IT Today is brought to you by Auerbach Publications


What the Gurus of Secure Collaboration Couldn't Tell You - How to Do It Right

By David Gibson, VP of Strategy, Varonis Systems

Organizations are making progress in securing the enterprise and the huge amounts of data we produce, consume and analyze. However, despite best efforts to secure that information, data breaches continue to hit the headlines day after day. There has never been a more pressing need for enterprise-level collaboration technologies that ensure that data is accessible to the right people by the right devices, stored in the right places, and protected and managed efficiently.

Faced with huge growth in mobile technologies and new free collaboration services, such as Dropbox, organizations need to find ways to coexist with these technologies, taking advantage of the efficiencies they bring, and ensuring that their data assets are adequately protected. Employees need a secure method to collaborate and share information. If IT doesn't provide one, they will take matters into their own hands; many already have. The challenge lies in how to transform chaotic collaboration, which, unfortunately, exists in most corporations today, into organized, secure collaboration that leverages modern file-sharing and synchronization technology without succumbing to the risks it brings.

File synchronization services create a virtual folder on your workstation, laptop, tablet, or smartphone that looks and behaves like a regular folder. You can save files in it, browse them, open them, and edit them. Unlike normal folders, though, the files inside them are automatically copied to a system somewhere "in the cloud." That means that they are stored on some server on the internet, and as soon as they are uploaded they are copied to all the other devices that sync with your folder and made available to all those with whom you have chosen to share and collaborate.

There are a lot of conveniences for organizations in terms of management. You don't need to worry about things like backing up, disaster recovery, or hosting sites, because the cloud service takes care of those things (or so we assume).

For consumers, cloud services offer advantages over traditional file sharing platforms in that you have all your files whether or not you're connected to the Internet or your corporate network, and you can access your files from your tablet and smartphone. The most compelling thing, however, is that we don't have to put any thought at all into using them:

  • There's a folder
  • You put files in it
  • They sync, and
  • Wham! All your files are available to you and to those with whom you collaborate

The fact that we don't need to put a lot of thought into using these services is also a big problem. The line between personal use and corporate use has blurred, and employees are storing corporate data in cloud services without corporate approval or oversight.

In fact, unless you're actively blocking all cloud services, it's almost certain that your employees are using them. If you do block them without offering an acceptable solution, then it's almost certain that your employees are using them anyway, working on their personal devices entirely outside of the corporate network.

This not only opens you up to data theft and data breaches, but exposes your company to compliance and regulatory offences that could put you out of business. Many organizations are subject to regulations concerning customer information, financial information, and other types of sensitive data. Ensuring regulatory compliance is already a challenge in established IT environments. How can organizations be sure that regulated content isn't being stored in cloud repositories where controls may not be as mature?

Some key questions organizations need to ask about cloud synchronization services are:

  • Who are these cloud service providers and how do they protect their networks?
  • Are actual access events and permissions changes audited, and how can they be integrated with existing audit trails?
  • How is disaster recovery performed?
  • How can organizations inspect them to make sure they are behaving as they claim?
  • How can organizations make sure they even have a copy of all the data an employee has created, much less make sure employees aren't taking data when they leave?

In addition to the security concerns, there are issues of manageability. Cloud services are just starting to integrate with corporate directory services infrastructures, such as Active Directory, so that means maintaining separate user and group entities, managing access control lists in yet another system and having processes and controls in place to demonstrate that access is maintained and reviewed consistently by the appropriate parties. Organizations are already overwhelmed with managing access controls for the data that resides inside their networks. Adding an additional platform outside the infrastructure will only increase workload and complexity.

According to a recent Gartner report, How to Control File Synchronization Services and Prevent Corporate Data Leakage, "Gartner believes that providing file synchronization across as many diverse devices as possible will be most effective in meeting user needs, thereby discouraging users from seeking unauthorized file sharing technologies."

Based on Gartner's assessment that "Huge Amounts of Proprietary and Regulated Data Are Leaking Onto Non-corporate Devices, Outside of Enterprise Controls and Audit Trails," and the analysis above, here are three conclusions that can be drawn about the current state of file sharing for organizations:

  • Cloud-based file synchronization services have become so popular that they threaten to scatter organizational assets.
  • Organizations must offer sanctioned file synchronization services and device interoperability or they run the risk of losing control of digital assets outside the corporate LAN.
  • Today's cloud-based file synchronization services sacrifice a level of control and do not fully integrate with existing infrastructure.

Organizations are at a turning point: one where they either let things go as they are now, where their employees use personal devices and free cloud services to store organizational assets wherever they choose, or select a separate, cloud-based file synchronization service that will add management overhead and new risks that are difficult to quantify.

However, there is another way. What if organizations could offer file-synchronization services with their existing infrastructure, taking advantage of the storage that they already own, authenticating with their own user catalog, and integrating with protection and management technology and processes they already have? Organizations could then offer the cloud experience with their existing infrastructure. Imagine:

  • Data is stored in the right place, on storage that organizations already own
  • Authentication and authorization follow existing processes
  • Existing data protection and management regimes can be utilized

Hopefully we have made it clear that organizations cannot afford to ignore creeping consumerization and the introduction of collaboration methods into the enterprise, which can damage it fundamentally. However, consumerization has shown that collaboration is not only possible but inherent in human activity and a very positive force to be harnessed by the corporation. Whether we like it or not, employees like collaborating amongst themselves, and rather than losing control, the enterprise has to seize on the good points of consumerization and gently clamp down on the bad ones.

It is unfortunate but true that unless organizations choose a direct course of action and put policies into place, they run the risk of being in an impossible situation very soon: data that their organization relies on to function and data that they are responsible for will be scattered over thousands and even hundreds of thousands of servers, datacenters, and workstations all across the globe over which they have absolutely no power. It is time for organizations to introduce a coherent policy for collaboration in place of the dangerous ad hoc creep of consumerization, which is the reality of most enterprises at the moment.


© Copyright 2012 Auerbach Publications