You may have heard corporate IT people worrying that BYOD (bring your own device) means they have to support consumer devices. Now data center people have a tougher problem: BYOC, or bring your own cloud.
Anyone charged with securing an organization’s data and intellectual property could be forgiven for having nightmares at the thought of all the business information spilling over into consumer-grade cloud storage such as Dropbox, iCloud, Microsoft OneDrive (formerly SkyDrive) and Google Drive.
There are inherent security risks to such services, such as the serious authentication bug on Dropbox in 2011, and the 2014 leak of celebrity photos allegedly stolen from iCloud. But there is also the matter of ownership and control: quite simply, once it is on Dropbox or an equivalent, you have neither of them.
Confidentiality and IP
Alongside the obvious issues of confidentiality and IP, consumer-grade file synchronization services also present all sorts of legal and regulatory compliance dangers. Generally, compliance with the likes of HIPAA in the US, or the EU data protection rules, will require encryption (among other things), and very few consumer-grade services enforce this as standard. These services also tend to lack an audit trail for file sharing, as well as strong access control and authentication.
In addition, consumer services include no intrinsic data backup, instead declaring backup to be the user’s responsibility. So while there may be some limited protection against user error, for example allowing you to recover old versions and deleted files for up to a month, the user’s data is not protected beyond that time, nor will it be protected against disaster at the cloud storage company’s data center.
As a result, where once you might have focused on preventing people from copying confidential data onto unencrypted CD-ROMs or USB sticks, now you have to stop them copying it onto any of a multitude of cloud storage services. To make matters worse, they could also be copying it to and from a variety of devices, including the smartphone or tablet they use to work on the move.
It’s hard to say no
There are many problems with flatly saying No to Dropbox & Co, as well. For a start, the services themselves can be extremely agile and adept at getting past blockages, because they are designed to work well over just about any connection, whether it be home broadband, office wireless, mobile broadband, with or without NAT (network address translation), etc.
More importantly, though, the reason people use these services is that they work, and for many uses they work extremely well. This is because they were designed with the individual and with ease of use in mind. They make it especially easy to synchronize files from one device to another, for example, to help users share files with friends and family.
Synchronization makes cloud storage easier to work with, but there's a problem: cloud storage is typically object-based, which means that standard file-based software applications cannot directly work with files in the cloud. Instead, they must do one of three things: use an intermediary device or service that provides file-based access (such as a hybrid cloud storage gateway); download the files to local storage (or cache) and then upload them again once edited; or use web-based apps, such as Google Apps, instead of local ones.
The advantage of file sync is that it takes care of the downloading and uploading, transparently synchronizing work in the background. This works well for individuals and is extremely useful when it comes to automatically saving photos from your phone to your PC.
Sync is much less appropriate for sharing enterprise data. Data ends up in local storage on devices that can be lost, stolen, or simply taken away by their owners (by someone leaving the company, say). It also lacks the controls and checks needed for enterprise use.
The more likely requirement here is collaboration; for example, enabling a team to share a project folder, with revision tracking and true file sharing in place. If file synchronization to mobile devices is allowed — and it can be very useful for a subset of users and activities — then you also need file locking to avoid multiple updates to the same file from overwriting one another.
Yet when you look for enterprise-grade alternatives, they must also be just as effective and easy to use as the consumer services, because otherwise your users will not switch. No longer can the data center or IT department dictate to the user departments — the arrival of software-as-a-service (SaaS) and of cloud platforms means that local users and managers can too easily circumvent troublesome red tape by implementing their own local solutions, funded out of petty cash.
IT therefore needs to be inclusive on file sharing, offering a strong alternative that both meets users’ needs for collaboration and file sharing, and at the same time meets the organization’s needs for security and compliance. This alternative must be just as easy to use as the free services, and it must be accompanied by clear policies and training, spelling out the risks and liabilities to make sure the users understand why they must use this enterprise-grade service.
Fortunately, there are options that could fit the bill. There are three approaches (see box): file sync and sharing services that were designed for business use, with security in mind; enterprise versions of the consumer services; and storage that you run locally in your own data center.
The problem is real; luckily so are the solutions.