Virtual Data Rooms: What VDR Security Do I Need?
You’ve decided you need a virtual data room but aren’t sure which security features you need or how secure each system is. Here is some clarification on the most common considerations regarding VDR security.
As you probably already know, encryption is the process of encoding information to prevent unauthorized parties from reading it. In your research, you may notice some virtual data rooms with 128 bit AES encryption and others with 256 bit. For all intents and purposes, both are extremely secure. Without getting too deep into physics, it’s practically impossible for a computer to crack a 128 bit encryption using a brute force attack (systematically checking every possible combination).
Even without considering the billions of years of computation time it would take, the sheer amount of energy required for a computer to run the calculations is beyond reasonable figures, with a low estimate being 263 TWh (more than 1% of the world’s current energy production). That’s just for 128 bit. A 256 bit encryption is not twice as powerful, but actually 2^128 times more powerful! Long story short, you shouldn’t be worried about people cracking either encryption any time soon.
Why do banks and the NSA use 256 bit as a standard?
First of all, most people don’t understand how secure 128 bit is, and just see 256 as a higher number and therefore more secure. While this mathematically makes sense with regards to a brute force attack, many believe the difference between these two won’t really matter until a quantum computer is developed, but that’s a discussion for another time.
More Probable VDR Security Threats
Instead of debating over whether you need 128 bit or 256 bit encryption, you should be focusing on features that protect your documents from more common VDR security threats. Every system, and in this case, virtual data room, is only as secure as your users make it. Look for VDRs with multi-factor authentication that requires users to not only enter their password, but also a randomly generated code sent to another device, such as a phone. This way, even if one of your employees gets his or her laptop stolen, your confidential materials are still safe.
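As an added illustration (not code from the original article or from any VDR product), here is the server-side half of the second factor described above: issuing a random one-time code for out-of-band delivery and checking it so that it expires, works only once, and cannot be guessed by repeated tries. The function names, the 5-minute lifetime, and the 5-attempt budget are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed lifetime: a code dies 5 minutes after issue
MAX_ATTEMPTS = 5         # assumed budget: burn the code after this many wrong guesses


@dataclass
class PendingCode:
    digest: bytes        # salted hash of the code; the plaintext code is never stored
    salt: bytes
    expires_at: float
    attempts: int = 0


_pending: Dict[str, PendingCode] = {}   # per-user pending code (in-memory stand-in for a real store)


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()


def issue_code(user: str, now: Optional[float] = None) -> str:
    """Create a fresh random code for `user`; the caller delivers it out of band (e.g. SMS)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"  # CSPRNG, zero-padded
    salt = secrets.token_bytes(16)
    _pending[user] = PendingCode(_digest(code, salt), salt, now + CODE_TTL_SECONDS)
    return code


def verify_code(user: str, submitted: str, now: Optional[float] = None) -> bool:
    """Accept the code once, within its lifetime and attempt budget; reject everything else."""
    now = time.time() if now is None else now
    entry = _pending.get(user)
    if entry is None or now > entry.expires_at:
        _pending.pop(user, None)        # nothing pending, or expired: discard it
        return False
    entry.attempts += 1
    ok = hmac.compare_digest(_digest(submitted, entry.salt), entry.digest)  # constant-time compare
    if ok or entry.attempts >= MAX_ATTEMPTS:
        del _pending[user]              # single use; also burned after too many wrong guesses
    return ok
```

Pair this with the password check and rate limiting on the login endpoint itself; the code alone only protects the second step.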
Along those same lines, you should carefully examine the user interface and workflow of your potential virtual data room solution. A positive user experience can obviously provide convenience benefits, but more importantly, can add to VDR security as well. The more intuitive a VDR is, the less potential there is for users to accidentally open VDR security holes. For example, permission settings and their impacts should be easy to understand and clear to all parties. The best way to find this information is by inquiring about a demo and testing out the product firsthand.
Lastly, dynamically-generated watermarks are also a must-have feature for virtual data rooms. While over 70% of vendors offer this, you should still double check that your top choice includes this feature. Dynamic watermarks provide protection against unwanted document forwarding by placing a watermark identifying who accessed the document. This turns dissemination of a confidential document into a foolish self-incriminating act.
Certifications are like merit badges signifying that a product or process meets certain standards as defined by an auditing authority. There are certifications and standards about almost everything these days, ranging from recycled materials to food safety. When it comes to virtual data rooms, vendors boast many different certifications about VDR security, but some aren’t as relevant as you may think. Here are the most common certifications you’ll see, with a brief description of what they mean.
SSAE 16 (SOC 1), which effectively replaced SAS 70 in 2011, is specifically for Sarbanes-Oxley (SOX) compliance. It covers an audit of internal controls over financial reporting, providing checks against tampering or foul play. While this is a good process control, the objectives of the audit are specified by the audited organization itself. This means that a SOC 1 certification for one company could mean something different than a SOC 1 certification for another. As such, it shouldn’t be a deciding factor when choosing a VDR vendor.
SOC 2, on the other hand, was specifically designed for datacenters and tech vendors and can provide objective information about at-risk areas. The criteria of the SOC 2 framework are built on the Trust Services Principles and Criteria (TSPC) that the American Institute of CPAs (AICPA) defines as:
- VDR Security – The system is protected against unauthorized access (both physical and logical).
- Availability – The system is available for operation and use as committed or agreed.
- Processing Integrity – System processing is complete, accurate, timely, and authorized.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
- Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA and CICA.
Lastly, ISO 27001 is often claimed by vendors, and is an international standard around information technology security techniques. It evaluates an organization’s information security management system (ISMS) and represents a good set of best practices. Ensuring objectivity, this certification is only awarded to a VDR vendor after an independent audit by an accredited group.
If you’re confused, what you need to know is that both SOC 2 and ISO 27001 certifications are good signs of security, but having one or the other shouldn’t be the deciding factor between VDR options. They can, however, help differentiate secure virtual data rooms from simple consumer file sharing platforms.
There’s no such thing as an impenetrable system, but when it comes to virtual data rooms, there are definitely some security best practices. Most VDR vendors will provide more than enough technical VDR security (encryption, authentication, etc.), so you’re better off focusing on the user facing VDR security features.
Think about previous mishaps (stolen equipment, disgruntled terminated employees, people stepping away from logged-on computers, etc.) and see how the different VDR solutions provide safeguards against similar unforeseen events.