WHITE PAPER N The Need fr Enterprise-Grade Synchrnizatin An Osterman Research White Paper Published August 2012 spnsred by spnsred by SPONSORED BY SPON spnsred by Osterman Research, Inc. P.O. Bx 1058 Black Diamnd, Washingtn 98010-1058 USA Tel: +1 253 630 5839 Fax: +1 253 458 0934 inf@stermanresearch.cm www.stermanresearch.cm twitter.cm/msterman
EXECUTIVE SUMMARY Clud-based file-sharing and synchrnizatin (FSS) tls are amng the httest applicatins used in the wrkplace, ffered by market-leader Drpbx, Inc. and a large and grwing number f vendrs. These tls, which bradly can be classified as cnsumer-fcused because they are typically deplyed by individual users and nt as part f a crdinated IT plan, ffer tremendus usability. By synchrnizing files acrss a variety f platfrms desktp, laptp, smartphne and tablet these tls enable users t have near real time access t all f their cntent frm any cmputing platfrm and any lcatin. The Need fr Enterprise-Grade Synchrnizatin Hwever, these tls create a number f prblems fr IT and rganizatins in general: Files that are shared and stred n individual platfrms many f which are persnally wned devices like smartphnes and tablets are nrmally nt managed in accrdance with IT cmpliance and gvernance plicies. This means that files may nt be encrypted, backed up r archived as files n IT-managed systems wuld be. The vendrs wh manage the clud data centers in which custmer files are stred may r may nt prvide sufficiently rbust security t prtect cntent frm unauthrized access, malware infectin r inadvertent data leakage. Files shared using these tls are ften nt scanned by crprate malware systems, and s create an additinal pprtunity fr malware t enter the crprate netwrk. FSS tls have been used n sme ccasins t distribute spam. FSS tls can als create ther prblems, including the mixing f crprate and persnal data leading t privacy prblems in sme cases and they can als cmplicate the e-discvery and regulatry management prcess. KEY TAKEAWAYS FSS tls are extremely useful and they make users mre prductive because they enable access t cntent in near real time n a variety f devices. Hwever, these tls create serius cmpliance, gvernance and security prblems. Our research fund that 49% f rganizatins believe the prblems created by these tls are abut as serius as they were 12 mnths ag, but 42% reprt they are mre serius nly 8% find they are nw less f a prblem. Files that are shared and stred n individual platfrms many f which are persnally wned devices like smartphnes and tablets are nrmally nt managed in accrdance with IT cmpliance and gvernance plicies. In respnse, IT departments shuld nt establish plicies r take ther measures t prevent the use f file synchrnizatin capabilities per se. Instead, IT departments shuld deply enterprise-grade replacements fr these tls that will prvide the same benefits f everywhere-access t files, but that put IT in cntrl f the cntent that is shared using these files. AN IMPORTANT CAVEAT Thrughut this white paper we refer t cnsumer-grade FSS tls and Drpbx (referring t the slutins ffered by Drpbx, Inc.). It is imprtant t nte that ur purpse in this white paper is nt t denigrate either this categry f tls r Drpbx in particular, but rather t prvide a fair and hnest assessment f these tls benefits and drawbacks. ABOUT THIS WHITE PAPER This white paper was spnsred by Email2 infrmatin abut the cmpany is ffered at the end f this white paper. 2012 Osterman Research, Inc. 1
THE CURRENT STATE OF FILE SHARING AND SYNCHRONIZATION USERS NEED TO SHARE AND SYNCHRONIZE CONTENT One f the fundamental tenets f the mdern enterprise is that users need t share infrmatin with thers fr a variety f purpses: t cllabrate n the creatin f dcuments, presentatins and spreadsheets; t send, sign r receive critical business dcuments like prpsals, cntracts and purchase rders; and t bradcast cntent f varius types. Mrever, users need t synchrnize cntent acrss the grwing variety f platfrms they use t create, view and share cntent. Fr example, it is nt uncmmn fr a user t create a dcument n a desktp cmputer, mdify it n a laptp while traveling r at hme after hurs, view it n a tablet, and share it with smene else using a smartphne. Anther imprtant driver fr the need t have anywhere-access t cntent is permanent r semi-permanent telecmmuting in which users d nt have an ffice, but instead wrk frm hme, ging int an ffice nly when necessary. Fr example, 40% f IBM emplyees wrk remtely i and 85% f Cisc s emplyees telecmmute ii n a regular basis. IDC estimates that mre than three millin crprate ffice hme ffices will be added t the current base f US telewrking husehlds between 2011 and 2015 iii. Add t this the majrity f infrmatin wrkers that wrk at hme r therwise remtely after hurs and must have access t cntent. This ut-f-ffice experience further drives the need t have access t the same dcuments and the crrect versins f these dcuments available in a variety f lcatins and n several different devices. EMAIL IS USEFUL FOR COMMUNICATION, BUT NOT SO USEFUL FOR COLLABORATION Email has becme the de fact tl fr sharing cntent with thers because f its ease f use, the fact that it is universally accessible because it is built n industry standards, and it is available frm virtually any cmputing platfrm. Hwever, email has sme serius shrtcmings as a file-sharing tl: it is cumbersme t use fr cntent synchrnizatin, it cntributes t versin cntrl prblems, and mst crprate email administratrs place limits n the maximum size f a file that can be sent using email. T vercme the limitatins with email, many users emply FTP systems, persnal Webmail r physical delivery. Hwever, these alternatives intrduce their wn set f limitatins: FTP systems require IT t prvisin and manage these systems, nt t mentin the fact that undermanaged FTP servers can stre cntent fr years and lead t ptentially unauthrized access t sensitive cntent. The Need fr Enterprise-Grade Synchrnizatin Email has sme serius shrtcmings as a file-sharing tl: it is cumbersme t use fr cntent synchrnizatin, it cntributes t versin cntrl prblems, and mst crprate email administratrs place limits n the maximum size f a file that can be sent using email. Persnal Webmail bypasses crprate cntent scanning, archiving and backup prcedures, nt t mentin the fact that crprate files are stred utside f the cmpany s cntrl r access. Physical delivery r transprt f cntent, such as n CDs/DVDs r USB sticks, is slw, cumbersme and expensive. Mrever, when users cpy files t a USB stick t take wrk hme with them, they can run int versin cntrl issues, they may frget particular files they need t d their wrk, they may infect crprate files when using them n an unprtected hme PC, r they may lse the USB stick and sensitive crprate data with it. 2012 Osterman Research, Inc. 2
DROPBOX HAS BECOME THE DE FACTO STANDARD FOR CONTENT SYNCHRONIZATION T satisfy their cntent-sharing and synchrnizatin requirements, millins f users have turned t FSS tls, mst f which use a) a client installed n each device and b) the clud fr synchrnizatin f cntent. These tls, mst f which are available fr free r at a nminal cst, are extremely easy t use and wrk exactly as advertised: they allw cntent created r saved n ne device t be distributed t, r at least easily accessible frm, any ther device a user emplys. The Need fr Enterprise-Grade Synchrnizatin Drpbx has becme the leading FSS tl with a user base exceeding 50 millin users as f Spring 2012 iv, up frm just 3 millin users tw-and-a-half years earlier v. Althugh Drpbx is the clear market leader, there are many ther file synchrnizatin tls in use frm a large and grwing number f vendrs. An Osterman Research survey cnducted specifically fr this white paper fund a large number f FSS tls in use in the wrkplace mst cnsumer-fcused and a few true enterprise-grade tls. Mrever, sme f these tls are used with IT s blessing, but mst are used withut it. File Synchrnizatin Tls in Use With and Withut IT s Blessing As a % f Organizatins Rughly ne ut f every 16 crprate files is stred in a primarily cnsumerfcused filesharing and synchrnizatin system. T underscre just hw imprtant these tls have becme, ur research discvered that amng thse respndents wh culd estimate the ttal amunt f their crprate data that is managed using FSS tls, the average was 6.2% -- i.e., rughly ne ut f every 16 crprate files is stred in a primarily cnsumer-fcused FSS system. Hwever, 39% f respndents have n idea hw much f their data is stred in the systems. WHY ARE THESE TOOLS USED? The vast majrity f crprate emplyees are smart and they want t find effective and efficient ways f ding their wrk. As a result, users are increasingly turning t FSS tls because f the many benefits they ffer: They eliminate the file size limitatins inherent in email. 2012 Osterman Research, Inc. 3
They are much easier t learn and use than FTP systems. In fact, nce the lcal client sftware has been installed, file synchrnizatin takes place autmatically and transparently such that simply saving a file makes it accessible within secnds n ther platfrms, either fr persnal use r sharing with thers. The Need fr Enterprise-Grade Synchrnizatin These tls make bringing wrk hme r n the rad far simpler and mre reliable. These tls are available at very lw cst. Mst prviders ffer tw r mre gigabytes f strage at n charge, with much larger amunts f strage available fr a nminal mnthly fee. The bttm line is that FSS tls cmbine ease-f-use, lw cst and utility that mre traditinal file-sharing technlgies simply cannt match in terms f cst r cnvenience. PROBLEMS WITH THE STATUS QUO Despite the many benefits f the cnsumer-fcused FSS tls in use in the wrkplace tday, there are a variety f prblems that these tls intrduce, as discussed belw. The magnitude f these prblems has nt been lst n decisin makers: as shwn in the fllwing figure, nearly fur ut f five rganizatins surveyed fr this white paper are at least smewhat cncerned abut these prblems. IT Management Cncern Abut the Use f Cnsumer-Grade File Sharing and Synchrnizatin Slutins When cntent is shared using cnsumerfcused filesharing and synchrnizatin tls, cntent is nrmally nt encrypted unless the user specifically chses t d s and installs additinal sftware fr this purpse. SO, WHAT ARE THE PROBLEMS? There are fur fundamental issues assciated with the use f cnsumer-fcused FSS tls in a wrkplace cntext: A lack f cmpliance and gvernance capabilities When cntent is shared using cnsumer-fcused FSS tls, cntent is nrmally nt encrypted unless the user specifically chses t d s and installs additinal sftware fr this purpse. The result is that ptentially sensitive crprate data 2012 Osterman Research, Inc. 4
can be sent ver the Internet and stred in a third party s clud data center withut encryptin, ptentially expsing it t interceptin and pssibly in vilatin f regulatry bligatins (e.g., the Health Insurance Prtability and Accuntability Act [HIPAA] r the Payment Card Industry Data Security Standards [PCI DSS]). Fr example, Drpbx encrypts custmer data n the server side, but nt at the client. The Need fr Enterprise-Grade Synchrnizatin Mrever, when cntent is stred in a clud-based FSS vendr s data center, accessing this data fr purpses f e-discvery r a regulatry audit becmes impractical r impssible because f the need fr IT t gain access t every such accunt and then search it fr the required cntent. Plus, tls like Drpbx are nt cmpliant with a number f cmpliance standards like HIPAA, PCI DSS, ISO 27001, ISO 9001 r the Family Educatinal Rights and Privacy Act (FERPA). Finally, mst cnsumer-fcused file synchrnizatin services d nt permit users t cntrl the physical lcatin f data, which can lead t regulatry prblems r thers issues in jurisdictins that require sensitive data t be stred nly in certain gegraphies, r at least make it desirable t d s. Fr example, a nn- US cmpany will typically prefer that its data nt be stred in a US-based data center t avid its access under the PATRIOT Act. Sme types f data held by cuntries in the EU are required t stre data nly in certain gegraphies. A lack f IT cntrl ver cntent Anther serius shrtcming f mst cnsumer-fcused FSS slutins is that they prvide IT with n cntrl ver the lifecycle f data sent using these slutins. Fr example, these tls typically d nt prvide any cntrl ver when cntent will expire and thus will n lnger be viewable, they prvide n plicy-managed encryptin, and they d nt prvide any plicy-managed permissins r access cntrl. Mre fundamentally, crprate plicies that cntrl encryptin, backup, archiving r DLP that apply t cntent sent thrugh email r FTP systems cannt be applied t cntent sent thrugh cnsumerfcused FSS tls. In shrt, the lack f IT cntrl ver the cntent sent thrugh mst FSS tls puts the emplyee in charge f emplyer-wned data, when in reality it shuld be the latter. Related t IT s lack f cntrl ver cntent when emplyees use file synchrnizatin tls is that nt all clud prviders ffer a stellar recrd f security prtectin. Fr example, n June 19, 2011, Drpbx experienced a serius security breach fr three hurs and fifty-tw minutes that permitted anyne t access custmer-wned data vi. A serius shrtcming f mst cnsumerfcused filesharing and synchrnizatin slutins is that they prvide IT with n cntrl ver the lifecycle f data sent using these slutins. An inability t scan cntent fr malware Anther shrtcming f cnsumer-fcused FSS tls is that they typically d nt scan cntent fr unwanted cntent like malware r spam. This permits cntent frm an unprtected hme cmputer, fr example, t be infected with malware, upladed t the clud, and then dwnladed t a user s wrk cmputer, circumventing crprate malware-scanning systems and ptentially spreading the infectin thrughut a cmpany s netwrk. Drpbx, fr example, admits that it des nt scan fr malware: in a February 2012 frum pst, a Drpbx mderatr nted that Checking [fr malware] will nly be dne n yur wn machine after it has dwnladed. vii Althugh nt cmmn, Drpbx has als been used t distribute spam. Symantec, fr example, fund that Drpbx has been used t distribute spam viii. A mix f crprate and persnal data Anther prblem with cnsumer-fcused FSS tls because they are nrmally under the cntrl f end users is that they can be used t send and share a mix f crprate and persnal cntent. Fr example, mixed with sensitive cmpany infrmatin might be an emplyee s vacatin phts, résumé r persnal financial recrds. This makes activities like e-discvery r regulatry 2012 Osterman Research, Inc. 5
cmpliance much mre difficult because reviewers will ften find, and must srt thrugh, persnal data as they search fr crprate recrds that are relevant t the discvery prcess. Mrever, privacy rights fr persnal data might becme a thrny issue, particularly in jurisdictins that are heavily fcused n emplyee privacy rights. The Need fr Enterprise-Grade Synchrnizatin The bttm line is that use f mst cnsumer-fcused FSS tls put rganizatins at greater risk and it drives up the verall cst f managing crprate data assets and netwrks. Cmplicating the issue further is that while mst rganizatins use cnsumer-fcused FSS tls, mst d nt use their enterprise-grade equivalents, as shwn in the fllwing figure. Des yur cmpany use enterprise-grade clud file synchrnizatin slutins? Use f mst cnsumerfcused filesharing and synchrnizatin tls put rganizatins at greater risk and it drives up the verall cst f managing crprate data assets and netwrks. It is als imprtant t nte that ur research fund 45% f users in the rganizatins surveyed currently use mbile apps t access clud-based FSS tls, but nly 18% f rganizatins currently supprt these mbile apps. YOUR OPTIONS TO GAIN THE UPPER HAND Many IT decisin makers and influencers wuld prefer that Drpbx and ther types f cnsumer-fcused file synchrnizatin tls nt be used at all. As shwn in the fllwing figure, a plurality wuld prefer that these tls nt be used (nt surprising given the prblems they can cause), while abut ne-half want varying levels f use, but with IT versight f the data sent and stred in these services. 2012 Osterman Research, Inc. 6
What wuld yur IT management prefer fr services like Drpbx? The Need fr Enterprise-Grade Synchrnizatin WHAT SHOULD YOU DO? Decisin makers faced with the prspect f users wh have installed and are using cnsumer-fcused FSS tls i.e., mst rganizatins have three ptins t deal with the prblem: D nthing This is clearly the simplest and least expensive ptin fr decisin makers t cnsider. Hwever, it als is the mst risky ptin frm a cmpliance, IT cntrl and security perspective fr the reasns nted abve. Osterman Research highly recmmends that the D Nthing apprach nt be cnsidered. Create plicies that require users nt t emply these tls Anther relatively simple ptin is t implement a crprate plicy that requires emplyees nt t install r use any srt f cnsumer-fcused FSS tl. While sme emplyees will cmply with the plicy, it is safe t assume that many will nt. Fr example, a 2011 Osterman Research survey asked 214 IT decisin makers and influencers abut their level f agreement with the statement, [Our] emplyees d nt install applicatins n their cmputers in vilatin f IT plicies. The survey fund that 30% f respndents in rganizatins f up t 500 emplyees disagreed r strngly disagreed with this statement; in larger rganizatins the situatin was even wrse: 41% disagreed r strngly disagreed. Clearly, plicies will nt be an effective methd t prevent the dwnlad and installatin f cnsumer-fcused FSS tls. Osterman Research highly recmmends the deplyment f an enterprise-grade file-sharing and synchrnizatin tl as a replacement fr the cnsumer-grade equivalents that are s prevalent in mst rganizatins tday. Deply an enterprise-grade file synchrnizatin tl Osterman Research highly recmmends the deplyment f an enterprise-grade FSS tl as a replacement fr the cnsumer-grade equivalents that are s prevalent in mst rganizatins tday. Ding s will ffer the best f bth wrlds: it will give users the flexibility and ease f use that drives them t cnsumer-fcused file sharing and synchrnizatin; and it will give IT easy access t crprate data when required, the ability t cntrl hw cntent is sent, and where it is stred. Key features f an enterprise-grade slutin shuld include: 2012 Osterman Research, Inc. 7
The ability fr users t synchrnize cntent easily The ability fr IT t easily deply and manage the system Access using a variety f devices, brwsers and perating systems Integratin with LDAP r Active Directry In sme cases, deplyment n-premise if IT prefers this apprach Tracking f all file versins The ability t stred deleted files, if desired Activity lgs t mnitr cntent flws Encryptin f sensitive cntent Management f cntent accrding t crprate plicies The ability t archive cntent Permissin and access cntrl fr individual files The ability t establish expiratin perids fr files A cmplete audit trail fr cmpliance purpses The Need fr Enterprise-Grade Synchrnizatin SUMMARY Cnsumer-fcused FSS tls prvide enrmus benefits t end users, but they intrduce a number f risks and ther prblems in a crprate setting. Cnsequently, every rganizatin shuld deply an enterprise-grade FSS tl that will cmbine the benefits f their cnsumer-fcused equivalents with the IT cntrl that rganizatins require. SPONSOR OF THIS WHITE PAPER Email2 ffers clud-based slutins fr secure file transfer and email encryptin ensuring secure, cmpliant cmmunicatin and cllabratin. Integrating seamlessly with any email platfrm, Email2 s slutin enables rganizatins t send, track, and receive secure email and attachments n any device, anytime, anywhere. Email2 s Secure Messaging Platfrm: Eliminates size limitatins fr secure large file transfers, allwing files f any size t be securely transferred withut taxing the netwrk r mail server Ensures cmpliance with all majr data privacy and security regulatins including Sarbanes-Oxley, HIPAA, PCI-DSS, and Gramm-Leach-Bliley Safeguards cnfidential emails and files frm unauthrized disclsure r lss thrugh pwerful tracking features and permissins tls; additinally allwing recall f messages and attachments even if the cntent has already been read www.email2.cm sales@email2.cm +1 888 362 4520 +1 604 684 8133!! Enables anytime, anywhere secure cmmunicatin and cllabratin by allwing users t send, track and receive secure email and attachments n any mbile device including iphne, ipad, Andrid and BlackBerry Autmates and securely delivers messages and file attachments t any email archive database r third party applicatin thrugh a secure API Simplifies the cmplexity f secure cmmunicatin and cllabratin, preserving wrkflw by integrating seamlessly with any email platfrm including MS Outlk, MS Office 365, Gmail and Zimbra Email2 s Secure Messaging Platfrm ensures secure data transfer and cmpliance, withut sacrificing functinality, making it the right platfrm fr rganizatins wh want t meet cmpliance requirements while preserving wrkflw. Email2!s superir functinality and seamless API integratin with existing infrastructure makes the 2012 Osterman Research, Inc. 8
platfrm a perfect value added service fr technlgy integratrs, value-added resellers and security vendrs. The Need fr Enterprise-Grade Synchrnizatin 2012 Osterman Research, Inc. All rights reserved. N part f this dcument may be reprduced in any frm by any means, nr may it be distributed withut the permissin f Osterman Research, Inc., nr may it be resld r distributed by any entity ther than Osterman Research, Inc., withut prir written authrizatin f Osterman Research, Inc. Osterman Research, Inc. des nt prvide legal advice. Nthing in this dcument cnstitutes legal advice, nr shall this dcument r any sftware prduct r ther ffering referenced herein serve as a substitute fr the reader s cmpliance with any laws (including but nt limited t any act, statue, regulatin, rule, directive, administrative rder, executive rder, etc. (cllectively, Laws )) referenced in this dcument. If necessary, the reader shuld cnsult with cmpetent legal cunsel regarding any Laws referenced herein. Osterman Research, Inc. makes n representatin r warranty regarding the cmpleteness r accuracy f the infrmatin cntained in this dcument. THIS DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL. i ii iii iv v vi vii viii http://www.ibm.cm/ibm/respnsibility/emplyees_well_being.shtml http://www.vancuversun.cm/jbs/welcme+wrkplace/5772250/stry.html U.S. Hme Office 2011 2015 Frecast: Recvery Drives Interest in IT as Hme Office Husehlds Adjust t New Ecnmic Realities, Internatinal Data Crpratin http://www.drpbx.cm/static/dcs/drpbxfactsheet.pdf http://gigam.cm/2009/11/24/drpbx-raises-7-25m-crsses-3m-users/ http://techcrunch.cm/2011/06/20/drpbx-security-bug-made-passwrds-ptinal-frfur-hurs/ http://frums.drpbx.cm/tpic.php?id=52598 http://www.symantec.cm/cnnect/blgs/drpbx-abused-spammers-0 2012 Osterman Research, Inc. 9