Let’s be honest; we have all used plugins at one point or another. They work in conjunction with and add functionality to specific apps.
Some document security companies sell plugin protection systems that require integration with a regular document processing software, such as Adobe Reader, in order to work. This is a tempting proposal because the user is already familiar with the application in question and in theory can carry on using it as before but with a few added restrictions for document use. However, in reality, they are not a very good idea and often are the cause of many problems as explained below.
The Shortfalls of Plugin Security Systems
First off, if you can load a third-party security plugin into a program, it means that other plugins can also be integrated. As a result, a plugin that circumvents the security protocols put in place can also quite easily be added. In fact, a security plugin might end up conflicting with another plugin which has already been integrated. This might hinder the effectiveness of such security protocols. For example, one plug-in could block access, while the other makes access easier. Their conflicting interests will make it so neither plugin can perform their jobs effectively.
Sure, people are usually advised to know the origins of all the software they install on their devices and to consider whether they will perform conflicting functions. However, people often do not pay attention to such details and will probably install plugins that end up being a security risk to their devices and confidential documents.
Something that may make using plugins seem like a good idea is the Adobe licensing program. This is brought about by their Integration Key Licensing Agreement (IKLA). The fact that they certify some third-party plugins may make it seem like they are endorsing their use. However, this is not the case. Even the certified plugins may make your documents more vulnerable to security threats rather than more secure.
Something else that might happen because of this is the fact that third parties can make apps that can break security systems, without intending to do so. There are even some modes in the “Adobe DRM” that allow only certified plugins to run when processing certain documents. It is, nonetheless, a security measure that developers can bypass by forging credentials. After that, the embedded plugin will be able to bring about all manner of vulnerabilities. After all, nothing with forged credentials has ever had good intentions in the first place.
There is then the other problem that updating the underlying application (the application the plugin works with) causes the plugin to no longer work correctly. This is because the application has no knowledge of the plug in since it is not part of its system. Plugins have to be designed to hook into certain pieces of code, and if that code changes then they will no longer work.
What are the alternatives to plugins?
A strong document security solution needs to have security in mind when it is built. This means a dedicated program that enforces security controls and is not open to compromise by other third party applications.
A standalone secure document viewer can also be built so that it can make use of certain Operating System functionality and prevent this from working when the viewer is active. An example of this is stopping the use of Windows print screen or monitoring what programs are being loaded that could compromise the security of a document that is currently loaded in the Viewer. Other functionality could include monitoring printing so you can determine whether to allow the user to print to a specific printer or not. Then there is the ability to enforce decryption of content into memory only and stop temporary files being created that could store unprotected copies.
Standalone viewers can stop all plugins from being loaded and ensure documents remain within a protected environment where they are not available for easy attacks by hackers.
The truth is that a plugin security system is one of those things that will end up disappointing you in the long run. And, there are so many loopholes to exploit that you would be wise to look for something more standalone and secure from outside intervention. Also, you don’t need the hassle of having users contacting you saying they cannot open their documents when the plugin stops working.
If you are serious about protecting your documents then you need to look for a document security system that does not use plugins or other technology which has known security weaknesses.