Bring Your Own Collaboration and File Security: An Analyst and Vendor Perspective

KimKayAuthorPicby Kim Kay

These days, it seems as though nearly anyone can exchange or obtain sensitive data. Indeed, it has become altogether too easy for authorized users to obtain access to a file, and once in their possession, take it outside the control of the company. Even worse, these authorized users may choose to share that file with others who may not be entitled to have it, much less protect it in the same way. We asked Eric Ogren, senior analyst with the information security team at 451 Research, and Scott Gordon, chief operating officer at file security company, FinalCode, to weigh in on on the importance of securing file collaboration.

KK: Eric, when does file security become an issue for enterprises? Are privacy breaches just the start?

Eric Ogren: File security has always been an issue for enterprises. The classic model of inheriting security properties from the folder was embedded into operating systems well before the Web was born. It’s hard to believe that in 2016 we are still trying to retrofit that approach to fit the security needs of the modern business.

KK: Scott, are customers visiting FinalCode after they experience a data breach?

Scott Gordon: Certainly customers engage with us following an incident either they or a peer have experienced. The majority of IT and security executives are recognizing that unsanctioned file sharing and disclosures are already happening and depending on the risk, data, and impact to their business, are seeking ways to close leakage gaps or extend data privacy breach safe harbors.

KK: Eric, does this mean that there is renewed interest in Information Rights Management? 

EO: Sure, enterprises need to share proprietary information up and down the supply chain without losing total control over their data. IRM is one mechanism that enables a freer exchange of information within certain ground rules.

KK: Scott, what demand are you seeing in the market for new approaches to securing files?

SG: There are many use cases driving demand but some common applications come to mind. Compliance-sensitive industries protecting regulated files sent to third-party processing firms. Companies seeking to lock down their confidential information that must be shared, such as CAD design files sent to outsourced contractors as well as their supply or support chain. And service organizations, such as temp agencies, accounting, legal and recruiting agencies that, by nature, share sensitive or regulated data.

KK: Eric, what options are IT and security professionals considering to better address the issue?

EO: Well, throwing sensitive files up into cloud storage for sharing really causes IT to rethink how they handle file security. It is not a matter of how compliant the storage service is; it is a matter of what happens to the file when it is fetched from the cloud.

IT is trying different approaches. One, of course, is turning to IRM for sensitive files. I have also seen IT use virtualization services to keep machine-readable files off endpoints, DLP to try to keep certain files from escaping into the cloud, and network access controls in an attempt to restrict use of file sharing applications. But the bottom line is that users will always find a way to make their professional lives easier by sharing files, so our job as security practitioners is to help them do that securely.

KK: Scott, how have changes to file sharing infrastructure and applications affected FinalCode’s security offering?

SG: Many organizations are reassessing their current investments in content management systems – either extending existing capabilities, bringing in new on-premises or cloud-based systems, or allowing for the use of collaboration apps. Let’s not forget email and FTP. Our approach separates file security management from file storage, distribution and content management. In that way, we are infrastructure- and device agnostic and, as such, can be applied across many applications depending on business need.

KK: Eric, what’s your take on Microsoft advances and investments in securing collaboration and IRM?

EO: Microsoft has vested interests in positive user computing experiences for Azure, Office 365, OneDrive and other cloud services. Offering secure services is more important and more interesting than offering security services in that context. Thus, many of their recent security acquisitions, such as Adallom, Aorato, Digital Island, and Secure Islands are destined to become embedded into productivity tools.

KK: Scott, how can FinalCode compete with Microsoft?

SG: Companies have different applications, requirements and resources to consider when it comes to securing file collaboration, where only using Microsoft may not fully meet their business requirements or may be overkill for their need. Many software products leverage Microsoft’s IRM services to work, such as Secure Island. Another consideration is how organizations can easily and cost-effectively gain enhanced file security for recipients that are outside their environment and Microsoft controls. Depending on the customer’s business requirements, we are both complementary to Microsoft or the best alternative.

For example, Microsoft office applications such as Word, Excel and PowerPoint come with password-based file encryption. But this requires users managing passwords and shared secrets and has numerous requirements and recovery elements that, for many, will not easily manage or scale… and this just covers these specific Microsoft application file types. For many businesses, our approach is more-cost effective, has broader application and offers a comparatively low total cost of ownership.

KK: Eric, what about file security vendors other than Microsoft? What do they bring to the table?

EO: In the case of reimagining file security, there is activity from the likes of Fasoo, FinalCode, Ionic Security, Microsoft and Seclore, among others. There is a lot going on in this space between technology (HTML5 media extensions, browser plug-ins, privileged agents), business requirements (protect IP as it transits the Web, secure collaboration in long design to revenue cycles, restrict access to paid subscribers for media services), and government regulations (EU data directives and national privacy laws).

Most of the vendors do a pretty good job of managing the crypto features. The main differentiator is being boringly simple to use for non-IT people. For instance, you really don’t want authors worrying about security settings every time they publish a document, or get access requests from new team members. And a low level agent is much more secure than a browser plug-in, but it comes at the cost of users installing software, so you need to understand your users.

I do like what Microsoft is doing. However, the world is increasingly fond of iOS, Android and Linux products. Independents are finding traction by supporting all major data sharing applications, all major user devices, and keeping administration simple, simple, simple.

KK: Scott, is “ease of use” a cliché or the main factor for enterprise adoption?

SG: Absolutely. User experience, including nominal impact to workflow, has become among the top considerations in the selection process. But nowadays, ease of use also applies to IT administration as that affects total cost of ownership. This would encompass functional considerations such as deployment and interoperability, the means to automate provisioning especially for users outside the organization, and the ease at which to effectuate policy.

KK: Eric, how can IT professionals justify the security of files as an extension to their data leakage prevention programs?

EO: The approach for IT is to offer ways that the business can use IRM to further its cause. For instance, businesses send out price list upgrades to sale channel partners weeks before they become effective and then let IRM delete the old price lists to increase the number of properly priced orders. Or, transparently uploading documents into cloud sharing services for easy self-access service without worrying they may be forwarded to competitors.

KK: Scott, where do you see the opportunity for file security heading?

SG: Upwards. Structured data security, we are talking databases, and file access controls are pretty mature technologies. Collaboration of often sensitive, regulated and confidential information is an IT hailstorm. Given all the diverse ways to obtain and share files, and the various users that could receive files within and outside an organization – it will require organizations to consider additional means to manage files access and disclosure risks.

Kim Kay is associate publisher editor-and-chief of Computer Technology Review.

Leave a Reply

WWPI – Covering the best in IT since 1980