We often hear news about security related incidents where an inside staff member leaked information about key technology or a new product causing millions of dollars in damages. This is because most business information is now saved in the form of electronic documents rather than on paper. Speed and convenience has improved thanks to IT but breaching or copying information has also become much easier, and a single e-mail, CD/DVD, or USB in the wrong hands can cause tremendous damage. How can we keep these electronic documents safe then?
Before we begin, let’s take a look at the definition of an electronic document.
According to the Act on Promotion of Information and Communications Network Utilization and Information Protection, electronic document refers to “data prepared and transmitted, received, or stored electronically in a standardized form of document by a device capable of processing information, such as a computer.”
This means all documents created by electronic devices and methods are considered electronic documents. The biggest examples of these are standardized document files that are created and saved through document editing programs such as Hangul, MS-Office, and Acrobat. There are also other types of electronic documents that contain information such as txt, auto-CAD, and GIF/JPG.
Then what does it mean to secure these electronic documents?
This basically means authorizing only certain people to save, search, edit, or print electronic documents while blocking others from accessing them. This process furthermore includes preventing forgery and falsification of electronic documents.
Yet it is quite difficult to block security threats completely, since there are various types and distribution channels for electronic documents.
Security is not just designed to stop all access but to make sure users utilize information securely. The ‘security hole’ is created in this process through which not only authorized users but also unauthorized users access the documents.
There are various security technologies and solutions as there are diverse threats to the security of electronic documents. Let’s take a look at some of the most well-known technologies and solutions.
DRM (Digital Rights Management) is the first security technology developed for electronic documents. DRM allows only the authorized users by encrypting documents. It is considered the easiest, but the most powerful way to keep electronic documents safe.
The problem is that the technology has to support encryption and decryption for various kinds of documents, and control the staff from multiple departments in diverse positions. It is also quite complicated as it has to apply and manage different types of authorities for browsing, modifying, printing out, and using at diverse locations such as office, outside, and home. Once applied properly, however, it is definitely the most powerful security measure.
The best thing about DRM is that documents are protected with encryption so data is secure even if they have been leaked. The downside of this technology, however, is that it supports and controls diverse programs and if these programs end up colliding it may cause interruptions. Another problem is that it needs to classify authority according to how critical the document is and how high the user is ranked. It can also be considered complicated and inconvenient as the current security setting has to be removed for an unauthorized person to browse through it, but removing it requires authorization from the higher rank.
Not many people save electronic documents just on a single device like a PC. Most deliver them to someone else through e-mail, messengers, and sites like web hard, and put them into storage media such as smart-phones, CDs, and USB sticks to use them in other locations. Printing the documents out is another way to carry them.
What DLP (Data Loss Prevention) does is to authorize or block these channels and to keep a log so that incidents can be traced whenever they occur.
It manages authorization of online channels (e-mail, messenger, web hard, P2P, etc.) and offline channels (CD, DVD, USB, smartphone) as well as printing them out through printers and fax machines. These channels cannot all be blocked as some of them like e-mails and print-outs are needed for business. One issue is that although it keeps track of what channel the documents were delivered, it can’t get the documents back once they are leaked.
Still, DLP is used as the most basic security measure for electronic documents. The common strategy is to have minimum channels open and most others blocked, while applying additional security procedures for those open channels.
Document Centralization and Cloud-PC are similar but different methods to save documents in safe locations. They both store documents on safely managed servers instead of keeping them on PCs in order to prevent illegal document breaches.
Document centralization moves all the electronic documents created on PCs to a central server automatically and mandatorily after a certain period. On the other hand, Cloud-PC creates and saves electronic documents in a virtual PC environment provided by a central server.
Document centralization can prevent electronic documents from being leaked and improves document utilization through proper classification and storage managed systematically from the center. Yet some may find it inconvenient because the information of each document has to be entered for classification and storage.
Cloud-PC (SBC-server based computing) uses a virtual PC environment provided by the server including document editing programs such as MS-Office. Its security is considered more reliable than with document centralization, since the PC has nothing to do with document creation and modification. It is quite costly, however, because it has to be provided according to different PC environments for each user.
Output security is for verifying users who print out, fax, or copy documents. It creates a log as to who had printed, faxed, or copied documents in order to keep track when/if an incident occurs.
It verifies the user through an ID card reader on the printer, and lets it print out only the documents that had been sent by the same user. This means there won’t be any random documents accidentally being printed out and left alone. It also logs what each user had printed and even limits the number of prints to reduce paper waste and to save money.
Now that we have covered some of the top security technologies and solutions for electronic document security, let’s see what security strategies can be designed for our electronic documents.
First you need to know about what electronic documents you have. Knowing what electronic documents you, your team, and your company have and use is important. You can see what security threats and holes there are and what to do about them only when you know about those things.
Let’s say that you applied the security setting to an electronic document and blocked it from being used, and then later realized that it was necessary for the business. This little mistake can interrupt necessary business procedures and end up causing great damage to your company’s sales.
This is why understanding the electronic documents you have and how they are distributed is critical. This means you have to know which document editing program is being used in each department and what channel they use to send documents to each other.
Once you figure out what electronic documents you have, next you need to find the best way to keep them safe. There are, however, many different types of electronic documents and distribution channels. Blocking every channel for all the types of documents can take lots of time and money. This is why keeping the different types of documents and distribution channels to a minimum and optimal number allowing only a small number of authorized users to handle the documents through a limited number of channels is important.
In order to encrypt documents using DRM, it has to be interlocked with a document editing program. When the program is upgraded DRM also needs to be upgraded, and when you use a new program DRM needs to be set to support that program.
If you are using a program that DRM doesn’t support, the documents from the program may stay unencrypted. This means you need another method to keep these documents safe by controlling this program. Another way is to delete or block the programs that are not covered by the security system.
Once you reach the minimum types of electronic documents and distribution channels, next is to establish and apply the right security measures. In order to enhance the effectiveness of the security measures, technological security such as DRM and DLP and physical security like access control, and also managerial and integrated security such as security training and audit need to be applied. Even if all channels from a PC such as e-mail, messengers, and USB are blocked, it doesn’t mean anything if someone just takes the PC out of the office.
What’s critical in establishing security measures is to know what policy is appropriate for each user and department. Most research organizations have strong security policies since having their documents leaked can cause serious damages. Sales departments usually let their staff take documents off company property since lots of them spend hours outside the office everyday.
Like all other types of security, it is difficult to block all threats and blocking one doesn’t mean complete security. What’s necessary is to understand every form of threat so that systematic and integrated security plans can be established and applied.
Some may wonder what more is necessary once a security plan has been applied. Management, however, is also an important part of keeping things secure, since there can be many exceptions such as granting access to certain users or lifting the access control for a while when someone is in a hurry.
Security holes can be created as well if the access grant isn’t properly managed, since people who transferred or resigned may pose threats if their access isn’t managed in time.
Also, new hacking technologies and threats can’t be blocked without continued security management. It’s crucial to update current security systems in order to respond to new threats. Continued modifications and management, including adding new security policies or modifying existing ones for new security threats, are required.
One of the more recent types of security threats is taking photographs of documents using smartphones. New security policies such as putting a security sticker on top of the camera lens or installing security programs on smartphones that block the use of cameras are now being applied as a response. When IT advances, security technologies and solutions advance as well.
What keeps the same level of security after all, then, is ‘plan-do-check-act’ security management, which updates changing security trends for electronic documents and establishes/applies, operates, examines, and improves the security plan so it can successfully satisfy current security requirements. What’s important here is the ‘who’, because the administrator needs to be in charge of electronic document security.
Like all other security plans, electronic document security cannot be achieved without enough people to operate and manage it. Adding more security measures to adapt to changing security environments means more staff to keep it running properly.
Today, we had a chance to have a look at electronic document security. Some of the electronic document security policies can affect a company’s organizational process greatly. This is because the business process that used to solely account for convenience becomes more complicated or difficult for security, and many staff members may oppose such change.
Electronic documents used to be on both company and personal computers, transferred through public e-mails such as Naver or Gmail, and carried on USB devices. Many people can find it inconvenient if all these become impossible at once.
This is why electronic document security should be accompanied by the raising of staff security awareness. After all, electronic document security is also achieved through the people. Security policies will stay effective and keep doing their job only when the staff understands why these security measures are crucial.
Written By Byung Gyu Kim, Advisory at LG CNS Security Consulting Team