Posts

More news about leaks of highly sensitive information

There are now virtually daily examples in the media of how leaks of highly sensitive information are occurring, often due to human error or misbehaviour, but also due to lack of security in poorly designed or managed systems. A current article in the media today highlights a glaring example of this – click here for more information.

Safe4 was designed with security at the core

The fundamental design of Safe4 is based around the use of secure vaults, into which information can be placed by the provider of the service, such as a professional practitioner or an employer, and the individual users who have been given access to that specific vault. Information cannot “leak” in the way that seems to be occurring regularly in other systems.

Even if a hacker were to break in to the “back door” of Safe4, without using one of the normal user interfaces, nothing can be inferred due to the way that the data is obfuscated and encrypted. The secure vault design underpins this, so that each vault becomes a completely discrete storage space for information in structured form (in columns and rows, similar to spreadsheets and simple databases) or unstructured form (document files).

Regulatory compliance

Safe4 complies with a number of regulatory frameworks by virtue of the fact that all stored information is encrypted, everything is held in UK-based data centres that comply with ISO 27001, 2-factor authentication, and a full audit trail of all user actions is maintained. The ideal solution for the storage and management of highly sensitive information, in effect.

Please contact us if you would like more information on how Safe4 can help your organisation to enhance compliance, reduce costs, and improve client service.

Confusion reigns regarding responsibility for data protection compliance

A recent survey suggests that there is still a good deal of confusion regarding responsibility for data protection compliance. Given that the UK adopted the EU GDPR into the Data Protection Act in May 2018, this reflects the general lack of awareness among many organisations today.

This survey also indicates a lack of clarity over whether cloud-based information management services offer better or worse protection that traditional on-premise storage. The answer of course is that the level of security and therefore protection depends on which cloud service provider is involved. Safe4 has an unblemished record of secure service provision, with an availability record very close to 100%. Not all cloud service providers can offer this.

Safe4 has also clarified the different roles and responsibilities relating to data protection in their Data Protection Policy – click here for more details. Safe4 does not claim ownership of any data that is stored within its system, and thus acts as the Data Processor. Customers own their data and have responsibility for any information that is placed in Safe4, and therefore are Data Controllers.

Adding to the benefit of using Safe4 for information storage is the fact that Safe4 only uses UK-based hosting services accredited to ISO 27001. Together with enhanced password strength management and 2-factor authentication, Safe4 provides a platform for its customers to be confident that the system will support their own Data Protection compliance programme. No cloud service provider can make its customers compliant with the Act however – ultimate responsibility lies with the Data Controller to ensure that their own information security policies and practices are enforced. The vast majority of data security breaches are caused by human error or poorly trained employees.

For more information on how Safe4 can assist your data protection compliance programme, please contact us.

Enhanced 2-Factor Authentication from Safe4

In line with the Safe4 policy of constantly enhancing security, as well as maintaining compliance with the recommendations of the UK National Cyber Security Centre, the latest release of Safe4, version 6.02, features 2-Factor Authentication using 7-digit codes sent to the user’s mobile device by text message. This enhanced 2-Factor Authentication from Safe4 (2FA) replaces the PIN, which has been a feature of the system since inception in 2010. The advice from the NCSC is summarised here.

Safe4 users with a PIN on their account will be prompted to enter a mobile phone number to which authentication codes will be sent. Once this has been done, they will be challenged to enter the code when logging in. The authentication code will have a life of 24 hours. When this period has elapsed a new code will be sent to the user’s mobile device on the next login.

Flexible options for applying 2-Factor Authentication

The use of 2FA can be enforced by a provider administrator, or can be selected optionally by each user in their own personal settings. In either case the registration of the mobile phone number will be followed immediately by the sending of an authentication code that must be entered before access is gained to the system.

The mobile phone number that is registered is held in the user’s My Account settings, to which entry will be controlled by a further 2FA code challenge. This will prevent a user’s settings being altered without authority. If a user changes their mobile phone number for any reason, the provider administrator will be able to require the user to reset 2FA with a different phone number.

Other enhancements in version 6.02

As always, version 6.02 of Safe4 includes a number of server-based security updates that relate to the way that data is held and managed on our servers. It is our policy not to publish details of these changes.

A further change in version 6.02 relates to the way in which folders are displayed. Folders and subfolders will be shown in the right-hand pane of the screen, together with any files that are stored in that folder. This is the first step towards more flexible management of folders.

Additionally, version 6.02 will allow the selection of which users will receive notification of file uploads. This will involve a further option in the Upload Files dialog box.

The Safe4 User Guides have been updated to reflect these changes.

For more information on how Safe4 can help your organisation to reduce cost, enhance client service and improve security and compliance, please contact us. We will be delighted to assist you.