Rupert Eghardt asked:

Need a document management system with document encryption, audit logs and document tracking

Hi Guys,

We have a Windows 2012 file server with a document directory structure which includes security groups and user permissions on the domain.

We have a requirement for higher security, documents to be encrypted and a record of all files being opened, copied, printed, etc.

I guess a document management system is the ideal solution, but to what extent can a document be monitored once it is saved outside the document management system, such as on the users' desktop?

Any recommendations?
ASKER CERTIFIED SOLUTION
Madison Perkins

This solution is only available to members.

slightwv (Netminder)

>>documents to be encrypted

This can mean several things.  Encryption at rest can be done with BitLocker with the Windows you already have.  Encryption in transit through IPsec on Windows.

You should also be able to enable auditing with Windows that will cover a lot of what you need.

So, Windows might be what you need?

>>but to what extent can a document be monitored once it is saved outside the document management system

There is a point where it is outside the scope of the system.  For example:  I copy the file to a thumb drive and print it at home.
Rupert Eghardt (ASKER)

Thank you Madison,

From what I found IRM seems to be what we need.
Documents can be protected even when e-mailed to unintended recipients.

IRM is apparently being replaced by Azure Information Protection.
I've downloaded the client and noticed it integrates with Azure RMS and Azure Active Directory.

Not sure if we'll be able to implement Azure Information Protection in a Windows 2012 domain environment without having Office 365?
>>Not sure if we'll be able to implement Azure Information Protection in a Windows 2012 domain environment without having Office 365?

Take a look at the feature list.  You will need a subscription.
https://azure.microsoft.com/en-us/pricing/details/information-protection/
I believe all you need is Azure AD Connect, which will work on 2012.
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites

Or if you decided this is the right path to take, simply open up a new question and ask about Azure Information Protection environment requirements.

;)
I have stood up MS Rights Management Service (IRM) and this is on a Windows 2012 system. You do not need Azure for internal. It may be the case for external RMS.

Standing up an RMS is not hard at all.
Rupert, to be quite frank, you are heading towards a lot of pain.
RMS is not hard to set up, yes, but it has a lot of consequences you will not see at first sight. It is nothing that people without very deep knowledge in security infrastructures can handle. You should question what you will gain if you implement such a system.

->what exactly are your "requirements for higher security", why record all files being opened, copied, printed, etc. (what does "etc" consist of?)?
->what particular situations are you facing now that you are trying to overcome?
->in regard to Microsoft RMS: do you own the licenses (RMS CALs) to run it? Are you willing to pay for those?
Thank you McKnife,

We definitely do not want to cause ourselves a lot of pain trying to solve this problem.

Our needs are as follows:

Requirement:  The particular data / information is very sensitive and all access to the data should be controlled and recorded
Current Setup:  We have a Windows file-server with proper directory structure and permissions, but this is unfortunately not enough
Problem:  An internal user with specific permissions may e-mail a file to an INTENDED recipient (external), who on their part forwards the document to an UNINTENDED recipient (external), which the company would like to prevent / control
Problem:  An internal user by mistake sends a file via e-mail to an UNINTENDED recipient
Requirement:  An internal user with specific access may want to give another user temporary (say 24 hours) access to a set of documents; this access should automatically be cancelled after 24 hours

I am not sure whether any system would be able to provide the level of data-security that is required.
SOLUTION
This solution is only available to members.

Thanks Guys,

I will open a new question to ask about RMS, SharePoint and IRM specifically.
Hey Rupert,

I know your question is old and hopefully, you have gotten this resolved.  The BEST solution to your requirements is to keep the document under your control.  Your end users would never email the document [just a link to the document that you control].  Now you have full control over the document and who has access to it.  I have some solutions for affordable ECM solutions that will allow you to do this.  Thanks