WHITE PAPER SPON. The Need for Enterprise-Grade File Sync and Share. Published February 2015 SPONSORED BY. An Osterman Research White Paper

Transcription

1 WHITE PAPER N The Need fr Enterprise-Grade An Osterman Research White Paper Published February 2015 SPONSORED BY spnsred by SPON spnsred by Osterman Research, Inc. P.O. Bx 1058 Black Diamnd, Washingtn USA Tel: Fax: inf@stermanresearch.cm twitter.cm/msterman

2 EXECUTIVE SUMMARY The Drpbx prblem is the term applied t the widespread and prblematic use f cnsumer-fcused file sync and share tls that was ppularized by Drpbx, the mst cmmnly used tl in this space. In fact, a search fr the Drpbx prblem in Ggle returns nearly 4,000 results. T be fair, hwever, there are a large and grwing number f tls similar t Drpbx that are ffered by a wide variety f clud prviders. Mrever, mst f these tls wrk as advertised mst prvide users with several gigabytes f clud strage and allw them t synchrnize any file acrss all f their desktp, laptp and mbile platfrms autmatically. And therein lies the prblem: these tls allw any file t be synchrnized acrss any device by any crprate user withut the versight r cntrl f that user s IT functin. This means that crprate financial infrmatin, emplyee recrds, custmer financial infrmatin, embarged press releases, and any ther sensitive r cnfidential infrmatin can be synchrnized t any user s device withut first being encrypted, withut an audit trail established t track the data, withut an ability t prevent critical infrmatin frm being mdified, withut any cntrl ver wh has access t this data, and withut any cntrl ver where and by whm that data is stred. This creates enrmus legal, regulatry, privacy and ther risks fr an rganizatin that allws these tls t be used. The gd news is that mst decisin makers and influencers are at least beginning t take the prblem seriusly. As shwn in Figure 1 frm a survey cnducted by Osterman Research specifically fr this white paper, five ut f six IT decisin makers and influencers is at least smewhat cncerned abut the use f cnsumer-fcused file sync and share tls and nearly ne in five are very cncerned. Figure 1 Level f Cncern Abut Emplyee-Managed File-Sharing Services Surce: Osterman Research, Inc. ABOUT THIS WHITE PAPER The white paper discusses the risks assciated with the unmanaged use f cnsumerfcused file sync and share tls, and it makes the case fr why an enterprise-grade alternative shuld be deplyed t replace them. This white paper was spnsred by Suth River Technlgies infrmatin abut the cmpany is prvided at the end f this paper Osterman Research, Inc. 1

3 THE STATUS OF FILE SHARING TODAY THE DE FACTO TOOLS FOR FILE SHARING As shwn in Figure 2, has becme the primary file transprt system in the vast majrity f rganizatins Osterman Research has determined that abut 98% f the bits that flw thrugh the typical crprate system are files, nt messages themselves. Hwever, a number f ther tls are als widely used and increasing in ppularity relative t , including Micrsft SharePint, traditinal FTP tls, cnsumer-fcused file sync and share tls, and a number f thers. Figure 2 Methds Used fr Sharing Files Tday (Asked f IT Emplyees) % f Organizatins in Which Tl is Used Surce: Osterman Research, Inc. has becme s widely used fr file transprt because f its ubiquity, the fact that it is based n industry standards, and that the drag-and-drp capabilities available fr file sharing in virtually all clients and Webmail interfaces makes it very easy t use. CONSUMER FILE SYNC AND SHARE TOOLS ARE POPULAR As shwn in Figure 2, bth IT-managed and emplyee-managed file sync and share tls are als used extensively fr crprate file sharing. Hwever, Osterman Research believes that the penetratin f cnsumer-fcused file sync and share tls, such as Drpbx, is actually greater than that shwn in the figure. Because the fcus fr the survey cnducted fr this white paper was n IT decisin makers and influencers, and because use f these tls is cmmnly hidden frm IT, we believe the penetratin f Drpbx-like tls t be greater than shwn in the figure. In shrt, the cnsumerizatin f IT is a mre nerus prblem than IT thinks it really is. Cnsumer-fcused file sync and share tls represent an imprtant surce f crprate cntent. Mrever, remte wrk, which is enabled by a grwing variety f clud-based tls, is increasingly enabling the gegraphical separatin f wrk teams, which in turn fsters even mre use f clud-based tls Osterman Research, Inc. 2

4 CONSUMERIZATION OF IT IS A SERIOUS PROBLEM The Bring Yur Own Device (BYOD), Bring Yur Own Applicatins (BYOA) and Bring Yur Own Clud (BYOC) phenmena are part f the grwing trend tward the cnsumerizatin f IT: emplyees use their persnal smartphnes, tablets, hme cmputers, applicatins and clud-based services t access crprate cntent and ther resurces like , databases, and varius applicatins. It is imprtant t nte that the cnsumerizatin f IT cvers a wide frnt, including scial technlgies like Facebk and Twitter, clud-based tls t share r stre cntent in a faster and easier way, and mre cnsumer-riented expectatins within the wrkplace. The grwing ppularity f the cnsumerizatin trend is evident in the large prprtin f mbile phnes used in the wrkplace, the grwing number f mbile apps used t create and access crprate cntent, and the widespread use f file sync and share tls. In the cntext f file sync and share tls, the cnsumerizatin f IT has given birth t the Drpbx prblem, a generalized mniker fr the large and grwing number f tls that emplyees can use t stre infrmatin in the clud, sync it in near real time acrss f their cmputing platfrms, and share it with thers. The cnsumerizatin f IT is becming mre f a serius prblem ver time. Fr example, Figure 3 shws the penetratin f varius file sync and share tls in May 2012 and January 2015 based n Osterman Research surveys f IT decisin makers and influencers. Figure 3 Penetratin f Varius Tls 2012 and 2015 Used With IT s Blessing May 2012 January 2015 Used Used Withut With IT s IT s Blessing Blessing Used Withut IT s Blessing Tl Apple iclud 13.7% 40.0% 14.1% 42.3% Bx 5.3% 21.3% 14.7% 30.7% Drpbx 11.3% 45.4% 28.6% 49.1% Ggle Drive 8.4% 30.5% 17.6% 42.8% Micrsft SkyDrive/OneDrive 8.5% 20.2% 31.4% 18.9% Surce: Osterman Research, Inc. THE STATUS QUO HAS SERIOUS PROBLEMS Cnsumerizatin f IT capabilities leads t fur serius prblems fr any rganizatin, regardless f its size r the industry in which it perates: 1. Crprate risk increases when emplyees use cnsumer-fcused file sync and share tls t stre sensitive r cnfidential cntent in clud-based data repsitries ver which IT des nt have cmplete (r any) cntrl. 2. Emplyees becme accustmed t wrking with their persnally deplyed applicatins and s are ften reluctant t stp using them unless they are presented with alternatives that are just as easy t learn and use. 3. The number f cnsumer-fcused file sync and share tls cntinues t grw, making it mre difficult fr IT t rein in their use. 4. IT and business decisin makers must devte budget, time and effrt t implement rbust alternatives t the existing base f cnsumer-fcused file sync and share tls Osterman Research, Inc. 3

5 IT CONTROL OVER FILE SHARING IS CHANGING One f the mre serius issues facing IT and rganizatins in general is the increasingly distributed cntrl ver critical data assets. Fr example, an Osterman Research survey fund that 13% f crprate data is stred n emplyees laptps, 5% is stred n their smartphnes and tablets, and 1% is stred n their hme cmputers. Much f this data is synced with these platfrms using Drpbx and ther cnsumer-fcused file sync and share tls. What this means is that a) rganizatins are lsing cntrl ver crprate data assets because cpies f these assets are stred with a variety f third party prviders, and b) IT is increasingly unable t cntrl the management f infrmatin in their wn rganizatins. This is a message that has nt been lst n IT decisin makers and influencers. As shwn in Figure 4, nly 7% f thse surveyed give their rganizatins an A grade fr their management f infrmatin security best practices in the cntext f filesharing, while a majrity give themselves a grade f C r lwer. Figure 4 Grades That Organizatins Give Themselves Fr Their Management f Infrmatin Security Best Practices fr File-Sharing Surce: Osterman Research, Inc. CORPORATE RISK IS INCREASING There are a significant number f prblems assciated with allwing unchecked r unmanaged file-sharing t take place in an rganizatin, even if just a small number f users is ding s: Pr cntent management Files stred in and distributed by Drpbx r ther file sync and share tls is much less accessible t the rganizatin at large. This makes it mre difficult fr decisin makers t knw what cntent it has available fr ediscvery r regulatry audits, it increases the difficulty f accessing this data when required, and it makes cntent retentin mre difficult. Mrever, lack f an audit trail in mst file sync and share slutins cntributes t the serius risk assciated with their use in a crprate envirnment because there is n recrd f where, when r hw this data was shared. This can lead t mre risk f evidence spliatin, mre risk in satisfying regulatry bligatins, and mre difficulty in managing cntent retentin perids. The prblem is magnified when emplyees leave a 2015 Osterman Research, Inc. 4

6 cmpany and d nt prvide access t the crprate data in their persnal accunts prir t their departure. Many prviders d nt enfrce rbust security at every level Mst leading cnsumer-fcused file sync and share services ffer secure data strage in their data centers (r the data centers t which they utsurce). Hwever, there are tw significant security-related prblems with mst f these services. First, as with s many clud services, users are allwed t emply simple passwrds and many reuse the same passwrd fr multiple services. The lack f strng passwrd plicies and a lack f mandatry tw-factr authenticatin means that gaining access t users data repsitries is fairly simple. Secnd, while nt the fault f these services, leading prviders represent a high value target fr hackers because f the enrmus quantities f data that they stre gaining access t these accunts culd ptentially yield valuable infrmatin n a large scale. Search is mre difficult When rganizatins need t cnduct a search fr crprate data, such as during early case assessments that might precede a legal actin, when cnducting internal investigatins, r when respnding t a regulatry audit, data that is lcked away in third party data stres is mre r less inaccessible. This means that investigatins and the like will generate less-than-cmplete searches fr essential infrmatin, carrying with it a variety f negative cnsequences. Higher csts fr IT departments When essential crprate data is nt readily available in IT-managed data repsitries that are cmpletely under their cntrl, IT must spend mre time searching fr infrmatin, assuming it can even find this cntent. This nt nly drives up IT labr csts, but als takes IT staff members away frm ther, mre pressing IT tasks and initiatives. Regulatry r legal sanctins Pr recrd keeping r supervisin can result in a variety f regulatry r legal sanctins. Persnally managed infrmatin is treated as a frm f electrnic cmmunicatin r cntent by curts and regulatrs, and s is subject t the same well-established rules as thse fr . As a result, rganizatins must take int accunt regulatry rules and ediscvery guidelines when devising their BYOD, BYOA, and BYOC plicies and prcedures. Lack f encryptin Many cnsumer-fcused file sync and share services d encrypt data in transit between their custmers devices and their data centers, resulting in the ptential fr data t be intercepted by unauthrized parties. Mrever, sme services, such as Drpbx, create a hash fr each file that is sent t their strage infrastructure befre that cntent is encrypted fr strage. While the hash prcess is quite sensibly perfrmed t prevent users frm emplying Drpbx fr illegal file sharing, it als means that a third party has sme level f access t sensitive crprate cntent. If a third party prvider experiences a security prblem as has been the case fr sme cnsumer-fcused file sync and share prviders this can expse crprate cntent t a data breach. Related t this is the ptential fr access t sensitive and cnfidential data by varius gvernments that can access data withut the knwledge f thse wh wn it. Fr example, the Federal Bureau f Investigatin can issue a Natinal Security Letter t a clud prvider alng with a nn-disclsure requirement, prevent the prvider frm infrming their custmers abut the issuance f the Letter. Malware-related risks Anyne wh uses a cnsumer-fcused file sync and share tl t synchrnize crprate cntent fr use n a hme cmputer r persnally wned device, and 2015 Osterman Research, Inc. 5

7 inadvertently infects ne r mre files with malware in the prcess, can intrduce this threat t the crprate netwrk when syncing files. This is a serius issue that can wreak havc fr crprate security staff, lead t a lss f data, r create a number f ther prblems. Because many hme cmputers are nt maintained with the same level f security as crprate systems, and because cnsumer-fcused file sync and share tls can bypass crprate security defenses, malware incursin thrugh these tls is a distinct pssibility. Lack f an audit trail In mst cases, cnsumer-fcused file sync and share tls d nt prvide an audit trail f when and where files have been accessed. This can create serius data gvernance prblems, particularly during investigatins r when a chain-fcustdy fr sensitive infrmatin must be maintained. Mbile The grwth f mbile cmputing and the increasing use f cnsumer-fcused file sync and share tls n these devices means that data is increasingly at risk when stred n smartphnes and tablets. This risk cmes frm data that is nt natively encrypted n mbile devices and s can be accessed if a device is lst, r that can be intercepted in transit by unauthrized parties. RISK = COST These risks can lead t a variety f direct and/r indirect csts t an rganizatin. Fr example, an inability t prduce all necessary data during a legal actin r a regulatry audit can result in fines r ther sanctins. Having data scattered acrss the rganizatin in persnal file-sharing accunts can require extra IT staff r legal staff time t find and prcess. Malware, such as a keystrke lgger that is intrduced int an rganizatin thrugh an unmanaged file sync and share applicatin, can result in the lss f finances (e.g., thrugh exfiltratin f funds frm a crprate bank accunt), lss f intellectual prperty, r a breach f custmer data. There are a number f ways f quantifying these csts. In the example belw, we prvide a quantitative business analysis apprach t estimating them. Fr example, let s assume that the use f a cnsumer-fcused file sync and share tl will result in the fllwing ptential risks and csts: Spliatin f data in a lawsuit: A 2.0% likelihd each year f a $200,000 sanctin fr lsing data. A data breach f just 50,000 recrds: A 4.0% likelihd each year f incurring remediatin and ther csts f $200 per recrd. Intrductin f malware: A 2.5% likelihd each year f lsing $250,000 as a result f a single malware incident. If we multiply the likelihd f each incident by the cst f the event actually ccurring, this results in a ttal annual cst f $410,250. Hwever, it is imprtant t nte that these are quite cnservative estimates (a 2.0% chance equates t a single incident nly nce every 50 years), bth fr the likelihd f each event ccurring and its ptential financial impact. The csts culd be significant higher than thse presented here. BEST PRACTICES FOR CHANGING THE STATUS QUO One respnse t the varius risks assciated with the use f cnsumer-fcused file sync and share tls is an utright ban n their use, althugh sme rganizatins prefer t smehw limit their use. As shwn in Figure 5, ne in six rganizatins 2015 Osterman Research, Inc. 6

8 believes that they can mitigate the risk assciated with these tls by simply banning their use, while a much larger prprtin f cmpanies want smehw t limit them. Hwever, as, discussed belw, utright bans r placing restrictins n the use f cnsumer-fcused tls is an ill-advised strategy. Instead, we recmmend tw best practices t address the issues raised by cnsumer-fcused file sync and share tls. Figure 5 Crprate Thinking With Regard t Clud-Based File Transfer Systems Surce: Osterman Research, Inc. 1. UNDERSTAND THE DEPTH OF THE PROBLEM First and fremst, IT decisin makers, senir business managers, CIOs, legal cunsel and thers must understand the depth f the prblems their rganizatins face when emplyees use cnsumer-fcused file sync and share tls. These prblems, as discussed abve, include the increased likelihd f data breaches; an inability t access sensitive, cnfidential and ther data n demand; an inability t prperly fulfill ediscvery r regulatry audit requirements; and ther prblems. Hwever, many decisin makers d nt yet fully appreciate the severity f the prblems that cnsumer-fcused file sync and share tls can create. Fr example, as shwn in Figure 6, nly ne-third f the rganizatins surveyed fr this white paper have already replaced these tls r cnsidering their replacement a very high pririty. Mrever, when cnsidering nly thse rganizatins that are still using cnsumerfcused file sync and share tls, the prprtins are nt fundamentally different: nly 6% f rganizatins have already begun the migratin prcess away frm these tls and nly 25% cnsider it t be a very high pririty t d s. The prprtins that cnsider migratin a mderately high r lw pririty are virtually identical between bth ppulatins Osterman Research, Inc. 7

9 Figure 6 Level f Pririty fr Replacing Cnsumer-Fcused Tls by Early 2016 Surce: Osterman Research, Inc. 2. IMPLEMENT THE RIGHT TOOLS Instead f taking the rather dracnian (and largely ineffective) apprach f banning the use f cnsumer-fcused file sync and share tls, Osterman Research recmmends that rganizatins implement an enterprise-grade file sync and share slutin. Such a slutin shuld be implemented with the fllwing capabilities in mind: Fcus n ease f use An enterprise-grade file sync and share slutin must cmpete against the grwing number f easy-t-use, cnsumer-fcused file sync and share tls like Drpbx, Ggle Drive, Micrsft OneDrive, Apple iclud, and ther tls t which users have becme accustmed and upn which they rely t imprve their prductivity. Cnsequently, an enterprise-grade slutin must be very simple t use and have an interface cmpatible with user expectatins if IT expects users t emply it. N matter hw much IT dictates that users stp using their favrite file sync and share tl r attempts t frce the use f alternatives that are less appealing, users simply will nt use a tl if they dn t want t d s. Fcus n crprate gvernance True, enterprise-grade file sync and share slutins include the ability t manage data thrughut its entire lifecycle in keeping with infrmatin gvernance best practices. Unlike mst and FTP systems that are used fr file sharing, in which cntent is mstly unmanaged after being sent, enterprise-grade tls will allw cntent t be managed by senders and by IT with capabilities like making the cntent available nly fr a limited time r allwing its access nly by authrized parties. This ensures that data breaches are less likely and it will imprve IT s ability t manage cntent in keeping with regulatry, legal, and crprate plicy requirements. Managing crprate gvernance f data prperly is becming a mre serius issue as state, prvincial, and natinal gvernments fcus n stpping breaches f sensitive and cnfidential data. Because data breaches have been n the 2015 Osterman Research, Inc. 8

10 increase, Osterman Research expects that laws and crprate plicies designed t gvern data mre effectively will becme stricter in the future. Included amng these slutins are thse that will verlay enterprise-grade file sync and share capabilities ver an existing infrastructure in rder t preserve existing investments. Whether implementing a full-blwn enterprise-grade file sync and share capability r adpting an verlay apprach, the gal is t imprve the security and crprate gvernance capabilities inherent in an enterprisegrade slutin. Put IT back in cntrl f file sharing The fundamental prblem with cnsumer-fcused file sync and share tls is nt the utility f the file-sharing prcess itself, but rather that the cntrl ver the prcess shifts frm a) IT and its repsitries that are managed in accrdance with crprate plicies t b) emplyees and a randm selectin f third parties that d nt satisfy these plicies. Implementing a slutin fcused n the frmer is essential because it minimizes risk, ensures that crprate plicies are implemented and enfrced, and allws apprpriate cntrl ver sensitive and cnfidential crprate data. An imprtant element in putting IT back in cntrl f the file sync and share prcess is the ability t reign in cnsumer-fcused file sync and share slutins as part f the rllut f the enterprise-grade capability. This ensures that users dn t end up using bth. Evaluate the varius deplyment ptins Mst cnsumer-fcused file sync and share slutins are managed in the clud. Enterprise-grade slutins, n the ther hand, typically permit the ptin f clud strage, n-premises strage, r a cmbinatin f bth. Plus, if an rganizatin pts fr clud strage, the decisin t use public strage in a shared, multi-tenant envirnment shuld be cnsidered relative t a private clud apprach that is typically mre secure and mre cntrllable by IT. There is nt necessarily a right apprach t enterprise-grade file sync and share, althugh highly sensitive data shuld, in mst cases, be left n-premises r, if in the clud, managed using a private-clud mdel t maintain the highest level f security. In mst cases, it is advantageus t cnsider enterprise-grade file sync and share vendrs that ffer bth private clud and n-premises ptins, as well as a hybrid n-premises/private clud capability. Make sure that essential capabilities are included An enterprise-grade file sync and share slutin shuld include a number f capabilities that will ensure a high level f IT cntrl ver crprate data, as well as helping users and IT t ensure that data is managed prperly: An audit trail capability fr all files is essential t ensure that the lcatin and transmissin f sensitive r cnfidential infrmatin is trackable at all times. Rbust access cntrls that include highly granular permissins cntrl shuld be a key element f any slutin. All cntent shuld be prtected frm tampering s that the integrity f each file can be maintained. The slutin shuld als include security capabilities t prevent external hacking f the system and infectin f individual files with malware. The slutin shuld permit cntent t be sent frm and accessed by mbile devices easily Osterman Research, Inc. 9

11 The slutin shuld integrate easily with existing archiving, backup, mnitring, authenticatin, enterprise mbility management, security and ther systems. Finally, the slutin shuld be scalable, require very little IT labr t manage, and require minimal training s that new users can learn the slutin quickly. ABOUT SOUTH RIVER TECHNOLOGIES Suth River Technlgies develps sftware fr managed file transfer and enterprise file sharing. The SRT family f prducts prvides strng security fr encrypted data transfer and strage. Prducts include WebDrive and Crnerstne MFT Server. WebDrive is the first applicatin t map a netwrk drive letter t a server acrss the Internet. Enabling users t access remte files thrugh the instantly familiar interface f Windws Explrer r Finder, this technlgy ultimately reduces training and IT supprt csts. WebDrive makes every remte file as easily accessible as files n the desktp, enabling easy access t crprate servers, such as SharePint, SFTP and WebDAV servers, as well as ppular clud file sharing services. Crnerstne MFT is the premier slutin fr cmbining the security, autmatin and reprting f a Managed File Transfer Server with the effrtless file sharing and prductivity enhancements that have becme the de fact standard f cnsumer file sharing services. sales@suthrivertech.rg T: F: SRT slutins ffer security features such as tw-factr authenticatin, n-the-fly data encryptin that eliminates having t temprarily write unencrypted files t the disk, intelligent passwrd enfrcement and autmated events t thwart hackers. Prductivity enhancements include ne-click file sharing and direct editing f server based files, eliminating the need t dwnlad. Funded in 2001, Suth River Technlgies is a privately held cmpany based in Annaplis, MD. SRT slutins enhance the prductivity and security f nearly 90,000 custmers in 135 cuntries. Prducts are sld directly and thrugh resellers and distributrs in 40 cuntries. SRT sftware is available in English, French, German and Japanese. Fr mre infrmatin, visit Osterman Research, Inc. 10

12 2015 Osterman Research, Inc. All rights reserved. N part f this dcument may be reprduced in any frm by any means, nr may it be distributed withut the permissin f Osterman Research, Inc., nr may it be resld r distributed by any entity ther than Osterman Research, Inc., withut prir written authrizatin f Osterman Research, Inc. Osterman Research, Inc. des nt prvide legal advice. Nthing in this dcument cnstitutes legal advice, nr shall this dcument r any sftware prduct r ther ffering referenced herein serve as a substitute fr the reader s cmpliance with any laws (including but nt limited t any act, statute, regulatin, rule, directive, administrative rder, executive rder, etc. (cllectively, Laws )) referenced in this dcument. If necessary, the reader shuld cnsult with cmpetent legal cunsel regarding any Laws referenced herein. Osterman Research, Inc. makes n representatin r warranty regarding the cmpleteness r accuracy f the infrmatin cntained in this dcument. THIS DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL Osterman Research, Inc. 11