Collaboration between simply doing and not being allowed to


Operational cooperation in the dilemma of collaboration between simply doing and not being allowed to

By Wolfgang Kleinertz*

There was no choice: anyone who wanted to continue their business during the corona lockdown had to switch to video calls or online conferences for conferences, coordination meetings or team meetings. If documents were exchanged, data protection and information security often fell by the wayside.


In the real world, we know exactly what we can and cannot discuss in public or in large groups. What may lie in the storage compartment at the workplace and what belongs in the safe is basically clear and is observed. In the digital space, however, this awareness is less effective. How else can it be explained that it is common practice in many companies to exchange confidential documents via channels that are not suitable for this?

For example, meetings are held using Microsoft Teams or other common collaboration tools, and content is stored there that has no place in this environment. Although these tools are practical, readily available and widely used, they are anything but watertight from the point of view of data protection and information security. This means that only data with a low security rating should be shared there. The mere fact that logs and other documents are often stored in Teams and the connected systems such as OneDrive and SharePoint is risky. This risk can be minimized by ensuring that such content is automatically deleted after 30 days. For permanent storage, it is advisable to offer other, more secure systems.
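The 30-day automatic deletion described above can be enforced with Microsoft Purview retention policies. The following is an added example, not code from the article or from DoubleSlash; it assumes the ExchangeOnlineManagement module, a compliance-admin account, and uses placeholder policy and rule names.

```powershell
# Added example: retention policies that delete Teams messages and the files
# behind them (OneDrive for chats, SharePoint for channels) after 30 days.
# Assumes: ExchangeOnlineManagement module installed, compliance-admin rights.
# Policy and rule names below are placeholders chosen for this example.
Connect-IPPSSession

# Teams chat and channel messages must be covered by a Teams-only policy.
New-RetentionCompliancePolicy -Name "Teams-30d-Delete" `
    -TeamsChatLocation All -TeamsChannelLocation All -Enabled $true
New-RetentionComplianceRule -Name "Teams-30d-Delete-Rule" `
    -Policy "Teams-30d-Delete" `
    -RetentionDuration 30 -RetentionComplianceAction Delete

# Files shared in Teams land in OneDrive and SharePoint; cover them separately.
# Counting from last modification keeps files still actively edited.
New-RetentionCompliancePolicy -Name "Files-30d-Delete" `
    -OneDriveLocation All -SharePointLocation All -Enabled $true
New-RetentionComplianceRule -Name "Files-30d-Delete-Rule" `
    -Policy "Files-30d-Delete" `
    -RetentionDuration 30 -RetentionComplianceAction Delete `
    -ExpirationDateOption ModificationAgeInDays

# Check that both policies are enabled and have finished distributing.
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $_.Name -like "*-30d-Delete" } |
    Format-Table Name, Enabled, DistributionStatus
```

A Delete-only rule removes content without a preceding retention hold, so content users copy elsewhere before day 30 is not covered; the policy limits exposure in Teams, OneDrive and SharePoint but does not replace a separate system for documents that must be kept.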

Cloud Act steals security

The problem is well known and affects many well-known and very popular collaboration products. Above all it affects the platforms that are subject to the US Cloud Act, because that act opens the floodgates to uncontrollable access by US authorities. Even if the product of a US provider runs in a European data center, it is not safe from such access, as the State Commissioner for Data Protection in Lower Saxony clarifies: "The US Cloud Act (...) allows US authorities to access personal data owned or controlled by US companies, even if that data is outside of the US."

Nevertheless: under the pressure of the Corona events, many companies with easy-to-use cloud offers have spontaneously created facts that are not tenable in the long run. Not only do they put the confidentiality of internal information at risk, they also do not meet the requirements of the EU GDPR.

Cloud offers such as Zoom, Cisco WebEx or Microsoft Teams are particularly popular. But they are always the subject of criticism from privacy advocates. For example, the Berlin State Commissioner for Data Protection subjected some of the common video conference platforms to a brief evaluation - and rated them using a traffic light system. Some of the major providers received red traffic lights. Including those mentioned above.

Insecure platforms dominate

Getting along without the market-dominating products of the US suppliers hardly seems practicable. Even if you have found a video conferencing platform that meets the required security standards, the next online appointment organized by an external party will most likely put you on an insecure platform again.

Of course, this is not always a problem. There is a lot of content that can be shared without special protection. In order to be able to distinguish them from content that has no place on an insecure platform, employees should be made aware of it. However, this only helps if easy-to-use alternatives are available for such sensitive content. Solutions that run in the private cloud or even on-premises could be suitable, for example.

One thing is certain: The search for a solution must begin with an analysis of the specific requirements. Because they set the framework. It is also urgently advisable to use the information provided by the state commissioner for data protection and to take into account the recommendations of the Federal Office for Information Security (BSI) when it comes to information security.

The solution: special tools for sensitive content

Unlike the telephone, which works the same worldwide regardless of the hardware and software used, there has not been a uniform standard for collaboration tools to date. It is true that participants from other companies will often use the same platform as your own, since the number of tools in use is manageable. But of course it can also happen that other companies use other tools.

This may raise questions about the security of the third-party tool. And there are usually initial difficulties because the participants have to adjust to an unfamiliar tool with an unfamiliar user interface. There is also the risk that third-party tools are blocked by your own IT security.


A way out of the dilemma: Use common platforms and offer special tools for sensitive content that offer the desired security. Keeping the hurdles for users as low as possible is crucial for acceptance and thus actual use. This includes integration with as little media disruption as possible. For example, MS Teams including OneDrive can be used, and a secure alternative can also be integrated for file sharing. An example of a tool that does this is DoubleSlash's file-sharing platform.

Double-edged sword: application firewalls

It is possible to block certain service categories using an application firewall. However, the blacklists behind them often lag behind reality. It should also be considered that isolation ultimately leads to restrictions in collaboration. But that is exactly what needs to be prevented as far as possible. Anyone who resorts to an application firewall should therefore weigh up how far any restrictions have to go and whether the desired goal can also be achieved by sensitizing employees and at the same time making practicable solutions available. Regulatory requirements, possible risks and the specific potential for damage must be taken into account when making this assessment.

However, the lack of uniform standards can lead to further hurdles: If a company has carefully selected a collaboration solution, it can still happen that the communication partner does not accept this solution and blocks it. This then makes file transfer or problem-free collaboration impossible.

Common standards urgently needed

For a truly secure, global collaboration, we therefore need common standards and values, such as those that Europe is striving for with Gaia-X. The Gaia-X project is intended to promote and support the emergence of an open source software community at European level, while at the same time taking European data protection and security standards into account.

In addition to data sovereignty, the primary concern is the pure availability of data. Because it is the decisive factor for the success of digitization. Specifically: We need a data infrastructure on which we can exchange and process data in a trustworthy, secure and transparent manner. This is the only way to use the scaling advantages of large databases in Europe. These are exactly the goals of Gaia-X. However, the project is still under construction, and there are simply not yet any offers that effectively support real data sovereignty and availability.

Workable interim solutions

However, given the rapid development of technology and market power, waiting is not an option. So as long as there are no standardized procedures, we will need practicable interim solutions.

The basis for this can certainly be the widespread (US) products. Microsoft Teams, for example, now bundles many good collaboration tools such as video conferencing or file sharing. They are easy and convenient to use, as are fully integrated tools such as MS OneDrive and SharePoint. But above all: Thanks to its open architecture, MS Teams makes extensions relatively easy. On this basis, secure alternatives such as the DoubleSlash Business File Manager can be integrated for the exchange and storage of security-relevant information.

Solutions for almost every need

The market today offers a solution for almost every need. There are offers that often only serve a very specific aspect, and others that cover a whole bundle of applications. Due to their specialization, the former tend to be better suited to cover the requirements in their specific environment. On the other hand, broader tools often have the advantage that the individual parts are very well integrated with each other. Hybrid platforms – such as MS Teams – usually allow functions or a channel for the exchange of content that is particularly worthy of protection to be added.

The individual tools range from classics such as e-mail, chat, video conferencing and file sharing to blogs, wikis and task management tools such as the widely used Atlassian products Jira, Confluence and Trello, or alternatives such as Asana or Hive. Which one is used is ultimately determined by the specific need and one's own requirements. In general, the higher the requirements in terms of data security, the tougher and more restrictive the measures. It is important here that the restrictions are appropriate and the tools are easy to use. The safest tool is worth nothing if it is bypassed due to lack of acceptance.

When checking whether a product is suitable for your own application, the first question should be whether there is a coherent security concept. Among other things, this is about which attack vectors are considered there and how they are mitigated. It is also important whether the authorization concept covers the requirements and whether the data is at least transmitted in encrypted form or, in the case of public cloud offerings, even end-to-end encrypted.

Of course, the product should be able to be connected to the company's own Identity & Access Management in order to be able to quickly block user accounts. What quality assurance looks like in software development and maintenance is just as relevant as the question of whether there are meaningful certifications for development and operation (ISO 27001). Also: Is the tool operated in Europe and is it a European provider? It is ideal if there is an evaluation by state data protection officials. These and many other questions should be clarified in advance.

Overcoming “German Angst”, actively shaping change

One thing is certain: while the degree of digitization is increasing, the demands on the products and services on the market are also growing. Technical progress, changing regulatory frameworks, generational changes and cultural changes in companies interact here.

The digitization train has long been on its way, and it is accelerating. Those who do not want to be left behind have to go along with the constant change and actively shape it; they must overcome the almost proverbial "German Angst" and see online collaboration as an opportunity that needs to be seized and shaped.

Among other things, companies should now pay more attention to the fact that their existing solutions can be easily migrated. And they should replace the public cloud applications, which were quickly introduced in Corona times, with secure solutions as quickly as possible. Above all, it is about the fact that the data stored in the cloud can be migrated quickly and with little loss to other providers.

Important: The change must be wanted and well planned. The much-cited shadow IT must be deprived of its basis by tested, secure applications. It is not just about using the right tools. Rather, it is also important to take generational conflicts into account and develop media skills. Not to be forgotten: the cultural change associated with digitization must not be ignored.

* The author Wolfgang Kleinertz is Associated Partner at DoubleSlash. As a Senior Software Consultant, he has worked with customers such as BMW AG and Deutsche Post and brings a wealth of experience from analysis to the implementation of IT projects. DoubleSlash offers an evaluation matrix for choosing a file share tool. It serves to ask the right questions in advance and to proceed in a more targeted and faster manner when collecting the requirements and evaluating them.

Article files and article links

Link: The State Commissioner for Data Protection Lower Saxony - 25th activity report 2019

Link: Information for those responsible in Berlin on providers of video conferencing services

Link: The German Gaia-X Hub
