It’s 2016, Do You Know Where Your Content Is?
With the proper approach and business partner, it is possible to provide end users with the tools they want without compromising for ‘good enough’ security.
28 July 2016
The phrase “It’s 10 p.m., do you know where your children are?” is certainly familiar to anyone who grew up in the United States in the ’60s, ’70s and ’80s. It was a public service announcement heard on television, usually just before the late local news broadcast. Its goal was to remind parents of the curfews in place in many cities as a result of the social protests of the period, and that they needed to pay closer attention to the whereabouts of their kids. I was reminded of the phrase recently when a customer asked, “How can I tell where my content goes once it leaves my company?”
It’s not an uncommon question in today’s information technology world. Cloud services keep proliferating as businesses seek competitive advantage through faster technology deployments and by giving their employees the tools they need wherever they are in the world. While much of the recent discussion about the location of data revolves around data sovereignty, the conversation with a member of a global financial institution’s security team was more focused on the question of who has access to the bank’s data once it leaves the bank’s network.
Now, there are many different ways to approach this question, and several technologies can be combined into a meshed approach to information security that helps companies protect their content in all three phases: at rest, in transit and in use. Some examples are:
- Customer Managed Keys giving customers sole ownership and control over the encryption keys used to protect their content at rest;
- Proper management of internet transport protocols such as having the latest TLS stack in place and disabling old protocols on all web servers to protect content in transit;
- Implementing file-level rights management that provides security and control over files even after they are downloaded by external users, to protect content in use.
But what about the fact that cloud-based technologies make it increasingly simple to integrate 3rd party technologies? What happens if your cloud vendor of choice decides to allow integration of an external tool that your company has not had an opportunity to certify, or that causes your data to flow to a risky geographical jurisdiction? These were the questions this security professional was asking.
Take, for example, Microsoft Office 365. For decades Microsoft Office has been the productivity tool of choice for businesses and consumers alike. As many content sharing and management tools moved to the cloud, and as consumers moved to free cloud storage or file sharing tools, Microsoft did the smart thing and made sure that those customers could continue to access familiar programs like Word, Excel and PowerPoint from the browser. To give their customers the user experience they want, cloud storage vendors, such as Box, and consumer file sharing vendors, such as Dropbox, have now provided integration with Microsoft’s Office Online web apps. However, in doing so they have created the potential for data to travel to a 3rd party vendor (Microsoft) or to a geographic location other than their own… and that is a major concern for any security-conscious business.
If your company uses a ‘freemium’ service such as one of the examples above, when an end user chooses the option to open a file from the cloud storage vendor’s app into Word Online, for example, that file is going to leave the cloud vendor's datacenter, travel across the internet to a Microsoft-managed datacenter in an indeterminate location, be written to temporary memory or disk space while viewed or edited, and then travel back across the internet to its original location with the cloud vendor. The fact that the data is now moving between multiple datacenters and/or locations can introduce unnecessary risk to your data. Any security professional will agree that the fewer parties that have access to your data, the safer your data will be. Two round trips across the internet and access by any number of people while in transit and/or temporary storage with the 3rd party vendor were too much for our banking customer’s comfort level.
Our Security Approach
At Intralinks, we have put information security first since we introduced the first virtual data room 20 years ago. We’re focused on the enterprise and simply don’t allow any 3rd party that wants to integrate with our service to do so without proper consideration by our business-focused security team first. Our customers wanted to be able to use Office 365 as well, so we set about the integration from a ‘security first’ point of view. Today, Intralinks customers can view and edit all of their Office content in Office Online web apps without their content ever leaving the Intralinks datacenters, which our customers routinely audit for compliance with their industry’s highest security requirements. We do this by operating the Office Online applications inside our datacenters so that the data does not have to flow to a public Microsoft instance.
Consumer-grade security is for consumers, not for the enterprise. Before you choose your next cloud service provider, ask yourself whether they put the security requirements of your data ahead of their need to attract more users. Can they prevent your data from ever leaving the geography that your business requires, or will you be at risk of potentially enormous fines for breach of data sovereignty regulations? Are you given the opportunity to audit their 3rd party partners to your satisfaction? Are you given the ability to limit access to their freemium features through policy?
It is possible to provide your end users with the tools they want without compromising for ‘good enough’ security. With the proper approach and business partner, you can always know where your content is.
Todd Partridge is Vice President, Product Marketing at Intralinks. He has broad industry experience in the enterprise information management (EIM) space, with deep expertise in all trends and technologies related to information governance, enterprise content management, document management, web content management, business intelligence, team collaboration, e-mail management, and enterprise records management practices. In his previous role at OpenText, Todd held several global positions ranging from sales, marketing, product management, positioning and strategy.