File sharing apps: Do I need a Dropbox alternative?

Eight features that your file sharing application should have to be secure

Read up on the risks of using file sharing apps, how they measure up against compliance, and get tips on tackling shadow IT in your organisation. This is a valuable resource if you are considering sourcing a Dropbox alternative.

The term ‘shadow IT’ refers to applications that haven’t been approved or sanctioned for a company network. Employees install them when they need a quick fix to a problem, bypassing IT processes to get the job done quickly.

Cloud-based file sharing applications are a particularly common form of shadow IT and it is easy to understand their appeal. An employee needs to send a large file; it is too big for email, so they download a consumer grade app and get the job done quickly.

But there are many reasons why this isn’t good practice – especially if the file contains personally identifiable information or company sensitive data.


File sharing apps: The risks

Data breach

The first question to ask yourself is ‘What am I sharing?’ If it is commercially sensitive information, or the personally identifiable data of your employees, customers or business partners (including images) then you need to be very careful.

Vulnerabilities in shadow IT can expose your data to hackers and malware, which can disrupt infrastructure, cause reputational damage and financial loss. For example, under the new EU legislation to protect personal data (GDPR), you could face a fine of up to €20 million (around £17.5 million).

Ask yourself these questions:

  • Does the application use secure protocols to transfer data to and from the cloud? You should be looking out for SFTP, FTPS or HTTPS.
  • How does the application authenticate users? For example, is there a password management policy that enforces strong, secure passwords for users (both senders and recipients)? Do passwords expire after a certain time?
  • Where does the data physically reside? With cloud-based consumer file sharing apps the servers could be based anywhere in the world. You need permission from the data subject to hold their personal data outside the EU. In addition, there is the risk that the country does not have the same strict data protection regulation as the EU. You are still responsible for making sure it is processed securely though.
  • Is the data encrypted at rest using PGP or AES?
  • Do you know how long the data is retained before it is removed? Leaving a file in place after its transfer obviously increases the risk of access by unauthorised people. It is your responsibility to know when sensitive data is removed, and that it has been done securely and definitively. Ideally, your system should allow you to set up automated rules for secure wiping of data.
  • How is access to the data managed? Can you – for example – set permissions so users (including administrators and recipients) can only access the data they require?


Consumer grade file sharing apps usually only offer single accounts, which is not a cost effective model for your organisation. Costs may be hidden within departments and add up to more than a licence for a properly approved platform with assigned user accounts and administrator access.

Business continuity

Multiple single accounts mean no one at the organisation has administrator access. When a member of staff leaves, the business is unable to access the file sharing application they have been using. You may lose files and contacts, or worse, be unable to evidence what data was sent, in the event of a data breach investigation.

Auditing and reporting

The GDPR requires organisations to ‘maintain a record of processing activities’ (article 30). Organisations should have a log showing all personal data transfers that occur, alongside an impact assessment to show each transfer has been completed securely. With multiple single user accounts, organisations lack this administrator overview.

Do I need a Dropbox alternative?

Dropbox Business and Education customers can be confident that security measures are in place. Details can be found in the Shared Responsibility resource.

There is no clear statement for Dropbox Basic, Plus, and Professional users though. The Dropbox Data Protection White Paper states: “While the scope of our certifications and audit reports typically refers to Dropbox Business and Dropbox Education, the majority of our controls are applicable for Dropbox Basic, Plus, and Professional users as well.”

This is not definitive and there is no indication as to which controls are included and which are not. We contacted Dropbox press office to ask for this information, but we did not get a response.

Pro2col technical consultants have investigated Dropbox Basic, Plus, and Professional and identified the following areas of concern:

  • Personal accounts do not have access logs.
  • There is no data processing agreement for any individual account.
  • There is no clear statement on where the data is stored.
  • There is no clear statement on secure data wiping.
  • Although Dropbox encourages users to use strong passwords and implement two-factor verification, this is not enforced.
  • Once a user has deleted a file, Dropbox will permanently delete it from their servers after a fixed time. If the user does not delete the file though, that data will remain there indefinitely.

Based on this, we do not recommend using Dropbox for transferring company sensitive information or personally identifiable data.

File share apps: Tackling the issue

Unless there is an alternative file-sharing platform for employees to use, they will inevitably resort to shadow IT. You need to build relationships with your users and provide a tool that works for them.

Build relationships with users

With file sharing apps and other shadow IT, it is really important to educate employees about the risks. They are more likely to think twice if they understand the consequences of a data breach. Building relationships with users in different departments allows you to identify their requirements and source a solution that meets their needs.

Provide a Dropbox alternative

There are excellent products on the market that allow employees to share files in a way they have become used to, but securely, and with enhanced governance and visibility of data. Users can easily share files of virtually any kind via any web browser, allowing others to access, upload, and download folders and files.

In fact, you may already be able to do this if you are using an ftp server – contact us to find out how.

If you think you need a new solution, our free bespoke secure file transfer comparison report will save you weeks of research time and identify the right solution for you. It is informed by 15 years’ experience delivering secure file transfer solutions, a deep understanding of user needs and continuous review of the multiple vendors on the market.

You complete a series of questions about your current and future business requirements, and receive a bespoke report from our technical consultants recommending the best solution for your needs and budget.

This information is up to date at the time of publishing – 7th June 2018 – and based on research our technical consultants carried out. The information about Dropbox was research using the feature comparison for Basic, Plus and Professional, Dropbox business: Shared responsibility, Dropbox Data Protection White Paper, Data Retention Policy and password information.

Are your GDPR impact assessments all in place?

Are your GDPR impact assessments all in place?

By 25th May 2018 you will need to have carried out GDPR impact assessments for all processing activities involving personal data of EU citizens. This is really important, even if you are confident your systems, processes and security is in line with the regulation.

This blog takes you through the reasons why, plus exactly what an impact assessment is in the context of data transfer and file sharing.

What is a DPIA?

The Data Protection Impact Assessment – or DPIA – is described in article 35 of the GDPR and then detailed in article 30. DPIAs need to be created for all new workflows and retrospectively applied to all existing workflows.

A DPIA performs several functions at the same time:

  • It is a risk and impact analysis
  • A description of a workflow including its purpose
  • A breakdown of security settings
  • It forms the basis for subsequent audit reviews.

The reality is that every workflow handling personal data must be fully documented. There is no official template for this document, but it makes sense to adopt a standard form as early in the process as possible. Consider creating two assessments – one top level and one containing the technical detail.

Think of the top level DPIA as an executive summary providing a description of the processing options, and the reason for doing it. This can be as simple as ‘Sending employee Records from HR system to Accounts SFTP server’ and ‘Required for loading monthly payroll’. It should also contain the perceived risks to the process, and any mitigations applied. The DPIA needs to be signed off by the Data Protection Officer.

The more technical DPIA should contain the detail of the workflow. We recommend the following as a minimum:

  • The software in use
  • The Data Controller Name
  • The categories of data being transferred
  • The recipient category (EU/3rd Country/International Organisation)
  • The data retention period
  • The security methods being employed (Encryption, High Availability, recovery options, penetration tests, etc.)

DPIA as a record of processing

Completing a DPIA meets the requirements of GDPR article 30. It means that during an audit, you will be able to provide a document to fully explain each workflow handling personal data.

It also means that you will need to periodically review each DPIA and ensure that they still match the reality of the situation – sometimes every organisation will have an update to a workflow (planned or otherwise) which does not get adequately documented. Similarly, if something outside the actual workflow itself changes (for example, retention periods), then the DPIA needs updating. It makes sense to attach the results of continuity or penetration tests directly to the DPIA as evidence, if ever required.


White Paper and supporting resources

You can find out more about this and other aspects of the GDPR for data transfer and file sharing in our White Paper. When you download this you will also receive an example GDPR impact assessment template and interface mapping template. These resources are designed as a guide to support you meeting the requirements of GDPR article 30 and 35.

GDPR access control and authentication

GDPR access control and authentication

You will have deduced from previous blogs in our GDPR series that the regulation doesn’t always stipulate specific security measures for protecting personally identifiable data. Often it is down to the data controller to implement measures appropriate to the risk and sensitivity of the data.

While there are no specific guidelines for your authentication and access control policies – as experts in secure data transfer – we recommend a stringent approach based on the following three articles…


Article 25: Data Protection by design and default

This article seems a bit of a catchall for anything security-related, but it is also the bedrock to GDPR implementation. Alongside the expected security points, there is a specific sentence that applies to access control:

“In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”

This bit is pretty explicit. It says only the ‘natural persons’ who need access to process the data get access. From a security point of view that means access to any data should always be restricted on a ‘need to access’ basis, regardless of whether it is an administrator or general user.

The word ‘indefinite’ needs to be considered too. There are several dictionary meanings of the word: ‘unlimited’ or ‘not determined’, for example. In this context though, I believe that a better definition is ‘vague or unclear’. From this, we can infer that an Access Control List (ACL) for any personal dataset should be kept to the minimum and make it clear why each access has been granted. From a GDPR perspective, this should fall under the Impact Assessment that defines the whole process.

One could also argue that the necessary safeguards are put in place to protect the data as mentioned in article 25. For authentication purposes, this might include multi-factor authentication. In fact, the GDPR has no specific requirement for MFA, although it is safe to assume this would fall under ‘Data protection by design and by default’.


Article 32: Security of processing

This article reminds us that the risk of disclosure or destruction of data is offset by the level of security that has been applied. The requirement here is to assess risks from the processing; it is referred to both in article 30 and 39.


Article 30: Records of processing activities

This article centres on reporting on the security measures you have in place. It states that you need to provide “a general description of the technical and organisational security measures referred to in Article 32(1)”

This means that you should have a record of what access has been granted to people and perhaps more importantly, why. Recital 82 of the regulation also states that records of security changes are kept and can be made available on request.



Managed File Transfer (MFT) solutions have several features that will address any authentication and access control concerns ahead of the GDPR.

Organisations should be able to create unique user identities within a file transfer system, and monitor user activities. The system either needs to provide a robust mechanism for setting password strengths and expiration policies, or use existing security systems to manage these (these are generally more advanced). Some systems offer Multi Factor Authentication (MFA), where users have to confirm their identity by another means (eg: Entering a unique code sent by email or text).

Additionally, the system should restrict users to only access the data they require, whilst not being so restrictive that they cannot work. Organisations also need to think about how third parties authenticate their identity. For example, a recipient at another organisation should authenticate their identify when receiving files through an EFSS system.

You may also want to consider encrypting data at rest, which will add an additional level of security. You can find out more in our earlier blog post, Encryption at rest for GDPR.

If you would like to find out more about how GDPR will impact your data transfer and file sharing systems and processes, download our White Paper.

Personal data in MFT GDPR compliant?

Is personal data stored in my file transfer system GDPR compliant?

When you are checking your data transfer systems and processes for GDPR compliance, it is easy to focus on the security surrounding the transfer itself. But there are other requirements for the processing of personal data to consider too. Article 4 defines processing operations as including “storage, retrieval, restriction and destruction”, so essentially the regulation applies to all operations surrounding a transfer, not just the transfer itself. This blog post takes you through data storage in your file transfer system.

The two key things to consider here are:

  1. Securing the data being stored, whilst making sure it is available in the event of an issue;
  2. Removing files that are no longer needed.

What the GDPR states

Article 25 is about ‘data protection by design and by default’. We are explicitly told that…

“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to […] the period of their storage and their accessibility.”

This essentially means that data should only be kept for as long as it is needed and only accessible to those needing it.

Article 32 recommends some appropriate measures to control security and who has access to the data. Article 32 requires us to implement appropriate measures, including:

The pseudonymisation and encryption of personal data;
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.



Secure but available data

The data that we are storing in a file transfer system must be encrypted, but available in the event of an issue. This may be Highly Available (HA) or Disaster Recovery (DR) as applicable. Access needs to be secured so that only the right people can access the data. You also need to carry out regular security testing, so it is time to book your penetration tests!

There are, of course, several Managed File Transfer (MFT) products offering encryption and availability, which tend to be at the higher end of the market. You can achieve similar functionality using PGP encryption prior to presenting data to the transfer system, and regular VM snapshots.

Remove files that are no longer required

You need automated rules or processes in place to remove personally identifiable data or old user details from your file transfer system once it is no longer required. Think, for example, about data you share with your business partners. Too often, we see that files are not removed from the MFT platform immediately following their transfer (both inbound and outbound). The key characteristic of any file transfer system is of course the file transfer function – not file storage. Leaving a file in place after its transfer obviously increases the risk of access by unauthorised people.

Put an agreement in place with your business partners to delete files as they download them. As a backup, you can set up an automated rule to delete files after a certain time.



  • Don’t leave data in an MFT system any longer than absolutely necessary;
  • Encrypt everything;
  • Check your backups or availability solutions and test them regularly;
  • Organise penetration tests.

Interested in a file transfer solution?

Logging and reporting data transfers for GDPR Article 30

GDPR Article 30: Logging and reporting data transfers

This post looks at GDPR Article 30 and your responsibilities for logging and reporting data transfers that include personally identifiable data. It is part of our GDPR blog series. Each post looks at different aspects of data transfers or file sharing, and includes recommendations for GDPR compliance.

In previous blogs, we have discussed encrypting personally identifiable data in transit and at rest, in order to satisfy GDPR requirements. This blog post looks at reporting and auditing the file transfer operations.

Unlike many articles in the GDPR, you can find what you need to know in one simple place: Article 30 (Records of processing activities).

You need to consider the following recital statement (#82) for GDPR Article 30:

In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

This means you need to document how your data transfers should take place (through an impact assessment), and log how they actually occurred in practice. Your Data Protection Impact Assessment (DPIA) should explain the sensitivity of the data, where data is sent, among other factors, and stipulate security requirements accordingly.

To be compliant with GDPR, you should be able to compare the DPIA with your logging – perhaps through an automated means – to show that transfers are taking place as stipulated and any discrepancies can be addressed as they occur.

The ‘supervisory authority’, would generally be the Data Protection Officer (DPO), who is responsible for an organisation’s GDPR compliance, including performing impact assessments. At a minimum, DPOs need to know when the reporting flags up that a transfer has diverged from the criteria stipulated in the impact assessment (articles 35 & 39).

Managing user accounts

Another point to consider is the management of user accounts. First, there is Article 7 (Consent) to take into account. You must keep a record of the consent given when an end user signs up to the file transfer service. (Mostly this applies to external users, as internal users usually give consent through their terms of employment). You must be able to show the wording of the consent at any time during the life of the user account, so you may wish to record (and report) on this information separately – perhaps in the user profile itself.

You will also need to report on user accounts at various stages of their life. Under GDPR, you can only keep personal data for as long as it is required, and reporting will highlight any personally identifiable data that needs removing. Article 17 tells us that the controller has an obligation to erase personal data when it is no longer necessary for the purpose for which it was collected. Many systems will automatically expire accounts if they are not used for a period of time, but you may still have user’s personal details that will need to be removed. Creating a report of expired user accounts will highlight these.

Managed File Transfer (MFT) solutions transfer data quickly and securely, enhancing productivity and providing visibility. Systems have a range of features to keep you compliant with the GDPR. Find out more about how it can can transform your business on the MFT solutions page.

Are you reviewing your data transfer and file sharing processes and systems for GDPR compliance? Pro2col’s GDPR White Paper is an essential read for you.

Encryption in transit for GDPR

Encryption in transit for GDPR


Our series of GDPR blog posts highlight how the new regulation will impact your data transfer and file sharing processes and systems. ‘Encryption in transit for GDPR‘ looks at this key part of processing.





Your data transfer responsibilities can be open to interpretation in some areas of the GDPR. One thing that’s abundantly clear, however, is the need to encrypt personal data during processing (i.e. during the transfer).

Article 32 tells both the controller and processor to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including…encryption of personal data”.

Obviously, this is where Secure File Transfer becomes necessary. Transfers are generally going to be secured using either SSL (both FTP & HTTP) or SSH.

We’re all familiar with SSL and tend to use it to describe both the “Secure Sockets Layer” and “Transport Layer Security” (TLS) cryptographic protocols. Only TLS, however, can still be considered secure. SSL is no longer safe to use (In 2016, the PCI Council updated the PCI-DSS standard to exclude all SSL versions plus TLS 1.0 as well). Whilst TLS 1.1 is still considered secure, it’s preferable to only use TLS 1.2, which is considered by some to be “more secure”.

Unfortunately though, many older computers cannot transfer using TLS. This leaves some organisations with a dilemma. Allow these older insecure protocols or insist that clients upgrade their computers? With the introduction of GDPR, this is no longer an option.

SSL relies on certificates, which need managing and ensuring they are properly signed. It is safe to say that self-signed certificates will not be acceptable from a GDPR perspective.

SFTP (SSH file transfer) is generally considered to be secure and in many cases is preferred to SSL because it only requires one firewall port to be opened. SSH public keys should be exchanged between the client and server in advance of use, to ensure that the correct keys are accepted.

In either case, regardless of which protocol you decide to employ, you will also need to be aware of ciphers and algorithms. In the same way that some cryptographic protocols are considered insecure, some ciphers and algorithms are too. For example, for SSL you would disable DES and RC4 and for SSH you would disable arcfour. Your data protection officer should be able to tell you the full list of which ciphers to disable.

Another important point to consider is whether you need to play the client or server role. In other words, will you transfer the files, or provide a secure location for people to exchange files. As a client, you are somewhat at the mercy of the server owner who will dictate which protocols may be used. Conversely, as the server owner, you need to ensure that either the software that you select supports a broad variety of clients, or else distribute client software to your trading partners.