
How to Protect Confidential Documents

Sensitive and confidential information is a natural part of doing business. Whether it’s contracts in progress, pre-release statements, or preliminary patents, nearly every organization has them. However, as targeted phishing and purposeful leaks become more common, many are left to wonder whether they’re adequately protecting them.

Thankfully, there are many solutions that protect against the theft of confidential documents, but they have varying effectiveness. We’re going to look at some of the most popular methods and the type of situations they’re best utilized in. Let’s start with one of the most marketed: Access control solutions.

Access Control Solutions

Access control systems like Microsoft’s Active Directory are very popular. Part of the Windows Server operating system, Active Directory is a set of databases and services that connect users with the resources they need and deny access to the ones they don’t. Though documents aren’t encrypted by default, they can be when working with Active Directory Rights Management Services (AD RMS). This protection is limited to the internal network, however, and does not help with secure document sharing with third parties. It’s also limited to Windows devices, which can be a deal-breaker for many companies.

Enterprise and Cloud-based rights management

A cloud-based Azure Active Directory exists with useful tools like conditional access, but it comes with its own issues. It requires the setup of document classification and policies, which can be time-consuming and expensive initially and require someone with experience to set them up. It’s also of limited use to those not already deeply invested in the Microsoft ecosystem. For example, it typically applies only to documents generated by Windows applications.

However, if you’re already invested in the cloud and Microsoft 365, Azure AD can be a good choice. You don’t have to configure additional servers, and it can support mobile devices and track and revoke documents. Though it isn’t really designed for sharing documents with third parties, external users aren’t too difficult to add to the system if they have a Microsoft account.

Data Leakage Protection (DLP) solutions

One of the most popular ways to protect sensitive data is a DLP solution. In fact, Gartner estimates that in 2021, 90% of organizations have at least one form of integrated DLP.

If you’re unfamiliar, DLP solutions are typically a set of technologies designed to identify and restrict the sharing of sensitive documents and data. They inspect data that’s sent via email, instant messaging or cloud storage systems and execute a response based on a set of admin-defined rules. A DLP solution may, for example, stop a user from copying files to a USB or ensure sensitive documents require decryption by an authorized user. You can think of it as an encrypted, extended version of traditional access control systems.

Generally, DLP systems are quite effective. The caveat, however, is that they don’t properly account for the fact that many companies need to share sensitive documents and information with those outside of their network. Usually, DLP systems encrypt documents that move outside the network and can’t be decrypted due to the way the key management system works. As a result, it’s difficult to implement productively both for authorized third-party sharing and work from home/BYOD scenarios.

It can also require a lot of resources to maintain DLP rules and sensitive file lists, with automatic, keyword-based classification of sensitive documents being easy to bypass in some cases. DLP systems can also struggle to deal with SaaS file sharing, require sometimes unstable plugins to work with specific applications, carry a large management overhead, and are costly in the short and long term.

Digital Rights Management (DRM) Solutions

The final choice is a DRM-based enterprise rights management solution. The best DRM providers will provide simple software that lets you apply permissions and controls to documents for internal and external use. They typically require very little setup or ongoing maintenance, and the cost is reasonable compared to DLP or cloud-based management.

With enterprise-level document DRM, you can apply controls that restrict printing, screenshotting, copying, editing, and sharing and cause documents to expire after a certain date, number of views, or prints. It also lets you restrict opening to certain locations or devices. On top of this, encryption and key-based licensing systems let admins make documents accessible only to the users they define.

Online management portals allow for tracking and access revocation at any time, even if the document is being shared with someone outside of your organization.
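To make the DRM controls described above concrete, here is an added example (not taken from any vendor's product) of the decision a licensing service makes before releasing a document key: it checks revocation, user, device binding, expiry date, and view/print limits. The `License` fields and the `authorize` function are hypothetical names, and the sample licence is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class License:
    """Constructed licence record; field names are illustrative, not a vendor schema."""
    user: str
    allowed_devices: frozenset
    expires_at: Optional[datetime] = None   # None = no expiry date
    max_views: Optional[int] = None         # None = unlimited
    max_prints: Optional[int] = 0           # 0 = printing denied
    views: int = 0
    prints: int = 0
    revoked: bool = False                   # set from the management portal

def authorize(lic, user, device_id, action, now):
    """Return (allowed, reason). Deny unless every control passes."""
    if action not in ("view", "print"):
        return False, "unknown action"
    if lic.revoked:
        return False, "revoked"
    if user != lic.user:
        return False, "user not licensed"
    if device_id not in lic.allowed_devices:
        return False, "device not authorized"
    if lic.expires_at is not None and now >= lic.expires_at:
        return False, "expired"
    limit = lic.max_views if action == "view" else lic.max_prints
    used = lic.views if action == "view" else lic.prints
    if limit is not None and used >= limit:
        return False, f"{action} limit reached"
    # Count the use only after all checks have passed.
    if action == "view":
        lic.views += 1
    else:
        lic.prints += 1
    return True, "ok"

def demo():
    """Walk one constructed licence through allowed and denied requests."""
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)
    lic = License("alice@example.com", frozenset({"laptop-01"}),
                  expires_at=datetime(2024, 2, 1, tzinfo=timezone.utc), max_views=2)
    steps = [("view", "laptop-01"), ("print", "laptop-01"), ("view", "phone-07"),
             ("view", "laptop-01"), ("view", "laptop-01")]
    out = [authorize(lic, lic.user, dev, act, now)[1] for act, dev in steps]
    lic.revoked = True
    out.append(authorize(lic, lic.user, "laptop-01", "view", now)[1])
    return out
```

Because the usage counters and the revocation flag live with the licence rather than with the file, a copy of the document forwarded outside the organization is subject to the same checks.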

What’s the best choice for confidential document protection?

There is no “best” choice for confidential document protection, but there are some that stand out as being a little outdated. Access Control and DLP solutions are two of them, but they can still be useful if you have quite a traditional office setup.

For the large modern office, cloud-based/enterprise management solutions tend to be a better choice. If you’re already heavily invested in the Microsoft ecosystem and work almost entirely on Windows devices, Azure AD makes sense. For enterprises with a wider range of devices or limited budget or for smaller organizations, DRM protection may be a better choice, as it offers a wide range of controls without the need for complex setup and extensive training. 


Ultimately, with the rise in cyberattacks and leaks, a company that doesn’t have document protection in place is playing with fire. Choosing the right solution will require a lot of consideration, but the time investment is worth it when compared with the damages that a data leak will bring.