By István Molnár, Compliance Specialist, Tresorit
For many organizations, workflow supervision is one of the biggest challenges to solve. Ideally, users should be properly managed and monitored, but sadly countless organizations suffer from a lack of IT supervision. As a result, there is no telling what users are capable of doing. One of the main fields where a lack of IT supervision can become a major issue is content collaboration.
Content collaboration is the process of securely sharing, synchronizing and storing content files in a structured and transparent manner. It is one of the most frequently applied methods of user interaction and the default portal for exchanging business-critical information both internally and externally. This makes it an area where serious IT involvement is needed to ensure data security, user efficiency and business continuity.
What are the main causes of unsupervised content collaboration, and how can they be solved?
In a number of instances, IT departments are completely out of the loop when it comes to managing and monitoring internal and third-party content collaboration. This boils down to having no transparency and traceability with regard to user- and file-related activities. By isolating the main causes of an unsupervised infrastructure, we can also identify how to solve them.
1) Not knowing what rights users have
Although IT departments have some form of user directory in place, like an Active Directory or LDAP, they still struggle when it comes to the rights associated with individual files. That is because all these tools do is decide whether or not the user falls into a category that may access a collaboration platform. Even though a user is authorized to collaborate, that doesn’t mean they should have full access and editorial rights over all given files.
Without properly managing user rights, organizations can’t guarantee data confidentiality as users may accidentally or intentionally cause harm by managing files that should be limited or inaccessible to them. In addition to internal users, third-party management should receive the same level of attention; it is crucial to identify who should access files from outside of the organization’s secure perimeter, as well as for what purpose.
What is the solution?
Implementing functions such as access rights management is essential in supervising internal users and externally collaborating parties. Supervising the entirety of the user lifecycle, from the point they join the organization until their last day as an employee, allows total control over their rights and level of privileges. By identifying and providing the necessary minimum amount of rights to users, organizations can enforce the principle of least privilege. This helps mitigate the probability of unauthorized access and disclosure of business-critical information. It is possible to support both the top-down and bottom-up attribution of rights by isolating larger group-based rights yet also allowing flexibility to individual users with custom rights attribution when needed.
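The group-plus-custom rights model described above can be checked mechanically against a documented minimum. The following is an added example, not code from Tresorit or any product: the users, groups, folders, right levels and the rule that a per-user right replaces the group result are all assumptions made for illustration.

```python
# Added example: every user, group, folder and right level below is constructed.
LEVELS = {"none": 0, "read": 1, "edit": 2, "manage": 3}

GROUP_GRANTS = {            # top-down: rights attached to groups
    "finance":   {"/finance": "edit", "/shared": "read"},
    "all-staff": {"/shared": "edit"},
    "auditors":  {"/finance": "read"},      # external third party
}
MEMBERSHIP = {
    "alice": ["finance", "all-staff"],
    "bob":   ["all-staff"],
    "dave":  ["auditors"],
    "erin":  ["finance", "all-staff"],      # has left the company, see DEPARTED
}
USER_OVERRIDES = {          # bottom-up: custom per-user rights, replace group result
    "alice": {"/finance": "manage"},
    "bob":   {"/shared": "read"},
}
REQUIRED = {                # documented minimum each user needs for their job
    "alice": {"/finance": "edit", "/shared": "read"},
    "bob":   {"/shared": "read"},
    "dave":  {"/finance": "read"},
}
DEPARTED = {"erin"}         # lifecycle end: these users should hold no rights


def effective_rights(user):
    """Highest right from any group per folder, then per-user overrides on top."""
    rights = {}
    for group in MEMBERSHIP.get(user, []):
        for folder, level in GROUP_GRANTS[group].items():
            if LEVELS[level] > LEVELS[rights.get(folder, "none")]:
                rights[folder] = level
    rights.update(USER_OVERRIDES.get(user, {}))
    return {folder: lvl for folder, lvl in rights.items() if lvl != "none"}


def excess_rights(user):
    """Folders where the user holds more than the documented minimum."""
    need = {} if user in DEPARTED else REQUIRED.get(user, {})
    return {
        folder: (lvl, need.get(folder, "none"))
        for folder, lvl in effective_rights(user).items()
        if LEVELS[lvl] > LEVELS[need.get(folder, "none")]
    }


if __name__ == "__main__":
    for user in sorted(MEMBERSHIP):
        print(user, excess_rights(user))
```

Each entry in the result pairs the right currently held with the right actually needed, so an empty result means the user is at least privilege for the folders listed.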
2) Not having a clear inventory on files
User and group management is one thing, but data itself is also a vital segment in an organization’s life. Not knowing what files are actually being produced and where they are stored is a common symptom of a decentralized infrastructure. It occurs most commonly when each department operates in silos and stores files on separate standalone systems and devices instead of in one central repository. The drawback of this is that IT simply cannot keep visibility over the most crucial information produced and managed within the organization. As a result, there is no telling what files already exist, whether there is any workflow conflict, or who has access to what and to what degree.
What is the solution?
The solution is to establish a central file repository completely owned and managed by IT. Users may assume ownership over the folders and files stored within, but overall management should fall in the hands of IT professionals. This allows organizations to enforce company-wide policies on data storage location and prohibit any attempts to store data outside the collaboration platform.
3) Not knowing what tools are used for collaboration
Many times, employees take an alternative route and start using consumer-grade tools for business collaboration. The main reason behind this is that the in-place Content Collaboration Platform turned out to be way too cumbersome to use, making everyday work almost impossible due to excessive security precautions.
What is the solution?
To solve the issue, a balance must be struck between efficiency and security. If the organization focuses solely on one aspect, it will severely hinder the other. Lack of security may make things more convenient for users but also creates a number of potential attack surfaces. The reverse is true as well: too much security might be appealing from an administrative perspective, but it can easily make any form of collaboration almost impossible for users.
4) Not being able to log events and activities
Not possessing reliable evidence on user- and file-related activities can cause serious ramifications during forensic investigations and compliance audits. During a data breach, every second can count. As a first step once a breach is identified, the security team will try to accumulate as much evidence as possible to identify: What data and which users are affected? What or who could have caused the breach? What is the magnitude and scale of the breach? If the security team lacks the tools to pinpoint these factors, then it is a guarantee that similar breaches will soon follow, leaving the organization in a desperate financial and reputational situation.
Failing a compliance audit can also result in the same ramifications. One of the first things required during an audit is clear documentation on every user and activity. If the organization is incapable of producing reliable information on its infrastructure and all events occurring in it, then the audit will surely fail.
What is the solution?
The solution lies in reporting capabilities. The more customizable and detailed they are, the better. In terms of content collaboration, the most important question for reports to answer is who accessed, shared or deleted files.
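A report of this kind, built from an activity log, can answer the breach questions listed above (which data, which users, what scale). This is an added example, not output or code from any real platform: the log format, the file paths, the user names and the `INTERNAL_USERS` set are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp, actor, action, file, recipient.
SAMPLE_LOG = """\
2024-03-01T09:02:11,alice,access,/finance/q1.xlsx,
2024-03-01T09:05:40,bob,share,/finance/q1.xlsx,partner@example.org
2024-03-01T09:07:02,bob,delete,/hr/salaries.csv,
2024-03-01T09:07:30,bob,share,/hr/contracts.pdf,carol
2024-03-01T11:15:00,carol,access,/hr/contracts.pdf,
2024-03-02T08:00:00,alice,access,/shared/notes.txt,
"""
INTERNAL_USERS = {"alice", "bob", "carol"}   # assumed export from the directory


def parse_log(text):
    """Turn log lines into event dicts, skipping lines that are not 5 fields."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue
        ts, actor, action, path, recipient = row
        events.append({"time": datetime.fromisoformat(ts), "actor": actor,
                       "action": action, "file": path, "recipient": recipient})
    return events


def activity_report(events, start, end):
    """Per action, map each file to the users who acted on it in [start, end)."""
    report = defaultdict(lambda: defaultdict(set))
    for e in events:
        if start <= e["time"] < end:
            report[e["action"]][e["file"]].add(e["actor"])
    return {action: {path: sorted(users) for path, users in files.items()}
            for action, files in report.items()}


def external_shares(events):
    """Shares whose recipient is not a known internal user."""
    return [(e["actor"], e["file"], e["recipient"]) for e in events
            if e["action"] == "share" and e["recipient"] not in INTERNAL_USERS]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(activity_report(evts, datetime(2024, 3, 1), datetime(2024, 3, 2)))
    print(external_shares(evts))
```

Restricting the window to the suspected breach period narrows the report to the files and users that matter for the investigation, and the external-share list covers the third-party access discussed under the first cause.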
All in all, content collaboration is a vital part of an organization’s life and requires serious monitoring and control effort to ensure data confidentiality, user efficiency and business continuity.