Consider some recent headlines:
A "nonpartisan" Social Security document had edits from a (Republican) White House staffer before submittal. Democrats and unions cry foul.
A mutual fund firm inadvertently disclosed confidential shareholder information in a PDF-formatted public filing. Shareholders are filing data privacy lawsuits.
The Pentagon revealed classified information in a PDF (Portable Document Format) about an Italian secret service agent's death in Iraq. Italy disagreed and is threatening to leave Iraq.
A document with a list of HIV patients was attached to a public health department e-mail. HIPAA enforcers are investigating the breach in personal data privacy and security.
All of these incidents underscore a common theme: electronic documents and their file formats are not secure. This insecurity takes many forms: no restrictions on e-mailing or printing; exposed attributes, such as tracked changes or server names; revealed private data, such as identities or financial records; and conversion between PDF and Office formats, in which some attributes are kept and others are lost.
And the risks are escalating. Documents that are revised, e-mailed and posted are both numerous and growing. Gartner and IDC Research estimate that more than 1.8 trillion business documents and 2.4 trillion e-mails are created annually. Estimates from various sources say 25 percent to 35 percent of all e-mails contain document attachments, meaning 500 billion documents will leave organizational perimeters each year.
IT security has combated outside attacks for more than 10 years using antivirus software for PCs and networks and antispam and anti-spyware software for e-mail. Our security emphasis must now look inside-out. A recent projection by the Computer Security Institute and the FBI found that an insider attack against a large company would cause an average of $2.7 million in damages, compared with an average of $57,000 for an outsider attack.
The widespread distribution of documents via e-mail, Web sites and portals is an excellent medium for communicating and collaborating with audiences in public and private sectors. Organizations must come to realize that a file format doesn't remove risky information leaks. It only masks them. File formats lull users and IT professionals into a false sense of security and unfairly put individual reputations at risk. The only true way to stop this plague of document leaks is to govern with centralized policies that are transparent to people.
The only way to stop the document security leaks is to protect documents independent of file format. Modern security software exists today that does this by providing transparent, perimeter-level protection against inadvertent and malicious content exposures. Some of this software even alerts people before they make catastrophic mistakes, educating them about common practices that may lead to risky business.
The Pentagon leak put extreme strain on an already tenuous political situation as the U.S. continues to fight global sentiment in an attempt to hold together its military alliances. In addition, the U.S. and its taxpayers may see budget deficits escalate from both direct and indirect costs resulting from these kinds of leaks. And the White House leak may further delay "bipartisan" legislation at a time when the U.S. public ratings on the president and Congress are at historical lows.
Business documents are the lingua franca of commerce. Every day, sensitive information is leaked without our knowledge, and it is incumbent on us to act now or answer for the consequences later. Business leaders must realize that while they won't necessarily make the headlines each time a document leaks sensitive data, they could lose a key partner, customer or lawsuit, or worse, their public image.
Biography
Joe Fantuzzi is CEO of Workshare, which offers document integrity software for professionals.
By centralized policies, do you mean the software source code? As Lawrence Lessig suggested in "Code and other laws of cyberspace", software code can govern our lives and should be understood as a form of policy.
Maybe the problem is that people are using the popular but non-transparent Microsoft suite of tools which for business reasons try to obscure (or even claim exclusive rights like patents) on file format and software code details. If the tools were authored in an accountable and transparent way (such as Free/Libre and Open Source) and the file formats were vendor-neutral and transparent (such as Free/Libre and vendor neutral standards, such as the OASIS OpenDocument format), this would provide business users with the tools to eradicate the problem.
While OASIS has created a replacement for the editable office productivity suite formats (word processing, spreadsheets, presentations), there is a need for a vendor-neutral standard to replace Adobe PostScript/PDF that has the same level of accountability and transparency.
http://flora.ca
same problem that is the topic of the article.
The issues that led to the surreptitious release
of sensitive data are based on poorly thought-out
practice, and worse support of tools. First, if
you want to keep something truly secret, use
strong encryption. The DRM/access
control/password mechanisms of most document
formats do not count. Something like GPG with 4K
keys ought to be sufficient.
In the case of publication, the issue is that
common document formats are not WYSIWYG in the
sense that they are containers not only for data
you do see, but quite a bit more. How about
those PDFs that are redacted by drawing an
opaque rectangle over sensitive bits with a PDF
editor -- fine, but the same editor can remove
them. Why not have the release mechanism
rasterize the PDFs into bitmaps (removes all
metadata) then reformat them into PDF again? Why
not design the editor itself to "do the right
thing" (tm)?
This is no less true of Word or other formats.
Sure, using OASIS documents would permit you to
write a generic "scrubber" to automagically
remove hidden metadata and revisions, but then
you have a problem that scrubbing would need to
be proactive for lack of an automated scrubbing
mechanism (assuming the document formatter
doesn't scrub).
Where a "centralized" system might be useful is
if the components of a document are included by
reference rather than by content. In that
scenario, a document would present differently
based on the credentials of the viewer. One
person might get a document composed of fully
scrubbed text, while another might get the
editable document with revisions and metadata.
The centralization portion of the equation would
necessarily mean that anything that dealt with
documents would need to go through the central
service to store document data. Maybe it would
work, but no product does this in a transparent,
cohesive, cross-platform manner.
Now that I think about it, though, you may be
right. The only way something like that could
fly would be with a solid, flexible, readily
understood reference implementation. I suspect
that if it didn't at least start as an
open-source project, it's not likely a
commercial vendor would have sufficient
incentive to play nice to make such a thing
practical.
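The generic "scrubber" that the comment above says an open format would permit, sketched for an OpenDocument package as an added example (not part of the original comment or of any product named on this page). It removes the `text:tracked-changes` block and its in-body markers from `content.xml` and empties `office:meta` in `meta.xml`; `sample_odt` and everything in it are constructed for illustration.

```python
import io, zipfile
import xml.etree.ElementTree as ET

OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
TEXT = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
REVISIONS = {"{%s}%s" % (TEXT, n) for n in ("tracked-changes", "change", "change-start", "change-end")}
RULES = {"content.xml": lambda el, parent: el.tag in REVISIONS,  # history and its markers
         "meta.xml": lambda el, parent: parent.tag == "{%s}meta" % OFFICE}  # every field

def _strip(parent, drop):
    """Remove matching descendants; visible text after a removed marker is kept."""
    prev = None
    for child in list(parent):
        if not drop(child, parent):
            _strip(child, drop)
            prev = child
            continue
        if prev is None:
            parent.text = (parent.text or "") + (child.tail or "")
        else:
            prev.tail = (prev.tail or "") + (child.tail or "")
        parent.remove(child)

def scrub_odf(data):
    """Copy an ODF package, dropping tracked changes and every meta.xml field."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zin, zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():  # same order, so 'mimetype' stays first and stored
            body = zin.read(info)
            if info.filename in RULES:
                root = ET.fromstring(body)
                _strip(root, RULES[info.filename])
                body = ET.tostring(root, encoding="utf-8")
            zout.writestr(info, body)
    return out.getvalue()

def sample_odt():  # constructed, minimal sample: a tracked deletion and an author field
    ns = 'xmlns:o="%s" xmlns:t="%s" xmlns:dc="http://purl.org/dc/elements/1.1/"' % (OFFICE, TEXT)
    parts = {"mimetype": "application/vnd.oasis.opendocument.text", "content.xml":
             "<o:document-content %s><o:body><o:text><t:tracked-changes><t:changed-region "
             "t:id='c1'><t:deletion><t:p>secret source</t:p></t:deletion></t:changed-region>"
             "</t:tracked-changes><t:p>Public <t:change t:change-id='c1'/>statement.</t:p>"
             "</o:text></o:body></o:document-content>" % ns, "meta.xml":
             "<o:document-meta %s><o:meta><dc:creator>J. Editor</dc:creator></o:meta>"
             "</o:document-meta>" % ns}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

ElementTree renames namespace prefixes when it re-serialises the two parts; the output is still namespace-equivalent XML. Comments and other kinds of hidden content are outside what this sketch removes.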
Thanks for your insights and OASIS suggestion. At Workshare we offer centralized policy with distributed enforcement which gives selected users the ability to control how the policy is used. I invite you to download our Protect product at www.workshare.com and give me some feedback if you feel it is a good approach. We will look into OASIS in the meantime.
Thanks,
Joe Fantuzzi, CEO
joe.fantuzzi@workshare.com
because the software didn't cause the problems; people did.
No amount of document security software can make up for a lack
of knowledge on the part of the user about creating secure
documents, nor can it prevent a person from revealing information.
Most people agree with your point that security starts with educating people. Workshare has a piece of freeware called Trace! which provides alerts to document risks in an Always On fashion. I invite you to download it from our website (www.workshare.com), CNET or other sites and let me know what you think.
Thanks,
Joe Fantuzzi, CEO
joe.fantuzzi@workshare.com
You can completely redact content and clean-up meta data with relatively low-cost software. The key is making the people who create and release content aware of the nature of the process, not looking to centralized solutions in an increasingly distributed environment.
We totally agree that educating people first is one of the keys. Workshare delivers Trace!, freeware to do just that. Please download it for your own use if you like at www.workshare.com.
Workshare software can uniquely give distributed enforcement of centralized policies to selected users already informed. Our Protect product is set up for that with 100,000s of users today.
Thanks for your comments
Joe Fantuzzi
joe.fantuzzi@workshare.com
bs pdf it
by July 14, 2005 2:19 PM PDT
putting a word .doc file on the web is idiotic, even if you "secure" it. In reality there is no security, simply do a save as and you have an unsecured doc or save as html and you now have the password. Just pdf it and add security.
bs pdf it?
by July 17, 2005 10:11 AM PDT
Adolfo,
I know most people believe pdf with security is secure. The Pentagon now knows it is not, as they saw their blacklined PDF file reveal classified names and tactics, and Italy just said it is pulling troops out of Iraq. There are real solutions beyond simple PDF available today.
Regards,
Joe Fantuzzi, CEO
joe.fantuzzi@workshare.com