IT departments put a great deal of effort into securing corporate documentation on file servers and document management systems. They define roles, assign permissions to those roles, break permission inheritance on directories, update role membership, and so on. This work is also audited periodically, with regular, comprehensive checks of the access given to that information. They know that the information stored there is critical and that the time spent securing it and checking that no doors have been left open is a worthwhile investment.
Nevertheless, while we can store information safely in our corporate storage systems, in the end the information will move beyond these systems to wherever people need to use it. And this happens every day. The moment a corporate user opens one of those documents with Office, inside or outside the corporate network, the file is moved to the user’s device with all its information but without the security layer that protected it from forbidden access on the file server or document management system. The document has now left the folder that kept it secure and well protected and is stored in an environment without the right protection.
Sometimes IT departments have no choice but to rely on people’s goodwill, and generally they are not wrong to do so. Users are not going to make copies of the documents and send them to people who should not have them. Nonetheless, even if we decide to trust people’s goodwill, we shouldn’t forget that we and they are human, so it is too much to ask them to behave like machines and automatically remove the files that were downloaded unprotected to their computers once they have finished working with them. We can also rely on the mechanisms offered by SharePoint, Box Edit, folders shared over SMB, etc. to make sure the files disappear from the local computer once editing of the document has finished. These programs usually keep a local copy of the file in a hidden folder within the personal folders and remove it once the document has been closed.
But can we relax? The risk that IT departments and corporations should accept depends on the value given to this information. Somebody can mistakenly send those files on the computer to the wrong person; a program crash (Office, etc.) or a network connection outage can leave unprotected copies of confidential files on users’ computers. These copies stay there forever and the user is not aware of them. These programs do their work in the background, so the information remains stored there forever without anyone noticing. Can we be sure that nobody is accessing those folders and getting these unprotected documents? And if this happens, can we still relax?
Two examples of data loss that can happen without users noticing:
- Documents stored in Outlook temp folders: Let’s say you open an attached document which contains sensitive information. While you are reading the document, Outlook unexpectedly closes. The attachment will be stored in the Outlook Temp folder forever. Now imagine this computer is stolen or lost… all your documents are just there, unprotected. Don’t you believe me? Just go and look. If you’ve been using your computer for some time, I bet you will find a good number of files stored there.
- Auto-save in MS-Office: You are editing a document with the auto-save feature of Office enabled (it is enabled by default), which stores temporary copies of your document in a hidden temporary folder. Now MS-Office unexpectedly closes. You can recover your work, but if you are not careful the temp copy will be stored there forever, unprotected. Again, take a look and you will probably be surprised by the documents you have stored there unprotected.
Keeping a hospital operating room completely clean is hard work, but the risk of not doing so is huge. The effort of adding security mechanisms in some places must be balanced against the value of what we want to protect. If we cannot relax, and we are worried about sensitive information remaining unprotected in unexpected places, we must turn to encryption or data protection solutions. But a note regarding typical file encryption solutions: they “transparently” let you open the document and edit it unencrypted, and when it is closed it is saved encrypted to disk again. With the auto-save and Outlook temp folder issues, we will have the same problems described above. In effect, the auto-save feature bypasses the encryption, since we are editing an already unencrypted file: if MS-Office closes unexpectedly, unencrypted copies of the documents will be stored in the auto-save temp folders, and we are not aware of that!
Some companies have spent a lot of money on file and folder encryption solutions and are now discovering that these “hidden” doors are leaving critical information exposed on users’ computers. These problems do not happen with information rights management solutions, where documents are encrypted with a protection “shell” that travels with them and protects them in transit, at rest and while in use. Users will be able to read or modify the document, but it will not be unencrypted even while it is in use.
So when a document is protected by protection and control solutions of this kind, such as SealPath, you can be sure that your files will travel protected, keeping the protection that you applied on the file server or document management system. If the document falls into the wrong hands, they won’t be able to open it. If there are copies stored in temporary folders, you can be sure that each copy will carry the permissions assigned to it. We are human; we can lose documents or leave them in unexpected places, but with SealPath you will know that the ownership of and access to your documentation will always be under your control.
Take a look at the following folders and check if there are “hidden” files there:
Outlook temp folders in Windows Vista, 7, 8:
Outlook 2007, 2010, 2013:
C:\users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook
Outlook 2003:
C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\OLKFoldername
Outlook temp folders in Windows XP:
Outlook 2007, 2010, 2013:
C:\Documents and Settings\<username>\Local Settings\Temporary Files\Content.Outlook
Outlook 2003:
C:\Documents and Settings\<username>\Local Settings\Temporary Internet\OLKfoldername
Autosave folder:
You can see the location in Office 2007, 2010, 2013 at File > Options > Save > AutoRecover file location. In Office 2003 it is defined at Tools > Options > File Location > File Types box, AutoRecover Files. The default path is typically:
Autosave folder in Windows Vista, 7, 8:
C:\Users\<username>\AppData\Roaming\Microsoft\Word\
C:\Users\<username>\AppData\Roaming\Microsoft\Excel\
C:\Users\<username>\AppData\Roaming\Microsoft\Powerpoint\
Autosave folder in Windows XP:
C:\Documents and Settings\<username>\Application Data\Microsoft\Word (or Excel, or PowerPoint).
Temporary folders of Box to edit documents with Box Edit:
C:\users\<username>\AppData\Roaming\Box Edit\Documents
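To check all of these locations in one pass on your own profile, the following PowerShell script (an added example, not part of the original article or of any SealPath product) lists the files left behind in the Windows Vista/7/8 default folders named above. The one-day age threshold and the function name Get-LeftoverFile are assumptions made for this example; if you changed the AutoRecover location in Office, adjust the paths accordingly.

```powershell
# Added example: report files lingering in the temp locations listed in this article.
# Paths are the Vista/7/8 defaults from the article, resolved for the current user
# through %LOCALAPPDATA% (AppData\Local) and %APPDATA% (AppData\Roaming).
$MinAgeDays = 1   # assumption: a file older than one day is a leftover, not work in progress

$Locations = [ordered]@{
    'Outlook temp'   = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files\Content.Outlook'
    'Word autosave'  = Join-Path $env:APPDATA 'Microsoft\Word'
    'Excel autosave' = Join-Path $env:APPDATA 'Microsoft\Excel'
    'PowerPoint autosave' = Join-Path $env:APPDATA 'Microsoft\Powerpoint'
    'Box Edit'       = Join-Path $env:APPDATA 'Box Edit\Documents'
}

function Get-LeftoverFile {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Label,
        [Parameter(Mandatory)] [string] $Path,
        [int] $MinAgeDays = 1
    )
    # A missing folder just means that application was never used on this profile.
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $cutoff = (Get-Date).AddDays(-$MinAgeDays)
    # -Force includes hidden and system items; Content.Outlook keeps its files
    # in randomly named subfolders, hence -Recurse.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        Select-Object @{ n = 'Location'; e = { $Label } }, FullName, Length, LastWriteTime
}

$found = @(foreach ($entry in $Locations.GetEnumerator()) {
    Get-LeftoverFile -Label $entry.Key -Path $entry.Value -MinAgeDays $MinAgeDays
})

# Summary per location: how many files, how much data, and how long the oldest has sat there.
$found | Group-Object Location | ForEach-Object {
    [pscustomobject]@{
        Location = $_.Name
        Files    = $_.Count
        TotalKB  = [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1KB, 1)
        Oldest   = ($_.Group | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    }
} | Format-Table -AutoSize

# Full listing, oldest first, so long-forgotten copies appear at the top.
$found | Sort-Object LastWriteTime |
    Format-Table Location, LastWriteTime, Length, FullName -AutoSize
```

The Office folders under AppData\Roaming also hold files that are not AutoRecover copies, so review the listing before deleting anything.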