This article can also be found in the Premium Editorial Download "Storage magazine: Disaster recovery planning: 10 tips to help you avoid costly missteps."
Download it now to read this article plus other related content.
A whopping 70% of IT managers know or believe that their users have business data in their own personal file-sharing accounts, according to a recent ESG survey.
File data isn't as interesting as business applications to most IT shops, but intellectual property is being shared on smartphones and laptops in ways that surprise most IT shops. A recent Enterprise Strategy Group (ESG) survey reveals this growing problem is threatening many organizations, and that formal policies only go so far in discouraging rogue users.
For a long time, file data has been neglected. IT managers typically spend their time dealing with business applications and associated data -- data that's typically stored on internal disks, DAS or SAN. That's because these business applications keep the so-called lights on by ensuring bills are paid, orders get shipped and invoices are tracked. File data, meanwhile, is typically associated with individuals or line-of-business applications. IT is often involved in some level of decision making and support when it comes to how that data will be stored and managed, but oftentimes, responsibility for file sharing and support is decentralized.
That's why, until recently, primary storage for file data could be found in three places:
- In the data center, either on specialty NAS systems, or Windows or Linux servers
- Scattered across departmental specialty NAS systems, or Windows or Linux servers
- On employees' PCs and laptops
But this is changing. With the influx of consumer devices such as tablets and smartphones into the enterprise, IT needs to pay much more attention to file data. These devices mean files can be found in a new, fourth location: consumer file-sharing services.
Warning: Your file data has left the building
Users are storing business files in personal file-sharing accounts so they can access them from multiple mobile devices, such as tablets and smartphones, as well as from business devices such as PCs, Macs and laptops. ESG recently conducted research into IT's perception of just how widespread the problem is. A whopping 70% of IT managers surveyed know or believe that users have business data in their own personal file-sharing accounts.
IT managers have been trying to keep data under control by discouraging or even setting formal policies against the use of personal file-sharing accounts for business data -- but 37% of respondent companies with formal policies against the use of personal accounts know employees use them, while 21% suspect rogue usage. The news is worse for companies without formal policies: Thirty-five percent know about the use and 51% suspect rogue usage. These numbers are likely low, as some IT managers are probably reticent to admit (even in a blind survey) that they know or suspect that employees are using personal accounts despite policies and discouragement.
The imperative to take action
The danger of these personal accounts is the threat of data leakage, opening the network to external threats, and the lack of IT control and visibility into the sharing environment. When an employee stores data in a personal file-sharing account, IT has no visibility into what data is stored there and what devices it may be shared on.
There's also no audit trail of who else has access to the data. Perhaps most disturbing is the fact that if an employee leaves the company, the data in the online file-sharing account more or less "leaves" with that person. It's in their personal account in a cloud service, and probably synced to their laptop or desktop, or cached on a tablet. IT has no visibility as to what data left with the employee.
The threat of data loss to an authorized employee has always been a challenge for IT, but it has always been a conscious decision by an employee/former employee to take data by copying it onto a USB stick or CD. With personal file-sharing accounts, the threat is heightened: Data leakage becomes the default behavior -- it just happens. And because the data could be on multiple devices accessed by multiple people, there's no accountability whatsoever.
It's not a question of whether there will be a major data loss event associated with the use of personal file-sharing accounts; it's simply a matter of when it will happen. That's why IT needs to act sooner rather than later to build a file-sharing environment that supports the mobility requirements of the modern enterprise without compromising corporate security by opening the network to outside threats. End users are doing it without IT; it's time for IT to change the equation and get back in control of corporate data.
About the author:
Terri McClure is a senior storage analyst at Enterprise Strategy Group, Milford, Mass.
This was first published in February 2013