How eFortresses leveraged SafeShare to streamline CMMC training and implementation processes safely and securely for HISPI and eFortresses CMMCSCORECARD service
Taiye Lambo, the founder of eFortresses and the non-profit Holistic Information Security Practitioner Institute (HISPI), is a cybersecurity leader, socially-engaged entrepreneur and virtual CISO with over 30 years of information technology experience across 4 continents. When Cocoon Data originally approached eFortresses about using their CMMCSCORECARD service to develop a roadmap and prepare SafeShare for their planned CMMC Certification, neither Taiye Lambo nor Cocoon Data’s Richard Matthewman realised at the time that this initial connection would lead to such an important ongoing strategic partnership between eFortresses and Cocoon. Taiye Lambo shares the story behind the collaboration between eFortresses and Cocoon Data and the reasons why eFortresses decided to leverage SafeShare’s secure storage and collaboration tool for its CMMCSCORECARD service to receive objective evidence of CMMC Processes, Activities and Practices.
Use Case 1 – Using SafeShare to Protect and Enforce NDAs for CMMC Course Content developed by HISPI
Cocoon Data’s Richard Matthewman initially reached out to Taiye Lambo to enquire about using the eFortresses CMMCSCORECARD service to prepare SafeShare for their planned CMMC assessment towards the end of 2020.
“It all started on LinkedIn,” says Taiye. “When Richard explained the concept of Cocoon Data’s SafeShare with me, I was immediately intrigued and I really wanted to try it out for myself.”
“I already had at least one immediate use case for the product. At the time, my non-profit Holistic Information Security Practitioner Institute (HISPI) was very close to being approved by the CMMC Accreditation Body (CMMC-AB) to become a Licensed Partner Publisher (LPP). In fact, HISPI was one of the very first 11 organizations to be approved to develop and provide CMMC training content on behalf of CMMC-AB.”
Taiye held an HISPI webinar to provide an overview of CMMC, which Richard and about 100 other participants attended in September 2020. The webinar was a call to action, asking participants to help HISPI review their CMMC course content. Participants in this HISPI webinar who responded to the call to action had to sign an NDA before they received the CMMC Course content, but Taiye was also looking for a way to control exactly who had access to that content to prevent his competitors from seeing this proprietary and confidential material.
SafeShare Compared with Other Secure File Transfer Methods
Taiye was familiar with other secure file transfer methods. “After learning about SafeShare, I decided to participate in the free trial Cocoon Data offers and then leverage it as a way of ensuring the PDF documents were “view only”. SafeShare proved to be a very good way of controlling access – in fact, it was brilliant!”
“SafeShare allowed me to safely share the course material with the participants, but they could not download, print or even take a screenshot and share this proprietary and confidential material, because SafeShare automatically imprints a digital watermark that cannot be removed or changed.
“SafeShare even helped me weed out any competitors who may be trying to snoop. After I explained that I was using SafeShare and made them sign an NDA, one of the participants who I had my suspicions about never logged into the SafeShare platform once they realised SafeShare prevented them from downloading, printing or taking screenshots.”
“I don’t know of any other secure file sharing competitors to SafeShare who can restrict “view only” access by location, time, etc. Right from my very first trial of SafeShare, it worked really, really well.”
Use Case 2 – How eFortresses used SafeShare to gather evidence, report and share for the gap analysis for Cocoon Data’s CMMC Certification Readiness.
After Taiye’s initial trial of SafeShare to protect his NDA for the CMMC Course Content developed by HISPI, he decided to also leverage SafeShare to securely gather evidence, report and share updates for the gap analysis eFortresses was conducting for Cocoon Data’s CMMC Certification Readiness using eFortresses CMMCSCORECARD service.
“Cocoon Data engaged my company eFortresses’s CMMCSCORECARD service in mid-September with a 30-day timeline to complete the gap assessment for their CMMC certification readiness, and because of COVID, the assessment had to be 100% virtual.
“With the Cocoon Data stakeholders located around the world in the US and Australia, we had to leverage Zoom to do some of the assessment workshops, as well as share all the data online – once again, SafeShare was the platform of choice and proved to be the perfect tool for the job. I insisted that no files would be shared via email or any other platform – only SafeShare was allowed.”
“I felt that if Cocoon was trying to become CMMC compliant, the last thing I wanted was the reports being on the internet and being hacked – we needed to treat every file like Controlled Unclassified Information (CUI), which SafeShare’s Two Factor Authentication for every individual file enabled us to do.”
“We used all of SafeShare’s access controls, apart from geofencing, which meant at every point, I knew exactly who had access to the files and I could track all downloading, forwarding and printing of files. I could also disable the access to any file at any time.”
“SafeShare was easy to set up, easy to implement and easy to use in our role as auditors and assessors for Cocoon Data’s gap assessment for CMMC. I immediately realised how it would help solve many of the problems faced by fellow auditors and assessors.”
Other secure file transfer methods or solutions don’t have this level of access control or built-in ability for auditing.
SafeShare for Auditors and Assessors
In his role as assessor for Cocoon Data’s CMMC Certification Readiness, Taiye uses SafeShare to gather evidence, report and share progress. He explains how SafeShare’s features help solve many of the problems faced by auditors and assessors.
“The main challenge assessors face today is being able to conduct their assessment in a timely manner AND securing assessment related files in a way that they as Assessors don’t become a weak link for their customer. With SafeShare, you can benefit from the speed, convenience and ease of accessibility of sharing in the cloud, without compromising the security of any files.”
“You don’t have to worry about exposing your client to additional risk because with SafeShare’s Two Factor Authentication and location, time and user-based controlled access to sensitive documents, SafeShare is built for security rather than just functionality.
“However, that being said, I really do believe that ease of use is the biggest selling factor – SafeShare is just so simple and easy to use, but it also comes with a lot of bells and whistles that you can use if you need to.
“Auditors can create SafeShare folders and invite individual process owners to securely upload control evidence to these folders. Collaborators can report work, share meeting notes and deliverables for assessment through SafeShare. It can also be used as a document repository because all assessment related files are treated as Controlled Unclassified Information (CUI).
“The individual encryption key processes are transparent to the user – the Two Factor Authentication is seamless, and I never had to be prompted.”
“One of the things I love the most about SafeShare is that I don’t have to bring my techie hat!”
That’s not the case for other secure file transfer methods.
SafeShare for Virtual CISOs
“Before I started using SafeShare as a virtual CISO, I had an experience with a client who went through ISO 27001 re-certification,” explains Taiye. “They were trying to raise money, so they went through a due diligence audit and they were not comfortable sharing their financial information with external auditors, so what they did was extract the front page of the due diligence audit report as evidence of an independent review of their information security program.”
“Although I had done an independent review of this client’s information security program at the beginning of my engagement, they weren’t allowed to use my own assessment reports as objective evidence of an independent review since I was their virtual CISO, but they could have used SafeShare to give the external auditors “view only” access to the due diligence audit report during the audit without giving them the ability to download and also use SafeShare’s time-limited controls to restrict the length of access.”
“I am now recommending SafeShare to all of my virtual CISO clients, because it solves a common problem if they have concerns with sharing of sensitive information. In the past, they could sign a NDA, print out a PDF and allow third parties to read sensitive information in a locked boardroom. But now, especially with COVID, they cannot print out and share in a boardroom with a signed NDA.”
“SafeShare helps virtual CISOs to implement cyber security policies because it provides easy, secure and time-based access to non-public policies and it can also be used as a share point for restricted policies.”
“Sharing personal information is another huge area where SafeShare can really help. For example, background checks can contain very sensitive data, such as social security numbers, dates of birth, medical history, home address, etc. With SafeShare, the admin or HR person can share sensitive files without the IT admin potentially having access to the information and the person the information is shared with can be time restricted and one time only.”
“Most companies outsource background checks and from what I have seen 9 out of 10 times, sensitive background check information is sent by email. SafeShare secures this highly sensitive data and also ensures independence and full audit trail.”
SafeShare’s Integration with eFortresses CMMCSCORECARD SaaS platform
SafeShare is now being integrated with eFortresses CMMCSCORECARD SaaS platform as an additional option to Microsoft SharePoint. Clients using the CMMCSCORECARD SaaS platform will now have a simple and secure way to upload sensitive objective evidence, with each document having its own unique encryption key. This eliminates sending the evidence via email or uploading it onto a single key database.
And Taiye is incredibly excited about the benefits for his clients.
“Ease of use, secure design, privacy by design, ISO 27001 Certification, CMMC Certification Ready… SafeShare is an architecture that enables scalability.”
“SafeShare also helps enforce policies – multi access controls can be applied to a classification or documents to allow users to send a secure document without having to be concerned about complying with policies because SafeShare takes care of it. SafeShare enables checking of all the boxes for the relevant critical controls in ISO, NIST and CMMC, etc.”
“SafeShare stores your data right here in the United States securely in AWS GovCloud.”
Why eFortresses decided to “dogfood” SafeShare
As a strategist, Taiye firmly believes if you’ve got a product and you’re trying to take it to market, it’s important to position it in such a way that you become a customer – in other words, you need to first “dogfood” your own product.
“Dogfooding is eating your own dog food,” explains Taiye.
“If you’re building a product, use it yourself so you become your own raving fan first. This is one of the lessons I learnt when my team at eFortresses started helping Microsoft to build their security and compliance framework for the cloud 14 years ago. Before Microsoft launches any product, they have already used it themselves extensively.”
“So when Cocoon Data signed up as a customer for eFortresses CMMCSCORECARD service, we decided to also sign up as a customer to use SafeShare for both HISPI and eFortresses. Cocoon Data dogfood our CMMCSCORECARD service and we also dogfood Cocoon Data’s product, SafeShare.”
“For me, security is about people, processes and technology. I never vouch for technical products because although I have a technical background, I’m a big proponent of investing in people and processes more than investing just in technology.”
“Just because you have a tool, doesn’t mean you know what to do with it. A fool with a tool is sometimes a bigger fool, but once you have the right people and the right training processes, then it makes sense to give them the tool, but the tool can’t replace the human.”
“Before I tout a tool, I want to know that I’ve used it and that it solves a real business problem. Once I started using SafeShare, I was sold…I was really, really sold on the value.”
“SafeShare is a very simple concept – but the simple solutions are the best. It’s the Keep It Simple Stupid philosophy – if I need a PhD to run the tool, it is probably not the right tool.
“What SafeShare does so well is that it takes out the human element that can lead to accidental data breaches. At HISPI, for the past 15 years, we have been doing extensive research into data breaches and we know they are mostly due to the weaknesses of people and processes.”
“And as far as eFortresses and HISPI are concerned, why would you file share when you can Safe Share instead?”