Shadow IT solutions are causing data control problems for IT departments, according to a report from analyst firm Osterman Research. Employees using consumer-grade file sharing and syncing solutions are putting data at risk, it said, and IT managers are worried about it.
Typically, employees who want to share data but don’t have a ready solution will sign up for a consumer-grade file sharing and syncing (CFSS) account, which will often be free. These systems lack the features that enterprise-grade (EFSS) systems offer, yet only 19% of organizations have replaced their CFSS solutions with enterprise ones, according to the report, titled The Critical Need for Enterprise-Grade File Sync and Share Solutions.
There are two main problems for companies whose clients use consumer-grade file sharing services, said Osterman.
The first is that these services typically bypass corporate content filtering systems. This means that sensitive data can pass out of a network without being seen by data leak prevention tools, and that malware can potentially pass into the network without being detected by content scanners.
The other problem is that the content stored on these systems isn’t always replicated in structured, in-house storage. Employees may well store critical documents that they have created on a consumer Dropbox account from the beginning, rather than on a company’s networked drive. This deprives the company of valuable assets.
Putting documents outside corporate control creates several negative effects for companies. Firstly, it makes legal document discovery a nightmare. Secondly, it makes mandatory encryption difficult if not impossible, further widening the security hole.
All this perhaps explains why 76% of survey respondents were between somewhat concerned and very concerned about this issue, with one in ten people apparently scared rigid.
Employees are increasingly forced to share files online due to several factors, including rising productivity demands that lead to difficulty in balancing work and personal life. Remote working is consequently on the rise, and mobile technologies give employees an easy way to manage it. Without a firm set of employer-sanctioned procedures and tools in place, though, companies are left to their own devices.
Email is by far the most popular way of sharing files today. 95% of employees send material this way. That creates its own problems, said the report, in terms of ballooning inboxes and poor visibility. Anyone who could have sworn that they received a file by email but then spends a few frantic minutes looking for it (and potentially not finding it) can relate.
42% of employees also share files via their own employee-managed consumer file sharing tools. A lot of the time, this happens without the consent of the IT department.
The biggest threat vector is Dropbox. The report found that 49% of people saw employees using Dropbox without IT’s blessing as of January 2015. Google Drive and Apple’s iCloud came second, each with penetration in the low forties. Significantly, Microsoft SkyDrive/OneDrive lagged considerably, with 19% penetration. This was the only file sharing solution down slightly from 2012. That could reflect Microsoft’s strong presence in the enterprise, and relatively weak presence in the mobile consumer space.
Aside from implementing policies around the use of file sharing systems, Osterman recommends two measures. One is to move towards enterprise-grade systems. Consider content sharing systems that include centralized access management, rather than allowing employees to control it, the report said.
This should enable IT departments to limit access times and only allow authorised individuals to see their data, it said. That authorization can be supported by integration with LDAP or Active Directory systems.
Enterprise-grade systems may provide options to store data in private clouds, rather than multi-tenanted public ones, and may integrate with in-house storage, the report added. Metadata should be stored in-house, it suggested.
The other recommendation is to deal more effectively with employees who have been using consumer systems. That involves understanding rather than finger-wagging, the report suggested, while all the time moving towards enterprise-grade systems. Understanding that the process is a transition, and exploring how data must be migrated and employees trained, is crucial.