Browsers Are Inherently Insecure
The first factor to consider is that virtual data rooms are usually hosted in the cloud, on third-party servers.
Though cloud adoption is becoming incredibly popular, it’s not always the best choice for storing your most confidential documents.
As soon as you upload your documents to a remote server, you’re unable to personally verify their security and lose visibility over temporary files and other metadata that may be left behind.
Typically, documents are decrypted on the server and delivered to the client in plain text, which creates a wealth of temporary files on the server unprotected.
Temporary files are also stored in the browser, where attackers may be able to extract them in plain text.
In fact, the browser environment, in general, is not conducive to security. Secure data rooms primarily use JavaScript to enforce document restrictions or DRM controls, which are unable to prevent printing to a PDF or screenshotting.
But these JavaScript controls aren’t just limited – they can be modified and bypassed. As JavaScript is executed in the browser, users can install plugins or inject code to bypass restrictions. This allows them to share or modify your documents in ways you didn’t intend.
Password-Based Logins Are Easily Shared
Credentials are also a major issue when it comes to document protection. Documents in secure data rooms are locked behind a simple username and password systems.
We all know that these credentials can easily be shared, phished, or gathered via spyware. As you don’t have access to your client’s PC, you cannot verify that the environment where they’re entering their credentials is secure.
Adding to this problem is the fact that most systems don’t even prevent the same user from logging in with the same credentials at the same time.
Admittedly, some data rooms mitigate these risks with two-factor authentication systems, which require users to verify their login via an app on their phone, email code, or SMS message.
This does help unintentional credential leaks but doesn’t stop intentional sharing. 2FA can also be frustrating to the end-user, leading to timed cookie systems that only require users to authenticate every so often.
These cookies can be modified trivially or restored with a simple browser plugin.
Systems like Google or Microsoft Authenticator, meanwhile, allow users to backup/transfer their 2FA codes and recovery keys to other devices.
In some instances, users also store recovery codes in plain text in their cloud storage or notes app.
The Bottom Line
Virtual data rooms are only as secure as the credentials that protect them and the server’s documents are hosted on.
Further, though they’ll be billed as a safe way to share documents with outside parties, they’re wholly ineffective against preventing screenshotting, PDF printing, and in some cases permission bypassing.
Though many have tracking and monitoring systems, these too are unsuccessful, as they only show which user credentials or IP shared a document – not whether they’re genuine.
On top of this, the cost of these solutions can spiral rapidly, with customers often tied into monthly, fixed-term contracts.
The lack of perpetual licenses and the inability to self-host further reduces flexibility and increases costs in the long term.
To fully protect their documents, then, businesses need to look elsewhere. Document DRM or PDF DRM solutions address many of the failings of secure data rooms, allowing for on-premises hosting, advanced permission controls, anti-screenshot technology, offline viewing, and the ability to lock documents to devices and locations.
While they aren’t always cheap, pricing is often more generous and flexible, and self-hosting is usually an option for complete internal control.
They are the only effective way for secure document sharing with third parties, preventing document leakage, and protecting corporate transactions.