Archive for the ‘data governance’ Category

FileCloud Aurora – All About DRM Capabilities

Introduction

In November 2020, FileCloud released update 20.2, a complete overhaul of our Sync, mobile and browser UI and functionality. We at FileCloud have been working on this for a very, very long time, and so we’re incredibly proud to present to you: FileCloud Aurora.

Today, we’re going to be covering one of the most important security functions that Aurora introduces: DRM Capabilities.

For a comprehensive overview of all of FileCloud Aurora’s new features, please visit our previous blog post, “Introducing FileCloud Aurora!”

Secure Document Viewer

If the new UI was the biggest change in terms of appearance, FileCloud Aurora’s new Digital Rights Management (DRM) capabilities are unquestionably the most significant change in terms of functionality. 

Your data security has always been FileCloud’s number one priority. We’ve got all the files you’re storing with us safe and sound, but what happens when you need to send out or distribute important documents, such as external contracts, reports, or training materials? Our new DRM solution ensures that nothing you send out gets used in a malicious or abusive manner, even after it’s left your system and entered others. 

Our secure document viewer helps you protect confidential files from unsolicited viewing with FileCloud’s restricted viewing mode. Show only selected parts of the document and hide the rest of it, or choose to reveal sections only as the user scrolls, minimizing the risk of over-the-shoulder compromise.

For more details, read more about the FileCloud DRM solution here

Screenshot Protection

Utilize the Screenshot Protection feature to prevent recipients from taking screenshots of secure information and documents.

This is an option that can be selected when you create your DRM Document or Document Container, and prevents any recipients from taking screenshots of the document. Not only that, the recipient won’t be able to share screens or screen-record to share the documents either, nullifying any chance of your documents being distributed without your permission or consent.

Document Container 

Easily and securely export multiple documents in an encrypted document container (AES 256 encryption), and share it via FileCloud or third party emails. 

DRM Protection

Support for Multiple File Formats

Protect your Microsoft Office (Word, PowerPoint, Excel), PDF, and image (jpeg, png) files, and include multiple types of files in a single encrypted document container! FileCloud’s DRM solution doesn’t discriminate, ensuring your most regularly used file, folder and document formats can all be easily handled by our containers and viewer.

Anytime Restriction of Access to Your Files

Remove the risk of accidentally transmitting confidential files and enforce your policy controls even after distribution. You can revoke file access or change view options (screenshot protection, secure view and max account) anytime, via the FileCloud portal.

Thanks for Reading!

We at FileCloud thank you for being a part of our journey to creating the most revolutionary user interface and experience on the market. We’d love to know what you think about these changes. For full information about all these changes, release notes can be found on our website here

We hope that you’re as excited about these new changes as we are. Stay safe, and happy sharing, everyone!

Obstacles for Data Governance

With data being touted as the new oil, organizational data governance has gained a lot of importance in the digitized world. When everything from product launches to purchase decisions to even government campaigns is driven by data, it is easy to understand why data is so important. Almost everything that people do is monitored in some way or other, and data is being collected in some form. This data is being analyzed to gain insights into people’s behaviors and choices, in turn driving a lot of decisions for most organizations for their products and services.

It is therefore imperative that every organization has a foolproof data governance policy in place. Decisions based on insight gained from data will only help when the underlying data is reliable. However, there are instances when organizations have had to pay a heavy price just because their data was unreliable or totally wrong; in simple terms, the data quality was bad. It is also possible that the insight they sought showed them a totally wrong picture because of inherent inefficiency in the organization, storage, or collection of data. Thus, data quality, or the integrity of the data, happens to be one of the most important obstacles that organizations face in data governance.

Data Quality

It is not just important to have a good data governance policy in place; it is equally important to make sure that the policy ensures that the data is reliable and correct in all aspects and that its quality is maintained throughout. Otherwise, the decisions may turn out to be costly. Gartner research has pegged ‘poor data quality to be responsible for an average of $15 million per year in losses’. This figure tells a story of its own about why it is important to pay attention to data quality. Another insight from Gartner, as far back as 2007, mentioned that ‘More than 25 Percent of Critical Data in the World’s Top Companies is Flawed’. An IBM report has pegged the cost of poor quality data for US companies alone at $3.1 trillion per year.

There is another hugely worrying statistic that should shake up the data governance policymakers. A Harvard Business Review study published on the topic mentioned that only 3% of the companies’ data met basic quality standards. The article also stated that on average, 47% of the newly created data records had at least one critical error. So, one can only imagine the implications of the decisions driven by such unreliable and erroneous data.

Interestingly, statistics also show that many organizations only have a data governance policy on paper. At times nothing, and in most cases not everything, gets implemented. This is equally bad, as it means that the organization is not serious about the data and the insights to be gained from it. Ignoring data governance is as bad as having bad quality data. So, it is important for organizations to get these data governance aspects right to make the best use of data to ensure business growth, customer delight and loyalty, and to stay ahead of competitors. On the flip side, when data quality was ignored, organizations have lost out on reputation and opportunities and, of course, have taken big dents in their finances as well.

Data Silos

Another hindrance in data governance is the data silos that exist within organizations. These data silos result in data duplication and also impact the insights gained from the data. Data silos result in a situation wherein data exists in some form in some unit or department of the organization, but it is unknown and unavailable to others in the organization. This can hugely impact and cloud the decisions taken within the organization and makes data governance ineffective.

The reasons for data silos are multiple: cultural, ignorance or oversight, technical, etc. However, not having a single data source within the organization that is equally accessible to all results in the lack of a 360-degree view, which is important for analyzing the data. Duplication may not only create confusion, rework, productivity loss, and lack of revenue, but also affect the overall data governance and the decisions driven by the policy.

Data Transparency

Data transparency is as important as data integrity, and all stakeholders must know where the data they handle comes from and how. Transparency of data also improves collaboration and visibility within the organization. The lack of transparency in data may be due to data ownership issues, which result in the creation of data silos, which in turn create other issues. It also means that data analysis does not happen within the silos, as decisions based on such flawed insights would prove disastrous.

Handling data transparency issues within an organization comes under effective data management. Organizations would have to work out policies that allow the sharing of data without security and compliance being compromised. Data would have to be treated as an important asset of the organization that needs a central approach from the top. Many organizations have evolved roles like a Chief Information Officer or a Chief Data Officer to cater to such needs. How these roles evolve a 360-degree strategy that takes all aspects of data management into consideration, and how they ensure foolproof implementation, is what would decide the way forward.

There is also a host of data management or data transparency tools available that organizations can put to good use. However, the tools by themselves may not fully resolve the problem. Awareness about data management needs to be created among the data users and owners alike.

The Future

Data governance is here to stay; however, a lot of statistics around it do paint a grim picture of its mismanagement. Many issues contribute to the current sorry state of affairs, including:

  • Lack of awareness and understanding
  • Oversight
  • Failure to link the organizational business goals to data governance
  • Inability to adopt best practices and right methodologies

But it is obvious that organizations have realized the power of effective data management, and they have lots of examples to go by. The role of a data officer is now being given the same importance as that of a financial officer. Data is being treated as a valuable asset and is getting its due; when data is given its rightful place, it starts giving results. Consistent results can be achieved based on right and timely insights.

It can be seen and felt across the organization, from the top to the bottom. It can be felt by the employees as well as the customers, and it can be seen in the reputation of the organization and the rise in its value in the eyes of all the stakeholders.

What is Geo-fencing? And How Does it Play a Role in Data Privacy?

Geo-fencing is a new term in the digital marketing space that puts the location of devices to work for the provision of services. The services could be push messages and notifications that a user gets when the device enters a virtual boundary, known as a geo-fence. These virtual fences are set up around certain stores, stadiums, event spaces, malls, and so on.

When a user enters this space with a GPS or an RFID enabled device, it triggers an action that results in the user getting some specific promotions about the particular event or store. Certain apps and software interact with the geo-fence that is set up in the area when the device is connected to GPS, cellular data, RFID, or Wi-Fi. This results in the user getting geo-fence specific messages, which is a useful tool for marketers to promote their products and services in a timely way. The user, while entering the space, may not have known about a new product or a promotion, for example.

Applications

The applications of geofencing go much beyond the mere marketing push notifications. Its potential is huge and almost all industries are exploring the endless possibilities that it offers. For example, businesses with huge fleets use it to track the movement of their vehicles; the cattle industry also uses it for the same purpose. Field employees are also tracked in a similar way by certain organizations, for automatically logging time.

Similarly, pets and toddlers could also be tracked for their movement. There are instances of authorities using geofencing to track people’s movement when they are in COVID-19 quarantine or for lockdown violations. Geo-fences are also set up around important spots like airports or important buildings. This helps monitor movement, including that of drones, in the area. So, geofencing does also play a role in security, to track unwanted movement within a geo-fence.

Social networking apps use geo-fencing for location-based filters, stickers, and more; prominently, Snapchat is a very good example of this. Also, in Flickr, you can limit your photo sharing with people in a certain locale only. In-store promotions and audience engagement at events are other good examples of its use. Many of the smart home appliances can also be programmed to send you reminders based on geo-fencing.

Geo-fences are used to track movement in parking spaces to understand the availability of spaces. Certain auto brands even allow you to set up geo-fences around your parked vehicle, so you get a notification if it moves out of the fence. Certain people are also using it to send messages to target customers entering their competitors’ spaces to try and lure them. Some marketers are also offering banner ads based on geo-fencing. Most importantly, a geo-fence sending out alerts about a possible hacker in a network can be used as part of the multi-factor authentication system of an organization’s cybersecurity strategy.

Role in Data Privacy

However, there are concerns raised about data privacy in the use of geo-fencing. When you track users in a specific fence, you are collecting information about them which they might not otherwise want to share. In a world where social profiles are built using digital identities, this could be dangerous. For example, a user may not want people to know why he visited a certain clinic, a religious place, a club, or an event. These could be individual preferences which were meant to be kept private, but the geo-fence would have collected information about them.

The legal aspect of the use of geo-fences depends on the privacy laws of the land. In Europe, user consent is a must before this service can be activated. Once specific permission is obtained, then the location-specific data being collected will come under the ambit of the GDPR, which is meant to protect the privacy of the users. Unless all the personally identifiable information is masked by the device ID and the IP addresses that are being collected, it will be treated as a violation. This is because Personally Identifiable Information (PII) also pertains to IP targeting, email targeting, and phone number detection under the GDPR.

Even the CCPA follows these ethics for its privacy laws applicable in the state of California. And it is expected that companies across the US will be affected by the CCPA, to give consumers new rights and protection almost equal to GDPR and that includes geofencing as well.

There is also the concern that geo-fencing may cause an overdose of unwanted notifications, which is a disturbance for an individual. An individual may walk into a coffee shop at the end of a morning walk every day and be bombarded with offers. Or, one may just be passing by a shop with a geo-fence and get messages as a result. This can prove to be quite annoying and may even ultimately put the customer off. There have been a few cases in the US wherein advertising firms have had to deal with legal cases as a result of their geofencing ads. Especially when the information collected is around health care, children, religious preferences, etc., which come under sensitive personal information, the privacy concerns around geo-fencing take a serious turn.

Interestingly, even the banking industry is exploring options with geo-fencing to provide improved customer experiences and fraud detection. People walking into a branch are provided inputs on customized services and offers for them to be able to make better choices. Some banks have enabled their ATMs with geo-fencing, so customers are provided with information about the nearest ATM.

Personal Choices

However, apart from the local privacy laws, individuals can control the information collected by the geofencing apps. If GPS is turned off, then geofencing cannot function, and hence, an individual’s privacy is fully protected. Some of the geofencing marketing happens with the help of the specific apps of stores, dealers, etc.

If an individual chooses not to download these apps, or checks the settings in the app to opt out of the geofencing services, then the location-specific inputs and data collection can be avoided. VPNs can be used to mask IP addresses so that no Personally Identifiable Information can be collected by the geo-fences.

Choose the Right Data Governance Tool for Your Enterprise

 

After the GDPR, data governance is everybody’s job. It’s not just the responsibility of database admins, corporate counsel, or senior management. Part of the change that data protection policies are intended to bring about is personal accountability and responsibility for protecting your own and everyone else’s data in your workplace. That means customer service representatives, clinicians, software engineers, and truck drivers are all liable for the careful stewardship of employee, patient, and customer data.

Why Does Data Governance Matter?

When developing systems, governance is largely about analyzing the data and requirements to determine the rules for data handling, security, syntax, and definitions. The foundational work for governance and data quality management needs to be done when developing systems to maximize data quality. To a large degree, the controls and functional parameters determine the level of quality that can be maintained over the life of the system. For example, whenever possible, structured lists should be used for data that will be analyzed after the system is deployed. Those fields should not be developed as free-form text fields, because that would open the door for bad data to enter the data pool for analysis. In some cases free-form data is unavoidable because some information has to be collected that way; when that is the case, you want controls in place that minimize the potential for bad data.

Data is becoming the core corporate asset that will determine the success of your business. You can only exploit your data assets and do a successful digital transformation if you are able to govern your data. This means that it is imperative to deploy a data governance framework that fits your organization and your future business objectives and business models. That framework must control the data standards needed for this journey and delegate the required roles and responsibilities within your organization and in relation to the business ecosystem where your company operates.

A well-managed data governance framework will underpin the business transformation toward operating on a digital platform at many levels within an organization:

  • Management: For top-management, this will ensure the oversight of corporate data assets, their value, and their impact on the changing business operations and market opportunities
  • Finance: For finance, this will safeguard consistent and accurate reporting
  • Sales: For sales and marketing this will enable trustworthy insight into customer preferences and behavior
  • Procurement: For procurement and supply chain management this will fortify cost reduction and operational efficiency initiatives based on exploiting data and business ecosystem collaboration
  • Production: For production, this will be essential in deploying automation
  • Legal: For legal and compliance this will be the only way to meet increasing regulation requirements

 

Data Governance Operating Model

The Data Governance Operating Model implements a data strategy (i.e., why govern data?) by establishing the foundation for all your data stewardship and data management activities.

It can be subdivided into three categories each addressing a key design question.

  1. The asset model, which deals with how an organization structures its data assets, ranging from the physical layer of systems and data structures through to the logical and business layers where everything comes together in terms of the relations between the various assets and how they are used by the Business. This covers the What and Where of data governance.
  2. The stewardship model, which allows an organization to understand existing ownership of data, identify gaps, and assign and monitor roles and responsibilities for its data assets. It can start from individuals or teams and identify the data assets they work with or produce, and simultaneously start from data assets to get a clear view of ownership. This covers the Who of data governance.
  3. The execution model, which deals with how organizations orchestrate the collaboration between their different parts, particularly with regards to how knowledge about data is gathered, how data is understood, and if/when it can be trusted. This last component is critical to governance and cannot exist without the previous two being in place. This covers the How, When, and Why of data governance.

 

Capabilities to Look For in Data Governance Tools

  • Data Classification – Different types of collected data fall into varying levels of importance. Hence it is essential to classify and categorize that data as early in the chain as possible. Data classification is a crucial first step towards establishing good data governance.
  • Data Lineage – Data lineage is about understanding how and where the data has originated and its processing logic and destination. It gives visibility and also helps in tracing errors back to the root cause in a typical BI process. The data lineage is vital to create trust in the data.
  • Data Storage and Security – You must then capture legal requirements, compliance requirements, and company policies on data privacy and security. Strong data governance must include data backups. You must understand the schedules and recovery processes. Governance will require a good understanding of the exact number of copies of data, how long they are meant to be kept, and who has access to them.
  • Data Ownership and Stewardship – Data ownership is not about holding the data but about providing access to it to other business units so that they can also benefit from it. Data stewardship is about managing the data quality in terms of accessibility, accuracy, completeness, consistency, and updating.

 

Conclusion

When data issues occur, root cause analysis is needed to assess the source of the problem and identify a logical solution. More than ever, data governance is vital for companies to remain responsive. It is also important for opening up new and innovative fields of business, for example through big data analyses, which do not permit the persistence of backward thinking and outdated structures.

 

 

Geo-Fencing in Data Governance and Its Possible Uses

 

What is Geo-Fencing?

A geo-fence is a feature that defines a virtual boundary around a real-world geographic area. Every time the user enters or exits the boundary of a particular area, actions can be triggered on a location-enabled device. Usually, the user will receive a notification with certain information based on their location in real time.
The main advantage of this technology is that it creates a fusion between the virtual world and the real one. We make use of geofencing in several projects, particularly within the health industry.

Geofencing notifies your app when its device enters or leaves the fenced area. It allows you to make apps that trigger a notification whenever you leave home, or greet users with the newest and greatest deals whenever favorite shops are nearby.

Applications of Geo-Fencing

Geo-fencing has multiple use cases and if implemented aptly, can positively impact business operations.

Defence, Research & Finance

By assigning geo-fences to devices deployed in finance, defense, or research, IT can ensure that the device is non-operational outside of the designated geo-fence. Using an MDM tool, IT can define multiple geo-fences for various areas of operation and can make the device inoperable outside of the geo-fences. Every time the device enters or leaves the geo-fence, IT is notified and can track the location of the device and check for compliance violations, if any. This ensures that critical data on the device is secure at all times and cannot be accessed outside of designated premises.

Delivery Executives

Geo-fences can be used to assign particular areas to particular delivery executives. By assigning geo-fences to delivery executives, optimum efficiency can be achieved by avoiding multiple delivery executives being assigned to the same geographical area.

Schools

More and more schools are implementing e-learning to enhance the learning experience for students. Setting geo-fences on devices owned by the school eliminates the threat of students taking the device home and misusing it for any other purpose. Geo-fences ensure device security as well as enforce intended usage.

Remote / Travelling Employees

IT can enforce multiple device policies for various geo-fences. These device policies include WiFi configurations and other settings specific to an office location. This lets workers plug in and work from multiple office locations without needing IT support.

Fleet Management

In logistics and transport, devices with geo-fences can help track the location of vehicles at all times. This ensures timely support in case of a breakdown as well as device and vehicle security. Geofencing is also used to assist the algorithm in making decisions to reroute cargo when detours or slowdowns arise.

Geo-Fencing and Data Governance

Let’s dive deeper, and differentiate between geo-location and geo-fencing. Because geo-location uses your IP, it can be easily spoofed or fooled and is not geographically accurate. Geo-fencing, however, is predicated on GPS coordinates from satellites, tracking latitude and longitude.

While GPS can be spoofed, doing so requires loads of expensive scientific equipment and certain features to validate the signal. Using geo-coordinates enables new sets of policies and controls to ensure security and enforce seamless verification.

Geofencing is often used as a tool for defense as well as to support risk management. By using it as a source of data collection, decisions can be implemented to notify about and manage the risk of devices entering and leaving a specified geographic area. Geofencing can provide data that falls under Personally Identifiable Information (PII), which should make it regulated under most privacy laws.

Geofencing and location tracking can be utilized to help identify risk to an organization. By tracking and understanding the physical patterns of devices coming and going from an organization, a risk profile can be established. Questioning why and when it is appropriate for a work device to leave company property or personal devices to be brought in, is one concept. It could prevent lost/stolen work devices and discourage unsecured personal devices from being introduced to the network.

A geofence could be set to alert administrators to strange devices that have crossed a virtual barrier. It can also alert administrators when devices that ought never to leave the premises have crossed the barrier. Although this does not prevent the intrusion, it may alert the organization to an imminent threat, giving it a head start in the race.
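The two alerts described above (an unknown device crossing into the fence, and a device that should never leave the premises crossing out) can be sketched as follows. This is an added example, not FileCloud or MDM product code: the fence, device names, coordinates and the 25 m hysteresis margin are constructed assumptions, and the margin goes beyond the text to keep GPS jitter at the boundary from raising repeated alerts.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in metres


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two GPS coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float


def classify(fence, lat, lon, margin_m):
    """True = clearly inside, False = clearly outside, None = in the jitter band."""
    d = haversine_m(fence.lat, fence.lon, lat, lon)
    if d <= fence.radius_m - margin_m:
        return True
    if d >= fence.radius_m + margin_m:
        return False
    return None


def evaluate(fence, known_devices, must_stay_inside, fixes, margin_m=25.0):
    """Replay (timestamp, device_id, lat, lon) fixes and return boundary alerts.

    A device's first clear observation counts as a crossing, so an unknown
    device first seen inside the fence is reported immediately.
    """
    state = {}   # device_id -> last clear inside/outside state
    alerts = []
    for ts, device_id, lat, lon in sorted(fixes, key=lambda f: f[0]):
        now = classify(fence, lat, lon, margin_m)
        if now is None:
            continue  # too close to the boundary to call: keep previous state
        prev = state.get(device_id)
        state[device_id] = now
        if now == prev:
            continue  # no crossing
        if now and device_id not in known_devices:
            alerts.append((ts, device_id, "unknown_device_entered"))
        elif not now and device_id in must_stay_inside:
            alerts.append((ts, device_id, "managed_device_left"))
    return alerts


# Constructed sample data: a 200 m fence and fixes along one meridian
# (0.001 degrees of latitude is about 111 m).
FENCE = Geofence("hq-campus", 40.0, -75.0, 200.0)
KNOWN = {"laptop-17", "phone-02"}   # devices in the (hypothetical) inventory
MUST_STAY = {"laptop-17"}           # devices that should never leave
FIXES = [
    (1, "laptop-17", 40.0010, -75.0),   # ~111 m: inside
    (1, "phone-02", 40.0005, -75.0),    # ~56 m: inside
    (2, "laptop-17", 40.0019, -75.0),   # ~211 m: jitter band
    (2, "unknown-a1", 40.0030, -75.0),  # ~334 m: outside
    (3, "laptop-17", 40.0017, -75.0),   # ~189 m: jitter band
    (3, "unknown-a1", 40.0005, -75.0),  # ~56 m: crossed into the fence
    (4, "laptop-17", 40.0025, -75.0),   # ~278 m: crossed out of the fence
    (5, "laptop-17", 40.0030, -75.0),   # still outside, no repeat alert
    (6, "phone-02", 40.0030, -75.0),    # allowed to roam, no alert
]

if __name__ == "__main__":
    for alert in evaluate(FENCE, KNOWN, MUST_STAY, FIXES):
        print(alert)
```

With `margin_m=0` the same replay reports laptop-17 leaving twice, because its fixes at timestamps 2 and 3 straddle the 200 m boundary.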

Any collection of data is at risk. As an administrator, you must weigh the risk of this data getting into the wrong hands against the benefits of trend analysis and the intelligence that can come from it. At this time, most functionalities require this to be on an application with preauthorized approval on the device; however, this can change. If a “master key” could be created to fit any application and allow administrators to take over control of devices in secured locations, administrators could see what trespassers are seeing and shut off cameras and audio to stop information leaks.

GeoFencing in FileCloud

Geopolitics and government cost-cutting combined have added urgency to moving files and sharing them in the cloud: cost-cutting because the cloud is perceived to be cheaper than on-premises, and geopolitics because greater scrutiny of where files are located and who they are shared with is accelerating the need to geofence data.

With FileCloud Online, you get the complete flexibility and choice to decide where your organization’s data is stored. FileCloud Online is hosted in secure, world-class data centers in the US, EU, Canada, Australia, and Asia. You can select a region that is right for your business. FileCloud also enables administrators to discover and manage sensitive data. DPOs and administrators can now search for common data types using built-in pattern identifiers, including e-mail addresses and phone numbers.

Conclusion

There is no standardized global law for cybersecurity and privacy. The European Union (EU) has stricter, more encompassing privacy policies than those in the United States (US). According to IT Governance, “unlike the European Union, the US has no single federal law that regulates information security, cybersecurity, and privacy throughout the country. Several states have their own cybersecurity laws in addition to data breach notification laws. These areas are currently regulated by a patchwork of industry-specific federal laws and state legislation, with varying scope and jurisdiction.” Geofencing is emerging as a tool offered to perform tasks, instead of just notifying administrators. Current privacy policies and laws are insufficient when the scope of geofencing is applied to current methodologies. Geofencing must be regulated in a fashion that ensures the data collected is important and relevant, and that the information is kept safe from potential threats.

Data Privacy in the US and Privacy Shield

Data privacy is of utmost importance to governments across the world; it is about protecting the rights of the citizens and their information, and how the same will be collected, stored, used, or managed. The information collected by many organizations as part of undertaking their business could be highly sensitive as well. Examples of such data are healthcare information, financial information like credit card details, etc. apart from the name, address, and contact details of citizens.

Protecting this data is important as it can be misused in many ways like identity thefts, frauds, stalking and harassment, and much more. A lot of such incidents have had serious repercussions, including huge financial losses to organizations and governments across the world. This led to stringent data privacy laws coming into place. While each country or region implements it using different mechanisms, the underlying common objective remains the same; to protect the citizens’ rights about how their data is collected, stored, used, and managed.

The GDPR which came into existence in the European Union is a good example of how the EU is ensuring this aspect. The GDPR law does not just cover the EU region but is also applicable to all entities that collect and deal with data of citizens of the EU. The US too has some stringent laws for data privacy; the only difference in the US is that there is not one federal law that is applicable across the spectrum like the GDPR. Instead, these are mostly at the state level and may differ in their definitions and application.

Also, there are federal laws linked to data privacy for specific industry verticals such as:

  • Patient information in healthcare – Health Insurance Portability and Accountability Act (HIPAA)
  • Minor data protection – Children’s Online Privacy Protection Act (COPPA)
  • Banking and finance – Gramm-Leach-Bliley Act (GLBA)
  • Students’ personal information – Family Educational Rights and Privacy Act (FERPA)
  • Consumer information – Fair Credit Reporting Act (FCRA)
  • US Privacy Act of 1974

Apart from this, at the state level, most states have adopted laws for data breaches, data disposal, and data privacy in some form. The California Consumer Privacy Act (CCPA), New York Consumer Privacy Act (NYPA), Standards for The Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00) – Massachusetts, Minnesota Government Data Practices Act (Minn. Stat. § 13), etc. are examples of such data privacy laws at the state level.

US Privacy Act of 1974

This law governs how federal agencies handle citizens’ data; citizens are given the right to know, see, and request correction of information held by government agencies. Agencies are also bound by certain principles while collecting information, and only employees who ‘need to know’ are provided access to such information.

This law is further complemented by each of the specific laws mentioned above, as well as the state-level laws which cover most of the basic principles of data privacy in the form of:

  • Personally Identifiable Information (PII) that includes identification and contact information like name, address, and social security number, etc.
  • Personal Health Information (PHI) that covers personal health information, medical history, insurance details, and so on.
  • Personally Identifiable Financial Information (PIFI) that includes citizens’ bank account, credit card, and such information.
  • Student details that cover grades, transcripts, and other academic records.

Privacy Shield

The International Trade Administration (ITA) within the U.S. Department of Commerce, which administers the Privacy Shield program, defines it as:

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

The audiences of this program include US businesses, European businesses, EU and Swiss individuals, and Data protection authorities. The program provides a framework for each of these entities to ensure that the data they transfer outside the EU are adequately protected, based on compliances laid out by the program. The EU and Swiss individuals can also understand how participating US entities are protecting and handling their data.

Additionally, the data protection authorities in the EU have access to a dedicated contact who acts as a liaison with them. This helps address any queries about the Privacy Shield program. There is a participation list available on the website, with information about each entity along with its certification details and data privacy coverage.

Participation in the Privacy Shield program is voluntary for organizations, and they can opt out of it at any time as well. However, once they opt in and make the public commitment to comply with the Framework requirements, the commitment becomes enforceable under U.S. law. According to the details on the program’s website, only U.S. legal entities subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT) are eligible to participate in Privacy Shield. Participation is done by going through the requirements provided and sending a self-certification submission to the Department of Commerce (DOC).

The Privacy Shield website lays out a clear step-by-step process that organizations need to follow to self-certify. There is also a FAQ to assist at every step of the process. Similarly, there is a detailed withdrawal process that organizations can follow in case they choose to withdraw from the policy. The information on the website is comprehensive, and assistance services are also provided for dispute resolution, outreach, and education, as well as participation.

Why is ITAR Necessary in Enterprises?


ITAR is the acronym for International Traffic in Arms Regulation and it consists of a set of compliance guidelines laid down by the Directorate of Defense Trade Controls (DDTC) of the United States government. To put it simply, it is a set of stringent guidelines that must be followed by companies that manufacture, deal in, export, or import any defense articles and services. These guidelines are not limited to physical goods; they also cover information and files, especially CUI (Controlled Unclassified Information). The requirements apply to all articles and services listed on the United States Munitions List (USML).

The tricky part here is that all companies dealing with such goods and services must also ensure that their brokers and partners down the supply chain are ITAR compliant. As is the case with any compliance regime, violations of ITAR result in extremely worrisome repercussions. The penalties, both civil and criminal, are quite high. The fines could run into millions of dollars, along with imprisonment and debarment from further government contracts.

Beyond these repercussions, there is the hit to the organization’s reputation, which could be much more damaging. Large enterprises may well recover from such incidents, but small and medium ones may have to wind up their business altogether. Hence, it is important for all enterprises that deal with such goods and services to ensure that they are ITAR compliant. It is not just a matter of survival; it also allows them to do business with the best in the industry. Dealing with such security-first organizations is a matter of pride for most enterprises. Hence, if they can do so consistently without any untoward incidents, it is also a validation of the enterprise’s high business standards.

The Challenges

The challenges for enterprises, especially small and medium businesses dealing with such sensitive information are many. These stringent compliances need to be built into their everyday data governance, covering all forms of communication, including their employees, customers, and vendors. There has to be a sound data governance policy that can be strictly monitored to ensure compliance. This is a must, as they may also be monitored or audited by governmental agencies themselves.

The compliance requirements are also quite complicated, with multiple layers of security like end-to-end encryption, data classification, data loss prevention, controlled access, and so on. To ensure such strict compliance for data storage and movement, enterprises would look at retaining complete control over their data. They may look at having private servers, stringent access control, sound backup policies, foolproof security measures, and so on. This could mean extra expenses in the form of infrastructure and its maintenance cost, as well as constant monitoring efforts for alerts, logs, and audits.

While these may not look challenging for large enterprises, SMEs will have to balance compliance with their available budgets. With most enterprises moving to cloud service providers to save on infrastructure costs, as well as for the convenience of operations, the compliance factor becomes doubly challenging. With the Cloud come the unique challenges of blending stringent organizational data governance policies into the cloud vendor’s infrastructure.

The Solution

The chances of a lapse on the compliance side are high, as it could simply be an oversight by an employee. However, the repercussions remain the same for any non-compliance that occurs. Hence, it is important to ensure complete control within the organizational infrastructure and data governance policies.

The other option is to look for Cloud service providers who are already ITAR compliant, and also provide you the complete freedom and flexibility to manage your data. It is important to choose a partner that understands the importance of such compliances and maintains its policies, based on constant updates. The cloud contract should also extend to the lapses in the compliances, to protect the interests of the organization. A good idea may be to look at providers that are already working with government agencies, as it would mean that they have a robust compliance system in place.

It is better to list out all data governance requirements as a checklist for all necessary compliances, without compromising on any other organizational requirement. While many Cloud service providers may provide you with a lot of flexibility and control, specific compliances may not be available. A look at the best practices for ITAR Cloud compliance is a good way to prepare that checklist and start ticking.

The Silver Lining

While ITAR compliance may seem overwhelming for most small and medium enterprises, with the right Cloud service partner this can be overcome easily. Cloud service providers like FileCloud understand the importance and sensitivity of such compliance requirements, as they know what it takes.

FileCloud has been working with such agencies, and quite successfully, and the ITAR compliance is quite reliable. Also, there is complete flexibility and control over the data governance policies. If enterprises would like to retain their infrastructure to ensure complete control over the infrastructure, FileCloud can cloud-enable those servers as well.

When the stakes are high, it is always best to ensure all possible risks of non-compliances are plugged. One of the best ways to do that would be to tie up with a partner that best understands this business and makes it easier to do so. With many added benefits, going with a partner like FileCloud could be a big advantage that can make ITAR compliances easy and smooth for enterprises.

HIPAA Compliant File Sharing with FileCloud

The HIPAA Act of 1996 required the Secretary of HHS to promulgate regulations protecting the privacy and security of certain health information. These regulations are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.

The HIPAA Privacy, Security, and Breach Notification Rules now apply to both covered entities (e.g., healthcare providers and health plans) and their business associates. A “business associate” is generally a person or entity who “creates, receives, maintains, or transmits” protected health information (PHI) in the course of performing services on behalf of the covered entity.

FileCloud helps you address the three main concerns around which HIPAA is enforced:

  1. Encryption of ePHI at Transmission and at rest.
  2. Record and Retain activity related to use of or access to ePHI
  3. Instances/ Policies for storing, processing or transmitting ePHI

Objectives

HIPAA focuses on safeguarding ePHI, and FileCloud helps you get there by:

  1. Ensuring confidentiality, integrity, and availability of ePHI
  2. Protecting against anticipated threats and hazards to security and integrity
  3. Protecting against use/disclosure of PHI that is not permitted

Sections of HIPAA

The Security Rule is separated into six main sections that each include several standards and implementation specifications that a covered entity must address. The six sections are listed below.

  • Security standards: General Rules – includes the general requirements all covered entities must meet; establishes flexibility of approach; identifies standards and implementation specifications
  • Administrative Safeguards – are defined in the Security Rule as the “administrative actions and policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
  • Physical Safeguards – are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
  • Technical Safeguards – are defined as “the technology and the policy and procedures for its use that protect electronically protected health information and control access to it.”
  • Organizational Requirements – includes standards for business associate contracts and other arrangements, including memoranda of understanding between a covered entity and a business associate when both entities are government organizations; and requirements for group health plans.
  • Policies and Procedures and Documentation Requirements – requires the implementation of reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of the Security Rule; maintenance of written (which may be electronic) documentation and/or records that includes policies, procedures, actions, activities, or assessments required by the Security Rule; and retention, availability, and update requirements related to the documentation.

HIPAA on FileCloud

FileCloud offers you a shared responsibility model to adhere to HIPAA regulations. The Privacy Rule assures the confidentiality and the authorized uses and disclosures of all Protected Health Information in any form—oral, paper, and electronic. The Security Rule provides safeguards for the confidentiality, integrity, and availability of Electronic Protected Health Information (e-PHI), or a subset of that information as safeguarded by the Privacy Rule. The Security Rule is meant to complement the Privacy Rule in protecting e-PHI. The three core objectives of the rule are confidentiality, integrity, and availability. To achieve these objectives, the HIPAA Security Rule defines three types of safeguards: administrative, physical, and technical.

Required

  • Unique User Authentication / Person or Entity Authentication
  • Emergency Access Procedure
  • Audit Controls
  • Integrity Controls

Addressable

  • Automatic logoff of users
  • Encryption and Decryption

In this blog, we will focus mainly on technical safeguards and how FileCloud helps you meet these requirements.

User Authentication

FileCloud allows access only to authorized users with the correct username/password. This is valid for internal users and external users (vendors, patients, contractors, etc.)

Furthermore, FileCloud supports two-factor authentication for an additional level of security. (Full accounts only)

No files should be allowed to be anonymously available. This requires that “Share Mode” is set to private shares only.

In your admin portal – Go to Settings / Policies – In “all” your policy groups, change the “Share Mode” to “Allow Private Shares Only”

Emergency Access Procedure

FileCloud can be backed up by most third-party Backup Endpoint solutions. The information required is the backup database files that are created automatically every day.

Files are created at:

C:\xampp\htdocs\scratch\autobackups (Windows)

/var/www/html/scratch/autobackups (Linux)

In addition to this, a backup of Managed Storage (all the files) is required.

Check our backup instructions here.

FileCloud ServerLink (part of the Enterprise package) replicates the whole FileCloud installation, including files, file indexes and audit trails, to a remote server or a branch office (hospitals). If one instance goes down, data can be accessed from the duplicate FileCloud instance.

FileCloud supports a “High Availability” (HA) architecture, which helps customers build redundancy across all layers of their infrastructure and ensures access to the records even when parts of the system go down due to disasters or technical issues. During emergency situations, Administrators can access any end-user files by resetting the user password or accessing files via the Admin portal.

When using FileCloud Online – Enterprise, your system is completely backed up every day, and we keep these backups for three months. If something happens to your data, you can request that the backup from a certain date be restored.

Besides the backup of your site, your FileCloud site has additional protection mechanisms to save files deleted or edited.
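A monitoring check for the daily database autobackup on a self-hosted Linux server, added here as an example (it is not FileCloud code). It assumes any non-empty file under the autobackups directory is a backup artifact, since the article does not give the backup file naming; the function names, status strings and manifest path are hypothetical.

```shell
#!/bin/sh
# Added example: confirm the daily FileCloud database autobackup exists, is
# recent, and can be integrity-checked after it is copied off the server.

# Linux location named in the article; override for custom installs.
AUTOBACKUP_DIR="${AUTOBACKUP_DIR:-/var/www/html/scratch/autobackups}"

# count_files DIR [extra find tests...] -> number of non-empty regular files.
# Prints one dot per match and counts bytes, so odd file names cannot skew it.
count_files() {
    cf_dir="$1"; shift
    find "$cf_dir" -type f -size +0 "$@" -exec printf '.' \; | wc -c | tr -d ' '
}

# check_autobackup DIR [MAX_AGE_HOURS]
# Prints a status word and returns:
#   0 OK           at least one non-empty file newer than MAX_AGE_HOURS
#   1 STALE        files exist, but none is recent enough
#   2 EMPTY        directory exists but holds no non-empty files
#   3 MISSING_DIR  directory does not exist
check_autobackup() {
    cab_dir="$1"
    cab_hours="${2:-24}"
    if [ ! -d "$cab_dir" ]; then echo "MISSING_DIR"; return 3; fi
    cab_total=$(count_files "$cab_dir")
    if [ "$cab_total" -eq 0 ]; then echo "EMPTY"; return 2; fi
    cab_fresh=$(count_files "$cab_dir" -mmin "-$((cab_hours * 60))")
    if [ "$cab_fresh" -eq 0 ]; then echo "STALE"; return 1; fi
    echo "OK"
}

# Pick whichever SHA-256 tool is installed (GNU coreutils or the Perl shasum).
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then echo "sha256sum"
    elif command -v shasum >/dev/null 2>&1; then echo "shasum -a 256"
    else return 1
    fi
}

# write_manifest DIR MANIFEST
# Records a SHA-256 for every non-empty file, with paths relative to DIR.
# Keep MANIFEST outside DIR so it does not list itself.
write_manifest() {
    wm_dir="$1"; wm_out="$2"
    wm_tool=$(sha256_tool) || return 4
    case "$wm_out" in /*) ;; *) wm_out="$PWD/$wm_out" ;; esac
    # $wm_tool is left unquoted on purpose so "shasum -a 256" splits into words.
    (cd "$wm_dir" && find . -type f -size +0 -exec $wm_tool {} + > "$wm_out")
}

# verify_manifest DIR MANIFEST
# Returns 0 only if every file listed in MANIFEST is present in DIR and
# unchanged. Run it against the off-server copy before relying on it.
verify_manifest() {
    vm_dir="$1"; vm_manifest="$2"
    vm_tool=$(sha256_tool) || return 4
    case "$vm_manifest" in /*) ;; *) vm_manifest="$PWD/$vm_manifest" ;; esac
    (cd "$vm_dir" && $vm_tool -c "$vm_manifest" >/dev/null 2>&1)
}

# Stand-alone use, e.g. from cron:  sh check_backup.sh --check 24
if [ "${1:-}" = "--check" ]; then
    check_autobackup "$AUTOBACKUP_DIR" "${2:-24}"
    exit $?
fi
```

A non-zero exit from `--check` is the signal to alert on; the manifest written on the server is verified against the copy held by the third-party backup tool.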

 

Audit Controls

All FileCloud activity is recorded in the Audit Records. These records can be viewed and exported from the Settings / Audit section.

All audit records are saved in the FileCloud database. If you have a SIEM server, FileCloud can integrate with it and send all transaction entries directly to your SIEM, which can then raise alerts and monitor and record all the activity.

 

Integrity Controls

FileCloud provides a Heuristic engine that ensures data integrity is protected against Ransomware attacks.

This will check the files when they are created/edited/deleted.

Additional protection for normal files operations:

Automatic Logoff

FileCloud User Session Expiration ends a session after a predetermined time of inactivity. Administrators can configure the time based on their organization’s policies. Once a user session exceeds the inactivity period, the session expires, and the user is required to log in again.

 

Encryption and Decryption of Files

FileCloud ensures that information is fully encrypted with advanced AES 128 encryption when it is transmitted and stored. Only the correct user with the appropriate permissions and decryption key can decrypt the data.

Besides data encryption, SSL certificates are in place to ensure that data transport is encrypted between the server and the end-user.

To protect login credentials, user passwords are hashed using the secure SHA-1 hash algorithm.

Enable Secure NIST Password

To enable the secure NIST password check, go to Settings / Misc / Password, enable the feature “Disallow Commonly Used Password”, and save the settings.

At any time a password is created or updated, before the password is accepted, FileCloud Server checks the suggested password against the US NIST Password Guidelines list.

 

 

Healthcare activities of all kinds are strictly controlled by HIPAA (Health Insurance Portability and Accountability Act) regulations among others. For the American Pediatric Society and the Society for Pediatric Research, FileCloud offers HIPAA compliant audit trails. The audit records show which users acted in which way (access, modification, deletion, or other), on which data (includes files and folders), at what time (full timestamp), and through which device (web or mobile, for instance.) More than this, FileCloud also gives APS and SPR data leak prevention capabilities, such as remotely wiping or blocking devices to avoid illicit access, as well as seeing in real-time which devices are connected.

 

Tips for Preventing Data Breach/ Data Leak Prevention

In today’s digitized global economy, a data breach or data leak can expose sensitive information, insights about the company’s growth patterns, its competitive differentiators, and much more.

With the increasing volume of data, businesses need to look for alternatives that not only solve their storage problems but also offer security against data breaches and ransomware attacks. In this article we will discuss data breaches and tips for preventing them.

According to data breach research conducted by Verizon, “43% of breach victims are usually small, growing businesses”. The report also highlighted, “Healthcare sector constituted 15% breaches, Financial industry constituted 10% breaches”. IBM reports that the average time to identify a breach in 2019 was 209 days, which implies that businesses need to look at scaling up their security infrastructure exponentially, since breaches can lurk for so long that by the time they are identified, businesses have already incurred huge losses.

The tips below, together with the other security measures provided by DLP tools, can ensure a secure enterprise environment that stops data leaks and data breaches, whether they are caused automatically or manually.

What is a Data Breach?

A data breach, also commonly known as data leakage, is the release of sensitive and confidential data with the intent of causing huge losses to the business. Data breaches are not necessarily the result of a hacker attack but could also be an insider job; therefore, businesses should always take precautions to protect data from falling into the wrong hands.

Businesses receive and store terabytes of sensitive data such as clients’ banking details, employees’ social security numbers, or project details, and data leakage would mean a complete or partial loss of data, depending on how the breach occurs.

Implementing new technological security practices and processes reduces data leakage to a bare minimum, while Data Loss Prevention (DLP) prevents data loss.

Types of Information leaked during data leakage:

Different groups or types of information which can be leaked:

  • Financial and Banking Data: consisting of credit card numbers, bank details, and financial statements, etc
  • Personal Health Information (PHI): consisting of information related to past, present or future physical or mental health condition of individual
  • Personally Identifiable Information (PII): consisting of information related to identification, location, and contact details of an individual
  • Intellectual property Data: consisting of patents, client lists, trade secrets, contact details, etc.
  • Sensitive Information: Consisting of meeting recordings, protocols, agreements, and classified documents.

Causes of Information Leakage:

  • Insider Threats: Insider threats include employees who have access to sensitive data and can turn on the business in exchange for financial gain, etc.
  • Payment Fraud: Credit card breaches result in payment fraud through illegal transactions. Here, hackers set up fake online shopping stores offering a profitable deal, and once a user inputs his/her card details, the information is stolen.
  • Loss/Theft: Sensitive information is at stake when mobile phones, laptop computers, or hard drives get stolen. The physical loss of such devices can result in huge losses to the business.
  • Unintended Disclosure: Saving data in a non-secure location can mistakenly expose it on the internet. The worker has not thought through the repercussions and thereby unintentionally exposes data to hackers.

Tips for Data Leakage Protection:

A data breach in the business’s storage system occurs silently and lurks in the background without the business’s knowledge. Data is stolen gradually over several days, and by the time the breach is identified, a complete loss of data has already occurred.

Several experts are of the opinion that data leakages are not completely preventable and therefore safeguard practices such as detection, containment and remediation should be thoroughly followed.

Some of the best practices that can help businesses prevent data breaches are:

  • Investing in the right security infrastructure: Investing in the latest security infrastructure can make the system more secure and less prone to data breaches.
  • Vulnerability assessments: Systematic and regular review to fill any security gap that is identified. This ensures that the vulnerabilities can be identified and mitigation steps can be taken for the same.
  • Simulated Penetration testing: Simulated testing to check for exploitable vulnerabilities in the system. This technique identifies the loopholes and helps in taking corrective measures to prevent any unauthorized access.
  • Staff Training: Training staff in security procedures and processes can help businesses by reducing the risk of unintentional data leakages. This in turn can increase the awareness of the staff in matters of security and help them in identifying the potential threats.
  • Policy for equipment use: Policy can be undertaken on the equipment to be used in the office premises. Questions such as whether the staff members should use their own devices or the devices provided by the business for sharing information are answered through this policy.
  • Compliance with data regulation: Major compliances ensure that all the service providers can work towards making their infrastructure secure by following the latest protocols
  • Data Breach Response Plan: The response plan ensures that all the steps will be predefined in case of a data breach. This ensures that the teams can calmly function and can help by further preventing any data losses.
  • Regular audits and assessment: Regular check-up audits can result in identifying any of the loopholes that may exist in the system and help in providing feedback on the working of the system.
  • Data Backups: Regular data backups need to be maintained so that data copies are available in case data loss has been incurred.

Learn How FileCloud’s DLP Can Help You Prevent Data Breaches

FileCloud enterprise storage and sharing solution (EFSS) not only provides you with the space for storing your data but also provides a workspace where you can collaborate with your team. Whether your preferred hosting option is an on-premise storage, cloud storage or a hybrid storage setup, FileCloud provides you all the necessary tools to prevent data loss and data breaches.

To make your stored files secure, FileCloud employs security protocols like end-point backup, 2 factor authentication, anti-virus scanning and ransomware protection along with more techniques. While your files are protected on the servers, many data breaches happen due to external sharing, hacks, social hacking and malware.

When there are so many invisible threats to sensitive data, you need a smart tool that applies rules to classify confidential and business-critical data, identify violations of internally defined policies, and prevent data leaks from happening across all bases.

FileCloud’s approach to DLP relies on multiple layers of security, including:

  • User Management: monitors data access activities of the authorized personnel to identify any inappropriate activity taking place
  • Encryption and Data masking: encrypts sensitive data, rendering it useless for hackers trying to extract information
  • Data loss prevention: monitors and inspects data at rest, in motion, and while it is stored on the server
  • Behavior Analytics: uses the latest machine learning to detect patterns and identify potentially malicious activities
  • E-discovery and data classification: keeps track of the information to comply with data regulations. Data is classified to make searching files and data easy.
  • Audit trails: keeps track of users and of all the activities currently under way in the cloud system
  • Alerts: uses Artificial Intelligence for keeping track and notifying the admin in case of data breaches

Avoid Breaches and Insider Threats with Data Governance in FileCloud

 

FileCloud Governance offers complete content life cycle management with flexible retention and archival schedules. FileCloud’s Smart DLP and Classification capabilities offer data leak protection and help enterprises comply with data security regulations like HIPAA, FINRA, ITAR, GDPR, CCPA, and others.

With increasing regulations within business processes, any mishandling of files increases the risk of regulatory and financial penalties. FileCloud simplifies data governance by setting policies for automatic document life cycle management, including file retention and archival. FileCloud security infrastructure provides end to end encryption for uploading data, AES 256 bit encryption, and SSL/TLS secure tunnel for data transfer. Additional security measures include two-factor authentication, auto antivirus scanning, and ransomware protection.

Government entities often have significant responsibilities, large projects, and myriad suppliers to manage. In branches of government such as

  • Defense
  • Services to the public
  • National infrastructure

information technology plays an essential part in achieving the performance and results that taxpayers expect.

Information needs to be shared to get things done, but not at the cost of security. Achieving both of these goals simultaneously is a key characteristic of effective government that IT, and file sharing specifically, must support.

The File Sharing Issue

Consider a government department that does not have any robust solution in place for sharing files, storing files in the Cloud, or backing up data. Internal staff and external collaborators will be backing up files and computers onto USB and other removable drives. The result will be increased security risks and loss of data and time.

  • Security Risks – Viruses, worms, Trojans, and other malware can travel easily on USB and similar devices, infecting systems as they are plugged in by unsuspecting operators.
  • Disorganization – Using file repositories without version control and creating multiple copies of the same file that are then edited by different users causes data to be overwritten and often lost. Creating duplicate copies and trying to locate the latest version of a document often causes delays and extra work for both users and the departmental IT staff.

The Security Standards in Government Departments

Government departments are required to meet government and industry standards to protect data. These standards provide guidance for building safe systems and networks, as well as keeping data secure. A strong security policy has to be ensured through two-factor authentication (2FA). The next challenge is to find a file sharing and version control solution that offers compliance with the federal government standard.

The IT team in a government department will need to:

  • Keep track of the comings and goings of the various files for accountability.
  • Set different levels of privileges for internal and external users.
  • Centrally manage all connected devices, including the option to remotely erase data from lost or stolen devices.
  • Use monitoring tools such as reports on usage and notifications on system anomalies.

Security has both advantages and disadvantages. Security policies that are too rigid make it impossible for an organization to function effectively. On the other hand, policies that allow too many exceptions expose the organization to information breaches.

Their solution needs to:

  • Work across multiple devices, as users have Macs as well as PCs
  • Keep data safe yet accessible to those with authorization
  • Back up files reliably, yet remain easy to manage

FileCloud is your Solution

Government Organisations use FileCloud for its extensive and reliable functionality.

  • FileCloud can synchronize files across all devices and allow users to back up the files and folders they need in a snap.
  • FileCloud allows IT staff to set granular access permissions, to keep data safe yet accessible to the right person.
  • FileCloud gives users the ability to lock or check out files to prevent conflicting changes.
  • FileCloud sends notifications to alert users when shared files or folders are changed, helping them keep even better tabs on their data.
  • FileCloud also provides the ability to create custom file-based workflows to automate procedures.

Key Advantages of Using FileCloud

  • On-Premise solution – Keep confidential data in-house
  • Secure Access for government employees within the network for data integrity
  • Admin access to all activities of users
  • Remote wipe of mobile devices and revocation of user access
  • Data backup ensuring the protection of confidential data
  • Version control so that all documents and stored data are accurate and current, but old versions can also be accessed
  • FileCloud customers save over 70% against competitor solutions

Manage Content Retention and Archiving

Simplify data governance by setting policies for automatic document life cycle management, including file retention and archiving. FileCloud offers many flexible policy types, including legal hold, archiving, and retention of deleted files.

A record is a document or content that an organization needs to keep as evidence of an important transaction, activity, or business decision for regulatory, compliance and governance purposes. The ISO 15489-1:2016 standard defines records management as “the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records”.

FileCloud simplifies record management by setting policies for automatic document life cycle management from creation to archival and final disposition. FileCloud offers many flexible policy types, including retention, archival, legal hold, and admin hold.

As an administrator, you can create Retention policies to automate some of the processing related to protecting files and their folder groupings. This policy-based automation is designed to help secure digital content for compliance, but it can also enhance the management of digital content for other business reasons. Retention policies are created and attached to files and folders. These special policies allow you to define the conditions that enforce a set of restrictions on how each file or folder can be manipulated.

Smart DLP

Smart DLP provides 360° data protection by bringing data leak prevention capabilities closer to the content and users. Our simple, flexible, rule-driven Smart DLP system prevents accidental data leaks by end users and can save enterprises from huge compliance fines.

Smart Classification

Our Smart Classification engine automatically sorts your content into logical categories within minutes. This flexible content classification engine lets customers create custom search patterns and metadata sets for business-related document classifications.

Our Smart Classification engine automates your PII/PHI/PCI Discovery. Find personally identifiable information (PII), protected health information (PHI), payment card information (PCI), and other sensitive content quickly.

SIEM Integration

FileCloud now integrates with enterprise Security Information and Event Management (SIEM) tools. This new capability allows system administrators to monitor FileCloud alerts and audit events (What, When, Who, and How) in one central place for ease of security management and complete protection.

 

FileCloud’s content life cycle management, classification, and DLP capabilities help enterprises comply with an array of data security regulations such as HIPAA, FINRA, ITAR, GDPR, CCPA, and more. Switch to our intelligent threat protection and safeguard your organization from huge compliance fines.