Demystifying Security: Enterprise File Sync and Share (EFSS)


What is the challenge?

Until recently, the easiest way to share documents or files with other employees was either a USB drive (for large documents) or email, if the size allowed; email was also the option of choice when sending documents to external contacts. For larger documents, external providers like WeTransfer were used to temporarily hold the file for the recipient to retrieve and download later.


However, this way of proceeding had many limitations as well as security concerns. First, email is not 100% reliable: with several documents attached, depending on their size and format, such emails could get blocked or end up in the Junk folder and be ignored. It also generates unnecessary traffic and is inefficient, as the same document would often need to be resent several times because recipients forgot to download it locally onto their computer and just left it in their mailbox or deleted it. Finally, once a document has left, no control whatsoever can be exercised over it, such as preventing the wrong people from accessing, editing, or printing it; unlimited copying and editing of the original document could happen without any supervision.


The question is: how can we let our employees both store and share corporate documents, internally or with external parties, while enforcing our data protection policy?


What is EFSS?

Enterprise File Sync and Share (EFSS) is a service that allows employees to save their documents into a single, personal work repository, keep them synced, and access them from their computer and mobile devices, from anywhere, transparently, as if they were opening documents stored locally.


That repository can be located either in the cloud, at a provider, or on the local network using a dedicated, on-premises solution.


All Your Documents, Synced and Backed Up

As its name indicates, the first function of an EFSS is to sync documents, ensuring that when an employee creates and modifies documents from different endpoints – for example a corporate-owned desktop computer at the office, their BYOD laptop at home, or their mobile device while on the road – the latest version of all their documents is always available on all their devices.


On desktop computers, a client application running in the background takes care of syncing all documents under the employee's work repository (a local, dedicated folder on their computer) with the back-end server. On mobile devices, due to obvious space limitations (compared to desktop computers) and the way documents are processed, a copy of all documents is not kept by default; users can instead choose which documents they want to always have available on their mobile devices, even when offline (e.g., in flight mode).


When a user works on multiple computers, all the documents placed in their personal work repository are automatically synced and available in their latest version on all their devices. Likewise, when migrating to a new computer, these documents are automatically downloaded from the repository.




The real power of an EFSS solution is the ability to share documents, easily and securely, both internally, with colleagues, and externally, with customers and partners, and still retain control over the document.


For example, after finishing a document, an employee can, directly from their favorite word processor, share it with other people by providing their email addresses; they receive an email with an (encrypted) download link, click on it to open the document in their own favorite editor and, depending on the permissions set, only view the document, make comments, or modify it, in real time. This is especially great when several people are working on the same document at the same time, for example when writing this very blog post you are currently reading 😉 No need to resend the latest version by email for review, as everyone has access to the latest version of the document at the same time.


Revision control, also known as versioning, is particularly interesting when several people work on the same document, for example a marketing department making changes to a product brochure or leaflet; if one needs to go back to a previous version, it is as easy as selecting the last good version, reviewing it, and restoring it if appropriate. No need to use a backup or a different copy of the same file.


Collaboration, for example the ability for several employees to work on and make changes to the same document in real time, is also a key feature, but it is not available with all EFSS solutions.


It is important to review your own use case and understand the needs of your employees to find the EFSS solution that fits best; versioning might be required when exchanging large documents, with no need for live collaboration, while in other cases live collaboration is crucial for employees to work together efficiently. As usual, there is no one-size-fits-all solution; it is all about your own needs and requirements.


Externally, While Remaining in Control

Sharing internally, with colleagues, is quite easy, as documents do not leave the boundaries of the organization and its control over them. The real challenge, in terms of security, is how to share documents with the outside world while still retaining visibility and control over them.


When sending a copy of a document by email, there was absolutely no way to do anything afterward: that document could be edited, copied multiple times, shared with other recipients, etc.


Using an EFSS allows organizations and their employees to keep control over the documents they share with external contacts. One option is to only allow recipients to access the documents through an online portal, from which they can view, and possibly edit, said documents, but have no option to download or print them.


But there are situations (use cases) where recipients need a local copy of the document on their computer, for example for convenience when working on it (using the online web version of your word processor is never the same as using the desktop one). To cover these cases, where the documents will “physically” (digitally) leave the boundaries of the organization, certain vendors include Digital Rights Management (DRM) technology: even if the document is technically out of reach, located on an endpoint we have no access to, we can still embed controls in it that apply no matter where the document is. This ranges from preventing editing and printing to time-bombing the document (limiting the time during which it can be opened) and/or including a watermark in it, so that if someone takes a screenshot of part of the document, attempting to leak it, we can identify who did. Some vendors even allow reporting back the IP address from which the document was opened, to geolocate it.
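The share-by-link flow described earlier (a recipient gets a link and can only view, comment or edit according to the permissions set) and the DRM controls above (no printing, a time limit, a watermark naming the recipient) both come down to a grant that the recipient cannot alter. The Go program below is an added illustration of that idea, written for this article; it is not code from any EFSS vendor. It assumes a server-side secret, a `Grant` structure and the permission names `view`, `comment`, `edit`, `download` and `print`, all of which are this example's own choices. The grant is serialized and protected with an HMAC-SHA256 tag, so a link whose permissions or expiry have been edited is rejected; the watermark text travels inside the grant for a viewer to stamp on the rendered pages.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Grant is the policy the EFSS attaches to a share link: which document, who may
// open it, what they may do with it, and until when (the "time bomb"). The field
// names are this example's own, not any vendor's link format.
type Grant struct {
	DocID     string   `json:"doc"`
	Recipient string   `json:"rcpt"`
	Perms     []string `json:"perms"` // subset of: view, comment, edit, download, print
	ExpiresAt int64    `json:"exp"`   // Unix seconds after which the link is dead
	Watermark string   `json:"wm"`    // text a DRM-aware viewer stamps on every page
}

// IssueLink serializes the grant and appends an HMAC-SHA256 tag computed with a
// server-side secret, so the recipient can neither widen their permissions nor
// push back the expiry without invalidating the link.
func IssueLink(secret []byte, g Grant) (string, error) {
	payload, err := json.Marshal(g)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// OpenLink checks the tag, the expiry and the requested action, in that order,
// and returns the grant only when all three pass. This runs on the server (or
// inside the viewer that enforces the DRM controls), never on the recipient's side.
func OpenLink(secret []byte, link, action string, now time.Time) (Grant, error) {
	var g Grant
	parts := strings.Split(link, ".")
	if len(parts) != 2 {
		return g, errors.New("malformed link")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return g, errors.New("malformed payload")
	}
	tag, err := enc.DecodeString(parts[1])
	if err != nil {
		return g, errors.New("malformed tag")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	if !hmac.Equal(tag, mac.Sum(nil)) { // constant-time comparison
		return g, errors.New("signature mismatch: link was altered or issued elsewhere")
	}
	if err := json.Unmarshal(payload, &g); err != nil {
		return g, err
	}
	if !now.Before(time.Unix(g.ExpiresAt, 0)) {
		return g, errors.New("link expired")
	}
	for _, p := range g.Perms {
		if p == action {
			return g, nil
		}
	}
	return g, fmt.Errorf("action %q not permitted for %s", action, g.Recipient)
}

func main() {
	secret := []byte("constructed demo secret, not a production key")
	issued := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	g := Grant{
		DocID:     "brochure-v3",
		Recipient: "partner@example.com",
		Perms:     []string{"view", "comment"},
		ExpiresAt: issued.Add(72 * time.Hour).Unix(),
		Watermark: "Shared with partner@example.com",
	}
	link, err := IssueLink(secret, g)
	if err != nil {
		panic(err)
	}
	for _, action := range []string{"view", "print"} {
		if _, err := OpenLink(secret, link, action, issued.Add(time.Hour)); err != nil {
			fmt.Printf("%-5s -> denied: %v\n", action, err)
		} else {
			fmt.Printf("%-5s -> allowed, viewer stamps %q\n", action, g.Watermark)
		}
	}
	_, err = OpenLink(secret, link, "view", issued.Add(100*time.Hour))
	fmt.Println("view after 72h -> denied:", err)
}
```

The design point worth noticing is that every control lives in the grant and is checked where the organization still has code running (the portal or the vendor's viewer), which is exactly why the article stresses that a plain email attachment offers none of this: once the bytes are on someone else's machine there is nothing left to verify.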



It is important to understand where your data will be stored (if using a cloud-based solution), how it will be accessed and from where, and how it will be secured, both at rest and in transit.

Since corporate data, in the form of documents, will be travelling between your endpoints and the EFSS solution, it is important to confirm with your vendor that their solution supports encryption not only of the data at rest (locally on your endpoints) but, most importantly, end-to-end encryption of the data in transit, especially when using a cloud-based solution where said data travels over the internet. Some vendors even offer zero-knowledge encryption, which means the keys always stay with the owner and no server-side decryption is possible by the vendor; this provides extra privacy and security.
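To make the zero-knowledge property concrete, here is an added Go example written for this article, not taken from any vendor's client. It assumes a sync client that holds a 256-bit master key which never leaves the owner's devices, encrypts each file with AES-256-GCM before upload, and a provider store (`ProviderStore`, this example's own name) that only ever sees nonce and ciphertext. The file name is bound as associated data, so the provider cannot re-label a ciphertext, and because GCM authenticates, any modification of the bytes at rest is detected on download rather than silently producing garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Blob is what the sync client uploads for one file. Note what is absent: the
// key. The provider can store, replicate and back up this record, but cannot
// read the document. The layout is this example's own, not a vendor's format.
type Blob struct {
	Name       string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// NewUserKey generates the 256-bit master key that stays on the owner's devices
// (a real client would derive it from a passphrase or keep it in a device keystore).
func NewUserKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the client before upload. The file name is bound as
// associated data, so a ciphertext cannot be re-labelled on the server and
// still open under a different name.
func Seal(key []byte, name string, plaintext []byte) (Blob, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per file version
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Name: name, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(name))}, nil
}

// Open decrypts on the client after download. Any change to the stored bytes,
// the nonce or the name fails authentication and returns an error, so integrity
// at rest comes together with confidentiality.
func Open(key []byte, b Blob) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(b.Name))
}

// ProviderStore is the server side: a plain key/value store that never sees a
// user key, so everything it holds is opaque to it.
type ProviderStore struct{ blobs map[string]Blob }

func NewProviderStore() *ProviderStore { return &ProviderStore{blobs: map[string]Blob{}} }
func (s *ProviderStore) Put(b Blob)     { s.blobs[b.Name] = b }
func (s *ProviderStore) Get(name string) (Blob, bool) {
	b, ok := s.blobs[name]
	return b, ok
}

// Exposes reports whether the provider could find the given plaintext anywhere
// in what it stores; for a zero-knowledge design this must always be false.
func (s *ProviderStore) Exposes(plaintext []byte) bool {
	for _, b := range s.blobs {
		if bytes.Contains(b.Ciphertext, plaintext) {
			return true
		}
	}
	return false
}

func main() {
	key, _ := NewUserKey() // never uploaded
	store := NewProviderStore()
	doc := []byte("Q3 product brochure, internal draft") // constructed sample document
	b, err := Seal(key, "brochure.docx", doc)
	if err != nil {
		panic(err)
	}
	store.Put(b)
	fmt.Println("provider can read the draft:", store.Exposes(doc))
	fetched, _ := store.Get("brochure.docx")
	back, err := Open(key, fetched)
	fmt.Printf("owner decrypts: %q (err=%v)\n", back, err)
	fetched.Ciphertext[0] ^= 0x01 // a single flipped byte at rest
	_, err = Open(key, fetched)
	fmt.Println("tampered blob opens:", err == nil)
}
```

The price of this design, which the vendor's documentation should spell out, is that the provider cannot reset a lost key for you and cannot index or preview document contents server-side; whether that trade-off is acceptable is part of the use-case review the article recommends.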

In order to control where data can be accessed from, it is recommended to use Conditional Access, with additional factors like device, location, application, or real-time risk level to determine whether a user will be allowed to access a service, be blocked, or be allowed only after validating additional checks. This is a requirement for some customers, especially in regulated sectors, to ensure for example that certain documents, even if accessed legitimately by an employee using an approved device, cannot fall into the wrong hands in an unsecure, untrusted area or region/country. For example, for a Swiss bank employee travelling to the US, access to certain documents is blocked to prevent unauthorized access by US authorities (e.g., CBP) while physically in the country, to protect bank secrecy.
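The following Go program is an added example of the Conditional Access evaluation just described, written for this article rather than taken from any IdP or EFSS product. It assumes a request context carrying the signals the paragraph lists (device state, country, application, real-time risk level) plus a document classification, and a tenant policy with an allow-list of countries for restricted material; the names `AccessContext`, `Policy`, `Evaluate` and the three outcomes `Allow`, `StepUp` and `Block` are this example's own. The rules are applied most-restrictive first, and the bank-secrecy scenario from the text is one of the constructed cases.

```go
package main

import "fmt"

// Decision is the outcome of a Conditional Access evaluation.
type Decision int

const (
	Allow  Decision = iota
	StepUp          // grant only after an additional factor (MFA) succeeds
	Block
)

func (d Decision) String() string { return [...]string{"allow", "step-up", "block"}[d] }

// AccessContext is the signal set the EFSS (or the IdP in front of it) sees on
// each request. Names and values are this example's own.
type AccessContext struct {
	User          string
	ManagedDevice bool   // enrolled in the organization's device management
	Country       string // ISO 3166 code of the request origin
	App           string // "desktop-client", "web" or "mobile"
	RiskLevel     string // "low", "medium" or "high", as reported by the IdP
	DocClass      string // "public", "internal" or "restricted"
}

// Policy holds the tenant's settings; a real product exposes these in its console.
type Policy struct {
	RestrictedCountries map[string]bool // where "restricted" documents may be served
	ManagedForEdit      bool            // editing from unmanaged devices needs MFA
	WebNeedsManaged     bool            // browser access to non-public data needs a managed device
}

// Evaluate applies the rules most-restrictive first and returns the decision
// together with the reason that should land in the audit log.
func Evaluate(p Policy, c AccessContext, action string) (Decision, string) {
	switch {
	case c.RiskLevel == "high":
		return Block, "high real-time sign-in risk"
	case c.DocClass == "restricted" && !p.RestrictedCountries[c.Country]:
		return Block, "restricted documents are not served from " + c.Country
	case c.DocClass == "restricted" && !c.ManagedDevice:
		return Block, "restricted documents require a managed device"
	case c.DocClass != "public" && c.App == "web" && p.WebNeedsManaged && !c.ManagedDevice:
		return StepUp, "browser access from an unmanaged device needs a second factor"
	case action == "edit" && p.ManagedForEdit && !c.ManagedDevice:
		return StepUp, "editing from an unmanaged device needs a second factor"
	case c.RiskLevel == "medium":
		return StepUp, "medium real-time sign-in risk"
	}
	return Allow, "all conditions satisfied"
}

func main() {
	// Constructed tenant policy: bank-secrecy material is served only inside CH and LI.
	policy := Policy{RestrictedCountries: map[string]bool{"CH": true, "LI": true}, ManagedForEdit: true, WebNeedsManaged: true}
	cases := []struct {
		label string
		ctx   AccessContext
		act   string
	}{
		{"analyst, managed laptop, at the Zurich office", AccessContext{"anna", true, "CH", "desktop-client", "low", "restricted"}, "view"},
		{"same analyst, same laptop, travelling in the US", AccessContext{"anna", true, "US", "desktop-client", "low", "restricted"}, "view"},
		{"contractor, personal laptop, editing an internal doc", AccessContext{"bob", false, "DE", "desktop-client", "low", "internal"}, "edit"},
		{"any user with a high-risk sign-in", AccessContext{"carl", true, "CH", "mobile", "high", "public"}, "view"},
	}
	for _, tc := range cases {
		d, why := Evaluate(policy, tc.ctx, tc.act)
		fmt.Printf("%-55s -> %-7s (%s)\n", tc.label, d, why)
	}
}
```

Note that the country rule fires even for a fully managed device and a low-risk sign-in: that is the point of the travelling-employee scenario, where the user and the device are both trusted but the location is not. Returning the reason alongside the decision is what makes these policies auditable later.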

Auditability is also something to consider, as it is important to be able to track who shared which documents with whom, when, what changes were made to them and, if possible, from where (using IP geolocation).
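An audit trail is only as useful as it is trustworthy, so the added Go example below (written for this article; not any product's logging code) records exactly the fields the paragraph asks for and chains each record to the digest of the previous one, so that an after-the-fact edit or deletion is detectable. `ShareEvent`, `AuditLog` and the action names are this example's own, and the timestamps and IP addresses in `main` are constructed samples.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// ShareEvent is one auditable action: who did what, to which document, with
// whom, when and from where. Field names are this example's own.
type ShareEvent struct {
	When      time.Time
	Actor     string
	Action    string // "share", "revoke", "edit" or "download"
	DocID     string
	Recipient string // empty for actions that have no counterpart
	SourceIP  string
}

// Entry chains each event to its predecessor's digest, so removing or editing
// an earlier record changes every digest after it.
type Entry struct {
	Event ShareEvent
	Prev  string // hex SHA-256 of the previous entry ("" for the first)
	Hash  string // hex SHA-256 over (Event, Prev)
}

type AuditLog struct{ entries []Entry }

func digest(e ShareEvent, prev string) string {
	// JSON gives an unambiguous encoding; a delimiter-joined string would let
	// field values that contain the delimiter collide.
	raw, _ := json.Marshal(struct {
		E ShareEvent
		P string
	}{e, prev})
	sum := sha256.Sum256(raw)
	return hex.EncodeToString(sum[:])
}

// Append records an event and returns the new chain head. In production that
// head would also be copied to a write-once location (or signed) so the chain
// itself cannot be rewritten end to end.
func (l *AuditLog) Append(e ShareEvent) string {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	h := digest(e, prev)
	l.entries = append(l.entries, Entry{Event: e, Prev: prev, Hash: h})
	return h
}

// Verify recomputes the chain and reports the index of the first entry that
// no longer matches, or -1 when the log is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, en := range l.entries {
		if en.Prev != prev || digest(en.Event, en.Prev) != en.Hash {
			return i
		}
		prev = en.Hash
	}
	return -1
}

// SharesOf answers the auditor's question "who shared this document with whom".
func (l *AuditLog) SharesOf(docID string) []ShareEvent {
	var out []ShareEvent
	for _, en := range l.entries {
		if en.Event.DocID == docID && en.Event.Action == "share" {
			out = append(out, en.Event)
		}
	}
	return out
}

func main() {
	var log AuditLog
	t0 := time.Date(2024, 3, 4, 10, 0, 0, 0, time.UTC) // constructed timestamps
	log.Append(ShareEvent{t0, "anna@example.com", "share", "brochure-v3", "partner@example.com", "203.0.113.7"})
	log.Append(ShareEvent{t0.Add(5 * time.Minute), "partner@example.com", "edit", "brochure-v3", "", "198.51.100.20"})
	log.Append(ShareEvent{t0.Add(time.Hour), "anna@example.com", "revoke", "brochure-v3", "partner@example.com", "203.0.113.7"})
	fmt.Println("intact log, first bad index:", log.Verify())
	for _, ev := range log.SharesOf("brochure-v3") {
		fmt.Printf("%s shared brochure-v3 with %s from %s at %s\n", ev.Actor, ev.Recipient, ev.SourceIP, ev.When.Format(time.RFC3339))
	}
	log.entries[1].Event.SourceIP = "10.0.0.1" // an after-the-fact edit
	fmt.Println("after tampering, first bad index:", log.Verify())
}
```

When evaluating a vendor, ask the equivalent questions of their audit feature: which of these fields are recorded, whether the log can be exported to your SIEM, and what prevents an administrator from altering it afterwards.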

Which EFSS to choose?

When adding any new component to your infrastructure, the first consideration is integration. Make sure the local agent is available for the different operating systems your employees use, both desktop (Windows, macOS, Linux) and mobile (iOS, Android), and that the solution is also compatible with your current office suite (e.g., Microsoft Office), usually through special plugins provided by the EFSS vendor. The easier and more transparent it is for your employees to use, the better the adoption and thus the success of your deployment.


Employees will obviously need to authenticate before they can access their repository and store and sync corporate documents, and the easier this is, the better. Make sure the solution integrates with your Identity Provider (IdP), such as Microsoft Active Directory or Azure AD, to mention a few. Also make sure the solution provides Multi-Factor Authentication (MFA) mechanisms or can otherwise integrate with an Identity and Access Management (IAM) provider, in order to strengthen the authentication process.

Another consideration is whether you want to go with a cloud-based solution (all vendors offer it) or an on-premises one (offered by most but not all vendors). Cloud-based obviously has its pros, in that it does not require dedicated machines to supervise and maintain or software to install and constantly update; you just use the console to perform the basic configuration and later the day-to-day administration. However, some customers, especially in regulated sectors like finance, energy, or healthcare, might be required to host all these documents internally, within their local network, for extra security and control.


In terms of data protection, if you decide to go cloud-based, you need to think about data residency, as this is a real concern, especially for regulated industries and some businesses. Make sure that the vendor operates, and stores your data, at least within your region (e.g., Europe), or even better within your country (e.g., Germany). Some vendors, even with their cloud-based solution, offer the ability to use your own cloud-based storage (e.g., Amazon S3), for extra security and control and to ensure data residency in your region/country. Also make sure the solution is compliant with current data regulations (e.g., GDPR in Europe).


Another aspect to consider is that although all EFSS solutions provide file sharing and syncing, not all of them provide live collaboration, that is, the ability to work on a document at the same time as other people and make real-time changes. So you really need to review your own use case and determine whether that feature is key or not.


Educate your employees

Although most EFSS solutions integrate well with the most common office suite apps, there is still an important part to take care of to make sure documents are no longer saved locally or shared by email: your employees. It is crucial to train them accordingly and make them understand all the benefits this brings them (never lose a document again, access from anywhere, share securely), so that they get into the habit of saving their documents in their personal work repository and also use the tool's sharing options when sharing documents with colleagues internally, or with customers and partners externally.




(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group