What does riding a horse have to do with modern collaboration?

File Sharing Encryption

Recently we had a great debate at e-Share about file encryption and secure data collaboration. The discussion centered on a claim that a modern collaborator does not need to encrypt shared files, because the files stay in the cloud and recipients access them through links.

We reached consensus through an analogy about riding horses and driving cars.

Before the car was invented, people rode horses. Sensible horseback riders wore helmets or protective gear so they would not get hurt if they fell off the horse. After the car was invented, people did not wear helmets while driving, since the car's frame gave them protection. Over the past century, cars have become even safer than riding a horse, with the advent of seat belts and airbags. Most people other than race car drivers do not wear helmets because doing so would be redundant.

Traditional file sharing and content collaboration is like riding a horse. Sharing is built around an on-premises file transfer solution, so the data (the horseback rider) is exposed as it leaves the premises, and encryption (putting on a helmet) makes sense. Modern collaboration is like driving a car: the file is always stored in a trusted container (e.g., SharePoint Online), so adding encryption (wearing a helmet) is redundant. The critical thing to focus on is establishing the correct privileges for accessing the information (the keys that unlock the doors and start the car).
The other great thing about modern cars is their navigation system: it always knows where you are going. The same is true of modern collaboration. Link-based sharing lets you audit and track your data at the time of each access, not just at the time of sharing. This is a critical distinction. With secure links, the recipient never downloads the file, so you are not securing a file; you are controlling access through a least privilege model.

[Figure: the difference between modern and traditional sharing]

But people still ride horses…

Yes, horses are still ridden for work, transportation, and leisure, but cars have replaced horses as the most popular form of transportation. We see a similar evolution in organizations. While most of the business is shifting to modern collaboration that protects data with a Secure Data Collaboration strategy, some people still share and download files. We do not argue that applying encryption (putting on a helmet) is a bad idea in those instances.
Please let us know if you would like to learn more about how your company can implement a solution that allows secure data collaboration. You can find us down at the stables trying to convince the modern collaborator holdouts. Giddy-up! 

5 Lessons Learned Deploying Microsoft Information Protection (MIP) Labeling

Microsoft Information Protection

Like our customers, e-Share strives to leverage all the modern collaboration tools we have at our disposal. As a Microsoft customer eager to deploy MIP labeling, we have optimized the business value attained with current licensing and cost-justified our adoption journey for productivity tools as well as Microsoft Information Protection.

With this suite of Microsoft products, we want to use OneDrive, SharePoint, and Teams not just internally but also for external collaboration. As we looked to achieve our own Secure Data Collaboration goals, it became clear that we could benefit from the adoption of MIP labeling. As a team, e-Share has deep experience building and managing data loss prevention and data classification products. Naturally, with this kind of background, deploying our own labeling taxonomy should be a breeze – right?

After a few more meetings than we anticipated, we had defined a taxonomy that we could all agree on and that met the requirements of our SOC 2 driven Information Classification Policy. Here is where our e-Share taxonomy landed using MIP labeling:

  1. Public:
    • This is information that is suited, and in many cases created, for public disclosure.
    • No control policies, but business justification is required if a user selects this label.
  2. Confidential:
    • This is information related to everyday business activities, such as product and marketing documentation.
    • This is our default label.
    • All Confidential data must stay within e-Share's control, which means e-mail attachments will be stripped (using e-Share's Secure Mail Gateway) and placed into a trusted share on SharePoint.
    • External users will not require a login to the trusted share.
    • However, every action (open, edit, download, etc.) will be logged and visible in our Microsoft Power BI analytics reports.
  3. Restricted (includes all Confidential policies):
    • This is all customer custodial data and customer data.
    • External users will be required to log in to the trusted share (OpenID, OTP).
    • Anything regulated found by auto-labeling would be tagged at this level.
  4. Private (includes all Restricted policies):
    • This is information that only a minimal number of people should have access to.
    • Investor, financial, and internal-only documents.
    • Allow list (limited to 20-30 people/domains).
    • Headers and footers are applied.
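To make the controls in this taxonomy concrete, here is a small Python policy model added for illustration; it is constructed here and is not e-Share's or Microsoft's code. Each label inherits the controls of the less sensitive labels, Restricted requires an external login, Private adds an allow list, Confidential logs every external action, and selecting Public requires a business justification (the workflow described in lesson 5 below). The function names, the e-mail/domain matching rule, and the 30-entry allow-list cap are assumptions.

```python
from dataclasses import dataclass
# Least to most sensitive; each label inherits the controls of every label before it.
LABELS = ["Public", "Confidential", "Restricted", "Private"]
MAX_ALLOW_LIST = 30  # taxonomy says "20-30 people/domains"; the exact cap is an assumption

@dataclass(frozen=True)
class Controls:
    trusted_share: bool = False    # attachments stripped into a SharePoint trusted share
    log_actions: bool = False      # open/edit/download logged for analytics
    external_login: bool = False   # OpenID/OTP login required for external users
    allow_list: bool = False       # recipients limited to an allow list (people/domains)
    headers_footers: bool = False  # headers and footers applied

# Only the controls each label ADDS on top of the less sensitive ones;
# effective_controls() unions them, so Restricted includes Confidential, etc.
ADDED = {
    "Public": Controls(),
    "Confidential": Controls(trusted_share=True, log_actions=True),
    "Restricted": Controls(external_login=True),
    "Private": Controls(allow_list=True, headers_footers=True),
}

def effective_controls(label: str) -> Controls:
    merged = {}
    for lvl in LABELS[: LABELS.index(label) + 1]:
        for name, on in vars(ADDED[lvl]).items():
            merged[name] = merged.get(name, False) or on
    return Controls(**merged)

def on_allow_list(email: str, allow_list) -> bool:
    """Entries may be full addresses or bare domains (assumed matching rule)."""
    domain = email.lower().rsplit("@", 1)[-1]
    return any(e.lower() in (email.lower(), domain) for e in allow_list)

def external_access(label, email, authenticated, action, allow_list=(), audit=None):
    """Decide an external user's request; returns (decision, reason) and logs when required."""
    c = effective_controls(label)
    if c.allow_list and len(allow_list) > MAX_ALLOW_LIST:
        return "deny", "allow list exceeds policy limit"
    if c.allow_list and not on_allow_list(email, allow_list):
        return "deny", "recipient not on allow list"
    if c.external_login and not authenticated:
        return "deny", "login (OpenID/OTP) required"
    if c.log_actions and audit is not None:
        audit.append(f"{label}:{email}:{action}")
    return "allow", "ok"

def relabel_allowed(current: str, new: str, justification: str = "") -> bool:
    """Selecting Public (a downgrade from any other label) needs a business justification."""
    return not (new == "Public" and current != "Public" and not justification.strip())
```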

So, what did we learn deploying MIP labeling?

1) Always start with why – then talk about the labels.

With labeling, people tend to focus too much on the actual names of the labels, resulting in many hours/weeks/months/years of discussion. However, if you are not clear on the "why," there will be an endless loop of frustration. In this case, the why is: what controls do we want to have? At e-Share, since we use our own product, the discussion focused on the kinds of access we will grant external recipients to our Trusted Shares based on the label. To accomplish this, you need to think hard about whom you interact with most on a daily basis and compartmentalize policies to those categories. This leads to lesson number two.
2) Do not overcomplicate (KISS – Keep It Simple, Stupid)
As organizations start to think about their labels and classify the different groups and privileges, things can get complicated quickly. Therefore, the moment you feel discussions getting out of control, communicate the importance of simplification. Less is more. Strive to find the few things that can make a real difference. If you try to build a label with sub-labels for every interaction that might exist, the taxonomy will become overburdened and useless. e-Share decided to stay very simple (which is hard) and stick to four labels with no sub-labels. It is essential to consider the level of maturity and readiness of your end users regarding data protection. Giving users too many options will cause analysis paralysis, diminishing the classification process.

3) Consider how this will impact sharing with external users.
Labeling discussions often focus on data inventory and internal data flows, but perhaps more importantly, you should consider how these labels will affect external sharing. As you can see from the e-Share taxonomy, our data classification policy is more heavily focused on what each label means for external users and their access to our data. Of course, it is vital that certain internal information is kept private (e.g., investor relations), so we accounted for that with a label that provides policy granularity at a user/domain level.

4) Focus on newly created data first, then data at rest and in motion.
Even as a small company, e-Share has a ton of unstructured data; however, we started our labeling journey with data that is newly created and deployed MIP to all users in the business first. From there, we used Microsoft Cloud App Security to apply document labels to existing files in OneDrive and SharePoint so that we can control access to any and all externally shared files based on label policies (e.g., Restricted files require a user login through OpenID).

5) Defaults can help when used correctly.
There is always a great debate around using default labels. If you are not careful, they can create complacency and confusion. For e-Share, as you can see, we opted to stay away from an Internal label and instead used Confidential as our default label. We have found that 90% of our data is Confidential, so let us not get in our employees’ way. However, if they downgrade to Public, we have a business justification workflow to ensure the downgrade is warranted and tracked.

Microsoft Information Protection labeling is something to consider for every company that uses Microsoft products and collaborates externally. If you want to talk more about labeling and even see a demo of our taxonomy in action, we would be happy to walk you through it. Please click here to contact us.

Top 3 Reasons Secure Data Collaboration is Disrupting Information Security

Secure Data Collaboration

Companies interested in adopting modern file-sharing and collaboration solutions typically consider two choices.

The first choice is to stay the course, with company security the paramount concern. By making it difficult and time-consuming to share information, this option limits how much the organization collaborates, which reduces productivity.

The second choice is to choose the course of full speed ahead as the company encourages sharing information and fostering collaboration. This strategy makes it easy for employees to collaborate within and outside the organization, ramping up productivity and hopefully revenue. The danger of this choice is dramatically increasing the chance of sensitive data loss (e.g., intellectual property) while also failing to comply with global data protection regulations.

However, there is a third choice, one that does not hinder data loss prevention efforts while allowing as much collaboration as possible. This choice is called secure data collaboration, and it is emerging as an information security strategy for our modern age.

What is Secure Data Collaboration?

Secure Data Collaboration (SDC) is sharing data between two parties securely and productively. BAE Systems has a great definition: "Secure Data Collaboration and Dissemination is a type of electronic information sharing capability in which two or more parties can each securely exchange their data with each other in an encrypted software environment – for collaboration on projects, for example, or dissemination of sensitive information – while always maintaining control of their data."

The key here is that SDC is not “encrypting the data itself” nor “preventing collaboration.” SDC is securely exchanging data in an environment that is already secure and globally adopted (e.g., Microsoft Teams, SharePoint Online, OneDrive).

Before every organization in the world accelerated to the cloud in 2020, one might argue that these environments were not that accessible; how many Global 2000 organizations deployed and used OneDrive globally? Fast forward to 2021, and in the past year, the adoption of M365 accelerated faster than anyone could have predicted. As a result, most organizations have access to these secure cloud containers and are now ready to become modern collaborators. It is during this transition to modern collaboration that SDC will disrupt traditional information security solutions, and here are the top 3 reasons why:

  1. Traditional information security solutions were built on an assumption of prevention: Locking data down or stopping data from leaving the organization disables collaboration rather than enabling it. This attitude does not work for modern collaborators who want to accelerate productivity and service delivery for their customers. SDC, by contrast, is built on the assumption that organizations want to share data with third parties; what they need is help managing the access controls to the secure container (e.g., Microsoft Teams).

  2. Secure Data Collaboration is built from the cloud for the cloud: Information Rights Management (IRM) and Data Loss Prevention (DLP) were initially built to support traditional enterprises, mainly operating on-premises. Modern collaboration demands security solutions that are purpose-built from the cloud and for the cloud. Collaboration is constantly changing, and on-premises solutions are not adaptive. SDC requires a solution that assumes change.

  3. Productivity will always outweigh security: This has been an ongoing debate since the dawn of information security; however, the last year has proven that organizations will do whatever it takes to ensure their employees can remain productive. Organizations that we thought would take another five years to "go digital" did it in weeks and accepted that the security controls would be playing a bit of catch-up. Traditional information security solutions that continue to put roadblocks in front of productivity will no longer cut it. SDC is focused on truly striking that balance for its users.

If you would like to learn how e-Share can deliver a modern solution that secures your company data while enabling employee collaboration, please contact us to arrange a demo. The e-Share team will be writing more about secure data collaboration in the coming weeks, and we are excited to share more developments on this topic.