Keeping Private Documents Private


When I share an email or a document with a colleague and ask for their confidentiality, I trust that they won’t share the information with others. Yet information that is particularly business- sensitive tends to be quite interesting, so we learn in the press when people are tempted to break the rules. For instance, last year Ad Age received leaked documents revealing advertising spending for Google’s largest customers. While Microsoft is not immune to leaks from personnel, it provides customers and employees with technology they can implement to guard email messages and documents from exposure beyond the intended audience. 

Information Rights Management
Information Rights Management (IRM) is similar to Digital Rights Management for documents and information. With IRM, users can restrict rights to content and prevent authorized recipients of restricted content from forwarding, copying, modifying, printing, faxing, or pasting the content. Via IRM, Windows users can even prevent restricted content from being copied with Print Screen.

Let’s take a look at controlling access to Microsoft Word documents in the image below. In Word, I can use permission rights to limit document viewing to company staff. I can set permissions which prevent recipients from forwarding, copying or printing a document, and I can restrict a document so that only full-time employees can access it. Not only that, each Office application has the ability to apply similar restrictions.

Google Docs does not have Information Rights Management. In fact, the window for leaks is wide open in a Google environment! Google Docs allows users to specify who they want to share a document with online, yet users cannot apply any security settings to the document. Other users can download and share it any way they wish. In addition, if a user is working in a Google Apps domain, their files adopt the domain’s security setting, by default, whether those settings are private or not, so Google Apps users may be sharing or publishing documents without knowing they are doing so!

Controlling Document Access with Microsoft Word versus with Google Docs

More Security Loopholes Found in Google Docs” and “Is Google Docs Secure Enough for Your Company’s Data?”  reveal additional risks.  Since Google Docs stores images with separate URLs, the images are available to anyone who knows the URL, regardless of whether the owner has given them permission to view the image, has revoked the user’s rights to it, or has deleted the image. Knowledgeable users can even change the revision number in the URL to access older versions of the image. Should an image be sensitive, such as a graph of company budgets or losses, the information could easily become very public, damaging the firm’s reputation. However, Google reviewed these security holes stating “We believe that these concerns do not pose a significant security risk to our users.” Google doesn’t seem to take security for Google Docs images very seriously.

Managing Rights for Email
Microsoft also enables IRM for email. You can restrict access to email through Exchange via a set of permissions which are very similar to the permission settings in Office. You can identify the specific rights you want to allow or disallow. For example, to reduce risk and liability you can implement IRM so that staff can’t forward private, corporate messages outside the company without permission. Your business keeps private, team emails within the team, and company secrets contained in email remain confidential. Google has none of these capabilities.

Managing Rights with Microsoft Exchange

Information Rights Management requires certain on-premises investments. It is not for everyone. Larger organizations often take the time to implement and benefit from IRM. Should this interest you, customers can establish IRM settings for Office 2010 and Outlook 2010 using Group Policy, while SharePoint customers have the choice of managing security via a LiveID or through a Rights Management Server.

 
 

Comments (52)

  1. Anonymous says:

    @Ian Ray:  Microsoft Active Directory Federation Services now supports RSA SecurID token authentication, (two factor authentication), to secure not only Office 365 applications, but also Microsoft Exchange, and the Azure cloud.   (http://bit.ly/uQDbaq).

  2. Anonymous says:

    @Matt: Thank you for your idea.

  3. Anonymous says:

    @Ian Ray, Yes, the MSN support team resolved an IRM issue in its trial of a free, consumer, Hotmail IRM service occurring two years ago. Of course, business customers had no impact. By design, the free email service that Microsoft offers consumers and the email services that Microsoft provides to businesses are completely separate.

    Thank you for citing options for business customers in securing their documents. That is good to know. More details about IRM for Office 2010 are here. (http://bit.ly/kwH4DQ)

    @Gary Ross: IRM requires some on-premise implementation, and the following white paper describes security for Office 365 customers. (http://bit.ly/l5hNQX). With hybrid deployment, customers can continue leverage this powerful capability.

  4. Anonymous says:

    @Ian Ray: While we will certainly be updating this blog with cloud security topics, you might also browse the Office 365 technical blog which provides some good updates. (http://bit.ly/eLdkDk)

  5. Anonymous says:

    @Ian Ray:  While second factor authentication is not for everyone, organizations adopting it have a need for this level of user security and consider both human factors and costs in relation to benefit. I offer no guidance regarding sustainability of other, potential 2nd factor authentication methods to Office 365, as we look to partners and customers for feedback on these potential methods, based on their experience using them with the cloud service.

  6. Anonymous says:

    @Ian Ray: Those wishing to implement RSA SecurID for two factor authentication might begin by reviewing this blog post. It describes using federated identities in Active Directory with Office 365. (http://bit.ly/xvW2eS). We look forward to hearing about customers’ and partners’ experience with other 2 factor methods in authenticating to Office 365!

  7. Anonymous says:

    @Ian Ray: IRM requires some on-premise implementation, and the following white paper describes security for Office 365 customers.(http://bit.ly/l5hNQX).

  8. Anonymous says:

    @Ian Ray: Microsoft knows that technical capability is one thing and recommending a sustainable solution is much different. That is an important and much greater commitment. As business partners and customers test, verify and gain experience with how other authentication technologies interoperate and work within organizations, Microsoft may begin to recommend both RSA SecurID and other 2 factor authentication technologies to Office 365 customers. Until that time may come, Microsoft recommends RSA SecurID for 2 factor authentication to Office 365.

  9. Google Gary Ross says:

    When is IRM coming to the cloud?

  10. Ian Ray says:

    Is this similar to Office 2003 IRM? That feature creates incompatibility issues, or at least it did the last time I saw a file where someone had actually used it.

    Google did add a "prevent download" feature in early November, FWIW.

  11. Ian Ray says:

    I should add that I've long been interested in this technology except for two issues:

    1. Fears that it would be just as incompatible as different DRM formats used on other media

    2. Issues with being locked out of data such as those in this post http://tinyurl.com/ch3eyej

    Standard encryption with keys passphrases seems to work adequately for confidential information and doesn't have the issue of doubt that in the future this information will become unavailable. ECM vendors have tried to sell there management lock-in features for years with very low uptake. If a truly compatible and future-proof solution was devised, I'm sure businesses would be quicker to other encryption methods.

  12. Ian Ray says:

    Another piece of security software I have used in the past is called "outlookgnupg" plugin.

    github.com/…/wiki

    This worked fairly well for decryption of sensitive documents sent when I worked for the government. Are there plans to extend the API of Office 365 to support such things?

    I have also used "cr-gpg" for Chrome (which I have had some issues installing on certain configurations due to its alpha status). Perhaps such a browser extension could be developed for encryption/decryption that would work with Office 365 as well.

    Just throwing this stuff out there. I haven’t seen much Microsoft/Oracle/Adobe IRM integration actually in use, but have seen pgp-type encryption in use on sensitive document transmission many times.

  13. Ian Ray says:

    @Tony Tai

    Thank you for the link. From reading that blog, it appears S/MIME is not working in Office 365 without OWA. This would break any rights management, yes? I hope that has been/will be fixed.

  14. Matt says:

    really? when do you want to compare this to google *applications* and not google docs?

  15. Ian Ray says:

    On the security issue in general, I would like to see an Office 365 option for "two-factor authentication". Enterprise still employs the obsolete 90 day password reset. This compiles with security audits of various standards devised decades ago, but does not secure information in a practical way. That is, a user could have a complex password written on a sticky note every 90 days or have "letmein11" as their password combined with text message codes… The latter seems to be more difficult to break from a practical perspecive.

    Really, it doesn't matter how strict sharing is set up if the account shared to is vulnerable. Office 365 programmers could solve this by borrowing a practical concept.

  16. Ian Ray says:

    @Tony Tai

    It would be nice if Active Directory allowed a user to use a set of hard tokens to turn off the existing authentication in the event that the SecurID keychain unit or phone is lost/stolen. I don't really understand the need for a proprietary solution as the only two-factor authentication offered. Seems expensive and cumbersome for a technology that has famously been compromised.

  17. Ian Ray says:

    @Tony Tai

    Are you stating that SaaS SMS or App-based two-factor authentication is not as "sustainable" a technology as SecurID keys?

    SecurID costs at minimum $25,000 for the central hardware and employees regularly lose the $60 keys. SecurID was compromised once, what assurance is there that this won't happen again. "Sustainable" does not seem like an appropriate label… "legacy" would fit better.

  18. Ian Ray says:

    @Tony Tai

    Well, I hope customers push for easier to deploy methods than SecurID.

  19. rahul khattar says:

    Guys suggest the group to check out what Seclore IRM has to offer in this space.

    It works wonderfully in different distributed office environments. Infact it would work even if your mail server is hosted with Google or any other cloud player.

    You do not need to install any software or buy any expensive licenses for your macintosh , windows or linux box to view the protected documents.

    Infact if you so choose to migrate your Office service provider, it is a seamless experience

    Regards

    Rahul Khattar

    GM ES,Seclore

  20. mm says:

    http://www.gamesyoum7.com/game/347/%D9%84%D8%B9%D8%A8%D8%A9_%D8%A7%D9%84%D8%A8%D9%8A%D8%A7%D9%86%D9%88.html
    http://www.gamesyoum7.com/game/343/%D9%84%D8%B9%D8%A8%D8%A9_%D8%A7%D9%84%D9%81%D8%B1%D8%A7%D8%AE.html
    http://www.gamesyoum7.com/game/359/%D8%A7%D9%84%D8%B9%D8%A7%D8%A8_%D8%AA%D9%84%D8%A8%D9%8A%D8%B3_%D8%A8%D9%86%D8%A7%D8%AA.html
    http://www.gamesyoum7.com/game/520/%D9%84%D8%B9%D8%A8%D8%A9_%D9%85%D8%A7%D8%B1%D9%8A%D9%88.html
    http://www.gamesyoum7.com/game/184/%D8%A7%D9%84%D8%B9%D8%A7%D8%A8_%D8%B2%D9%88%D9%85%D8%A7.html
    http://www.gamesyoum7.com/game/21/%D9%84%D8%B9%D8%A8%D8%A9_%D8%A8%D9%86_%D8%AA%D9%86_%D9%88%D9%82%D8%AA%D8%A7%D9%84_%D8%A7%D9%84%D9%81%D8%B6%D8%A7%D8%A6%D9%8A%D9%8A%D9%86.html
    http://www.gamesyoum7.com/game/52/%D9%84%D8%B9%D8%A8%D8%A9_%D8%A7%D9%84%D9%85%D8%B5%D8%A7%D8%B1%D8%B9%D8%A9_%D8%A7%D9%84%D8%AD%D8%B1%D8%A9.html
    http://www.gamesyoum7.com/game/521/%D9%84%D8%B9%D8%A8%D8%A9_%D9%85%D9%82%D9%8A%D8%A7%D8%B3_%D8%A7%D9%84%D8%AD%D8%A8.html
    http://www.gamesyoum7.com/game/348/%D9%84%D8%B9%D8%A8%D8%A9_%D8%A7%D9%84%D9%82%D8%B7%D8%A9.html
    http://www.gamesyoum7.com/game/375/%D9%84%D8%B9%D8%A8%D8%A9_%D8%AC%D8%A7%D8%AA%D8%A7.html
    http://www.gamesyoum7.com/game/87/%D9%84%D8%B9%D8%A8%D8%A9_%D8%A7%D9%84%D9%85%D8%B2%D8%B1%D8%B9%D8%A9_%D8%A7%D9%84%D8%B3%D8%B9%D9%8A%D8%AF%D8%A9.html
    http://www.gamesyoum7.com/game/73/%D9%84%D8%B9%D8%A8%D8%A9_%D8%B1%D8%A7%D9%84%D9%8A_%D8%A7%D9%84%D8%B3%D9%8A%D8%A7%D8%B1%D8%A7%D8%AA.html
    http://www.gamesyoum7.com/game/509/%D9%84%D8%B9%D8%A8%D8%A9_%D9%83%D8%A7%D9%86%D8%AF%D9%8A_%D9%83%D8%B1%D8%A7%D8%B4.html
    http://www.gamesyoum7.com/game/355/%D9%84%D8%B9%D8%A8%D8%A9_%D8%A8%D8%A7%D8%B1%D8%A8%D9%8A.html
    http://www.gamesyoum7.com/game/434/%D9%84%D8%B9%D8%A8%D8%A9_%D8%B3%D8%A8%D9%88%D9%86%D8%AC_%D8%A8%D9%88%D8%A8.html
    http://www.gamesyoum7.com/game/3/%D9%84%D8%B9%D8%A8%D8%A9_%D8%AA%D9%88%D9%85_%D9%88%D8%AC%D9%8A%D8%B1%D9%8A.html
    http://www.gamesyoum7.com/game/488/%D9%84%D8%B9%D8%A8%D8%A9_%D9%81%D9%8A%D9%81%D8%A7.html
    http://www.gamesyoum7.com/game/446/%D9%84%D8%B9%D8%A8%D8%A9_%D8%B5%D8%A8_%D9%88%D8%A7%D9%8A_%D9%88%D8%A7%D9%84%D8%B0%D9%87%D8%A8.html
    http://www.gamesyoum7.com/game/34/%D9%84%D8%B9%D8%A8%D8%A9_%D8%AD%D8%B1%D8%A8_%D8%A7%D9%84%D9%81%D8%B6%D8%A7%D8%A1.html
    http://www.gamesyoum7.com/game/430/%D9%84%D8%B9%D8%A8%D8%A9_%D8%B3%D8%A8%D8%A7%D9%82_%D8%A7%D9%84%D8%B3%D9%8A%D8%A7%D8%B1%D8%A7%D8%AA.html
    http://www.gamesyoum7.com/game/132/%D8%A7%D9%84%D8%B9%D8%A7%D8%A8_%D8%AA%D9%84%D8%A8%D9%8A%D8%B3_%D8%AC%D8%AF%D9%8A%D8%AF%D8%A9.html
    http://www.gamesyoum7.com/game/126/%D8%A7%D9%84%D8%B9%D8%A7%D8%A8_%D8%A8%D9%86%D8%A7%D8%AA_%D8%AC%D8%AF%D9%8A%D8%AF%D8%A9.html
    http://www.gamesyoum7.com/game/230/%D8%A7%D9%84%D8%B9%D8%A7%D8%A8_%D8%B7%D8%A8%D8%AE_%D8%AC%D8%AF%D9%8A%D8%AF%D8%A9.html
    http://www.gamesyoum7.com/game/127/%D8%A7%D9%84%D8%B9%D8%A7%D8%A8_%D8%A8%D9%86_%D8%AA%D9%86_%D8%A7%D9%84%D8%AC%D8%AF%D9%8A%D8%AF%D8%A9.html
    http://www.gamesyoum7.com/game/259/%D8%A7%D9%84%D8%B9%D8%A7%D8%A8_%D9%81%D9%84%D8%A7%D8%B4_%D8%AC%D8%AF%D9%8A%D8%AF%D8%A9.html

  21. situs buka jasa dan promosi jasa says:

    Situs buka jasa dan promosi jasa on http://www.bukajasa.com

  22. jadwal bola hari ini says:

    Jadwal bola hari ini on http://www.hantubola.com
    Prediksi bola malam ini on http://wwwhantubola.com
    Prediksi bola akurat on http://wwwhantubola.com

  23. ojekgratis.com says:

    ojek gratis @ http://www.ojekgratis.com
    grab bike on http://www.ojekgratis.com
    Go jek bndung on http://www.ojekgratis.com
    uber gratis @ http://www.ubergratis.com/
    uber coupon code on http://www.ubergratis.com/
    http://www.uber.com/invite/ubergratis.com
    sprei katun jepang on http://www.paramacollection.id
    grosir sprei katun jepang on http://www.paramacollection.id/
    sprei katun jepang terbaru on http://www.paramacollection.id
    jasa poles marmer on http://poleslantai.com/poles-marmer/
    jasa poles marmer on http://www.poleslantai.com/
    agen taruhan bola @ http://www.maubet4u.com
    agen taruhan bola sbobet @ http://www.maubet4u.com,

    agen taruhan bola online sbobet @ http://www.maubet4u.com

  24. ojekgratis.com says:

    ojek gratis @ http://www.ojekgratis.com
    grab bike on http://www.ojekgratis.com
    Go jek bndung on http://www.ojekgratis.com
    uber gratis @ http://www.ubergratis.com/
    uber coupon code on http://www.ubergratis.com/
    http://www.uber.com/invite/ubergratis.com
    sprei katun jepang on http://www.paramacollection.id
    grosir sprei katun jepang on http://www.paramacollection.id/
    sprei katun jepang terbaru on http://www.paramacollection.id
    jasa poles marmer on http://poleslantai.com/poles-marmer/
    jasa poles marmer on http://www.poleslantai.com/
    agen taruhan bola @ http://www.maubet4u.com
    agen taruhan bola sbobet @ http://www.maubet4u.com,

    agen taruhan bola online sbobet @ http://www.maubet4u.com

  25. Paket tour wisata says:

    Paket tour wisata on http://www.tiketpesawat24jam.com
    Paket tour wisata murah on http://www.tiketpesawat24jam.com
    Paket tour wisata hemat on http://www.tiketpesawat24jam.com

  26. Togel online says:

    Togel online on http://www.sindobet.com
    Taruhan bola online on http://www.sindobet.com
    Prediksi bola hari ini on http://www.sindobet.com

  27. Jasa backlink murah berkualitas says:

    Jasa backlink dan seo on http://www.goseopro.net/
    Alat ukur standart backlink goseopro.net
    http://www.goseopro.net/2015/10/alat-ukur-standar- backlink.html
    Jasa backlink murah berkualitas
    http://www.goseopro.net/2015/03/jasa-backlink-murah-berkualitas.html

  28. caribiankomu says:

    fantastic post, very informative. I wonder why the other specialists of this sector do not notice this. You must continue your writing. I am confident, you’ve a great readers’ base already!
    http://www.encendiabiochar.com/

  29. Tutorial flashing android says:

    Cara flashing android @ http://indoflasher.net
    Tutorial flashing android @ http://indoflasher.net
    Tempat download stockrom dan firmware indonesia @
    http://indoflasher.net