Keeping Data Out Of The Insecure Cloud
Companies looking to keep their data safe need to give their employees a choice of solid file-sharing services and apps. Otherwise, it's back to their insecure favorites.
File sharing is both a boon and a danger to companies.
While speeding communications between employees and corporate partners, unrestricted file sharing carries with it the risk of leaking sensitive information. Services such as Dropbox, Google Drive, Apple's iCloud, and Microsoft SkyDrive allow workers and consumers to share files and collaborate, while at the same time increasing the likelihood that attackers get access to -- or malicious insiders make off with -- confidential documents.
"There is no way that you can be totally sure that people are putting enterprise data somewhere where they shouldn't," says Dimitri Volkmann, vice president of product strategy for enterprise technology provider Good Technology, which provides mobile business software and platforms. "It's an illusion to think it's possible."
Yet companies cannot ban the tools for collaboration because the benefits of quickly sharing files are just too high. Three-quarters of small and midsize businesses, for example, have adopted file sharing for productivity reasons, according to a June survey funded by software-security firm Symantec. Other research, by analyst firm Aberdeen Group, found that two-thirds of best-in-class companies use secure file sharing, while only a third of laggards use the technology.
"The evidence is that the top performers continue to address the need to share data through secure, reliable and well-managed commercial solutions, while all others, perhaps overwhelmed (by complexity) may be losing control of their policies and processes in this area," Derek Brink, vice president and IT research fellow with Aberdeen, stated in the report.
To secure their data, companies need to set strict policies and educate their employees on the dangers of unrestricted file sharing. Yet using just the stick will not work; you need a carrot as well, says Good's Volkmann.
"Because of the nature of the bring-your-own-device [BYOD] trend ... from an IT perspective, if you don't find a way to give your employees a solution that is secure, they will find an insecure one," he says.
To convince workers to use a service, it has to be well-designed, Volkmann says. Companies should focus on providing consumer-friendly but secure options for file sharing, and on regaining control of the policies securing the data.
Nearly 80 percent of companies using secure file-sharing service Accellion, for example, deploy the company's on-premise solution to create a private storage cloud. Employees can use the infrastructure no matter where they are located to share documents and collaborate, while the risk and compliance team gets the ability to monitor controls.
"It is important for an enterprise to pick a solution that offers the capabilities that end users are used to in a solution like Dropbox, but provide the IT folk with the security controls and the compliance reporting," says Hormazd Romer, senior director of product marketing for the firm.
Startup WatchDox has taken a similar approach, but focused on providing detailed monitoring of security controls while keeping the end user's experience simple.
Another aspect of managing the risk: When dealing with a cloud service, companies need to pay attention to the rights that a storage provider has to the enterprise data, Accellion's Romer says. In addition, while any modern file-sharing service should strongly encrypt the user's data, companies should be concerned about where the keys for that data are kept. Encryption keys stored with the data allow the service provider -- and possibly an attacker -- to easily access the data.
Good's Volkmann stresses that IT managers should not expect a perfect solution -- employees can bring in a personal device to get around any reasonable security a company's IT department can create.
"At the end of the day, employees could have a BlackBerry in their right pocket and a personal iPhone in their left pocket," he says. "It is really about education and giving them the right tools."