Enable Employee Workflows While Preventing Costly Data Breaches

User apps, such as email and file sharing, define an external perimeter where content enters and exits your organization. Enterprise apps and storage repositories define an internal perimeter around your most sensitive and valuable content. Access through these perimeters should be both simple and secure to ensure seamless workflows across your extended enterprise. Given the variety of applications and user workflows, however, providing simple access is actually a very complex challenge. Users can range from internal senior executives to trusted suppliers to external consumers and workflows can range from distributing a board of directors’ presentation to signing customer contracts. Preventing breaches while enabling workflows requires the implementation of strong data privacy controls: very complex access rights and privileges across many user roles. Therefore, consolidating access management through single sign-on and a directory service should be high on the list of requirements for building out a secure content sharing channel.

CISOs must enable secure online collaboration that balances the protection of sensitive content with the overwhelming need to share it, easing access while preventing breaches, ensuring privacy alongside transparency, and adhering to complex regulations without getting in the way of efficient communication. Each trade-off entails risks. This blog series explores these trade-offs and offers six guiding principles for creating a secure content sharing channel that enables work across the extended enterprise and protects your most sensitive digital assets.

Public Cloud Risk

In my last blog post, I shared how CISOs can protect their most prized digital assets by controlling and monitoring every file that enters or leaves their firm. Today, I’ll explore the pitfalls associated with providing simple, seamless access to content.

Securing IP Must Go Beyond Granular Policy Controls for Authorized Insiders

Securing authorized access, however, is just the first step. Just as much attention must be given to preventing unauthorized access, especially to your most sensitive content. All content sharing should be encrypted from origin to destination. Sensitive enterprise content should also be encrypted in storage, and access should be further restricted with multi-factor authentication. In addition to comprehensive data encryption, your most sensitive content, such as legal documents, health records and proprietary IP, should only be stored on premise. Public cloud storage not only exposes data to unauthorized access by unknown third parties, but the consolidation of data creates a honey pot for attackers and increases the risk of a large-scale breach. In addition, the US federal CLOUD Act of 2018 allows US law enforcement to compel technology companies via subpoena to provide data stored on their servers, regardless of whether the data is stored in the U.S. or on foreign soil. In plain English, your sensitive data can be collected in bulk without your knowledge or approval. An on-premise or hybrid cloud deployment should be the standard for truly sensitive information and IP. If on-premise storage is not possible and cloud storage must be used, then encryption keys should be unique to your organization and stored in a separate, secure location.

Enforce Granular Permissions and Build a Strong Perimeter

Securing authorized access is only the first step. Just as much attention should be given to preventing unauthorized access from malicious outsiders. [source: Accellion secure file sharing and governance platform]

Analyze Every Inbound and Outbound File for Added Security

Access controls can lock out unauthorized users, but they can’t protect you against unauthorized content, such as incoming malicious email attachments or outgoing leaks of proprietary IP. Therefore, your security architecture must extend beyond securing users to securing content. At a minimum, every inbound file should be cleared by anti-virus software prior to storage in an enterprise content repository. Outbound files should be scanned using data loss prevention (DLP) software to block leaks of sensitive content. Both inbound and outbound content scans can be accelerated to ease access by taking a stratified approach. More suspicious files can be queued for advanced threat protection (ATP) processing to isolate and execute them in a secure environment. By implementing a data classification standard, DLP scans can be performed offline while sharing requests can be processed in real-time.
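The stratified approach described above can be sketched as a small routing function. This is an added example, not Accellion's code: the `Action` names, the risky-extension list, the `restricted` label and the sample events are all assumptions made for illustration.

```python
import os
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    QUEUE_ATP = "queue_atp"  # hold for execution in an isolated environment
    HOLD_DLP = "hold_dlp"    # hold until the offline DLP scan has labelled it

# Assumed policy values for illustration; replace with your own standard.
RISKY_EXTENSIONS = {".exe", ".js", ".iso", ".docm", ".xlsm"}
BLOCKED_OUTBOUND_LABELS = {"restricted"}

@dataclass
class FileEvent:
    name: str
    direction: str                 # "inbound" or "outbound"
    av_clean: bool = True          # inbound: anti-virus verdict
    external_sender: bool = False  # inbound: file came from outside the org
    label: Optional[str] = None    # outbound: label set by the offline DLP scan

def triage(ev: FileEvent) -> Action:
    if ev.direction == "inbound":
        if not ev.av_clean:
            return Action.BLOCK
        ext = os.path.splitext(ev.name)[1].lower()
        # Only the more suspicious files pay the sandbox latency.
        if ev.external_sender and ext in RISKY_EXTENSIONS:
            return Action.QUEUE_ATP
        return Action.ALLOW
    if ev.direction == "outbound":
        # The real-time decision is a label lookup; content was scanned offline.
        if ev.label is None:
            return Action.HOLD_DLP  # fail closed on unclassified content
        if ev.label.lower() in BLOCKED_OUTBOUND_LABELS:
            return Action.BLOCK
        return Action.ALLOW
    raise ValueError(f"unknown direction: {ev.direction!r}")

# Constructed sample events, not real traffic.
SAMPLES = [
    FileEvent("minutes.pdf", "inbound", external_sender=True),
    FileEvent("invoice.DOCM", "inbound", external_sender=True),
    FileEvent("setup.exe", "inbound", av_clean=False, external_sender=True),
    FileEvent("roadmap.pptx", "outbound", label="Restricted"),
    FileEvent("draft.docx", "outbound"),
]

def run_samples():
    return [triage(ev).value for ev in SAMPLES]
```

An outbound file with no label is held rather than allowed, so a gap in offline classification cannot become a leak path.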

In the next post, I’ll discuss the challenge in balancing privacy with transparency. While users across your extended enterprise expect easy access to sensitive content, they also expect complete confidentiality.


*** This is a Security Bloggers Network syndicated blog from Cyber Security on Security Boulevard – Accellion authored by Cliff White. Read the original post at:

Cliff White

Cliff White is Chief Technology Officer (CTO) at Accellion. Mr. White joined Accellion in 2011. He has more than 15 years of experience in the software industry and web-based technologies. He has also managed global engineering teams and advised C-level executives on software product engineering and best practices. Before joining Accellion, Mr. White developed highly scalable software for, an online media hosting company and one of the most visited websites on the internet. Previously, he led the engineering function for, a peer review and recommendation website for rental properties before it was acquired by