Not all file-sharing solutions are created equal.
Understanding the context in which an organization intends to use file-sharing technology is just the first step. It's also important to weigh risk against the primary features of both on-premises and cloud-based file-sharing platforms. At a high level, the primary features of on-premises file-sharing are no shared infrastructure, with IT maintaining control and visibility into use; the ability to monitor both inbound and outbound traffic; and the assurance of data governance for regulatory compliance. Likewise, cloud file-sharing features a low barrier to adoption and a simple interface that is easy to use; it is free of rigid IT constraints and is cost effective.
While the goals of both approaches are similar, the data security and privacy implications inherent with either require a closer look. The key is for an organization to do its homework and take nothing for granted.
Perhaps the biggest risk associated with file-sharing tools and applications is that their pervasiveness—combined with the assumption that enterprise-endorsed or well-known cloud applications are secure—may result in sloppy practices that can increase the risk of a data breach. Because we use them as a matter of routine in both our work and personal lives, and because the lines between are blurry, we can fall into the trap of treating a database filled with personally identifiable information (PII) as cavalierly as we do photos from a day at the beach.
That’s why it’s a good idea, and even mandated under state laws such as Mass 201 CMR 17, to engage employees with regular training programs that raise awareness of the risks associated with file-sharing and collaboration—at every level.
I recently talked with Greg Hoffer, senior director of engineering for Globalscape, a provider of secure information exchange technology, and he said that privacy and data security are now a boardroom issue. Trusting sensitive data, what he referred to as the “crown jewels,” to a public cloud application may not be an option for companies in risk-averse industries such as healthcare or financial services. In such situations, an organization may want to use a cloud application for low-risk activities while maintaining on-premises file-sharing and collaboration tools for activities where regulations such as HIPAA, PCI-DSS and others require retaining control and governance.
And then there are the specialized file-sharing cloud applications that are making it possible to share data more efficiently and safely outside of an organization. We are one such player, and we are starting to see more applications that offer differentiating features, such as more security, content protection and integrated digital rights management, that aren't offered by the larger cloud-based “boxes.” There may be times when large batches of relatively innocuous data can be safely shared via a common cloud application, but a single document containing highly sensitive PII, for example, needs special attention.
The proliferation and adoption of cloud-based file-sharing services raises the notion of shared responsibility for data security within the cloud platform. A file-sharing cloud application vendor cannot possibly understand the difference between normal and abnormal usage across thousands of different accounts. New technologies, such as cloud access security brokers that provide a comprehensive view of user behavior and risks across multiple cloud applications, are needed.
Fortunately, a new breed of “cloud access security broker” is helping to fill that gap with innovative technology that gives companies that choose to adopt a cloud-first IT posture the ability to centralize control over all content in the cloud. One such player in that arena is Adallom, which provides SaaS security for application providers, including file-sharing services such as Box, Dropbox and Google.
Adallom Chief Technology Officer Ami Luttwak explained that the company's technology adds a risk-management and governance layer to cloud applications for securing data in the cloud. What’s more, he said that advanced heuristics can compare normal use patterns within cloud applications to identify anomalies in behavior, isolate compromised accounts and respond quickly to mitigate the risk and effects of a data breach.
Another trend in the market is the advent of hybrid file-sharing services, where file storage might be on-premises but the mechanism to share and manage the data resides in the cloud. In fact, some government-related bids we are working on overseas are adopting such a model.
Each organization must evaluate its needs based on a combination of user preference, risk tolerance and regulatory compliance before making a decision on a file-sharing solution. The good news is that the evolution of this technology means that on-premises solutions are starting to emulate the ease-of-use of cloud applications while cloud applications are working to strengthen security.