SECURE FILE SHARING AND COLLABORATION: THE PATH TO INCREASED PRODUCTIVITY AND REDUCED RISK

Transcription

1 SECURE FILE SHARING AND COLLABORATION: THE PATH TO INCREASED PRODUCTIVITY AND REDUCED RISK Whitepaper

2 2 Secure File Sharing and Collaboration: The Path to Increased Productivity and Reduced Risk Executive Summary Enterprise File Sharing and Sync (EFSS) products are making inroads into the enterprise in fact, Forrester analyst Ted Schadler recently called the space the hottest technology category since social networking. However, many EFSS implementations leave many issues unanswered, such as: How will intellectual property be protected if a user shares or syncs it? How will compliance be handled if regulated data ends up in the EFSS system? How will data be discoverable if files are synced to a cloud service and the company gets entangled in a lawsuit? Security is almost invariably top of mind (see chart below), and enterprises soon discover that many of the EFSS solutions fail to offer hoped-for security, and can even be a conduit to major security breaches.

3 3 What challenges if any has your organization experienced since deploying an online file sharing and collaboration solution? Percent of respondents, Sample = 139, multiple responses accepted. Security challenges Training users Internal processes/workflows Integrating existing applications User non-compliance Lack of admin control/auditing File size issues Slow performance Lack of senior management support Too expensive to justify No challenges 46% 40% 33% 32% 31% 30% 29% 24% 18% 15% 9% Source: Enterprise Strategy Group, Despite these challenges, EFSS implementations are expected to surge in the years ahead. Organizations are realizing that EFSS solutions have to protect data and prevent espionage by securing business plans, product roadmaps, financial documents and other confidential information that users may sync or share using these systems. As organizations are looking forward to deploying EFSS, they recognize that they must also put the right security and controls. Because of the nature of EFSS solutions, such security needs to extend to anywhere such information is shared inside and outside the organization, and to any type of device: PC and mobile, managed and unmanaged. This paper outlines the shortest path to implementing EFSS, while protecting the organization against data loss incidents. The first section presenting an expanded view of intellectual property (IP), factoring in that organizations now must be concerned with their IP when it is shared using EFSS with external users, like partners and suppliers. Next, recognizing that process, not technology, drives successful EFSS implementation, the paper lists six steps an organization can take to deploy EFSS with proper data security controls. Finally, the paper introduces the concept of documentcentric security, and demonstrates how a data-centric approach to EFSS technology can offers the robust data security enterprises require in their EFSS solutions, while delivering the experience users want.

4 4 What You Must Protect and Why Many companies protect their IP and other confidential information through a combination of access controls, encryption services and DLP tools. However, these protections are no longer effective as soon as a document is shared and goes outside the firewall to a mobile device or to an external party. IP can also include operational information, plans, forecasts and a huge variety of other files, which according to IDC, drive over 50% of the typical enterprise s business processes. In fact, any information that provides competitive advantage can be considered IP. The following realworld scenarios illustrate this fact: A film studio wanting to protect its scripts and marketing materials for an upcoming motion picture. A leading footwear manufacturer wanting to protect product designs sent over to Asia. A large private equity firm handling sensitive M&A transactions. A large oil company protecting intellectual property stored on various systems. The IP an organization needs to protect almost always extends to information shared with or by a partner or another third-party. There are potentially high costs to insufficiently protecting your IP, and once a breach occurs it is usually too late to stop or even mitigate the damage. Such external exposure can result in financial consequences like lost business and regulatory fines, devastated reputations, and other direct and indirect damages.

5 5 How Your IP Leaks Out While organizations have been focused around perimeter security and access controls, the following key vectors allowing sensitive data to leak require different tools: Device loss or theft A major leak vector is a mobile device (smartphone, tablet or laptop) being lost or stolen. In a BYOD world, and when mobile devices are used by third parties, it is difficult to solve this issue. Accidental sharing Much of the data leakage comes from insiders accidentally sharing the content via , Dropbox or other cloud services. It s as easy as sending an attachment to the wrong person, and having no recourse. Insider threat Employees many times copy sensitive data into a USB drive, a Dropbox account and move to a competitor. These are examples of the malicious insider threat. 14% of attacks are attributed to insider threat, and over 70 percent of these attacks happen within 30 days of an individual announcing resignation from the organization. Third party threats A lot of sensitive data and IP is shared with business partners, contractors and customers. As a business relationship ends, such data can remain with that third party. Additionally, any employee of that third party poses a threat equivalent to an organization s own insider threat. External attack Advanced Persistent Threats (APTs) affect many enterprises, and very frequently target critical IP and other data. As data becomes distributed, perimeter protection is not a sufficient defense. How Organizations Lose Data Insider External Attack Etc. Source: Forrester Research Lost Device Accidental Sharing

6 6 Six Steps for deploying Secure EFSS An ideal approach to implementing EFSS is to start small and move methodically through all steps below to ensure the project achieves the desired results. Particularly sensitive files, such as board and executive communications or IP are good places to start before moving to larger data sets with more owners and business processes. The six steps below for deploying secure EFSS are based on the collective experience at BlackBerry of working with hundreds of enterprise customers: 1. Identify and calculate the value of your data The key to solving this problem is working with your executives and information owners. Identify sensitive data, and determine a simple formula to estimate the value of your data. One of the best examples comes from the research group Securosis. Data value, frequency and audience is quantified within a table and allotted a score. Examples of data types include board and executive communications, IP, personally identifiable information (PII), sales data and any other specific data you are required to protect. An overall score is then defined based on the type of data. Below is an example of this in practice: 2. Make your business case with ROI A properly implemented EFSS solution typically saves one hour a week per user in productivity that s one extra work week each year. More specific ROI can come from less printing and shipping costs. For example, board books, event brochures or training materials can amount to hundreds of thousands of dollars a year. When using a secure EFSS solution, you can make your security ROI case, per the table above. You can demonstrate additional ROI for your security sponsors. This means clearly quantifying the immense value that comes when you know where your data is, who is accessing it and how it s being used. It s important to analyze, communicate and share the financial and organizational impact of stolen and lost data.

7 7 3. Identify business owners and solve for a few low hanging fruit Start with a small-scale deployment. Identify initial groups that have highvalue data, and are also feeling a sense of urgency around solving their collaboration and security needs. For example, senior executives may want to access their files on ipads and corp dev or legal teams may need to collaborate with external parties by sharing many sensitive files. It s important to identify the stakeholders, including who is going to manage the system and support it. For example, board documents may be managed by the corporate secretary, product design IP may be managed by the R&D group, and finance audit projects can be delegated to the individual project managers. Clearly identify success criteria in security as well as productivity terms. High level executives using the solution can prove its value and give it a lot of visibility in the organization going forward. 4. Deploy to wider groups After proving success on a small scale, you will likely see more demand throughout the enterprise. A gradual rollout is recommended to address additional groups and use cases. This stage typically encompasses a few hundreds of users and can go on for several months. 5. Integrate with your repositories and workflows before deploying enterprise wide To achieve wide-scale adoption, it is helpful to make sure the EFSS system is tightly integrated into user workflows. For example, if a content management system such as SharePoint is in use, it s important to have your EFSS solution pull data directly from that system in a seamless manner. Additionally, custom apps such as partner portals, document workflows, should be integrated via APIs into the EFSS system to provide consistent security and productivity across all enterprise systems. Once this is done, the system is truly ready for enterprise-wide adoption. 6. Leverage the compliance benefits Once the secure EFSS solution is in place, your organization will have significant auditing capabilities. It will be easy to prove compliance in the event of a lost or stolen device, terminated employee, ediscovery requirements and more. You will gain full tracking of files residing on lost devices, or being sent exchanged by employees and third parties.

8 8 The WatchDox by BlackBerry Secure EFSS Solution WatchDox by BlackBerry is a secure file sharing and sync tool that was build from the ground up by a team of security experts. As such, WatchDox addresses the real risks to your IP and the vectors it leaks through as described above: It embeds persistent controls in your files, so as they are shared with internal and external parties and across multiple devices they are always protected and tracked. Controls include restriction of document copy/paste, print, forward, unique watermarks and more. It allows remote wipe of data, whether it is on a lost or stolen mobile device (regardless if that device is a managed device or a third party device), or wiping data when a business relationship changes. It provides a choice of cloud or onpremise deployment, to address strong regulatory and security requirements WatchDox does all that, while still providing a friendly Dropbox -like experience for the end users. At the end of the day, this is what matters most. Users will reject a solution if it isn t usable, and they will find less secure workarounds. WatchDox provides an optimal combination of security and ease of use. Summary Enterprise File Sharing and Sync (EFSS) technology can be a double-edged sword, and the risk of allowing vast amounts of data to be easily taken out of the enterprise can outweigh the productivity benefits. WatchDox provides an EFSS solution that allows you to take back control over your data as it is shared, combining the benefits of productivity and collaboration with the type of security you need to protect your IP anywhere it travels in the course of doing business. WatchDox by BlackBerry enables organizations to access, protect and control their critical documents wherever they go: on any tablet, smartphone or PC, even those beyond the IT department s control. With WatchDox technology, organizations can collaborate securely with partners, safely adopt bring-your-own-device (BYOD) initiatives, and destroy their documents remotely if a device goes missing. More than 100 of the Fortune 1000 including many of the world s leading financial institutions, manufacturers and government agencies depend on WatchDox secure file-sharing solutions. Learn more at BlackBerry. Trademarks, including but not limited to BLACKBERRY, EMBLEM Design, WATCHDOX, WATCHDOX & Design and WATCHDOX & EMBLEM Design are the trademarks or registered trademarks of BlackBerry Limited, its subsidiaries and/or affiliates, the exclusive rights to which are expressly reserved. All other trademarks are the property of their respective owners.