Document Sharing Services - WST

Financial institutions often have a requirement to receive documents from customers, including financial statements, tax documents, and other types of information critical to the institution’s decision-making processes and documentation requirements. Many organizations will provide specific employees of FI access to the sending organization’s file sharing service to obtain the necessary document(s).

We frequently see audit findings regarding access to online storage sites. Paraphrased, the finding says “all/some employees have access to multiple online storage sites with no restrictions.” That leaves a door wide open for exfiltration of files from the FI out into a document sharing platform for which the FI has no control. If your employees must pull data from each customer’s online document sharing platform, managing access to each platform via firewall rules and/or web access filtering tools will likely become burdensome to your IT staff. Secure email can be problematic due to limitations on the size of email attachments, thus the need for a secure online document sharing solution.

So, how do you provide a mechanism for your customers to provide documents to you in a secure manner?

Consider acquiring a secure document sharing platform, owned, and managed by your institution, then provide your customers access to that solution versus managing your employees’ access to myriad customer-managed document sharing platforms. Your institution would have its own site to provide a mechanism for customers to securely upload documents. By owning your online document sharing and storage platform, your customers will push data to you, rather than your employees pulling data from a customer’s online storage site. You provide and manage the customers’ credentials and security settings. You control how long you’ll provide them access to your document sharing solution.

The security settings and management complexities vary from one online document sharing solution to another, so it’s worth taking the time to determine which solution meets your needs and provides you with optimal security. Start by defining your requirements in detail then look at the various providers to see which solution fits, versus doing a side-by-side comparison of each solution without having your requirements documented. Follow that with your normal vendor management processes used when selecting a technology provider.

Authored by: Bill Wallen, Security+