As a multi-billion-dollar apparel-based specialty retailer with more than 3,000 company-owned stores, over 80,000 employees and a significant online presence, this company needed a secure, reliable and brand-safe means to share information across its geographically dispersed business, exchange sensitive data with suppliers, and comply with the requirements of GDPR. The organization was confronted with several challenges and opportunities:
- The organization’s upcoming fashion show required the transfer of a large volume of media files in a short period of time (e.g. 2TB in 24 hours) out of China, a region well known to block file sharing services such as Box, Dropbox, Google Drive and Microsoft OneDrive.
- The company needed to accelerate its cloud-first IT strategy, especially with regard to its Office 365 license, which had not been fully utilized, including 20 petabytes of OneDrive storage (with a replacement value of $200,000 per month).
- GDPR required the organization to find a secure way to respond to consumer requests for their personal information (i.e. a subject access request, or SAR), without triggering further GDPR exposure.
The organization had several options available. One was to expand its current use of Box, which was in use by 1,500 users within one of its divisions. Though the use of Box looked successful when viewed from a distance, a closer examination raised several issues:
- 57% of the files shared externally were shared on an anonymous basis, with no logging of how the shared data was being used. Despite the obvious security concerns, anonymous sharing was done for the convenience of the recipients, as no login/password would be required of them.
- While the company had 20 petabytes of essentially free file storage in the form of OneDrive for its 10,000 users, it was paying $400,000 per year for Box for 1,500 users, for functionality no different from that of OneDrive.
- Attempts to use Box to share files in and out of China failed: the Great Firewall of China was routinely blocking the URL links to the shared files.
- The Box system offered no opportunity for the organization to leverage and build upon its well-known brand when sharing data with external parties.
Microsoft OneDrive was an obvious candidate to meet the organization’s requirements, given the ready and ample storage it made available for file sharing, but it too had challenges.
- OneDrive was no more reliable than Box with respect to sharing data in and out of China.
- OneDrive was also unable to support the organization’s branding needs.
- OneDrive had not yet been approved for storing the organization’s most sensitive data. The security team would require file-based encryption that users could selectively apply, something OneDrive did not natively supply.
The path chosen by the organization was to deploy eShare in conjunction with Microsoft OneDrive. Why?
- Internal data sharing occurs natively through OneDrive, though a “secure folder” has been set up for all users, where highly sensitive files (e.g. non-public financial data) can be placed and automatically encrypted with keys that the organization alone controls (i.e. neither Microsoft nor eShare can access unencrypted data).
- All external sharing is done via eShare, with all aspects of this sharing performed using the organization’s branding. All web pages and emails carry the organization’s logo and colors, and the links to all shared files use a sub-domain of the organization, not one belonging to Microsoft, Google, Box or Dropbox.
- The fashion show media files made their way out of China without any problems, enabling social media promotion concurrent with the event and the timely post-production of video for international television broadcast a week later.
- Requests for personal information from consumers pursuant to GDPR are satisfied by sending the consumer links to their information, encrypted within OneDrive, using passcodes. This eliminates the need for the consumer to provision themselves an account to access a secure email, which could bring about yet another GDPR subject access request.
The organization is in the process of polling its business units to identify additional use cases for eShare and OneDrive. These are likely to exist around sharing sensitive data with the organization’s supply chain and with external parties such as auditors, regulators and lawyers.