|
Why can't I rely on Excel's native spreadsheet
'protection'?
Content and location security
limitations
The problem with the native 'protection' provided by
Microsoft ExcelŽ is that it provides only weak intellectual property security,
and no location security capability at all.
Excel does provide worksheet and workbook password-based
protection, cell locking and hiding of formulas, and password protection of
macros and Add-ins. The level of protection provided, however, is
relatively low, and provides a first line of defense only. These
protections can all be broken fairly easily. Un-protect programs and
services are available on the internet. Excel does not prevent someone
with access to a confidential spreadsheet from copying worksheets, ranges, or
formulas and pasting them into another spreadsheet.
Thus, no secure protection of the intellectual
content of the spreadsheet, formulas, algorithms etc is available by using
native Excel protection.
"The encryption on Worksheet and Workbook structure
passwords is extremely weak. Passwords can be cracked in minutes with free
software. Even Microsoft acknowledges that worksheet and workbook
protection is a 'display' feature and not a 'security' feature. Passwords
will only stop the casual user and cannot be relied upon as a security feature
in distributed applications." Doug Tyrrell, Excel Consultant
"MS Office file passwords are not secure and were never
intended to be. There are a great many third-party utilities available on
the Internet to recover lost Office file passwords. Therefore these
password features will never be effective for preventing customers from seeing
proprietary or trade secret information, for example, or for serious
confidentiality or security concerns inside the workplace." Jim Dettwiler
"If I protect my worksheet with a password, is it really
secure? No. Don't confuse protection with security. Worksheet protection
is not a security feature. Fact is, Excel uses a very simple encryption
system for worksheet protection. When you protect a worksheet with a password,
that password -- as well as many others -- can be used to unprotect the
worksheet. Consequently, it's very easy to "break" a password-protected
worksheet. Worksheet protection is not
really intended to prevent people from accessing data in a worksheet. If someone
really wants to get your data, they can. If you really need to keep your data
secure, Excel is not the best platform to use." John Walkenbach
"Excel features related to hiding data
or locking data with passwords are not intended to secure or protect
confidential information in Excel. These features are merely meant to
obscure data or formulas that might confuse some users or to prevent others from
viewing or making changes to that data." Microsoft 2006
Access security limitations
Furthermore, no form of location security is provided by
Excel. File access to a particular spreadsheet file can be prevented
by:
- network access control and restriction for corporate and
networked environments
- physical access restriction for small businesses/home
offices
- protection based on encapsulation or encryption of the
file, preventing access to the file's contents
However, in order for a user to be able to use the
spreadsheet, they must have access to the spreadsheet file and any password
required to decrypt it. Once in possession of this information, the file
contents can then easily be copied as if access had never been
restricted.
|
