An enterprise-level service gives a centralized IT department robust security measures, which matters most within regulated industries like finance or healthcare. A good service makes allowances for these industries, the compliance issues they face and their unique workflow needs.
Enterprise-level services should also be flexible and scalable. Enterprise IT is responsible for highly sensitive corporate data, across multiple platforms, sometimes all around the globe. A file-sharing service must work across many systems and devices for hundreds or thousands of users, and it must be able to handle fluctuating user populations and needs.
A workable system will allow IT to delegate administrative functions to other groups or departments. In a company of, say, five thousand people, delegating control of individual files or individual users is crucial. An IT team may need to track the creative department’s bandwidth, for instance. But if creative is overusing its allowance, it’s up to the department administrators to figure out that John is streaming Netflix in his spare time.
Let’s examine a few of the enterprise-level features that IT departments and administrators will look for in a file-sharing service.
This is vital: a good file-sharing service needs to protect your information at all times. Your data should be protected while at rest on a cloud server, during file transfer, and while stored on devices (on-device). Check the licensing of your service and make sure it’s accredited, preferably by a trusted Data Privacy Management (DPM) company. Your service should use safeguards recognized throughout the industry, used by government agencies and recommended by trusted organizations like the National Institute of Standards and Technology (NIST).
Here are some specific guidelines by which to judge a service’s security measures:
Security at rest
128-bit and 256-bit AES encryption
Your service should employ no less than 128-bit, and usually 256-bit, Advanced Encryption Standard (AES) encryption to protect data on its servers. 256-bit AES is an encryption algorithm developed by NIST in 2001. It has been adopted by the U.S. government and is used worldwide. This kind of encryption depends on a key, or code, without which the information cannot be read. 256-bit refers to the size of this key: an attacker would have to produce all 256 bits, in the right order, to decrypt and read your document. 256-bit AES is considered an advanced form of encryption.
Virus scans, malware scans and firewalls
Just like your own computers and servers, your cloud servers should be checked by daily virus and malware scans. They should sit behind regularly updated firewalls to keep your data secure at all times.
Security during transfer
SSL and TLS
NIST standards recommend that your information be transferred via protocols called Secure Sockets Layer (SSL) and Transport Layer Security (TLS). These protocols establish an encrypted link between server and client so that sensitive information is not transmitted in plaintext. Note that every version of SSL is now deprecated, so in practice the service should negotiate TLS (1.2 or later) and refuse SSL connections.
Enterprise-level systems will allow you options about who controls the keys to encrypt your information. Some IT departments may require a managed environment in which the department itself controls the keys, and your service should be able to accommodate this need.
When you email documents through the cloud, you’re not emailing attachments. You’re sending a secure link to a document via email. You should be able to set your security requirements for this link. You may choose to allow any user with the link to open straight to the document, or you may require users to input a password before accessing it.
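One way to implement the secure-link model described above, as an added example that is not code from the original page or from any particular file-sharing product: the service stores only a hash of an unguessable 256-bit link token, optionally binds a password to it (PBKDF2-HMAC-SHA256 with a per-link salt), enforces an expiry, and fails closed on any mismatch. The in-memory store, the PBKDF2 iteration count and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store of share links, keyed by a hash of the token.
# Storing only the hash means a leaked database does not yield usable links.
_LINKS = {}

def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumption, tune it to hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_share_link(document_id: str, ttl_seconds: int, password=None) -> str:
    """Return an unguessable token for a link to document_id.
    password=None means anyone holding the link may open the document."""
    token = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits
    record = {"document_id": document_id,
              "expires_at": time.time() + ttl_seconds,
              "salt": None, "password_hash": None}
    if password is not None:
        record["salt"] = secrets.token_bytes(16)
        record["password_hash"] = _hash_password(password, record["salt"])
    _LINKS[_hash_token(token)] = record
    return token

def open_share_link(token: str, password=None, now=None):
    """Return the document_id if access is allowed, otherwise None.
    Fails closed on an unknown token, an expired link, or a missing/wrong password."""
    record = _LINKS.get(_hash_token(token))
    if record is None:
        return None
    current = time.time() if now is None else now
    if current >= record["expires_at"]:
        return None
    if record["password_hash"] is not None:
        if password is None:
            return None
        candidate = _hash_password(password, record["salt"])
        if not hmac.compare_digest(candidate, record["password_hash"]):
            return None
    return record["document_id"]

def revoke_share_link(token: str) -> bool:
    """Let an administrator or the sender kill a link before it expires."""
    return _LINKS.pop(_hash_token(token), None) is not None
```

The same record could carry a view counter or an allowed-recipient list, which is how "open straight to the document" and "require a password" become two settings of one policy rather than two products.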
Your data is secure while it’s on cloud servers, and you can be confident that it’s transferred both to and from servers using an encrypted connection. But what happens to your data once it’s downloaded to a device like a smartphone or a tablet? After all, these devices are physically vulnerable — they can be lost or stolen, leaving your data available to anyone who happens along. How should a service account for this vulnerability?
Data on your mobile device should be encrypted, just like data at rest on servers.
Check your system for a remote wipe feature. If your device disappears, you should be able to sign in to the cloud and activate a program that deletes all your files from your device’s storage, instantly. Voila — secured data!
Your file-sharing service may offer a number of other on-device security features: you could set files stored on your device to self-destruct after a given period of time, limit access to your files by applications other than your cloud app, or block your files from access without the re-entry of a unique PIN or password. In general, the more of these security features your service offers, the better it will be for enterprise.
Enterprise-level file-sharing services should be tested and verified by authoritative sources every single year. Anything less than adherence to industry-wide standards does not fully protect your data.
Your clients and vendors have a vested interest in your data security — you want to be approved by organizations they recognize. Also, make sure that your system is accredited via standards approved by the U.S. government.
Your file-sharing service may receive several different kinds of certifications; many organizations out there offer security audits. Look for some of the most well known of them, like SSAE 16 certificates and ISO certificates.
Statement on Standards for Attestation Engagements (SSAE) audits are conducted by accredited public accounting firms that are certified to do so by the American Institute of Certified Public Accountants (AICPA). They ensure that service organizations like file-sharing services effectively protect information by maintaining good standards for security, clearly communicating those standards to employees, ensuring the physical integrity of their servers and premises, assessing and accounting for potential risks, and performing a variety of other functions that, in combination, protect your data as thoroughly as possible.
Why are these security audits conducted by accounting firms? Because they were originally designed to ensure the security of financial data, some of the most sensitive information out there. Under an SSAE certification, data of any description and from any industry is safeguarded by the same advanced measures to which the protection of financial data must adhere.
There are three kinds of certifications available under SSAE 16 standards: Service Organization Control (SOC) 1, 2 and 3 reports. Your service should retain one of these certifications annually.
The International Organization for Standardization (ISO) is an international body dedicated to providing specifications and guidelines to be sure that materials, products, processes and services work correctly. It has 166 member countries. Millions of people rely on ISO as a standards authority.
ISO offers several types of certifications, including ISO 27001, its standard for information security. An ISO 27001 certification ensures that an organization can manage sensitive information like financial data, intellectual property or private employee details. Find out whether the file-sharing service you’re considering maintains an ISO certification, and, if so, which one.
Security is particularly important in regulated industries. These industries — the healthcare and finance sectors, for instance — work with highly sensitive data, and they must comply with federal rules about the security, storage and transmission of that data. Companies can be legally liable if they are found to be negligent in their regulatory compliance, and the results can be catastrophic to both the companies and their customers.
Because of this, companies in regulated industries tend to maintain their own internal file-sharing systems as well as a cloud-based system. At the consumer level, the cloud just doesn’t offer them enough protection. As cloud-based technologies advance, however, this kind of separation may not be necessary.
Examine your file-sharing service for its specialized security capabilities. Can it provide archiving features? How about dedicated, private storage? Does it advertise support of federal compliance standards? Look for compliance with major regulatory standards, including:
Under the Health Insurance Portability and Accountability Act (HIPAA), any company that deals with Protected Health Information (PHI) must comply with stringent data storage and security standards. These companies could include businesses as diverse as:
• Doctors and hospitals
• Lab facilities
• Printing companies
• Medical equipment suppliers
• Insurance agencies
Basically, anyone who could possibly have access to PHI needs to be HIPAA compliant. Your file-sharing service should support this compliance.
HIPAA includes rules about the physical storage of servers, physical building access, emergency procedures, auditing and — here’s the important one when it comes to the cloud — data security. Most people know this. What’s less well known is that as of 2013, HIPAA has been updated with new regulations: the Omnibus Rule. This update simply makes compliance standards more stringent. Any file-sharing service you choose should have updated its architecture to keep up with the changing law.
The Securities and Exchange Commission (SEC) is a government organization that aims to protect investors and to regulate fair marketplace practices. The financial health of millions of Americans, and of the country itself, rides on the securities industry. That’s why the consequences of financial data security breaches have been so catastrophic in recent years.
Anyone in this industry, from credit rating agencies to stockbrokers, has to adhere to SEC standards in the protection of financial data. They also must be able to produce this data for SEC auditing, sometimes years after the fact. Files and folders, email messages, download notifications — all this information may need to be available to the SEC. So a company in the financial industry must be able to archive it.
To be useful to these companies, a file-sharing service must be able to accommodate their archiving needs. IT departments should be able to specify the amount of time for which data is archived, and at a minimum, that amount of time should be several years.
The Financial Industry Regulatory Authority (FINRA) is an independent regulator for U.S. securities firms. It performs a function similar to the SEC, but in the private sector. FINRA oversees brokerage firms and registered securities representatives, as well as entities that provide training, testing or other services within the securities industry.
If your company is SEC compliant, you’ll also want to be FINRA compliant. A file-sharing service’s archiving feature should help.
Learn more about ShareFile Enterprise File Sharing and Sync