CIO

Startup touts safe sharing of Office 365 documents

Startup Vera is rolling out support for securing Microsoft Office 365 documents no matter where they go using policies set by the businesses that create them.

Startup Vera promises to secure Microsoft Office 365 documents no matter where they go using policies set by the businesses that create them.

The company lets users restrict access to individual documents or parts of documents in order to keep the content secure even if devices that contain them are stolen.

Vera already supported Office documents, but now it can protect them within Microsoft's Office 365 software-as-a-service environment.

The platform has value when sharing confidential financial documents among business entities, says Sujit Banerjee, managing director at K1 Investment Management and a Vera customer. For example, he can share sensitive financial information among business partners with the assurance that only designated persons can access the unencrypted content.

Vera's CEO Ajay Arora describes it as a secure Snapchat for files and documents.

The platform consists of a client that encrypts documents at the time they are created and a server that stores security policies on each file as well as the keys to decrypt them.

Alan Lepofsky, an analyst with Constellation Research, says the benefit for businesses is that Vera can protect documents without significantly changing user behavior, meaning a low learning curve and a likelihood that documents will actually be protected. It's also not platform, vendor or device specific, meaning it can be used on any device. And it won't interfere with other security tools.

There is no key management for customers to perform, avoiding a complicated and potentially expensive infrastructure, he says.

To share a file securely, users identify the file, right-click on it, choose "secure with Vera" and create a list of who gets access. The list can be built by designating individuals, an email list (email is used to include persons outside an organization) or an Active Directory group, Arora says.

Vera allows restricting file use once it reaches an approved party. So it could allow or disallow viewing the document offline, allow or disallow copy, paste and printing, allow or disallow printing a screen or make the file available only for a defined time period, for example.

The platform can also track what people try to do with the data and can revoke permissions for accessing the files.

Vera works on a software-as-a-service model where the Vera server can be based in a cloud or within the enterprise. A desktop application encrypts documents using AES 256 encryption. The encryption key is provided by the server and sent encrypted via HTTPS. Once the file is encrypted the app deletes the key. The application puts a wrapper around the file that indicates its file type. This information plus the policies that should be applied to the file is shared with the server.

If a user tries to share a file, the server fetches the policies for it and the keys needed to decrypt it. The system stores symmetric keys per data element, so certain paragraphs could have different policies from the rest of a document. The keys are not stored on end user devices; the devices need to be granted access to them. For offline use, the key would be encrypted and stored on the device for a defined time period.
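The key-release decision described above can be sketched in a few lines. This is an added example, not Vera's code: the class, method and field names, the e-mail addresses and the clock values are all hypothetical, and only the server-side policy check is modelled (no AES encryption is performed).

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Policy:
    allowed: set        # identities (e-mail addresses) granted access
    expires_at: float   # epoch seconds; no key is released at or after this

class KeyServer:
    """Hypothetical server: one symmetric key and one policy per data element."""

    def __init__(self):
        self._keys = {}       # (doc_id, element_id) -> 32-byte key
        self._policies = {}   # (doc_id, element_id) -> Policy
        self.audit = []       # every request is recorded, granted or denied

    def register(self, doc_id, element_id, policy):
        key = secrets.token_bytes(32)  # 256 bits, the size AES-256 needs
        self._keys[(doc_id, element_id)] = key
        self._policies[(doc_id, element_id)] = policy
        return key  # the client encrypts with it, then discards its copy

    def revoke(self, doc_id, element_id, user):
        self._policies[(doc_id, element_id)].allowed.discard(user)

    def request_key(self, doc_id, element_id, user, now=None):
        now = time.time() if now is None else now
        policy = self._policies.get((doc_id, element_id))
        if policy is None:
            verdict = "unknown element"
        elif user not in policy.allowed:
            verdict = "not authorised"
        elif now >= policy.expires_at:
            verdict = "expired"
        else:
            verdict = "granted"
        self.audit.append((now, user, doc_id, element_id, verdict))
        key = self._keys[(doc_id, element_id)] if verdict == "granted" else None
        return key, verdict

def demo():
    t0 = 1_000_000.0  # constructed clock value so the run is repeatable
    srv = KeyServer()
    srv.register("q3-report", "body", Policy({"alice@example.com", "bob@example.com"}, t0 + 3600))
    srv.register("q3-report", "salaries", Policy({"alice@example.com"}, t0 + 3600))
    verdicts = [srv.request_key("q3-report", "body", "bob@example.com", t0)[1],
                srv.request_key("q3-report", "salaries", "bob@example.com", t0)[1],
                srv.request_key("q3-report", "body", "bob@example.com", t0 + 7200)[1]]
    srv.revoke("q3-report", "salaries", "alice@example.com")
    verdicts.append(srv.request_key("q3-report", "salaries", "alice@example.com", t0)[1])
    return verdicts, srv.audit
```

Because the key never persists on the client, revoking a user or letting a policy expire takes effect on the next key request, and the audit list records denied attempts as well as granted ones.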

The app has a shim between the application opening the file and the operating system to enforce policies. If the application opening the file tries to access print-screen, for example, but the policy forbids it, the Vera app intercepts the call.

On the receiving end, users authenticate via Google Authentication, get the decryption key from the server and decrypt in their browsers. For users without clients, the server can decrypt the document and render it to the browser.

The company was founded in January 2014 with $4 million in seed money from Battery Ventures, which invested $10 million more in November of that year. The company has 35 employees, 10 in Bangalore and the rest at company headquarters in Palo Alto, Calif.