How Do You Monitor Documents?
JumpDrive writes "I have been presented with a problem recently, which I know others have probably faced. During the last month, one of our customers accused us of providing another customer with their specification. So the question arose: how do we, or can we trace documents and find if they are being opened or used somewhere where they weren't intended. We don't want to be restrictive, because at times, we have people all over the place, but if one of our documents were opened in a foreign country, that would arouse suspicions. Most of our documents are made with MS office suite, and I have been thinking of working on a macro to ping a server, but that would require the user to enable the macros, and it would also require the insertion into about 1000 documents. But it's been difficult for me to find a solution that doesn't prevent someone in Omaha from opening a document for legitimate use and is not a solution that can easily be disabled or hacked around."
See topic - MS do something which seems to be essentially *exactly* what you want, and since you are using MS Office, I would suggest giving it a try.
http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx
The best solution to your problem probably would be using Microsoft's AD RMS.
http://technet.microsoft.com/en-us/library/cc753531.aspx
AD RMS provides you with the ability to control licensing, opening, printing, etc. of documents. This will provide you with the audit trail you might need.
Of course, you can still photograph every screen while scrolling through the pages, so it's essentially worthless in practice, but it might satisfy your customer's demands for proper paperwork.
Yep, implementing AD RMS will be a heck of a lot of work, and you'll surely need to adjust your internal processes in order to incorporate AD RMS.
What you're planning on doing is DRM: Which is, as all Slashdot readers know, impossible with a properly determined person. And in your case (industrial espionage), there are better people working on it than a few hackers that try cracking Blu-ray in their spare time.
You don't say what operating system you are running on the clients (I'm assuming windows of some variety), what network os you are using, or where the files are stored.
However, you want to turn on file access monitoring. It's pretty simple if you have one file server and all the files are there because you only have to turn it on once. Here's a good start:
http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch03n.mspx
If you are running linux, http://www.rootprompt.org/article.php3?article=10751 was the second article in a google search.
Depending on the number of users and files, your logs can fill up quite quickly. You may also want something like SNARE http://www.intersectalliance.com/projects/index.html to monitor workstations. They may be doing some server work this morning; I'm getting a time out on the web page.
The bigger question though is if your clients think you are cheating them, why will they believe your logs?
You may also want to get some books on windows and linux security monitoring.
I keep my sensitive documents in a locked cabinet. Never had an issue with a document opening itself in a foreign country.
Nobox: Only simple products.
The watermark doesn't even have to be high tech, it can just be a GUID inserted at some point in the document, with a company policy that says when you can remove it (never?), when you should change it (when it crosses a boundary, like a departmental boundary) and how records should be kept (e.g. a central database of which event caused the creation of a new GUID).
DRM is broken by design.
Document DRM is even simpler to circumvent. Tiny cellphone/digital cameras. Screenshot much? Notepads? A really good memory is anti-ddrm. The best you can do is log access, but once it is accessed, there is no control over specifications. YMWNV.
Often wrong but never in doubt.
I am Jack9.
Everyone knows me.
Don't know how many document formats support it, but perhaps you could have an embedded image or other embedded information pointing at a file on a web server. All accesses would then be recorded on the server log.
What you are trying to do is what DRM has been trying to do for a long time: prevent unauthorised people opening a document on untrusted hardware.
The reason all DRM ultimately fails is because the system opening the document is untrusted. You simply can't have easy access outside your company with the ability to do things like print and prevent unauthorised copying; the two are mutually exclusive.
There are systems which do what you are asking, but they all rely on only trying to open the document within your company where you can control the software environment. At best they would let you find out if a document was say printed, copied to a USB stick or sent by email etc, but after the document leaves your company there is basically nothing you can do.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
When you let the documents out of the house, there is no way to prevent people from using the information. If the information was only available on a web page with passwords and monitoring of users and IP addresses you will at least have some control of the information.
pgl
Sharepoint is your best bet here.
The only alternative I can think of is checking your docs into your source control.
Remembering that you are going to die is the best way I know to avoid the trap of thinking you have something to lose.
Protection of data is hard. There are many variables to consider.
The first step to understanding what data requires protection is to perform a risk assessment. This will help identify information which may result in financial loss or loss of corporate brand confidence in the event that the data is compromised.
It's important that this task has senior management sponsorship. Getting a sysadmin to "get on with it" is not good enough. It needs input from the business to understand the information that needs protection and also the funds to purchase the relevant software and hardware to provide the enforcement controls. Policies and procedures should be written to make it clear what should be done with the data, and also to illustrate to staff, guests and business partners what is acceptable.
Controls typically are installed on the desktop, servers and network in-line controls to capture information as it flows throughout the network.
In your direct question, there are a few options to protect the Word documents. But this is only a small set of the things you need to consider. Word does have some DRM controls and I'll leave it up to you to look into it. What is important to note is that Word format may not have all the necessary controls that you need, and you may need to compensate these with others.
If your company is serious about this, they really should get a security consultant involved to help you identify the risk areas, document the controls, and help with an architecture to protect the information across your enterprise environment.
A couple of security vendors do have some products on the market, but this area is still pretty young, but it is a growth area.
Google Data Loss Protection products from RSA and McAfee for a start.
You have completely missed the point of Ask Slashdot. It's just not about doing a 5 minute search and randomly choosing one. The reason people ask this group questions like this is because they want more detailed information from people who have hopefully had hands on experience doing these things. What worked? What didn't? Why did it, or did it not work? How was it implemented? You may not be able to find that kind of information easily even if you know what to search for. And once you have that information, there are other people to give their insights on that person's stories. It has the potential to be one big chain of helpfulness.
Sure, it's a cheap and lazy way of getting someone else to do some of your work for you, but it's not generally a bad thing. I know if I was completely clueless about some tech related problem, I'd probably ask here. Wouldn't you?
Basically, what you want is to keep track of information. The fact that it is in a digital document in Office or on a sheet of paper is irrelevant. Printed papers are both easier and harder to control. First, they are easier to track down and count. But in the end, if they are on the loose, the probability of finding the source of the leak is very, very thin (the only way is to use some sort of security paper). In a digital document, if the leak is the document itself, verbatim, then, if tight DRM controls are in place, you will find where the leak is very easily. But in the end, security doesn't survive a photographic camera or a copy/paste into Notepad... Transposing to analog and back to digital will remove almost all fingerprinting that you can add to any document. As for the accusation itself, the best way to work around it is to help out the client and ask them for help to find and squash both the leak and the issue. The great majority of these issues come from human factors (and in the case of digital documents, computer security/viruses). So... in the end, GL...
Assuming your documents are stored on a Windows server, one option is to enable NTFS auditing. This requires no changes on the client side.
That is the simple answer.
If you want to give something to someone, you can't control what they do with it. That is like saying "I want to give this hammer to a friend, but I want to prevent them from loaning it to someone else, or using it to smash computers with."
If you don't trust the person that you give something, then the chain of trust is broken. Everything we do is based on trust. I trust if I give you an emergency key to my house that you won't rob me. I trust that when I accept cash from you to pay for a service that it isn't counterfeit. I trust when you sign a contract with me, you will live up to your duties in the contract. I trust when you babysit my children you won't rape them. You pretty much asked for exactly what the whole point (and failure) of DRM is all about- trying to FORCE *everyone* to trust and comply with your wishes. You can't. Welcome to humanity.
No, you can't. If you want people to be able to read it, they can copy it. You can make it more cumbersome but nothing can prevent screenshots. You can waste a lot of time and money, but the best you will achieve is being able to say "we tried". Because you cannot succeed. You can't distribute a document and at the same time expect it to remain secret.
This is indeed the way forward.
But what you didn't explicitly mention, you seem to take it for granted, is that all systems at some point have to rely on trust.
So the issue at hand is best, if not only, tackled at the HR and/or PO department, more technology has little effect.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
At my workplace we handle standards and manufacturing procedures for a variety of companies worldwide. We don't lock our documents but we do use Adobe PDFs so we can track who accesses them. They state that it's basically not feasible to be able to prevent access to something unless you were to grant it remotely in the first place (similar to a view-only Google doc) instead of giving a document to your customer. Meanwhile, this could still be screencapped if someone wanted their own copy, so it's not even worth it.
As people have said, once a doc is out there, you can't stop access to someone determined even if you have server validation to open it. This is like the "how do you secure a PC from the feds" thing where the answer is if they have physical access/their own copy, you don't.
For this reason, the best steps we have for validation are everything we can do on our side to ensure that the documents are only given out to the appropriate individuals. Thus like anything, human error is the only way it would be released really.
Depending on your budget, there may be some value in looking into the "Interwoven" Document Management System (DMS).
It's primarily marketed to legal firms, however it's got great file tracking (i.e. who, where, when opened, printed, viewed, and for how long, etc.) and is quite well rounded to suit the needs of just about anyone.
Has no Linux support for the server or desktop clients though...
....move along....nothing to see here....
Have you looked into SharePoint? You can get external hosts for it and load your documents to it like you would an NFS; from there you can both monitor and manage access rights to all of your documents. You can allow customers temporary login rights that allow them to view specific documents, and can even restrict their use to "read only" - preventing saving a local copy...in theory. Of course, the aforementioned industrial espionage methods (memory sticks, cell phone cams, etc) circumvent these methods, but this will at least keep casual users from deliberately redistributing your works. A good legal consent banner on the site can help scare off users as well, as all IP addresses can be logged and you can pursue offenders like the RIAA if you want...
"how do we, or can we trace documents and find if they are being opened or used somewhere where they weren't intended?"
"if one of our documents were opened in a foreign country, that would arouse suspicions."
"Logging access" is exactly what he's trying to do. The idea here would be at least knowing, and if you've only given a document to one external entity, you know you have a leak somewhere within that entity or your own organization. Simple managed watermarking can help to discover which.
And DRM in general may be broken, but it's not that black and white: DRM does prevent some casual theft of content, because it's a hassle...that's all anyone with a brain -- and who has paid attention to anything in digital media for the last decade and still employs DRM -- expects anymore.
Those who wish to pirate content will ALWAYS be able to do so, regardless of any protections put in place. Perhaps someday those who favor DRM will realize that the losses from hassle to honest customers or prospective customers outweigh anything "gained" from having DRM in place.
But back to the issue at hand, which is a different one: an organization wants to track -- and potentially prevent, under some circumstances -- access to original documents representing proprietary data. A "DRM" model (like that employed by Microsoft Rights Management Server) can help to accomplish this. Of course, once someone discovers it's in place, then any number of untrackable circumvention options, such as those you mentioned, can easily be employed. So, the best option for this case is passive tracking/logging.
This ask slashdot seems a little suspicious to me, it does seem to exactly match the feature set of a suite of microsoft products.
Anyone worth their salt as a system administrator that works with Microsoft tools should know the features of Microsoft Office and the add-on server components to get the DRM system working in an enterprise.
It sounds surprisingly close to what you would find in a Microsoft pamphlet.
OK, you've gone for a tech solution to a problem before really asking what the problem here is. So what's the real problem? Legal liability, of course. Your customer X is accusing you of sharing data with their competition Y.
Create a job to track sensitive documents. If you only have a few, then it would be additional duties for someone. If you have a lot, it's a new position. This job is to track who has legitimate access to sensitive documents. When customer X starts throwing allegations you've shared data with customer Y, everyone that has legitimate access to the data is required to sign an affidavit that they did not share the data with people not authorized to have the info. Now customer X has to PROVE that one of your employees did indeed do so, and that their affidavit is a lie. MUCH harder to prove and a lot cheaper for your company to defend against.
Of course, that won't stop customer X from THINKING you did, and that may cost you that customer, but absent using a full up sensitive document control system like the government does, there's no real inexpensive solution I've found. I'd be interested to see if /. comes up with one though.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
RMS wouldn't be very cooperative. You'd have to try and convince him to drop his aversion of proprietary software.
First, though, if you don't have a document handling and marking policy for PAPER documents, you're unlikely to succeed implementing one for electronic documents. In other words, if you don't presently mark printed documents with restrictive handling requirements ('secret', 'confidential', 'proprietary', 'atty-client privileged'), it won't do you any good to try to control their electronic versions.
Second, Windows has never been designed to try to enforce more than discretionary controls. What does that mean? It means that EVERYONE who touches the machine or its data is presumed to be cleared to see whatever is on the machine. They may not have the need to know what's there (that's what DAC does), but they're cleared to see it - so they're TRUSTED to handle it correctly.
If that doesn't describe your environment, you should reconsider whether a single-level system, like Windows, is suitable for storing, printing and using your documents in your environment.
This http://www.documentum.com/ is how we have been doing it very successfully for a number of years. Very easy for us to implement and extremely easy for the end-user to use.
have a look at microsoft sharepoint, they have document checkout so you can see exactly who did what with the document http://www.microsoft.com/Sharepoint/default.mspx
MS claims to do something which seems to be essentially *exactly* what you want
There, fixed that for you...
You can put a lot of walls around the document, but that will badly hurt its usability. The end user would want to be able to print it? There you already have a leak that no software can control, especially if it is a PostScript/PDF printer.
You can agree there is no use in copy/pasting portions of your documents, no need to use them under any other platform than Windows, but printing?
The problem will end up being how many ways you penalize the rightful users of those documents to keep someone else from accessing them.
Another approach to the problem is to take the computer and any digital media for that document out of the middle. Maybe you can give your documents in a personalized Kindle-like device that can only be used to see the doc and nothing more, but that will only work by putting even artificial restrictions on the usability of them.
actually says I don't 'trust you when you shake my hand- but if we get a third party (or more involved) then I'll trust you'
every day http://en.wikipedia.org/wiki/Special:Random
In my company the incoming documents are converted into a wiki and access is given to people who need it. Once work is done on it it requires two different people (managers/experts) to review it and mark it as complete. Then it is converted back into a Word/Excel/PDF/Whatever document and sent to the client.
May I ask what software you are using for your 'wiki' ? We are looking for something with similar functionality (I can do without the document conversions) for our internal documentation, and the wiki software I've looked at so far hasn't been particularly good on the authorisation side. I had hoped to avoid going full-blown CMS/DMS, as we're only really after the "content approval" aspect.
I don't think you can find a good solution just by technical means alone. Having run into this problem as a company attorney, I can say that the best defense is to define and enforce a strong document management policy. Technical solutions without a defined policy will only make you a pariah. Also, you should check to see how the specs came to light in the document at issue. I recall one episode where one of our business development personnel sent a draft contract (in Word format) to a potential customer having used an earlier contract with another customer as a template. The BD person deleted the details from the earlier contract and inserted new (less favorable) terms. The other party turned on the redline mode to see the deletions and insertions and demanded the same terms as the earlier party. Everyone involved at our end was pretty embarrassed. The solution was to require that all drafts of all legal and business documents be sent in PDF or a "scrubbed" version of the Word document using a product from Workshare.
lol
DRM doesn't work. It's technically impossible.
Your best bet is to not give the document to untrusted parties.
- Jesse McNelis
...and that is all I have to say about that.
http://jessta.id.au
No, I wouldn't come here FIRST. I would have done a little research on my own before I came to a (suspect) public forum to ask my question.
A little bit of upfront leg work isn't unreasonable to ask.
---- Booth was a patriot ----
I agree with this post, or at least this aspect of it: there isn't really going to be a technical solution. You won't find a magic DRM that actually works, can't be broken, and tracks everywhere the file goes.
What you probably can do is develop a system that will restrict access to the files to only a few authorized people, and tracks who accesses it from that server when. So it would allow you to say, "Only people who are working on this account can access this document, and only [Person A], [Person B], and [Person C] have ever downloaded that document. The last person to download it was [Person B], who downloaded it on [some date]." What you won't be able to say is, "Once [Person B] downloaded it, the information in that document was transferred to [Person D]."
Part of the problem is, even if you're able to implement extremely good DRM, it still won't necessarily stop Person B from reading the document from his monitor, copying the information by hand to a piece of paper, and then sending that paper to someone else (i.e. the analog hole).
If these documents really must be secured, you're going to have to have policies and a culture that secure them. Technology can help, but it can't really fix the problem.
Anybody halfway competent can sanitize documents. The easiest way is to transcribe them.
All types of DRM and watermarking have been broken successfully, typically with far lower effort for the attacker than the defender spent in the first place.
You basically cannot defend yourself against this type of accusation and that is one of the reasons why the accuser has to prove them and not the accused to disprove them. I would advise you to terminate business relations with the people accusing you. ''Nonexistent trust'' is a good enough reason.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
EMC IRM (Formerly Authentica (yes, there is a typo in the summary))
Oracle IRM (Formerly SealedMedia)
Liquid Machines
Adobe LiveCycle Rights Management
Bottom line, if you EVER had access to read either an electronic or paper document, you can NEVER conclusively prove that you didn't somehow gain a copy and do Whatever(TM) with said copy. Unless there was a human watching you during every moment of the access, or maybe you were videotaped during every moment of access.
You can implement systems to track who had access to a document. The more comprehensive these systems, the less likely it is that you'll be suspected of mistreating the document or information within. Such tracking increases accountability, though it's next to impossible to 100% assure that every person who accessed the data never did any unapproved thing with it.
If you don't want to do the aforementioned rights management services, then you can set file-level permissions to limit the number of people with access. If that's not enough, you can implement filesystem auditing, to log each access to the file. That narrows the suspect list even further, from those who CAN access the file to those who DID access the file. Both of these depend on a tight system of account administration controls, and the latter also depends on a trusted secure storage repository for the logs. Naturally the integrity of any or all of these systems can also be questioned.
Suddenly one gains appreciation for a system of justice which places the burden of proof on the accuser, eh? The only way to evade suspicion is to make sure you never had access to the thing you might be suspected of behaving badly with.
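The post above notes that filesystem auditing narrows the suspect list only as far as the logs themselves can be trusted. One way to make an access log tamper-evident is to chain each entry to the previous one under a key held away from the file server. This is an added example, not code from the thread or from any of the products named in it; the entry fields, the key handling and the sample accesses are assumptions.

```python
"""Tamper-evident access log via an HMAC hash chain.

Added illustration (not from the thread). Every entry carries the HMAC of the
previous entry's hash plus its own record, so editing or deleting any entry
breaks verification from that point on. The HMAC key is assumed to live on a
separate logging host, not on the file server whose accesses are recorded.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

RECORD_FIELDS = ("user", "path", "action", "when")


class ChainedAuditLog:
    GENESIS = "0" * 64  # placeholder "previous hash" for the first entry

    def __init__(self, key: bytes):
        self.key = key
        self.entries: List[Dict] = []

    def _digest(self, prev_hash: str, record: Dict) -> str:
        # canonical JSON so the same record always hashes the same way
        payload = prev_hash + json.dumps(record, sort_keys=True)
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def append(self, user: str, path: str, action: str, when: str) -> Dict:
        record = {"user": user, "path": path, "action": action, "when": when}
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = dict(record, prev=prev_hash, hash=self._digest(prev_hash, record))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first entry that fails, or None if intact."""
        prev_hash = self.GENESIS
        for i, entry in enumerate(self.entries):
            record = {k: entry[k] for k in RECORD_FIELDS}
            if entry["prev"] != prev_hash or entry["hash"] != self._digest(prev_hash, record):
                return i
            prev_hash = entry["hash"]
        return None

    def who_accessed(self, path: str) -> List[str]:
        """Distinct users with a recorded access to `path` (the DID-access list)."""
        return sorted({e["user"] for e in self.entries if e["path"] == path})


if __name__ == "__main__":
    # constructed sample accesses (hypothetical users and path)
    log = ChainedAuditLog(key=b"constructed-demo-key-keep-off-the-file-server")
    log.append("alice", "/specs/customer-x.docx", "read", "2009-03-10T09:14:00Z")
    log.append("bob", "/specs/customer-x.docx", "read", "2009-03-10T11:02:00Z")
    log.append("alice", "/specs/customer-x.docx", "print", "2009-03-11T08:30:00Z")
    print("intact:", log.verify() is None, "readers:", log.who_accessed("/specs/customer-x.docx"))
    log.entries[1]["user"] = "carol"  # someone edits history
    print("first bad entry after tampering:", log.verify())
```

Appending is cheap, and a periodic check of the last hash against a copy kept elsewhere is enough to detect truncation of the whole tail, which a per-entry check alone cannot see.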
use samba. crank the loglevel high to see who accessed it, use ACLs on the server to discriminate access to specific users.
I believe Google Apps has done a fantastic job of this. Each document can have different people who are invited to both view and edit the document. As well, you can provide the visitor with rights to invite more people. Above all, it has the entire trail of changes by every user at every moment the change was made. You can track any change directly back to the person editing the file. Best of all, you can set up Google Apps to only authenticate on your domain and you can import any type of Office document into the system.
Hummingbird rocks, in my experience. It involves a fundamental shift in the way people create and access documents, since it doesn't work with network shares. It also means that you have to enter the meta-data associated with the files every time. However, it does have very strong permissions, access controls, and versioning support, and would likely solve your problem, since you can prevent those who don't need access to a document or project from access, or even viewing that the document exists. On the down side, it's fairly expensive. (In our organization, implementation was at least 5-figures, and probably 6) and it requires a lot of support and baby-sitting (1/2 to 1 FTE, with an organization of about 500).
OK...
I can do this. I am, after all,
a superhero!
There is no way to prevent someone from doing something like taking a photo of all the pages on a screen and sending them to someone.
However, a product like Sendside will let you track everyone who receives, opens, and forwards a message that you send.
If you are really paranoid you can use encryption on the document and make all recipients provide their own encryption keys.
OK, so it really isn't that dire, but you cannot control what software will be used to open a document, so you cannot possibly guarantee the ability to track such access. Of course you can devise a system that tracks most accesses, but your specific example - opening a document in Europe IIRC - would be most likely to be defeated by the wide popularity of diverse FOSS tools such as linux and the tools that run on it.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
...we document monitors!
http://www.object404.com
The only way you can do this is if you centralize access: place the document only on a central server and only allow access to it by viewing it on that server. Then that server can log every access and where it came from. That means, BTW, that you can't make the document accessible via a Web server, since the user could just do "Save As..." and make a local copy. Ditto making it available from a file share. You'd need to set up remote access to the server (X11 and an SSH tunnel, for instance, or Windows Remote Desktop), lock down any sort of remote transfer (disallow SCP, disallow the remoted desktop from sending files to its local desktop) and provide a viewing application that logged accesses.
The fundamental problem is that once you give a copy of a document to someone, you've got little control over what they do with it. It's the same problem we've always had with documents: if you give someone a physical document, you've precious little control over whether they slap it in a photocopier and run off a few copies of it to give to people they shouldn't. Approach the problem in the same way you'd approach the same problem with a physical document.
If you want to do that, never send electronic copies.
Send only hard copies, printed on paper with a security watermark, and with a tamper-evident seal.
Actually, don't send them. Allow access to them only at your secure facility. By people who have undergone thorough background checks. And who are strip-searched before entering the viewing facility, to prevent smuggling hidden cameras in.
Or, you could just deal with the fact that information is going to get out.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
During the last month, one of our customers accused us of providing another customer with their specification.
Forget about fancy industrial espionage scenarios with evil Chinese crackers. If this really happened and isn't just paranoia on the part of your customer, chances are it was someone in your company who had authorized access to the specs and, probably out of stupidity or by accident, forwarded the confidential information to someone they shouldn't have.
Sadly your most effective approach is to comb through e-mail logs of people with access to this document, and see what attachments they've been forwarding recently.
As others have already explained, there's no way to prevent this kind of thing from happening again, either. Just educate your people to keep confidential documents secure and get rid of people who disregard this rule.
That. Computer science is the science of managing the processing and transmission of information. It does not provide technical solutions to the opposite problem. Secrets, however, have been managed for centuries by military organizations. They know a great deal more about protecting secrets than Microsoft does. Maybe you would better spend your time and money learning about it.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
You simply cannot control the distribution of a document once it is out of your hands.
However, you CAN trace information. Agree with your customer to include information that is deliberately inaccurate in your spec: certain figures are off by a predetermined fraction, for example.
That way, if the information IS leaked and appears in the hands of parties unaware of the misinformation, you can at least tell its origin.
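The two tracing ideas in this thread, the GUID-per-copy registry proposed earlier and the predetermined inaccurate figure in the post just above, both come down to the same thing: each copy carries a mark that a central record maps back to a recipient. The following is an added example that is not from the thread; the registry layout, the spec figure, the offset scheme and the recipient names are all assumptions.

```python
"""Per-recipient document fingerprinting registry.

Added illustration, not from the thread. Each issued copy gets (a) a fresh
GUID and (b) one agreed figure perturbed by a predetermined fraction that is
unique to that copy. The registry records which event produced which copy, so
a leaked GUID, or a leaked figure that was retyped by hand, resolves to the
recipient it was issued to. The numeric mark survives transcription; the GUID
survives verbatim copying.
"""
import uuid
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Issuance:
    guid: str
    recipient: str
    event: str               # why this copy exists, e.g. "spec v3 sent to customer X"
    offset_fraction: float   # agreed perturbation applied to the marked figure
    marked_value: float      # the figure as it appears in this recipient's copy


class FingerprintRegistry:
    def __init__(self, true_value: float, base_fraction: float = 0.001):
        # true_value: the real figure; base_fraction: spacing between copies' offsets
        self.true_value = true_value
        self.base_fraction = base_fraction
        self.issued: List[Issuance] = []

    def issue(self, recipient: str, event: str) -> Issuance:
        # the n-th copy is offset by n * base_fraction, so every copy is distinct
        n = len(self.issued) + 1
        offset = n * self.base_fraction
        marked = round(self.true_value * (1 + offset), 6)
        rec = Issuance(str(uuid.uuid4()), recipient, event, offset, marked)
        self.issued.append(rec)
        return rec

    def render(self, rec: Issuance, template: str) -> str:
        # template carries {guid} and {value} placeholders for the document body
        return template.format(guid=rec.guid, value=rec.marked_value)

    def trace_guid(self, guid: str) -> Optional[str]:
        for rec in self.issued:
            if rec.guid == guid:
                return rec.recipient
        return None

    def trace_value(self, leaked_value: float, tolerance: float = 1e-6) -> Optional[str]:
        # adjacent copies differ by base_fraction * true_value, far wider than
        # the tolerance, so a faithfully copied figure matches exactly one copy
        for rec in self.issued:
            if abs(rec.marked_value - leaked_value) <= tolerance:
                return rec.recipient
        return None


if __name__ == "__main__":
    reg = FingerprintRegistry(true_value=1250.0)
    x = reg.issue("customer X", "spec v3 sent to customer X")
    omaha = reg.issue("Omaha office", "internal working copy for Omaha")
    body = reg.render(omaha, "Doc-ID {guid}\nMax operating pressure: {value} kPa\n")
    print(body)
    print("leaked figure 1252.5 traces to:", reg.trace_value(1252.5))
    print("leaked GUID traces to:", reg.trace_guid(x.guid))
```

The true value itself never appears in any issued copy, so a leaked document that quotes the real figure is one that did not come through the registry at all, which is itself useful to know.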
DRM is snake oil
DRM is snake oil in the way it's used to protect media from copy.
Because at the same time DRM is supposed to enable one to show the content (and thus give the key to the individual holding a copy) and exactly at the same time it's supposed to stop unlicensed copies (thus preventing the exact same person using the exact same keys to copy the exact same media in a different way).
It's snake oil, because in the classical cryptographic triangle - A(lice) sending an encrypted message to B(ob) without C(harles) snooping it - DRM makes B and C the exact same person.
Hence the contradiction, and hence DRM is doomed to eternally fail to protect media, no matter how contrived means are applied to it.
Here the reader asks a completely different question:
he wants A to be in the headquarters, B to be an employee in Omaha, and C is some person doing industrial spying in Russia or China.
Some people are supposed to have the cryptographic keys to the documents, other people aren't supposed to have the keys.
In that circumstance, cryptography might help...
(Well, that's assuming that the thief is an external person. Of course if that was an inside job, we're back at the situation that movies are in. But then the company has a much bigger problem of trust toward its employees to tackle first).
MS claims to do something which seems to be essentially *exactly* what you want
Well, the real problem is at the beginning of the sentence:
MS do something which seems to be essentially *exactly* what you want
Given their long history in terms of computer security, you can count on MS to completely botch their solution...
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I recently attended a presentation of new startups at my University, and I think that the products of FortressWare are exactly what you are looking for: http://www.fortressw.com/showdemo2008.htm I haven't tried them, but from their presentation it seems they provide what you need.
Digital files cannot be made uncopyable any more than water can be made not wet. -- Bruce Schneier
Colorless green Cthulhu waits dreaming furiously.
Quick! Call up the NSA. This guy's onto something.
Shai Schticks:"You don't make peace with friends, you make peace with enemies"
The original question notes, among other things, that opening the file while out of the country would raise suspicion. How would anything determine the difference between an out of country user using VPN access to control a computer in country and an actual in country user? Wouldn't seemingly legitimate users likely be using VPN to access the document when not on site, and thus impossible to track directly through the document?
How about having such documents sent to one person, or a small team, who encrypt them and generate the keys. The document is then provided by *that* team's site, and all access to the files is recorded, *and* a request to that team must be made for the appropriate key, and who each key was provided to, of course, would be logged.
Would that cover it?
I would use GPG, since other encryption software might be illegal to allow someone traveling out of the country to carry.
mark
And use the web server to monitor accesses to your heart's content. This will show you if someone opens the docs from a foreign country or any other location. :)
Of course it doesn't protect the documents in any complete way - just like with any other DRM, a smart user could circumvent this by using a proxy or making an offline copy of the doc.
But then if you don't trust your employees, nothing will work anyway
Did you know that "FTW" ("for the win") is a direct translation of "Sieg Heil"?
Keep the documents on your web-site (in HTML or PDF, if you must). Protect access to the site with customer-specific usernames/passwords. Instead of mailing out entire documents (in a proprietary format), mail out links to them instead — and save us all some bandwidth.
Yes, a user with elementary knowledge of computers will be able to download your doc (especially easy with PDF) and then e-mail. But all the other little schemes are defeated with the same amount of elementary knowledge.
You can also put some limitations into your PDF-files (such as no printing), but, as I say, these are all defeated fairly easily.
In Soviet Washington the swamp drains you.
I don't know if I'd find the information here "suspect". There's a lot of knowledgeable people here. For a first choice? Maybe not the best choice, but if you're really stumped and have no place else to turn, I wouldn't say Slashdot is a terrible place to ask a question and get some help.
Some people just get into "writer's block mode", for a lack of a better term, when you have a pressing issue to deal with. I know it happens to me from time to time with my job. I just simply ask people who are more knowledgeable than I am, that I don't have to work with (to eliminate any potential bias) to see if I can hear of any sort of solution. You may not always hear the "correct" ones, but it can help in getting those neurons fired up.
Since you are using MS Office documents, best place to start is Microsoft as you aren't the first person to have a request like this... Search their site.
Other things I know to look at other than what has been suggested are:
-Office Live (Cloud Stuff, but does tracking)
-Sharepoint (You can internally host it on an Intranet and make it available via Internet and it also provides checking in and out of documents and tracking and can be extended to do extra things you might need, but it is a quick out of the box solution that is free if you have a Windows Server.)
-Do your own ASP.NET/PHP based web site to host the documents and do your own tracking, not as simple as the Sharepoint solution, but can be as effective and as easy.
For the last two if accessibility to the documents is an issue, you can use WebDAV or other mediums that give you OS level folder integration, so the users don't even have to access or see the documents via a browser.
One important factor in making security decisions is the tradeoff between preventing access by unauthorized people versus annoying authorized people. You can implement five-stage biometric security to open a lab door, but that increases the chances that lab workers will prop the door open when they go to the bathroom.
The main convenience issue that occurs to me in your situation is what happens when someone opens the document without a network connection? If somebody backhoes the Internet connection to your Omaha office and your access control system can't connect to a server in New York, is the Omaha employee allowed to read the document? If not, how would you prevent someone annoyed by that fact from using Copy and Paste (when he's got a network connection) to create an OpenOffice version of the document?
Are employees allowed to print the document? If so, how do you plan to prevent them from handing it to an unauthorized party in a manila envelope? If not, how do you deal with annoyed users who like to print specifications so they can use a highlighter and write notes in the margins?
Ceci n'est pas une signature.
Use secure PDFs. Intel does (.pvd). When you open the doc you have to enter a password to view it. Can't edit, copy, etc. from it. Yes, someone may crack it, but all you have to do is be diligent in securing it, and you are OK. If some unscrupulous person cracks it, you are not responsible. You did your best. So the person has to install the secure software to view the secure PDF. Then you have the person download their secure PDF from your doc server. You know who got it, and that it is locked. You are set.
wake up and hold your nose
I have had good luck with the MS IRM stuff. If that won't work you might consider hosting everything centrally and require your users to view them over Citrix or some other thin client technology.
The talk of DRM is kind of ridiculous. DRM is for preventing unauthorized people from gaining access to files. DRM does nothing for preventing people you supposedly trust from accessing files and sharing the information therein. You either trust the people who access your data or you don't.
You do need a tracking system of some sort, as your brainstorming illustrated. What you need will need to be on the server-side of things - any client based tracking (where the records are stored for any length of time) will not be able to be trusted. If you're using Samba based file sharing, tracking which files are opened by whom is trivial through the log files.
Once you know who's opened/copied a file, then you know who has access to them and will be able to track down the guilty party, if indeed there is one. If your access mechanisms are not granular enough to track this much, that is where you need to start.
NFI how you'd go about it in Windows.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Nonsense. WE HAVE A SOLUTION TO YOUR PROBLEM. Please email all your documents to wikileaks.org and we will guarantee their safety!!!
Let's say that up until now you haven't had the ability to monitor documents to the extent specified. You can't prove whether or not the leak occurred from within your domain. Neither can they: they don't have the ability either, or you'd know. So, neither can they disprove your (forthcoming) assertion that the leak came from within their domain, and you can't support it. But as we commonly see happen, accusations carry more weight than mere questions, rightly or wrongly. Accusing them will wake them up and put you on even footing. From then on you can develop a mutually acceptable and workable security system.
It'll have to be rigorous, as in enlisting the OS to assist. Otherwise one could simply copy the file and open it outside a secured domain. And that too will take oversight, by one such as a security admin who'll be able to track the file's circulation including any instances of it being copied. Note that opening for editing constitutes an explicit copy until (at least) the changes are saved, which would show up, and copying the data from memory to a swap file would constitute an implicit copy that wouldn't normally get reported. It could, however, be used to grab a copy (of a copy) of the file just as we used to use a browser's cache for grabbing copies of streamed media that weren't otherwise easily snagged.
Of course you could use the information above to show they can't support their assertion and so you could sue them for defamation. Better, you could give them the choice of that or joining you in investigating the security problems and solutions, and possibly investigating the competitor for espionage. Once again, accusations can carry a lot of weight. But then the competitor might be willing to join the investigation in order to be able to track their own as well as (as could everyone) prove that any infringements didn't come from their domain. The best security comes when all are watchers and all watch each other in the open.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
This is even worse than the purpose of typical DRM. DRM is supposed to prevent people who can read the data from copying it somewhere else.
This "problem" is how to prevent people WHO CAN WRITE AND COPY DATA from copying it in some specific way (into documents that are sent to other customers).
The amount of draconian control over simple operations such as cut/paste, email and conversion of formats will make any useful work absolutely impossible long before the system will become sufficiently restrictive to fulfill its purpose.
It also sounds like you have a highly toxic work environment already, so maybe you will be better off finding another company to work for. Unless, of course, you are yet another Microsoft astroturfer trying to promote Sharepoint and other related crap.
Contrary to the popular belief, there indeed is no God.
I was trying to solve a somewhat similar problem and while I'm not sure if there is going to be an easy drop in solution I think you can assemble what you need using a combination of a Samba file server to store the documents and either a custom monitoring daemon on the file server that uses the inotify API or setup the auditd rules and put together some scripts to transform the audit log files into a report you can use.
For what I needed I ended up writing a simple bash script that runs continuously in the background and uses inotifywait to monitor a directory. It sounds like you need something more granular so I suspect the auditd solution would be more of what you need.
The weak point of the system, and for any document sharing system, is what happens after a user copies a document to their local machine. As others have stated solutions like DRM are bogus, the only way to absolutely control information is to not allow access in the first place.
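The auditd route described above, as an added example that is not the poster's script: a watch rule such as `auditctl -w /srv/specs -p r -k specs` makes the kernel log every read-open under that tree, and this Python reads the resulting audit.log records (constructed sample lines below; user ids, paths and timestamps are made up) into a per-document "who opened what" report, keyed on the login uid (`auid`) so that a user who switched accounts with su/sudo is still attributed to their original login.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of /var/log/audit/audit.log records as auditd writes them
# for a rule like:  auditctl -w /srv/specs -p r -k specs
# Records of one event share the same serial in msg=audit(<time>:<serial>).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1234567890.101:2001): arch=c000003e syscall=257 success=yes exit=12 items=2 ppid=900 pid=4242 auid=1001 uid=1001 euid=1001 tty=(none) ses=7 comm="smbd" exe="/usr/sbin/smbd" key="specs"
type=CWD msg=audit(1234567890.101:2001):  cwd="/"
type=PATH msg=audit(1234567890.101:2001): item=0 name="/srv/specs/customer-a/" inode=5001 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1234567890.101:2001): item=1 name="/srv/specs/customer-a/spec.docx" inode=5002 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1234567890.205:2002): arch=c000003e syscall=257 success=yes exit=14 items=2 ppid=900 pid=4243 auid=1002 uid=1002 euid=1002 tty=(none) ses=8 comm="smbd" exe="/usr/sbin/smbd" key="specs"
type=PATH msg=audit(1234567890.205:2002): item=0 name="/srv/specs/customer-a/" inode=5001 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1234567890.205:2002): item=1 name="/srv/specs/customer-a/spec.docx" inode=5002 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1234567891.300:2003): arch=c000003e syscall=257 success=yes exit=12 items=2 ppid=900 pid=4242 auid=1001 uid=1001 euid=1001 tty=(none) ses=7 comm="smbd" exe="/usr/sbin/smbd" key="specs"
type=PATH msg=audit(1234567891.300:2003): item=0 name="/srv/specs/customer-b/" inode=5003 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1234567891.300:2003): item=1 name="/srv/specs/customer-b/spec.docx" inode=5004 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1234567892.000:2004): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=900 pid=4250 auid=1003 uid=1003 euid=1003 tty=(none) ses=9 comm="smbd" exe="/usr/sbin/smbd" key="specs"
type=PATH msg=audit(1234567892.000:2004): item=0 name="/srv/specs/customer-a/spec.docx" inode=5002 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1234567893.000:2005): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=77 auid=1001 uid=1001 euid=1001 tty=pts0 ses=7 comm="cat" exe="/usr/bin/cat" key="other"
type=PATH msg=audit(1234567893.000:2005): item=0 name="/etc/motd" inode=9 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(body):
    """Split 'k=v k="quoted v"' pairs, stripping the quotes auditd adds."""
    fields = {}
    for key, value in KV_RE.findall(body):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def group_events(log_text):
    """Join the SYSCALL and PATH records of each event on its serial number."""
    events = defaultdict(lambda: {"ts": None, "syscall": None, "paths": []})
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record line
        ev = events[m["serial"]]
        ev["ts"] = float(m["ts"])
        fields = parse_fields(m["body"])
        if m["type"] == "SYSCALL":
            ev["syscall"] = fields
        elif m["type"] == "PATH" and fields.get("nametype") != "PARENT":
            # PARENT items name the directory; the file is the NORMAL item
            ev["paths"].append(fields.get("name"))
    return events


def document_accesses(log_text, key="specs", uid_names=None):
    """One row per open() that hit the watch rule <key>, oldest first."""
    uid_names = uid_names or {}
    rows = []
    ordered = sorted(group_events(log_text).items(),
                     key=lambda kv: (kv[1]["ts"], int(kv[0])))
    for serial, ev in ordered:
        sc = ev["syscall"]
        if sc is None or sc.get("key") != key:
            continue
        auid = sc.get("auid")  # login uid: survives su/sudo, unlike uid
        rows.append({
            "time": datetime.fromtimestamp(ev["ts"], tz=timezone.utc).isoformat(timespec="seconds"),
            "user": uid_names.get(auid, "auid=%s" % auid),
            "success": sc.get("success") == "yes",
            "process": sc.get("comm"),
            "files": ev["paths"],
        })
    return rows


def report(rows):
    """Per file: who opened it, and who tried and was refused (exit=-13 is EACCES)."""
    opened, denied = defaultdict(set), defaultdict(set)
    for r in rows:
        for f in r["files"]:
            (opened if r["success"] else denied)[f].add(r["user"])
    return {f: {"opened_by": sorted(opened[f]), "denied": sorted(denied[f])}
            for f in sorted(set(opened) | set(denied))}


if __name__ == "__main__":
    names = {"1001": "alice", "1002": "bob", "1003": "mallory"}  # constructed
    for path, who in report(document_accesses(SAMPLE_AUDIT_LOG, uid_names=names)).items():
        print(path, "opened by", who["opened_by"], "denied", who["denied"])
```

As the post says, this only shows the first hop: it records who opened a document on the server, not what they did with the copy afterwards.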
As a retired Navy officer, I have a little familiarity with the subject of "security". Does the name "Walker family" ring any bells? The Walkers were three security-cleared, top-secret-crypto-certified Soviet spies. For YEARS, they gave communications crypto codes to the Soviets, which allowed the Russians to read U.S. ciphers. Against dedicated spying like this, there is NO WAY to GUARANTEE the security of your documents. Microfilm cameras have evolved into cell phone cameras, and high resolution digital copiers have made things harder to control, but if a trusted-but-untrustworthy person has access to a document, he has an excellent chance of being able to transmit the secret information to another party. At best, you can hope to detect when he has done so. Because no matter what the vetting process, spies DO get through.
Some apps (BlueCoat, for example) can disable screen captures (I think what it really does is control the clipboard API access) either globally or based on the source application name, but as you say, this doesn't help in the case of screen capture using an external digicam. So unless you have screen cap disabling software AND confiscate everyone's cellphones on entry into secured areas, you still have a fair risk that a determined spy can grab the data.
We are the 198 proof..
Have you looked into Adobe Acrobat server? It uses server side authentication to allow management of documents in real-time so you can add, change or remove rights to documents. It also allows for live update of content within documents to provide up-to-date stats and data. We have been evaluating it for our company. It isn't cheap but will probably be less than the legal cost of defending a lawsuit.
Tell your tech writers not to copy and paste specs or other internal documents.
Or if they do, have them save the copies without metadata. I'm not a betting man, but the odds are, your company didn't share your customer's secrets with its competition. The potential liability is too big and too obvious. Instead, I'd wager someone tried to save time by cutting and pasting one document into another as a template. The tech writer then modified the template to address the new client's needs and emailed it off. The new client then opened up track changes and read the specification information from the original document.
This wouldn't be the first time that "secure" information leaked out because someone failed to scrub a document's metadata or failed at redaction.
--AC
I agree that there may be a lot of knowledge here but there is far more blind bias around these parts that make all advice suspect and subject to rational review.
---- Booth was a patriot ----
The simple solution is to use google docs and tie your documents to google analytics.
Issues like version history to track changes .. and auditing capability already built into file servers should make this easy to deal with.
In my company we use Livelink externally and SharePoint internally .. seems to work for us.
Of course it cannot track what a person who has access to the document will do with it, i.e. print it or share it with someone else.
You have got to involve someone with an active firehose.
That is competence no matter how you slice it.
Letting an AT&T tech find out about the NSA closet on the other hand was not competent.
I'm sure they are being more discreet these days.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Code Green Networks provides scanners that detect and block certain documents from going across your network. Of course, they won't stop an intelligent and determined corporate spy, but that's a much harder problem.
I hereby place the above post in the public domain.
We are local government and we have migrated to EDMS for just such a thing. We are using TechnologyOne's Dataworks http://www.technologyone.com.au/index.php?id=270 But HP's Trim is worth a look as well http://h18006.www1.hp.com/products/software/im/governance_ediscovery/trim/index.html Depending on the size of your company. I would be *tin foil hat* about using Google analytics for such a thing...
Not to mention that, in general, Ask Slashdot stories are about questions that would be useful to a wider group of people, not just the person who submitted the question. Perhaps someone else was needing an answer to this problem, or someone else has a similar problem but wasn't sure how to go about it and will get help from this. This one might be a bit more limited than most, but can still be useful by many.
And it's a great resource for the future, a good Google result.
As an alternative, you'd have to publish docs in an ebook-type format that includes a contact back to a server to log who opened a document and where. Standard OOTB functionality of Office or even PDF is too easily defeated.
I'm only familiar enough with netapp out of the nas/san vendors to feel like I can speak authoritatively, but netapp has a feature to audit cifs (windows file sharing) access/modification. Throw "cifs file auditing" into google and you'll get some results. This will only really give you auditing at the first level of access, if someone accesses it legitimately and then passes it on you're out of luck, but you'll have a list of who accessed the initial file at least, which may be enough.
Anyway, YMMV, but if you've already got netapp or some other storage vendor, it might be worth looking into.
RandomAndInteresting.com - defending the world from stupidity since 1979
Same way as the Feds do it. Physical security. Faraday cage rooms. Locked buildings. Fences. Armed guards. X-Ray machines and strip searches. Camera phones laptops, and electronics confiscated at the door. Then observe and log everyone in the same room as the document in question. Etc.
There's no other way.
Anyone that tells you that they can solve this problem is lying or ignorant. A specification is just words, and maybe a few diagrams. It is being suggested that someone who had legitimate authority to view that info, gave it to someone else. Since the legitimate viewer could just retype the spec, there is no technological solution. The only hope you would have is to pull a phone book maneuver, and intentionally insert a few errors. This will still only give you circumstantial evidence. You could spend billions trying to make your documents secure, and it will still never happen. This is strictly a social problem with no technical solution.
Heck, this problem existed before computers were even used in business. Documents were copied, sales people would leave with lists of customers, you name it. Thinking that you can solve the problem with a computer program is just fantasy.
There is no denying that this is an important problem. If you can't assure your customers of your security, they will simply refuse to do business with you. That means in short order going out of business. So security is important, but so is accountability.
OK, you cannot make absolutely sure that every person that encounters a document will not give it to someone else they should not. However, you can make sure that each such legitimate access is tracked and that people with access are accountable. You can then make it clear to everyone that violating company security is grounds for immediate termination.
Simple solution is a secured web site where people have to log in to access documents. This can be tracked in logs. So you now have absolute knowledge of each and every person that accesses a document. Simply by convention you can enforce the policy that there is no distribution other than the web page. Someone violates this policy and they are canned.
Security involving humans has to involve accountability. There is no other way.
DRM is snake oil in the way it's used to protect media from copy.
I think the point is to make it more difficult, not impossible.
About the difficulty itself: I think that companies are currently over-estimating the role played by person-to-person copies (which used to be the main means of dissemination back when the only reliable network was the sneakernet).
Currently the simplest way to get an unlicensed copy of anything is to:
At no point is the random user even inconvenienced by the DRM system. The copy is just a couple of mouse-clicks away. It's hard to be even simpler than that.
That's why I personally think that DRM is doomed for the role most companies are trying to use it for:
it's completely inefficient at slowing down the propagation of copies in any way.
All it takes is *one* single time the DRM to be defeated by a motivated group (and as I said previously, the cryptographic model of DRM is broken so this group will always succeed) and it's suddenly available to anyone on the planet.
DRM proponents usually respond to the "DRM is a broken system" argument by showing that a high number of modern keys aren't 100% perfect either and could be broken too, but are enough.
A locked house could be broken into by a motivated enough thief equipped with the correct tools; nevertheless a standard lock is enough to put off most casual vandals and therefore is good enough. Similarly DRM - even if broken - is well enough to slow down dissemination of material.
But the analogy isn't valid: one motivated and decently equipped thief can break 1 lock at a time and steal the contents of one house. The net result after breaking this lock is 1 single robbed house.
Whereas with DRM, thanks to internet-based distribution schemes, it would be as if by breaking 1 single lock, the motivated thief suddenly made all houses of the same kind everywhere on the planet simultaneously available to all the world's burglars at the very same second. The net result would be all similar houses magically robbed by everyone at the same time.
I consider most DRM schemes the same as all the FBI warnings at the beginning of movies:
- completely useless because the target audience never gets to see them.
- their only effect is to annoy legitimate users who did buy an original copy.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Furthermore, I'd argue that what makes locks effective is not the difficulty in opening them per se; most locks are actually not difficult to open. Heck in many cases all you need to do is break a window which could hardly be called difficult.
Also after breaking a window, one burglar finally has enough access only for himself, and he - alone - will be able to rob the house.
After breaking the DRM and managing to make 1 single unlicensed copy, thanks to the power of the internet suddenly everyone else in the world is instantly able to have access to this broken copy.
It is as if the same window broke on all houses of the same street and all the world's burglars were auto-magically teleported inside these houses to rob them at the same time.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I guess they consider it a different room to talk in, so to speak. Talking at the firehose is like talking at the front curb near the fire hydrant. Talking here is putting it on the big screen in the convention center.
Or something like that.
But, as far as I know, that's the way it works.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
You can enable auditing on the file server (go to the security tab of a parent folder and then click Advanced | Auditing). With this approach, you can audit all aspects of the files in the folder (if people are opening, deleting, changing, etc a file). Or, you can enable Group Policy and enforce the users to accept the macro settings you specify. With this approach, you can use the macro approach you outlined.
yup, the usability suffers.. the flip side of audited work.
Storm
Adobe have options built into PDFs to do exactly this. My sister gets files like this and has to log into a website before the PDF will open (it's encrypted) and it disables printing, copying, editing, etc.
Reminds me of a similar event. Someone had "leaked" information out of a company. Turned out that someone had "cut" the sensitive information out of the .doc format before releasing the document to the internet, rather than rewriting it. Now because of the autosave function, that info was still there. Someone simply opened the document up in a text editor, and bam! Sensitive info!
Could it be possible something similar happened here? Do your workers have autosave on? And do they re-use forms? Could they have cut out the company's sensitive info, only to have it reappear in a text editor?
Open Source: Eroding the Digital Divide
You need to be able to set an expiration policy on your documents.
I don't know what available system will do this for you but here's the idea (and it's probably not new).
Typical users of your document get to use it for a prescribed period of time, then it locks them out and corrupts itself (which is better than encryption as it can't be 'solved'). You can then additionally use available DRM to disable printing, copying, etc.
What you don't tell people is how long they have to use the document. It could be a day, 2 days or a week. When the document expires it provides a notice of where they can get a new copy to work with (Sharepoint or other login only network share).
So while this won't ultimately prevent screencaps, photos or similar 'analog' conversions - it does limit the window of opportunity and provides continuous tracking of who is accessing documents from where.
Another tracking option would be to enable a remote backup/sync system for all employees who work out of the office. Here you will get access times, modification dates, evidence of copying (files have to be created for even a 'digital-analog' copy to occur (screencaps, copy/paste, hand-typing) so you will have mitigated that vector... given that you employ a journaling system of some sort so people don't just take screencaps then upload them to a server or off to a USB, then delete them.
In any case you get a snapshot of employee filesystems to use for an investigation - a pattern of behavior will often point to a guilty party, at which point if they have committed a real crime, you can get the feds involved for some surveillance of your own.
A fool throws a stone into a well and a thousand sages can not remove it.
The OP asked how to monitor. Most of the above is on prevention.
Encryption is part of it.
Part too can be some form of chain of custody.
Each document has some form of who did what. Version control with change logs.
This way you know who had the document.
But consider that Office apps have a bunch of hidden data in them. So mark each document with multiple flags so that each copy checked out is different. This can be done either in the hidden part of the document, or by setting subtle style flags (the right margin on page 3 is 1.495" instead of 1.500"; the font for Heading 2 is 15.95 points, not 16). You have to have enough flags so that a bunch can be changed and there are still enough to uniquely identify the version.
This way at least, if your customer can get the 'revealed' document, you have a chance of finding out what part of your organization is insecure.
Another possibility is to only allow editing of documents via a virtual machine located in the server room. There is no copy on the local machine. Connections to the virtual box are through the company VPN. If the document is printed locally it is imprinted with the version, who it was printed for, and where it was printed.
Third Career: Tree Farmer Second Career: Computer Geek First Career: Teacher, Outdoor Instructor, Photographer.
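The per-copy flag scheme in the post above, and the earlier suggestion of agreeing deliberately inaccurate figures with the customer, as one added example that is not the posters' code: each checked-out copy carries a recipient id spread redundantly over twelve subtle document properties (the slot names and values below are constructed; a couple of them are "figure off by a predetermined fraction" canaries), so that a leaked copy in which some flags were reset by reformatting, or are no longer readable, can still be attributed, and a copy that has lost too much is reported as unattributable rather than pinned on the wrong person.

```python
# Constructed flag slots: (name, normal value, perturbed value). Normal = bit 0,
# perturbed = bit 1. Names and numbers are illustrative only; the last two
# kinds are deliberately-inaccurate figures agreed with the customer.
FLAG_SLOTS = [
    ("right_margin_p3_in",     1.500, 1.495),
    ("heading2_font_pt",       16.00, 15.95),
    ("body_line_spacing",      1.150, 1.152),
    ("table3_tolerance_mm",    0.500, 0.495),   # figure canary
    ("fig2_caption_indent_in", 0.250, 0.255),
    ("footer_rule_weight_pt",  0.750, 0.740),
    ("section4_kerning_pt",    0.000, 0.010),
    ("appendix_margin_in",     1.000, 0.990),
    ("nominal_load_kg",        120.0, 119.4),   # figure canary
    ("list_indent_p7_in",      0.500, 0.505),
    ("callout_box_width_in",   3.000, 2.995),
    ("cover_logo_scale",       1.000, 1.005),
]
ID_BITS = 4                            # recipient ids 1..15 (0 = unmarked copy)
REPEAT = len(FLAG_SLOTS) // ID_BITS    # each id bit is written into 3 slots
MAX_ERRORS = (REPEAT - 1) // 2         # a 3x repetition code corrects 1 flipped slot


def codeword(recipient_id):
    """Bit i of the id is stored in slots i, i+ID_BITS, i+2*ID_BITS, ..."""
    bits = [(recipient_id >> i) & 1 for i in range(ID_BITS)]
    return [bits[slot % ID_BITS] for slot in range(len(FLAG_SLOTS))]


def mark_copy(recipient_id):
    """Document properties for the copy checked out to this recipient."""
    if not 1 <= recipient_id < (1 << ID_BITS):
        raise ValueError("recipient id out of range")
    return {name: (v1 if bit else v0)
            for (name, v0, v1), bit in zip(FLAG_SLOTS, codeword(recipient_id))}


def observe(doc_props, tol=1e-6):
    """Read the flags back from a (possibly altered) copy.
    None means the slot is gone or holds neither known value (e.g. style reset)."""
    obs = []
    for name, v0, v1 in FLAG_SLOTS:
        v = doc_props.get(name)
        if v is None:
            obs.append(None)
        elif abs(v - v0) <= tol:
            obs.append(0)
        elif abs(v - v1) <= tol:
            obs.append(1)
        else:
            obs.append(None)
    return obs


def identify(doc_props, registered_ids):
    """Attribute a leaked copy to the nearest registered codeword (Hamming
    distance over readable slots). Returns (id, distance), or (None, None)
    when the match is ambiguous, too damaged, or too few slots survive."""
    obs = observe(doc_props)
    readable = sum(o is not None for o in obs)
    if readable < 2 * ID_BITS:
        return None, None              # not enough redundancy left to trust a match
    scores = sorted(
        (sum(1 for o, c in zip(obs, codeword(rid)) if o is not None and o != c), rid)
        for rid in registered_ids)
    if not scores:
        return None, None
    best_d, best_id = scores[0]
    if best_d > MAX_ERRORS:
        return None, None              # beyond what the code can correct: do not guess
    if len(scores) > 1 and scores[1][0] == best_d:
        return None, None              # two recipients equally close: ambiguous
    return best_id, best_d


if __name__ == "__main__":
    issued = {5: "omaha-office", 9: "customer-a", 14: "contractor"}  # constructed
    leaked = dict(mark_copy(5))
    leaked["right_margin_p3_in"] = 1.500      # one flag reset by reformatting
    del leaked["table3_tolerance_mm"]         # one canary figure no longer present
    print(identify(leaked, issued))           # -> (5, 1)
```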
Like several have said before me - this is a people issue not a technical/process issue. I'd stop looking for a technical solution because you will make the human issue worse.
"Action is the thing that escapes most people. Great ideas are a dime a dozen. Great actions are few and far in between."
So, you're looking for a technical solution to the problem of evil behavior in humans. Good luck.
The beginning of enlightenment in data security is the notion that a breach could always occur. The question is not how to prevent all breaches, the question is how to organize the data, allocate it to individuals, and protect its transmission to minimize the effect of the inevitable breach when it DOES occur.
The document in question had somewhere in the neighborhood of 16 keypoints. I spotted 13 key points. So the document either came from one of 3 sources (companies). Within our company it would have probably only come from an upper level manager, but it is possible that some other people working in the production phase could have released the document.
The release of the document in question probably only has civil issues involved. But we have other documents that if released would carry much heavier penalties. These later documents or proof of dispersion of these later documents would not show up in civilian products.
So what I'm trying to determine is if our documents are being dispersed. What I have discussed with one manager is creating an update to certain documents and see if they do show up somewhere else. What we would like to know is if documents are going out. If they are what type of documents and to where.
Depending on what type of documents involved we would either terminate suspected employee or call in law enforcement for further investigation.
What I like about Ask Slashdot is that nobody is trying to sell anyone anything and there are enough knowledgeable people that the "you can fool some of the people all of the time and some of the people all of the time, but by no means both" rule applies. It's kinda' like peer review, except we all constantly bicker and are openly hostile... in other words, we're a bunch of geeks doing what we do best on the topics we know best. Did you ever notice how many people from the marketing department are hanging around this joint? Exactly. And, all things being equal, the fanboy camps usually about equal out (I've seen Microsoft employees stand their ground here, on technical merit alone, against hordes of zealots on a few occasions) such that it's a zero sum game when politics come in to play.
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
You can imprint with digital watermarks that can't be seen by the naked eye, but will show up on a screen shot if the watermarking app scans it (I've heard some can even pull the watermark off of a printed and rescanned image).
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
Check out DLP: http://en.wikipedia.org/wiki/Data_Loss_Prevention.
Data Loss Prevention (DLP) is a computer security term referring to systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. The systems are designed to detect and prevent the unauthorized use and transmission of confidential information.
We're evaluating the following appliances where I'm employed:
Reconnex
FTK SilentRunner
Vericept
Vontu