Are you sharing data securely?
Your employees need to share data between themselves to perform their roles effectively, but how do you ensure that this adheres to your organisation’s security policies? What can you do to control this and help them with sharing data securely?
With multiple employees now working from different sites or hot desking, it’s an area that can easily spiral out of control, so we have a possible solution for you to consider.
Let’s take a common example for many organisations. Employees often need to share data with external 3rd parties on an ad-hoc basis. For most of my time in IT, this has been done by sending an attachment in an email. Policies and procedures that users agree to upon employment, together with mail filter tools such as Mimecast, are options that should also be put in place to prevent data that needs to be secured from being leaked via e-mail.
However, this doesn’t really address the issue. Sending files by e-mail invariably causes issues at the mail server stage, where space is generally at a premium. Mail sent to multiple recipients in the same organisation will result in numerous copies of the same file being stored, which is especially problematic when you consider that the majority of users don’t delete e-mails until their mailbox is full. Additionally, resources on mail servers are often challenged just by handling e-mails with large attachments. As a consequence, if a user runs into a block or needs to send a file which is going to be stopped by the mail server, then they may look for an alternative way, such as a cloud-based file sharing solution.
Several years ago, I was told by an IT manager of a large media company that their organisation moved nearly a terabyte of data through file sharing services every month. They felt the cost of sharing the data by other means or the delays involved would actually harm the business. The problem was they had no control and didn’t know if the data was authorised to be shared or where the data was going.
Using an Ad-Hoc messaging module of a Managed File Transfer (MFT) solution would have allowed them to block sharing sites for all users, yet still allow users to share data in a controlled manner. Ad-Hoc messaging (sometimes referred to as EFSS or Electronic File Sync & Share) allows clients to exchange e-mails containing hyperlinks to files, rather than the files themselves; the files are stored on a web-enabled file transfer server, to which both the sender and recipient are granted access. Although it is clearly desirable to remove the attachments passing through the mail server, doing so does highlight potential failings around the governance of the data entering or leaving the organisation, such as Data Loss Prevention (DLP) and virus-checking.
MFT solutions now integrate into Anti-Virus (AV) and DLP solutions using an ICAP (Internet Content Adaptation Protocol) connector. When a file is shared, the MFT solution passes the file and other metadata to the DLP solution using the ICAP protocol. Based on its content, the DLP server will then check if the file should be sent. If the file is allowed, then an “OK” message is sent to the MFT server and the ad-hoc notification message is sent. If the file is blocked by the DLP server, then the MFT gets a “not OK” message and the server does not send the notification mail. The file is then deleted so it is not cached. Incoming and outgoing files can also pass through an AV Scanner using a similar method to ensure that malicious code is not being shared.
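The allow/block exchange described above, as an added example that is not from the original article or from any MFT product: it frames a file as an ICAP REQMOD request (RFC 3507) and turns the reply into a send/delete decision. The host name, service path and file name are constructed placeholders, and treating ICAP 204 as the “OK” message while failing closed on everything else is an assumption, since verdict signalling differs between DLP and AV products.

```python
from urllib.parse import quote

# Constructed sample replies; reason phrases and headers vary by ICAP server.
CLEAN_REPLY = b'ICAP/1.0 204 No Content\r\nISTag: "sample-1"\r\n\r\n'
BLOCKED_REPLY = (b'ICAP/1.0 200 OK\r\nISTag: "sample-1"\r\n'
                 b"Encapsulated: res-hdr=0, null-body=26\r\n\r\n"
                 b"HTTP/1.1 403 Forbidden\r\n\r\n")


def build_reqmod(icap_host: str, service: str, filename: str, data: bytes) -> bytes:
    """Present the file as an HTTP PUT and encapsulate it in an ICAP REQMOD."""
    # quote() percent-encodes CR/LF so a hostile file name cannot inject headers.
    http_hdr = (f"PUT /{quote(filename)} HTTP/1.1\r\n"
                "Host: mft.invalid\r\n"  # placeholder origin host (assumption)
                f"Content-Length: {len(data)}\r\n\r\n").encode()
    icap_hdr = (f"REQMOD icap://{icap_host}/{service} ICAP/1.0\r\n"
                f"Host: {icap_host}\r\n"
                "Allow: 204\r\n"  # lets the server answer 204 when nothing changes
                # Offsets are byte positions inside the encapsulated section.
                f"Encapsulated: req-hdr=0, req-body={len(http_hdr)}\r\n\r\n").encode()
    # The encapsulated body is always chunked; a zero-length chunk ends it.
    chunk = f"{len(data):x}\r\n".encode() + data + b"\r\n" if data else b""
    return icap_hdr + http_hdr + chunk + b"0\r\n\r\n"


def verdict(reply: bytes) -> str:
    """Return 'allow' only for an ICAP 204; malformed or other replies block."""
    status = reply.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(status) < 2 or not status[0].startswith("ICAP/"):
        return "block"  # fail closed on garbage, timeouts mapped to b"", etc.
    return "allow" if status[1] == "204" else "block"


def share_file(store: dict, name: str, reply: bytes) -> bool:
    """True means the notification mail may go out; otherwise the file is purged."""
    if verdict(reply) == "allow":
        return True
    store.pop(name, None)  # delete the held copy so a blocked file is not cached
    return False


if __name__ == "__main__":
    held = {"report.csv": b"name,card\n"}
    print(build_reqmod("icap.example.invalid", "dlp", "report.csv", held["report.csv"]))
    print(share_file(held, "report.csv", BLOCKED_REPLY), held)
```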
When you installed MFT, ICAP may not have been included in your AV or DLP solution, but most now offer it, so it’s definitely worth reviewing your integration options.
ICAP is not a perfect solution and has some technical drawbacks. For example, most ICAP-based solutions (and there are only a few) require that you provide the ICAP interface by way of a proxy, which will not necessarily interact well with every MFT solution – be sure to check which specific products are supported by your MFT system. Another potential issue can be the length of time required to transfer large files to the ICAP server for inspection – in some cases this may result in a perceived lag during the sending of the Ad-Hoc message. However, combined with the Ad-Hoc module of an MFT solution, it allows the control of data in and out of an organisation to meet IT security policies without restricting the end users from performing their duties.
If you would like to investigate whether an MFT solution would be right for your organisation, you can check out our Expert guide to MFT which includes some questionnaires to help you. Alternatively, if you’d like to discuss your options, feel free to give our team a call on 0333 123 1240.