This article can also be found in the Premium Editorial Download "Storage magazine: How to get the most out of solid-state technology."
Download it now to read this article plus other related content.
Cloud-based file sync and share is becoming more popular as employees use their own devices to access corporate data. Here's what you need to know to keep your company's data safe.
Bring-your-own-device (BYOD) policies and an increasingly mobile workforce are putting new pressures on IT and changing the requirements for how workers want (and need) to access corporate data. IT is no longer in a command-and-control role where it can dictate the hardware and software that employees use. Workers want to access files anywhere, anytime and from a variety of endpoint devices.
Many business users have turned to consumer cloud-based file-sharing and collaboration services. These services are simple to use, but they're a dilemma for IT as it needs to balance business enablement with the ability to maintain the control and security of company data.
The dangers of consumer file sync and share
Consumer-focused cloud file sync-and-share services offer free storage and file-sharing functionality, and are quick to install and easy to use. Business users can increase productivity by removing barriers to file access and sharing, but there is some risk. The danger lies in employees signing up for personal accounts, as data stored in these services falls outside the control of IT, potentially exposing organizations to data leakage and data breaches.
IT may not know an account even exists or what's stored in it, and has no way of applying the organization's security and access policies to protect company assets. This is especially disturbing because employees with such accounts often sync corporate data across multiple devices, such as a home computer, tablet or smartphone. If an employee with a personal online file-sharing account leaves the company, the former employee still owns the account and any corporate data stored there is still accessible by them using their personal access devices. Clearly, this can create an unacceptable security, legal and business risk for employers.
IT seeks solutions for sync-and-share risks
Most IT shops are aware of this risk and have data security top of mind. Enterprise Strategy Group research indicates that 70% of organizations know or suspect this type of rogue employee activity takes place within their companies, and they're sprinting to catch up and regain control over company data.
First and foremost, IT needs to rein in personal account use among employees. Many companies have formal policies or discourage employees from having their own accounts, but while blacklisting consumer cloud-based applications may curtail the security risks short term, end users will ultimately find ways to get around company firewalls. It's only a matter of time before they realize they can hop into a Starbucks and get on a Wi-Fi network, or pull out a hotspot and gain access to their personal accounts. The best way for IT to handle this is to deploy a company-approved corporate online file-sharing account. This helps to ensure data stays within company-approved applications and that IT will control company data, yet grants employees the access and functionality they feel they need to be productive.
The good news is that the corporate online file-sharing market is a burgeoning one, with more than 50 vendors offering some combination of "secure" file store, sync, share, send and collaboration. There seems to be an offering to suit nearly every business need -- the challenge for IT is that there is no one-size-fits-all file-sharing solution because organizations have varying security and business requirements. IT therefore needs to think about a number of considerations so it can implement the best corporate online file-sharing solution.
Public, private or hybrid
The first, and most important, consideration is the type of deployment model. Online file-sharing services can be delivered via public, hybrid or on-premises offerings. In a pure service or hybrid offering, software is delivered as a service and some (or all) corporate file data primarily resides within the cloud (albeit for sync and share; it also lives on laptops, desktops and mobile devices). With an on-premises implementation, IT organizations deploy the application and supporting infrastructure in-house, and secure and maintain it like any other enterprise app with the focus likely on secure file sharing and mobility.
Public cloud solutions are typically easy to configure and deploy, but companies are completely dependent on the service provider for file security. And if a data center goes down or is breached, IT doesn't have any control over how long an outage would last or what data may be compromised. On-premises solutions take more work to deploy and can be more expensive since the company absorbs all the associated data center costs while IT maintains full control of the application. Businesses in regulated industries are often more comfortable with this setup since they can better manage policies to stay in compliance. Hybrid cloud solutions fall somewhere between the two: IT can control what data stays behind the company firewall, but the control plane lives in the cloud so there could still be some risk of data leakage at the provider level.
Key features and considerations
In addition to deployment models, customers should ask vendors numerous questions about the product's features and functions to ensure their business and security requirements can be met. Here are some key features to pay attention to:
Integration with existing tools and processes like single sign-on (SSO) and Active Directory must be considered. SSO lets users sign in using one set of credentials across their work devices and apps, and gives IT greater flexibility in using existing policies to manage accounts. SSO also allows organizations to plug their online file-sharing solution into their existing identity management solutions (Active Directory, LDAP, Ping Identity, OneLogin, Centrify and so on) to inherit existing passwords and security policies, and to allow for auto-provisioning/deprovisioning of accounts from one control point.
Granular administrator controls are extremely important to IT when it comes to protecting company data. Most offerings allow IT to set some type of permissions around data sharing (within an organization versus external sharing) though not all provide controls that define which users can access what data or which devices can be used. Some offerings allow IT to set password requirements (length, complexity, expiration period and so on) and some offer digital rights management functionality to help protect content (file expiration, printing restrictions).
In a mobile world, one of the most important administrative features to protect content is the ability to remotely wipe a lost or stolen device. The degree of control varies from vendor to vendor, and companies should do sufficient research to ensure that admin controls meet their particular needs and compliance requirements.
Auditing/reporting capabilities are other key features to consider. In addition to setting policies to prevent accidental or malicious data leakage, administrators need some degree of reporting or auditing. Again, available functionality ranges by vendor and product but at the very least, IT should be able to understand how much data is stored in the corporate online file-sharing account and what's stored in all the accounts. Some vendors offer detailed visibility into individual user activity (with whom users are sharing files, what files they access, when they access files, what devices they use to access files). Others allow IT to impersonate users or even search files globally for a text string. These capabilities can help administrators spot suspicious employee behavior and react accordingly.
Security needs may vary
Not every department needs tight security; some organizations may find they need very secure online file sharing for some teams, while others just need to access data easily on multiple devices. The user experience can vary significantly among offerings, with the more secure solutions often not as user friendly at the endpoint.
This presents a challenge: Many IT teams report that a key challenge to deploying a corporate file sync-and-share solution is that employees continue to use their personal accounts because it's just easier for them. Endpoint ease of use is a key adoption driver (and inhibitor) and shouldn't be overlooked. Organizations may find themselves deploying multiple file-sharing applications for multiple use cases, providing easy-to-use, consumer-like solutions for general access and locked-down, highly secure solutions for teams that work with sensitive data.
It's worth noting that aggregator services are cropping up to help users and IT manage multiple individual accounts. These services allow users to access multiple storage accounts from one point of control. Though this helps consolidate access to offerings into one service, this application category is very young and its security functionality is still nascent; however, it's worth keeping an eye on as it matures.
Cloud convenience can't be ignored
We live in a world where information equals power. With the influx of online file-sharing solutions, distributing information has become easier than ever. As a result, it's now easier for information to fall into the wrong hands intentionally or unintentionally.
IT is tasked with the increasingly difficult job of ensuring company data is secure. Fortunately, sync-and-share vendors have heard IT's cries for help and are integrating more robust security functionality with every new release. But no matter how hard you try, there's no such thing as a 100% secure IT environment.
IT organizations can reduce their risk by ensuring the product they choose has a deployment model that works for their business, as well as integrations and controls to make their data as safe as possible. But IT must perform the appropriate due diligence and ask smart questions. If an answer doesn't measure up to needs, they should ask what can be done. Many service providers publish terms of service, but they're often negotiable and can be customized for specific business requirements.
About the authors:
Terri McClure is a senior storage analyst at Milford, Mass.-based Enterprise Strategy Group (ESG); Kristine Kao is an associate analyst at ESG.
This was first published in July 2013