Establishing Digital Trust: Don't Sacrifice Security for Convenience
By Bill Ho, president of Biscom
Since Dropbox entered the world in 2009, the name has become a well-known part of the IT lexicon for file synchronization and sharing. Dropbox attained its popularity by creating a service that is very easy to use. The simplicity that Dropbox has created for sharing files with others or even with your own PC and mobile devices, however, also causes massive concern for the CIO, CISO, and others who are responsible for corporate and network security.
While certain regulated organizations and businesses that have strict privacy requirements should be particularly concerned, I would assert that any data that resides in an enterprise, in any industry, needs to be secure. Keeping information under tight control for businesses is essential – not just intellectual property or patents, but also financial reports, marketing campaigns and HR information.
Not long ago, one of the easiest ways to make a file accessible to you at home or while on the road was to simply email the file to yourself. This of course had all the security implications that come with email, but it also didn’t always work – some files were too large and could be rejected by mail servers. Also, no record of these transactions existed – at least nothing that could be easily reviewed for auditing purposes.
File Sharing Threat
Because many people didn’t want to wait for IT to solve their file sharing needs, they went out and found a solution on their own – and for many of them, that solution was Dropbox. It is easily installed, it’s simple to use, and it supports synchronizing files with your own devices and desktops, as well as simple collaboration with others.
This creates new concerns, including potential violation of corporate data policies and missing reporting and auditing capabilities. In many cases, IT may be wholly unaware that people are siphoning data out of the corporate network and into a cloud service. Data exfiltration, even when it is done with the best of intentions by people simply trying to get their work done, can break client agreements and put your compliance at risk. If a Dropbox user loses his or her mobile phone, which is most likely an unmanaged device unless a BYOD policy exists, IT usually has no way of remotely wiping or disabling that device.
Because services such as Dropbox are so attractive and useful to today’s enterprise workers, file sharing and synchronization is certainly here to stay. While Dropbox is primarily known for its consumer-focused service, and not for enterprise uses, enterprise file sharing and synchronization (EFSS) solutions are emerging. Like Dropbox and other consumer-oriented services, EFSS provides a way to offer employees anytime/anywhere access to files and services – but with added manageability and control for employers.
4 Tips for Evaluating Enterprise File Sharing Software
There are a few considerations to keep in mind when selecting and managing the use of an EFSS service in the enterprise:
- Different vendors serve different markets. Dropbox, as mentioned, is consumer focused. EFSS solutions, on the other hand, are designed for enterprise users and embody features such as file encryption, more granular controls, support for directory services and integration with common applications like Microsoft Outlook.
- Consider cloud pros and cons. While the cloud is the "in" thing, does it really make sense for your organization? Would an on-premises server make more sense? Will you allow any type of data to be shared, or will you set restrictions or policies about sharing? Cloud upgrades are at the vendor’s discretion, and some upgrades may introduce unwanted features or break an existing process without giving you time to recalibrate or re-engineer your workflow.
- Read the fine print before signing up for EFSS services. Not all vendors will have the same level of security. What may not be apparent in the fine print are topics such as how the data is stored (is it encrypted at rest? is it commingled with data from other companies?), whether the service has passed penetration testing, and the possible ramifications of a data breach. Also, how do your costs grow as you scale up, and how much data can you store?
- With the recent NSA scandal, you should wonder who really has access to your data – including employees of the vendor. While most vendors will claim not to access your files, can you be sure? Have all their employees passed background checks or other vetting mechanisms? The old SAS 70 certification has been superseded by SSAE 16 Type II, so look for these as at least a baseline indication that a provider has processes and procedures in place for operational compliance controls.
I believe there is a real and growing market for products and services that make it easy to share and access information. The road warrior of the past is fast becoming the de facto way people work – wherever they may be. I predict the EFSS market will grow quickly and significantly, so it’s imperative to have a solution either in place or in at least the planning stages. Take the time to think through the usage scenarios, the people who will need this type of service, and what devices and locations you will allow.
Education is important as well so people know what is and is not allowable, and how to synchronize and share files within the organization’s policies. You will thank yourself for the advance planning and hopefully avoid, or at least reduce, unanticipated issues as you roll out a solution to your corporate users.
About the author: Bill Ho brings more than 20 years of Internet and software experience in the technology field to his position as President at Biscom. Bill received a BS from Stanford University and an MS from Harvard University, both in the field of computer science.