Document distribution is, and always has been, essential for any business. However, as the medium has changed from paper to document, the challenges surrounding their secure distribution have grown. There is now a real chance that a file will be intercepted on its way to the recipient or compromised on the recipient’s computer and shared with the outside world.
This represents a major threat to organizations. Whether it’s confidential meeting minutes, M&A documentation, or an unsigned contract, the leak of information can cause untold damage. Even if the document doesn’t reach the outside world, an attacker can potentially intercept a document modify it to their own gain, and then redistribute it internally.
Unfortunately, securing all different formats of documents in all environments is a mammoth task. Today we’ll be focusing on just one of them: PDF. The PDF file is among the most widely shared on the internet, with millions passing through email and onto cloud storage services each day. It’s also one of the document formats that is often poorly protected. We’re going to discuss some of the ways enterprises today choose how to protect their PDF distribution, and why they might not be as secure as you think.
Passwords and encryption are the foundation for modern internet protection. It’s natural, then, that many businesses turn to it as the sole form of protection for their PDF files. Doing so, however, could present a major security risk.
While it’s true that encrypting a document with a password gives it some form of protection in transit and at rest, the protection likely isn’t as strong as you expect. The “open” password applied by Adobe PDF security can be recovered in plaintext through paid solutions provided by Russian firm Elcomsoft. This allows the document to be fully decrypted.
However, it may not even be that difficult. The reality is that maintaining passwords on PDF documents is a pain. For a password to be secure, it needs to be long and complex. It also needs to be unique to each document – otherwise, the protection of all of your documents hinges on a single point of failure. Implement both of these, however, and you have hundreds of passwords that are difficult to remember and keep track of.
The reality is that if you have long passwords, employees will end up storing them in insecure ways so they can remember them. If you have short passwords, they’ll be cracked by freely available applications in seconds. It’s a damned if you do, damned if you don’t situation. And regardless of what you choose, it takes just one person to leak a password for everything to fall apart.
Relying on encryption, however, has a far greater flaw – it doesn’t protect the document after it has been read. Anybody who reads the document can provide the decrypted PDF to anyone else. Solutions like Adobe Acrobat try to prevent this with permission controls, but they’re poorly implemented. As a result, anybody with the password to open the document can trivially remove the permissions.
Other protection options
As a result of these failings, some businesses have turned to a newer protection solution – secure data rooms. Unfortunately, despite aggressive marketing, secure data rooms don’t fare much better.
The basic concept behind a secure data room is that a company rents dedicated “secure” space on a server on which to share documents with outside parties. However, while this offers some protection when it comes to interception, organizations need to ask themselves: does it stop documents from being shared?
So, what about PKI systems? In short, yes, PKI systems work. But they’re also very expensive and difficult to manage. You’ll need to hire multiple people to keep on top of keys and certificates and they may not do a good job. If they make a mistake, everything can fall apart. As a result, they’re best used by larger organizations.
Your best bet: A PDF DRM solution
The best choice for most businesses, then, isn’t PKI, but a fully-fledged PDF DRM system. A PDF DRM solution is purpose-built to protect the document distribution process – removing the need for passwords while enabling effective controls to stop printing, screenshotting, editing, and unauthorized sharing.
While PDF DRM solutions make use of some of the techniques above, including encryption and PKI, they do so in a more streamlined and secure way. Before a document is distributed, the document owner encrypts it with PDF DRM software. The document is converted into a separate, unreadable format that can only be opened by a secure viewer application. The receiver can only open the file if they have both the secure viewer and a license file installed on their computer ahead of time.
The secure viewer application is able to implement editing, screenshotting, and printing, and device watermarking controls in a way that is very difficult to bypass. The encrypted licensing system ensures nobody else can intercept and view the document. It’s simple and requires little overhead, yet the distribution process is well-protected. This makes it an ideal choice not just for smaller businesses, but organizations of all sizes.