Top 3 Reasons Secure Data Collaboration is Disrupting Information Security

Secure Data Collaboration

Companies interested in adopting modern file-sharing and collaboration solutions typically consider two choices.

The first choice is to stay the course, with company security the paramount concern. By making it difficult and time-consuming to share information, this option impacts the level of collaboration conducted by the organization, which minimizes productivity. 

The second choice is full speed ahead: the company encourages information sharing and fosters collaboration. This strategy makes it easy for employees to collaborate within and outside the organization, ramping up productivity and hopefully revenue. The danger of this choice is a dramatically increased chance of sensitive data loss (e.g., intellectual property) and of failing to comply with global data protection regulations.

However, there is a third choice, one that does not hinder data loss prevention efforts while allowing as much collaboration as possible. This choice is called secure data collaboration, and it is emerging as an information security strategy for our modern age.

What is Secure Data Collaboration?

Secure Data Collaboration (SDC) is sharing data between two parties securely and productively. BAE Systems has a great definition: Secure Data Collaboration and Dissemination is a type of electronic information sharing capability in which two or more parties can each securely exchange their data with each other in an encrypted software environment – for collaboration on projects, for example, or dissemination of sensitive information – while always maintaining control of their data.

The key here is that SDC is not “encrypting the data itself” nor “preventing collaboration.” SDC is securely exchanging data in an environment that is already secure and globally adopted (e.g., Microsoft Teams, SharePoint Online, OneDrive).

Before every organization in the world accelerated to the cloud in 2020, one might argue that these environments were not that accessible; how many Global 2000 organizations deployed and used OneDrive globally? Fast forward to 2021, and in the past year, the adoption of M365 accelerated faster than anyone could have predicted. As a result, most organizations have access to these secure cloud containers and are now ready to become modern collaborators. It is during this transition to modern collaboration that SDC will disrupt traditional information security solutions, and here are the top 3 reasons why:

  1. Traditional information security solutions were built on an assumption of prevention: Locking data down or stopping data from leaving the organization disables collaboration rather than enabling it. This attitude does not work for modern collaborators who want to accelerate productivity and service delivery for their customers. SDC, by contrast, is built on the assumption that organizations want to share data with 3rd parties; they need help managing the access controls to the secure container (e.g., Microsoft Teams).

  2. Secure Data Collaboration is built from the cloud for the cloud: Information Rights Management (IRM) and Data Loss Prevention (DLP) were initially built to support traditional enterprises, mainly operating on-premises. Modern collaboration demands security solutions that are purpose-built from the cloud and for the cloud. Collaboration is constantly changing, and on-premises solutions are not adaptive. SDC requires a solution that assumes change.

  3. Productivity will always outweigh security: This has been an ongoing debate since the dawn of information security; however, the last year has proven that organizations will do whatever it takes to ensure their employees can remain productive. Organizations that we thought would take another five years to “go digital” did it in weeks and accepted that the security controls would be playing a bit of catch-up. Traditional information security solutions that continue to put roadblocks in front of productivity will no longer cut it. SDC is focused on truly striking that balance for its users.

If you would like to learn how e-Share can deliver a modern solution that secures your company data while enabling employee collaboration, please contact us to arrange a demo. The e-Share team will be writing more about secure data collaboration in the coming weeks, and we are excited to share more developments on this topic.

Sharing Sensitive Data With 3rd Parties at the Cybercrime Tipping Point

e-Share Blog

In 2019 researchers uncovered a massive “trove” of more than 20 million sensitive banking and financial documents associated with mortgages – not from the banks or originators who actually received the data from consumers – but rather from a third-party “data and analytics company” that provides various services such as converting paper documents and handwritten notes into computer-readable format.

How much did the banks save, not processing that paper in-house? How much does the embarrassment of having customer data breached, or the potential fines, offset the business case for such a relationship?

The answer is that in the large, it does not. The use of Business Process Outsourcing (BPO) firms is a standard part of most modern businesses. The question is, how to respond to almost daily breaches as we try to enable vendors, partners, and even joint ventures to share information?

In the case of mortgages, the most common use case for a BPO is to do data entry: literally reading the various scanned forms, and typing them into a loan origination system. Do they need a copy of the document that they can save on disk?

The answer is simple: they do not.

You can protect your data and still let them use it by deploying e-Share Trusted Sharing to deliver that BPO a read/edit-only link that expires automatically after you reach the end of your service level with them.

This way you protect your data and still enable the partner or vendor to provide you with the value you hired them to create. It’s a win/win!

Contact e-Share to see how quickly and easily you can get started.

The Security of Expiration


This week’s breach involved a medical services company’s FTP server which allowed “uncontrolled access to its patients’ protected health information”.

“This uncontrolled access permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline.”

The company ultimately “agreed to pay $3,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security and Breach Notification Rules”.

So-called File Transfer (or “FTP”) servers are a venerable approach to sharing data. FTP was one of the first digital publishing platforms, used widely for software distribution and file transfer since the early days of the internet. SSH FTP (or SFTP) adds encryption and thus makes it compliant for transferring sensitive information, including PHI data which is regulated by HIPAA, so long as the client and server encrypt the transferred files at rest.

The problem is, compliant is not the same as secure.

Once a file transfer server is up and running, it will reliably and consistently serve files. If access is incorrectly or incompletely configured, as appears to be the case here, every minute brings added exposure. This is why all access to shared files should be limited to a period of time by default, something file transfer servers were unfortunately not designed to support. This could have prevented the breach, despite the questionable configuration.

A second issue is that FTP is all about TRANSFER. As long as it remains up and running, authorized clients will have unfettered access to download data and then do whatever they like with it – print it, publish it, transfer it to others… Worse, clients become compromised over time. People leave companies – and transfer their user credentials to their replacement, hopefully not a third-party service – or they may be compromised through phishing or malware attacks.

The longer the server is up, the longer your exposure lasts.

e-Share - Sharing policies

The good news is, FTP’s days are numbered. Migration to the cloud is finally happening – and companies are discovering that the mechanisms built into cloud file storage services are only intended for internal collaboration.

Solutions like e-Share’s Trusted Sharing offer fine-grained sharing options – like automatic expiration of shared material. This can, as shown above, be set at the organizational level. For many shares, one-time or 1 day is entirely adequate. For longer collaborations, the expiration should likely match the engagement level.

Sharing can also be limited to view or edit-online only, with no download, printing or copy/paste. You can optionally require participants to sign in with OpenID, enter an access code, accept terms of service – and more.
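The policy argued for in this post (an expiration on every share by default, an organization-wide ceiling, one-time links, view or edit-online only) can be sketched as a signed share token. This is an added example, not e-Share's implementation; the function names, the key and the TTL values are assumptions.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key"    # constructed; keep the real key in a secret store
ORG_DEFAULT_TTL = 24 * 3600         # assumed org-level default: 1 day
ORG_MAX_TTL = 90 * 24 * 3600        # assumed org-level ceiling
_used = set()                       # redeemed one-time share ids (in-memory for the demo)

def _sign(body: bytes) -> str:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def issue_share(file_id, recipient, now, ttl=None, one_time=False, mode="view"):
    """Issue a share token. There is no way to create a share without an expiry."""
    ttl = ORG_DEFAULT_TTL if ttl is None else ttl
    if not 0 < ttl <= ORG_MAX_TTL:
        raise ValueError("ttl outside organizational policy")
    if mode not in ("view", "edit-online"):
        raise ValueError("only online view/edit modes are offered")
    claims = {"id": secrets.token_hex(8), "file": file_id, "to": recipient,
              "exp": now + ttl, "once": one_time, "mode": mode}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body)

def check_share(token, now):
    """Return (True, claims) if the share is still valid, else (False, reason)."""
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        return False, "malformed"
    # Verify the signature before trusting any field, including the expiry.
    if not hmac.compare_digest(_sign(body.encode()), sig):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        return False, "expired"
    if claims["once"]:
        if claims["id"] in _used:
            return False, "already used"
        _used.add(claims["id"])
    return True, claims

if __name__ == "__main__":
    t = issue_share("scan-001.pdf", "bpo@example.com", now=1000)  # constructed input
    print(check_share(t, now=2000)[0], check_share(t, now=1000 + ORG_DEFAULT_TTL))
```

Because the expiry is inside the signed body, a recipient cannot extend it, and a misconfigured or forgotten share stops working on its own when the clock passes `exp`.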

e-Share - Policy options

Register for a demo to learn how mandating share expiration is a critical first line of defense for all information – especially regulated data like PHI.