Protecting Sensitive Data While Complying With Regulatory Standards
MinterEllison is Australia’s largest law firm and provides legal and consulting services through a global network of affiliated firms and associated companies. MinterEllison is a purpose-led organization, and its partners and staff provide clients with clear, strategic, and commercial solutions that create lasting impacts to their businesses. Its legal staff advises and supports clients, including government, private and publicly listed companies, and small and large businesses, in Australia and overseas. Many of its clients have their own regulatory obligations and customer obligations that govern their data as well as their customer data.
Several years ago, Sunil Saale, the Head of Cyber and Information Security at MinterEllison, embarked on a search to identify a solution to securely exchange large files with the firm’s clients. Apart from the platform being secure and robust, a key requirement for the platform was user experience; it had to be easy to use and require very little training for the firm’s staff and clients.
For MinterEllison’s Australian government agency clients, the Infosec Registered Assessors Program (IRAP) from the Australian Cyber Security Centre (ACSC) is an important standard. IRAP enables Australian Government departments and agencies to vet vendors in their supply chain to ensure they have the appropriate security and governance controls in place to mitigate third-party vendor risk.
“Kiteworks minimizes onboarding friction for new clients and improves operational efficiencies for our team, while providing a safe and secure way to exchange files.”
– Sunil Saale, Head of Cyber and Information Security, MinterEllison
Kiteworks for Tracking, Controlling, and Securing Sensitive Data
After sorting through different technology options for tracking, controlling, and securing sensitive data, Saale and the MinterEllison team determined Kiteworks was the right fit. There were multiple attributes that played a key role:
- Platform security. MinterEllison is committed to maintaining the highest standard of information security when it comes to information regarding its clients, client matters, employees, as well as its own information. “Kiteworks’ security framework and hosting platform architecture assures us that we have the right controls in place to protect our data,” Saale says. “In addition, the Kiteworks platform allows MinterEllison to define controls, such as multi-factor authentication, access restrictions based on users and files, and the types of files we want to collaborate on.”
- Data governance. MinterEllison leverages the capability to define data governance rules to the level of users, folders, and files. “This allows us to define the entire life cycle for the files that transition through the platform, which includes full audit trail right from upload/creation of a file to the deletion/expiry of that file,” Saale explains.
- Easy-to-use interface. “User experience plays a critical role in how we design our cybersecurity platforms or solutions,” Saale relates. “If a platform isn’t easy to use, then collaborators may consider using unsecure and noncompliant alternatives. We really like Kiteworks’ intuitive, easy-to-use interface that we could customize with our branding templates, which creates a familiarity for our users and clients and helps drive user adoption while minimizing shadow IT risks.”
- Storage scalability. MinterEllison’s user storage demands are quite diverse. Some users share multiple files a day, while others may only use Kiteworks once every few months. “Kiteworks allows us the flexibility to scale up storage rapidly on demand and also comply with any jurisdictional requirements,” Saale comments. “While we currently don’t have requirements to host or restrict storage outside of Australia, with the Kiteworks platform we don’t need to make further technology investments if we have any such requirements from our clients.”
- Operating overheads. “Kiteworks’ cloud hosting capability gives us the ability to rapidly scale up storage, apply security updates, and maintain high availability without all the overheads that come with on-premise hosting,” Saale says. “We can roll out updates in minutes, or add additional storage with very limited downtime.”
- Support model. Being an Australian firm, it is critical for MinterEllison to have support available in the Australian time zone. “The 24×7 support model helps us ensure that we have the assistance available at all times, and that translates into platform availability to our clients,” Saale says.
The MinterEllison team began rolling out Kiteworks to its internal users as well as external clients in 2019, and the outcomes have been quite positive. “We have an enterprise-wide agreement and upwards of 4,000 users on the Kiteworks platform today,” Saale says. “Because of Kiteworks and its security and compliance controls, we know that sensitive client data exchanged with our clients is protected—and in compliance with relevant industry and regulatory controls. The Kiteworks platform also allows us to define governance rules across the file life cycle while maintaining full auditability on the files and user accounts. Ultimately it is about having a secure platform that allows our staff and clients to collaborate in an easy and efficient manner.”
MinterEllison has been using Kiteworks to collaborate with clients on thousands of documents. In addition to the internal licenses MinterEllison uses, the firm also employs external licenses with clients and other third parties with which sensitive data is shared.
Reaping the Benefits of IRAP Compliance
Kiteworks’ recent certification with IRAP provides MinterEllison unique advantages. “Some of our public sector clients have strict requirements to only use IRAP-compliant solutions,” Saale says. “Using Kiteworks and other IRAP-compliant solutions makes it easier for us to do business with Australian Government departments and agencies, as it provides assurance that the platform has appropriate and effective controls and that it has been validated independently against Australian government policies and guidelines. Kiteworks also minimizes onboarding friction for new clients and improves operational efficiencies for our team. Kiteworks’ IRAP certification demonstrates its commitment to us and the Australian market in general.”
Looking to the Future
As Saale looks to the future, he is excited about continued enhancements to the Kiteworks platform. “With Kiteworks, we know the data is secure, fully auditable, and also has the ability to scale and adapt to the changing needs of our clients—all while complying with strict regulations that our clients need to comply with.”
- Provide a safe and secure platform to exchange files with clients
- Leverage technologies compliant with government and industry standards
- Provide a great user experience for ongoing operations and continued adoption of the platform
- Out-of-the-box platform customized to the firm’s branding and user profiles
- Compliance with IRAP, SOC2, ISO 27001, and various other standards
- Used by approximately 4,000 users across MinterEllison and its clients
- Able to define data life cycle and provide auto-deletion after use and full audit trail
- Reduces risk of a sensitive data leak or compliance violation by enabling secure file sharing of sensitive data
- Removes friction for onboarding new clients
- Improves efficiency of Cyber and Information Security team
- Delivers seamless compliance reporting
“Securing sensitive content at all stages of the transaction is critical for a legal firm like MinterEllison, and Kiteworks has been an excellent choice for us.”
– Sunil Saale, Head of Cyber and Information Security, MinterEllison