Encrypted file sharing with 20+ off-site partners?
October 3, 2015 10:07 AM

I need to securely transfer (large-ish) data files between my organization and 20+ partner organizations. How do I do this in a way that is (i) simple, and (ii) up to "industry standard" when it comes to privacy/security in 2015?

Part of my job involves sharing data files between my organization and 20+ partner organizations (two-way file transfer). The information in the files is sensitive (i.e., we are expected to undertake all kinds of due diligence measures to ensure that the information is kept secure). The different partner organizations should obviously not be able to view the files of other partner organizations. The files are typically too large for something like encrypted e-mails to make sense, but it's not exactly big data (think: 100 MB per partner). My contacts at the partner organizations are typically not tech savvy and/or may be operating in rather locked-down/firewalled IT environments.

Our IT department set up an FTPS server that our partners need to connect to using a third-party FTP client (e.g., FileZilla). This is awful because every partner either runs into issues installing a third-party client (they typically don't have access to install software on their systems) or because of issues with our ports and their firewalls.

What I think I want instead is a secure website to which our partners can log into (using a username/password I share with them) through any web browser with an "upload files" button and then they can manage their files from there. No kind of automatic syncing is required (in fact, automatic syncing would be undesirable -- the nimbler, the better). We're a nonprofit on a shoestring budget but may be able to find a few hundred dollars per year (definitely not more than $1,000) to pay for this type of service.

What we have unsuccessfully proposed/tried so far:

(1) Google Drive: For not entirely clear reasons, my organization refuses to use any Google product, so this is out.
(2) Dropbox: I'm actually not sure how secure this is, and our partners are confused by this solution (e.g., it seems to me they need to create a Dropbox account for this to actually be somewhat secure, and they're typically not willing to do this).

What kind of vendor/solution should I propose? All suggestions/recommendations welcome!!
posted by yonglin to Computers & Internet (8 answers total)
Spideroak is an encrypted file sharing portal which is endorsed by Edward Snowden. This might be worth a look-in.
posted by jacobean at 10:49 AM on October 3, 2015


Box.com (NOT Dropbox) is what I've used in similar situations. Our data was confidential, but not HIPAA-level or anything requiring regulatory compliance. More like trade secrets. If you have regulations you need to comply with, I can't vouch for its suitability (and it might be hard to find something in your budget range, since compliance can be complex and expensive).
posted by primethyme at 11:02 AM on October 3, 2015


My company uses Citrix Sharefile for this. I'm not sure how expensive it is but we specifically need certain granular privacy features it has. It seems to work fine and I haven't heard any complaints from clients having to use it to download deliverables.
posted by selfnoise at 11:10 AM on October 3, 2015


I use data rooms heavily for due diligence. Many clients use Box, though I'm not sure of its ultimate security. Sharefile is also good, with lots of options for security groups. If you're looking for real security, companies like Firmex provide virtual data room services. They're not tremendously cheap, but you might be able to squeak a basic package in your budget. Their level of accountability and logging is an order of magnitude above general cloud services. They offer time-limited access, tracking of what has been downloaded, and folder renaming for evidence purposes.

Your own SFTP server may be a bad idea. A local consultancy had such a server, but recently upgraded their web presence. Their new web team accidentally opened the data room server to public access, where years of client reports, data and confidential audits spilled into Google's cache. It was … ugly. The great thing about paying for a data room is that you know that all access will stop pretty much as soon as you stop paying.
posted by scruss at 11:38 AM on October 3, 2015


As an IT guy in the health insurance industry, I'd hope that any company that didn't let you use FTPS would have an approved file sharing protocol. My first move would be to ask those people what they can do, and hope to find some commonality.

Our company is in the process of setting up email that automatically encrypts email and attachments between specific email servers. That way, you can just attach a file and send it, no worries.
posted by SemiSalt at 12:04 PM on October 3, 2015


(using a username/password I share with them)

That is very far off from "industry standard security" so don't do that.
posted by DarlingBri at 12:57 PM on October 3, 2015


Citrix ShareFile or Ipswitch MOVEit DMZ
posted by bfranklin at 6:07 AM on October 4, 2015


Citrix Sharefile would be good.
It's got a straightforward web interface for all those folks who are in locked-down environments or aren't savvy enough for fancy integrations - click to view or download, drag & drop to upload.
Security is designed for legal and financial environments that require control and confidentiality; there are features like reports to audit all access, user-managed unique passwords, etc.
Pricing should fit your budget; it's based on 'employee' accounts and the overall block of storage - 'client' accounts are free. (Employees can invite and manage other users, and create root-level folders; Clients can just upload & download.) So if you just need 5 Employees that can control the system, and everyone else just contributes or receives files, one of the basic business plans should work.
posted by bartleby at 1:09 PM on October 4, 2015

