AN ACCELLION WHITE PAPER

BYOD File Sharing
Go Private Cloud to Mitigate Data Risks

Accellion, Inc.
1804 Embarcadero Road, Suite 200
Palo Alto, CA 94303
Tel +1 650 485-4300
Fax +1 650 485-4308
www.accellion.com
info@accellion.com

Accellion, Inc. All rights reserved. WP-BYODFileSharingPrivateCloud313

Executive Summary

The consumerization of IT and the popularity of BYOD (Bring Your Own Device) are jeopardizing the security and integrity of business data. Seeking an easy way to share files across smartphones, tablets, and desktops, employees are signing up for free public cloud file sharing services that lack rigorous security and audit controls. These services are prone to security outages, and they lack the centralized monitoring and control features that IT administrators and internal security teams need for keeping data safe and demonstrating compliance.

In place of consumer-grade public cloud file sharing services, enterprises need a secure file sharing solution that is convenient, easy to use, and rigorously secure. By deploying such a solution on internal private clouds, enterprises can ensure that employees get the file sharing services they want, while IT gets the management and monitoring capabilities it needs for security and compliance. By adopting a private cloud solution for file sharing and synchronization, enterprises can enjoy the benefits of improved collaboration and IT elasticity, without increasing their exposure to data loss, regulatory penalties, and other compliance risks.

Where's Your Data?

In the world of IT, what could be more fundamental than making enterprise data accessible to authorized employees while keeping that data safe and under control? Yet today a growing number of IT organizations struggle to meet this fundamental requirement. Why?

Part of the problem is the consumerization of IT and the BYOD (Bring Your Own Device) revolution sweeping corporate networks. Employees are increasingly relying on consumer mobile devices such as iPads, iPhones, and Android smartphones and tablets as their computing devices for work. A growing number of these employees are now carrying multiple portable devices daily: 3.5 devices on average, according to a recent survey. [1] Employees want their business data available on all these devices all the time. They've become accustomed to gaining IT functionality as quickly as downloading a new mobile app, and they expect their new cross-device file sharing challenge to be solved with that same efficiency.

Lacking an endorsed file sharing solution from the IT department, employees are signing up for one or more free, public cloud file sharing services, such as Box, Dropbox, Google Drive, iCloud, and SugarSync, and syncing their files across systems and devices. To users, this approach seems quick, easy, and free, but to enterprise IT and security teams, it's troublesome, risky, and potentially quite costly.

Through ad hoc subscriptions to public cloud file sharing services, enterprises are losing control over the confidentiality, integrity, and availability of their data. Employees are sharing valuable intellectual property such as research documents, design documents, and business plans. They're sharing confidential data such as customer records and sales forecasts, data that in many cases is covered by industry regulations such as GLBA, FINRA, HIPAA, or SOX.

Employees hope that public cloud file sharing services won't leak this data, and that third-party administrators won't abuse their authority and pry into confidential files. Employees hope, too, that the files they share will remain unaltered, that data won't be tampered with or corrupted in any way, either by a malicious user or a technical glitch. And they hope that these file sharing services won't suffer security breaches, exposing confidential data, or service outages, rendering business-critical data unavailable to employees.

That's a lot of hoping. Too often, those hopes are dashed.

Hard as it is to believe, legitimate business users trusted their files to MegaUpload, a popular file-sharing service hosted in Hong Kong that U.S. authorities shut down when it became clear it was hosting large volumes of pirated data. All files hosted on the service, including files with confidential business data, have been seized and are yet to be released. [2] Another popular service, Dropbox, accidentally turned off all password protection for all their files for a four-hour period. [3] Dropbox still can't tell customers whether or not their files were accessed, and if so, by whom. Another service, Box, markets to consumers and business users, yet recently suffered an outage that kept business users from getting to their data for several hours. [4] Depending on which set of terms and conditions you read, Google Drive may or may not claim to own the business data that users post to it. [5]

Public cloud file sharing solutions are, it seems, too public and free-form for organizations that need privacy and security.

[1] http://www.forbes.com/sites/sap/2012/05/11/average-mobile-worker-carries-3-5-devices-heres-the-downside/
[2] http://www.wired.com/threatlevel/2012/06/feds-megaupload-data/
[3] http://news.cnet.com/8301-31921_3-20072755-281/dropbox-confirms-security-glitch-no-password-required/
[4] http://gigaom.com/cloud/box-cloud-storage-hits-a-glitch/
[5] http://www.zdnet.com/blog/btl/how-far-do-google-drives-terms-go-in-owning-your-files/75228

Staying Safe While Going Mobile

Mobility is here to stay, and so is consumerized IT. Businesses need a way of sharing files securely among users and across authorized devices, which include smartphones and tablets that employees bring in from home.

Traditional file storage and collaboration solutions, including Microsoft SharePoint, typically make it difficult to share files across multiple computing platforms and with external users, such as partners and customers who obviously don't have internal accounts (e.g., SharePoint accounts or entries in Active Directory or LDAP).

Enterprises need a convenient, flexible, and secure solution for enabling an untethered workforce (which increasingly comprises distributed teams with both internal and external users) to share files with all stakeholders (internal and external) and on all popular devices, while ensuring that IT never loses control of confidential data and data-access records.

Public-cloud file-sharing solutions such as Dropbox are convenient, but they fall short in security and manageability. Not only are these services subject to security breaches and service outages, but they also don't provide companies any means of auditing file distribution and access. They make it difficult or impossible for companies to meet legal eDiscovery requirements, as well as regulations such as GLBA and SOX. Many of them also violate European data privacy laws, which require companies to know where data is located and to prevent its distribution across national boundaries.

Rethinking Cloud File Sharing

What's the solution to these file sharing challenges? Consider how companies select and manage cloud services in other areas of IT operations. Public cloud services are popular with development teams, but most IT departments would never post valuable intellectual assets or confidential data on loosely controlled public services.
For example, no IT department is rushing to post financial records and HR files on a public cloud system simply to take advantage of the purported cost savings of cloud computing.

When choosing cloud services for IT-managed projects, companies typically trust the public cloud only with non-confidential data outside the purview of regulatory control. If data is confidential or regulated, most companies store it only on private clouds: dynamic, scalable cloud infrastructures hosted and managed internally. IT departments trust third-party cloud services with private data only if those services can meet strict SLAs, pass audits for rigorous control and security standards such as SAS 70, and provide the same level of control and monitoring that's available for on-premise solutions.

And federal agencies, of course, have even stricter requirements. To ensure agency data is safe, file sharing solutions must use FIPS-140-2 certified encryption for data in transit and data at rest, even if the data is at rest on a mobile device. The solutions should also integrate with agency authentication systems, such as Active Directory and LDAP, and support rigorous authentication standards such as SAML (Security Assertion Markup Language) 2.0. Finally, the solution needs to integrate with the document platforms popular with federal agencies, platforms such as Microsoft SharePoint.

Needless to say, free, consumer-class file-sharing services such as Dropbox don't meet these rigorous standards.

Going Private with Cloud File Sharing

With the public cloud, organizations are resigned to operate using the security standards of a third-party cloud vendor. Fortunately, private cloud file sharing does meet these standards. With the private cloud, it is still possible to reap the benefits of having data live anywhere, but organizations can set their own standards and best practices to reduce threat risk.

A private cloud solution for file sharing and synchronization helps enterprises enjoy the benefits of improved collaboration and IT elasticity, without increasing their exposure to data loss, regulatory penalties, and other compliance issues.

Accellion: Leader in Private Cloud File Sharing

Accellion Secure Mobile File Sharing solutions are available as a private cloud, public cloud, or hybrid cloud solution, so enterprises can deploy Accellion services in whatever configuration best meets their IT security needs. Not surprisingly, four out of five enterprise customers choose to deploy Accellion on a private cloud under the watchful eye of the IT and compliance departments.

Available as a secure, closely monitored service, Accellion provides all the file-sharing features that mobile users want, ensuring they have access to up-to-date files on all their devices all the time:

- Mobile access from multiple devices (iOS, Android, BlackBerry, Windows Phone)
- Synced files and folders
- Collaborative workspaces with threaded discussions and comments
- Automatic notifications of file creations, modifications, and deletions
- File version tracking

At the same time, Accellion Secure File Sharing gives the IT department fine-grained access controls for protecting data and ensuring that file distribution and data access comply with internal policies and industry regulations. IT requirements include:

- FIPS-140-2 compliant encryption of data in transit (SSL) and at rest
- User authentication (LDAP/AD integration)
- SAML authentication standard / single sign-on
- File tracking and reporting (audit trail for compliance)
- DLP integration
- Archival integration
- Enterprise Content Plug-ins (e.g., integration with SharePoint, iManage and other Network File Shares)

To ensure that all corporate data is shared through the Accellion solution, IT can take the additional step of blocking ports for the unmanaged file sharing services such as Dropbox. IT can also integrate Accellion services with commercial Data Leak Prevention (DLP) solutions, ensuring that mobile file access conforms with company policies for content distribution.

Private Cloud File Sharing Doesn't Compromise Enterprise IT Security and Compliance

By adopting a private cloud solution for file sharing and synchronization, enterprises can enjoy the benefits of improved collaboration and IT elasticity, without increasing their exposure to data loss, regulatory penalties, and other compliance issues. Accellion private cloud file sharing enables IT to meet employees' demands without defaulting on their mission to protect data, monitor operations, and ensure that end-user activity never compromises the mission of the organization overall.

For more information about Accellion, please visit www.accellion.com.

THIS DOCUMENT IS PROVIDED AS IS. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.