Secure file sharing uncovered

Ahmet Tuncay is the CEO of Soonr, a provider of secure file sharing and collaboration services. In this interview he talks about making security a priority, discusses what drives employees to routinely use personal online file sharing solutions for confidential data, outlines the critical features of secure file sharing solution, and more.

Despite clear IT security policies, convenience drives employees to routinely use personal online file sharing solutions for confidential data. What advice would you give to those managing the security of these networks?
The first advice we would offer is to not ignore the problem or underestimate the potential risks. If the organization has internal security or proprietary information policies, it is a good idea to spell out the company policy regarding the use of unauthorized cloud services and consequences to the employee.

Other than making it very clear to such employees that placing company confidential data on unapproved cloud services is a very serious violation of company policies, the only practical solution is to offer employees an equally – if not substantially better – service with more convenience, reliability, and ease of use. There’s no excuse for not taking the steps to assess what end-users expect from a file sharing and sync service, evaluating available solutions, making sure the solution also meets the needs of the IT, Security, and Compliance functions of the organization, and rolling it out as fast as possible.

As a part of the needs assessments process, the main objective should be to get to the root of the behavior – is the worker in the office or on the road, is sharing being done with internal workers or clients and partners outside the organization, what types of share and access rights are needed, are there other business specific use cases that should be understood?

There are plenty of security file sharing options available, but users tend to use what they know, regardless of how secure it is. How can the security industry change their way of thinking and make security a priority?
It is not enough to give users something only as good as what they’re already comfortable with, they have to be enticed with a service that is substantially better. Better could mean much improved performance (lower latency, higher speed), much better reliability (data is guaranteed never to be lost and easily recovered if deleted intentionally of accidentally), much better availability (service is never down), much higher capacity (terabytes of storage allocation rather than gigabytes), much easier to use, and much more powerful features – such as off-line access, in-app editing of documents on mobile devices, and a great sharing and collaboration experience.

Users understand the competitive advantages of these benefits easily – saves them time, makes them more responsive, minimizes or eliminates mistakes – makes them more productive all around. Many workers are not only competing with people outside their own organizations but also with their peers and others inside their companies – the mantra “adapt or perish” is more true today than ever.

Based on conversations with your clients, what are they most worried about when it comes to file sharing?
We see clearly that security risks are at the top of their minds. Most are worried first about outside hackers and crackers, second about careless or uninformed employees and contractors, and third about insiders, disgruntled employees and contractors. IT is as much worried about threats from inside their organizations as they are of threats from the outside – which is exactly what an enterprise-grade file sync, share, and collaboration service should be designed to mitigate. Policies around authentication, sessions, public links, devices, mobile content management, and dozens of other functions combined with advanced reports and forensics related to user, device, and document activity enable our clients to build systems that are fully compliant with the practices in their businesses.

What are the most important features for a robust, feature-rich and secure file sharing solution?
For business workers, every minute counts. As such, selecting a file sharing solution that works the way they do, on any device, at any time, helps them get things done faster. But, security and compliance are additional factors where companies simply can’t compromise. To support these important requirements, an enterprise-grade secure file sharing solution should offer features in each of the following five categories:

1. Infrastructure – To ensure that there is no possibility of experiencing any service interruption, performance degradation or global malware infections, select a service that has segregated geo-redundant locations with local data storage for privacy and performance. If a business operates only in Australia, Canada, and the UK, there’s no point storing all their data only in Nevada. At a minimum these facilities should have Tier 3 grade operational controls and fault tolerance with greater than 99.9% availability and SLAs to back it up.

2. Security – Enterprise security should be prevalent throughout the solution including encryption in transit, in session and on device, and all locations where user files are stored. It should also employ best practices for key storage and rotation management, two-factor authentication, data leak prevention and device wipe functionality.

3. Mobile productivity – To best support user needs, select a file sharing service that offers integrated, on-device rendering and annotations and integrated, on-device document editing. This will help workers remain productive, where ever they are working. It should also support easy document creation from any device such as a scan to PDF and it should eliminate the need to “open-in” or “open-with” additional third party applications which can slow productivity, add work complexity, or create vulnerabilities.

4. Administration – To support adherence to company governance policies and data leakage prevention, the selected file sharing solution should offer a robust set of administration features that are easy to manage and as granular as a company wants to go. Some administration features to look for include supporting data protection such as versioning, archiving and recovery. Policy controls should be granular with the ability to control access by user, document and device as well as read/write/delete rights by author. If your organization relies on Active Directory, select a service that will integrate with it to better enable role-based access control. Finally, all administration features should be supported by detailed reporting functionality to support compliance auditing.

5. Compliance and testing – To be sure that the service you select is truly compliant and secure, choose one that has had its operational controls tested and validated by a reputable auditing firm. Ask for the auditor’s report covering SOC2 Type 2 operational controls prepared in accordance with SSAE 16 and/or ISAE 3402 standards. Be sure that the audit report is really covering the operational controls of the file sync and sharing provider you’re directly working with and is not just for the physical data center provider (this is an all too common area of confusion). This will give you assurance that the solution meets high standards for both internal and end user operations. Other audits your file sharing solution should have completed include 3rd-party penetration testing, and US/EU Safe Harbor (privacy) audits. Also look for solutions that are HIPAA-compliant and have a BAA statement.