Document security has always been important, but in our increasingly “connected” world the risk of unauthorised people accessing your documents is on the rise.
So how could an unauthorised person (an attacker) access your private documents?
If the documents are not encrypted, by circumventing “access controls”.
So, what do I mean by “access controls”?
Let’s consider some examples:
- When you log on to your computer, you need to provide a password. That is an “access control”. Without the password you can’t log on to your computer and you can’t access the documents on your computer.
So how could an attacker who doesn’t know your password potentially gain access to your documents?
There are in fact several ways that access controls can be bypassed:
- If your computer is part of a Windows domain, the attacker could log on with another domain account. If the documents are stored locally and that other domain account has local administrative rights, that would likely provide them with immediate access.
- If the attacker has physical access to your computer there are a number of specialised “tools” (many freely available on the Internet) that can be used to boot your computer and access the computer’s file system directly. Using such a tool, the attacker could make a copy of your documents, and there would be no record of this activity.
- If you have a backup of your computer, that backup is stored locally or in the Cloud (e.g. Dropbox, OneDrive etc.), and the backup is not encrypted, then the contents of the backup are likely to be accessible to the attacker.
- If your documents are stored on a network drive, then depending on the security permissions assigned, your documents may be accessible to other users. For instance, in a Windows environment, it is difficult to prevent Administrators from being able to access folders or individual documents. Without going into extensive detail, while permissions can be set to block Administrators’ access, there are workarounds. For instance, if an admin user takes ownership of a folder, they can change the permissions so that they have access. While there will be an audit trail of the change of ownership, that won’t prevent the documents from being accessible once the permissions have been changed.
- Administrators may also have access to backups. When restoring backups, there is often an option to obtain full access to all files. This is another way that access controls could be bypassed undetected.
- Another potential avenue of attack is Cloud services (e.g. Dropbox, OneDrive, Google Drive etc.). You really can’t be certain who might have access to your files on these external services or where the files are being stored.
So, what is the answer?
Encryption!
If you encrypt your documents securely, then the contents of your documents remain private even if the attacker manages to obtain a copy of your documents.
In all the scenarios where I outlined how access controls can be circumvented, if your documents are encrypted, then the bypass doesn’t matter. Although the attacker may have a copy of your documents, for as long as your documents remain encrypted, they remain private.
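One way to check which documents in a folder, network share or restored backup are still stored unencrypted, as an added example (not part of the original article or of the products mentioned below). It assumes Office Open XML and PDF files and relies on file-header heuristics; the function names and the sample files are constructed for illustration.

```python
import os
import tempfile
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file header
ZIP_MAGIC = b"PK\x03\x04"                      # plain ZIP / OOXML header
OOXML_EXT = {".docx", ".xlsx", ".pptx"}

def classify(path):
    """Return 'encrypted', 'plaintext' or 'unknown' for one document."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    if ext in OOXML_EXT:
        # A password-encrypted OOXML file is wrapped in an OLE container;
        # an unprotected one is an ordinary ZIP archive.
        if data.startswith(OLE_MAGIC):
            return "encrypted"
        if data.startswith(ZIP_MAGIC):
            return "plaintext"
        return "unknown"
    if ext == ".pdf" and data.startswith(b"%PDF-"):
        # Heuristic: encrypted PDFs carry an /Encrypt entry in the trailer.
        return "encrypted" if b"/Encrypt" in data else "plaintext"
    return "unknown"

def audit(root):
    """Walk a folder (share, backup copy) and map each file to its status."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            report[os.path.relpath(full, root)] = classify(full)
    return report

def build_sample_tree():
    """Constructed sample input: three tiny stand-in documents."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "budget.xlsx"), "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
    with open(os.path.join(root, "contract.docx"), "wb") as fh:
        fh.write(OLE_MAGIC + b"\x00" * 504)   # header only, not a real file
    with open(os.path.join(root, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.7\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return root

if __name__ == "__main__":
    for rel, status in sorted(audit(build_sample_tree()).items()):
        print(f"{status:10} {rel}")
```

Files reported as `plaintext` are the ones whose contents are readable by anyone who obtains a copy, whatever permissions were set on the original location.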
Depending on your organisation’s specific requirements, we have two encryption products available.
If you would like to implement encryption or if you have further questions, please don’t hesitate to contact us.