Personal email systems and file synchronization and sharing tools like Dropbox and Gmail have become prevalent, but have inherent risks in the business world. The Compliance-as-a-Service vendor Sokasa provides a self-service turnkey encryption and compliance solution to ensure files are encrypted wherever they're placed.
Toward the end of 2012, the file storage company Nasuni released data indicating one in five employees admits to using Dropbox at work, even if it’s against company policy. The usage numbers have probably gotten higher since because Dropbox claims to have more than 275 million users.
CIOs and CISOs hate to admit it, but they know employees use Dropbox and other unauthorized cloud services like Gmail to enhance productivity. Personal email systems and file synchronization and sharing tools have become prevalent in the business world, even if they are not officially sanctioned. Even if you look at highly regulated industries like healthcare, education, legal and financial services, you’ll see high penetration of consumer-oriented cloud services.
Perhaps the biggest problem resulting from use of such services is the scattering of files. If you look at services like Dropbox, Box, Gmail, Evernote and numerous others, they all have a similar property. They don’t just keep a copy of your data in the cloud; they also scatter or download a copy of that data to all your devices through synchronization. And if you share a file with someone else, the data goes onto their devices as well.
+ ALSO ON NETWORK WORLD Dropbox is winning the storage wars, get used to it +
Needless to say, this creates quite a problem if a device containing sensitive or regulated data is lost or stolen, or if data is shared with someone who has no business receiving it. According to the U.S. Department of Health and Human Services, the most common cause of a breach of unsecured protected health information (PHI) – a clear violation of HIPAA – is the loss or theft of a device containing the data.
Organizations that allow (or don’t prevent) BYOD now have even more unmanaged devices that are connected to these cloud services and receiving company data on them. It’s a ticking time bomb in terms of data security and compliance.
A new company emerged from stealth mode a few weeks ago to address this very problem. Sookasa claims to be the first company to enable professionals to natively use their favorite mobile devices and cloud services, such as Dropbox and Gmail, while transparently encrypting sensitive data and addressing regulations such as HIPAA and FERPA. The Compliance-as-a-Service vendor provides a self-service turnkey encryption and compliance solution that promises to encrypt files anywhere they are placed – including in the cloud and on mobile devices and desktops – and remain protected even when shared externally.
Sookasa says it addresses three critical risks of sharing files through cloud services:
- Unencrypted data can be exposed when it is on a device that is lost or stolen. Even if the data is not accessed illegitimately, the event is still technically a breach of regulations such as HIPAA, FERPA or GLBA, depending on the data type, and must be treated as a breach.
- Files shared through cloud services might accidentally be shared with people who don’t have a legitimate need for the data. For example, an email attachment can be forwarded without the data owner’s knowledge or permission, creating an opportunity for a breach.
- Unencrypted data that is stored in a cloud service could potentially be accessed by the service provider or other authorities. This can be a violation of corporate policy or government or industry regulation.
While the third risk grabs headlines, other solutions already exist to address data encryption for cloud services. It’s the other two risks that Sookasa points to as a differentiator.
Sookasa itself is a cloud service that connects to the various cloud providers like Dropbox through APIs and does encryption and access control through those APIs. In addition, you can download lightweight apps to mobile and desktop devices, and through the apps do encryption, decryption and access control on the fly while preserving the cloud service’s user experience on the device. After Sookasa is initially set up on the device, it works in the background.
This is best illustrated with an example, so I’ll continue with my Dropbox scenario. When Sookasa is installed on a user’s device, it creates a “secure” folder within Dropbox and anything that is placed in this folder is automatically going to get encrypted, access controlled and audited. A file within the secure folder will have a .Sookasa file extension. This indicates the file has Sookasa’s unique encryption properties that follow the file no matter where it is scattered. Meanwhile, all of the normal sharing features of Dropbox are preserved.
Through a central dashboard, an administrator of the Sookasa controls can access the encrypted files. This administrator creates a team of users on Sookasa. The team members can come from inside or outside the organization and the names can be drawn from Active Directory if desired. Think of this team as a whitelist of people who are authorized to access the Sookasa-protected files. Anyone who is not whitelisted by the admin cannot open the encrypted files. The admin has the power to revoke access at any time so that team members can be de-provisioned as needed. Device access can be revoked as well in the event that someone loses a device that has files on it.
Sookasa also has shared links that lets you share encrypted files with people who are not Sookasa users. For example, a doctor can send test results to a patient in a secure fashion, but the patient doesn’t have to be on the whitelist. He can simply access the encrypted file through a special Web link after the patient’s identity is authenticated.
The administrator can set policies for file access, and files can be set to be accessed even when a device is offline. Files are completely audited so that the administration can see when people access files or change permissions to files. The audit trail is a requirement for many regulations.
Key management is critical with all such tools. With Sookasa, every file placed in the secure folder has its own encryption key. Files that get the .sookasa extension have metadata that contains the file key of that specific file encrypted by a public master key. This encrypted file key goes with the file when it is replicated to the cloud or users’ devices. When you double-click on a file to open it, a request is sent to the Sookasa server to retrieve the file key that is needed to decrypt the file using the private part of the master key. Since Sookasa doesn’t store any data files (in this example, they are stored by Dropbox), the files and the master keys are always separate, and neither Sookasa nor the cloud app vendor ever has access to both. For larger enterprises that want to host or exclusively own their private master key, Sookasa has a solution for them to do so.
Sookasa elegantly addresses the three risks mentioned above. If a device containing protected files is lost or stolen, the files are encrypted and only people who are authorized to access the files can open them. Files placed in the secured Sookasa folder are encrypted before they ever get distributed to the cloud service or scattered devices. Protection follows the files wherever they go, and users don’t need to change anything about their routines to use the solution.
The solution’s architecture is said to be scalable. Sookasa’s key management is independent of the cloud application service it is interacting with so it would work the same way on any cloud service or device platform you choose to add.
David Crump, director of Operations for Choice Medical Healthcare, implemented Sookasa for his medical supply company a few months ago. Because his company handles medical records, it must conform to HIPAA regulations for data protection. Choice Medical had built some business processes around Dropbox to facilitate sending files among critical contacts and customers.
“I shopped around for solutions so we could do this and still collaborate,” says Crump. “I tried a couple of options and they were just disastrous. When I tried Sookasa it allowed us to keep everything we had already created. We didn’t lose any functionality and it added on this protection layer that kept everything seamless, kept everything together for us. There wasn’t any extra work that we had to put into our processes. By using Sookasa we were HIPAA compliant without any issues.”
Linda Musthaler is a Principal Analyst with Essential Solutions Corp., which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.