Keeping Private Documents Private

When I share an email or a document with a colleague and ask for their confidentiality, I trust that they won’t share the information with others. Yet information that is particularly business-sensitive tends to be quite interesting, so we learn in the press when people are tempted to break the rules. For instance, last year Ad Age received leaked documents revealing advertising spending for Google’s largest customers. While Microsoft is not immune to leaks from personnel, it provides customers and employees with technology they can implement to guard email messages and documents from exposure beyond the intended audience.

Information Rights Management
Information Rights Management (IRM) is similar to Digital Rights Management for documents and information. With IRM, users can restrict rights to content and prevent authorized recipients of restricted content from forwarding, copying, modifying, printing, faxing, or pasting the content. Via IRM, Windows users can even prevent restricted content from being copied with Print Screen.

Let’s take a look at controlling access to Microsoft Word documents in the image below. In Word, I can use permission rights to limit document viewing to company staff. I can set permissions which prevent recipients from forwarding, copying or printing a document, and I can restrict a document so that only full-time employees can access it. Not only that, each Office application has the ability to apply similar restrictions.

Google Docs does not have Information Rights Management. In fact, the window for leaks is wide open in a Google environment! Google Docs allows users to specify who they want to share a document with online, yet users cannot apply any security settings to the document. Other users can download and share it any way they wish. In addition, if a user is working in a Google Apps domain, their files adopt the domain’s security settings by default, whether those settings are private or not, so Google Apps users may be sharing or publishing documents without knowing they are doing so!

Controlling Document Access with Microsoft Word versus with Google Docs

“More Security Loopholes Found in Google Docs” and “Is Google Docs Secure Enough for Your Company’s Data?” reveal additional risks. Since Google Docs stores images with separate URLs, the images are available to anyone who knows the URL, regardless of whether the owner has given them permission to view the image, has revoked the user’s rights to it, or has deleted the image. Knowledgeable users can even change the revision number in the URL to access older versions of the image. Should an image be sensitive, such as a graph of company budgets or losses, the information could easily become very public, damaging the firm’s reputation. However, Google reviewed these security holes, stating, “We believe that these concerns do not pose a significant security risk to our users.” Google doesn’t seem to take security for Google Docs images very seriously.

Managing Rights for Email
Microsoft also enables IRM for email. You can restrict access to email through Exchange via a set of permissions which are very similar to the permission settings in Office. You can identify the specific rights you want to allow or disallow. For example, to reduce risk and liability you can implement IRM so that staff can’t forward private, corporate messages outside the company without permission. Your business keeps private, team emails within the team, and company secrets contained in email remain confidential. Google has none of these capabilities.

Managing Rights with Microsoft Exchange

Information Rights Management requires certain on-premises investments. It is not for everyone. Larger organizations often take the time to implement and benefit from IRM. Should this interest you, customers can establish IRM settings for Office 2010 and Outlook 2010 using Group Policy, while SharePoint customers have the choice of managing security via a LiveID or through a Rights Management Server.

 

Comments

  • Anonymous
    January 01, 2003
    @Ian Ray: Microsoft Active Directory Federation Services now supports RSA SecurID token authentication (two factor authentication) to secure not only Office 365 applications, but also Microsoft Exchange and the Azure cloud. (http://bit.ly/uQDbaq)

  • Anonymous
    January 01, 2003
    @Matt: Thank you for your idea.

  • Anonymous
    January 01, 2003
    @Ian Ray, Yes, the MSN support team resolved an IRM issue in its trial of a free, consumer, Hotmail IRM service occurring two years ago. Of course, business customers had no impact. By design, the free email service that Microsoft offers consumers and the email services that Microsoft provides to businesses are completely separate. Thank you for citing options for business customers in securing their documents. That is good to know. More details about IRM for Office 2010 are here. (http://bit.ly/kwH4DQ) @Gary Ross: IRM requires some on-premise implementation, and the following white paper describes security for Office 365 customers. (http://bit.ly/l5hNQX) With hybrid deployment, customers can continue to leverage this powerful capability.

  • Anonymous
    January 01, 2003
    @Ian Ray: While we will certainly be updating this blog with cloud security topics, you might also browse the Office 365 technical blog which provides some good updates. (http://bit.ly/eLdkDk)

  • Anonymous
    January 01, 2003
    @Ian Ray: While second factor authentication is not for everyone, organizations adopting it have a need for this level of user security and consider both human factors and costs in relation to benefit. I offer no guidance regarding sustainability of other, potential 2nd factor authentication methods to Office 365, as we look to partners and customers for feedback on these potential methods, based on their experience using them with the cloud service.

  • Anonymous
    January 01, 2003
    @Ian Ray: Those wishing to implement RSA SecurID for two factor authentication might begin by reviewing this blog post. It describes using federated identities in Active Directory with Office 365. (http://bit.ly/xvW2eS). We look forward to hearing about customers’ and partners’ experience with other 2 factor methods in authenticating to Office 365!

  • Anonymous
    January 01, 2003
    @Ian Ray: IRM requires some on-premise implementation, and the following white paper describes security for Office 365 customers. (http://bit.ly/l5hNQX)

  • Anonymous
    January 01, 2003
    @Ian Ray: Microsoft knows that technical capability is one thing and recommending a sustainable solution is much different. That is an important and much greater commitment. As business partners and customers test, verify and gain experience with how other authentication technologies interoperate and work within organizations, Microsoft may begin to recommend both RSA SecurID and other 2 factor authentication technologies to Office 365 customers. Until that time may come, Microsoft recommends RSA SecurID for 2 factor authentication to Office 365.

  • Anonymous
    December 07, 2011
    When is IRM coming to the cloud?

  • Anonymous
    December 08, 2011
    Is this similar to Office 2003 IRM? That feature creates incompatibility issues, or at least it did the last time I saw a file where someone had actually used it. Google did add a "prevent download" feature in early November, FWIW.

  • Anonymous
    December 08, 2011
    I should add that I've long been interested in this technology except for two issues:

  1. Fears that it would be just as incompatible as different DRM formats used on other media
  2. Issues with being locked out of data such as those in this post http://tinyurl.com/ch3eyej

    Standard encryption with keys passphrases seems to work adequately for confidential information and doesn't have the issue of doubt that in the future this information will become unavailable. ECM vendors have tried to sell their management lock-in features for years with very low uptake. If a truly compatible and future-proof solution was devised, I'm sure businesses would be quicker to other encryption methods.