Quip Blog

Collaboration and Security: Don’t Be Scared To Share

By Alan Lepofsky

In late July, I had the pleasure of being on an enterprise security panel at the CIO Perspectives conference in Palo Alto. At first I was perplexed about what point of view I would bring. Me, talking about security? For more than 20 years I’ve focused on collaboration tools and processes. What could I bring to the discussion? Then it struck me: Most security conversations are about things like architecture and infrastructure. I decided to augment the typical back-end conversation about security by discussing how modern collaboration tools are transforming the employee experience. After all, the ways we create and share content, plan projects, connect with colleagues and customers, ask questions, and share ideas are dramatically changing. Email-centric communication is shifting to more social group messaging. Static documents are being replaced by collaborative dynamic pages. Stand-alone applications are giving way to deeply integrated platforms that connect multiple tools. These new styles of working provide great benefits in transparency, productivity and innovation, but they also bring with them new security concerns such as privacy, confidentiality, governance, and compliance. I proposed the topic and the moderator and fellow panelists were hooked.

Here is short recap of topics we discussed around collaboration and security.

First, let’s think about the security aspects of communication. As we all know, email is often both overused and misused. Why? Usually because it’s the lowest common denominator; it’s simple and everyone has it. As an employee, you just click Compose, add a few names to the recipient field, type your message, hit send, and away the email goes. You don’t really think about security. Was the message encrypted? Is it only going to the people I intended? Where is the message being stored? Thankfully, email is a mature tool and most of these things are taken care of behind the scenes by your company’s IT administrators. But as the usage of email is replaced with tools like chat clients, group messaging, and social networks, are all the same protections in place? Actually, yes, and in most cases the new modern tools are even more secure. For example, while there are methods of encryption available for email they are complex to setup and rarely used. Have you ever encrypted an email? Compare this with the group messaging that takes place in Quip, Salesforce’s productivity and collaboration platform. It’s just as simple to use as email: Select the names or groups you want to communicate with, type a message, and click Send. But with Quip, information is encrypted automatically, without any action required by the employee, both while being sent and while it’s stored. (AES 256-bit at rest and TLS 1.2+ in transit for you security experts out there!) This ensures messages can only be read by the intended recipients.

Second, let’s think about the security around creating and sharing documents. If you’re using a standard office suite, you typically create the document, spreadsheet, or presentation and then share it as an attachment via email (unfortunately!) or as a link to a file-sharing site. But what happens when people download the attachment? Can they then forward it to others? Can they change the content without any central auditing? There are tools that can help alleviate these concerns, but again they are rarely used as complexity usually outweighs the convenience. With Quip, everything is encrypted, auditable, and controlled. To control user access to documents, there is a granular permissions model that increases in authority from view only, to commenting, to editing, and ultimately full access. Additionally, if a page is shared with people outside your organization it is automatically flagged, so it’s easy to see which pages are internal only and which are shared with external guests.

Finally, one of the benefits of using an integrated collaboration platform such as Quip is that it brings together content and conversations into one seamless experience. So, instead of sending an attachment or sharing a link, discussions in Quip take place right on the page itself. Those conversations can be about the entire document, or down to a specific word, image or even cell in a spreadsheet. Contrast that to email, where each recipient receives their own copy of the message. That makes it very difficult for IT Administrators to do things like grant and revoke access. Since they don't have visibility to how content is being copied and distributed this can lead to data loss and data leakage. By creating and sharing securely in Quip, everyone is literally on the same page.

This new style of collaboration can dramatically improve the way teams work. No more back-and-forth messages. No more out-of-date attachments. No more conversations detached from the actual things being discussed. And all of this happens in a secure environment with powerful administration and reporting features and robust security controls for auditing, governance, and compliance. For details of all of Quip’s security features, including encryption, data privacy, governance, single sign-on, and more, please visit www.quip.com/security.