Managing and protecting all enterprise data

jules - Fotolia

Understand enterprise file sync-and-share deployment models

Terri McClure looks at how "shadow EFSS" has made it easy for sensitive data to fall into the wrong hands and hard for companies to protect it.

The disturbing trend of shadow IT continues to pop up in all corners of the enterprise. This is mostly due to the...

availability of new, easy-to-use applications that have been placed at employees' fingertips thanks to the ubiquity of the cloud and mobile devices. As a result, if an organization doesn't respond to employee demands, workers are more willing and capable than ever to go around IT to obtain, deploy and use the tools they want on their own.

Case in point: The widespread use of enterprise file sync and share (EFSS) services.

When it comes to accessing, sharing and collaborating on required documents and files, often from legacy applications that aren't typically mobile-enabled, employees demand the simplicity they experience with other mobile apps. This is what they get from the likes of Box and Dropbox, the file sync-and-share tools they use at home. So when IT is slow to respond because it has other priorities (say supporting critical applications) employees solve the problem on their own by downloading these tools themselves.

Basic services to look for in EFSS products

  • Does the ESS service sync data across endpoints for offline access? Do you need sync -- will employees require access to all files while offline?
  • Does it cache data to offline devices?
  • Does it allow for easy file sharing inside and/or outside the company?
  • Can users easily search across synced directory trees?
  • What type of collaboration features does it support? Is there workflow or check-in/check-out functionality?
  • Does it support versioning? Do versions expire after a set time period? How many versions are saved?
  • How broad is endpoint device support?
  • Are there file size limits that could prohibit storing and sharing your corporate data?
  • Is pricing seat- or capacity-based, or a combination? What are the capacity limits, and are they flexible?

How are features such as enterprise application integrations priced? Are there chargeable add-ons?

One of the big risks of what I'll call "shadow EFSS" is that a company has no visibility into what data (or types of data) are in personal employee file sync-and-share accounts. Consequently, that data cannot be properly protected and managed, which can lead to major business challenges such as regulatory compliance violations, loss of competitive advantage and damage to the business from bad press associated with a leak.

With shadow EFSS, it has become incredibly easy for corporate IP, financial information and regulatory data to accidentally fall into the wrong hands. In the old days, when an employee left an organization, they had to download data onto a floppy disk (that's the very old days), a thumb drive or a removable memory card to take corporate information with them. With shadow EFSS, however, the default behavior is that data automatically leaves with an employee. Once company data goes into an employee's personal EFSS account, the data stays there and is accessible from any device (smartphone, laptop, desktop, tablet) they currently or will use in the future.

Let's take a look at what you can do about shadow EFSS.

Bringing EFSS in and out of the shadows

If employees are willing to go around IT to use enterprise file sync and share, then the best way to deal with this trend is to embrace employee input by making them a part of solving the problem. Workers are much more likely to use and advocate for an outcome they helped choose. Embracing the EFSS trend can also help unlock new productivity gains by taking the friction out of information-sharing, communication and collaboration, as well as reduce the risk of data leakage by having more corporate data under IT control.

EFSS service, support questions to answer

  • What service levels are offered? Is there 24-7 service?
  • Is there phone or email support?
  • What are the response times?
  • Is there a service-level agreement (SLA)?
    • What is it?
    • Who is responsible for maintaining the SLA?
    • Are there remedies in place if the SLA isn't met?

The two main areas of consideration when bringing EFSS into the corporate fold are employee requirements, which lean toward ease of use to drive adoption, and the IT side, which also needs ease of use but requires security and control even more. The question becomes, how do I provide employees with a cloud-like experience while meeting security and regulatory requirements? There are many variables in this equation that could be geographically driven or corporate-policy driven, but are likely a mix of both.

One of the key considerations for IT is whether to use a cloud EFSS service such as Box or Dropbox for Business, deploy an on-premises EFSS application from the likes of Acellion, Intralinks or Varonis, or go hybrid with products such as Citrix ShareFile, Egnyte or Syncplicity.

Public cloud EFSS

Cloud EFSS is a pretty attractive option. In addition to being fast and easy to set up, the public cloud model allows customers to offload some storage and most infrastructure costs. A few providers even offer unlimited storage for business accounts. The problem with this option is it leaves businesses at the mercy of how service providers handle data protection and security. It may also leave your company exposed when it comes to regulatory compliance.

EFSS admin and control questions that need answering

  • Can group policies be set from a central dashboard, or does each account need to be set individually?
  • Is there integration with Active Directory for not just single sign-on to the service but also de-provisioning and policy management, using Active Directory Groups for fast and easy provisioning?
  • Does the EFSS service allow for administrator visibility into account use and file sharing through audit reports and provide data for chargebacks to business units?
  • Is there a search capability that allows administrators to find files across the entire domain?
  • Are there blacklists and whitelists that allow for setting policies about what domains users can share data with?
  • Can IT set sharing and collaboration policies, such as what data can be shared outside the company?
  • Are there user and group quotas to ensure no one is using an inordinate amount of the available capacity?

How easy is it to de-provision accounts?

Encryption is a must-have for storing corporate data in the cloud, and pretty much all the EFSS service providers encrypt data in the cloud, on endpoint devices and in flight. The question is who manages the encryption keys, the service provider or the subscriber? If the service provider manages the keys and holds the data, some of their employees can actually access your data. This leaves you open to snooping and hacking. Thankfully, many EFSS providers now offer customer-managed keys, which alleviates some of these major concerns.

Another related cloud consideration is the regulatory environment. Laws differ from country to country regarding how and where data is stored, as well as who has jurisdiction over that data. The landscape here is still unclear. If data is stored in one country and managed in another, which country has jurisdiction? Both? And what are the laws of each country regarding whether that data can be turned over under subpoena? Do they contradict each other? Are there cross-geographic boundaries? All of this, how data sovereignty is affected by provider location, is still a moving target. The collapse of the European Safe Harbor Agreement guidelines last year certainly proved that.

Private and hybrid-cloud EFSS

The issues and uncertainty surrounding public cloud EFSS are driving organizations to look at hybrid and on-premises options, with hybrid seeming to be the preferred model. In a hybrid environment, some components run on premises while others run in the cloud. The most well-known hybrid model is an EFSS application delivered via SaaS, while data is stored at the discretion of the subscribing company in the cloud or on premises.

Question to ask EFSS vendors about data availability, recovery

  • Do you store data in single or multiple data centers?
  • What are your backup and contingency plans?
  • How's data protected? Is there local protection like RAID or mirroring? How many copies are there?
  • Is data replicated remotely in the event of a site failure?
  • Is there automatic failover to a disaster recovery site?
  • How long does failover take?
  • Can users perform self-service restores?

Note: If versioning is supported and configurable (see table 1), the EFSS service may provide sufficient levels of data protection to supplant backup.

When we ask companies about factors driving interest in retaining EFSS data on premises, many say they are looking for flexibility and control over where data is stored. Along the same lines, many organizations believe they are better equipped than third-party services to secure and protect their data. Again, in a public cloud model, the service provider is responsible for storing and providing access to company data. If, for example, the service provider experiences an outage or security breach, customers may not be able to access their data until service is restored, or may find sensitive data has been compromised. Knowing they can manage more sensitive or critical files in company data centers, where security and availability policies have already been established, puts IT at ease.

Additionally, many organizations, particularly large enterprises, have made significant investments building out on-premises data storage and infrastructure, and they cite the ability to use these existing resources as reasons to pursue alternate EFSS deployment models. Even though storage can be relatively inexpensive in public cloud offerings, if organizations want to put all their data in an enterprise file sync-and-share setup, they need to find a way to migrate existing data, which is often time-consuming and expensive. So a number of hybrid EFSS providers (such as Accellion, Citrix Sharefile and Egnyte) allow access to data in existing file shares, without migrating data.

Answer these security questions when EFSS comparison shopping

Enterprise file sync-and-share topic: Areas of consideration

  • Which authentication tools does it integrate with? How does it integrate?
  • Does it provide native multifactor authentication?
  • Does it integrate with Active Directory, SSO and other identity management tools?
  • What controls do administrators have over passwords?
  • Can you associate user authentication with device authentication to limit services to designated and approved devices?
  • Does it offer integrated antivirus capabilities?

Encryption and key management

  • What type(s) of data encryption are available?
  • Is encryption done at the file level or container level?
  • How does it handle key management?
  • Does it integrate with hardware security modules for encryption key management?
  • Does it have specific policies, processes and technologies for key management?
    • If yes, get a copy of the written policy
  • Is there a dedicated group for key management or is that for the security and/or IT operations team?
  • Who has access to the actual keys? How is activity monitored?
  • Can customers manage their own keys? If so, how?

What are the content protection capabilities?

  • Does the EFSS service allow admins to set:
    • Length for active-user session timeout?
    • Password requirements
  • Are there DRM policies around content such as:
    • Whitelist, blacklist
    • Read-only vs. editing capabilities
    • File expiration dates
    • Print, cut and paste
    • Save to disk, save to peripheral storage
  • Can users integrate password/DRM requirements with existing authentication systems?
  • Can users track files outside the system?

How does it secure data on mobile devices?

  • Does it support remote wipe of mobile devices?
  • Do users need to consent before apps are allowed to access "sensitive" information?
  • Does it support admin controls for allowing/preventing caching files on local devices?
  • Does it allow admins to limit what third-party apps can be used?
  • Does it create a temporary clear text file when the open-in function is performed on a mobile device?
  • For which capabilities or functions does the EFSS provider partner with mobile device management or mobile application management vendors for?

What type of auditing controls does it offer?

  • Does it track and report on any of the following:
    • Where data is accessed
    • Group and user creation
    • Login attempts and failures
    • Device management activities
    • Comments and discussions around content
    • Synced and unsynced folders
    • Collaborator activities
    • Shared link tracking
    • Which users access content
    • Who users share content with
    • Users' amount of data transferred
    • When users last connected
    • When users access content by date and time
    • What users did with content
  • Does it integrate with BI to monitor usage, trends?
  • Does it integrate with security-information-and-event-manager providers (like Splunk) to provide monitoring and alerting around usage?

For public/hybrid EFSS vendors only: What types of network security controls are in place?

  • Do they use firewalls that provide denial-of-service protection?
  • Do they have an intrusion detection system to monitor network traffic?
  • Do they perform penetration testing?
  • May a prospective customer test EFSS provider's network security
  • How's their network segmented? (e.g., IP subnets and VLANs)
  • Are there ports/protocols that are prevented from accessing their network? Which ones?

What are policies regarding privacy and data ownership?

  • Are there opt-in/opt-out privacy policies that pertain to personal information collection?
  • Do they let customers modify or create their own terms of use for the service?
  • Who owns the rights to data stored in the service?
  • What type of data does the provider collect from customers?
  • How long is data collected?
  • Who do they share this data with?
  • What is their policy for collecting data for the government?
  • Do they share any customer data as part of their end-user license agreement?

Lastly, most enterprises (90% in a recent ESG survey) have at least some data (e.g., sensitive IP and regulated data) they forbid from being stored in the cloud. This seems to suggest that the vast majority of these organizations have reservations around how service providers handle sensitive data. In light of these misgivings, it isn't surprising that customer interest in the on-premises and hybrid EFSS deployment models is burgeoning,

EFSS deployment considerations

When you are looking to deploy enterprise file sync and share, there are a few core guidelines you should follow to help drive success and adoption:

Embrace employee input and feedback. It will drive viral adoption and make your life much simpler. And more adoption means less risk of exposure through shadow IT.

Pay special attention to the "not one size fits all" rule (see sidebar). If you lock everything down, you'll drive down adoption. Some enterprise file sync-and-share vendors provide a tremendous degree of flexibility and balance when it comes to ease of use, security and control, but typically they trend in one direction or the other.

File sync 'n' share: One size doesn't fit all

One of the worst mistakes an organization can make is place too much emphasis on the strictest departmental requirements when it comes to adopting and deploying enterprise file sync and share. For example, asking HR or finance (both of which are likely under strict regulatory compliance requirements) to be the only departments providing input on adoption will lead to a particularly locked-down EFSS environment. This, in turn, will drive those departments that do not need such strict security controls to revolt and flock to the consumer EFSS services you are attempting to keep out in the first place. So be open to deploying multiple EFSS platforms with varying levels of security in place. For some departments, ease of use trumps security, for instance, which will lead to greater adoption, and greater adoption means more control over more corporate data for IT. 

Understand infrastructure considerations. Do you need to access the existing corpus of information via mobile devices? Can you migrate data in a cost-effective and timely manner? Do you have sufficient networking capacity to handle additional LAN, WAN or Wi-Fi access to files?

Be careful about capacity planning. Storing all data from all laptops can add up fast, and so can costs. It is important to understand your real EFSS capacity requirements and plan for fast growth. Once you unlock greater access to data and collaboration, employees will become more productive, which means more data to store at a faster clip.

Pay attention to integration with existing apps, including productivity and security applications. You don't want to reinvent the wheel to accommodate EFSS. And you need it to fit into existing frameworks like Active Directory and the applications you may use where offloading storage can save money, such as Salesforce.

Table 1: Basic* comparison of public, hybrid, and private cloud options for online file sharing 


Public cloud

Hybrid cloud

Private cloud

Application hosting

Hosted by service provider

Hosted by service provider


Application control

Controlled by service provider **

Controlled by service provider **

Controlled by the client

Equipment ownership

Service provider owns, runs and maintains all equipment

Client owns, runs and maintains some equipment; service provider owns, runs and maintains some equipment

Client owns, runs and maintains all equipment

Typical licensing plan

Client licenses software on a per-seat, subscription basis

Client licenses software on a per-seat, subscription basis

Multiple models available

*This table covers just the basic deployment models, there are other models, such as virtual private cloud, hosted.

**Client may control some limited configuration settings and controls user administration functions.

The cloud and the influx of mobile devices and applications in the enterprise are revolutionizing how we work and driving the adoption of file sync-and-share products -- often without the blessing and knowledge of IT. To successfully bring enterprise file sync and share out of the shadows and into the light requires careful consideration and thought. Be it cloud, on-premises or hybrid, enterprise file sync and share deployment is a big project that should involve not just your IT team but knowledge workers, legal, security experts and pretty much everyone else at the company. It's worth the effort, however, as the payback in productivity and reduced security risk can be enormous.

About the author:
Terri McClure is a senior storage analyst at Enterprise Strategy Group in Milford, Mass.

Article 3 of 8

Next Steps

Cloud-based EFSS applications

What your EFSS app should include

Pick the right enterprise file sync-and-share vendor

Dig Deeper on Cloud storage management and standards

Get More Storage

Access to all of our back issues View All