File sharing – what’s the best solution for your business? Part 1
Enterprise File Sync & Share, EFSS – What should we look for when choosing a file sharing application in the context of technological changes, new legal regulations, data security and range of necessary functionalities.
Sharing files within organizations is an obvious and ongoing process. It takes place on many levels and with the usage of different types of files. Starting from simple email attachments, photos, videos, ending with multi-million contracts. Despite the fact that we do not have too many applications on the market that are able to completely cover the area of our expectations in this field, we still have to decide on something. So if we want to know what is important, the first question worth asking is: for whom?
EFSS – administrators and users
The point of view and the needs of the administrator and user are two different worlds. They have slightly different needs and pay attention to different functionalities. The administrator will be interested in the uncompromising security of the application and the safety of the data stored in it. On the other hand, the user wants the application to be easy to use, ergonomic, effortless while sharing data, and trustworthy.
File sharing – the principle of limited trust. What is necessary for modern file sharing applications architecture?
None of the administrators should be too confident that shared files are properly secured. One should, however, be able to monitor all processes related to this activity. That’s why it is worth to pay attention to whether the used platform provides reports on the processes that can be analyzed. Why is it important? Since the functionalities may allow data encryption, double authentication with text messages or one-time codes, the user is still the weakest link. If he is not at least a little aware, there will always be a way to threaten shared data. Not necessarily deliberately. Most data threats are caused unintentionally because users do not fully understand what they are doing. Therefore, to some extent, you need to monitor and control this process – administrator supervision is necessary.
It does not have to be massive cybersecurity breach, as in the famous Marriott hotels case.
To cause a disaster, you do not need much. An employee of the company X upload an excel with credit card numbers on Dropbox, and the file became public. That’s a short horror story. That is why standardized security policies are important, but with the possibility of extending them with custom security solutions tailored to the profile of a given company. All this to prevent user errors. As architects of solutions, we must face current IT challenges and issues, and respond to market needs to the maximum extent.
You definitely need to be aware that depending on the industry and the type of data that you are processing, we not only have internal regulations but also external ones. Of course, the GDPR, but also national regulations that impose certain legal requirements on the manner of data storage. Here, from the administrator’s perspective, we need to be sure that the tool that we want to implement in the company must be – in general – legal.
There is a list of countries and regulations that apply in different countries regarding data storage. Medical records, for example, can not be stored outside the country. Such issues must also be borne in mind.
Where do you store your data?
This is related to the second aspect – does your tool work in an external public cloud – where we do not always know whether data is stored on servers in a given country, continent or somewhere else? Do we have the option of using a private cloud or solutions that we can install on our servers?In the case of medical companies in Australia, the only possible solutions are KODO, OwnCloud, NextCloud, where you can install the server only on your infrastructure or look for a solution from your local provider.
This is also associated with broadly defined data security. What number of copies is stored? Are they well distributed in terms of data replicas or backup copies? Are they stored on one server, tens or hundreds? You should also be aware that depending on the type of data we want to share, we need to adjust security policies. Because if we want to send low-value data, we do not necessarily have to think about encryption or more advanced methods of data transfer.
Data and security requirements
If you want to share data with clients or partners that will contain personal or commercial information or data about our business, of course, you should choose a solution that supports encryption using the most powerful key. If we finally met the infrastructural, legal and security requirements, then the next aspect is the use of the application. Ease of configuration, the creation of user accounts, the ability to efficiently and quickly manage users, but also the preview of the audit log. It’s about checking what happens to the data, to the users, and ultimately the ability to take quick action if we need to secure some data. For example, manually block file sharing.
We mentioned that in most cases the user is the weakest link. The fact that we will have a good infrastructure, secured and encrypted data may not be enough. The user can still share the protected file externally, eg with a link that does not require a password when downloading it. It’s required that file-sharing software allows you to build policies and patterns in a simple and transparent way to avoid such situations.
File sharing (micro) revolution
One would like to say that nowadays in the field of file sharing (not data sharing) tools we are on the eve of a micro revolution. It is about the use of machine learning or simple elements of artificial intelligence to identify not only the type of files but also their content. Soon you will be able to provide such settings in security policies in EFSS, that will allow you (instead of defining the type of file) to specify the types of data prohibited to share. So, for instance, users will not be able to share any contracts, images of people or personal data: credit card numbers or personal identity numbers. Such application (Storware’s KODO is heading this direction) will analyze the content of the document and will be able to determine with a high probability what type of document it is – a contract, a manual, a financial report, a novel etc.
Such a service would be a powerful tool for intelligent data leak protection.
What is automation in file sharing applications?
Chief Technology Architect at Storware
Professional Services Architect at Storware