English French German Italian Portuguese Russian Spanish

Building the ‘Poor Man’s Data Room’

  • Published: 30 January 2014

Over the last 24 months, two of the biggest factors in tech – mobility and the cloud – have converged to deliver a one-two punch to your traditional file management system. Compared with the cost of hosting your own server and the added complexity of enabling access to it from mobile devices it appears that small firms are completely fine with modular approach to file management systems in 2014.

Public cloud storage services typically use a fermium model to get you hooked and provide excellent out-of-the-box features like backup, versioning, synchronization and excellent mobile apps. Even on the free tiers. So what are they missing? Well, it’s no longer on your premises, so there are concerns with who owns the data and where it’s stored. There is also the question of security – who can access it?

What if these tech factors meant you could roll your own highly available file server that doubles as a secure data room with best of breed access capabilities for remote workers, partners and mobile devices?

In the course of talking security and cloud risk appetite with one large Midwestern business law firm last month, they pulled out their monthly bill for their file access management system, servers and secure data room subscription. It topped $30,000 – a month. That’s a lot of billable hours …

The data room price tag took out a large chunk of their IT budget. This at a time when numerous lawyers were already using Dropbox and Box, and passing along files on two or even three devices. So, we did some counter math on the cost of using cloud sync and share services like Dropbox, Box and Google Drive, in addition to a security and user visibility application for the data itself. The commercial-grade editions of Dropbox, plus user security with Viivo, amounted to about $920 – a year per user. For Box plus Viivo, it was cheaper, at less than $550 a year per user. The public cloud based solutions also have versioning and restore features attorneys can use without IT assistance.

Cost and security aren’t the only factors. But it is an alternative. For smaller and mid-sized firms along with boutique wealth management and M&A brokers that cost differential is compounded. (Around the same time we talked to this bigger business firm, we also heard from a three-man money management firm that was still printing and hand-delivering every single doc in a transaction … oof!)

From the usability and empowerment side of things, it reminds us of one of the reasons lauded entrepreneur Aaron Levie started Box – to go after the “stodgiest, oldest and slowest moving” software. Given their expense and uncelebrated use, that could put the crosshairs over diligence data rooms and file management systems.

To follow through, users need security and compatibility to match their benefits in storage and sharing. The cloud sync and share providers are heavy on the collaboration side, but even their tech leaders emphasize the importance of bringing your own security. In the last year, Viivo included, we’ve made great strides in providing data protection that’s as easy as sharing.

We’ll be talking about this “poor man’s data room” more next month at the 2014 American Bar Association TECHSHOW in Chicago (follow on Twitter under @VIIVOkey and #ABATECHSHOW), as well as with a few trusted legal tech writers over the coming week. Take a look at your data room bill and a realistic view of how your attorneys are using the cloud.

Add a comment

Law Order in the Cloud: Legal Experts Share Security Practices for Dropbox

  • Published: 02 January 2014

We’ve had our heads down creating faster, fail-safe security and sharing features for the next iteration of Viivo (more on that in the weeks to come …), but I thought it was worth recognizing two recent mentions Viivo had in the legal tech field.

Jane Pribek, a former family law attorney and self-professed “Dropbox devotee,” gave a primer on some of the tools she uses for encryption, including Viivo. Since the start, security has been the primary pain point with the cloud. But, as Pribek writes, software that protects data at its source means that it “keeps getting easier to feel safe in the cloud.” More than that, we like this summation Pribek offers on how the legal community working in the public cloud should be thinking when it comes to data security:

“[W]hether you embrace Dropbox or use it grudgingly, you ought to be emphasizing the security of your clients’ confidential data.”

In another article last week, legal tech consultant Peegen Turner takes it a step further with firms in the cloud. Her multi-step blog outlines how a firm can shift the majority of its storage, sharing and infrastructure to the cloud. To abate risk with the legal documents shared and stored in the cloud, Turner, too, puts the security focus on the data (instead of just the device or network).

We’re, of course, flattered with the adoption rate of Viivo among the legal community. Attorneys and lawyers were never an expressly targeted market by our parent company, PKWARE, where the customer base of more than 30,000 is led by financial services, health care, retail and government agencies. Viivo has found particular traction with attorneys and the info sec pros at law firms.

Our team looks forward to meeting some of those attorneys using Viivo (as well as a few new ones) this spring at the ABA Tech Show in Chicago. There are already tracks at the show outlining encryption, security and NSA surveillance – some of our favorite topics of discussion with Viivo users in law (and other fields, for that matter).

And stay tuned … like I wrote above, there are some great new capabilities coming to make securing files in the cloud faster and easier. (If you can’t wait, take a sneak peak over the next few weeks in our user forums.)

-- Matt Little, Head of Product Development, Viivo

Add a comment

Public Cloud Security: What’s It Worth?

  • Published: 30 December 2013

Free storage and sharing are part of the allure of public cloud storage services like Dropbox, Box and Google Drive. When it comes to the security of your data in the Cloud, there’s a substantial difference between “free” and “no value.”

Cloud vendors do a fantastic job of helping people work together by providing easy, fluid storage for the modern, mobile nature of business. Along with the ease of use on free public cloud platforms, you’re assured by the providers of the security of your personal and business files. But does that security really match what you expect and what your business requires?

For their part, public Cloud vendors provide encryption and decryption of data while it’s in their data centers. Cloud vendors talk up this encryption as a central point of security. But what value do encryption and decryption have if they are entirely in the control of the Cloud vendor? It’s like having a locksmith put a new deadbolt on your front door, but then letting the locksmith keep all of the keys. And, to make matters worse, all the houses in the neighborhood have the same key!

What the security Cloud vendors actually offer is more along the lines of “zero-value encryption” as it’s been dubbed by trusted enterprise data security voice Steve Gibson and others. It’s a level of security for their data centers, but no great protection when it comes to how you sync, share and store files in the Cloud. The data should be safe inside the perimeter of the data center but as we have discovered, this vendor-backed security wavers.

Diving into the functionality of Cloud vendor-controlled security, a few cracks from this “zero-value encryption” have been revealed. In a recent instance, certain Web apps were regularly opened by Dropbox during the regular process of storing and sharing. One Box user found that a “complete stranger” had been allowed to delete all his files. Cloud vendors have been unable to shake security concerns since the start of the big Cloud adoption boom. Every week brings more tales of business data breaches, exposure of unencrypted personal information and revelations on federal snooping into programs. Every year, the cost of a breach goes up, registering nearly $200 per file in the most recent estimates from the Ponemon Institute.

The Cloud providers are even at odds with each other over what value their encryption provides. Recently, Dropbox and Google leaders got into a back-and-forth spat on the legitimacy of at-rest security of data. Digging into the details, cloud providers acknowledge that security-conscious customers would be best to take on their own layer of data protection. As Google Drive product manager Dave Barth summarized in a company blog outlining their in-house encryption and the control they retain over locking and unlocking the data: “Of course, if you prefer to manage your own [encryption] keys then you can still encrypt data yourself prior to writing it to Cloud Storage.”

Barth’s statement here cuts to the core of the matter. If you want true control over cloud security of value, it’ll take a bit more of a “trust no one” approach and some third-party software.

On the software front, there’s an emerging ecosystem of software, platforms and apps to fill in this security gap between business expectations and zero-value encryption on Cloud platforms. You can go the route of “containing” laptops and mobile devices through policies that implement an extra step or portals to share and store in the cloud. New security “as a service” vendors are offering what amounts to APIs for sharing and storage outside of the traditional business firewall. Coming from an encryption perspective with our product stack, including Viivo, we opt for data-centric protection of data where you hold the keys and authentication for data security in transit and at rest. Your data is protected wherever it goes regardless of how it gets there.

Storing data securely in the cloud is an uncomfortable prospect compared with how businesses typically seek security for their critical documents. Understandably, businesses within their own networks and systems aim for full control of data. Protection is expected for all information in transit or in storage. With public cloud storage services, users have opened up an exposure challenge to security norms, many under the perception that the cloud alone gives them full, valuable protection.

Businesses working in the cloud need protection of value, a level of control to go with security that doesn’t sacrifice user experience. With no shortage of risks and threats to business information, it’s worth your while to expect – and obtain – security and control in the cloud.

This blog was originally published at the expert insight and strategy site, Cloud Computing Topics. Syndicated with permission.

Add a comment

At the Edge of Cloud Data Security, It’s Just You

  • Published: 04 December 2013

What do you consider the “edge” of security with your business information? You know, that outer perimeter that used to be defined by firewalls or passwords?

Between user adoption of the public cloud and business, that security edge is you. Specifically, it’s coming down to how you secure data shared and stored into the cloud.

For instance, the Ponemon Institute estimated that 79 percent of businesses leave cloud security up to the end user, according to its recent comprehensive cloud report. Separately, InformationWeek found that approximately 35% of businesses plan to run at least one “mission-critical” application in the public cloud within the coming year. This mix of cloud interest and security uncertainty is pulling businesses outside of their known limits for protecting data. As one security research analyst put it bluntly to us during a round of talks last week: “There’s no perimeter anymore.”

“No perimeter” doesn’t mean security is a lost cause. It does, however, prompt new ways or renewed approaches to enable work and still protect data.

The cloud vendors themselves promote encryption and security, though they only give partial coverage that includes the critical caveat that they are the ones holding the keys. (Or, put a different way last week by Ben Fried, CIO at Google, makers of public cloud environment, Drive, in a talk about Dropbox: “Your corporate data is being held in someone else’s data center.”) From traditional software vendors,   there are different takes on securing users and data in the public cloud that involve app “containerization” or access gateways. We’ve spoken with one Midwestern insurance and investment firm that, in the process of shoring up their enterprise firewalls, kicked out external data connections by publishing an internal “shame list” of public cloud users. That seems extreme, though it at least takes a step toward acknowledging the end-user data security “exposure” challenge. In the workflow of people sharing, collaborating and working in the cloud, altering the way people have chosen to exchange data seems like a stop-gap or even chore. Arming them with security tools – encryption, authentication and security training across various devices, – prepares them in a data landscape where they’re increasingly the last line of defense.

We’re interested to hear how you’re sizing up the security challenges on the “front line” in the cloud: Are you locking down both files and personal devices, going after security of the data itself (full disclosure: that’s the path we take with our Viivo business and professional security solution), settling for “zero-value encryption”, or looking for a way to track cloud connections and use in the first place?

Add a comment

Streakers are Leaving Your Business Data Naked

  • Published: 03 October 2013

Every day, dozens of your employees are leaving the office completely naked. Yes, your busiest and most savvy employees are streaking from their cubicles. Attorneys au natural. Bond buyers in their birthday suits.

But don’t dial the HR department. Or the police. (Or a freelance photographer.)

It’s a form of nudity that relates to your business data and documents, and it’s hidden in plain view under the guise of shadow IT or public cloud cover. We’ve become accustomed to data streakers across social networks: the aunt who “likes” everything, the college buddy who checks in to every Foursquare spot and has the Vine videos of their sassy dog to prove it.

But the data “exposure” of SMB or enterprise data is less about voyeurism than it is about function. The ease and cost (read: free) of the public cloud beat the business plans to the punch. As data decision-makers sloughed through the set-up of a ghost town of a collaboration platform or built the rigid rules around a private cloud, data streakers worked together, quite literally, to pick the public cloud as their platform of choice. The biggest point of proof in this is Dropbox, the most heavily populated areas for the streakers (“nudist colonies” if we’re going to keep on the nakedness analogies at the risk of actual HR infractions).

They puts its use at approximately 95 percent among the Fortune 500. When it comes to security coverage for users, Dropbox promises their own “clothing” of sorts for customers via encryption of data as it passes through their portal. Whether you’ve accepted public cloud options like Dropbox as a cheap (or free) storage option or you’d like to snuff it out entirely, you’re met with the same threat: the data being shared in the public cloud is, at some point, insecure and out of their control.

With more data, devices and cloud adoption, it’s incumbent on business to recognize they’ve got data streakers running in and out of the office every day, from the C-suite on down. As business has led the way on using the public cloud, leading thinkers like InfoWorld’s David Linthicum say it’s incumbent on business users to make the case for broader cloud adoption, rather than IT. No matter who leads the charge, you have to first acknowledge that these streakers exist. Then, you can move forward with a plan that truly covers them – with something resembling a suit of armor that functions like the suit their used to.

Next blog, I’ll review steps businesses and professionals can use to address their data exposure problem. In the meantime, we’d love to hear more from you: Have an alarming story of data streaking? What specific problems do you see public cloud causing where you work? How are you balancing security risks and acceptance of public cloud use?

(Author Matt Little is the VP of Product Development for PKWARE. This post originally appeared under on the blog page for our parent company, PKWARE.)

Add a comment

Data Encryption at the Speed of Cloud Sharing

  • Published: 24 September 2013

Guest insight by Derek Singleton, analyst at Software Advice, on Viivo, legal community cloud security and the future of encryption key management ...

About a month ago, Software Advice created an in-depth comparison of Dropbox vs. Box as part of our work in with the Software Advice Labs. In the comparison, we evaluate each solution on a variety of criteria such as:

  • Sharing and access permissions
  • Technology and syncing
  • Device authorization
  • Security

That last point, security, is an increasingly important issue when it comes to Cloud storage solutions. Just between Box and Dropbox, there are more than 3.1 million business users (150,000 for Box and 3 million for Dropbox) accessing, syncing and sharing files every day. With millions more using other popular solutions such as Google Drive and Microsoft’s SkyDrive, companies need a way to independently manage file security when they share and transfer data in the Cloud.

To get a better sense of how companies can protect their data in the Cloud, I reached out to PKWARE to understand how their product, Viivo, is tackling the issue of security for Cloud storage solutions. With their deep roots in compression and security after developing the ZIP file, they’re well-positioned to help companies keep their data safe in the Cloud. Here’s what came of our conversation.

Viivo Matches Data Encryption with the Speed at Which We Share Data

While Box and Dropbox have features for data encryption, part of the way that these providers are able to make file sharing and collaboration easier is by making some security compromises. For instance, Dropbox opens every file to make sure they can index it for search in Dropbox and to make it possible to share a link to your file with anyone on the Web. This has great collaboration benefits, but it means that they’re using the same encryption key for all your files.

That’s where Viivo comes in to help you encrypt your files and maintain control over encryption keys. Traditional data encryption, however, can be a very manual and data-centric task. As such, according to Matt Little, VP of Product Development at PKWARE, traditional data encryption doesn’t take advantage of the high velocity solutions on the market such as Dropbox and Box. So Viivo takes a different approach that allows users to work directly within their Cloud storage program in a secure Viivo folder, while running all of the technical and manual processes of data encryption behind the scenes so the user’s workflow isn’t interrupted.

This approach effectively creates a secure tunnel between Viivo and the Cloud storage provider so that you can maintain control over your data encryption key, which is a crucial element of control that Viivo addresses which most Cloud storage providers have yet to offer. This approach to security in the Cloud is one that can help companies better manage their file sharing as BYOD proliferates and more files are shared over the Web.

A Use Case for the Legal Profession

The legal community is among the early adopters of this approach to file security. Why? Because the legal community continually needs to collaborate at high speeds, but they often need to share confidential client information. Lawyers need to know that when they share their client’s contracts and deal data in the Cloud that this data will not be compromised because there are serious legal and financial implications if there’s a security breach.

One Viivo client found this solution to be particularly useful after they started to notice that every time an employee’s personal laptop showed up in the IT department, there were gigabytes of unstructured company data that had been taken out of their DMS and stored in Dropbox on the laptop. In one case they found more than 20GB of unstructured data on an employee laptop syncing with a personal Dropbox account. How did this happen? Well, users are just going back to what they know, syncing their work files directly to their personal computers as they might sync a family photo album. That’s where security issues start to become troublesome.

To address the issue, the law firm implemented Viivo. With the product’s Web-based administration dashboard, the company can now track and monitor the overall public Cloud storage usage in their department to see things such as which users are sharing files within or outside the company, what kind of shares do they have, what devices are connected. With this visibility, the company no longer has to worry about employees downloading sensitive data and leaving it on their laptop unprotected.

The Future of Data Encryption and Key Management

As file encryption for Cloud storage becomes more important, companies will likely to want to have control over their keys while also being able to manage keys across multiple platforms. That’s where PKWARE sees data security heading next and I’m inclined to agree with their direction. Right now there’s an interoperability issue in that you can only manage keys for a single service, but as we all become more connected to different devices and networks, there will be a need to manage keys across platforms, and not just the public Cloud.

With these requirements, users will need a key sharing platform that allows people and businesses to manage private key sharing for any platform that accesses confidential data. In my view, PKWARE seems well positioned to become that vendor.

Derek Singleton is an analyst specializing in cloud, security, CRM and enterprise tech at Austin software review firm Software Advice. This review of Viivo and public cloud encryption topics reflect his independent views.

Add a comment