Beyond Zip File Attachments: PPAP Deprecation & the Future of Work for Enterprise and Agency Digital Collaboration

by Donald R. Hammons, MBA and Alexis Panagides

The practice of sharing files by emailing them in password-protected zip files is flawed and puts organizations at risk. Fortunately, there are better and readily available alternatives.

Background

In late 2020, Japan’s Minister of Digital Transformation, Takuya Hirai, announced that his Japan Cabinet Office would cease to use password-protected ZIP file email attachments (PPAP), citing enterprise and agency security concerns. While the use of zip files to compress and transmit large digital files was a mainstay solution for decades, it is no longer a viable go-forward content management, collaboration, compliance, or security posture for the Future of Work. The use of password-protected ZIP files, while well intended, actually generates several challenges for agencies and firms who still employ its use.

Flow diagram of the PPAP process. Files sent through email are "protected" within ZIP encrypted archives. A secondary email sends the zip password to the recipient.

Some of the challenges with this file-sharing modality include:

• Information security risks pertaining to security breaches given standard ZIP file encryption is extremely insecure.
• Little or no file version management, ownership retention of digital assets, or collaboration capabilities once a digital owner transmits the files.
• Perimeter defense systems often flag ZIP files as suspicious, and no file preview capability exists for recipients creating malware or ransomware attack surfaces from ill-intended actors. For the files within the ZIP, software may be challenged to detect embedded virus payloads.
• Content sprawl proliferation, as ZIP files are opened, content can be forwarded, saved to myriad and often unsecured devices.
• Passwords allowing access to the ZIP file (even if sent via separate email communication) represent little security for firms. An email system breach will give access to both the ZIP file and the access password.
• Attachment payloads represent a security threat and contribute to global CO2 emissions [cite], impacting both the sustainability and the enterprise security aims of agencies and firms.

The Future of Work

While many of us have encountered ZIP files in our professional lives, it is no longer a viable Future of Work posture for public sector agencies or enterprises. As we look to the future, firms will enhance their ability to collaborate around digital content with individuals inside and outside their organizations. They’ll do so at the file level in most cases. Furthermore, firms will mandate that they maintain full ownership and control of their vital digital assets even when undertaking a collaboration process around those same digital assets. With today’s technology and cloud-based enterprise content management platforms, firms will be able to invoke bespoke rules applicable to their security and collaboration aims. These rules will govern how files may be shared, collaborated on, governed, and secured for their organization. File size limitations — an early rationale for using PPAP/ZIP files within email are no longer an impediment for firms when they leverage modern digital bridge technologies. Today, organizations can collaborate via secure URL links to digital assets of nearly any size.

When digital strategies include a sanctioned enterprise-wide digital content cloud, extending the value and security benefits of such a cloud-based posture to the ubiquity of email is essential. A proven and effective strategy for extending the content cloud to email is to leverage a digital bridge. When a sender sends a file through email, the digital bridge will replace the attachment with a link appropriately configured for digital security and collaboration. For example, when a user in the future attaches a series of digital assets into an email, the intelligent digital bridge will invoke a set of rules applicable to the internal recipients that might be copied on that communication, whereas the external recipients copied on that same communication may have a completely different set of rules established for accessing that same content (e.g., View Only, Link Auto-Expires in X days). This invocation of a group of specific and horizontally applicable rules, applicable to all users in the agency or enterprise, will ensure system-wide security, collaboration, and digital content accessibility while not injecting friction into the end user’s workflow processes.

mxHERO Mail2Cloud real-time capture security diagram. Email attachments are automatically moved into the user’s secure content cloud storage. A self-expiring, password-protected link is sent to the recipient. The process improves upon the PPAP model by removing the need for sender effort (upload and secure link creation are automated), allowing for very large attachment delivery & tracking, enabling on-demand access revocation, and by making file access time-limited which ensures that even upon a breach event or email mishandling, all links and their content remain inaccessible after the expiration period. By ensuring that files are replaced by links to those files secured in the content cloud, organizations maintain full control of digital assets even after their emails are delivered.

Furthermore, file size limits are mitigated when intelligent digital bridge technology can be leveraged to capture content in-flight. Additionally, the sending organization remains in complete control of the digital assets being shared at all times. This is a paradigm shift for organizations that aim to stay compliant, secure, and collaborative around their most vital digital assets and for firms who wish to deprecate or retire legacy ways of doing business when sharing digital assets via email without burdening users with additional effort.

The future of work will continue to exploit cloud-based technologies. As we see continued adoption of cloud-based content management platforms, extending the advantages of those same platforms to the ubiquitous digital content moving application that is legacy email will be paramount. Offensive approaches to information security via digital hygiene initiatives and the ability for firms to be more intelligent about how they share content with internal/external actors and how they handle the ingestion of digital content will be vital. The good news is, as firms move beyond PPAP and ZIP file modalities for enterprise and agency content sharing, we now have new technologies to ensure we solve this problem head-on while ensuring collaboration and enterprise security aims are met or exceeded. This — is critical to the future of work.