For a variety of industries, data security must meet rigorous compliance standards. Regulations vary, but one truism among all regulated industries is that confidential business data should reside on secure servers that unauthorized parties can’t touch.
But even organizations striving to stay compliant are tempted by file sharing applications hosted in the public cloud. With low costs and intuitive interfaces, these applications make a great first impression on users. However, using these applications for enterprise file sync and share (EFSS) could introduce serious challenges, namely:
- The provider’s data security isn’t sufficiently robust to pass an audit.
- A compliance-certified provider could be acquired by a similar cloud company that doesn’t support the same standards.
Let’s explore these two challenges with an eye toward how you can steer your organization in a direction that aligns with your long-term compliance outlook.
Pitfalls of the public cloud
There’s no doubt that the public cloud revolutionized the consumer software market. In recent years, Dropbox has emerged as one of the most successful players, thanks to its easy-to-use interface.
The thing is, Dropbox fails to provide the data security features necessary for compliance-dependent organizations pursuing EFSS. Look no further than the healthcare industry, where privacy officers openly bemoan Dropbox’s use among healthcare providers and research associates. The application, though definitely easy to use, is not HIPAA compliant – and it never has been.
According to the Department of Health and Human Services, software must incorporate all of the following technical safeguards, among others, to ensure HIPAA compliance:
- Audit controls: Applications used by healthcare facilities must “record and examine access” to any systems that contain protected health information (PHI). Dropbox maintains a limited history of user actions, but it does not keep a complete audit trail.
- Integrity controls: Applications must ensure no PHI is ever “improperly altered or destroyed.” With Dropbox, it’s impossible to verify the authenticity of PHI and ensure that it hasn’t been improperly altered.
- Transmission security: When PHI is transmitted over a network, certain “technical security measures” must prevent it from falling into the hands of unauthorized parties. Unless users pair Dropbox with third-party encryption technology, there’s no way to guarantee the security of data in transit.
File sharing applications based in the public cloud – and Dropbox is just one of several – rarely ensure compliance with industry regulations and could cause your organization to fail an audit.
More control, not more uncertainty
Now let’s say you find a hosted EFSS solution that meets your compliance requirements.
The danger with this decision is that it ignores three significant realities of using hosted applications in compliance-dependent industries:
- Cloud computing is a dynamic, evolving area of technology.
- Cloud companies are frequently acquired by other cloud companies, which could affect the types of services they offer.
- When it comes to software applications, maintaining compliance requires control and predictability – not uncertainty, dynamism, and change.
There’s a place for SaaS products in business, and many compliance-dependent organizations use them to great effect when the product is not used to share sensitive data.
But a fast-changing environment signifies a lot of unknowns for compliance. In the event your EFSS solution was acquired by a provider who can’t support the same compliance standards, what would happen to your data? Would it be “transitioned” to a non-compliant hosting arrangement? Would you be forced to quickly change platforms? It’s hard to be sure.
The only thing that’s certain is that your organization would find itself in the midst of an unexpected compliance crisis.
Using your resources
Enterprises can take advantage of existing infrastructure to host their own data and control access in a way that ensures compliance with industry regulations. And they can do it while providing a modern, intuitive interface – the same sort of environment seen in Dropbox.
Solutions like Novell Filr deliver all the advantages of popular public cloud platforms without the data security concerns. IT can take back control. Users get the simple, familiar interface.
Part of staying compliant is not exposing yourself to unnecessary risks. For the enterprise, the public cloud may offer simple file sharing, but it’s also an enormous compliance risk. If you have the resources to avoid that risk – and keep your users happy – why not use them?