Schellman & Company, LLC is a security and compliance assessment services provider (including SOC, HIPAA, PCI, ISO 27001, FedRAMP and HITRUST), all through a single legal entity.
But in the early 2000s, Schellman was like any other accounting audit firm. Teams communicated via email and file attachments, or used online file sharing tools accompanied by desktop-only applications with limited peer-to-peer sync capabilities.
“It certainly wasn't a modern architecture,” explains Kyle Young, Information Technology Manager at Schellman. “But it did what we needed it to.”
In addition, information management and external collaboration involved multiple systems, complicating communication further. Clients would either email information or upload it to a SharePoint site, then an auditor would upload it into another system for internal use. The process was cumbersome — and it wasn’t efficient, effective or safe.
The need to modernize emerges
As more businesses moved to the cloud, Schellman's legacy tools began to show their limitations. Working on files both online and offline, while keeping everything safe and accessible, was not a want but a need.
“There were challenges with the desktop applications locking up, trapping our data,” explained Young. “There was no centralized backup of data, so our hope was a copy with another team member.”
Young and the Schellman teams realized they needed something more powerful and secure that would allow them to work collaboratively in an organized manner. After an extensive evaluation of available tools and potential use cases, Box was the clear winner.
“The transition from our legacy content management system to Box was easy. With about thirty minutes of training, most of our professionals became proficient with Box. The process was very intuitive.”
- Kyle Young, Information Technology Manager at Schellman
Security built for a security company
Placing potentially sensitive company, client and vendor information into a third-party application raised concerns. Schellman and Box collaborated to solve all the issues, making sure necessary security, strong encryption and proper controls — such as Okta for multi-factor authentication — were in place.
"We appreciated [the] security first attitude [of Box] as it aligned well with our mission as a company," said Young. "When we were looking for a solution we placed significant importance on the security and privacy posture of the application."
As Schellman managed their own data center in Florida, there were no third-party apps or teams other than IT who had access to the data. While this was done on purpose to control access to client data, it was limiting for collaboration and getting work done. With Box, this was no longer a concern.
A scalable encryption solution
To address client concerns about sharing information with a third party, the Schellman team built their own encryption key management solution that pre-encrypted audit evidence files before the data was archived in Box. This required auditors to use a separate front-end application which encrypted and decrypted the information as necessary.
But as the company grew, Young and the Schellman team realized running their own key management solution was neither cost-effective nor scalable. They explored desktop and cloud encryption solutions, and found everything too expensive or not robust enough.
"Our needs are that of a Fortune 500 company, but we are still cost-conscious," said Young.
In 2016, Box launched KeySafe with AWS KMS. Schellman was one of the first companies to leverage this native encryption solution.
“The benefit of KeySafe,” said Young, “is that now it applies to everything in Box when it enters, not just content that we purposely encrypt. With KeySafe enabled, all of our content is protected and uses encryption keys that we manage.”
A modern, user-friendly way to work
For accounting audit firms, exchanging information internally and with clients will continue to be a challenge. Who has access to what, what could potentially get firms into trouble and who owns the keys are questions that need to be evaluated and answered.
Schellman answered these questions with Box. They confidently put their reputation on the line with clients and compliance agencies because they utilize a secure, user-friendly system that allows them to communicate and scale efficiently.
Disclaimer: Schellman & Company, LLC currently performs attestation and certification work for some of the services and areas for Box.com.