This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
File sharing today is more necessary than ever. Business processes often require people to work collaboratively and to share important files with members of their workgroup, outside partners and contractors, even customers and prospective customers.
Sharing those files is easier than ever. They can be emailed, placed on a thumb drive, put in a public network directory, or placed on a cloud file sharing service such as SharePoint, Dropbox or Box. It all makes collaboration so easy.
Unfortunately, it also makes data leakage and unintended exposure easy, too.
Protecting files that contain sensitive information, while still making them available for collaborative use, continues to be a challenge today. It's certainly possible to encrypt a file or folder or even an entire disk containing numerous sensitive files, but what happens when a file owner needs to share the file with, say, a customer or a third party vendor? If the file is encrypted, how does the recipient decrypt it? Moreover, how can you control what they can do with the file once it's decrypted? Suppose the recipient puts the file outside the secure container and shares it with others who were not authorized by the file owner?
One option is to place the file in an enterprise version of a file sharing service like Dropbox or Box. Such tools typically come with administrative features that allow restrictive use of files, sharing controls and remote wiping of files. There's usually an audit trail log, and of course, file encryption to protect the files within this container. However, if an authorized user accesses the file within the collaboration application, he can then transfer the unprotected file and do whatever he wants with it. Once the file leaves the application container, it can be leaked and lost.
Companies need a simple way to share files containing confidential and often regulated information, in a flexible and scalable manner. More importantly, the protective measures around the files must be persistent so that they follow the files regardless of where they go or who has them.
This is a need that FinalCode aims to fill. FinalCode is a year-old U.S. company but the patented technology it uses to secure files was developed several years ago in Japan. The product has had time to mature and the company is now making a push to go global. Certainly the need that I described is universal around the globe.
FinalCode claims it can solve the file security and data leakage dilemma with an easy to use yet strong encryption solution that gives users broad entitlement control over their files. The FinalCode tool can be implemented across popular applications, devices, content management systems, cloud storage and collaboration platforms. Companies using FinalCode do not need to change, upgrade or replace anything, the company says, because its solution works with existing systems. It can be delivered as a virtual appliance for installation on premise, as a SaaS application, or as a hybrid of the two.
Using the solution starts with a FinalCode client on the desktop. As a worker creates a file that he wants to protect, he drags and drops the file name onto the FinalCode icon on the desktop. This brings up a menu where the worker decides how to handle that file. For example, the file owner decides what file permissions to place on the file; who can have access to the file; how many times or the duration of time a recipient can view or open the file; whether a recipient can print it; and so on. Once this is done, the file is encrypted locally while the key and the associated permission metadata are transmitted to the FinalCode server.
Rather than assigning the file protection parameters manually, it's possible to have them applied automatically. The FinalCode system allows for pre-defined corporate file protection policies to be enforced. For example, suppose a company uses SharePoint as a file repository. The SharePoint administrator can set up a specific folder for a workgroup—say the Finance department. Then he also sets up the permissions for FinalCode based on integration with Active Directory.
Whenever people with access to that SharePoint folder save a file there, the FinalCode permissions get applied automatically. Perhaps anyone in the Finance department is allowed to read, write, copy and print the file, but if that file leaves the Finance group (based on groups within Active Directory), then it gets deleted automatically whenever someone else tries to open the file.
Once a file is encrypted, the file owner can send or share it however he wants to. He can put it in a Dropbox folder and then someone he is collaborating with can retrieve the file according to the permissions assigned to it. If the recipient downloads the file from Dropbox, the permissions on the file are still active. If the recipient emails the file to someone else – say someone the file owner didn't explicitly give permission to – the file is encrypted and cannot be read or opened. It can even be deleted, if the file owner had set that kind of policy. Even after the fact, the file owner can change the file permissions to either allow the new recipient to access the file or to delete the file from the new recipient's possession.
To work with a file protected with this solution, an intended recipient needs to have a FinalCode client -- which can be downloaded from the Internet -- that is authenticated and connected to a FinalCode global rights access server. The client, which can be on a Windows system or iOS or Android smartphone, contacts the FinalCode server and retrieves the security information for the file. The file is locally decrypted and the preset permissions are enforced upon it. In this way files can be shared and stored outside of protected environments like the SharePoint folder or the enterprise Dropbox.
The delete feature is rather unique. Some file protection solutions say they disable files, which doesn't delete them; it merely takes away the encryption key. FinalCode actually deletes files so that brute force attempts can't be used to access them without an encryption key. What's more, FinalCode has the ability to invoke a file delete rule even after the file is distributed.
FinalCode has administrative features that log access activity, whether successful or not. This helps with compliance audits—to know who has had access to specific files, when, and what they did with the files.
Pioneer Service Network Corporation (PSN) is a long-term user of FinalCode. The company uses the tool to protect confidential files it shares with business partners and customers. The company says it is able to maintain and enforce protection and usage permissions regardless of where its files go. It even uses FinalCode to prevent screen capturing and printing. The company’s IT manager says FinalCode provides PSN with strong encryption and usage governance capabilities without having to change enterprise content management, cloud storage or collaboration systems. More importantly, customers appreciate the measures PSN takes to keep their information confidential.