File Sharing in the Cloud
In the not-too-distant past, our primary methods for sharing files were to exchange a USB drive or SD card, or to send an email. All of these media have limitations and vulnerabilities. Specifically, malicious actors use these vehicles to transmit malicious code and, in most cases, the media on which the data is stored or transmitted are not encrypted at a level that would be considered acceptable, if at all. Additionally, we had technologies like Bluetooth that could be used but, unless you had a moderate level of technical skill, they turned out to be a bit cumbersome.
Enter the cloud. It seems like overnight the cloud evolved into a practical solution that addressed many challenges. File sharing became much easier with applications like Google Drive, SharePoint, iCloud, and Dropbox, among others. It’s convenient to drop a file, or many files, in a folder and give someone else access to that folder. In a matter of minutes, a folder could be created and all the members of a team, whether they were employees within your organization or business partners, could have access.
Many companies have taken a strict stance on file sharing in the cloud and have decided not to allow it. Other companies have allowed the flexibility in combination with a series of implemented controls:
- Passwords and Authentication. Regardless of which service is used, you should verify that strong passwords and authentication are implemented. For example, the service should require a complex password that meets or exceeds the standards set by your organization. Additionally, and at a minimum, multi-factor authentication (MFA) should be required for any user gaining access to your shared files and folders. There have been many breaches that involved user credentials and, since user IDs and passwords are commonly used across multiple applications, MFA is no longer a “nice-to-have.”
- Termination of Access. When an individual leaves the company, it should be routine to disable access in Active Directory, the EMR application, email, and other key platforms. File sharing in the cloud, on the other hand, is typically set up by individuals and is not as easy to monitor. If your company is going to allow file sharing, it should be monitored and company managed and, when someone leaves, access should be terminated.
- Assignment of Access. When adding individuals to a shared folder, careful consideration should be given to whether someone needs read, write, delete, or modify access. There may be instances where read access is adequate. Additionally, if there are options to limit the ability to download the data and content, these should also be taken into account.
- Review of Access. Periodically, the membership and entitlements of shared file areas should be reviewed. This should be implemented as a general company control, and owners of shared file areas should be held responsible for completing the reviews.
- Encryption. When choosing a provider, it is important to ensure that the data is encrypted at rest and during transmission, upload, and download.
- Capacity and Housekeeping. Unfortunately, these cloud storage platforms do not have unlimited storage space. Owners of the folders should routinely maintain the contents by archiving unnecessary content and moving obsolete content to another secure location.
- Information Classification. The type of information that is allowed to be shared in a cloud folder should be restricted based on the classification. For example, the most sensitive information should never be shared in a cloud folder.