Document Security System To Prevent Confidential Leakage

I. Enterprise security systems

There are many things to consider when running a business, but there are operating elements that have been particularly acute over the years. Usually, the security system that a company wants to adopt is called an enterprise security system. Since there are many kinds and various ranges of security, many people are wondering which security system should be adopted to run the company safely.

There are usually three types or four types of enterprise security. First, there is an access management system that manages human access. It is a system that allows only authorized persons to enter the company by using various recognition sensors such as fingerprint recognition, card recognition, and iris recognition. Also known as a physical security system, it is often used in connection with a computing system. Next is the network security system, which allows only authorized systems to access the network. Network Access Control (NAC) is typical, and Data Loss Prevention (DLP) could fall into this category. Next is a file security system that enforces security for files (including documents) created within the enterprise. A representative security system is Digital Rights Management (DRM), which may also belong to the aforementioned DLP. In short, it can be divided into securing physical space (physical security), securing infrastructure (network security), and securing content.

Physical security and infrastructure security are also important, but it's true that more and more companies are paying more attention to content security in recent years. Therefore, this report looks at content security, especially document security, among enterprise security systems.

II. Type of document security system for enterprise

In general, document security systems apply security to document files created by employees in the company using production tools such as PCs (desktops, laptops, tablets) or smartphones provided by the company and the contents of documents. It refers to a system that is secure, prevents leaks, and makes it possible to track leaks. Literally, external leakage prevention and tracking system of documents created inside the company is a document security system. There are various kinds and functions. In this report, I will talk about the four types of document security systems that are commonly used.

DRM

Abbreviation for Digital Rights Management literally means digital rights management system. In other words, it is a system that manages the rights to everything that is digital. In general, only authorized users can view files by applying security to various files created through office solutions such as MS Office. It's a system that lets you edit and edit It can be applied not only to office solutions but also to CAD programs such as AutoCAD, and to programs that create an image and video contents such as Photoshop, Illustrator, and Premiere. In other words, all digital contents provided in the file format are protected by DRM. Indeed, it can be applied to executables, such as games, in addition to content in this document format, but I will not mention it because it is outside the scope of this report.

Usually, the DRM that secures files from the office or CAD solution mentioned above is called document DRM, and the security of multimedia content files such as music, video, and images is called content DRM. It is more common to refer to consumer DRM system to apply DRM to general users as enterprise DRM system. In the past, the DRM system provided by sound source sites such as Melons and Bentos is a content DRM and a consumer DRM system, and the DRM system used by an enterprise is an enterprise DRM system.

How does this enterprise DRM system work? Documents created on PCs with corporate DRM systems are encrypted and stored by default. In order to view the encrypted file, the user must be authenticated by the authentication server of the DRM system and must pass the authentication to receive decryption information (decryption key) to solve the encrypted content. Do it. The basic approach is this, but you can have various rights within it and restrict the view and edit rights according to the rights.

Because of this function, the agent usually installs an agent called DRM Agent on the PC, and the agent controls the applications that generate files (MS Office, various CAD programs, multimedia content creation programs, etc.). Generally, these applications are provided through an external DRM agent because the DRM function is not provided by default, and application control techniques such as injection and hooking are used in the process. As a result, PC performance often suffers from poor stability. Because all files are encrypted, even files created for personal use, not corporate documents, are encrypted. The disadvantage is that people who use it sometimes feel uncomfortable.

However, companies have to prefer a DRM system that applies to everyone because it is difficult to monitor what documents are created by users in the enterprise. In addition, if access to the authentication server is possible outside the company, documents can be read not only inside the company but also outside the company. Therefore, the DRM system is the document security system that is introduced and used the most in the enterprise.

Document centralization system

As the name implies, a document centralization system refers to a system that centrally collects and manages documents. A document centralization system is a system that allows documents created on a user's PC to be viewed on a document server even when stored and viewed on a document server provided by an enterprise, instead of being stored on the user's PC. The document centralization system makes sense that all documents created in the enterprise are centrally managed and prevented from going out.

A feature of the document centralization system is that, as mentioned earlier, documents created on the user's PC are not located on the PC but are stored on the document server so they do not leak out. In the case of DRM systems, the document is encrypted, but the file itself can be exported outside. This is because when information that can be decrypted (decryption key) is leaked, it becomes useless. That's why they often adopt document centralization as a way to keep them out of the enterprise.

The document centralization system generally moves documents to a central document server. When a document is viewed or edited on a user's PC, only a part of the document is downloaded and edited. Alternatively, files can only be read in the PC's memory and not be stored in the PC's storage space (HDD, SDD, etc.), so that they can be viewed and edited (called the memory loading method). In general, document files are not encrypted, but they may be encrypted and stored for greater security. If encrypted, even if the file is leaked, like DRM, it cannot be viewed until authentication, and in general, authentication of the document centralization system is limited to the inside of the enterprise.

There are various methods of document centralization system. There is a document centralization system that installs an agent like a DRM system and recognizes when a document is created and stored in the application, and moves the stored document to the document server and deletes it from the PC. There is also a document centralization system that allows you to connect to a network drive and view documents only on that drive. Another case is using cloud-based web offices, where cloud storage is used as a document server. Of course, you need to use a separate web office system rather than Google's Google Drive or Microsoft's OneDrive. Alternatively, it can be provided through a custom web office using the Office related OpenAPI provided by Google Drive or One Drive.

In general, introducing a DRM system does not introduce a document centralization system. This is due to a conflict in file management. Therefore, it is common to introduce only a document centralization system or only a DRM system. In the enterprise, the document centralization system is used to manage documents, but if the documents need to be exported, the system can be designed to export using DRM.

Printout Watermark

The printout watermark is one of the printout security systems. However, the print watermark is often referred to as a print security system. The print watermark refers to a security system that provides security for prints printed through a printer. However, the watermark is somewhat different because it is related to the printout, which is difficult to encrypt in the document itself, such as the DRM and document centralization system. Security systems such as DRM, document centralization systems, and DLP, which will be discussed below, are more proactive and preventive, while print security systems such as print watermarks are more likely to follow up.

The print watermark system is usually divided into two types, one for indicating the authenticity and one for outputting the information together so that it can be traced after the leak. The former shows that when we usually print documents provided by resident registration copies or other public institutions on the Internet, they are printed in a pattern at the bottom of the document. It is a security system that allows you to hide the authenticity of a document by making the watermark appear 'copy' when you print or reprint it. The latter is a security system that prints the information of the person (ID, department, name, etc.), date, and which printer was used at the top and bottom of the document. It also puts information in the middle of the document. So when a document is leaked, it is a security system that finds the first writer through the information at the top and bottom of the document, or in the middle of the document, and traces the path through the trace.

The output watermark system can be divided into a system including a printer and a system operating without a printer, and a system for installing an agent on a PC and a system without a printer. A system that includes a printer is when a particular printer is included in the printout watermark system. That is, the printer is connected to the printout watermark system and prints by watermarking the printer itself. In this case, when the data is moved from the PC to the printer, it is moved as it is, and the printer prints watermarks. A system operating without a printer allows a printer that does not have a specific printer, that is, a printer without a print watermark function, and moves data from the PC to the printer when the data is moved from the PC to the printer. Prior to printing, watermark systems with printers do not have agents on the PC. In the latter case, agents are required. This is because the agent works with the water mart. Of course, systems with printers also have agents installed, because they are needed to send user information to the printer and to log. If not, the printer collects user information and logs the log (although the printer records it, but sometimes uses a separate server connected to the printer). Thus, when a document is leaked, the log not only has information in the document but also the log to find the original writer and keep track of it so that it can find the leak path and find the leak point.

Printout watermark systems are often used in conjunction with DRM, document centralization systems, and DLP. This is secured by DRM, document centralization system, or DLP in advance, but because it is likely to be leaked somehow, there is a need to follow up afterward to prevent leakage. It is common to write together.

DLP

Abbreviation for Data Loss Prevention, a security system that provides data leakage prevention. It is a security system that monitors actions when a user creates a document or moves a document out of the way and alerts or blocks when an external leak is attempted. If the aforementioned DRM or document centralization system is involved in the storage and viewing of documents, the DLP is involved in all the actions of creating and handling documents. Therefore, unlike DRM and document centralization system that apply security by document, DLP monitors all documents.

DLP is not only stored in a storage space in PC, but also stored in external media other than PC through CD / DVD-RW or external storage via USB, or via the Internet such as sharing via email, web hard or cloud storage. It acts as a warning or blocking when an external export is in progress or when outputting. In addition, there is a function that checks the contents of the document and checks whether there is important company information or personal information, and permits or blocks them according to the inspection results when they are exported to the outside (or outputs by hiding sensitive information when printing). May be used).

Other features include controlling network access from unauthorized PCs, adding watermarks when documents are printed, or encrypting them when they are exported, preventing them from being viewed from outside or retrieving them only after being authenticated. Can be. These functions mentioned above are already implemented using the aforementioned DRM, print watermark, and NAC. In the case of DLP, the documents or data in the enterprise can be provided by interworking with these solutions or implemented as functions of the DLP system. To prevent them from leaking outside. This variety of features makes DLP a total enterprise data security solution. In general, however, DLP usually prevents data from falling into the enterprise, and most of them support functions such as external export blocking and output blocking.

DLP is generally divided into Endpoint DLP, Server DLP, and Network DLP. Endpoint DLP, like DRM, installs an agent on a PC and tracks and monitors all the flows in the PC. Server DLP monitors the contents of documents stored on the server. Inspect and destroy or control access. Network DLP monitors the contents of a communication packet when a PC is connected to and communicated with an internal server or an external system via the Internet. The highest security of the DLP is called the endpoint DLP and the least burden is the server DLP or the network DLP. Usually, the server DLP <network DLP <endpoint DLP is applied in order. Relatively more companies are applying it).

Unlike DRM, in general, DLP does not encrypt or encrypt the generated documents separately. Therefore, the disadvantage of DLP is that there is no way to secure the document in any way. Therefore, a lot of DRM is used in combination with DLP. However, there is a disadvantage in that the performance of the user PC is relatively low. This is because it is inevitable that usability decreases as security increases.

In addition to the four document security systems mentioned above, there are various document security systems. Even if the security system is not necessarily intended for document security, many security systems are consequently document security. As mentioned earlier, NAC, a network access management system, can also protect the documents stored on the network by preventing unauthorized people or systems from accessing the network. Other security systems have similar effects.

III. Responding to Mobile and Cloud Environments

The four document security systems mentioned above are document security systems that are mostly applied in a PC-based work environment. It is a security system that runs on so-called legacy systems, and it is true that this method has been applied and operated so far since corporate document production and reading methods are still performed in PC environment and Windows OS environment.

But it's hard to say that the current corporate workplace is only in the office, in the office. Of course, writing can be done in the office, but it's not always necessary to look at it in the office. You can see it outside the office or on a tablet or smartphone, not on a PC or laptop. In other words, it's not tied to the PC work environment as it was in the past. Whether it is compatible with a mobile environment has emerged as a challenge for document security systems.

It's not just about the mobile environment. Many companies are beginning to adopt cloud environments. Of course, the cloud environment that companies want to adopt uses desktop virtualization, which raises PCs of employees working in the office to the cloud environment, but the document security system mentioned above is used because it uses server virtualization, which raises servers, which are mostly business systems, to the cloud environment. You can think that it is not too big to apply it as it is. In addition, the work environment often comes to the web environment. In this case, the document security function is often combined with the document security function from the beginning when the web-based work environment is created. In other words, solution companies that build existing document security systems are responding to cloud environments by creating and deploying security-based web-based work environments with groupware solution companies and web office solution companies. As mentioned earlier, even if you use Google Drive or One Drive, you can use custom Google Drive or One Drive with security functions using OpenAPI provided by Google Drive or One Drive. It seems to be going.

We mentioned the response to the mobile and cloud environment, but it is true that there is no clear prominence in the mobile response. In fact, mobile office applications are rarely used for work. Of course, smartphones are often used because of the screen size, but tablets with mobile OS such as Android tablets and iPads, rather than Windows tablets with Windows OS, are still lacking. Therefore, there are many cases where the response method of cloud environment is used together as the response method of the mobile environment. In other words, the web-based work environment needs to be well supported by the web browser, and since the web browser of the tablet or smartphone is as good as the web browser on the PC, it is often used as an alternative. Still, document security systems on mobile are still lacking and lacking.

Ⅳ. The necessity of introducing a document security system

For the enterprise, security is very important. One or two document leaks may or may not cause a company to collapse, but one or two document leaks can hurt sales or lose important cash cows in the long run. In addition, a corporate image may fall. However, the costs of introducing and operating the four document security systems mentioned above are not frankly cheap. This can be a burden for venture firms or SMEs with limited funds. There are companies that are aware of the need for security but are unable to introduce it as a cost burden.

Security may be reluctant to feel the need until you have a problem right away, but if you think about the amount of damage after the problem, it's right to prevent it. Of course, the well-known solutions of the four document security systems mentioned above are expensive, but if you look for them, you will find document security solutions for SMBs and venture companies that are inexpensive, secure and functional. Finding such a cheap and decent solution might be something a business needs to do.