When it comes to consumer file sync and sharing services in the enterprise (think Dropbox, Google Drive, SkyDrive and so on), most security pros quickly realize two things. First, end users want it. Second, end users are willing to go around corporate policies to get it.
To see this in action, consider the recent survey from Nasuni that found that one out of every five employees currently use consumer file sharing services for business purposes. Moreover, of those employees working in organizations that had policies specifically prohibiting the use of these services, about half of them use the services regardless.
The reason for this defiance isn't too hard to understand. Employees today are using multiple devices for business purposes, and these services help them quickly and easily access files and data from those devices which, in turn, enables employees to be more productive. Moreover, it assists in collaboration, as users can share files with team members whether they are inside the organization or outside of it.
However, there is a dark side to these services, especially from a security standpoint. A recent survey from Research Now suggested that 31% of organizations have already experienced data leakage incidents (e.g., loss, theft or accidental exposure) as a result of the use of these consumer-oriented file sharing services. To say that this represents both a challenge and a potential area of security concern is an understatement.
Feasibility of blocking services
The consumer-based file sync and sharing services conundrum leaves security pros with a huge technical challenge: to rein in these services. When faced with this situation, the first option enterprises often consider is setting up a policy prohibiting employee use of these services for business purposes. However, as the above data about contrary-to-policy usage shows, relying solely on policies is likely a losing game. Even in optimal situations, where users are all aware of the policy prohibiting usage, a subset of them -- potentially as high as 50% -- will continue to use the services despite that policy.
The second option organizations are likely to consider is blocking consumer file sharing services altogether. The difficulty with this approach is that it is notoriously hard to implement. In the first place, there are dozens, if not hundreds, of sync and sharing services out there. As a practical matter, this almost guarantees an "arms race" as it pertains to blocking efforts. New services are added to the blocked list in "whack-a-mole"-like fashion as new usage is discovered, new providers emerge and service providers make changes to their individual services. Keeping up with the ever-evolving market can be challenging, to say the least.
Additionally, users are adept at coming up with workarounds for blocking mechanisms. There are numerous sources of easy-to-follow instructions available on the Internet describing many ways to get around blocked services, such as sharing files via email (many consumer-oriented services support this), arcane proxy configurations, using alternate addresses for services, and more.
The point is, blocking the services directly requires a lot of effort and offers limited long-term efficacy. Because of this, many organizations are considering another possibility for reining in use of these services: offering a secure, value-added alternative.
Alternative mechanisms (EFSS)
There are products and services emerging in the marketplace that attempt to provide file sync and storage in a secure fashion in the same way as consumer-oriented services. These are often referred to as "enterprise file sync and storage," or EFSS.
Much like their consumer-oriented counterparts, these services enable access to files across multiple devices and allow the sharing of those files between users. The main difference between the two is that EFSS services are built with enterprise security in mind -- adding features like the ability to encrypt data, ensure secure and authenticated access to files, investigate files to look for certain types of data (e.g., sensitive or regulated information like Social Security numbers or credit card numbers), enable advanced auditing capabilities, and so on.
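The content-inspection feature mentioned above is the one piece of EFSS that is easy to show in code. The following is an added example, not code from the article or from any EFSS vendor: a small scanner that inspects text for payment card numbers and U.S. Social Security numbers, validates candidates so that arbitrary digit runs are not reported (Luhn checksum for cards; the SSA's never-issued area, group and serial values for SSNs), and returns masked findings suitable for an audit log. The sample document is constructed for the example; the pattern and validation rules are the author's assumptions about what a gateway would apply, not a vendor's actual ruleset.

```python
import re
from dataclasses import dataclass

# Constructed sample document, standing in for a file an EFSS gateway would inspect
# before it is synced to cloud storage.
SAMPLE_TEXT = """Quarterly summary for the sales team.
Customer ref 4111 1111 1111 1111 renewed in March.
Applicant SSN 123-45-6789 attached for background check.
Order number 1234-5678-9012-3456 is not a card (fails Luhn).
Build id 000-12-3456 is not an SSN (area 000 is never issued).
"""

# Candidate patterns (assumed rules). Every match is validated before it is reported.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional space/dash groups
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")  # area-group-serial form only


@dataclass(frozen=True)
class Finding:
    kind: str     # "credit_card" or "ssn"
    line: int     # 1-based line number within the scanned text
    masked: str   # value with all but the last four digits masked, safe to log


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be logged without re-exposing the data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return validated sensitive-data findings, in document order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding("credit_card", lineno, mask(digits)))
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding("ssn", lineno, mask("".join(m.groups()))))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f.line}: {f.kind} {f.masked}")
```

Run as a script it reports the card on line 2 and the SSN on line 3 and stays silent on the two look-alikes, which is the behaviour a practitioner wants from an inspection hook: few enough false positives that a block-or-quarantine action on a match is defensible.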
There are a few different ways that these services can function architecturally. One model focuses around leveraging on-premises resources. For example, an enterprise might leverage private data storage it maintains in its data center, while other organizations utilize on-premises appliances or gateways to "pre-process" data for subsequent storage in a public cloud storage provider's environment. For organizations that have well-developed technical expertise and the infrastructure to support it, a model like this can help ensure security while still leveraging the services that end users want. Enterprises may also use a hybrid model that utilizes both private and public cloud storage, for those that wish to leverage existing storage they've already paid for (i.e., without relying solely on public cloud providers). Examples of technologies in this space include Accellion, Inc. and Citrix Systems, Inc.'s ShareFile.
Another approach offers business-focused cloud file sync and sharing services via a software as a service platform, but pays special attention to the higher security needs of an enterprise. Examples of services along these lines include the recently out of beta Dropbox for Business as well as the long-standing Box. It should be noted that these products can also potentially integrate with existing on-premises private storage resources. These systems often provide business-oriented features such as enhanced auditing, wipe/deletion capabilities, encryption, centralized user administration and enterprise authentication. Other security-relevant services, just like those available from on-premises products, may also be available but delivered via the cloud. This type of service might be more advantageous for organizations that have limited technical expertise (e.g., smaller shops or those that are heavily outsourced).
The most important thing to remember when it comes to EFSS services is that they offer enterprises the best of both worlds. Employees have a simple way to share and synchronize files -- just like they've always wanted -- and admins will have control over both the usage and the information that is stored with the system. For organizations that are in the position of trying to get the "horse back into the barn" on proliferating consumer-oriented file sync and storage usage, products and services like these can be a useful thing to have on the radar.
About the author:
Ed Moyle is the director of emerging business and technology at ISACA. He previously worked as senior security strategist at Savvis Inc. and as senior manager at Computer Task Group. Prior to that, he served as vice president and information security officer at Merrill Lynch Investment Managers.