My company is looking for a way to securely share sensitive information with some of our clients and trusted advisors. The idea is to be able to host files that are encrypted while at rest and in transit and allow only designated users to see or download them. The boss requires that those who have access should be able to download what we want to give them with minimal setup, so I can't propose any solutions that require the people on the other end to install new software or do anything more complicated than use their email client or unmodified Web browser.
Naturally, there are additional constraints on the project. If any portion of the solution–either the management system or the file hosting–is cloud-based, then:
- The company providing the software must have been SSAE-16 audited. (Our security requirements may be in excess of those required by relevant regulations. Even if they are, I'm stuck with them.)
- The datacenter where the server(s) are located must have been SSAE-16 audited.
- The company must own all servers on which our files might reside.
- Those servers must be in the United States.
Those three requirements are obviated if we can host the solution on our premises, however. If we do that, my boss is willing to procure a new, dedicated server to go in the DMZ or, alternatively, to buy / lease / rent a dedicated appliance. That said, the service provider would need to support both the sharing software and the machine running it, from planning the specs through setup into ongoing coverage. And I think my boss is allergic to running virtualization on anything but an appliance that the vendor provides.
And now for a few more things that make this even more challenging.
- Although we have a couple of people who know a thing or two about how to implement software in business network environments, we have no actual IT staff.
- The budget has not been specified, but it seems to be a few hundred dollars per month at most. (I know that that's very little for a business-grade solution. Unfortunately, I have no control over the allocation.)
- Support must be based in the US and available around-the-clock.
- We only have, like, 3 users for this.
Past research
I have been in touch with:
- Globalscape – No SSAE-16, so their cloud offering is out. Too much money up front for on-prem.
- SmartFile – Out of budget.
- FTP Today – Cloud only, no SSAE-16.
- IQ Storage – Cloud only; runs on Amazon's servers or their own–but their servers are in Canada.
- Accellion – Cloud runs on AWS. On-prem has per-user pricing structure with a minimum of 50 accounts.
- Tonido FileCloud – Support based in India. Phone support is billable per ticket; email / forum support is free, but only available 9 – 5 US Central Time.
- OpenText.com – On-prem quoted with $40,000+ setup costs.
- Citrix ShareFile – Cloud service and on-prem management portal both run on AWS. On-prem option might otherwise be feasible.
- Axway DropZone – Don't own their servers. On-prem appliance not available to us; running on our own machine would require virtualization.
- Voltage – Requires 50 users for on-prem; no cloud option available for our needs.
- Ipswitch WS_FTP – Requires FTP client to access files.
- Ipswitch MOVEit – Out of budget.
- Anchor – Maybe? None of their resellers would ever call me to talk about it.
Is this possible? If so, who should I get in touch with? If not, how do I best explain to my boss that he has constructed a set of requirements bit-by-bit that are impossible to meet?
Best Answer
Check out WatchDox I actually went through what you're looking at, this looked to be the most secure of all the Enterprise solutions I could find.
Alternately, if you can get the encryption working, OwnCloud might work well.
As was said in the comments though, those are some ridiculous requirements. With no IT staff I wouldn't even look at an on-prem solution. This sort of software isn't easy. Print it and mail it. Have the recipient make sure that the wax seal isn't broken.