Compliance Management, Network Security, Privacy

Safe passage: Case study

The services provided by New York-based HR firm Pasona N A are data- and collaboration-intensive. During the course of doing business, its operations manage thousands of files containing sensitive and regulated data. This was enough to motivate its security team to enhance security capabilities so as to protect its shared files from unauthorized access. Also, like many other companies, it wished to enhance the security of files traversing outside its network.

Pasona N A has more than 100 employees and provides human resources services – such as temporary staffing and recruiting, as well as accounting, payroll and benefit administration – for companies of all sizes. Its headquarters are located in New York and it has 10 offices throughout the United States – in New York, California, Georgia, Texas, Illinois and Michigan. But its reach extends beyond North America with thousands of customers, temporary employees and job applicants and nearly 8,000 employees worldwide.

The information that Pasona N A processes often contains financial records, business analytics and personal identifiable information (PII) which may include email, bank accounts and Social Security numbers, says Sayaka Doi, director of professional services, Pasona N A. “We wanted to make sure our staff around the world could secure files being accessed internally and shared with customers and candidates.”

As director of professional services, it is Doi's responsibility to not only ensure Pasona N A's systems are appropriate and available, but also that they are secure. She wanted to see if she could enhance security capabilities for file collaboration – which represents a good part of the company's business. But she wanted to achieve this in a way that would be cost-effective and also have broad application. 

She and her team looked into cloud-based file-sharing products and also approaches that applied encryption based on password protection. “We felt that the security controls outside the service were not strong or flexible enough,” she says. She found that cloud file-sharing products were very useful, but still did not offer data protection outside their application, so an authorized end-user receiving a file would have the ability to share the file with others and that file could not be tracked. “As a result, we could still have an exposure of sensitive information.”

Her team also investigated a password-protected file encryption vendor that supported Adobe Acrobat, but it did not apply strong usage control or track files. This approach, she says, would require users to manage passwords for each file or each time they used the system. “We felt that this approach would not be easily managed as the company grew, especially since users often forget passwords, and also because the product only put controls on Adobe files.”

A third option worked with Microsoft applications, but would make it difficult to support external customers, contractors and job candidates, she says. After testing it, she believed it had the potential to disrupt operations and would only apply to certain Microsoft applications. 

“We not only exchange files via email, but also through file collaboration platforms, such as Dropbox, so we were also considering the security of files shared in that way,” says Doi (left). 

Business factors that were part of her requirements were that the security must be effective, but not complex for users or heavy to administer. “We only considered systems that offered centralized policy management and would support our customers and candidates,” she says. “The product would need to offer a low cost of deployment which could work in our current environment as well as accommodate external user devices.”

It was imperative, she says, for her staff to easily send and receive files to external parties and for these parties to readily be included in the file information rights management system. 

After assessing various alternatives, she and her team came to believe that a SaaS would be faster to set up and manage versus an on-premise solution. “We checked support for common applications – such as Adobe Acrobat, Microsoft Office and also media files,” she explains. “I believe about half of our users would protect file attachments in email and the other half will protect files being distributed through a cloud-based content manager. We needed support for Windows and Apple and Android tablets and smartphones.”

Finally, Doi assessed FinalCode against other tools and felt that the FinalCode platform would be easier to manage and quicker to implement, especially for an external user. After she presented the options and explained the FinalCode tool's value to the business, Pasona N A's president gave the final approval to choose FinalCode.

The top criteria were usability, low implementation and administration effort, and the means to have file security easily extended to users, such as customers and job candidates, outside the organization, Doi says.

How it works

For any file that an enterprise user would like to share, FinalCode quickly encrypts the source file and sets file permissions (e.g., duration, open, edit, save, print, screenshot) for each authorized recipient, says Scott Gordon (left), chief operating officer at San Jose, Calif.-based FinalCode. Permissions can be set manually by the file owner or automatically, based on pre-defined enterprise policy. The file meta data, not the file, are automatically sent to the FinalCode server for secure storage, management and logging, he explains.

“Once FinalCode has secured the file locally, the file owner can readily share it directly with the intended recipient(s) via any communication channel the user would like, including enterprise content managers, cloud storage and collaboration apps,” he says.

When another user receives the file and tries to open it, FinalCode (installed on the recipient's device) checks the FinalCode server to verify permissions, and securely import the required file encryption key, he points out. FinalCode then locally decrypts the file and enforces the usage permissions at the application and operating system level. File usage is logged and available to the file owner and the enterprise.

“If an unauthorized recipient tries to open the file, FinalCode will deny decryption and log the illicit attempt details,” says Gordon. The user can also dynamically modify recipients and permissions and can do so directly or by request from an authorized recipient. Finally, upon an unauthorized attempt or if the file owner decides to remotely delete the file, FinalCode will block any decryption attempts and send a “File Delete” command to any user device that tries to open it.

As a SaaS, installation and use is relatively fast, says Pasona's Doi. “FinalCode was a solution simple to implement,” she says. “We have not yet experienced any rise in unusual help desk call volume or confronted significant issues. We literally rolled out the system and communicated to our users, internal and external, in a matter of weeks.” 

The first run of the FinalCode deployment was to a handful of internal users and some customers to test different use cases. The production deployment was then to more than 60 employees in California, New York and Illinois. “We have hundreds of clients and candidates using it as well,” says Doi. The next phase expands to approximately 100 users within North America and a larger number of external users. The overall rollout of FinalCode went smoothly, she says. “Fortunately, it serves as an example for other parts of the company of how we can be proactive when it comes to security.”

When asked what differentiates his tool from that of competitors, FinalCode's Gordon says FinalCode revolutionizes the way businesses protect sensitive files wherever they go within and outside their networks. “It's easier, faster, requires less overheard and is more cost effective than conventional eDRM and information rights management (IRM) solutions. Our approach enables seamless, flexible and persistent file security and the unique ability to remotely delete files when they've, for example, been superseded, become obsolete or been sent to an unintended recipient.”

FinalCode simplifies user provisioning and managing multiple users and their devices for administrators, he adds. “The server can automatically email new file owners and recipients as a means of self-service on-boarding. When it comes to updates, the administrator can set whether the server should update the FinalCode client automatically or present a pop-up window that will notify the user and ask to download it from the server. FinalCode also supports distribution via popular systems management software.”

The tool delivered on Doi's adoption and management expectations, she says. “The platform met our security, deployment and management requirements and I think the solution was very cost-effective.”

User and customer satisfaction is so important for any security application that can affect workflow and how her firm conducts business, she says. “I am pleased that our users find the product very simple to use either by setting recipients, encryption and permissions as needed, by invoking a predefined template or by merely dropping a file into a FinalCode-monitored folder.”

The point, she says, was to make certain that the day-to-day administration would be minimal. “FinalCode has good user acceptance so far,” she says. “I believe this is due to its easy deployment and simple use. We only had to buy licenses for our employees that use FinalCode and we don't incur costs for external customers and job candidates. I found it extremely easy to administer and we can now can keep track all files being shared.”

Data protection support

Further, Doi says she was able to justify the purchase by explaining to executive management the industry best practice of securing sensitive and regulated data, demonstrating how easy FinalCode is to manage and how quickly it could be rolled out to internal and external users. “We did not have any immediate need to address specific compliance requirements, but file encryption and access control does support a multitude of data protection specifications.”

The current deployment is only for Pasona N A offices throughout North America, but Doi has demonstrated its success to other organizations within the company and, she says the firm intends to deploy the solution throughout North America and potentially help broader use in other parts of the company.

“We have always valued information security due to the nature of our business,” Doi points out. “Furthermore, news on security breaches and personal privacy data exposure have risen over the years, so I thought we should take a more proactive stance on managing this risk.”

The level of file security that FinalCode has provided allows Pasona N A to alleviate the real data protection concerns of shareholders, customers and prospects, she adds. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.