This article can also be found in the Premium Editorial Download "Storage magazine: Cloud-based DR to the rescue."
Download it now to read this article plus other related content.
I have written quite a bit in recent months about the increasing adoption of (and challenges associated with) online file-sharing (OFS) and collaboration solutions. Because of its prevalence in the consumer market, the most well-known product on the market today is Dropbox. But over the past two years, many offerings targeted at businesses have arrived on the market. Those targeted at business use cases differ from consumer products in that they have a central administration console to provision, manage and monitor individual user accounts, as well as centralized billing and often a shared storage quota. At the same time, traditional consumer-focused vendors, like Dropbox and SugarSync, now have offerings built for business use. However, enterprises are still hesitant to adopt these solutions, primarily because of security concerns.
Security emerges as top concern
The increasing use of mobile devices by employees is a key driver behind the adoption of online file-sharing and collaboration solutions at the corporate level. Corporate use of OFS solutions is growing rapidly. According to Enterprise Strategy Group (ESG) research, 28% of organizations have established a corporate OFS account and 61% expect to do so within two years.
For organizations that haven't adopted online file-sharing solutions or have no plans to adopt one, "security concerns" is the most commonly cited reason behind this lack of interest. These security issues include data leakage, Web-based threats and application-layer vulnerabilities. Organizations also grapple with ongoing questions about data ownership and regulatory compliance in an online file-sharing environment.
Biggest threats: Employee behavior and attacks on providers
A variety of security challenges are causing headaches for current users of online file-sharing solutions, and deterring other organizations from deploying online file sharing. The primary concern is simply that the online file-sharing service provider itself will be attacked, potentially leaving customer data vulnerable to theft. An example of this vulnerability was the breach of Dropbox last summer. Fortunately, that incident was not disastrous, resulting mostly in spam and inconvenience for Dropbox customers. Indeed, the spam issue seems to be continuing into this year. Nevertheless, this was a wake-up call for current and planned OFS customers. Online file-sharing platforms could well be the target of sophisticated attacks in the future, based on the volume and value of the customer data passing through their gates.
The aggregate amount of business data stored in these solutions presents an extremely rich target for hackers. To protect against such attacks, most online file-sharing providers ensure data is encrypted and that the encryption keys (if the service provider is holding keys) are stored at a different location than the data so that attackers would, at the very least, have to break into two data centers to gain access to usable data. And most (including Dropbox) have introduced optional two-factor authentication. Moreover, attacks designed to steal an administrator's password could be achieved as easily within a corporate data center as they could at a service provider. For IT professionals, it's important to understand how and where encryption keys are held and protected, as well as the implications of an administrator password theft for any online file-sharing and collaboration provider under consideration. You should also ask about and understand which employees in the provider's organization have access to their passwords and data.
Staying compliant, planning for accidents
Organizations that have adopted online file sharing are still concerned about data leakage, whether accidental or intentional, by their own employees. Whether subscribing to a service or hosting an OFS solution internally, the risk of having an internal employee either accidentally or willfully causing a data breach is one to be taken seriously, though not likely to be elevated simply through the use of a cloud service provider. The proliferation of corporate information on a greater number of employee-owned devices could certainly increase risk, and is a good reason to deploy a corporate OFS solution to monitor file usage patterns and detect anomalies, as well as wipe corporate data if a device is lost or stolen.
Organizations also worry that they'll have a tough time remaining compliant with industry regulations as a result of their online file-sharing usage. Service providers can't be fully compliant on their own -- the Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA) and other regulations are a shared responsibility between the service provider and the subscriber. More and more service providers are providing tools and controls to enable compliance across many industries. Service provider Box recently announced a comprehensive HIPAA/HITECH-enabled solution, and most well-known vendors, such as Airwatch, Citrix (ShareFile), Egnyte, EMC Syncplicity, Intralinks, WatchDox and Workshare, claim to support HIPAA; some even support the Federal Risk and Authorization Management Program, FISMA and PCI compliance.
Of course, there's always the option to host data in-house. There's a different cost model, of course, but the tradeoff is peace of mind. There are options to leverage the benefits of a Software-as-a-Service (SaaS) model with in-house storage -- vendors such as Citrix ShareFile, EMC Syncplicity, Egnyte and Signiant offer the ability to store data on site while the software platform runs in the cloud. There's also a fully private option in which the software and data are installed on the premises. Accellion, Acronis, Airwatch, OpenText and WatchDox, among others, all support on-premises installation.
What this means for you
OFS is becoming an increasingly important tool in the IT team's toolkit, helping organizations to reduce storage and administration costs and improving employee collaboration, workspace flexibility and productivity. But organizations continue to struggle with security and governance concerns. In a mobile world, data lives on many devices in many places, even when using an on-premises OFS solution.
There's no such thing as a sure thing when it comes to security; data is at risk whether within the four walls of the enterprise or at a service provider. Service providers realize the scrutiny they're under and most have invested much of their venture capital or parent company funding in beefing up security. It's amazing just how far these companies have come from a security and control standpoint in just the past 18 months. I was recently told by an IT administrator that he had to wait for Active Directory integration before deploying a corporate OFS solution -- most vendors overcame that hurdle a year ago and have moved on to much deeper reporting and controls. Many are even integrating data loss prevention and information rights management controls. With the plethora of offerings available (ESG is tracking roughly 60 at the moment), there's likely something for everyone, no matter what your level of threat or concern.
About the author:
Terri McClure is a senior storage analyst at Enterprise Strategy Group, Milford, Mass.
This was first published in August 2013