WHITE PAPER SPON. The Critical Need for Enterprise-Grade File Sync and Share Solutions. Published August 2015. An Osterman Research White Paper


An Osterman Research White Paper. Published August 2015.

Osterman Research, Inc.
P.O. Box 1058, Black Diamond, Washington, USA
twitter.com/mosterman

EXECUTIVE SUMMARY

Consumer-focused file sync and share (CFSS) solutions have become one of the most popular categories of applications used in the workplace over the past few years. Led by Dropbox, as well as various freemium and paid offerings from companies like Microsoft, Google, Apple and at least 80 other vendors, these tools allow users to synchronize their files automatically across all of their desktop, laptop, smartphone and tablet platforms. Users implement these tools for a variety of good reasons: to have access to all of their files when working after hours or while traveling, in support of formal or informal telework programs, or to share large files more efficiently or when the corporate system will not support sharing of files over a certain size.

However, while there are good reasons for employees to use CFSS systems, their use significantly increases corporate compliance risks and legal costs, and puts a significant proportion of corporate content outside the control of IT and others charged with managing it. CFSS solutions have fundamentally changed how much control individual users now have over information in their own enterprises. Left unchecked, this could enable risky conduct that compromises the governance, risk management and compliance fabric of the enterprise far beyond the IT department. This is particularly true for more heavily regulated industries like financial services, banking, healthcare and life sciences.

To mitigate these risks and lower the costs of managing corporate information, organizations should deploy enterprise-grade file sync and share (EFSS) solutions as replacements for CFSS systems. Doing so will enable continued efficiency and mobility for users, while at the same time putting IT back in charge of corporate content. The research conducted for this white paper found that while only 19% of organizations have already replaced their CFSS tools with EFSS alternatives, 55% consider it to be a moderately or very high priority to do so over the next 12 months.

KEY TAKEAWAYS

A significant proportion of corporate content is stored in third party CFSS (typically cloud-based) repositories outside the control of the corporate IT and/or security departments. This creates a situation in which content can bypass corporate archiving systems and so becomes unavailable when the organization needs it for early case assessments, eDiscovery, litigation hold, regulatory compliance or other purposes. Moreover, use of CFSS systems typically bypasses corporate content filtering systems, and so can introduce malware into a corporate network. Similarly, use of CFSS systems can bypass corporate data loss prevention (DLP) systems, increasing the likelihood of data breaches.

While some of the content stored in CFSS systems is a duplicate of content stored on corporate file servers and other IT-managed venues, much of it is not. For example, content created by an employee on a mobile device or home computer and then stored in a CFSS system might never be duplicated on a corporate system and so remain unavailable to the organization at large.

Ultimately, the use of CFSS solutions shifts control over corporate data from IT to individual employees, and has become a key element of the "Shadow IT" or "Consumerized IT" problem that organizations must address.

The use of EFSS solutions will mitigate the risks associated with CFSS solutions.

ABOUT THIS WHITE PAPER

This white paper focuses on the use of CFSS tools in the workplace and the problems that their use causes, and it offers several recommendations for organizations that seek to address these problems, the most important of which is to deploy EFSS tools as an alternative. In addition, this white paper also provides data from an in-depth survey on file-sharing practices conducted by Osterman Research during July. Finally, this paper provides a brief overview of Topia Technology, the sponsor of this white paper, and their relevant offerings.

HOW DO ORGANIZATIONS SHARE FILES TODAY?

INEFFICIENT AND RISKY METHODS OF FILE TRANSFER HAVE BECOME DE FACTO STANDARDS

Organizations employ a wide range of platforms and technologies to share electronic information, as shown in Figure 1. For most users and organizations, email has become the standard and preferred method of sharing files for several reasons: email is ubiquitous, it is based on standards that make content delivery highly reliable, and file transfer via email is very easy, typically using just the drag-and-drop paradigm to share content.

Figure 1: Methods Used by Information Workers to Share Files With Others (% of Organizations in Which Capability is Used). Source: Osterman Research, Inc.

While email is an easy way for users to share files, it creates a number of functional problems in the context of managing email servers and the overall IT infrastructure:

Sending large files, or sending attachments to a large number of recipients, can negatively impact network bandwidth during peak periods.

Senders' and recipients' mailboxes can grow quickly as a result of storing sent and received files, forcing them into spending time on mailbox management to stay under the mailbox size quotas that most IT departments implement.

Large mailboxes result in extended backup times for email servers and long periods of downtime in the event an email server must be restored from a backup.

Even though a growing proportion of corporate email is managed by cloud providers, most of the problems associated with using email as a file transport mechanism are the same whether email is provided in the cloud or on-premises.

Leakage of corporate or sensitive data can be a huge problem even for the smallest of companies when files are shared directly as attachments. There is also the issue of data copyright: employees can unwittingly share information that is copyrighted and leave the company open to, at best, a rebuke, or, at worst, a lawsuit. To combat this, files should be shared as secured, password-protected links rather than as attachments. The links can be set to expire after a certain time or even on first download. Logging or auditing of these links should be in place so that the user sharing the link can be tracked, as can the remote IP address and the geolocation of the recipient downloading the file.

CONSUMER FILE SYNC AND SHARE TOOLS ARE COMMON

As noted in Figure 1, CFSS tools, whether managed by IT or individual employees, are commonly used in the workplace and for a variety of reasons:

Users want an easier way to gain access to their files from any platform. The traditional method of copying files to a USB flash drive to take work home or while traveling resulted in files that were out of sync, creating version control and other problems. Moreover, the growing use of mobile devices, most of which do not have USB ports, necessitated the use of a file-access mechanism that would allow synchronization with file stores in near real-time and without being physically connected to these stores.

Dropbox, which popularized the CFSS space, provided an easy-to-use, freemium offering that satisfied users' requirements for file sharing and synchronization across all of their platforms.

Largely in an effort to cut costs, a growing number of organizations implemented telework programs that allow their employees to work part-time or full-time from home. For example, more than 40% of IBM's employees do not have a permanent, company-provided workplace, allowing the company to achieve significant savings on office space, utilities and other infrastructure costs. However, these telework programs necessitated the ability for users to have access to all of their content, on every platform, and at all times, a particularly important issue for employees who work both in an office and remotely. Dropbox, and tools like it, were able to satisfy the file sync and share problem quite nicely and without having to wait for IT departments to implement a solution.

The result has been what many, perhaps unfairly, refer to as the "Dropbox Problem": the proliferation of corporate content into an increasingly dispersed base of employee-managed, cloud-based file repositories over which IT has less and less control. Fair or not, decision makers are quite concerned about the use of Dropbox and similar types of CFSS tools, as shown in the following figure.

Figure 2: Level of Concern About the Use of CFSS Tools. Source: Osterman Research, Inc.

CONSUMERIZATION OF IT IS A MAJOR PROBLEM

Shadow IT, or the consumerization of IT, is a growing and significant problem for organizations of all sizes. While CFSS tools are both a key component of the problem and the cause of it, there are a variety of other employee-managed tools that are either installed without the blessing of IT or, in some cases, even without their knowledge. These tools include:

The consumer versions of Skype and other Internet-based telephony tools that employees use to make business calls, particularly international calls.

Consumer instant messaging tools.

Social media tools like Facebook, Twitter, Instagram, vk.com, Google Plus, Snapchat, Tumblr, YouTube, WhatsApp, Vine and many, many others.

Web conferencing solutions like Apple FaceTime, AnyMeeting and Join.me, among many others.

The variety of personally owned smartphones, tablets, laptops and home computers that employees use to generate and store work-related content.

The growing number of cloud-based apps, mobile apps and other free and freemium tools that are used for work-related purposes.

The consumerization of IT has become a much more serious problem over the past few years. For example, as shown in Figure 3, the penetration of various file sync and share tools in May 2012 and January 2015, based on Osterman Research surveys of IT decision makers and influencers, demonstrates that the problem has increased significantly. While a growing proportion of CFSS tools have come under the umbrella of IT management during the past few years, as noted in the table, it is important to understand that the proportion of these tools that are used without IT's blessing significantly outweighs those that are used with IT's blessing by nearly two-to-one.

Figure 3: Use of Various File Sync and Share Tools, May 2012 to January 2015
(With / Without = Used With IT's Blessing / Used Without IT's Blessing)

                              May 2012                  January 2015
Solution                      With        Without       With        Without
Apple iCloud                  13.7%       40.0%         14.1%       42.3%
Box                           5.3%        21.3%         14.7%       30.7%
Dropbox                       11.3%       45.4%         28.6%       49.1%
Google Drive                  8.4%        30.5%         17.6%       42.8%
Microsoft SkyDrive/OneDrive   8.5%        20.2%         31.4%       18.9%

Source: Osterman Research, Inc.

THE PROBLEMS WITH CONSUMER FILE SYNC AND SHARE

IT CONTROL IS CHANGING AND NOT FOR THE BETTER

A serious issue that impacts IT, legal, HR, finance, compliance and other functions within all organizations is the increasingly distributed control over critical data assets as a result of the growing use of CFSS tools. For example, an Osterman Research survey revealed that 13% of corporate data is stored on employees' laptops, 5% is stored on smartphones and tablets, and 1% is stored on employees' home computers. A significant proportion of this data is synced with these platforms using CFSS tools. The implications of this are that:

Organizations are losing much of their control over corporate content because copies of these assets are stored with a variety of third party providers and managed solely by employees.

IT is less able to control the management of information in their own organizations for purposes of legal and regulatory compliance.

The bottom line is that IT has less control over corporate content because of the growing use of CFSS tools, and IT cannot control how their content is accessed or managed. Most IT decision makers and influencers understand just how serious this problem has become. As shown in Figure 4, only 8% of those surveyed give their organizations an "A" grade for their management of information security best practices in the context of file-sharing, while nearly one-half give themselves a grade of "C" or lower.

Figure 4: Grades That Organizations Give Themselves For Their Management of Information Security Best Practices for File-Sharing. Source: Osterman Research, Inc.

CORPORATE RISK IS INCREASING

The widespread and unmanaged use of CFSS tools has created a number of problems that have dramatically increased corporate risk:

Access security is often lacking
Most CFSS tools offer reasonably secure data storage in their data centers (or the data centers to which they outsource, such as the Amazon Cloud). However, there are two key security-related problems associated with CFSS tools:

As with many cloud services, users are permitted to employ weak passwords and often reuse the same password for multiple services. The lack of strong password policies and the absence of mandatory two-factor authentication means that it can be fairly easy for hackers to gain access to users' data repositories and the corporate data they contain. For example, in October 2014, a major data breach of Dropbox was blamed on hackers stealing login credentials from other sites and then attempting to exfiltrate Dropbox content using them [1].

While CFSS vendors are not directly at fault, leading providers represent a high value target for hackers because of the enormous quantities of data that they store. For example, if a hacker could gain access to Dropbox, Google Drive or Microsoft OneDrive accounts, their access could yield enormous quantities of sensitive or confidential corporate information.

Inadequate content management
Content that is stored in a CFSS tool is much less accessible (often completely inaccessible) to the organization at large. This makes it more difficult for decision makers to know the content that is available for review and production during eDiscovery or regulatory audits, it increases the difficulty of accessing this data on demand, and it makes content retention more haphazard. Moreover, the lack of an audit trail in most CFSS solutions adds to the serious risk associated with their use in a corporate environment, since there is no record of where, when or how data was shared. This can result in higher risks for spoliation of evidence, more difficulty in satisfying regulatory obligations, and more difficulty in managing for how long content is retained. The problem is magnified when employees leave a company and do not provide access to the corporate data in their personal accounts prior to their departure: much of this data can simply be lost to the organization forever.

Sanctions from courts or regulators
An organization that cannot manage its content or supervise how this content is managed can find itself the subject of legal or regulatory sanctions. Any content that is managed by individuals, including their files, is treated as a form of electronic information by courts and regulators, and so is subject to the same well-established rules as those for email. Consequently, organizations must take into account regulatory rules and eDiscovery guidelines when devising their BYO-related policies and procedures.

Search is more problematic
When decision makers need to search for corporate information, such as during the preliminary stages of a regulatory audit or during early case assessments that might precede a legal action, data that is locked away in CFSS data stores is largely inaccessible. The result is that investigations and similar types of activities will generate incomplete searches for critical information, resulting in a variety of potentially negative consequences. The problem becomes worse as data is stored in differing CFSS content stores. Even if these stores are approved, there is often no way to process a federated search against all of these stores.

Missing audit trail
As noted above, most CFSS tools do not provide an audit trail of where, when and by whom files have been accessed. The result can be serious data governance problems because IT, security, compliance or other teams cannot verify whether data was tampered with, which copies of data are true and authentic, whether necessary data was deleted, etc.

Unencrypted content
Many CFSS tools and services do not encrypt data in transit, creating the opportunity for data to be accessed by unauthorized parties. Plus, some services create a hash for each file sent to their storage infrastructure before it is encrypted for storage. While the hash process makes sense in order to prevent users from employing CFSS solutions for illegal file sharing purposes, for example, it also results in a third party having access to potentially sensitive or confidential content. If a third party provider experiences a security issue, as has been the case for some CFSS vendors, this can result in a data breach. There is also the potential for governments to access corporate data without the knowledge of those who own it. As just one example, the FBI can issue a National Security Letter to any cloud provider, including CFSS providers, along with a non-disclosure requirement that prohibits them from telling their customers about the existence of the Letter or the FBI's access to their content. While CFSS service providers will often strenuously object to this access, there is little that they can do from a legal perspective. From a company perspective, sensitive data stored in third party CFSS data stores should always be encrypted prior to being stored.

Higher IT costs
Corporate content that is not readily available in IT-managed data repositories results in IT spending more time searching for information, assuming it can even determine the location of this content. This drives up IT labor costs and takes IT staff members away from other, more essential IT tasks and initiatives.

Greater potential for malware incursion
When employees use CFSS tools to synchronize corporate data for use on a home computer or a personally owned mobile device, they run a higher risk of infecting that data with malware than when accessing that data on corporate-managed devices. Because home computers and personally owned devices are typically not scanned well for malware, and because consumer-focused file sync and share tools can bypass corporate security defenses, malware incursion through these tools is more likely.

Mobile
Increasing use of smartphones and tablets, and the use of CFSS tools on these devices, also results in growing risk. This risk results from data that is not natively encrypted on mobile devices and so can be accessed by unauthorized parties if a device is lost or when data is in transit. Plus, there are other risks that impact organizations when CFSS tools are employed on mobile devices: the use of malicious copycat apps that are meant to mimic bona fide mobile apps; leaky mobile apps that are not designed with security in mind, but that are nonetheless installed on mobile devices that access corporate data; use of questionable, third party app stores; or connection to non-secure Wi-Fi networks in coffee shops, hotels, airports and other venues. All of these can increase the risk of data breaches when CFSS tools are used on mobile devices.

WHY HAVE THE PROBLEMS GOTTEN SO BAD?

So, why have these problems with CFSS become so problematic? For many organizations, it comes down to four problems:

Budget
Many organizations have not allocated budget to implement robust alternatives to CFSS solutions that will satisfy both users' requirements and corporate needs. While most IT decision makers will readily admit that addressing the "Dropbox Problem" is important to them, many decision makers will wait until a data breach or adverse legal judgment has occurred before they will assign budget to address the issue. In fact, budget issues were the most commonly cited roadblock we found in the survey conducted for this white paper in replacing CFSS tools with EFSS alternatives. However, EFSS alternatives are typically not expensive on a per user basis, and dramatically less expensive when considering the risks associated with unfettered use of CFSS tools. For example, if the use of CFSS tools in a 2,500-user organization increased the risk of a $5 million data breach by just 5% compared to use of EFSS tools, that equates to a monthly, per user cost of $8.33 in additional corporate risk from not implementing an EFSS solution.

Expertise about alternatives
Many organizations are not aware of the various options available to them for replacing CFSS tools with EFSS alternatives. There are a significant number of robust alternatives available, some of which are discussed at the end of this white paper, that can prevent the problems associated with CFSS tools. One in six of the IT decision makers and influencers surveyed for this white paper cited lack of expertise to make the decision as a roadblock or major roadblock for replacing CFSS tools with EFSS alternatives.

Resources
Some organizations may lack the resources that they perceive are necessary to evaluate, deploy and manage EFSS solutions. These tools are typically easy to manage and many integrate nicely with existing archiving, security, content management, encryption and other systems. Plus, most vendors have professional services organizations or consultants available to help with the various (typically minimal) deployment and management investments required.

Corporate leadership
In some companies, senior executives have pushed internal IT departments for easier, on-demand access to corporate data.

THE ISSUE OF DATA SOVEREIGNTY

Data sovereignty, the idea that content is subject to governance according to the laws of the nation in which it is stored, is an essential consideration for management of any electronic data, but particularly when using cloud providers and/or remote data storage. This is an increasingly important and thorny issue for all organizations, but particularly for those that operate in multiple jurisdictions and may be subject to different and sometimes conflicting legal, privacy and other requirements.

Where this becomes a serious issue is when companies must store data only in certain jurisdictions or else be out of compliance, or when they store data in the cloud. For example, as far back as 2004 the Government of British Columbia began requiring public entities in the province to store personal information in its custody or under its control only in Canada and [for it be] accessed only in Canada [2]. Data that is owned or held by companies in the European Union (EU) generally has to stay only within the EU. The Office of the Australian Information Commissioner, through its enforcement of The Australian National Privacy Act of 1988, imposes strict requirements on how information about Australians is managed.

The use of cloud providers for data storage and management can raise various data sovereignty issues, since only a handful of providers offer iron-clad guarantees that data will be stored only in specific jurisdictions. For example, Microsoft stores Office 365 customer data in a number of different countries based on the location of the customer. Moreover, Microsoft can move customer data without notice and will not guarantee exactly where a customer's data will be stored.

The issue of data sovereignty has become even stickier since the passage of the US PATRIOT Act, and more recently the revelations from Edward Snowden about surveillance by the National Security Agency. Many organizations outside of the United States have been reluctant to use US-based cloud providers as a result of their fear that the US government will somehow gain access to their information. While some organizations may believe they are immune from the PATRIOT Act or other US surveillance of their data by not storing their data in the United States, virtually the only way that an organization can be completely immune from legal US government access to all of their data is by having no operations of any kind in the United States, something that applies to relatively few multinational firms.

Consequently, the only way that an organization can be reasonably immune from US government access to its data is to either a) not have any operations within the United States or b) maintain all of its data in-house and outside of the country. However, it is important to note that a) the PATRIOT Act impacts primarily US corporations regardless of their location; b) non-US companies with a US presence, but that do not share data with non-US sites, can be reasonably protected from PATRIOT Act access to non-US data; and c) the US government can still issue a search-and-seizure warrant via a governmental process outside of the PATRIOT Act that may be successful.

[2] lives.html

RECOMMENDATIONS

Osterman Research recommends that all organizations consider the following steps to address the growing risks they face from the use of CFSS tools.

Understand the depth of the problem
First and foremost, decision makers must understand the depth of the problems that the use of CFSS creates. Typical use of CFSS solutions brings with it a higher likelihood of data breaches, corporate data becomes less accessible, eDiscovery and regulatory compliance become more difficult and more expensive, and IT spends more on finding and recovering corporate data. Moreover, there are situations in which corporate data may be unrecoverable, such as when employees leave a company and IT cannot access the data they have stored in their personally managed CFSS accounts. Decision makers need to understand just how serious each of these issues is.

Implement appropriate policies
Next, before implementing any sort of CFSS alternative, IT decision makers, perhaps working with security, legal and compliance teams, should develop policies for the appropriate use of file sync and sharing capabilities. These policies should be part of the organization's overall acceptable use policies for email, social media, FTP, collaboration, instant messaging, Internet telephony and other tools, and should clearly spell out when and how file sync and share tools should and should not be used. However, any policy implemented should not be too complex and should be as transparent as possible to the users, or decision makers will find that users will not follow it and may actively seek to go around it.

It is also important to know the details of these policies from an Operational Risk Management standpoint. Risk is the possibility that an event will occur that could detrimentally affect the achievement of objectives, so it is key to understand such risks. Moreover, many companies already have established policies that encompass IT for initiatives like Basel 2 or Sarbanes-Oxley; CFSS risk and cloud use need to be factored into these.

Dealing with CFSS-dependent employees
One of the more important recommendations we can offer is not to prohibit the use of CFSS solutions, although nearly two-thirds of the organizations surveyed for this white paper have either banned or limited their use. Instead, it is essential for IT and other decision makers to understand the critical role that CFSS solutions play in helping users to become more productive, while also acknowledging the risks they cause, all while moving toward the deployment of an EFSS alternative. While decision makers may be tempted to address the risks of CFSS quickly by simply banning its use, doing so will only stifle the productivity of employees who actually adhere to the new policy, but will do nothing to address the problems from employees who ignore it.

In short, there is a need to manage CFSS applications as part of the overall process of rolling out EFSS solutions, ensuring that the migration of data, training of employees, and implementation of the new solutions is as problem-free as possible. A key part of putting IT back in control of the file sync and share process is the ability to rein in the use of CFSS tools as part of the rollout of EFSS alternatives. This ensures that users don't end up using both.

Focusing on EFSS as a replacement for CFSS
Finally, all organizations should replace their CFSS solutions with EFSS alternatives. While there are a wide range of features, functions and capabilities available in various EFSS tools, decision makers should focus on the following checklist of features, functions and capabilities in an EFSS solution to determine how these will fit with their file sync and share requirements:

Ease of use in an EFSS tool is essential, since most of the leading CFSS tools provide simple, easy-to-use interfaces and synchronization capabilities. Because EFSS tools must compete with CFSS for employee mindshare, an EFSS tool that is not easy to use or does not integrate well with employee work habits simply will not be used and the corporate investment will have been wasted.

Any EFSS solution must have good information governance at its core, since the primary reason to replace CFSS tools is to manage information in a way that satisfies all of an organization's legal, regulatory and best practice obligations. Unlike file sharing in most email and FTP systems, in which content is largely unmanaged after it is sent, EFSS tools will allow content to be managed by senders and by IT with various capabilities, like making the content available only for a limited time or allowing its access only by authorized individuals. This ensures that data breaches are much less likely and it will improve IT's ability to manage content appropriately. In short, all content managed in an EFSS system must be managed with a focus on the lifecycle of corporate data in mind, including its defensible deletion.

It is highly advantageous if EFSS tools can manage information at the document level. For example, through the use of information rights management for all files, an organization can control content wherever it resides, providing them with complete control over information at every stage of each document.

A key distinction between EFSS and CFSS tools is where primary control over corporate content is managed: IT with the former and individual employees with the latter. Consequently, it is essential that any EFSS solution under consideration puts IT in complete control of corporate data, while still enabling users to work with data as they need. More than 90% of survey respondents reported that an EFSS solution should include role-based sharing controls that are based on Active Directory or LDAP, as shown in Figure 5.

Figure 5: Importance of EFSS and CFSS Role-Based Sharing Controls that are Based on Active Directory or LDAP (% of Organizations That Consider Capability Important for Each Solution). Source: Osterman Research, Inc.

The majority of CFSS solutions are provided via the cloud. EFSS solutions, on the other hand, typically (but not always) allow the option of cloud storage, on-premises storage, or a combination of both. Moreover, if an organization opts for cloud storage, the decision to use public storage in a shared, multi-tenant environment should be considered relative to a private cloud approach that is normally more secure and more subject to IT control. It's important to note that there is not necessarily a "right" approach to EFSS in this regard, although highly sensitive data should normally be left on-premises or, if in the cloud, managed using a private-cloud model to maintain a high level of security. In many cases, it is useful to consider EFSS vendors that offer private cloud and on-premises options, as well as a hybrid on-premises/private cloud capability.

A significant majority of the organizations surveyed agreed on certain security traits of an EFSS system. For an in-house EFSS solution, metadata should be kept in-house instead of the cloud. Moreover, the vast majority agree that data should be fully encrypted between endpoints, with no intermediate steps where data is not encrypted, as shown in Figure 6.

Figure 6: Importance of In-House Metadata and Encryption Between Endpoints in EFSS and CFSS (% of Organizations That Consider Capability Important for Each Solution). Source: Osterman Research, Inc.

Key management is a consideration for any EFSS solution, since ownership of the keys for encrypting data in EFSS solutions is an important determinant of just how secure corporate data will be. However, the primary challenge is less about key management and more about key generation. If an organization's keys are generated by a third party and are able to be intercepted from a key server's memory, they lack the security that will be required in many situations. Third party key generation, regardless of who ultimately owns the keys, will not be adequate for a variety of organizations, including many in the banking, government, defense and other industries.

Any EFSS solution should integrate well with other solutions within the IT infrastructure. This includes corporate email to allow content to be automatically (or at least easily) transferred via EFSS instead of through email, as well as integration with encryption systems, authentication systems, backup solutions, enterprise mobility management, security, collaboration tools, single sign-on capabilities, etc.

An EFSS solution should offer a number of capabilities that will ensure IT control over corporate data, as well as helping users to ensure that data is managed properly. These capabilities should include an audit trail to ensure that sensitive or confidential information is trackable at all times, protection of data from tampering so that file integrity can be maintained, security to prevent external hacking of the system and infection of files with malware, robust access controls that include granular permissions control, and robust mobile access.

Many EFSS solutions may be provided with their own storage, while others are storage-agnostic and work with existing corporate and CFSS data stores to provide federated control and access. These can be used to provide a bridge between the use of enterprise data in conjunction with CFSS data while continuing to provide companies with appropriate access, security and audit controls.

Finally, the EFSS solution should be scalable, require minimal IT labor to manage, and require minimal training so that new users can get up to speed on the solution quickly. Moreover, the survey found that 95% of organizations believe that EFSS product architecture should consider latency, bandwidth, and reliability of network connectivity of remote offices as part of the EFSS decision process.

Figure 7: Importance of Considering Latency, Bandwidth and Reliability of Network Connectivity for Remote Offices in EFSS and CFSS (% of Organizations That Consider Capability Important for Each Solution). Source: Osterman Research, Inc.

SUMMARY

CFSS tools provide enormous utility to employees by enabling them to have access to all of their content from any device at any time. However, these tools introduce significant legal, regulatory and other risks to an organization and should be replaced with EFSS tools that will a) provide the same productivity gains as CFSS tools, but that will b) enable IT and other parts of an organization to regain control of corporate information. EFSS tools will dramatically lower corporate risk by keeping corporate information assets under the control of IT, and by ensuring that all data is managed in accordance with corporate policies and the systems designed to enforce these policies.

SPONSOR OF THIS WHITE PAPER

Founded in 1999, Topia Technology spent the last decade securely moving and managing data in complex distributed environments for programs with the US Army, FAA, Air Force and TSA. Each of these customers required security coupled with strict performance metrics, challenges met by Topia's innovative solutions and seasoned engineering team. With a growing focus on data breaches in and around the enterprise and the need to ensure best-in-class levels of data security in highly regulated industries, Topia introduces its military-grade security platform, Secrata, to offer unmatched security, flexibility and performance for the enterprise.

Secrata is an innovative, patented technology that shreds and encrypts data end-to-end to harden security for cloud, mobile and Big Data. Secrata is the only triple-layer enterprise security platform providing encryption and separation end-to-end, and protects against brute force attacks and more innovative security threats. The solution ensures a new level of security, privacy and compliance for all enterprise data regardless of where it is stored or how it is accessed.

info@topiatechnology.com

Topia's world-class engineers specialize in securing data in complex distributed systems, systems engineering, and distributed architectures, including service oriented architecture (SOA) and cloud computing.

Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice.
Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.