Security Considerations for Evaluating Online File Sharing and Collaboration Solutions
Upcoming SlideShare
Loading in...5
×
 

Security Considerations for Evaluating Online File Sharing and Collaboration Solutions

on

  • 1,842 views

Online file sharing solutions are seeing increasing adoption in enterprises yet often that adoption is driven by employees bypassing IT and bringing in consumer-grade services. For business use ...

Online file sharing solutions are seeing increasing adoption in enterprises yet often that adoption is driven by employees bypassing IT and bringing in consumer-grade services. For business use addressing concerns regarding privacy and security of corporate information is critical. This report outlines the key security considerations when evaluating file sharing solutions.

Statistics

Views

Total Views
1,842
Views on SlideShare
674
Embed Views
1,168

Actions

Likes
0
Downloads
10
Comments
0

5 Embeds 1,168

http://inthepersonalcloud.com 892
http://www.inthepersonalcloud.com 272
https://rankhigher.io 2
http://www.google.com 1
http://webcache.googleusercontent.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Security Considerations for Evaluating Online File Sharing and Collaboration Solutions Security Considerations for Evaluating Online File Sharing and Collaboration Solutions Document Transcript

  • Report   Best Practices: Security Considerations for Evaluating Online File Sharing and Collaboration Solutions By Terri McClure, Senior Analyst March 2014 © 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved.
  • Report: Best Practices: Security Considerations for Evaluating OFS Solutions 2 © 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved. Contents Market Drivers for the Adoption of Online File Sharing (OFS) Services.......................................................3 OFS Security Considerations.........................................................................................................................3 Evaluating OFS Solutions ..............................................................................................................................5 The Type of Solution Affects the Evaluation Process............................................................................................... 5 Security in Context of Other Features...................................................................................................................... 5 User Authentication and Security Basics.................................................................................................................. 6 Key Management...................................................................................................................................................... 6 Mobile Device Data Protection ................................................................................................................................ 7 Protecting Content ................................................................................................................................................... 7 Data Center and Network Security........................................................................................................................... 8 Tracking and Reporting............................................................................................................................................. 8 Privacy and Data Ownership .................................................................................................................................... 8 Governance and Compliance.................................................................................................................................... 8 Other Considerations for OFS Solutions.......................................................................................................8 The Importance of OFS Training............................................................................................................................... 8 Working With—Not Against—Users ........................................................................................................................ 9 The Bigger Truth .........................................................................................................................................10 All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.
  • Report: Best Practices: Security Considerations for Evaluating OFS Solutions 3 © 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved. Market  Drivers  for  the  Adoption  of  Online  File  Sharing  (OFS)  Services The explosive growth of mobility, consumerization, and BYOD has transformed the IT world like few trends have before. In response to this radical restructuring, new and existing vendors have revamped their business objectives to accommodate the growing ranks of end-users who insist that IT accommodate their newfound mobility dependence. Their position is clear and concise: Give us the software applications, hardware platforms, and support we want, or we will find them on our own in lieu of IT-sanctioned business tools. Not only have they done just that, but in so doing, they have also inadvertently founded a movement—shadow IT. Caught up in this unprecedented churn, BYOD is morphing into BYOA—bring your own (consumer) application—as end-users increasingly obtain and implement data sharing and portability solutions, while accessing apps for multiple intelligent endpoint devices. IT now finds itself in the uncomfortable position of trying to woo disaffected end-users back into the corporate fold and provide them with the same type of simple online file sharing (OFS) from any device that they get from consumer solutions, leading to the adoption of OFS for business use. OFS, which has traditionally been the domain of consumers and knowledge workers, helps users share, access, and collaborate on documents or files stored in public, private, or hybrid clouds via the Internet. Files can be accessed by and synced across multiple endpoint devices, including desktops, laptops, tablets, smartphones etc. In its new guise as a commercial tool, OFS is being used to both stem the BYOA tide—giving users ease of access, collaborative capacity, and, ultimately, increased productivity—and meet the number one demand of IT: control and protect business data. OFS  Security  Considerations Although OFS services have resulted in many benefits for current users, companies also report a number of ongoing challenges as they adopt these services. According to ESG research, security is the most-cited concern for surveyed users regarding adoption of OFS solutions, and the most-cited inhibitor for those who don’t  plan  to  adopt  OFS  at   all.1 Indeed, many organizations that have deployed online file sharing are still grappling with security issues, including data leakage, web-based threats, and application layer vulnerabilities. A primary concern is simply that the online file sharing service provider itself  will  be  attacked,  potentially  leaving  users’  data  vulnerable  to  theft.  In   addition,  most  OFS  solutions  offer  “anywhere  access”  to  data  via  mobile  device-resident applications or web browsers. With this kind of accessibility, data leakage by employees, whether accidental or intentional, is an obvious cause for concern. As can be seen in Figure 1, respondents to this ESG research survey indicate that end-to-end encryption (52%) and antivirus on files (45%) are the two most-cited pressing security-specific requirements that organizations require from corporate online file sharing and collaboration services, but the list spreads out from there with IT looking for everything from maintaining key ownership to link expiration.2 Other leading responses include digital rights management, remote wipe, integration with mobile device management (MDM) solutions, and compatibility with data loss prevention (DLP) tools. 1 Source: ESG Research Report, Online File Sharing and Collaboration: Deployment Model Trends, February 2014. 2 Source: ESG Research Brief, Security Requirements for Corporate Online File Sharing Services, to be published April 2014.
  • Report: Best Practices: Security Considerations for Evaluating OFS Solutions 4 © 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved. Source: Enterprise Strategy Group, 2014. End-to-end Encryption: It is important to ensure that data is encrypted wherever it may reside within the solution. This means at rest in the service providers data center, in flight over the internet to or from the endpoint devices, or on the endpoint device itself. This ensures that if any data is intercepted or accessed, that it is essentially unreadable. 2% 22% 22% 23% 23% 24% 24% 26% 27% 28% 28% 28% 28% 30% 31% 31% 31% 32% 33% 45% 52% 0% 10% 20% 30% 40% 50% 60% None of the above SAS 70 compliant data center(s) File/link expiration White list/black list domain names Metadata stripping Ability  to  randomly  audit  service  provider’s  onsite  facilities All service provider employees receive background checks Ability to review/manage user password characteristics Notifications of identity policy and workflow violations Access to audit logs and reports Integration with existing authentication Integration with Mobile Device Management platforms Industry-specific security standards such as FINRA, HIPAA, PCI, etc. Security certifications such as SSAE 16 Type II, Safe Harbor, etc. Integration with data loss prevention (DLP) tools Remote wipe Ability to maintain key ownership Remote tracking Digital rights management (DRM) capabilities Antivirus on files End-to-end encryption Which of the following security-specific requirements does your organization require from a corporate online file sharing and collaboration service? (Percent of respondents, N=334, multiple responses accepted) Figure 1. Security Requirements for Corporate OFS
  • Report: Best Practices: Security Considerations for Evaluating OFS Solutions 5 © 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved. Antivirus on Files in OFS Environments: Locking down data to protect it from viruses and hackers is critical. Because so many people are connecting to shared file systems, if a virus penetrates a system, it can worm its way through an entire file sharing environment and corrupt all the data, rendering a workforce completely unproductive, which can be a very expensive situation. Having corporate data on mobile devices and controlling access to it via these devices exacerbates these concerns. Evaluating  OFS  Solutions   The Type of Solution Affects the Evaluation Process Security is a broad ranging subject. For OFS solutions, which can be delivered via public, hybrid, or private offerings, the  topic  could  apply  to  everything  from  the  solution  provider’s  software  development  practices,  to  whether  the   way it handles data on mobile  devices  matches  the  subscribing  organization’s  mobile  device  policies  and   procedures, to its internal monitoring and audit processes. That is why it is important to cover all the bases when evaluating security across OFS providers, but it is even more important to understand that an evaluation process is different depending on the types of solutions being evaluated. Companies can implement a private solution in which IT organizations deploy the application and infrastructure in- house, and secure and maintain it like any other enterprise application. But data can also live on laptops, desktops, and mobile devices, so in that scenario, the evaluation focus should be on secure file sharing, mobile content management, and reporting. Alternatively, the solution might come in the form of a pure service or hybrid offering in which the software is delivered as a service with some (or all) corporate file data primarily residing within the service  provider’s  data  center. In this case, in addition to evaluating the same criteria as for private deployments, the  service  provider’s  application  development  practices,  data  center,  and  network  security  practices  must also be evaluated. Security in Context of Other Features With all the noise from vendors and their laundry lists of must-have  features,  it’s  important  to  know  what  an effective starting point is for evaluating solutions. It is not just about security—that is only part of the equation, albeit a big one—so make sure to assess it in the context of everything else that must be evaluated. As seen in Figure 2, a wide variety of feature requirements go hand in hand with security evaluations and influence security decisions. 3 The three most-cited of these requirements are integration with existing applications, the ability to synchronize files across multiple device types, and scalability. OFS products must integrate with existing tools such as MDM and DLP so that IT  teams  don’t  find  themselves   reinventing  the  wheel.  Also,  if  security  is  in  place  but  it  doesn’t  synchronize  across  multiple  device  types,  end-users won’t  adopt  the  solution  IT  provides.  Given  the  premium  placed  on  expanded  mobile  device  support,  it  is  not   surprising that reliable synchronization across a variety of devices is a key evaluation criterion. Finally, organizations are looking for offerings that scale. Over time, many organizations expect to roll out OFS solutions to their entire employee base, and the ability to easily add users and devices will be crucial. Security is part of the puzzle, but companies need to make sure that they evaluate security in light of all the other features and functions they are going to need. 3 Source: ESG Research Report, Online File Sharing and Collaboration: Deployment Model Trends, February 2014.
  • Report: Best Practices: Security Considerations for Evaluating OFS Solutions 6 © 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved. Source: Enterprise Strategy Group, 2014. User Authentication and Security Basics As  OFS  usage  expands  and  becomes  a  more  integral  part  of  overall  corporate  IT  strategies,  it’s  natural  that  IT   professionals will look to integrate with existing technology systems, tools, processes, and policies, especially authentication  and  other  security  tools.  Integration  with  existing  applications  was  one  of  IT’s  primary  requirements,   landing it a spot among the most-cited responses when current and planned users were asked about feature requirements4 .  If  you  have  security  but  it  doesn’t  integrate  with  existing  applications,  stovepipe  solutions  are   created,  driving  up  organizations’  costs  for  support  and  integration. Any short list of required features for OFS should include active directory (AD) integration because AD allows administrators to integrate OFS solutions into existing directory structures and leverage those permissions, rather than  recreate  them  through  custom  integration  work.  It’s  also  important  to  understand  a  vendor’s  encryption   capabilities, especially in cases involving confidential data, because OFS solutions allow data to reside in many locations. Most solutions offer inflight and at-rest encryption, but not all provide mobile or client encryption. Key Management Successful encryption key management plays a critical role in keeping OFS data secure. Most public and hybrid online file sharing and collaboration vendors hold the keys themselves to enable sharing between users across domains. These services usually store the keys in different locations than the data and do double encrypting, both of which add a layer of security, but the keys are maintained outside of the subscribing company’s  standard  security   4 Ibid 25% 28% 31% 31% 31% 0% 5% 10% 15% 20% 25% 30% 35% Ability to lock or check-in/out content Integration with existing auditing software and tools Scalability Ability to synchronize files across multiple device types Integration with existing applications Which of the following features/functions are the most important to your organization when evaluating and selecting an online file sharing and collaboration service? (Percent of respondents, N=334, five responses accepted) Figure 2. Top Five Most Important OFS Features/Functions
  • Report: Best Practices: Security Considerations for Evaluating OFS Solutions 7 © 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved. policies and practices. If these keys are wholly maintained by the service provider, the cloud service vendors themselves can access data or turn it over to authorities (unbeknownst to the subscribing company) in the event of a subpoena unless the subscribing organization has an element of the key. Some hybrid OFS solutions also allow keys to be maintained by the customer inside its firewall in accordance with its policies and procedures. Emerging technologies such as Multiblind Key Encryption allow both companies and OFS providers to hold the keys. Everything is encrypted at the service provider with a key held by the service provider—but then the service provider’s  keys  are  encrypted  and  the  subscriber  has  a  set  of  keys  to  decrypt them. In choosing the right key management processes, customers should think about the types of company data they want to store in their OFS solutions. For information that requires high security (IP, regulated data, etc.), customers may want to consider a solution that allows them to manage their own keys to ensure that any data stored in the cloud that may be accessed by a hacker (or a rogue employee in the cloud data center) is nothing more than useless bits and bytes. Regardless of who has access or owns the keys, activity around keys should always be logged for auditing purposes. It is important to note the tradeoffs with key management. If companies control the keys or have the encryption of the  service  provider’s  keys  and  they  get  lost  or  something  happens  to  them,  then  no  one  can  access  the  data  and  it   cannot be recovered. When using  sophisticated  key  encryption  systems,  it’s  important  to  follow  standard  best   practices to integrate with a key management system, run backups of the internal database, and protect encryption data appropriately to help mitigate exposure to this key loss scenario. Mobile Device Data Protection With data stored well outside the organizational boundaries on all sorts of mobile devices, it is necessary to understand the mobile data management parameters that vendors offer in their solutions, such as remote wipe of data from the device in the event it is lost or stolen–a security requirement in the eyes of nearly one-third of current and potential OFS users according to Figure 1–or the ability to limit what or how much (if any) data can be stored locally or cached on the device. Integration with MDM and mobile application management (MAM) solutions is also important, although a growing number of vendors are embedding their own MAM capabilities in their products. This is an issue for organizations deploying MDM and MAM solutions because they need to know what types of application management functionality their OFS solution provides, and whether or not they are compatible with it. For example, does the provider support containerization, which enables users to open their files and edit them in a third-party application that is also safely within the container? Potential users should also ask service providers if they allow mobile devices to access enterprise content management (ECM) systems while carrying over ECM permission levels. For example, when companies are using programs such as SharePoint, they may grant users permission to manipulate documents in a variety of ways. These could include the abilities to read, read-write, rewrite and modify, delete, and share. Companies  don’t  want  to  take   everything out of SharePoint and put it in their OFS solution as it may require them to recreate all the SharePoint permissions in the OFS solution. Instead, they want the OFS solution to reach into SharePoint and provide data access while maintaining the permissions structure. Protecting Content Vendors offer varying degrees of protection when it comes to digital rights management and loss prevention. Vendors should provide an appropriate session timeout, and most vendors allow customized timeout settings. In cases  where  providers  don’t  allow  flexibility,  companies  need  to  ask  what  the  default  setting  is,  especially  in   sensitive environments that may require short timeout windows. When dealing with sensitive information, organizations should also look for functions that allow control over print, copy, and share abilities. In content distribution cases, they need to understand the granularity of permission levels offered (read only versus editing) and should take into account the ability to limit whether users can delete files.
  • Report: Best Practices: Security Considerations for Evaluating OFS Solutions 8 © 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved. Data Center and Network Security For hybrid and public cloud services, IT  needs  to  be  aware  of  the  service  provider’s  security  processes  and  policies.   At a minimum, IT should check that a service provider requires background checks and locked facilities for data centers. Some offer added security with surveillance and biometric access. Breach notification policies vary significantly across providers and companies need to understand the circumstances under which they would be notified of a breach, and how soon. Service providers should also employ firewalls and ideally perform penetration testing to ensure adequate protection. Event logging and reporting is also critical to assist in forensic investigations should a breach occur. Tracking and Reporting Access to audit logs, which should be available on demand, is a high-priority security requirement. Other types of reporting include business intelligence and the  solution’s integration with security information and event management systems. At a minimum, service providers should offer a combination of data to help administrators track abnormal or malicious behavior and patterns such as which users access content and whom they are sharing with, where they are accessing data from, and how much they are downloading. Privacy and Data Ownership When  data  is  stored  in  a  service  provider’s  data  center or an application delivered via SaaS, providers naturally require some customer information to run the service. IT should take care to read up on vendor privacy policies to fully understand the type of data being collected, for how long, and whom providers share data with because policies vary widely from vendor to vendor. Data ownership is another concern of IT, which is charged with keeping company data safe. If data is stored on the site of a third-party provider, the question is: Do customers retain the rights to the data or do they forfeit those rights to the service provider if they fall into arrears on their payments or go out of business? What if the OFS provider goes out of business? Luckily, most OFS vendors indicate that the customer owns the rights to the data stored in the service, although they may be collecting and sharing other information around users or the customer organization. Play it safe and read all the fine print on data ownership policies regarding the rights to company data. Governance and Compliance Organizations’  needs  vary  greatly  when  it  comes  to  governance  and  compliance  requirements  depending on the industry  in  which  they  operate.  Understanding  whether  the  OFS  solutions  can  map  to  IT’s  needs  for  data  retention   and access is important in determining the right solution. Other  Considerations  for  OFS  Solutions The Importance of OFS Training Other than security, the biggest challenge IT professionals at organizations currently using OFS must overcome is training users on the new service. Training is critical because moving to a corporate OFS solution is not solely about teaching people how to use the new application. Many end-users have experience with consumer solutions that operate somewhat differently than those offered at the corporate level. Although many corporate-focused solutions are not as intuitive as consumer solutions, most OFS solutions are relatively easy to pick up with a little practice, which is important when it comes to fostering widespread employee acceptance—meaning end-users are less likely to go rogue—and, ultimately, usage. A word to the wise: good training is great, but the best OFS solutions may be the ones that require the least training to help drive adoption.
  • Report: Best Practices: Security Considerations for Evaluating OFS Solutions 9 © 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved. Working With—Not Against—Users The sooner organizations and their mobile employees come to terms on guidelines for separate personal and professional computing, the better. People are understandably nervous about the NSA and its impact on their privacy. Then there is a more local potential problem: For example, the rogue usage of private consumer accounts for business data.  No  matter  what  they’re  told  to  do,  end-users just keep illegitimately using their consumer accounts.  Even  if  IT  puts  up  a  firewall  to  shut  them  down,  they’ll  go  to  a  WiFi cafe,  or  they’ll  get  on  their  company’s   guest  network,  or  they’ll  find  a  hot  spot  somewhere  that  lets  them  get  to  their  personal  accounts.  It is difficult to get employees to change their patterns of personal OFS solution usage. OFS is commonly referred to as the most prevalent shadow  IT  application.  However,  it’s  not  shadow IT, but rogue usage that is causing many of the problems. Shadow IT occurs when workgroups, departments or even lines of business go out and procure applications without IT involvement. Rogue IT is a bit more dangerous – that is when employees use personal consumer file sharing accounts for business, and store business data there. When employees who practice rogue usage leave the company, the data leaves with them and IT has no way of knowing about the specific business data stored in their Dropbox accounts. This exposes the company to many business risks when sensitive or regulated data is removed from its control. The  solution  has  to  be  easy  for  IT  to  manage  because  they  don’t  want  to incur a lot of OpEx spending as the solution scales up to support a broader chunk of their environment. However, ease of use for the end-user is equally as important, if not more so. Ease of use for the end-user and ease of management for IT ranked ahead of ROI and SLAs in a recent ESG study, with more than 25% of respondents considering those attributes as one of the five most important to an organization when it comes to selecting an OFS vendor. 5 The right approach is embracing BYOD employees as part of the evaluation and selection process because that way, they have skin in the game. And because it’s generally in  everybody’s  best  interests  to  reach  a  consensus,  the  smart   companies are really making this a collaborative evaluation process. 5 Source: Ibid.
  • Report: Best Practices: Security Considerations for Evaluating OFS Solutions 10 © 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved. The  Bigger  Truth OFS  is  becoming  an  increasingly  important  tool  in  the  IT  team’s  toolkit,  helping  organizations  reduce  storage  and   administration costs (in the case of public or hybrid offerings), and improving employee collaboration, workspace flexibility, and productivity. But these organizations continue to struggle with security and governance concerns. In a mobile world, data lives everywhere—on many devices in many places, whether using an on-premises, cloud, or hybrid OFS solution. ESG suggests the following key points to consider when evaluating the myriad OFS solutions that are available:  OFS systems must be easy for IT to manage. IT wants to avoid spending a lot of money on more people supporting the system as it scales up for use in larger domains.  OFS systems must be equally easy for end-users to manage. Roughly a third of companies that ESG spoke with report that even after deploying OFS and collaboration solutions within their organizations, end-users continue to deploy consumer solutions for business data, which leaves that data unmanaged and outside the realm of IT.6 .  Evaluation of security and ease of use should go hand in hand. Understand that not all data needs to be locked down to the same degree. Some data needs to be locked down, but an awful lot  doesn’t. There is a real danger that some employees will continue to deploy rogue applications if they feel that security is too authoritative or heavy-handed. If  employees  won’t  use  the  corporate-sanctioned solution, security risks increase. This is the counterpoint to the idea of rigorous security. Tradeoffs need to be made, and it is dangerous to ignore the ease-of-use issue.  Understanding integration issues with existing tools and infrastructure is important to reducing risk. This is a key point in helping to reduce risk because it minimizes the number of tools available and the amount of training users need to undergo. Reporting capabilities should match the level of visibility required by IT to keep data secure and meet any applicable regulatory requirements. Large organizations especially should  look  for  tools  that  provide  automated  alerts  so  they  don’t  need  to  manually  scan  through  audit  logs.    Perimeter security is no longer enough. With the influx of mobile devices and laptops as preferred computing platforms, there really is no longer a perimeter. Therefore, endpoint data protection via encryption and remote wipe, as well as either integration with data loss prevention/digital rights management (DLP/DRM) solutions or availability of some basic DLP/DRM functionality is critical to maintaining data control and protection. OFS solutions offer many ways for IT to protect content—whether natively or through partnerships and APIs—and organizations need to ensure that the solution they choose can protect their content as it moves from servers to mobile devices.  The process should be inclusive, not exclusive. In a BYOD world that encourages bring your own application (BYOA), organizations should make employees a part of the evaluation process to ensure the solution fits the needs. Few things in life are guaranteed—and no matter how hard anyone tries, there is no such thing as a 100% secure IT environment, whether it belongs to a well-established and disciplined enterprise IT organization or a service provider. IT organizations can, however, do everything within their power to reduce risk by ensuring the service provider has controls in place to make their data as safe as it would be if it were stored within their own four walls. Still, IT organizations must perform the due diligence and ask the questions, and this report can be used as a framework or starting point. 6 Source: Ibid.
  • 20 Asylum Street | Milford, MA 01757 | Tel: 508.482.0188 Fax: 508.482.0218 | www.esg-global.com