Enterprise Protection Method - EPM
The challenge - Document encryption for 50.000 users.
New regulations, new privacy laws and general awareness have increased the interest in information security. At the same time, modern organizations are challenged with enormous amounts of data created by their information workers. Tools like the Microsoft SharePoint® document management system help information workers to organize and access data and are today being evaluated or implemented by many organizations.
This year we learned about an information security challenge that concerned the IT Security Manager for a large consulting firm. They had over 5.000 users and every user created on average about 40 documents per year, which added up to over 200.000 documents each year. Microsoft’s SharePoint document management system was being set up to handle document collaboration. The security challenge was the need to encrypt 4 - 5 % of the 200.000 documents - approximately 5.000 documents - and each document would have different user access rights.
Cryptzone’s solution to the problem is Secured eCollaboration, which can be set to use our patented key encryption method called Enterprise Protection Method (EPM). Using EPM together with Secured eCollaboration, the end user can simply choose to secure any document, whether the document is on their desktop, on a network drive or located on Microsoft SharePoint. When the end user chooses to secure a document, an "access rights wizard" will start up and the user will be allowed to give access rights to other users and/or groups. The security concept is that, from the point of encryption, a document’s access rights are limited to the user that created the document - the document creator. The document creator will then be able to add access rights to other users and groups within the company’s Active Directory® so they can access the document. Additional policies can be set up to allow for creation of custom passwords for receivers of secured documents that are outside the Active Directory®.
So why does the document not simply inherit the access rights? The reasons are many, and include that many laws and regulations state that documents containing sensitive information should be limited to as few individuals as possible. By making the end user add access rights to each document created, our technology makes sure that access was not granted by accident: there was an active effort to give additional access to other users, which limits any unnecessary access rights. Another reason is that Cryptzone Document Security utilizes granular encryption concepts, which means the security moves with the document, even if sent outside the domain borders. The file is encrypted, wherever it is. Furthermore, Cryptzone Document Security concepts focus on end-point encryption, which rules out the option where the SharePoint server is to host sensitive data, or handle the encryption process. The concern is that any data on a SharePoint server can easily be accessed at the server level, which would allow unauthorized access to sensitive data by administrators.
We know that the workflow and lifecycle of documents can be very complicated by their very nature and that they need to be supported from a security perspective. Even though many organizations have excellent collaboration tools, end users tend to store documents in many locations. They store documents at collaboration sites, on USB flash drives, in the "My Documents" folder and on network drives, and additionally they send documents via email to their colleagues. Each document can be stored simultaneously in many environments and stored as different versions. While it’s nearly impossible to block a user from making copies of a document, it is possible to limit accessibility to all clones of a document if the key needed for decryption is centrally stored. When Cryptzone’s EPM is used with a specific setup, it is possible to block access to all copies of a document just by changing access rights to one of them.
Example: John secures a document on his laptop and adds access rights for the groups Marketing, HR and for the user Tom. John emails the secured document to Tom. John removes the access rights for the HR group. Neither the original document nor the copy which Tom has on his computer will be able to be opened by the HR group.
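The John/Tom scenario above can be modelled in a few lines. The following is an added illustration, not Cryptzone's code or the EPM implementation: the `KeyServer` class, the user names `mia` and `hana`, and the toy cipher are all assumptions made for the sketch.

```python
import hashlib
import secrets

class KeyServer:
    """Hypothetical central key store: one key and one access list per document."""
    def __init__(self, groups):
        self.groups = groups   # group -> members (stand-in for Active Directory)
        self.docs = {}         # doc_id -> {"key", "owner", "acl"}
    def register(self, owner, acl):
        doc_id = secrets.token_hex(8)
        self.docs[doc_id] = {"key": secrets.token_bytes(32), "owner": owner, "acl": set(acl)}
        return doc_id, self.docs[doc_id]["key"]
    def revoke(self, requester, doc_id, principal):
        doc = self.docs[doc_id]
        if requester != doc["owner"]:
            raise PermissionError("only the document creator may change access rights")
        doc["acl"].discard(principal)
    def release_key(self, user, doc_id):
        doc = self.docs[doc_id]
        via_group = any(user in self.groups.get(p, ()) for p in doc["acl"])
        if user != doc["owner"] and user not in doc["acl"] and not via_group:
            raise PermissionError(f"{user} has no access rights to {doc_id}")
        return doc["key"]

def toy_cipher(key, data):
    """SHA-256 counter keystream XOR: a toy stand-in for a real authenticated cipher."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(b ^ k for b, k in zip(data, stream))

def open_doc(server, user, blob):
    # Every copy carries only the doc_id; the key is fetched at open time.
    return toy_cipher(server.release_key(user, blob["doc_id"]), blob["ciphertext"])

def scenario():
    server = KeyServer({"Marketing": {"mia"}, "HR": {"hana"}})  # constructed users
    doc_id, key = server.register("john", ["Marketing", "HR", "tom"])
    original = {"doc_id": doc_id, "ciphertext": toy_cipher(key, b"constructed sample text")}
    toms_copy = dict(original)                    # the emailed copy
    before = open_doc(server, "hana", toms_copy)  # HR member can open before the change
    server.revoke("john", doc_id, "HR")
    after = {}
    for name, blob in (("original", original), ("copy", toms_copy)):
        try:
            open_doc(server, "hana", blob)
            after[name] = "opened"
        except PermissionError:
            after[name] = "denied"
    return before, after, open_doc(server, "tom", toms_copy)
```

In this model, revocation only stops future key releases: a client that cached the key or saved the plaintext before the change keeps what it already has, and every open requires reaching the key server.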
While the EPM concept alone is a powerful content protection method, we have also added additional features to make it fit different types of organizations with different needs. Every document can have different access role levels, where some users can only read the document while others can read, edit and change access rights. It is also possible for the IT administrator, using the SEP Management Console, to predefine users and groups so that they have access to documents, as well as to limit who the end users can share secured documents with.
With the EPM concept it’s possible for organizations to collaborate securely between end users. Also, the EPM feature provides comfort to IT administrators so that they don’t need to worry about encryption keys and complicated technical solutions. With EPM, an end user can secure a document and share it with their colleagues. The user’s colleagues can simply locate the document and double-click, and if they have access rights the document will open up automatically. Life and work should be simple. That is how we are successful.
