File Sharing securely with external users and with adequate governance is hard. You might think you can just easily mandate a file sharing Software as a Service (SaaS) platform as part of your productivity suite, (Google Workspace has Google Drive, Microsoft 365 has Microsoft OneDrive, Apple has iCloud or there's always a third party SaaS like the venerable DropBox), but hold on before you do so. In exchange for a simple user experience you give up control over your data hosting to the cloud service provider. That might be fine for your organisation, and it is for a lot of organisations, but for some data workloads with sensitive, private or privileged data it could well not be acceptable.
Contents
- Five reasons why a Software as a Service (SaaS) platform might fail your organisations criteria for secure file sharing technology
- Evaluating secure file sharing against an information security policy framework
- Information Security Criteria
- Functionality and ease of use
- No system guarantees everything in an information security policy
- Detailed secure file sharing service evaluation against an information security policy framework
- Information Security
- Access Control
- Authentication
- Auditing and Logging
- Incident Response
- Data Encryption
- Data Integrity
- Data Deletion and Disposal
- Data Governance
- Data Classification
- Network Security
- Vendor Risk Management
- User Training and Awareness
- Secure Development Lifecycle
- Security Monitoring
- Compliance and Regulatory Requirements
Five reasons why a Software as a Service (SaaS) platform might fail your organisations criteria for secure file sharing technology
There are probably more but here are five:
- Firstly, SaaS providers might be required to give access to their data to other agencies by regulation or for other reasons although like DropBox they may appear to be transparent about it.
- Secondly, they might index your content as Windows does if you let it by enabling "Cloud content search", leading to the potential for serving information in search results to users who should not be able to see it.
- Thirdly, your SaaS provider might harvest the data for use in training a large language model (LLM) for Artificial Intelligence (AI), with the resulting risk posited by Google in "Privacy Considerations in Large Language Models" that training data appears in output or could be subject to a training data extraction attack.
- Fourthly, they might change their terms and conditions or like Skiff be acquired and shut down.
- In extreme cases, (looking at you, Amazon Drive), they may just throw in the towel and cease operating the service altogether.
Evaluating secure file sharing against an information security policy framework
Recently, we conducted an evaluation of secure file sharing technology for suitability for sharing securely with users both internal and external to an organisation in a regulated market sector. This was an interesting exercise, which made us spend further time thinking about the issues around secure sharing of company information in the cloud, and the almost automatic use these days of the technologies tied to an organisations business cloud software provider. The criteria we set were informed by our own information security policy framework as we look to become ISO27001 certified.
Information Security Criteria
Whatever system is chosen must preserve information security. It should ensure that access to the system is only given to the right people, to the right data, and at the right time.
- Access Control – Measures to control who can access the data and what actions they can perform.
- Authentication – Authentication, authorisation and revocation mechanisms strong enough to verify the identity of users accessing the service.
- Auditing and Logging – Detailed logs of all activities and accesses to the data, allowing for accountability and traceability.
- Incident Response – Procedures to respond and mitigate changes, continuity, disaster, security incidents or breaches.
- Data Encryption – Encryption to protect data from unauthorized access.
- Data Integrity – Maintenance and assurance of data over its entire life-cycle.
- Data Deletion and Disposal – Supports procedures for securely deleting and disposing of data when it is no longer needed.
- Data Governance – Policies and procedures for the proper management and use of data within the organization.
- Data Classification – Data classification based on its sensitivity.
- Network Security – Prevention of unauthorized access and protection against external threats.
- Vendor Risk Management – Assessment and management of security risks associated with third-party vendors or partners involved in the data sharing process.
- User Training and Awareness – Education available to users about security best practices to help prevent security incidents.
- Secure Development Lifecycle – Security in the software development process must be respected.
- Security Monitoring – Tools and processes for continuous monitoring of the service and its environment for potential security issues.
- Compliance and Regulatory Requirements – Ensure that the service complies with relevant laws, regulations, and industry standards.
Functionality and ease of use
Functionality and ease of use only matters if the information security criteria are met.
- Ease of use – There should be a fully featured web App, Windows, Mac desktop drive/volume level support is desirable, folder level support acceptable. iOS and Android Apps are highly desirable.
- Functionality – Branded Portal, Let's Encrypt SSL support, Custom URL, Shared Files and Folders, (password protection, public, time timited), Unlimited storage. Comprehensive email notifications.
No system guarantees everything in an information security policy
This exercise is not about criticising systems that cannot guarantee total compliance with information security policies. None are perfect, It is more to show that if information security cannot be guaranteed then the risks should be quantified, written down, subject to regular review and accepted by the executive management of the business.
TL:DR: Operating system vendor solutions and well known SaaS services cannot easily be made to satisfy all of these conditions. The only way to guarantee compliance with strict information security policies is to self host with a technology and platform that enables you to encrypt your data in transit and at rest. You have to have the keys to the kingdom!
Detailed secure file sharing service evaluation against an information security policy framework
Features, functionality and ease of use are important, but information security is a pre-requisite.
Information Security
Information Security is about ensuring that the right people have the right access to the right data at the right time. This is achieved through:
- Confidentiality – Access to information is only to those with appropriate authority
- Integrity – Information that is complete and accurate, for the purpose needed
- Availability – Making sure information is available when it is needed
This table compares the major file sharing platforms we are interested in, against our information security policy requirements.
Access Control
| Measures to control who can access the data and what actions they can perform. | Google Drive | Microsoft OneDrive | Apple iCloud Drive | Dropbox | Tresorit | FileCloud | Nextcloud |
|---|---|---|---|---|---|---|---|
| Access control is granted on the principle of least privilege | |||||||
| Group or Role based access | |||||||
| Unique username or identifier | |||||||
| Identification and authentication | |||||||
| Internal account creation, modification and deletion is performed by authorised personnel and is fully documented |
Table: Access control criteria for a secure file sharing service
Authentication
| Authentication, authorisation and revocation mechanisms strong enough to verify the identity of users accessing the service | Google Drive | Microsoft OneDrive | Apple iCloud Drive | Dropbox | Tresorit | FileCloud | Nextcloud |
|---|---|---|---|---|---|---|---|
| Passwords can be managed according to organisation policy | |||||||
| Multi factor authentication is available | |||||||
| Device authorisation can be revoked without disabling the user account |
Table: Authentication criteria for a secure file sharing service
Auditing and Logging
| Detailed logs of all activities and accesses to the data, allowing for accountability and traceability. These should be regularly reviewed. | Google Drive | Microsoft OneDrive | Apple iCloud Drive | Dropbox | Tresorit | FileCloud | Nextcloud |
|---|---|---|---|---|---|---|---|
| Easy to review Access rights, inactive and dormant accounts. | |||||||
| Logs are kept of user activities, exceptions, faults. | |||||||
| Logs are kept of user activity by device/app. | |||||||
| Logs are kept of system events, updates, changes. | |||||||
| Logs are kept of security events. | |||||||
| Logs are believed to be tamper proof. |
Table: Auditing and Logging criteria for a secure file sharing service
Incident Response
| Procedures to respond and mitigate changes, continuity, disaster, security incidents or breaches | Google Drive | Microsoft OneDrive | Apple iCloud Drive | Dropbox | Tresorit | FileCloud | Nextcloud |
|---|---|---|---|---|---|---|---|
| Changes to the system can be managed via a change management process. | |||||||
| Business continuity or Disaster recovery scenarios are supported by the technology. |
Table: Incident Response criteria for a secure file sharing service
Data Encryption
| Encryption to protect data from unauthorized access. | Google Drive | Microsoft OneDrive | Apple iCloud Drive | Dropbox | Tresorit | FileCloud | Nextcloud |
|---|---|---|---|---|---|---|---|
| Stored information is believed to be encrypted at rest | |||||||
| Information is believed to be encrypted in Transit | |||||||
| System can be set up so that cannot be read by hosting providers, or regulatory authorities | |||||||
| Separation of Administrator accounts from user accounts |
Table: Data encryption criteria for a secure file sharing service
Data Integrity
| Maintenance and assurance of data over its entire life-cycle. | Google Drive | Microsoft OneDrive | Apple iCloud Drive | Dropbox | Tresorit | FileCloud | Nextcloud |
|---|---|---|---|---|---|---|---|
| Data maintenance and assurance functionality. | |||||||
| Malware and Anti Virus controls are configurable for the system. |
Table: Data integrity criteria for a secure file sharing service
Data Deletion and Disposal
| Supports procedures for securely deleting and disposing of data when it is no longer needed. | Google Drive | Microsoft OneDrive | Apple iCloud Drive | Dropbox | Tresorit | FileCloud | Nextcloud |
|---|---|---|---|---|---|---|---|
| Information retention policies which take account of UK GDPR are supported |
Table: Data governance criteria for a secure file sharing service
Data Governance
| Policies and procedures for the proper management and use of data within the organisation. | Google Drive | Microsoft OneDrive | Apple iCloud Drive | Dropbox | Tresorit | FileCloud | Nextcloud |
|---|---|---|---|---|---|---|---|
| Data residency can be guarnteed to satisfy region specific laws and regulations | |||||||
| Information can be classified accouring to our Information classification and handling Policy which takes account of UK GDPR | |||||||
| Secure, encrypted backups are supported by the technology and can be configured to take account of data retention requirements, business requirements, and legal and regulation legislation requirements including but not limited to the GDPR and Data Protection Act 2018. | |||||||
| Information transfer policies must be respected. Notification email messages must contain clear instructions of the recipient’s responsibilities and instructions on what to do if they are not the correct recipient. |
Table: Data governance criteria for a secure file sharing service
Data Classification
| Data classification based on its sensitivity. | Google Drive | Microsoft OneDrive | Apple iCloud Drive | Dropbox | Tresorit | FileCloud | Nextcloud |
|---|---|---|---|---|---|---|---|
| Information can be classified accouring to our Information classification and handling Policy which takes account of UK GDPR |
Table: Data classification criteria for a secure file sharing service
Network Security
| Prevention of unauthorized access and protection against external threats. | Google Drive | Microsoft OneDrive | Apple iCloud Drive | Dropbox | Tresorit | FileCloud | Nextcloud |
|---|---|---|---|---|---|---|---|
| Physical access to servers/compute infrastructure compliant with our Physical security policy. | |||||||
| Equipment, cabling and network access should be compliant with our Physical security policy. |
Table: Network Security criteria for a secure file sharing service
Vendor Risk Management
| Assessment and management of security risks associated with third-party vendors or partners involved in the data sharing process | Google Drive | Microsoft OneDrive | Apple iCloud Drive | Dropbox | Tresorit | FileCloud | Nextcloud |
|---|---|---|---|---|---|---|---|
| Low risk of unauthorised use | |||||||
| Low risk of data leakage | |||||||
| Low risk of non-compliance with regulations | |||||||
| Low risk of cyber security threat |
Table: Risk management criteria for a secure file sharing service
User Training and Awareness
| Education available to users about security best practices to help prevent security incidents. | Google Drive | Microsoft OneDrive | Apple iCloud Drive | Dropbox | Tresorit | FileCloud | Nextcloud |
|---|---|---|---|---|---|---|---|
| Information Security help and training guidance is available |
Table: User Training and Awareness criteria for a secure file sharing service
Secure Development Lifecycle
| Security in the software development process must be respected. | Google Drive | Microsoft OneDrive | Apple iCloud Drive | Dropbox | Tresorit | FileCloud | Nextcloud |
|---|---|---|---|---|---|---|---|
| Segregation between development, test and production environments should have separate components, be on separate networks and have separate administration credentials. |
Table: Secure development criteria for a secure file sharing service
Security Monitoring
| Tools and processes for continuous monitoring of the service and its environment for potential security issues. | Google Drive | Microsoft OneDrive | Apple iCloud Drive | Dropbox | Tresorit | FileCloud | Nextcloud |
|---|---|---|---|---|---|---|---|
| Access to systems can be monitored for actions that could affect the confidentiality, integrity or availability of data | |||||||
| Network security features should be configurable, able to be monitored and documented. | |||||||
| Extensive logging is available in the system |
Table: Logging and monitoring criteria for a secure file sharing service
Compliance and Regulatory Requirements
It should be possible to validate if a service partialy or completely complies with relevant laws, regulations, and industry standards. Cloud Service Suppliers hold relevant information security certifications for services provided. Self hosted solutions may rely upon cloud intrastucture as a service (IaaS) providers in part, but organisaitons will also need to add their own information security management systems, processes and certifications as required.
| Ensure that the service complies with relevant laws, regulations, and industry standards. | Google Drive | Microsoft OneDrive | Apple iCloud Drive | Dropbox | Tresorit | FileCloud | Nextcloud |
|---|---|---|---|---|---|---|---|
| ISO 27001 requirements for an information security management system (ISMS), best practices, and security controls. | |||||||
| SOC 2 report on controls relevant to security, availability, processing integrity, confidentiality, or privacy. | |||||||
| UK GDPR | |||||||
| Data Protection Act 2018 |
Table: Certification criteria for a secure file sharing service
