Business users are demanding tools that allow them to work with content from anywhere, at any time and with anyone. Extending on-premise ECM systems to users outside the firewall and on mobile devices, however, is flat out hard and expensive. It’s fraught with technical and business challenges such as access to browser interfaces and cloud architecture, not to mention licensing considerations for external users. As a result, IT departments have been slow to formally extend on-premise ECM functionality such as file sharing, collaboration and workflow to the Cloud.
In response, business users have moved in droves to whatever content cloud service they could find that seems to address their needs. In a study earlier this year by CryptZone, a SharePoint security vendor, 45% of business users admitted to taking customer-sensitive content out of SharePoint and putting it on consumer file sharing systems and thumb drives just to do their jobs, work at home and share with those on their projects. Unfortunately, by relying on consumer-class file sharing services, users introduce serious vulnerabilities into the corporate computing environment. In fact, Gartner predicts that by 2014, a worm exploiting cloud-based personal file synchronization services will cause massive, costly enterprise data loss and service disruption. (Gartner Predicts 2012: Enterprises Must Balance Opportunity and Risk in Cloud and Mobile Security)
An AIIM 2012 Industry Watch survey (http://tinyurl.com/9mpma6n) indicated that only 19% of IT departments actively prevent content from being downloaded in an ad hoc way, while only 5% of these departments offer an “official” cloud alternative. Additionally, only 11% of respondents have a policy governing the use of business-class systems. That’s a lot of rogue content access!
So, what does business-class look like?
First, business-class security. When assessing security, consider 4 aspects:
- Content in transit -- When content is uploaded (in transit), is it transmitted over 128-bit SSL or sFTP/FTPS? Is email encrypted with TLS or another encryption protocol? Is fixed media encrypted while in transit to the data center?
- Content at rest -- Are your content and metadata 256-bit encrypted while at rest?
- Content on mobile devices -- If an employee's mobile device is lost or stolen or an employee is terminated, can company content be wiped? In the case of BYOD, can you delete only company content and not the employee's personal data? Can some content be required to be sync'ed while other content can never be sync'ed?
- Robustness of the vendor’s data center, and related security policies and procedures -- Has the vendor passed SSAE 16 and SOC 2 audits over their whole stack? Is data backed up? Is it redundant? Is there a tested disaster recovery plan in place?
Business-class means answering, “yes,” to all of these questions.
Second, business-class governance. This is a tricky topic, as one of the beauties of most cloud apps is that line-of-business application admins and end users can configure the app in many ways. It’s quick work to click a few buttons to enable users to do all kinds of stuff with little consideration of policies and procedures. With that in mind, it is easy to set up a taxonomy or folder hierarchy, but does it support policies and procedures? Can users be required to put content in the right place? Is there a rich metadata model that’s easy to adopt to support classification, search, reporting and workflow needs? Can content access and entitlements be set on a document level, or is folder-level as granular as the system will allow? Can you set expiration and retention schedules? Does the system allow you to make copies and/or move content, or not? Can content be classified as a “record” in the event of e-discovery? Again, for business-class systems, the answer is “yes”.
Third, business-grade rights management. How can corporate IP or intelligence be safeguarded while at the same time accessed by those who need it to be effective at their jobs? Can those with permissions share content with 3rd parties, and, if so, can entitlements (e.g., view/edit/delete) be enabled or restricted as policy dictates? Can document-level access permissions be granted, or is a library or folder the most granular? Can content be downloaded? If so, is native format okay or is an un-editable PDF available? Can printing, email, faxing or forwarding be enabled or restricted? Can rights be automatically set by the system or is manual intervention required? Once again, “yes” is the answer for business-class systems.
Using content cloud services is inevitable, whether it is a corporate initiative or through the creativeness of business users. Selection of business-class tools provides the foundations to ensure that your content is managed according to corporate policies and procedures. Why take a risk with consumer-class services?