How important is your data to you?
How do you protect the privacy of data and information held in your documents? How do you put a price on something like that?
Security is a key focus for every group in Microsoft. It always was important but even more so since Bill launched the trustworthy computing initiative four years ago. Here’s an overview of the progress on that from Scott Charney, the VP for trustworthy computing.
All of us need to understand the key principles of security from everyday users of PCs (see the getsafeonline campaign which Microsoft was a key partner with government) and as IT professionals, we need to understand how this applies to our area of expertise. I think we as the IT experts should see it as part of our community service to help people understand security issues and stay safe.
For Office, we need to be clear about what is a security feature and what is a collaboration feature.
Excel for example offers the ability to “protect a worksheet” which is an example of a collaboration feature rather than a security feature. As the kb says:
Warning This method is not the most effective method to help protect the whole document because Excel does not use encryption when you protect only select elements.
What this feature does is protect the structure of your worksheet or workbook by requiring a password to edit worksheets or the whole xls. This works well if you want to stop users from breaking your spreadsheet. You’re going to start wondering if I’m obsessed by the world cup, but this world cup fixtures xls is a great example of someone using this for the right purpose.
What this isn’t doing though, is actually encrypting the data so if you take the document out of Microsoft applications, there is every chance somebody with a mind to do so will be able to read the data. For example OpenOffice does not implement this feature for exporting to xls. For once, I have no bone to pick with them there though, its up to them to decide what features they put in their product and if they choose to spend their time cloning other Office features thats their perogative 😉
It’s also to be expected going forward, that they will implement different features for ODF than for xls – we will use OpenXML in ways that the 97-2003 formats cannot support. Perhaps a closer analogy is our support for PDF – we export to it but it is not as rich as our investments in XPS which is also on the file-save as option now. I think its a pity when otherwise good journalists try to find a controvercial “angle” on an issue like this instead of focussing on helping to educate people about how to stay secure but I’ll get off my soap box now..
OK so what if you want to encrypt the data? This is easier than you might think and you don’t need to be some sort of special agent tech ops guy to do it. Just go to tools, options, security tab and you’ll see all the various encryption methods available to you. Office has very strong encryption available which will protect your data. OpenOffice for example does not have a way of opening such files at all (even with the password). Well that’s great I hear you say, but what if I lose the password? Yeah well you are, as they say, hosed.
Enter Information Rights Management. Actually it entered a while back in 2003 with the last release of the Office system. IRM is a smarter way to do document encryption because it allows you to apply a policy to the document. That means you can permission individuals, groups or roles with different levels of access. The good thing about that of course, is that if you don’t have to remember a password for that document because your credentials are checked using your windows authentication. This security goes wherever the document goes too. IRM lets you stop people printing or forwarding the document or email too. Again, if you do have rights to view a file and are absolutely committed to leaking the information unscupulously then technology cannot prevent that – you may not be able to print it or forward it by you can still put your monitor on top of the photocopier! or just verbally tell someone. What IRM stops though is inadvertent leaking of sensitive information from your company and that is very hard to put a value on in most businesses.
With 2007 we make it very easy to apply policies, just like workflows, to document libraries and to content types which means that documents created there or documents based on a published content type can have IRM policies applied automatically. This is a way that we can create privacy and security by default. It is designed into the system so just by using it, you are working in a secure way. I like this because it’s better than simply throwing a big rule book at people and expecting them to remember to apply it – the system is secure by design.