Photo by Fahrul Azmi on Unsplash

How do you handle all the documents in your company ? Is everything available to everyone at any time? Is there some restrictions on some documents ? Did you ever (or someone) think about it ?

Introduction

🤔 For example, how do you manage your application's architecture documents and how to share these documents within your organisation ?

💻 Often, we have these type of files on a hard drive on your computer.

💥 But what happens if your computer explodes (that is pretty rare, but you got the point) ?

💾 So, I am saving these files on an external harddrive (both are not going to explode at the same time. Are they ? 🤔).

😤 My datas are now on a USB key, which can be stolen or lost pretty easily (just as my computer), and so someone ill-intentioned can get it.

☁️ An easy solution would be to put all of my datas to the cloud

👎🏼 Is it really a bad idea to put all your sensitive (even critical) datas on Public cloud whose I don't have any idea who has access to my files (the cloud provider employees are very likely to access it or the US government as well if it is on the US soil 🇺🇸 🤔). It is a matter of trust (and data sovereignty 👑).

㊙️ You can then encrypt your data, was it on the external drive (the USB key for instance), or on the cloud service.
There are a lot of excellent products that are doing that.

Personnaly, I love Cryptomator , which works on any platform (Windows, Mac OS and Linux) and allows you to encrypt your data for any cloud service.

🤝 Often (all the time 🤔) in organisations, we are interacting in groups. And working in groups means sharing files. If one don't really care if the cat picture you shared on the network leaks, I do think that it would be critical if technical architecture files or Audit files leak.

Sharing Files within an Organisation

📧 To share files, one usually uses e-mail.

1. Classify the Files

In order to take the proper decision in terms of sharing a file, you have to have classified such files regarding their confidentiality level.

The classification I am using is pretty classic.
Files have 4 privacy types :

• Restricted (only some clearly identified people can access the file)
• Confidential (only a subset of people within the organisation can access the file)
• Internal (it is available to people within the organisation)
• Public (it is available to anyone. It is a press release for instance)

In case of Restricted or Confidential files, you must encrypt your e-mails.
In case of Internal files, file's encryption has to be considered on a file to file basis.
The Public files do not need to be encrypted (but you can encrypt everything as it is set up. 😉 So this way there is no risk of leakage before you decide to release the file).

2. Encrypt the Communication

A lot of organisation are using Microsoft Exchange as their e-mail servers. Using Outlook, it is easy as pie to encrypt a file.

Nevertheless, you have to understand that when you encrypt an e-mail, you just encrypt the content of it and not the attached files nor the subject (just as https does not encrypt the URL, and so that "id" you added at the end of it 😉) .
Similarly, encrypting an e-mail does not guarantee that these e-mail or its attached file cannot be transferred to someone else unsecurely.
And if you do not control to whom you sent the file means that you have no possibility to know who is responsible for a leak.

Finally, once you've done all that, one can think that all the documents we have and share are safe and cannot fall in the wrong hands.
But as soon as I am sending a file, I am giving control over it. 🙅
But as I am responsible for the security of the file I shared, I have to keep control over it. Let's see some technics that I am using to keep control over the files I am sharing.

The first one is very simple. In your e-mail client (Outlook, Postbox, Thunderbird, etc...), one must select, in addition to "Encrypt", the "Do Not Transfer" option. That way, the recipient can only read the file through its e-mail client and nothing else.

3. Empower the Recipient

Here is a method that is used by Movie Studios when they are sending movie rushes and avoid leaks (let's have a look at X-Men Origins in 2009). I am using something similar to empower my recipients.
It consist of watermarking the file with the recipient's name. It allows, if the file leaks, to know what copy of the file leaked and take actions regarding this piece of information.

I made a tool on Github to automate watermarking pdf files.

./install.sh

go get github.com/hhrutter/pdfcpu/cmd/

4. File Management Tools

All of these methods are very useful but cannot replace a proper Document Management System.

It is important to have a software which can store files regarding their classification, was it "Restricted", "Confidential", "Internal" or "Public".
This allows a very strict file management, but also a collaborative work.

Sharepoint, from Microsoft, allows this. It is part of the Office 365 service. But a lot of other tools providing this exact service are available on the market. Confluence, from Atlassian, allows a very strict access right management and can be a very good answer to this problem.

I hope you enjoyed that article and learned a lot of things about proper file management and file sharing within an organisation.

It is also good practice to think about that for your own files.
I do not upload files (either "critical" or not) on someone else's computer (aka "The Cloud") unencrypted. Cryptomator is my software of choice for that.
And in terms of Cloud, I made my own for 100€.
You want your own as well. Read my article on how to build it for less than 100€ and you got 3To (at least) for ever (that's a pretty decent deal, I guess 😉).