How to Minimize Enterprise File Sharing Risks
File sharing and sync (FSS) services like Dropbox can expose sensitive corporate data. Luckily, there are enterprise-grade FSS alternatives.
Since the days of the floppy disk, users have tried to piece together convenient ways to share files with one another. Every system seemed sloppy in its own way.
Email was the first file exchange platform, albeit an informal one, due to its convenience factor. But the costs of exchanging files with email are high in terms of inefficiency, lack of revision control and weak security.
Then came Web-based file sharing services like Dropbox. With a reported 200 million-plus users, Dropbox has become an almost-generic name for a rapidly emerging market of file sharing and sync (FSS) services. Users are attracted to the ease with which they can share files with anyone and maintain cloud-based file storage in sync with local copies from any networked location.
Widespread consumer embrace of FSS means that, like mobile devices and other consumer-friendly technologies, its use is exploding inside the enterprise. As with those other technologies, employee behavior rather than centralized IT policy drives adoption.
Out of Control Data
With consumer services like Dropbox, Box, Microsoft SkyDrive and Google Drive being increasingly used by business workers, enterprise IT has to contend with loss of control over potentially sensitive data. When users share a file using third-party services, that file has essentially been carried right over the corporate firewall; whether the user has properly secured the file when sharing it externally is now outside the company’s control.
Because FSS services are built to encourage users to set up automatic syncing between their local machines and the cloud, employees or contractors may accidentally share files that aren’t even meant to be seen.
Going beyond user practices, enterprises also lose control to the cloud services themselves. How are shared files secured in cloud storage? Many services encrypt files both in storage and in transit, with encryption strength ranging from 128-bit to 256-bit, but some – like Amazon Cloud Drive – don’t encrypt files in storage.
Service reliability can impact access to files, especially if employees have become dependent on the service for up-to-date copies. In a post-Snowden era, some are concerned about government access to private data, whether in the United States or elsewhere.
In 2012, authorities in the U.S. and New Zealand seized the operations of leading file sharing service MegaUpload due to pirated content being shared using its platform. Although MegaUpload was more like a predecessor to today’s FSS services, the government seizure terminated access to many legitimate files that organizations had stored on the service for their own operations. Both criminal and financial concerns should lead an enterprise to evaluate the long-term viability of an FSS service.
Lack of Trust in File Sharing
In a June 2014 study by Gigaom Research and Harris Interactive, an eye-opening 84 percent of IT professionals reported security problems caused by use of consumer-oriented FSS services for company business. Only about a third of those polled expressed trust in these services for personal or confidential files, although trust is much higher among workers under 40 – a potential red flag to IT departments.
Responding to the growing concerns and specialized needs of the enterprise, cloud sharing and sync providers have rolled out a variety of business-class products. Differentiating these from their consumer-grade cousins, enterprise FSS services can provide features like:
- Authentication that integrates into existing corporate backends using platforms like Active Directory and other single sign-on and/or two-factor authentication systems.
- Centralized IT management for crafting policies targeted at profiles like intranet and mobile access.
- Customizable storage targets ranging from third-party cloud services to private local storage.
Short List of Enterprise FSS Products
Leading FSS products with enterprise offerings include:
The corporate flavor of Dropbox adds integration with popular authentication platforms and central management of user membership.
Enterprise customers of Box can also authenticate against corporate platforms. The service also offers light collaboration features and an API that enables Box storage integration with in-house apps and popular products like Microsoft Office and Google Apps.
This enterprise-oriented service offers a custom look-and-feel to match your company identity and integration with RightSignature for electronic document signing, which can protect documents even if they escape or leak to the outside.
Fully departing from consumer-oriented services, Syncplicity and Egnyte are "enterprise-first" FSS platforms that provide a full suite of sharing and syncing management tools, including authentication, monitoring/auditing, granular policies and flexible storage configurations. Both support "hybrid" storage options that can sync files to both off-premises data centers and on-site storage based on customizable rule sets.
Going Private with FSS
In an era that seems to be defined by the cloud, turning to private storage for file sharing and syncing may just be the next "new" thing. In a 2014 study by Research Now and CTERA, a majority of companies polled expressed a preference for private cloud storage. A majority of large businesses with over 30,000 employees outright prohibit the use of third-party FSS services.
Clearly, usage of file sharing and sync is not going away. As with other "consumerization of IT" trends such as BYOD, employees are bringing behaviors they have embraced in the consumer realm into their work lives. Enterprises cannot turn a blind eye to this reality, and in fact can benefit from the literacy and productivity employees bring by using tools they have already adopted.
But data security and regulatory compliance requirements put serious question marks on the use of arbitrary third-party FSS services. Enterprise-tuned offerings represent an improvement that will probably meet the needs of many small-to-midsized businesses. Large organizations, however, will best be served by keeping file syncing and sharing in-house, bucking the modern trend of offloading everything to the cloud.
Aaron Weiss is a technology writer and frequent contributor to eSecurity Planet.