Can Box, the secure file-sharing service, persuade investors in its coming IPOs that it can eventually overcome the wariness or inability of some businesses – especially those dealing with sensitive financial information or health records – to use online services? It is a risky bet at best. Here is why.
Maintaining secure information exchange is the Holy Grail in almost every enterprise. But data can leak out, often through the intentional removal of data and via malicious hackers. Ensuring security is then both a technology deployment matter and a user training issue. It is possible to implement an extremely secure system, but it may require exceptional knowledge on behalf of both the sender and the recipient of the data. If tools and applications are easy to learn and simple to use, people will be more likely to adopt them. To maximize the reach of any delivery tool, though, it is imperative to make sure the recipients of a secure delivery need no special software to install or run to retrieve a delivery.
Companies face requirement issues at every turn. New federal and state regulatory compliance requirements are forcing many organizations to implement strategies and policies that are meant to protect sensitive information from unauthorized access. Healthcare organizations must follow strict guidelines when working with or transmitting a patient's Protected Health Information (PHI) as mandated by the Health Insurance Portability and Accountability Act (HIPAA). Financial services firms are gearing up to meet requirements for the Gramm-Leach-Bliley Act (GLBA), which helps protect consumers' private financial information.
Unknown risks abound. Many people using the web or an email system are unaware of the risks they take when sending or receiving confidential or sensitive messages or files. Significant risks are associated with email, particularly because the route an email takes from sender to recipient may not be as straightforward as one might imagine. Email also suffers from increasingly strict policies enforced at the corporate or ISP level, such as message size limits, bandwidth caps, restrictions on file types, and potential network clogs due to spikes in traffic when sending large attachments to many recipients.
Native architecture is so much better than porting a solution. FTP, an early technology, has been a file delivery protocol for over thirty years. Originally designed primarily as a simple file transfer system, with most of its security features bolted on, the protocol is just not inherently secure and was never intended to fit into a secure environment.
Most enterprises are reluctant to lose control over their data. The cloud is great for many applications, but the security conscious organizations will still have reservations about potential data co-mingling, vendor access to information, and even concerns about vendors giving up data to the National Security Agency (NSA). In highly regulated industries, losing control over data in the cloud just isn't an option.
The network is just as important as the data. Although some companies may be willing to open up their network through such secure tunneling solutions as virtual private networks or other remote access technologies, many organizations just aren't willing to take on the danger of exposing critical servers and portions of the network to outsiders. In addition, these types of network accesses may require specialized software and a certain level of network knowledge that many people do not have.
Tracking, auditing and reporting are key. One of the major requirements of many compliance regulations is the need to view and audit transaction records for deliveries, notification, and pickup by recipients. Tracking email that is sent out by individuals is a difficult task, and not easily monitored; items in sent folders can be easily deleted. FTP logs are cumbersome and difficult to decipher by a typical user. As FTP and web server logs are essentially text files, other tools are usually required to filter and generate useful reports.
Email, FTP, web downloads and cloud services are susceptible to many problems, often inherent in the technology upon which they are based. Whether organizations are looking to change existing policies and behavior by introducing new tools like Box, or are trying to lock down existing applications, they need management, reporting and auditing capabilities to help them achieve the levels of security and confidence they need as part of larger efforts for a more secure collaboration infrastructure.