Join 3,433 readers in helping fund MetaFilter (Hide)


Transparent DRM
April 17, 2012 10:33 AM   Subscribe

I'd like to make certain documents at work (mostly PDFs) only openable to logged-in domain members based on group membership. Watermarking with account credentials would be a plus.

I'm looking for the cheapest option that will prevent accidental leakage of some docs (e.g. Reply-All bombs), PDFs for the most part. I know we could accomplish this with PDF passwords, but they will be a pain to maintain in the long run. Ideally this would be integrated with Active Directory so group membership would determine accessibility. Commercial options from a brief google are LockLizard, FileOpen, and a few other plugin vendors, many of which are overbuilt for DRM ebook distribution, not a SMB situation. We've got a mixed WinXP/7 domain with 2008 DCs. Watermarking with accountname etc. is a nice-to-have. Is there anything built into Adobe or Windows that will do this? This only has to work at a single site.

Please no lectures on how DRM doesn't work. I know it's impossible to fully control documents. We're only trying to deter casual/accidental leakage.
posted by benzenedream to Computers & Internet (8 answers total) 1 user marked this as a favorite
 
There's nothing I know of that's built-in to Windows or Adobe. Generally for the features you are looking for, you should be shopping for Enterprise-class IRM (Integrated Rights Management). I understand there are some configurations of or third party integrations into SharePoint 2010 that do this, but they're not gonna be cheap.
posted by kalessin at 10:58 AM on April 17, 2012


Since the users are logged in, can't you just share PDFs as links to shares (which you can easily set permissions on) instead of attaching files?
posted by wongcorgi at 11:05 AM on April 17, 2012


Or link to a internal web site that checks for appropriate permissions using NTLM and displays the PDF in browser window?
posted by wongcorgi at 11:06 AM on April 17, 2012


I'd hide the PDFs on a server and allow access through a web viewer that checks permissions.

If you use a web viewer that rasterizes on the host, you're never shipping the actual PDF to the clients. Memail me and I can offer you some options (and I'd rather avoid pimping my company).
posted by plinth at 11:46 AM on April 17, 2012


This is kinda what SharePoint is for.

Disclaimer: This should not be read as a recommendation for deploying SharePoint.
posted by odinsdream at 12:18 PM on April 17, 2012


I should note that I support SharePoint as my primary paid job, and I don't always recommend it (like most Enterprise-class products in IT, it's costly and takes a lot of effort to implement and support it well). There are also competitors in similar price ranges and with similar feature sets in the Document Management and Integrated Rights Management spaces. You can Google to find all the competitors.

The basic complexity of what you're asking about is that there needs to be a server that keeps track of:
- Who your authorized users are
- What they're allowed to view, resend, edit, etc

Your document viewing/editing/sending software needs to be aware of that server and check with the server before allowing those actions, prompting users for their credentials, sending those somehow to the server for processing, and responding appropriately to different kinds of authentications, authentication failures and permissions sets.

And to make it even more complicated, you are likely to need these services to be cached locally for network-disconnected clients (like iPads, for instance, that don't currently have a WiFi connection, or laptops in the same situation), and also probably need to be accessible from outside of your corporate network (so, e.g. sales people can access prepared quotes when logged into the Internet via a client's network). So this is a mix of securing extranet servers and providing limited VPN functionality to the rights server.

These are pretty complicated questions in the IT space. So folks buy big iron and expensive Enterprise software to get most of it done and tend to focus on the more complex and more individual challenges like how to design the network so that workers in the field can get access to documents for viewing or even re-sending without having to contact an overworked IT guy to get it done.

And this even leaves aside the likelihood that a field sales person may want to change the permissions on the fly or create an account for a customer or partner so they can see the same info at will. that's another order of complexity to add to the whole system.
posted by kalessin at 12:41 PM on April 17, 2012


And to make it even more complicated, you are likely to need these services to be cached locally for network-disconnected clients

As I noted, this is for a single site. Remote viewing isn't required (no field people). Unlocking on the fly is not required, a single admin user with unlock rights is ok.

Since the users are logged in, can't you just share PDFs as links to shares

Yes, but this doesn't prevent saving to other locations, which is what the encryption would be for.

This is kinda what SharePoint is for.

I know Sharepoint will do the tracking, ACL, and logging bit out of the box. Sharepoint IRM seems to be dependent on MS Right Management Service (RMS) and Client Access Licenses (CALs) which doesn't look cheap, and would require a PDF RMS wrapper.

If you use a web viewer that rasterizes on the host, you're never shipping the actual PDF to the clients.

These may be rather voluminous docs that are semi-randomly accessed, so slow page rendering when scrolling would be moderately painful. I've used hosted solutions before with rendering that caused grumbling when dealing with 1000 page docs, but that could just have been a bad implementation.
posted by benzenedream at 1:56 PM on April 17, 2012


You have Active Directory, and the files will be accessed by people who are logging in with appropriate domain credentials?

How about this. If you have a NAS box, create appropriately named folders on it, and in the security settings, only the appropriate AD group gets any access (whether that's modify rights or just read & execute).

For example

\\server\share\folder 1
The folder 1 group within AD gets modify rights, nobody else (except for domain admins, of course) gets any access.

Repeat as necessary:
\\server\share\folder 2
\\server\share\folder 3
etc...
posted by AMSBoethius at 3:12 PM on April 17, 2012


« Older Where can I find a black crino...   |  How do you negotiate buying fu... Newer »
This thread is closed to new comments.