security considerations for evaluating online file sharing and collaboration solutions

Report Best Practices: Security Considerations for Evaluating Online File Sharing and Collaboration Solutions

By Terri McClure, Senior Analyst

March 2014 © 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved.

Report: Best Practices: Security Considerations for Evaluating OFS Solutions 2

© 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved.

Contents Market Drivers for the Adoption of Online File Sharing (OFS) Services ....................................................... 3

OFS Security Considerations ......................................................................................................................... 3

Evaluating OFS Solutions .............................................................................................................................. 5 The Type of Solution Affects the Evaluation Process ............................................................................................... 5 Security in Context of Other Features ...................................................................................................................... 5 User Authentication and Security Basics .................................................................................................................. 6 Key Management...................................................................................................................................................... 6 Mobile Device Data Protection ................................................................................................................................ 7 Protecting Content ................................................................................................................................................... 7 Data Center and Network Security ........................................................................................................................... 8 Tracking and Reporting ............................................................................................................................................. 8 Privacy and Data Ownership .................................................................................................................................... 8 Governance and Compliance .................................................................................................................................... 8

Other Considerations for OFS Solutions ....................................................................................................... 8 The Importance of OFS Training ............................................................................................................................... 8 Working With—Not Against—Users ........................................................................................................................ 9

The Bigger Truth ......................................................................................................................................... 10 All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.



Market Drivers for the Adoption of Online File Sharing (OFS) Services The explosive growth of mobility, consumerization, and BYOD has transformed the IT world like few trends have before. In response to this radical restructuring, new and existing vendors have revamped their business objectives to accommodate the growing ranks of end-users who insist that IT accommodate their newfound mobility dependence. Their position is clear and concise: Give us the software applications, hardware platforms, and support we want, or we will find them on our own in lieu of IT-sanctioned business tools. Not only have they done just that, but in so doing, they have also inadvertently founded a movement—shadow IT.

Caught up in this unprecedented churn, BYOD is morphing into BYOA—bring your own (consumer) application—as end-users increasingly obtain and implement data sharing and portability solutions, while accessing apps for multiple intelligent endpoint devices. IT now finds itself in the uncomfortable position of trying to woo disaffected end-users back into the corporate fold and provide them with the same type of simple online file sharing (OFS) from any device that they get from consumer solutions, leading to the adoption of OFS for business use.

OFS, which has traditionally been the domain of consumers and knowledge workers, helps users share, access, and collaborate on documents or files stored in public, private, or hybrid clouds via the Internet. Files can be accessed by and synced across multiple endpoint devices, including desktops, laptops, tablets, smartphones etc. In its new guise as a commercial tool, OFS is being used to both stem the BYOA tide—giving users ease of access, collaborative capacity, and, ultimately, increased productivity—and meet the number one demand of IT: control and protect business data.

OFS Security Considerations Although OFS services have resulted in many benefits for current users, companies also report a number of ongoing challenges as they adopt these services. According to ESG research, security is the most-cited concern for surveyed users regarding adoption of OFS solutions, and the most-cited inhibitor for those who don’t plan to adopt OFS at all.1

Indeed, many organizations that have deployed online file sharing are still grappling with security issues, including data leakage, web-based threats, and application layer vulnerabilities. A primary concern is simply that the online file sharing service provider itself will be attacked, potentially leaving users’ data vulnerable to theft. In addition, most OFS solutions offer “anywhere access” to data via mobile device-resident applications or web browsers. With this kind of accessibility, data leakage by employees, whether accidental or intentional, is an obvious cause for concern.

As can be seen in Figure 1, respondents to this ESG research survey indicate that end-to-end encryption (52%) and antivirus on files (45%) are the two most-cited pressing security-specific requirements that organizations require from corporate online file sharing and collaboration services, but the list spreads out from there with IT looking for everything from maintaining key ownership to link expiration.2 Other leading responses include digital rights management, remote wipe, integration with mobile device management (MDM) solutions, and compatibility with data loss prevention (DLP) tools.

1 Source: ESG Research Report, Online File Sharing and Collaboration: Deployment Model Trends, February 2014. 2 Source: ESG Research Brief, Security Requirements for Corporate Online File Sharing Services, to be published April 2014.

http://www.esg-global.com/research-reports/online-file-sharing-and-collaboration-deployment-model-trends/



Source: Enterprise Strategy Group, 2014.

End-to-end Encryption: It is important to ensure that data is encrypted wherever it may reside within the solution. This means at rest in the service providers data center, in flight over the internet to or from the endpoint devices, or on the endpoint device itself. This ensures that if any data is intercepted or accessed, that it is essentially unreadable.

2%

22%

22%

23%

23%

24%

24%

26%

27%

28%

28%

28%

28%

30%

31%

31%

31%

32%

33%

45%

52%

0% 10% 20% 30% 40% 50% 60%

None of the above

SAS 70 compliant data center(s)

File/link expiration

White list/black list domain names

Metadata stripping

Ability to randomly audit service provider’s onsite facilities

All service provider employees receive background checks

Ability to review/manage user password characteristics

Notifications of identity policy and workflow violations

Access to audit logs and reports

Integration with existing authentication

Integration with Mobile Device Management platforms

Industry-specific security standards such as FINRA, HIPAA, PCI, etc.

Security certifications such as SSAE 16 Type II, Safe Harbor, etc.

Integration with data loss prevention (DLP) tools

Remote wipe

Ability to maintain key ownership

Remote tracking

Digital rights management (DRM) capabilities

Antivirus on files

End-to-end encryption

Which of the following security-specific requirements does your organization require from a corporate online file sharing and collaboration service? (Percent of respondents, N=334, multiple responses

accepted)

Figure 1. Security Requirements for Corporate OFS



Antivirus on Files in OFS Environments: Locking down data to protect it from viruses and hackers is critical. Because so many people are connecting to shared file systems, if a virus penetrates a system, it can worm its way through an entire file sharing environment and corrupt all the data, rendering a workforce completely unproductive, which can be a very expensive situation. Having corporate data on mobile devices and controlling access to it via these devices exacerbates these concerns.

Evaluating OFS Solutions

The Type of Solution Affects the Evaluation Process

Security is a broad ranging subject. For OFS solutions, which can be delivered via public, hybrid, or private offerings, the topic could apply to everything from the solution provider’s software development practices, to whether the way it handles data on mobile devices matches the subscribing organization’s mobile device policies and procedures, to its internal monitoring and audit processes. That is why it is important to cover all the bases when evaluating security across OFS providers, but it is even more important to understand that an evaluation process is different depending on the types of solutions being evaluated.

Companies can implement a private solution in which IT organizations deploy the application and infrastructure in-house, and secure and maintain it like any other enterprise application. But data can also live on laptops, desktops, and mobile devices, so in that scenario, the evaluation focus should be on secure file sharing, mobile content management, and reporting. Alternatively, the solution might come in the form of a pure service or hybrid offering in which the software is delivered as a service with some (or all) corporate file data primarily residing within the service provider’s data center. In this case, in addition to evaluating the same criteria as for private deployments, the service provider’s application development practices, data center, and network security practices must also be evaluated.

Security in Context of Other Features

With all the noise from vendors and their laundry lists of must-have features, it’s important to know what an effective starting point is for evaluating solutions. It is not just about security—that is only part of the equation, albeit a big one—so make sure to assess it in the context of everything else that must be evaluated. As seen in Figure 2, a wide variety of feature requirements go hand in hand with security evaluations and influence security decisions. 3 The three most-cited of these requirements are integration with existing applications, the ability to synchronize files across multiple device types, and scalability.

OFS products must integrate with existing tools such as MDM and DLP so that IT teams don’t find themselves reinventing the wheel. Also, if security is in place but it doesn’t synchronize across multiple device types, end-users won’t adopt the solution IT provides. Given the premium placed on expanded mobile device support, it is not surprising that reliable synchronization across a variety of devices is a key evaluation criterion. Finally, organizations are looking for offerings that scale. Over time, many organizations expect to roll out OFS solutions to their entire employee base, and the ability to easily add users and devices will be crucial. Security is part of the puzzle, but companies need to make sure that they evaluate security in light of all the other features and functions they are going to need.

3 Source: ESG Research Report, Online File Sharing and Collaboration: Deployment Model Trends, February 2014.

http://www.esg-global.com/research-reports/online-file-sharing-and-collaboration-deployment-model-trends/



Source: Enterprise Strategy Group, 2014.

User Authentication and Security Basics

As OFS usage expands and becomes a more integral part of overall corporate IT strategies, it’s natural that IT professionals will look to integrate with existing technology systems, tools, processes, and policies, especially authentication and other security tools. Integration with existing applications was one of IT’s primary requirements, landing it a spot among the most-cited responses when current and planned users were asked about feature requirements4. If you have security but it doesn’t integrate with existing applications, stovepipe solutions are created, driving up organizations’ costs for support and integration.

Any short list of required features for OFS should include active directory (AD) integration because AD allows administrators to integrate OFS solutions into existing directory structures and leverage those permissions, rather than recreate them through custom integration work. It’s also important to understand a vendor’s encryption capabilities, especially in cases involving confidential data, because OFS solutions allow data to reside in many locations. Most solutions offer inflight and at-rest encryption, but not all provide mobile or client encryption.

Key Management

Successful encryption key management plays a critical role in keeping OFS data secure. Most public and hybrid online file sharing and collaboration vendors hold the keys themselves to enable sharing between users across domains. These services usually store the keys in different locations than the data and do double encrypting, both of which add a layer of security, but the keys are maintained outside of the subscribing company’s standard security 4 Ibid

25%

28%

31%

31%

31%

0% 5% 10% 15% 20% 25% 30% 35%

Ability to lock or check-in/out content

Integration with existing auditing software and tools

Scalability

Ability to synchronize files across multiple devicetypes

Integration with existing applications

Which of the following features/functions are the most important to your organization when evaluating and selecting an online file sharing and collaboration service? (Percent

of respondents, N=334, five responses accepted)

Figure 2. Top Five Most Important OFS Features/Functions



policies and practices. If these keys are wholly maintained by the service provider, the cloud service vendors themselves can access data or turn it over to authorities (unbeknownst to the subscribing company) in the event of a subpoena unless the subscribing organization has an element of the key. Some hybrid OFS solutions also allow keys to be maintained by the customer inside its firewall in accordance with its policies and procedures. Emerging technologies such as Multiblind Key Encryption allow both companies and OFS providers to hold the keys. Everything is encrypted at the service provider with a key held by the service provider—but then the service provider’s keys are encrypted and the subscriber has a set of keys to decrypt them.

In choosing the right key management processes, customers should think about the types of company data they want to store in their OFS solutions. For information that requires high security (IP, regulated data, etc.), customers may want to consider a solution that allows them to manage their own keys to ensure that any data stored in the cloud that may be accessed by a hacker (or a rogue employee in the cloud data center) is nothing more than useless bits and bytes. Regardless of who has access or owns the keys, activity around keys should always be logged for auditing purposes.

It is important to note the tradeoffs with key management. If companies control the keys or have the encryption of the service provider’s keys and they get lost or something happens to them, then no one can access the data and it cannot be recovered. When using sophisticated key encryption systems, it’s important to follow standard best practices to integrate with a key management system, run backups of the internal database, and protect encryption data appropriately to help mitigate exposure to this key loss scenario.

Mobile Device Data Protection

With data stored well outside the organizational boundaries on all sorts of mobile devices, it is necessary to understand the mobile data management parameters that vendors offer in their solutions, such as remote wipe of data from the device in the event it is lost or stolen–a security requirement in the eyes of nearly one-third of current and potential OFS users according to Figure 1–or the ability to limit what or how much (if any) data can be stored locally or cached on the device.

Integration with MDM and mobile application management (MAM) solutions is also important, although a growing number of vendors are embedding their own MAM capabilities in their products. This is an issue for organizations deploying MDM and MAM solutions because they need to know what types of application management functionality their OFS solution provides, and whether or not they are compatible with it. For example, does the provider support containerization, which enables users to open their files and edit them in a third-party application that is also safely within the container?

Potential users should also ask service providers if they allow mobile devices to access enterprise content management (ECM) systems while carrying over ECM permission levels. For example, when companies are using programs such as SharePoint, they may grant users permission to manipulate documents in a variety of ways. These could include the abilities to read, read-write, rewrite and modify, delete, and share. Companies don’t want to take everything out of SharePoint and put it in their OFS solution as it may require them to recreate all the SharePoint permissions in the OFS solution. Instead, they want the OFS solution to reach into SharePoint and provide data access while maintaining the permissions structure.

Protecting Content

Vendors offer varying degrees of protection when it comes to digital rights management and loss prevention. Vendors should provide an appropriate session timeout, and most vendors allow customized timeout settings. In cases where providers don’t allow flexibility, companies need to ask what the default setting is, especially in sensitive environments that may require short timeout windows.

When dealing with sensitive information, organizations should also look for functions that allow control over print, copy, and share abilities. In content distribution cases, they need to understand the granularity of permission levels offered (read only versus editing) and should take into account the ability to limit whether users can delete files.



Data Center and Network Security

For hybrid and public cloud services, IT needs to be aware of the service provider’s security processes and policies. At a minimum, IT should check that a service provider requires background checks and locked facilities for data centers. Some offer added security with surveillance and biometric access. Breach notification policies vary significantly across providers and companies need to understand the circumstances under which they would be notified of a breach, and how soon. Service providers should also employ firewalls and ideally perform penetration testing to ensure adequate protection. Event logging and reporting is also critical to assist in forensic investigations should a breach occur.

Tracking and Reporting

Access to audit logs, which should be available on demand, is a high-priority security requirement. Other types of reporting include business intelligence and the solution’s integration with security information and event management systems. At a minimum, service providers should offer a combination of data to help administrators track abnormal or malicious behavior and patterns such as which users access content and whom they are sharing with, where they are accessing data from, and how much they are downloading.

Privacy and Data Ownership

When data is stored in a service provider’s data center or an application delivered via SaaS, providers naturally require some customer information to run the service. IT should take care to read up on vendor privacy policies to fully understand the type of data being collected, for how long, and whom providers share data with because policies vary widely from vendor to vendor.

Data ownership is another concern of IT, which is charged with keeping company data safe. If data is stored on the site of a third-party provider, the question is: Do customers retain the rights to the data or do they forfeit those rights to the service provider if they fall into arrears on their payments or go out of business? What if the OFS provider goes out of business? Luckily, most OFS vendors indicate that the customer owns the rights to the data stored in the service, although they may be collecting and sharing other information around users or the customer organization. Play it safe and read all the fine print on data ownership policies regarding the rights to company data.

Governance and Compliance

Organizations’ needs vary greatly when it comes to governance and compliance requirements depending on the industry in which they operate. Understanding whether the OFS solutions can map to IT’s needs for data retention and access is important in determining the right solution.

Other Considerations for OFS Solutions

The Importance of OFS Training

Other than security, the biggest challenge IT professionals at organizations currently using OFS must overcome is training users on the new service. Training is critical because moving to a corporate OFS solution is not solely about teaching people how to use the new application. Many end-users have experience with consumer solutions that operate somewhat differently than those offered at the corporate level. Although many corporate-focused solutions are not as intuitive as consumer solutions, most OFS solutions are relatively easy to pick up with a little practice, which is important when it comes to fostering widespread employee acceptance—meaning end-users are less likely to go rogue—and, ultimately, usage. A word to the wise: good training is great, but the best OFS solutions may be the ones that require the least training to help drive adoption.



Working With—Not Against—Users

The sooner organizations and their mobile employees come to terms on guidelines for separate personal and professional computing, the better. People are understandably nervous about the NSA and its impact on their privacy. Then there is a more local potential problem: For example, the rogue usage of private consumer accounts for business data. No matter what they’re told to do, end-users just keep illegitimately using their consumer accounts. Even if IT puts up a firewall to shut them down, they’ll go to a WiFi cafe, or they’ll get on their company’s guest network, or they’ll find a hot spot somewhere that lets them get to their personal accounts. It is difficult to get employees to change their patterns of personal OFS solution usage.

OFS is commonly referred to as the most prevalent shadow IT application. However, it’s not shadow IT, but rogue usage that is causing many of the problems. Shadow IT occurs when workgroups, departments or even lines of business go out and procure applications without IT involvement. Rogue IT is a bit more dangerous – that is when employees use personal consumer file sharing accounts for business, and store business data there. When employees who practice rogue usage leave the company, the data leaves with them and IT has no way of knowing about the specific business data stored in their Dropbox accounts. This exposes the company to many business risks when sensitive or regulated data is removed from its control.

The solution has to be easy for IT to manage because they don’t want to incur a lot of OpEx spending as the solution scales up to support a broader chunk of their environment. However, ease of use for the end-user is equally as important, if not more so. Ease of use for the end-user and ease of management for IT ranked ahead of ROI and SLAs in a recent ESG study, with more than 25% of respondents considering those attributes as one of the five most important to an organization when it comes to selecting an OFS vendor. 5

The right approach is embracing BYOD employees as part of the evaluation and selection process because that way, they have skin in the game. And because it’s generally in everybody’s best interests to reach a consensus, the smart companies are really making this a collaborative evaluation process.

5 Source: Ibid.



The Bigger Truth OFS is becoming an increasingly important tool in the IT team’s toolkit, helping organizations reduce storage and administration costs (in the case of public or hybrid offerings), and improving employee collaboration, workspace flexibility, and productivity. But these organizations continue to struggle with security and governance concerns. In a mobile world, data lives everywhere—on many devices in many places, whether using an on-premises, cloud, or hybrid OFS solution. ESG suggests the following key points to consider when evaluating the myriad OFS solutions that are available:

OFS systems must be easy for IT to manage. IT wants to avoid spending a lot of money on more people supporting the system as it scales up for use in larger domains.

OFS systems must be equally easy for end-users to manage. Roughly a third of companies that ESG spoke with report that even after deploying OFS and collaboration solutions within their organizations, end-users continue to deploy consumer solutions for business data, which leaves that data unmanaged and outside the realm of IT.6.

Evaluation of security and ease of use should go hand in hand. Understand that not all data needs to be locked down to the same degree. Some data needs to be locked down, but an awful lot doesn’t. There is a real danger that some employees will continue to deploy rogue applications if they feel that security is too authoritative or heavy-handed. If employees won’t use the corporate-sanctioned solution, security risks increase. This is the counterpoint to the idea of rigorous security. Tradeoffs need to be made, and it is dangerous to ignore the ease-of-use issue.

Understanding integration issues with existing tools and infrastructure is important to reducing risk. This is a key point in helping to reduce risk because it minimizes the number of tools available and the amount of training users need to undergo. Reporting capabilities should match the level of visibility required by IT to keep data secure and meet any applicable regulatory requirements. Large organizations especially should look for tools that provide automated alerts so they don’t need to manually scan through audit logs.

Perimeter security is no longer enough. With the influx of mobile devices and laptops as preferred computing platforms, there really is no longer a perimeter. Therefore, endpoint data protection via encryption and remote wipe, as well as either integration with data loss prevention/digital rights management (DLP/DRM) solutions or availability of some basic DLP/DRM functionality is critical to maintaining data control and protection. OFS solutions offer many ways for IT to protect content—whether natively or through partnerships and APIs—and organizations need to ensure that the solution they choose can protect their content as it moves from servers to mobile devices.

The process should be inclusive, not exclusive. In a BYOD world that encourages bring your own application (BYOA), organizations should make employees a part of the evaluation process to ensure the solution fits the needs.

Few things in life are guaranteed—and no matter how hard anyone tries, there is no such thing as a 100% secure IT environment, whether it belongs to a well-established and disciplined enterprise IT organization or a service provider. IT organizations can, however, do everything within their power to reduce risk by ensuring the service provider has controls in place to make their data as safe as it would be if it were stored within their own four walls. Still, IT organizations must perform the due diligence and ask the questions, and this report can be used as a framework or starting point.

6 Source: Ibid.

20 Asylum Street | Milford, MA 01757 | Tel: 508.482.0188 Fax: 508.482.0218 | www.esg-global.com

http://www.esg-global.com/