GDPR and Changing Regulations Mandate Secure Migrations to New Enterprise File Sync-and-Share Platforms
The growth of digital information and the benefits of executing business processes in the cloud are creating a surge in the popularity of enterprise file sync-and-share (EFSS) platforms. Gartner predicts 80% of large and midsize organizations will deploy content collaboration platforms by 2020; and a Forrester survey found that 56% of firms surveyed had implemented a secure file-sharing tool on premises or in the cloud, and another 19% intend to do so in the coming year.1
These trends are not surprising given that enterprise file sync-and-share platforms help internal users collaborate with each other, partners, and customers by providing a secure method to share and work on files from multiple devices. Utilizing an approved EFSS also means employees are less likely to use their own file-sharing apps to store, access, and manage corporate data. Otherwise, shadow IT takes hold, which is risky because data stored on personal platforms is likely non-compliant with regulations and corporate policy. That data is also outside the IT department’s control and visibility, and therefore not sufficiently protected.
But there are also compliance concerns to consider when it comes to the EFSS platforms that are authorized for use by your company and under the control of IT. In heavily regulated industries, such as life sciences, healthcare, and the financial sector, storing data on an EFSS system isn’t a “one and done” deal. You will need to continue monitoring the platform to make sure it remains compliant.
While your EFSS platforms might be compliant today, they may not be when new regulations emerge, such as GDPR, which just went into effect this past May and includes stricter controls as well as harsher penalties. For example, the “right to be forgotten” clause gives customers, under certain conditions, the entitlement to obtain proof of the erasure of their personal data without undue delay.3 Failure to comply with any of the GDPR clauses could result in fines ranging from approximately $13M to $26M, or 2% to 4% of global annual revenue, whichever is higher.4
You also need to consider existing regulations as they change, such as HIPAA, ISO 27001, FINRA, FDA 21 CFR Part 11, and SSAE 16 SOC2. HIPAA, for example, went into effect in 1996, and since then has gone through six major updates.2 Each time an update occurs, IT has to assess whether the changes have an impact on the compliance status of all the EFSS platforms in use across the company.
In light of changing and new regulations, your business must be ready to move data to new platforms quickly and efficiently. You also need to ensure data remains secure in transit, so that it is not only safe from lurking cybercriminals but the migration itself doesn’t violate compliance regulations.
Choosing a Compliant EFSS Platform
Finding an EFSS solution that supports your industry’s regulatory requirements and also offers audit trails to prove compliance can be a challenge. As you start your search, there are some basic security attributes to look for that indicate whether an EFSS platform is compliant. Check carefully: not all EFSS solutions provide all of these necessary security measures:
- End-to-end encryption: Content must be encrypted while at rest, in motion, and while being edited on end-user devices.
- Auditing capability: This includes the ability to monitor log-ins, permission changes and user events for internal and external user accounts.
- Folder permissions: System administrators can provision and remove access rights to folders for employees based on their role and what the business wants them to access.
- External controls: Contractors, vendors, and customers can be given limited-access accounts with control by system administrators over the use of the EFSS.
- Remote wipe: For any devices that are lost or stolen (whether used by internal or external users), the ability to remotely delete files that were downloaded from the EFSS platform is a must.
The attributes listed above will give you a head start as you work to comply with the major industry regulations. However, it’s important to carefully examine the requirements of each regulation that applies to your company because not only do they differ, but as we noted, they are also continually updated. The requirements may vary depending on whether your EFSS service runs on-premises, in the cloud or as part of a hybrid environment.
No matter the environment, you need the ability to monitor, analyze, and respond to issues. Compliance is relatively simpler to achieve in an on-premises environment because of its defined perimeter. But if you’re in the cloud, be sure that the tools you use for these functions move at cloud speed. The cloud requires you to bridge the gaps between private and public networks; physical and virtual environments; physical boundaries and unknown perimeters; and known access vs. unknown access.5
Of all the options on the market, cloud-based EFSS platforms are best suited to keep your organization in compliance with GDPR and other regulations because cloud providers continuously update their security posture and data retention capabilities. Security posture is important because it represents the strength and currency of the controls that have been deployed to prevent cybersecurity attacks. Data retention is also vital since it measures the platform provider’s ability to persist and archive files so that they remain available at all times.
By providing these capabilities, the leading EFSS cloud platform providers enable you to more easily maintain compliance, sometimes with just a few clicks. When a regulation changes or a new regulation goes into effect, you can simply access drop-down menus to modify your cloud environment and quickly comply.
Avoid the Security Risks When Migrating to a New EFSS Platform
Once you have selected an EFSS platform that works with your specific industry standards, the next step involves finding a secure way to migrate your files, whether from on-premises servers to the cloud or between cloud platforms. A poorly executed migration can itself become a regulatory violation: it may produce incorrectly mapped data, data loss, or data cached between systems. Any one of these could lead to substantial compliance fines, and you might leak data that ends up in the hands of cybercriminals.
To avoid the penalties that come from regulation violations, re-evaluate your current migration solution; a migration using ill-equipped tools creates several risks that can lead to compliance infractions and data loss. Inadequate reporting on the migration procedure can also lead to a violation.
Due to how strict regulations can be for keeping records of the sensitive data you store, a migration tool that lacks proper reporting functionality can also leave you in the dark as to where your data is, or where it was as it was being moved. If you don’t have granular visibility into what happened with the data, you won’t be able to prove you handled the migration securely. This blind spot can leave you exposed if you are responsible for sensitive customer data like medical records, financial investments, or credit card information.
Improperly mapped permissions can also prove fatal when it comes to compliance. If a migration results in personally identifiable information becoming visible to those who shouldn’t be able to access it, perhaps due to a permissions mistake, you’re looking at a major violation. But by mapping permissions properly, you can discover and classify data so it is protected and managed in a consistent, reliable way.
EFSS migrations that store and cache files or metadata on servers also jeopardize the security of sensitive metadata. If the cache is stored in a cloud-based infrastructure, you need to know where that infrastructure is based and whether it is secure; otherwise, an unauthorized end user could access it and you risk violating regulations.
Man-in-the-Middle attacks are another factor to consider. An EFSS migration that isn’t completely secure risks accidentally handing sensitive user information to cybercriminals who intercept the data as it migrates from one platform to another.
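The three migration risks discussed above that a defender can actually verify after the fact (inadequate reporting, improperly mapped permissions, and data loss) can all be checked with a post-migration audit. The following is an added example, not code from the original article or from any product it mentions. It assumes a simple ACL model (folder path mapped to principal and permission level), compares source and target ACLs for permission widening, narrowing, and exposure of personal-data folders to external accounts, checks file integrity with SHA-256 digests, and records every finding as a JSON-lines audit record; all sample data is constructed inline.

```python
"""Post-migration compliance checks for an EFSS move (added example).

Assumptions (not from the article): ACLs are modelled as
folder path -> {principal: permission level}; file contents are compared
by SHA-256; audit events are written as JSON lines. Sample data below
is constructed for illustration only.
"""
import hashlib
import json
from datetime import datetime, timezone

# Permission levels ordered from least to most privileged (assumed model).
LEVELS = {"none": 0, "viewer": 1, "editor": 2, "owner": 3}


def is_external(principal, internal_domains):
    """An account outside the company's own e-mail domains counts as external."""
    return principal.rsplit("@", 1)[-1].lower() not in internal_domains


def check_permission_mapping(source_acl, target_acl, internal_domains, pii_folders):
    """Compare pre- and post-migration ACLs and return a list of findings.

    A finding is raised when a principal gained rights (widening), lost rights
    (narrowing, i.e. possible loss of legitimate access), or when a folder
    flagged as holding personal data is readable by an external account
    after the move.
    """
    findings = []
    for folder in sorted(set(source_acl) | set(target_acl)):
        before = source_acl.get(folder, {})
        after = target_acl.get(folder, {})
        for principal in sorted(set(before) | set(after)):
            old = LEVELS[before.get(principal, "none")]
            new = LEVELS[after.get(principal, "none")]
            if new > old:
                findings.append(("widened", folder, principal))
            elif new < old:
                findings.append(("narrowed", folder, principal))
        if folder in pii_folders:
            for principal, level in after.items():
                if LEVELS[level] > 0 and is_external(principal, internal_domains):
                    findings.append(("pii_exposed_external", folder, principal))
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_integrity(source_files, target_files):
    """Return (missing, mismatched) paths after comparing SHA-256 digests.

    Catches silent data loss or truncation introduced by a faulty transfer.
    """
    missing = sorted(p for p in source_files if p not in target_files)
    mismatched = sorted(
        p for p in source_files
        if p in target_files and sha256_hex(source_files[p]) != sha256_hex(target_files[p])
    )
    return missing, mismatched


def audit_event(log, action, **details):
    """Append one JSON-lines audit record to `log` and return it as a dict."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "action": action, **details}
    log.append(json.dumps(record, sort_keys=True))
    return record


def run_checks(source_acl, target_acl, source_files, target_files,
               internal_domains, pii_folders):
    """Run both checks, log every finding, and report whether the migration passed."""
    log = []
    findings = check_permission_mapping(source_acl, target_acl, internal_domains, pii_folders)
    for kind, folder, principal in findings:
        audit_event(log, "permission_finding", kind=kind, folder=folder, principal=principal)
    missing, mismatched = verify_integrity(source_files, target_files)
    for path in missing:
        audit_event(log, "integrity_finding", kind="missing", path=path)
    for path in mismatched:
        audit_event(log, "integrity_finding", kind="mismatch", path=path)
    passed = not findings and not missing and not mismatched
    audit_event(log, "migration_check_complete", passed=passed)
    return passed, findings, missing, mismatched, log


# --- Constructed sample data (not real customer data) ------------------------
INTERNAL_DOMAINS = {"example.com"}
PII_FOLDERS = {"/hr/medical-records"}
SOURCE_ACL = {
    "/hr/medical-records": {"alice@example.com": "editor"},
    "/projects/shared": {"bob@example.com": "editor", "vendor@partner.example": "viewer"},
}
# Simulated migration mistake: the target inherited the vendor's access onto
# the personal-data folder and dropped Bob's rights on the shared project.
TARGET_ACL = {
    "/hr/medical-records": {"alice@example.com": "editor", "vendor@partner.example": "viewer"},
    "/projects/shared": {"vendor@partner.example": "viewer"},
}
SOURCE_FILES = {"/hr/medical-records/a.pdf": b"record-a", "/projects/shared/plan.docx": b"plan-v1"}
# Simulated transfer fault: plan.docx arrived truncated.
TARGET_FILES = {"/hr/medical-records/a.pdf": b"record-a", "/projects/shared/plan.docx": b"plan"}

if __name__ == "__main__":
    ok, *_, log = run_checks(SOURCE_ACL, TARGET_ACL, SOURCE_FILES, TARGET_FILES,
                             INTERNAL_DOMAINS, PII_FOLDERS)
    print("\n".join(log))
    print("PASS" if ok else "FAIL")
```

On the constructed data the check fails with three permission findings (the vendor account widened onto the medical-records folder, that same account flagged as an external principal with access to a personal-data folder, and Bob's access narrowed on the shared folder) plus one integrity mismatch, and every finding is persisted to the audit log so the migration report can show exactly what was examined.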
Enabling EFSS to Continue Performing as a Powerful Collaboration Tool
Over time, you may realize that one of your EFSS platforms that is compliant with regulations isn’t enabling end users to do their jobs. The most common reason is that they can’t collaborate and work on joint projects efficiently. Given that businesses store and share volumes of personal and sensitive information subject to regulations, particularly in the healthcare, life sciences, and financial sectors, compliance still needs to be a top priority.
With a comprehensive and intuitive migration client, such as Cloud FastPath from Tervela, moving your data compliantly is simple, secure, and straightforward. The solution automates user and permission mapping, which reduces cutover time and costly errors when moving from one EFSS system to another. Cloud FastPath also tracks what you’ve done for audit purposes and streams data directly from source to target with transport layer security in effect during all stages. No data is staged, cached, or written to disk, which means no person or system has access to your data while it is at rest or in motion.
Armed with these capabilities, you can mitigate all the risks discussed above and enable your EFSS platforms to continue serving as powerful tools so your end users can continue to work with remote colleagues and provide services to customers effectively. To see a real-life example in action, check out this case study showing how Icade, a real estate investor and developer, successfully migrated 40+ terabytes of content and 1,000+ employees onto an EFSS.
For help in developing a long-term strategy to move your company’s data files to a standardized storage platform in the cloud, sign up for a free trial of Tervela Cloud FastPath and discover the power of cloud migration!