Modern Infrastructure

Lift and shift vs. re-platforming cloud apps

chris - Fotolia

EFSS combats consumer cloud storage risks

Companies wrestle with the security concern of using consumer cloud storage, but there are enterprise file sync-and-share options out there that users and IT can both love.

IT faces an eternal tug-of-war when it comes to providing services: How can it supply something employees want to use while also maintaining security and manageability?

In the era of consumerization, few business processes have been more impacted by this balancing act than enterprise file sync-and-share (EFSS). While bring your own device is discussed frequently, it's "bring your own app" that can't be overlooked.

Employees are drawn to consumer cloud storage applications because they're easy to use. The importance of user experience (UX) can never be underestimated in anything related to mobile or end-user computing and companies can discount UX at the risk of their data.

It's not that employees have bad intentions when they use non-IT approved file sync and share; they just want a place to get their work done and access it more easily than keeping everything in email, said James Gordon, first vice president of information technology at Needham Bank in Needham, Mass.

"I can't manage content via email," Gordon said. "Email is not a place for long-term content storage and there's no shared access."

But if IT doesn't carefully monitor and regulate how data is stored, consumer-grade cloud offerings such as Dropbox and Google Drive can wind up being home to your sensitive data. This could lead to the nightmare scenario for IT: a terminated employee saves that data to their personal Dropbox account before they depart and your data is out in the wild forever.

IT is trying to fight back. In a 2015 survey of 300 IT professionals conducted by cloud storage solutions provider CTERA Networks and research firm Research Now, 83% of respondents have corporate policies that either restrict or entirely forbid the use of specific software as a service-based file sharing product. Yet 35% of organizations experienced corporate data leaks in 2014 as a result of employees sharing files -- often using unsanctioned file sync and share services.

"I think there are two categories of people in IT: people who realize they have the ["Dropbox"] problem or the people who just haven't had it yet," Gordon said.

Despite the dangers, vendors have listened to IT's concerns and many products are on the market that combine usability and security from the consumer-first vendors.

What to look for in EFSS

When looking for an EFSS vendor, options fall in a couple different camps: those with standalone EFSS products or those with file-sharing integrated into a larger platform, said Alan Lepofsky, vice president and principal analyst with Constellation Research in Toronto.

If you don't have a corporate-approved EFSS vendor already, it isn't hard to find one. It's likely some IT shops already have a secure EFSS option from a vendor in-house -- IBM Files, Salesforce Files, Microsoft OneDrive for Business, Citrix ShareFile and AirWatch by VMware's Secure Content Locker are among the EFSS products from established enterprise software vendors.

"The simplest decision is that your email provider can also be your collaboration provider," Lepofsky said.

In contrast, the standalone players include enterprise-focused versions of products like Dropbox and Box while others like Egnyte, Accellion, Intralinks and Soonr also populate the space.

In the enterprise file sync-and-share market, customers often want four things: security, consumer-style ease of use, scalability and integration as part of a larger feature set, said Alistair Mitchell, CEO of Huddle, a content sharing and collaboration vendor in London.

"[Customers] don't want 15 different point solutions," Mitchell said.

Five years ago, Needham Bank began to invest heavily in mobility, which allowed employees to access corporate information and workflows on mobile devices while deploying MobileIron for mobile device management. But because email wasn't enough for content management and collaboration, the bank found employees were getting around IT-approved channels by using products like Dropbox.

The bank turned to Accellion to provide an IT-friendly and secure content collaboration and storage platform. Besides security, Accellion affords "Dropbox-like functionality" in user experience for employees, Gordon said.

Integration with existing systems is also a key advantage for EFSS platforms. For example, Accellion utilizes connectors to SharePoint and Windows file share environments so customers learn new ways of accessing content without the help of bank employees.

"We didn't have to reinvent the wheel to mold to [Accellion's] processes and they were able to connect to our content," Gordon said.

The management capabilities of EFSS tools have also gotten more comprehensive. Early EFSS admin consoles only showed usage statistics, but they now give IT a view into user adds, user deletes and transfer of file ownership. Admins can also ensure files are flagged if they're shared outside of an organization. Most major enterprise platforms give IT these manageability tools, including Box, Dropbox and Egnyte, Lepofsky said.

For IT pros like Gordon, logging is another important feature. As a highly-regulated business, a bank needs to track who created a file share at what specific time and how long that shared access lasted. A product that doesn't do that is a non-starter in his world.

"What do you do when you have to forensically get your hands dirty, and roll up the sleeves, and find out who did what when?" he asked. "After-the-fact wouldn't be the time to say, 'I wish we had logs.'"

Management hurdles remain, however. Data portability in EFSS systems, for example, isn't what it should be, Lepofsky said.

"When it comes to switching from one platform to another, no one is great at that today," he said. "It's not easy to migrate all your files to places like Box or Salesforce Files right now."

With regard to security, the Holy Grail for EFSS is key encryption and management, Lepofsky said. Vendors are offering more client-side key management options as opposed to keeping key management within the vendor. Box recently introduced an Enterprise Key Management program that gives customers full control over encryption keys.

"If the vendor has access to your encryption key, in theory they can do more with your data," Lepofsky said. "Customers who want maximum security want to manage the keys but they may lose some end-user functionality as a result, so there's a tradeoff there."

Many admins feel they must hold the key encryption to make EFSS viable.

"I feel strongly with all the SSL and protocol vulnerabilities out there that we need to hold the keys and manage them appropriately," Gordon said.

Stand your ground on file sharing

The interest surrounding EFSS has grown as the market has matured. BlackBerry's 2015 acquisition of WatchDox is a recent example of an EFSS vendor getting scooped up by a larger technology company to round out its portfolio.

"The viable winners in this market are reducing down to a small number," Mitchell said. There is still room for new solutions to the problem. Beyond the two different sets of vendors mentioned above is a third approach, where IT uses third-party software to secure files within an EFSS platform. Vendors such as Vera and SearchYourCloud take this tack, where users can employ any EFSS product they want and the files are safe.

"Instead of being the alarm system, they're going to grab all your valuables and put security on them and let you in anytime you want," Lepofsky said.

Nor are all of the players in the market created equal, Gordon said.

"They all seem to be very convenient and easy to use, which is good," he said, but noted that IT needs to keep personal and corporate information separate when using the different versions of those products.

In order to make sure all stakeholders understand the risks associated with going outside of sanctioned avenues for file sync and share,IT must take a stand, and this is one place to do it.

"We have to have a thick skin," Gordon said.

Jake O'Donnell is news writer for TechTarget's SearchConsumeriza­tion and SearchVirtualDesktop, covering the consumerization of IT, enterprise mobility and desktop virtualization. He can be reached at [email protected] or @JakeODonnell_TT on Twitter.

Article 10 of 11

Next Steps

How to choose an EFSS vendor -- or a secure alternative

Consumer cloud-based storage services force changes in security

Dig Deeper on Mobile data, back-end services and infrastructure

Get More Modern Infrastructure

Access to all of our back issues View All