Keeping Private Documents Private

When I share an email or a document with a colleague and ask for their confidentiality, I trust that they won’t share the information with others. Yet information that is particularly business- sensitive tends to be quite interesting, so we learn in the press when people are tempted to break the rules. For instance, last year Ad Age received leaked documents revealing advertising spending for Google’s largest customers. While Microsoft is not immune to leaks from personnel, it provides customers and employees with technology they can implement to guard email messages and documents from exposure beyond the intended audience. 

Information Rights Management
Information Rights Management (IRM) is similar to Digital Rights Management for documents and information. With IRM, users can restrict rights to content and prevent authorized recipients of restricted content from forwarding, copying, modifying, printing, faxing, or pasting the content. Via IRM, Windows users can even prevent restricted content from being copied with Print Screen.

Let’s take a look at controlling access to Microsoft Word documents in the image below. In Word, I can use permission rights to limit document viewing to company staff. I can set permissions which prevent recipients from forwarding, copying or printing a document, and I can restrict a document so that only full-time employees can access it. Not only that, each Office application has the ability to apply similar restrictions.

Google Docs does not have Information Rights Management. In fact, the window for leaks is wide open in a Google environment! Google Docs allows users to specify who they want to share a document with online, yet users cannot apply any security settings to the document. Other users can download and share it any way they wish. In addition, if a user is working in a Google Apps domain, their files adopt the domain’s security setting, by default, whether those settings are private or not, so Google Apps users may be sharing or publishing documents without knowing they are doing so!

Controlling Document Access with Microsoft Word versus with Google Docs

More Security Loopholes Found in Google Docs” and “Is Google Docs Secure Enough for Your Company’s Data?”  reveal additional risks.  Since Google Docs stores images with separate URLs, the images are available to anyone who knows the URL, regardless of whether the owner has given them permission to view the image, has revoked the user’s rights to it, or has deleted the image. Knowledgeable users can even change the revision number in the URL to access older versions of the image. Should an image be sensitive, such as a graph of company budgets or losses, the information could easily become very public, damaging the firm’s reputation. However, Google reviewed these security holes stating “We believe that these concerns do not pose a significant security risk to our users.” Google doesn’t seem to take security for Google Docs images very seriously.

Managing Rights for Email
Microsoft also enables IRM for email. You can restrict access to email through Exchange via a set of permissions which are very similar to the permission settings in Office. You can identify the specific rights you want to allow or disallow. For example, to reduce risk and liability you can implement IRM so that staff can’t forward private, corporate messages outside the company without permission. Your business keeps private, team emails within the team, and company secrets contained in email remain confidential. Google has none of these capabilities.

Managing Rights with Microsoft Exchange

Information Rights Management requires certain on-premises investments. It is not for everyone. Larger organizations often take the time to implement and benefit from IRM. Should this interest you, customers can establish IRM settings for Office 2010 and Outlook 2010 using Group Policy, while SharePoint customers have the choice of managing security via a LiveID or through a Rights Management Server.