Data security is top of mind for IT departments and often the key reason for choosing a Citrix solution. Nowhere is this topic more relevant today than in discussions involving enterprise mobility and data sharing.

ShareFile, the Citrix sync-and-share solution for the enterprise, makes it easy to exchange information with third parties–sometimes too easy. Users should not be allowed to share files broadly when they contain sensitive information like credit card numbers, personally identifying information or intellectual property. For health care organizations, limiting the spread of protected health information (PHI) is the core requirement for HIPAA compliance.

For premise-based systems like corporate e-mail and web proxy servers, outbound information can be checked at the network edge and the egress of sensitive data, accidental or intentional, can be prevented. But when you send a file as a hyperlink instead of an attachment, the existing systems are bypassed and your security team loses visibility into what is leaving the network.

Soon after Citrix introduced ShareFile Enterprise with StorageZones, our partners Digital Guardian and Code Green Networks developed solutions to mitigate the risk of data leakage by leveraging ShareFile APIs to move or revoke access to files that contained sensitive information. But if your security team had already standardized on a different on-premises security suite, you had either to manage two sets of DLP policies or accept the risk of sensitive data going out via ShareFile.

So, we’re very excited to announce that ShareFile now integrates with several market-leading DLP offerings to enable content-aware sharing restrictions.

Documents stored in your on-premises StorageZone can be examined by any third-party DLP security suite that supports ICAP, a standard network protocol for inline content scanning. Sharing and access privileges can then be adjusted based on the results of the DLP scan and your preferences for how strictly you want to control access.

Which DLP systems are supported?

Because we rely on the ICAP standard for interaction with your DLP server–same as a web proxy would–ShareFile DLP integration will work with any ICAP-compliant solution and requires no changes to policies or servers in your existing security suite. ICAP-compliant solutions include:

Tying ShareFile security policies to your existing DLP security suite means you can maintain a single point of policy management for data inspection and security alerts. If you already use one of the solutions mentioned above for scanning outgoing e-mail attachments or web traffic, you can point the ShareFile StorageZones Controller to the same server.

How ShareFile works with market-leading DLP solutions to prevent data loss

We’ve developed a flexible policy-based system that offers granular access and sharing controls based on a new classification attribute that will be associated with each file. The system uses DLP scan results to classify every version of every file in your StorageZone. There are three data classifications:

  1. Scanned: OK – Files that were scanned by a DLP system and passed OK
  2. Scanned: Blocked – Files that were scanned by a DLP system and were found to contain sensitive data
  3. Unscanned: Files that have not yet been scanned (in cases where files exist before DLP is configured, or when the external DLP system is unavailable or slow to respond)

Next, the ShareFile platform enforces different access and sharing restrictions for each data classification. For each of the three categories, the ShareFile administrator chooses which actions to allow:

  • Whether employees can download or share the file
  • Whether 3rd-party users can download share the file
  • Whether anonymous users can download the file

These settings constrain the normal permissions and sharing controls available to users as they interact with their ShareFile data and collaborate with others. For instance, when sending someone a file, users could choose to block anonymous access even if DLP settings would allow them to share it anonymously. But if they attempt to share a file in a way that the DLP settings prohibit, the platform prevents them from doing so.

This flexibility allows you to control the trade-offs between security and usability as best fits your organization. If a document is flagged as sensitive, you could still allow sharing between employees but block sending to anyone outside your organization. Or you could take a stricter approach and block all users (even the owner of the file) from downloading or sharing the file with anyone. If you block downloads, an employee would not be able to access ShareFile from an unmanaged device, get the file and share it by other means.

For any files that are not yet scanned, you can configure the same sets of constraints. This means ShareFile could take an “innocent until proven guilty” or “guilty until proven innocent” approach according to your appetite for impeding the flow of information.

When StorageZones Controller sends files to the DLP system for scanning, it includes metadata indicating the owner of the file and the folder path where the file resides in ShareFile. This allows the DLP server to log incidents and create notifications with enough detail to be actionable.


ShareFile DLP integration requires StorageZones Controller release 3.2, which will be generally available in June 2015.