Cloud file-sharing and syncing services have gained popularity in part because they enable more collaborative and less device-dependent work. However, these services can introduce security risks unless they are properly managed. Cloud admins need to balance the need to protect the confidentiality and integrity of content against users' need to access documents.
One of the drivers behind the adoption of file syncing and sharing services is the widespread use of bring-your-own-device (BYOD) practices. Employees can work more efficiently when they have access to content from the variety of devices they regularly use. Tablets, smartphones and personal laptops now store enterprise content via the cloud that, prior to BYOD, would likely have remained under centralized IT control.
Vendors vying for enterprise customers have moved beyond the basic functionality found in consumer-oriented services. Enterprise-quality file-sync and share services include support for access control, document retention, authentication and other security policies.
Keep in mind these four points as you formulate and implement your cloud syncing and file-sharing policy.
1. Any policies cloud admins implement need to balance the ideal governance policy against the restrictions that users are willing to accept. Policies that are too rigid and constraining tend to drive users to alternative, uncontrolled methods of file-sharing. Seek to mitigate your risks and meet necessary security requirements, but keep usability in mind or it will be difficult to get users to toe the line.
2. File-sync and sharing policies must address the set of users that will have access to file-sharing systems. You may want to restrict access to employees only, or include contractors, consultants and business partners. Consider how well your file-syncing and sharing service will support your access policy. For example, some services allow you to specify an Active Directory domain and limit access to users identified in that directory. Other services can grant access to synced and shared documents to users authenticated by trusted third-party authentication systems.
3. In your file-sharing policy, include a description of access controls on folders and documents. A data classification standard can help here. If you have a policy defining data classification types -- such as confidential, private, sensitive and public -- then it can be used as a starting point for defining file-sharing and syncing operations relative to the type of content. Some content will require strict control. For example, the owner of a folder containing sensitive data may have the privilege to share that folder with others, but may not delegate that sharing privilege to other users. Confidential and private data may be further restricted to sharing only among members of particular security groups.
4. Consider rules for sharing content with users outside your organization. Will you routinely share content with outsiders, or will extramural sharing be more of an exception? If it is routine, then it may be more efficient to delegate sharing privileges to a large number of users. This can lead to a proliferation of file-sharing with individuals outside your organization. To mitigate the risk of unintended data loss, implement a policy requiring log monitoring and review. This helps identify patterns of excessive sharing, or sharing with individuals in organizations that should not have access to your enterprise content.
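As an added example (not from the article or any vendor's product), the following Python script applies the classification rules from point 3 and the external-sharing log review from point 4 to a constructed share-event log; the domains, folder security group, log format and review threshold are all assumptions.

```python
from collections import Counter

# Constructed share-event log (not from the article), one event per line:
# timestamp actor path classification recipient recipient_may_reshare
SAMPLE_LOG = """\
2013-10-01T09:00Z alice@corp.example /sales/deck.pptx public partner@vendor.example no
2013-10-01T09:05Z alice@corp.example /sales/pricing.xlsx sensitive partner@vendor.example yes
2013-10-01T09:10Z bob@corp.example /hr/payroll.csv confidential carol@corp.example no
2013-10-01T09:20Z bob@corp.example /hr/roster.csv private someone@unknown.example no
2013-10-01T09:30Z alice@corp.example /sales/leads.csv sensitive x1@other.example no
2013-10-01T09:31Z alice@corp.example /sales/leads.csv sensitive x2@other.example no
"""

INTERNAL_DOMAINS = {"corp.example"}             # assumed: the organization's own domains
APPROVED_EXTERNAL_DOMAINS = {"vendor.example"}  # assumed: partners cleared for routine sharing
FOLDER_GROUP = {"/hr": {"bob@corp.example", "dave@corp.example"}}  # assumed security group per folder
RESTRICTED = {"confidential", "private"}        # never leaves the org or the folder's group
MAX_EXTERNAL_PER_USER = 2                       # assumed review threshold for excessive sharing


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def review_share_log(text):
    """Apply the classification and external-sharing rules to every event and
    return (actor, path, reason) findings for a human reviewer."""
    findings = []
    external_by_actor = Counter()
    for line in text.splitlines():
        _ts, actor, path, cls, recipient, reshare = line.split()
        if domain(recipient) not in INTERNAL_DOMAINS:
            external_by_actor[actor] += 1
            if cls in RESTRICTED:
                findings.append((actor, path, "restricted data shared outside the organization"))
            elif domain(recipient) not in APPROVED_EXTERNAL_DOMAINS:
                findings.append((actor, path, "shared with unapproved organization " + domain(recipient)))
        elif cls in RESTRICTED:
            folder = "/" + path.split("/")[1]  # top-level folder owns the security group
            if recipient not in FOLDER_GROUP.get(folder, set()):
                findings.append((actor, path, "recipient not in the folder's security group"))
        if cls != "public" and reshare == "yes":  # owner may share but must not delegate sharing
            findings.append((actor, path, "share privilege delegated on non-public content"))
    for actor, n in external_by_actor.items():  # pattern check across the whole log
        if n > MAX_EXTERNAL_PER_USER:
            findings.append((actor, "*", f"{n} external shares exceeds review threshold"))
    return findings
```

Run `review_share_log(SAMPLE_LOG)` to get the findings; on the sample log it reports the delegated reshare, the out-of-group recipient, the restricted file sent to an unknown domain, two shares to an unapproved organization, and one user over the external-sharing threshold.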
About the author:
Dan Sullivan, M.Sc., is an author, systems architect and consultant with more than 20 years of IT experience. He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence. He has worked in a broad range of industries, including financial services, manufacturing, pharmaceuticals, software development, government, retail and education. Dan has written extensively about topics that range from data warehousing, cloud computing and advanced analytics to security management, collaboration and text mining.
This was first published in October 2013