is how we have been doing it very successfully for a number of years. Very easy for us to implement and extremely easy for the end-user to use.
have a look at microsoft sharepoint, they have document checkout so you can see exactly who did what with the document http://www.microsoft.com/Sharepoint/default.mspx
MS claims to do something which seems to be essentially *exactly* what you want
There, fixed that for you...
You can put a lot of walls around the document, but that will badly hurt its usability. The end user would want to be able to print it? There you already have a leak that no software can control, especially if it is a postscript/pdf printer.
You can agree there is no use to copy/paste portions of your documents, no need to use them under any other platform than windows, but printing?
The problem will end up being in how many ways you will penalize the rightful users of those documents to avoid someone else to access them.
Another approach to the problem is to take the computer and just digital media of that document out of the middle. Maybe you can give your documents in a personalized Kindle-like device that only can be used to see the doc and nothing more, but only will work putting even artificial restrictions on the usability of them.
actually says I don't 'trust you when you shake my hand- but if we get a third party (or more involved) then I'll trust you'
every day http://en.wikipedia.org/wiki/Special:Random
I don't think you can find a good solution just by technical means alone. Having run into this problem as a company attorney, I can say that the best defense is to define and enforce a strong document management policy. Technical solutions without a defined policy will only make you a pariah. Also, you should check to see how the specs came to light in the document at issue. I recall one episode where one of our business development personnel sent a draft contract (in Word format) to a potential customer having used an earlier contract with another customer as a template. The BD person deleted the details from the earlier contract and inserted new (less favorable) terms. The other party turned on the redline mode to see the deletions and insertions and demanded the same terms as the earlier party. Everyone involved at our end was pretty embarrassed. The solution was to require that all drafts of all legal and business documents be sent in PDF or a "scrubbed" version of the Word document using a product from Workshare.
lol
DRM doesn't work. It's technically impossible.
Your best bet is to not give the document to untrusted parties.
- Jesse McNelis
...and that is all I have to say about that.
http://jessta.id.au
No, I wouldn't come here FIRST. I would have done a little research on my own before I came to a (suspect) public forum to ask my question.
A little bit of upfront leg work isn't unreasonable to ask.
---- Booth was a patriot ----
according to RMS, your documents want to be free.
Anybody halfway competent can sanitize documents. The easiest way is to transcribe them.
All types of DRM and watermarking have been broken successfully, typically with far lower effort for the attacker than the defender spent in the first place.
You basically cannot defend yourself against this type of accusation and that is one of the reasons why the accuser has to prove them and not the accused to disprove them. I would advise you to terminate business relations with the people accusing you. ''Nonexistent trust'' is a good enough reason.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Once it hits the net, it's gone. For this scenario, I'd say try implementing version and access control. You'd know everyone that accessed their particular spec, so the potential leak could be easier to spot. Please don't do the macro thing. That just sounds painful and ineffective. Investigate the version control offerings available to see what fits you best.
Openoffice 3 can export docs to pdf format which can be password protected and encrypted. You can also prevent the copying of the contents too.
Your issue is more of a trust issue imo. Your customer doesn't trust you, so you have been put in a really difficult position of proving you are trustworthy, and at this point you cannot prove anything. They'd have to be a _really_ good customer to put up with such a situation.
I work for an architect office, and we use Buzzsaw http://usa.autodesk.com/adsk/servlet/index?siteID=123112&id=2407898 for sharing documents. It doesn't limit what is done with the documents once they are downloaded, but it gives exact details of who took what. Useful audit trail (amongst other things ;) )
It will tell you who access specific files on CIFS shares.
Endless TPS reports and other BS paper work and they keep a tight lock on office supplies. We had to call the cops to remove someone after we took the red stapler back from the desk that he failed to return at the end of the day and he went nuts.
EMC IRM (Formerly Authentica (yes, there is a typo in the summary))
Oracle IRM (Formerly SealedMedia)
Liquid Machines
Adobe LifeCycle Rights Management
Bottom line, if you EVER had access to read either an electronic or paper document, you can NEVER conclusively prove that you didn't somehow gain a copy and do Whatever(TM) with said copy. Unless there was a human watching you during every moment of the access, or maybe you were videotaped during every moment of access.
You can implement systems to track who had access to a document. The more comprehensive these systems, the less likely it is that you'll be suspected of mistreating the document or information within. Such tracking increases accountability, though it's next to impossible to 100% assure that every person who accessed the data never did any unapproved thing with it.
If you don't want to do the aforementioned rights management services, then you can set file-level permissions to limit the number of people with access. If that's not enough, you can implement filesystem auditing, to log each access to the file. That narrows the suspect list even further, from those who CAN access the file to those who DID access the file. Both of these depend on a tight system of account administration controls, and the latter also depends on a trusted secure storage repository for the logs. Naturally the integrity of any or all of these systems can also be questioned.
Suddenly one gains appreciation for a system of justice which places the burden of proof on the accuser, eh? The only way to evade suspicion is to make sure you never had access to the thing you might be suspected of behaving badly with.
use samba. crank the loglevel high to see who accessed it, use ACLs on the server to discriminate access to specific users.
I believe Google Apps has done a fantastic job of this. Each document can have different people who are invited to both view and edit the document. As well, you can provide the visitor with rights to invite more people. Above all, it has the entire trail of changes by every user at every moment the change was made. You can track any change directly back to the person editing the file. Best of all, you can set up Google Apps to only authenticate on your domain and you can import any type of Office document into the system.
How about a third party app like Next Page?
http://www.nextpage.com/products/document-retention.htm
There is no way to prevent someone from doing something like taking a photo of all the pages on a screen and sending them to someone.
However, a product like Sendside will let you track everyone who receives, opens, and forwards a message that you send.
If you are really paranoid you can use encryption on the document and make all recipients provide their own encryption keys.
OK, so it really isn't that dire, but you cannot control what software will be used to open a document, so you cannot possibly guarantee the ability to track such access. Of course you can devise a system that tracks most accesses, but your specific example - opening a document in Europe IIRC - would be most likely to be defeated by the wide popularity of diverse FOSS tools such as linux and the tools that run on it.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
It's funny, many here assumed that the best solutions is purely technological.
Most controls are based on the three Ps: People, Processes, and Products.
People: you need some sort of awareness. Either it's some sort of agreement that all your partners/clients/employees sign, are constantly reminded of, or are presented with often. You need NDAs. You need legal/contractual protection. You need to define the consequences of not following these (e.g. contract termination, disciplinary measures, legal liability/lawsuits, etc).
Processes: you need processes that support the objective(s). This can either be through business intelligence, workflow audits, whatever (if you don't have experience with this get a business analyst or the process nerd in your herd who knows this stuff) and needs to take the user experience, technical limitations, and controls in place. Know what type of controls you have (manual, automatic, technical, procedural, etc). Ignoring processes is irresponsible and YOU WILL LOSE.
Products: yes, you need some technology to support the People and Products. Whether it's sharepoint, JimBob's GPL'ed DRM solution, there will always be that "analog black hole" risk (e.g. you can have strict DRM in place, but nothing really prevents users -- technically anyways -- from pulling out her smartphone and taking snapshots of the document on the screen or picking up the phone and reciting it). See how one fails without the other?
Each of these support each other, and ALL are needed to work.
The tough part is figuring out all the components, how to put it together, and in today's economy, how to get budget to actually actualize all this.
...we document monitors!
http://www.object404.com
1) Act dim.
2) Pretend you don't know about some obscure hardly used functionality in the product you are trying to promote.
3) Phrase your question as though that one piece of functionality is essential to your very being.
4) Maybe act surprised and appreciative when some poor fool points out what you already know. ( try not to laugh in their face )
4) Sit back and hope that the promotion takes hold in the minds of genuinely dim people.
The only way you can do this is if you centralize access: place the document only on a central server and only allow access to it by viewing it on that server. Then that server can log every access and where it came from. That means, BTW, that you can't make the document accessible via a Web server, since the user could just do "Save As..." and make a local copy. Ditto making it available from a file share. You'd need to set up remote access to the server (X11 and an SSH tunnel, for instance, or Windows Remote Desktop), lock down any sort of remote transfer (disallow SCP, disallow the remoted desktop from sending files to its local desktop) and provide a viewing application that logged accesses.
The fundamental problem is that once you give a copy of a document to someone, you've got little control over what they do with it. It's the same problem we've always had with documents: if you give someone a physical document, you've precious little control over whether they slap it in a photocopier and run off a few copies of it to give to people they shouldn't. Approach the problem in the same way you'd approach the same problem with a physical document.
If you want to do that, never send electronic copies.
Send only hard copies, printed on paper with a security watermark, and with a tamper-evident seal.
Actually, don't send them. Allow access to them only at your secure facility. By people who have undergone thorough background checks. And who are strip-searched before entering the viewing facility, to prevent smuggling hidden cameras in.
Or, you could just deal with the fact that information is going to get out.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
During the last month, one of our customers accused us of providing another customer with their specification.
Forget about fancy industrial espionage scenarios with evil Chinese crackers. If this really happened and isn't just paranoia on the part of your customer, chances are it was someone in your company who had authorized access to the specs and, probably out of stupidity or by accident, forwarded the confidential information to someone they shouldn't have.
Sadly your most effective approach is to comb through e-mail logs of people with access to this document, and see what attachments they've been forwarding recently.
As others have already explained, there's no way to prevent this kind of thing from happening again, either. Just educate your people to keep confidential documents secure and get rid of people who disregard this rule.
I worked for a company that did many military contracts and required heavy document security. One of the biggest items I learned out of the training I needed to follow is that the procedures put in place are not so much to protect the documents, but to be able to control and limit the impacts of leaks.
In this case the labeling of documents "For US eyes Only" meant something, and "Controlled Copy". The security staff could always audit (ask to see the document) to make sure it was properly stored and being handled properly. If the document was lost, a breach was assumed, a security incident was declared and registered with the authorities (eg: US gov). The document was assumed compromised, and appropriate disciplinary action was taken if required.
All of this was procedural, as an employee, you were informed and responsible. If you photocopied a page, it was a breach. They NEVER gave a digital copy - too risky. Any Controlled copy had to be returned - just saying it was destroyed was not enough, they needed auditable proof (ie: they needed to do it) - because anytime someone could call "bullshit - prove it"
All the tech being listed here is to support a process - but you need the process first. This is older than computers - and there are many solutions out there. Unfortunately, for us tech guys, the old "To a hammer, everything is a Nail" rings true - everything can be solved using tech.
You simply cannot control the distribution of a document once it is out of your hands.
However, you CAN trace information. Agree with your customer to include information that is deliberately inaccurate in your spec: certain figures are off by a predetermined fraction, for example.
That way, if the information IS leaked and appears in the hands of parties unaware of the misinformation, you can at least tell its origin.
DRM is snake oil
DRM is snake oil in the way it's used to protect media from copy.
Because at the same time DRM is supposed to enable one to show the content (and thus give the key to the individual holding a copy) and exactly at the same time it's supposed to stop unlicensed copies (thus preventing the exact same person using the exact same keys to copy the exact same media in a different way).
It's snake oil, because in the classical cryptographic triangle - A(lice) sending a crypted message to B(ob) without C(harles) snooping it - DRM makes B and C the exact same person.
Hence the contradiction, and hence DRM is doomed to eternally fail to protect media, no matter how contrived means are applied to it.
Here the reader asks a completely different question:
he wants A to be in the headquarters, B to be an employee in Omaha, and C is some person doing industrial spying in Russia or China.
Some people are supposed to have the cryptographic keys to the documents, other people aren't supposed to have the keys.
In that circumstance, cryptography might help...
(Well, that's assuming that the thief is an external person. Of course if that was an inside job, we're back at a situation that movies are in. But then the company has a much bigger problem of trust toward its employees to tackle first).
MS claims to do something which seems to be essentially *exactly* what you want
Well, the real problem is at the beginning of the sentence :
MS do something which seems to be essentially *exactly* what you want
Given their long history in terms of computer security, you can count on MS to completely botch their solution...
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I recently attended a presentation of new startups at my University, and I think that the products of FortressWare are exactly what you are looking for: http://www.fortressw.com/showdemo2008.htm I haven't tried them, but from their presentation it seems they provide what you need.
Digital files cannot be made uncopyable any more than water can be made not wet. -- Bruce Schneier
Colorless green Cthulhu waits dreaming furiously.
I'm not sure if this would solve your problem, but have you thought about encrypting/password protecting the documents? While this is not foolproof against internal leaks (which you make it sound like), it should be quite effective against thieves.
The area is called content management. Full-blown enterprise CM is six-figures and up. Sharepoint is on the low end. There are some open source options. Haven't used them.
Since we are an Oracle shop we are looking into Beehive as a low-end solution. If you delete a file it claims to use its agent to delete all instances of that file even on local workstations. Seems too good to be true.
It's a big, expensive job involving training, careful planning and some software expense any way you go.
Hi, I've been using SealedMedia (now Oracle IRM) for some time now. It will help you track files and put security features on things like printing, email, print screen, etc. Again, if you can open it nothing stops you from using an external camera to take a picture, but this would be a good start.
http://www.oracle.com/technology/products/content-management/irm/index.html
Quick! Call up the NSA. This guy's onto something.
Shai Schticks:"You don't make peace with friends, you make peace with enemies"
The original question notes, among other things, that opening the file while out of the country would raise suspicion. How would anything determine the difference between an out of country user using VPN access to control a computer in country and an actual in country user? Wouldn't seemingly legitimate users likely be using VPN to access the document when not on site, and thus impossible to track directly through the document?
No matter what the state of your Document Control (DC) is, what the client is asking for is going to be EXPENSIVE (both time and money). Instead of running around trying to solve this DC problem, ask the client what proof they have of this spec leak. I would bet that some mid mgr of your client's is playing CYA by accusing you of the leak and there is no concrete proof. Better yet, the leak could be on their end. Instead of looking at this as a simple technical problem, I would attempt a root cause analysis first, then cost analysis and finally negotiate the deal. You'll find that what people ask for, most of the time, has nothing to do with a solution to their problems.
How about having such documents sent to one person, or a small team, who encrypt them and generate the keys. The document is then provided by *that* team's site, and all access to the files is recorded, *and* a request to that team must be made for the appropriate key, and who each key was provided to, of course, would be logged.
Would that cover it?
I would use GPG, since other encryption software might be illegal to allow someone traveling out of the country to carry.
mark
The customer making the claim just lost a 'key employee' to their competitor. They took your documents with them and handed them over. He was probably French.
And use the web server to monitor accesses to your heart's content. This will show you if someone opens the docs from a foreign country or any other location. :)
Of course it doesn't protect the documents in any complete way - just like with any other DRM, a smart user could circumvent this by using a proxy or making an offline copy of the doc.
But then if you don't trust your employees, nothing will work anyway
Did you know that "FTW" ("for the win") is a direct translation of "Sieg Heil"?
While nothing is going to prevent screenshots for people who have access to the documents, perhaps you should consider a wholly online solution. Documents are created and shared online only...no documents via email or placed on a central server where they can be copied elsewhere.
Access to the documents is secured and logged.
Keep the documents on your web-site (in HTML or PDF, if you must). Protect access to the site with customer-specific usernames/passwords. Instead of mailing out entire documents (in a proprietary format), mail out links to them instead — and save us all some bandwidth.
Yes, a user with elementary knowledge of computers will be able to download your doc (especially easy with PDF) and then e-mail. But all the other little schemes are defeated with the same amount of elementary knowledge.
You can also put some limitations into your PDF-files (such as no printing), but, as I say, these are all defeated fairly easily.
In Soviet Washington the swamp drains you.
I don't know if I'd find the information here "suspect". There's a lot of knowledgeable people here. For a first choice? Maybe not the best choice, but if you're really stumped and have no place else to turn, I wouldn't say Slashdot is a terrible place to ask a question and get some help.
Some people just get into "writer's block mode", for a lack of a better term, when you have a pressing issue to deal with. I know it happens to me from time to time with my job. I just simply ask people who are more knowledgeable than I am, that I don't have to work with (to eliminate any potential bias) to see if I can hear of any sort of solution. You may not always hear the "correct" ones, but it can help in getting those neurons fired up.
Since you are using MS Office documents, best place to start is Microsoft as you aren't the first person to have a request like this... Search their site.
Other things I know to look at other than what has been suggested are:
-Office Live (Cloud Stuff, but does tracking)
-Sharepoint (You can internally host it on an Intranet and make it available via Internet and it also provides checking in and out of documents and tracking and can be extended to do extra things you might need, but it is a quick out of the box solution that is free if you have a Windows Server.)
-Do your own ASP.NET/PHP based web site to host the documents and do your own tracking, not as simple as the Sharepoint solution, but can be as effective and as easy.
For the last two if accessibility to the documents is an issue, you can use WebDAV or other mediums that give you OS level folder integration, so the users don't even have to access or see the documents via a browser.
I used to work for a company called Provilla, later acquired by Trendmicro, who developed a product which I believe addresses your issue. The idea is just because you've given certain users the rights to view or modify files, that doesn't mean they have the right to email, copy to mass storage, or print the files. The product can both report and block unauthorized use of files by users who are otherwise authorized to view and modify the files:
http://us.trendmicro.com/us/products/enterprise/leakproof/
One important factor in making security decisions is the tradeoff between preventing access by unauthorized people versus annoying authorized people. You can implement five-stage biometric security to open a lab door, but that increases the chances that lab workers will prop the door open when they go to the bathroom.
The main convenience issue that occurs to me in your situation is what happens when someone opens the document without a network connection? If somebody backhoes the Internet connection to your Omaha office and your access control system can't connect to a server in New York, is the Omaha employee allowed to read the document? If not, how would you prevent someone annoyed by that fact from using Copy and Paste (when he's got a network connection) to create an OpenOffice version of the document?
Are employees allowed to print the document? If so, how do you plan to prevent them from handing it to an unauthorized party in a manila envelope? If not, how do you deal with annoyed users who like to print specifications so they can use a highlighter and write notes in the margins?
Ceci n'est pas une signature.
Use secure pdfs. Intel does (.pvd). When you open the doc you have to enter a password to view it. Can't edit, copy, etc from it. Yes, someone may crack it. but all you have to do is diligence in securing it, and you are ok. If some unscrupulous person cracks it, you are not responsible. You did your best. So the person has to install the secure software to view the secure pdf. Then you have the person download their secure pdf from your doc server. You know who got it, and that it is locked. You are set.
wake up and hold your nose
We have a similar situation, where some clients send us CAD drawings that are sometimes highly sensitive.
The first rule is to keep them only when needed. Do not distribute them and erase them asap.
Then we have a hardware USB key that is needed to start the 'document reader' (obviously these are not word documents).
Finally we use "CryptoCard", a calculator-like device, unique for each user. Whenever we are connecting remotely to the document server, we receive a challenge (numbers) that we must enter on the device. The device then gives us numbers back to be entered to access the server. These numbers identify the card, thus the owner of the card. Date/time/IP and all that is also logged. In my experience the challenge changes every 2 minutes; obviously time on the server and the device must be in sync.
At this time these 3 rules and methods are considered enough for our needs and customers.
I have had good luck with the MS IRM stuff. If that won't work you might consider hosting everything centrally and require your users to view them over Citrix or some other thin client technology.
The talk of DRM is kind of ridiculous. DRM is for preventing unauthorized people from gaining access to files. DRM does nothing for preventing people you supposedly trust from accessing files and sharing the information therein. You either trust the people who access your data or you don't.
You do need a tracking system of some sort, as your brainstorming illustrated. What you need will need to be on the server-side of things - any client based tracking (where the records are stored for any length of time) will not be able to be trusted. If you're using Samba based file sharing, tracking which files are opened by whom is trivial through the log files.
Once you know who's opened/copied a file, then you know who has access to them and will be able to track down the guilty party, if indeed there is one. If your access mechanisms are not granular enough to track this much, that is where you need to start.
NFI how you'd go about it in Windows.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Let's say that up until now you haven't had the ability to monitor documents to the extent specified. You can't prove whether or not the leak occurred from within your domain. Neither can they: they don't have the ability either, or you'd know. So they can't disprove your (forthcoming) assertion that the leak came from within their domain, and you can't support it. But as we can see commonly happen, accusations carry more weight than mere questions, rightly or wrongly. Accusing them will wake them up and put you on even footing. From then on you can develop a mutually acceptable and workable security system.
It'll have to be rigorous, as in enlisting the OS to assist. Otherwise one could simply copy the file and open it outside a secured domain. And that too will take oversight, by one such as a security admin who'll be able to track the file's circulation including any instances of it being copied. Note that opening for editing constitutes an explicit copy until (at least) the changes are saved, which would show up, and copying the data from memory to a swap file would constitute an implicit copy that wouldn't normally get reported. It could, however, be used to grab a copy (of a copy) of the file just as we used to use a browser's cache for grabbing copies of streamed media that weren't otherwise easily snagged.
Of course you could use the information above to show they can't support their assertion and so you could sue them for defamation. Better, you could give them the choice of that or joining you in investigating the security problems and solutions, and possibly investigating the competitor for espionage. Once again, accusations can carry a lot of weight. But then the competitor might be willing to join the investigation in order to be able to track their own as well as (as could everyone) prove that any infringements didn't come from their domain. The best security comes when all are watchers and all watch each other in the open.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
This is even worse than purpose of typical DRM. DRM is supposed to prevent people who can read the data from copying it somewhere else.
This "problem" is how to prevent people WHO CAN WRITE AND COPY DATA from copying it in some specific way (into documents that are sent to other customers).
The amount of draconian control over simple operations such as cut/paste, email and conversion of formats will make any useful work absolutely impossible long before the system will become sufficiently restrictive to fulfill its purpose.
It also sounds like you have a highly toxic work environment already, so maybe you will be better off finding another company to work for. Unless, of course, you are yet another Microsoft astroturfer trying to promote Sharepoint and other related crap.
Contrary to the popular belief, there indeed is no God.
I was trying to solve a somewhat similar problem and while I'm not sure if there is going to be an easy drop-in solution, I think you can assemble what you need using a combination of a Samba file server to store the documents and either a custom monitoring daemon on the file server that uses the inotify API, or set up the auditd rules and put together some scripts to transform the audit log files into a report you can use.
For what I needed I ended up writing a simple bash script that runs continuously in the background and uses inotifywait to monitor a directory. It sounds like you need something more granular so I suspect the auditd solution would be more of what you need.
The weak point of the system, and for any document sharing system, is what happens after a user copies a document to their local machine. As others have stated solutions like DRM are bogus, the only way to absolutely control information is to not allow access in the first place.
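The auditd route suggested above, sketched as an added example (not the commenter's script): it turns audit records into a per-document list of who read the file and who was refused. It assumes a watch rule such as `auditctl -w /srv/docs -p r -k doc_access`, where the directory and the key name `doc_access` are hypothetical, and the log lines are constructed samples trimmed to the fields used here.

```python
import re
from collections import defaultdict

# auditd writes file names containing spaces or special characters as bare hex.
HEX_NAME = "/srv/docs/globex spec.doc".encode().hex().upper()

# Constructed sample records (not taken from a real system).
SAMPLE_LOG = f"""\
type=SYSCALL msg=audit(1230000000.123:101): arch=c000003e syscall=2 success=yes exit=31 items=1 pid=2345 auid=4294967295 uid=1001 gid=1001 comm="smbd" exe="/usr/sbin/smbd" key="doc_access"
type=PATH msg=audit(1230000000.123:101): item=0 name="/srv/docs/acme-spec.doc" inode=4711 nametype=NORMAL
type=SYSCALL msg=audit(1230000042.500:102): arch=c000003e syscall=2 success=yes exit=31 items=1 pid=2350 auid=4294967295 uid=1002 gid=1002 comm="smbd" exe="/usr/sbin/smbd" key="doc_access"
type=PATH msg=audit(1230000042.500:102): item=0 name="/srv/docs/acme-spec.doc" inode=4711 nametype=NORMAL
type=SYSCALL msg=audit(1230000100.010:103): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=2361 auid=4294967295 uid=1003 gid=1003 comm="smbd" exe="/usr/sbin/smbd" key="doc_access"
type=PATH msg=audit(1230000100.010:103): item=0 name="/srv/docs/acme-spec.doc" inode=4711 nametype=NORMAL
type=SYSCALL msg=audit(1230000200.777:104): arch=c000003e syscall=2 success=yes exit=32 items=1 pid=2345 auid=4294967295 uid=1001 gid=1001 comm="smbd" exe="/usr/sbin/smbd" key="doc_access"
type=PATH msg=audit(1230000200.777:104): item=0 name={HEX_NAME} inode=4712 nametype=NORMAL
type=SYSCALL msg=audit(1230000300.000:105): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=900 auid=0 uid=0 gid=0 comm="cat" exe="/bin/cat" key="other_rule"
type=PATH msg=audit(1230000300.000:105): item=0 name="/etc/passwd" inode=99 nametype=NORMAL
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_name(raw):
    """Return a PATH name, undoing auditd's quoting or hex encoding."""
    if raw.startswith('"'):
        return raw.strip('"')
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw  # e.g. "(null)"


def parse_events(log_text, key="doc_access", id_field="uid"):
    """Join SYSCALL and PATH records of one event and keep those tagged `key`.

    Which id field identifies the share user depends on how the file server
    switches identity, so `id_field` is left to the caller.
    """
    events = {}
    for line in log_text.splitlines():
        match = HEADER.match(line.strip())
        if not match:
            continue
        rtype, stamp, serial, body = match.groups()
        fields = dict(FIELD.findall(body))
        event = events.setdefault((stamp, serial), {"syscall": None, "paths": []})
        if rtype == "SYSCALL":
            event["syscall"] = fields
        elif rtype == "PATH" and fields.get("nametype") != "PARENT":
            event["paths"].append(decode_name(fields.get("name", "")))

    accesses = []
    for (stamp, _serial), event in events.items():
        syscall = event["syscall"]
        if syscall is None or syscall.get("key", "").strip('"') != key:
            continue
        for path in event["paths"]:
            accesses.append({
                "time": float(stamp),
                "uid": syscall.get(id_field, "?"),
                "exe": syscall.get("exe", "").strip('"'),
                "path": path,
                "success": syscall.get("success") == "yes",
            })
    return accesses


def report(accesses):
    """Map each document to the ids that read it and the ids that were denied."""
    by_path = defaultdict(lambda: {"readers": set(), "denied": set()})
    for access in accesses:
        bucket = "readers" if access["success"] else "denied"
        by_path[access["path"]][bucket].add(access["uid"])
    return dict(by_path)


if __name__ == "__main__":
    for path, who in sorted(report(parse_events(SAMPLE_LOG)).items()):
        print(path, "read by", sorted(who["readers"]), "denied", sorted(who["denied"]))
```

The denied set is worth reviewing as well as the reader list, since refused opens show who tried to reach a document they were not granted.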
This has great tracking capabilities, it is opensource, and should do what you need.
Have you looked into Adobe Acrobat server? It uses server side authentication to allow management of documents in real-time so you can add, change or remove rights to documents. It also allows for live update of content within documents to provide up-to-date stats and data. We have been evaluating it for our company. It isn't cheap but will probably be less than the legal cost of defending a lawsuit.
Tell your tech writers not to copy and paste specs or other internal documents.
Or if they do, have them save the copies without metadata. I'm not a betting man, but the odds are, your company didn't share your customer's secrets with its competition. The potential liability is too big and too obvious. Instead, I'd wager someone tried to save time by cutting and pasting one document into another as a template. The tech writer then modified the template to address the new client's needs and emailed it off. The new client then opened up track changes and read the specification information from the original document.
This wouldn't be the first time that "secure" information leaked out because someone failed to scrub a document's metadata or failed at redaction.
--AC
I agree that there may be a lot of knowledge here but there is far more blind bias around these parts that make all advice suspect and subject to rational review.
---- Booth was a patriot ----
The simple solution is to use google docs and tie your documents to google analytics.
Issues like version history to track changes .. and auditing capability already built into file servers should make this easy to deal with.
In my company we use Live link externally and share point internally .. seems to work for us.
Of course it cannot track what a person who has access to the document will do with it, i.e. print or share with someone else.
You have got to involve someone with an active firehose.
That is competence no matter how you slice it.
Letting an AT&T tech find out about the NSA closet on the other hand was not competent.
I'm sure they are being more discreet these days.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Code Green Networks provides scanners that detect and block certain documents from going across your network. Of course, they won't stop an intelligent and determined corporate spy, but that's a much harder problem.
I hereby place the above post in the public domain.
You want to implement MAC to allow fine grained access to documents. In Linux this is SE Linux. In Windows, there is something called WIC (which I found by googling Windows + MAC ;-).
Later . . . Jim
Document DRM is easily "hacked around" with a camera phone or a really good memory. You're looking for a technical fix, but the technology isn't the problem. There is no technical solution to misplaced trust.
Watermarking could possibly help you trace it back to the culprit after the fact.
We are local government and we have migrated to EDMS for just such a thing. We are using TechnologyOne's Dataworks http://www.technologyone.com.au/index.php?id=270 But HP's Trim is worth a look as well http://h18006.www1.hp.com/products/software/im/governance_ediscovery/trim/index.html Depending on the size of your company. I would be *tin foil hat* about using Google analytics for such a thing...
Not to mention that, in general, Ask Slashdot stories are about questions that would be useful to a wider group of people, not just the person who submitted the question. Perhaps someone else was needing an answer to this problem, or someone else has a similar problem but wasn't sure how to go about it and will get help from this. This one might be a bit more limited than most, but can still be useful by many.
And it's a great resource for the future, a good Google result.
for accessing would be to publish these documents in an environment that supports logging of such events (in some of our custom software we use https intranet that logs some users actions and identity by ssl certificate),
and as for leaking ... you can say "i cooked my meal today" or "i cooked a meal today", do the same at various parts of the document, distribute different versions and when a leakage occurs you just compare versions. if content is too important you could place extra line breaks, double white spaces, paragraph margins, font sizes and other non-disturbing content randomly throughout the document. simple and effective, though you'd probably need a custom software for distribution and comparison of such documents on a larger scale.
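The per-recipient wording variants described above (and the deliberately altered figures suggested earlier in the thread) can be automated; the following is an added example, not code from any poster. The template text, the synonym slots, the recipient names and the HMAC-based assignment of variants are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import re

# Constructed specification text; each {n} is a slot with two interchangeable
# wordings. Slots must appear in numeric order.
TEMPLATE = (
    "The controller {0} a 24 V supply. The housing {1} be sealed to IP65. "
    "Firmware updates are {2} over the service port. The unit {3} within "
    "two seconds of power-on. Logs are {4} for ninety days. The vendor {5} "
    "test reports {6} delivery. Spare parts remain {7} for ten years."
)
SLOTS = [
    ("requires", "needs"),
    ("shall", "must"),
    ("applied", "installed"),
    ("starts", "boots"),
    ("kept", "retained"),
    ("provides", "supplies"),
    ("before", "prior to"),
    ("available", "obtainable"),
]


def norm(text):
    """Lowercase and reduce every run of non-alphanumerics to one space, so
    retyping, reflowing or re-punctuating a copy does not hide the wording."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def pattern_for(recipient, key, salt=0):
    """Derive one bit per slot from a keyed hash, so the assignment cannot be
    guessed from the recipient name alone."""
    digest = hmac.new(key, f"{recipient}:{salt}".encode(), hashlib.sha256).digest()
    return tuple((digest[i // 8] >> (i % 8)) & 1 for i in range(len(SLOTS)))


def build_registry(recipients, key):
    """Give every recipient a unique pattern, re-deriving on a collision."""
    if len(recipients) > 2 ** len(SLOTS):
        raise ValueError("not enough slots for this many recipients")
    registry, used = {}, set()
    for name in recipients:
        salt = 0
        pattern = pattern_for(name, key, salt)
        while pattern in used:
            salt += 1
            pattern = pattern_for(name, key, salt)
        used.add(pattern)
        registry[name] = pattern
    return registry


def render(pattern):
    """Produce the copy of the document that carries this pattern."""
    return TEMPLATE.format(*(SLOTS[i][bit] for i, bit in enumerate(pattern)))


def extract(leak):
    """Read back one bit per slot from leaked text; None where the slot is
    missing or ambiguous (for example when only part of the text leaked)."""
    parts = re.split(r"\{\d+\}", TEMPLATE)
    haystack = f" {norm(leak)} "
    observed = []
    for i, variants in enumerate(SLOTS):
        before = norm(parts[i]).split()[-2:]
        after = norm(parts[i + 1]).split()[:1]
        hits = []
        for bit, wording in enumerate(variants):
            probe = " ".join(before + norm(wording).split() + after)
            if f" {probe} " in haystack:
                hits.append(bit)
        observed.append(hits[0] if len(hits) == 1 else None)
    return observed


def identify(leak, registry):
    """Rank recipients by how many observed slots disagree with their copy."""
    observed = extract(leak)
    seen = [i for i, bit in enumerate(observed) if bit is not None]
    ranking = sorted(
        ((name, sum(pattern[i] != observed[i] for i in seen))
         for name, pattern in registry.items()),
        key=lambda item: (item[1], item[0]),
    )
    return {"observed": len(seen), "ranking": ranking}


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed value, keep a real one secret
    registry = build_registry(["acme", "globex", "initech"], demo_key)
    leaked = render(registry["globex"]).upper()  # simulated retyped leak
    print(identify(leaked, registry))
```

A short excerpt may match several recipients with zero mismatches, so the `observed` count tells you how much weight the ranking can bear.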
Unsurprisingly, this is a people problem, meaning that technology might help, but any technology-centric approach is entirely the wrong one.
The key is to make sure that, by design, people who shouldn't be able to access other people's information cannot, and furthermore that any attempt isn't merely logged but raises alarms. When it happens you should already know what to do about it, ie you have prepared the procedures in sufficient detail. This is lots of work, but still cheaper than trying to regain trust from your customers.
For ideas you can take a look at, for example, The Practice Of System And Network Administration, Limoncelli et al. But forget all the technology suggestions until you understand the structure of your problem.
As an alternative, you'd have to publish docs in an ebook type format that includes a contact back to a server to log who and where a document was opened. Standard OOTB functionality of Office or even PDF is too easily defeated.
I'm only familiar enough with netapp out of the nas/san vendors to feel like I can speak authoritatively, but netapp has a feature to audit cifs (windows file sharing) access/modification. Throw "cifs file auditing" into google and you'll get some results. This will only really give you auditing at the first level of access, if someone accesses it legitimately and then passes it on you're out of luck, but you'll have a list of who accessed the initial file at least, which may be enough.
Anyway, YMMV, but if you've already got netapp or some other storage vendor, it might be worth looking into.
RandomAndInteresting.com defending the world from stupidity since 1979
Same way as the Feds do it. Physical security. Faraday cage rooms. Locked buildings. Fences. Armed guards. X-Ray machines and strip searches. Camera phones, laptops, and electronics confiscated at the door. Then observe and log everyone in the same room as the document in question. Etc.
There's no other way.
In common law (US slightly different so check) there are 4 elements that a plaintiff has to prove before relief can be granted. They are:
1. that damage was caused
2. that damage was caused by your action or inaction
3. that you knew (or should have known) such damage would be caused and
4. the costs required to put the plaintiff back to where he was before the damage occurred.
If the customer cannot even remotely enumerate these points then they are basically stuffed. A good move in this situation is to not accept any responsibility but to agree to work with the client to address their concerns about security. That isn't the same as allowing them on a fishing expedition.
Above all, be reasonable and consult a lawyer.
Anyone that tells you that they can solve this problem is lying or ignorant. A specification is just words, and maybe a few diagrams. It is being suggested that someone who had legitimate authority to view that info, gave it to someone else. Since the legitimate viewer could just retype the spec, there is no technological solution. The only hope you would have is to pull a phone book maneuver, and intentionally insert a few errors. This will still only give you circumstantial evidence. You could spend billions trying to make your documents secure, and it will still never happen. This is strictly a social problem with no technical solution.
Heck, this problem existed before computers were even used in business. Documents were copied, sales people would leave with lists of customers, you name it. Thinking that you can solve the problem with a computer program is just fantasy.
You need to contact these folks: www.brainloop.com
They are out of Munich, Germany and within the last year added an office in the US. Their system is exactly what you need.
There is no denying that this is an important problem. If you can't assure your customers of your security, they will simply refuse to do business with you. That means in short order going out of business. So security is important, but so is accountability.
OK, you cannot make absolutely sure that every person that encounters a document will not give it to someone else they should not. However, you can make sure that each such legitimate access is tracked and that people with access are accountable. You can then make it clear to everyone that violating company security is grounds for immediate termination.
Simple solution is a secured web site where people have to log in to access documents. This can be tracked in logs. So you now have absolute knowledge of each and every person that accesses a document. Simply by convention you can enforce the policy that there is no distribution other than the web page. Someone violates this policy and they are canned.
Security involving humans has to involve accountability. There is no other way.
Worst case, a person authorized to view a document could take pictures or video tape of the screen.
Nothing you can do to stop that.
DRM is snake oil in the way it's used to protect media from copy.
I think the point is to make it more difficult, not impossible.
About the difficulty itself: I think that the companies are currently over-estimating the role played by person-to-person copies (that used to be the main means of dissemination back when the only reliable network was the sneakernet).
Currently the simplest way to get an unlicensed copy of anything is to :
At no point is the random user even inconvenienced by the DRM system. The copy is just a couple of mouse-clicks away. It's hard to be even simpler than that.
That's why I personally think that DRM is doomed for the role most companies are trying to use it for:
it's completely inefficient to anyhow slow down the propagation of copies.
All it takes is *one* single time the DRM to be defeated by a motivated group (and as I said previously, the cryptographic model of DRM is broken so this group will always succeed) and it's suddenly available to anyone on the planet.
DRM proponents usually respond to the "DRM is a broken system" argument by showing that a high number of modern keys aren't 100% perfect either and could be broken too, but are enough.
A locked house could be broken into by a motivated enough thief equipped with correct tools; nevertheless a standard lock is enough to put off most casual vandals and therefore is good enough. Similarly DRM - even if broken - is well enough to slow down dissemination of material.
But the analogy isn't valid: One motivated and decently equipped thief can break 1 lock at a time and steal the content of one house. The net result after breaking this lock is 1 single robbed house.
Whereas with DRM, thanks to internet-based distribution schemes, it would be as if by breaking 1 single lock, the motivated thief suddenly made all the same kind of house everywhere on the planet simultaneously available for all the world's burglars at the very same second. The net result would be all similar houses magically all robbed by everyone at the same time.
I consider most DRM schemes the same as all the FBI warnings at the beginning of movies :
- completely useless because the target audience never gets to see them.
- their only effect is to annoy legitimate users who did buy an original copy.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Furthermore, I'd argue that what makes locks effective is not the difficulty in opening them per se; most locks are actually not difficult to open. Heck in many cases all you need to do is break a window which could hardly be called difficult.
Also after breaking a window, one burglar has finally enough access only for himself, and he - alone - will be able to rob the house.
After breaking the DRM and managing to make 1 single unlicensed copy, thanks to the power of the internet suddenly everyone else in the world is instantly able to have access to this broken copy.
It is as if the same window broke on all houses of the same street and all the world's burglars were auto-magically teleported inside these houses to rob them at the same time.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
(Replying to myself...)
About the difficulty itself: I think that the companies are currently over-estimating the role played by person-to-person copies (that used to be the main means of dissemination back when the only reliable network was the sneakernet).
Currently the simplest way to get an unlicensed copy of anything is to :
Valve's Steam system is a counter example:
Some people argue it's much more successful than anything else, even if it itself incorporates some kind of DRM (just like Securom and Starforce), because some gamers are just considering Valve cool by default, and the other DRMs just evil by default, in a kind of Apple-vs-Microsoft fanboyism. (The recent review about piracy featured on /. was giving such stupid argument)
But my opinion, is that Steam is tremendously successful, *because* it manages to achieve the same kind of *convenience* :
.
All legal software you may want to obtain are all only 1 click away.
Just click on one button and you immediately have access to the game of your choice, all this without even leaving your house, all this accessible at your convenience directly from the couch.
I think that Valve pretty much understood the advantages of internet distribution and part of why the piracy is popular.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I guess they consider it a different room to talk in, so to speak. Talking at the firehose is like talking at the front curb near the fire hydrant. Talking here is putting it on the big screen in the convention center.
Or something like that.
But, as far as I know, that's the way it works.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
You can enable auditing on the file server (go to the security tab of a parent folder and then click Advanced | Auditing). With this approach, you can audit all aspects of the files in the folder (if people are opening, deleting, changing, etc a file). Or, you can enable Group Policy and enforce the users to accept the macro settings you specify. With this approach, you can use the macro approach you outlined.
All over the world:
"This document will now self-destruct in 5 seconds"
In Soviet Russia:
"This self-destruct will now document in 5 seconds"
Damn you, Soviet Russia!
yup, the usability suffers.. the flip side of audited work.
Storm
I was at a customer site in a large company. *All* of the company's computers use encryption when writing to/reading from media, using HW installed on the computer. Any file copied to a non-company machine is unreadable.
Adobe have options built into PDFs to do exactly this. My sister gets files like this and has to log into a website before the PDF will open (it's encrypted) and it disables printing, copying, editing, etc.
Reminds me of a similar event. Someone had "leaked" information out of a company. Turned out that someone had "cut" the sensitive information out of the .doc format before releasing the document to the internet, rather than rewriting it. Now because of the autosave function, that info was still there. Someone simply opened the document up in a text editor, and bam! Sensitive info!
Could it be possible something similar happened here? Do your workers have autosave on? And do they re-use forms? Could they have cut out the company's sensitive info, only to have it reappear in a text editor?
Open Source: Eroding the Digital Divide
You need to be able to set an expiration policy on your documents.
I don't know what available system will do this for you but here's the idea (and it's probably not new).
Typical users of your document get to use it for a prescribed period of time, then it locks them out and corrupts itself (which is better than encryption as it can't be 'solved'). You can then additionally use available DRM to disable printing, copying, etc.
What you don't tell people is how long they have to use the document. It could be a day, 2 days or a week. When the document expires it provides a notice of where they can get a new copy to work with (Sharepoint or other login only network share).
So while this won't ultimately prevent screencaps, photos or similar 'analog' conversions - it does limit the window of opportunity and provides continuous tracking of who is accessing documents from where.
Another tracking option would be to enable a remote backup/sync system for all employees who work out of the office. Here you will get access times, modification dates, evidence of copying (files have to be created for even a 'digital-analog' copy to occur (screencaps, copy/paste, hand-typing)) so you will have mitigated that vector... given that you employ a journaling system of some sort so people don't just take screencaps then upload them to a server or off to a USB, then delete them.
In any case you get a snapshot of employee filesystems to use for an investigation - a pattern of behavior will often point to a guilty party, at which point if they have committed a real crime, you can get the feds involved for some surveillance of your own.
A fool throws a stone into a well and a thousand sages can not remove it.
As a public agency, we use Laserfiche to control access internally and externally. Full auditing of who saw it, who edited, printed, exported...
The OP asked how to monitor. Most of the above is on prevention.
Encryption is part of it.
Part too can be some form of chain of custody.
Each document has some form of who did what. Version control with change logs.
This way you know who had the document.
But consider that Office apps have a bunch of hidden data in them. So mark each document with multiple flags so that each copy checked out is different. This can be done either in the hidden part of the document, or by setting subtle style flags (right margin on page 3 is 1.495" instead of 1.500 inches; font for Heading 2 is 15.95 points, not 16). You have to have enough flags so that a bunch can be changed and there are still enough to uniquely identify the version.
This way at least, if your customer can get the 'revealed' document, you have a chance of finding out what part of your organization is insecure.
Another possibility is to only allow editing of documents via a virtual machine located in the server room. There is no copy on the local machine. Connections to the virtual box are through the company VPN. If the document is printed locally it is imprinted with the version, who it was printed for, and where it was printed.
Third Career: Tree Farmer Second Career: Computer Geek First Career: Teacher, Outdoor Instructor, Photographer.
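A sketch of the style-flag marking described in the comment above, as an added example that is not part of the original post. The slot names beyond the two the comment mentions, the 32-slot count, the keyed-hash derivation and the matching thresholds are all assumptions chosen for illustration.

```python
import hashlib
import hmac

# Flag slots: (style property, normal value, marked value). The first two
# are the comment's own examples; the other 30 are constructed.
SLOTS = [
    ("page3.right_margin_in", 1.500, 1.495),
    ("heading2.font_pt", 16.00, 15.95),
] + [("para%d.space_after_pt" % i, 6.00, 5.95) for i in range(1, 31)]

def fingerprint(secret, recipient):
    """One bit per slot, derived from a keyed hash of the recipient name."""
    digest = hmac.new(secret, recipient.encode(), hashlib.sha256).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(len(SLOTS))]

def mark(secret, recipient):
    """Style values to apply to the copy checked out by this recipient."""
    bits = fingerprint(secret, recipient)
    return {name: (marked if bit else normal)
            for (name, normal, marked), bit in zip(SLOTS, bits)}

def identify(secret, recipients, leaked, max_mismatch=3):
    """Match the styles found in a leaked copy against every issued copy.

    Slots absent from the leaked copy are skipped; slots whose value was
    changed count as mismatches. Returns (recipient, mismatches), or None
    when too few slots survive or no single recipient stands out.
    """
    scored = []
    for r in recipients:
        expected = mark(secret, r)
        seen = [n for n in expected if n in leaked]
        miss = sum(abs(expected[n] - leaked[n]) > 1e-6 for n in seen)
        scored.append((miss, -len(seen), r))
    scored.sort()
    best = scored[0]
    runner_up = scored[1][0] if len(scored) > 1 else len(SLOTS)
    if -best[1] < len(SLOTS) // 2:          # too many flags stripped
        return None
    if best[0] > max_mismatch or runner_up - best[0] < 2:
        return None
    return best[2], best[0]
```

Because every recipient's bits come from the keyed hash, only the list of recipients and the secret need to be stored, not a table of per-copy values.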
You could set up a secure site and distribute them via that site. This would allow you to monitor logs of who was accessing the site. Microsoft Office SharePoint Server would give you built in role based security, collaboration and versioning out of the box. It's a bigger project, but might add to customer satisfaction and increased security.
I reiterate what some others said, you have a business problem first - once you solve that then seek a technical solution to implement.
How about creating a corporate culture of honesty and professionalism?
There's no way you can technically prevent the sales guy in Omaha from telling the other client the specs he's seen from the first client.
But if he knows that honesty and professionalism are valued as much as making the sale (and dishonesty is not acceptable), and if his boss knows to only hire the kind of people who are compatible with this culture, there won't be a problem.
Like several have said before me - this is a people issue not a technical/process issue. I'd stop looking for a technical solution because you will make the human issue worse.
"Action is the thing that escapes most people. Great ideas are a dime a dozen. Great actions are few and far in between.
So, you're looking for a technical solution to the problem of evil behavior in humans. Good luck.
The beginning of enlightenment in data security is the notion that a breach could always occur. The question is not how to prevent all breaches, the question is how to organize the data, allocate it to individuals, and protect its transmission to minimize the effect of the inevitable breach when it DOES occur.
The document in question had somewhere in the neighborhood of 16 keypoints. I spotted 13 key points. So the document either came from one of 3 sources (companies). Within our company it would have probably only come from an upper level manager, but it is possible that some other people working in the production phase could have released the document.
The release of the document in question probably only has civil issues involved. But we have other documents that if released would carry much heavier penalties. These latter documents or proof of dispersion of these latter documents would not show up in civilian products.
So what I'm trying to determine is if our documents are being dispersed. What I have discussed with one manager is creating an update to certain documents and see if they do show up somewhere else. What we would like to know is if documents are going out. If they are what type of documents and to where.
Depending on what type of documents are involved we would either terminate the suspected employee or call in law enforcement for further investigation.
If you really want these features
a) add some accountability. Like, a few years in gaol for leaking. And hunt the suckers down.
b) hire some experience. From the military or a three letter agency.
It's a solved problem (and not by our-favourite-company-in-Redmond)
The reality, in a commercial environment, is to accurately price leaks; do an appropriate risk analysis and act accordingly.
The problem, in a commercial environment, is that certain elements in the company (usually in marketing and sales) think that this sort of process doesn't apply to them. (Like software types, marketing is "special")
What I like about ask slashdot is that nobody is trying to sell anyone anything and there are enough knowledgeable people that the "you can fool some of the people all of the time and some of the people all of the time, but by no means both" rule applies. It's kinda' like peer review, except we all constantly bicker and are openly hostile... in other words, we're a bunch of geeks doing what we do best on the topics we know best. Did you ever notice how many people from the marketing department hanging around this joint? Exactly. And, all things being equal, the fanboys camps usually about equal out (I've seen Microsoft employees stand their ground here, on technical merit alone, against hordes of zealots on a few occasions) such that it's a zero sum game when politics come in to play.
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
Check out DLP: http://en.wikipedia.org/wiki/Data_Loss_Prevention.
Data Loss Prevention (DLP) is a computer security term referring to systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. The systems are designed to detect and prevent the unauthorized use and transmission of confidential information.
We're evaluating the following appliances where I'm employed:
Reconnex
FTK SilentRunner
Vericept
Vontu
I agree that the solution needed isn't just software. It is a problem with people. I imagine the path by which the competition got the specs is much more like the way this company attorney mentioned. Somebody got lazy in writing up the specs and decided to cut and paste and accidentally left in details from the previous specification. Scrubbed documents can do a little to solve this problem, but I imagine human error still creeps in now and again. Though specs tend to be somewhat repetitive and formulaic, you might get traction using a home brewed "turn it in" like solution usually used to keep undergraduates from plagiarizing. It may create more work on the end of your company, but the only way to keep specs from leaking from one customer to another is to make sure that each document is written "clean" and isn't a modification of one belonging to one of their competitors. Make the formulaic parts explicitly so by creating templates, then compare the content of the non-formulaic fields using a diff-like command. If the similarity passes a certain threshold, then have a new pair of eyes take a look at the document before sending it out into the world.
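The pre-release check suggested in the comment above, as an added example that is not part of the original post. The field names, the sample specs, the set of formulaic fields and the 0.8 threshold are constructed; word-level comparison with Python's `difflib` stands in for the "diff-like command".

```python
import difflib
import re

# Fields the template fills in identically for everyone (constructed names).
FORMULAIC = {"Legal notice"}

# Constructed sample data: one outgoing spec and the archived specs of
# other customers, each as {field name: free text}.
OUTGOING = {
    "Legal notice": "confidential do not distribute",
    "Materials": "housing machined from 6061 aluminium with black "
                 "anodised finish and steel inserts",
    "Interfaces": "two rs485 ports and one can bus connector on rear panel",
}
ARCHIVE = {
    "customer-a": {
        "Legal notice": "confidential do not distribute",
        "Materials": "housing machined from 6061 aluminium with clear "
                     "anodised finish and steel inserts",
        "Interfaces": "single ethernet jack with poe support mounted at front",
    },
    "customer-c": {"Materials": "injection moulded abs enclosure in grey"},
}

def words(text):
    """Lower-case word list, so spacing and punctuation do not hide a paste."""
    return re.findall(r"[a-z0-9]+", text.lower())

def needs_second_review(outgoing, archive, threshold=0.8):
    """List (field, other customer, similarity) for each non-formulaic field
    of the outgoing spec that closely matches another customer's spec."""
    hits = []
    for customer, spec in archive.items():
        for field, text in outgoing.items():
            if field in FORMULAIC or field not in spec:
                continue
            ratio = difflib.SequenceMatcher(
                None, words(text), words(spec[field]), autojunk=False).ratio()
            if ratio >= threshold:
                hits.append((field, customer, round(ratio, 2)))
    return sorted(hits, key=lambda h: -h[2])

if __name__ == "__main__":
    for hit in needs_second_review(OUTGOING, ARCHIVE):
        print("second pair of eyes needed:", hit)
```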
Netware and Zenworks provide this functionality and granular fs permission management. Simple automated auditing would generate reports (lots of products out there for this) on which users in which locations opened which documents. You could also have triggers set up to broadcast messages to specific admin terminals when someone reaches outside the data they should be touching.
The only drawback is having to set this up if you're a windows server shop.
1. if someone can read it they can copy it
2. as they can copy it into an alternate format then this bypasses drm
3. Initial access restrictions through strong user management is the only real solution. Watermarking may allow some trail of responsibility to encourage users to stick to policy.
4. Buy the snake oil if it will keep people happy that an effort has been made. It will certainly discourage the majority of policy breaches through added inconvenience but don't bet the bank on it.
If it's a big enough problem you might consider insider threat management solutions, eg:
http://www.oakleynetworks.com