The demand for cloud-based virtual data rooms has been growing steadily over the past few years.
In 2019, the virtual data room market was valued at almost $1.5 billion, with that number expected to grow by 14% each year until 2027.
Amidst this growth, there has been a rise in so-called “secure data room” solutions. On the surface, they’re a perfect storm – an ideal solution for secure, confidential document exchange with third parties that forgoes complex infrastructural and access control setup.
The reality, however, is that your secure data room may not provide your documents with as much protection as you expect.
While secure data room providers talk up their advanced firewalls and server security, the document protection itself is often flawed.
There are many routes an attacker can take to gain access to documents or that employees can take to share them with others.
Browsers Are Inherently Insecure
The first factor to consider is that virtual data rooms are usually hosted in the cloud, on third-party servers.
Though cloud adoption is becoming incredibly popular, it’s not always the best choice for storing your most confidential documents.
As soon as you your documents to a remote server, you’re unable to personally their security and lose visibility over temporary files and other metadata that may be left behind.
Typically, documents are decrypted on the server and delivered to the client in plain text, which creates a wealth of temporary files on the server unprotected.
Temporary files are also stored in the browser, where attackers may be able to extract them in plain text.
In fact, the browser environment, in general, is not conducive to security. Secure data rooms primarily use JavaScript to enforce document restrictions or DRM controls, which are unable to prevent printing to a PDF or screenshotting.
But these JavaScript controls aren’t just limited – they can be modified and byed. As JavaScript is executed in the browser, s can install plugins or inject code to by restrictions. This allows them to share or modify your documents in ways you didn’t intend.
-Based s Are Easily Shared
Credentials are also a major issue when it comes to document protection. Documents in secure data rooms are locked behind a simple name and systems.
We all know that these credentials can easily be shared, phished, or gathered via spyware. As you don’t have access to your client’s PC, you cannot that the environment where they’re entering their credentials is secure.
Adding to this problem is the fact that most systems don’t even prevent the same from logging in with the same credentials at the same time.
ittedly, some data rooms mitigate these risks with two-factor authentication systems, which require s to their via an app on their phone, email code, or SMS message.
This does help unintentional credential leaks but doesn’t stop intentional sharing. 2FA can also be frustrating to the end-, leading to timed cookie systems that only require s to authenticate every so often.
These cookies can be modified trivially or restored with a simple browser plugin.
Systems like Google or Microsoft Authenticator, meanwhile, allow s to backup/transfer their 2FA codes and recovery keys to other devices.
In some instances, s also store recovery codes in plain text in their cloud storage or notes app.
The Bottom Line
Virtual data rooms are only as secure as the credentials that protect them and the server’s documents are hosted on.
Further, though they’ll be billed as a safe way to share documents with outside parties, they’re wholly ineffective against preventing screenshotting, PDF printing, and in some cases permission bying.
Though many have tracking and monitoring systems, these too are unsuccessful, as they only show which credentials or IP shared a document – not whether they’re genuine.
On top of this, the cost of these solutions can spiral rapidly, with customers often tied into monthly, fixed-term contracts.
The lack of perpetual licenses and the inability to self-host further reduces flexibility and increases costs in the long term.
To fully protect their documents, then, businesses need to look elsewhere. Document DRM or PDF DRM solutions address many of the failings of secure data rooms, allowing for on-premises hosting, advanced permission controls, anti-screenshot technology, offline viewing, and the ability to lock documents to devices and locations.
While they aren’t always cheap, pricing is often more generous and flexible, and self-hosting is usually an option for complete internal control.
They are the only effective way for secure document sharing with third parties, preventing document leakage, and protecting corporate transactions.
