Securing File Sharing Without Losing Productivity Gains
Workers need file-sharing services to do their job; smart businesses should secure the data without making employees pay in lost productivity
Consumers flock to cloud file-sharing services -- such as Dropbox, Google Drive, and iCloud -- because they are easy to use and allow access to data from anywhere. In short, the services allow users to be more productive.
Yet for companies, file sharing also comes with a big drawback: Businesses lose control over their data once it moves into the cloud. To regain control, companies have to manage the security of their data and that invariably means more work, either for users, information-technology staff, or both.
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
- Simple, Effective Patch Management: From Dilemma to Done Deed
- Thwart off Application-Based Security Exploits: Protect Against Zero-Day Attacks, Malware, Advanced Persistent Threats
"The whole file-sharing technology is a double-edged sword," says Bill Munroe, vice president of products for data-security provider Verdasys. "On one side, 'Oh, great, we are being more collaborative and sharing more data,' and on the other side, 'Oh, no, we are sharing more data, and now there is a bigger chance to lose it.'"
Making secure file-sharing services as easy to use as possible is key to keeping business data secure. Users will follow the path of least resistance. While productivity and usability do not have to detract from security, they frequently do, and that will lead workers to use easier, but less secure, alternatives. In a graduate thesis on evaluating usability in cloud-based file sharing-services, Trek Potter, a student at Naval Postgraduate School in Monterey, Calif., states that insecure file sharing leads to the majority of losses at government organizations and a significant portion of losses in the private sector.
"An employee’s need for the most usable solution will often drive him to share files over unsecured means," Potter states. "For this reason, file sharing remains one of the greatest contributors to nonmalicious insider threats."
Businesses typically take one of three paths to lock down file sharing: find a security-focused cloud service, use a cloud gateway to manage data encryption in already-existing cloud file-sharing solutions, or create their own file-sharing portal under their information technology teams' control. The ultimate solution depends on how much control a company wants over the security of its data, but also the degree to which workers can easily utilize the technology.
"Some organizations are really uptight and strict about controlling their data, and they want to be able to have all of their data on premise," says Heidi Shey, security and risk analyst with Forrester Research. "Others are not so strict and trust in the provider to protect it in their cloud."
Much of the control issues -- and productivity headaches -- boil down to where the keys for encrypted data are kept. With on-premise file-sharing solutions and cloud gateways, the keys are managed in-house. Dealing with key management can add significant complexity to an IT team's jobs, and failure to do it correctly can undermine security. Yet handing over the keys to a third-party provider runs counter to many business' need for control.
"At the end of the day, it is not really about encryption, but who does what [and] where with the keys," says Connor Fee, director of marketing for Nasuni, a maker of distributed storage solutions. "There is a natural trade off in all of that."
[Bring Your Own Software introduces data protection risks that BYOD attempts to account for. Enable your users with data protection encryption software on their own devices rather than playing IT whack-a-mole. See BYOS: Data At Risk From Endpoint To Cloud And Back Again.]
Ultimately, solutions that work tend to evolve from the business users discussing their needs with the IT department, Fee says. Then, user training and a clear policy are necessary to overcome any reticence on the part of the worker.
"The people who are most successful have their IT teams sit down with their end users and work together to find a solution that works for both," he says. "It doesn't help for IT to tell the users what to do and then get mad when it doesn't work out."
Training can go a long way to minimizing any loss to productivity and help educate workers in the business reasons for better file-sharing security.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.