Do You Have Substantial Evidence of Data Breaches Through File Sharing?

Posted by Gary Cooke on September 29 2015

With the explosive growth of freely available consumer file sharing services like Dropbox, many companies are finding out the hard way that their employees have been sharing valuable, and oftentimes confidential, company information with external individuals with little or no security measures in place. When Shadow-IT exists, identifying what information was shared and with whom may prove difficult during legal or internal investigations.

Even companies that have implemented an enterprise file sharing product (Enterprise File Sync & Share – EFSS) as a Dropbox alternative may find that the ability to audit and report on what information was shared, with whom and when is severely lacking in their current product.

Compliance for secure file sharing

Compliance is very stringent in regulated and security-conscious industries like Banking, Financial Services and Insurance (BFSI), and healthcare. When it comes to compliance, there are many concerns that an investigative group, auditors or government authorities will want or need answered. Some of these concerns revolve around:

  • Where did the data come from?
  • Are there different versions of the data being shared?
  • Who was the data shared with?
  • Was the initial sharing of data secure?
  • What actions may the external recipients have performed on my data?
  • Could the external recipient have shared the data with others?

Many enterprises ignore Shadow-IT even after having official evidence of its existence, which may prove risky not only for the individuals responsible for security and compliance, but also for the reputation and existence of the business. Vaultize helps enterprises mitigate Shadow-IT risks by preventing data leakage and ensuring compliance, with end-to-end file security and data governance.

Vaultize provides highly secure file sharing through sync & share (EFSS), mobile collaboration and secure anywhere access to enterprise content repositories, at the same time giving control and visibility to enterprise IT through multi-dimensional access rights, enterprise digital rights management (eDRM or information rights management), mobile content management (MCM) and endpoint data protection.

Even before data is actually shared with an external party, Vaultize is gathering and retaining all of the information associated with that data to answer the questions above. Vaultize allows global data protection policies to be set up on the data that is stored on the end-user devices and permits enterprise IT to determine the length of time the data is retained as well as the number of versions to be kept. Depending on the length of your company’s data retention period, the volume of data on the Vaultize server could grow to be very large. But with content-aware global de-duplication of Vaultize, the amount of storage required could be reduced by as much as 70 – 90%.

Vaultize Link Share policies allow enterprise IT to structure how data can be shared with external parties. These policies can include items like automatic conversion of email attachments (in Microsoft Outlook or Lotus Notes) into secure links, password requirements, preventing access of the link via geographical and/or network fencing, expiration of the link (based on time or access), control of external recipient interactions with the data (online viewing only, downloading with enterprise Digital Rights Management capabilities or watermarking of files), and the ability to share data with others.

Each time data is shared externally an email with a link to the Vaultize server is sent to the recipient.  This email contains information that can be tracked to identify the person(s), the file/folder name, and the link back to the Vaultize server.  All of this data is then stored on the server for the life of the data.

With features like the “History of a File” and “History of a User”, compliance and legal teams can quickly identify the answers to the above questions, including the actions of the external recipient: items like their email and network IP addresses, the dates and times they accessed the data, and any actions they were allowed to perform. These two “Histories” also identify the actions of the internal employee, with information such as where the Link Share was initiated. Was it a workstation/laptop (Windows, Mac, or Linux) or was it a mobile device (Android or iOS)? What IP address was the mobile device using when the external link was shared? In addition to these reports, the Vaultize Audit Trail report contains a complete history of all activity on the Vaultize server based on months in the year. All of these reports can be either exported or distributed to the appropriate individuals.

So don’t expect that all enterprise file sharing products are the same when it comes to the security and auditability of your sensitive company data.  Vaultize is the only enterprise file sharing platform today that can comply with all of your investigative needs and data governance.

Topics: Compliance, File Sharing, enterprise file sharing, Enterprise File Sync & Share, Dropbox Alternative, endpoint data protection, Secure File Sharing, Shadow-IT, data retention, data governance