Editor: Why is data security and privacy in the news so much at the moment? What’s changed?
Hadfield: The volume of documents being shared electronically is increasing, of course, but what’s changed is the level of awareness around the security risks posed when sharing a document, and how important it is to ensure that the document is protected. Clearly, the documents that corporate counsels share contain high-value intellectual property and highly sensitive or personally identifiable information. There’s also – and I’m happy about this – an increasing awareness of the risks associated with hidden metadata within documents, whether that be track changes in Word, notes in a PowerPoint presentation, or confidential financial information in an Excel table. Finally, there is a huge surge in the Bring Your Own Device trend, which means more and more knowledge workers in the legal sector are working outside the traditional confines of the office on a mobile device, and people need to become more aware of the risks there, too.
Editor: How can people be sure they’re sharing their highly confidential files securely?
Hadfield: This is something we care deeply about. We’ve been helping lawyers and corporate counsels to share highly sensitive documents securely for years. The traditional mechanism for this has been as an attachment to email, but recently there have been changes in how people work – increasingly outside of the office and work hours, where they don't always have access to their desktop. The problem is that they’re sharing in a range of different ways, using FTP services, consumer-grade file-sharing services, and using personal consumer email accounts. IT departments therefore need to make sure that all of their channels, not just email, are covered and made secure.
Having the proper measures in place that allow corporate counsels to feel secure about what they’re sharing normally falls on IT. Their role is to protect corporate IP, ensure compliance, and build coherent security policies, which have been developed in line with users’ needs and behavior.
Editor: You mentioned earlier that people rely on consumer-grade file-sharing applications such as Dropbox and ShareFiles. How do corporate counsels successfully implement an enterprise-grade file-sharing application and ensure that the people they collaborate with actually use it?
Hadfield: The way business professionals want to work now, increasingly via mobile devices,[1] has created a breed of tech-savvy users. People are comfortable with installing and using simple consumer-grade file-sharing applications for work. There’s an expectation from business consumers for the same level of flexibility and simplicity with enterprise file-sharing applications. Everyday users are using the same kinds of applications they use to share photos for work, and this is a real problem. In fact, it’s often called the “Dropbox problem.” It becomes IT’s problem when they lose control of what is shared with whom. This has a direct impact on compliance, but also on the ability to have an audit trail - two of the basic tenets of any secure document-sharing application.
So in response, IT needs to provision a sanctioned application that is as easy to use as consumer-grade applications, but totally secure. People will naturally find their own way of completing tasks if something isn’t easy to use – and alternative options and solutions won’t have the kind of protection that’s needed for dealing with sensitive or high-value documents. The irony is that if something is secure but isn’t user friendly, it breeds unsecure practices as users find other ways to share.
Another method for driving adoption is to add real business value to enterprise file-sharing applications. Creating the kinds of applications that people really love to use is what Workshare is all about, but more importantly, we create the kinds of applications that deliver real and quantifiable additional value to businesses. I’ll give you an example. We were approached by a large law firm in Southern California whose IT department understood the appeal of consumer-grade file-sharing applications and was keen to provide their lawyers with an IT-sanctioned alternative. They looked to Workshare and found that it wasn’t only the fact that Workshare products support the users while working on mobile devices and outside of the office, but that they also included Workshare’s award-winning comparison application, Workshare Professional 8. The patented DeltaView technology has now been made available on the lawyers’ mobile devices, and along with being user-friendly, it was this that added real business value – the ability to compare versions of documents on the move – that sold them.
Editor: Describe how the Professional 8 application fulfills a corporate counsel’s need to securely share files.
Hadfield: The big news with Workshare Professional 8 is that it includes Workshare’s secure file transfer functionality and extends that functionality dramatically to cover all channels: email, web applications, tablets and mobile, which we have just discussed. Notably, it includes end-to-end encryption, so that all files are sent securely. End-to-end encryption is an important part of the Workshare value as it ensures that data is protected during transfer or “in-flight.” Given that users are sharing files online, the other capabilities corporate counsels should be looking for is encryption of data “at rest,” held in the shared online environment. As we identified earlier, a big risk for corporate counsels is the inadvertent sharing of sensitive data – either in the document itself, or hidden inside as track changes or notes. Professional 8 includes the ability to identify and strip metadata from files.
Editor: When you are using Professional 8, does a warning immediately pop up to prevent you from inadvertently sharing sensitive data?
Hadfield: We’ve made a series of enhancements to the way the metadata alert is delivered: a warning will appear letting you know you are potentially sending something you shouldn’t. We have been identifying and eliminating hidden metadata inside documents that are about to be sent for over 12 years. In fact, 62 percent of Fortune 1000 corporate counsels use us today as do 98 percent of the law firms in the United States. But, despite this market position, we have not been complacent. We’ve enhanced the process dramatically in Professional 8 with our Interactive Protect feature. It analyzes documents as soon as they are attached to an email, giving you a detailed list of the hidden data, or metadata, associated with that document. It also gives you a clear and obvious way to deal with those potential issues, for example, by cleaning the track changes, or removing the notes that have been made in the document.
With the new process, by the time the email has been completed, all the analysis and cleaning has been done. This means that when you hit "send," the clean version of the document is ready to be sent with minimal interruption to the workflow. It’s that simple.
Editor: Does Workshare use anything besides encryption as the basis of data security?
Hadfield: One of the things we would advise corporate counsels to think about is a higher concept of security. End-to-end encryption must be a basic requirement, but we also should be able to control what happens to the document once it’s sent. One of the dangerous things about consumer-grade file sharing is that once the file is out there, there’s no control over what can be done with it. So we’ve created a permission-based management over what a recipient can do with that file. I could “disallow” you from re-sharing that file, that is, I could prevent you from being able to download it. I could also limit the timeframe in which you’re able to access the file, setting an end date for access. These are some of the permissions that we can apply to the file because with a business document, it’s important to be able to control what’s happening to it.
Editor: Could you provide an example of how Professional 8 allows for safe file sharing?
Hadfield: Let’s look at how this would apply in a workflow. Say I am a corporate counsel working with an opposing counsel during a contract negotiation, and we begin with a nondisclosure agreement that would be signed, scanned, and sent back to me. I would then use something like iManage to file it, and I may want to acknowledge the receipt of the signed agreement by resending a text-based version. If I was using anything less than an enterprise-grade file-sharing application, all sorts of problems could happen. Firstly, I’ve shared a document with the opposing counsel that may well contain hidden data, perhaps a previous version of a very important nondisclosure clause I didn’t want the opposing counsel to see. The track changes might have been visible to the opposing counsel and, frankly, all they might have had to do is press the undo button and they would see what I’d deleted. The big problem is that once that file is out there, I’d have no control over what happens to it.
If a sensitive file is being shared, depending on the level of the individual sharing the document, we can set the policy up to have some decision making left to the lawyers. That’s mostly where the Interactive Protect feature benefits come in. For example, it might be more appropriate to completely block the email if it contains metadata, if say the word “confidential” appears. These are the sorts of very granular policies that we can predefine. We can tailor security to give various permissions to people within the same organization in line with an active directory integration, which is a policy IT administrators create to assign different file-sharing rights to individuals.
Editor: How do enterprise file-sharing applications like Workshare’s help corporate lawyers control where their information is stored geographically?
Hadfield: That’s a very important issue, and I’m glad you brought it up. It’s ironic that in a cloud environment, we’re actually advising people to care about where data is physically located. One of the unique things that Workshare allows you to do is choose the geographical location of the data center where the documents are stored, as this impacts which jurisdiction your documents fall under and therefore which legislations need to be complied with. For example, in much of northern Europe, privacy is a major concern, and some industries and agencies are not allowed to have data held outside of the country. In other countries, there are safe harbor considerations. Some U.S. states have particular considerations. Workshare allows customers to house their data in one of the specific data centers that we run around the world, or for more specific operational or compliance requirements, we can store data in a data center the customer runs.
Editor: Would you like to sum up where Workshare is now?
Hadfield: There is real excitement around Workshare Professional 8. By supporting mobility and the ability to share documents easily but in a highly secure, managed way, corporate counsels can rest assured that the information they are sharing remains safe. The firm and the IT administrator can ensure policies and requirements for security – stretching all the way from an audit trail to pinpointing data to a specific location. We have been trusted by the legal sector for over a decade. With Professional 8, we have extended that trust into the cloud and are working closely with our customers to develop the most appropriate environments for their documents.
Published October 22, 2013.
