You’re out of your
mind if you think blocking access to file sharing services is filling a
security gap. You’re out of your mind if you think making people jump through
hoops like Citrix and VPNs to get at content is secure. You’re out of your mind
if you think putting stuff in the cloud is dangerous.
When I mentioned to a client of mine that some of their
users were using consumer file sharing services there was nodding of heads,
murmurs of assent, and an “OMG how does he know?” Less than five hours after I
mentioned it in a meeting, an exec from one of the stakeholder groups got a
call from security stating that her team was violating policy by using Dropbox.
This client had deployed an Enterprise Content Management platform. One of the
key drivers for the platform is sharing of content among collaborators. One of
the key inhibitors is Citrix. So, what do the users do? They email documents to
each other. They store stuff on local drives. They get laptops with intellectual
property and personal information on them stolen, and can’t wipe the laptops or
recover the content. They use consumer cloud services to store sensitive
information. And security struts around proudly thinking they’ve done something.
They have: they’ve created a security hole bigger than the one they tried to
plug. Hell, even the frickin’ President of the company was storing company
confidential documents in his personal Dropbox account.
So I mention to the client that they may want to use an
Enterprise File Syncing and Sharing (EFSS) service like, I dunno, BOX! (Yeah, I like Box. So what?) Their
Director of IT Infrastructure tells me that the execs are scared of any service
that stores data in the U.S. because of the PATRIOT Act. Really? Do they not
know that Canada has an equally odious piece of legislation? Do they not
realize that if the U.S. government wants to get at stuff in Canadian data
centres, they will? And dig this … Box is working on something that would let
the customer (that’s you, btw) maintain control of, and access to, the
encryption keys. No more sneak attacks by those pesky gubbmint people. Hey, they can still
come to you and ask, but at least you’ll know, no? Can you imagine!?!
Every time I have these types of conversations with people I
usually end up wanting to lay a choke hold on someone. Whether it’s for
spreading FUD (Fear, Uncertainty, Doubt) or for believing it … I’m not sure
which irritates me more.
Blocking access to file sharing services doesn’t work.
People will find other ways to connect (e.g. phones make great wi-fi access
points, and anything that goes out over a tethered phone never touches your
proxy logs or DLP, so you lose visibility along with control) or they email
documents around. Instead of blocking access to consumer services, IT and
security ought to: 1) find out why staff are using the services in the first
place; 2) identify and provision SECURE enterprise-grade services (audit
logging, remote wipe, and, where the provider offers it, customer-held
encryption keys); 3) develop appropriate policies for using EFSS services,
including remedial action for violating the policies. If staff are using
consumer services to share business content it’s a pretty safe bet something is
wrong with the corporately provided tools. Fix them.
Part of the fix may actually be to provision
EFSS to staff. Think about it before you have a freakin’ hissy fit. EFSS
providers make money by providing a secure way for people to share content and
collaborate. How do you make money? What’s your core strength? Hell, you can’t
even stop your staff from sharing content unsecurely (is that even a word?).

#sharing #useradoption #Risk #EFSS #box #Security #EIM #Collaboration #informationmanagement #cloud #usability #Filesyncingandsharing #ShadowIT #InformationGovernance #ECM